Imported Upstream version 5.4.0

author: Yves-Alexis Perez <corsac@debian.org> 2016-03-24 11:59:32 +0100
committer: Yves-Alexis Perez <corsac@debian.org> 2016-03-24 11:59:32 +0100
commit: 518dd33c94e041db0444c7d1f33da363bb8e3faf (patch)
tree: e8d1665ffadff7ec40228dda47e81f8f4691cd07
parent: f42f239a632306ed082f6fde878977248eea85cf (diff)
download: vyos-strongswan-518dd33c94e041db0444c7d1f33da363bb8e3faf.tar.gz
vyos-strongswan-518dd33c94e041db0444c7d1f33da363bb8e3faf.zip
1512 files changed, 22142 insertions, 9444 deletions
diff --git a/Android.common.mk b/Android.common.mk
index 41f508a0e..1aa5b533b 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.3.5"
+strongswan_VERSION := "5.4.0"
 
diff --git a/Android.mk b/Android.mk
index 7b8bc8f87..f17289ea0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -97,7 +97,6 @@ strongswan_CFLAGS += \
 strongswan_BUILD := \
 	charon \
 	libcharon \
-	libhydra \
 	libstrongswan \
 	libtncif \
 	libtnccs \
diff --git a/Makefile.in b/Makefile.in
index 22286fe9f..55ddc0edc 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -444,6 +444,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/NEWS b/NEWS
index bda70686a..8de6cac4e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,43 @@
+strongswan-5.4.0
+----------------
+
+- Support for IKEv2 redirection (RFC 5685) has been added.  Plugins may
+  implement the redirect_provider_t interface to decide if and when to redirect
+  connecting clients.  It is also possible to redirect established IKE_SAs based
+  on different selectors via VICI/swanctl.  Unless disabled in strongswan.conf
+  the charon daemon will follow redirect requests received from servers.
+
+- The ike: prefix enables the explicit configuration of signature scheme
+  constraints against IKEv2 authentication in rightauth, which allows the use
+  of different signature schemes for trustchain verification and authentication.
+
+- The initiator of an IKEv2 make-before-break reauthentication now suspends
+  online certificate revocation checks (OCSP, CRLs) until the new IKE_SA and all
+  CHILD_SAs are established.  This is required if the checks are done over the
+  CHILD_SA established with the new IKE_SA.  This is not possible until the
+  initiator installs this SA and that only happens after the authentication is
+  completed successfully.  So we suspend the checks during the reauthentication
+  and do them afterwards, if they fail the IKE_SA is closed.  This change has no
+  effect on the behavior during the authentication of the initial IKE_SA.
+
+- For the vici plugin a Vici:Session Perl CPAN module has been added to allow
+  Perl applications to control and/or monitor the IKE daemon using the VICI
+  interface, similar to the existing Python egg or Ruby gem.
+
+- Traffic selectors with port ranges can now be configured in the Linux kernel:
+  e.g. remote_ts = 10.1.0.0/16[tcp/20-23] local_ts = dynamic[tcp/32768-65535].
+  The port range must map to a port mask, though since the kernel does not
+  support arbitrary ranges.
+
+- The vici plugin allows the configuration of IPv4 and IPv6 address ranges
+  in local and remote traffic selectors. Since both the Linux kernel and
+  iptables cannot handle arbitrary ranges, address ranges are mapped to the next
+  larger CIDR subnet by the kernel-netlink and updown plugins, respectively.
+
+- Implemented IKEv1 IPv4/IPv6 address subnet and range identities that can be
+  used as owners of shared secrets.
+
+
 strongswan-5.3.5
 ----------------
 
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 72d9f258d..b7edaa8ee 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -73,6 +73,7 @@ plugins = \
 	plugins/ntru.opt \
 	plugins/openssl.opt \
 	plugins/osx-attr.opt \
+	plugins/p-cscf.opt \
 	plugins/pkcs11.opt \
 	plugins/radattr.opt \
 	plugins/random.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index e6781b150..8bfc298a9 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -367,6 +367,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -455,6 +457,7 @@ plugins = \
 	plugins/ntru.opt \
 	plugins/openssl.opt \
 	plugins/osx-attr.opt \
+	plugins/p-cscf.opt \
 	plugins/pkcs11.opt \
 	plugins/radattr.opt \
 	plugins/random.opt \
diff --git a/conf/format-options.py b/conf/format-options.py
index d046e24ca..307394399 100755
--- a/conf/format-options.py
+++ b/conf/format-options.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 #
-# Copyright (C) 2014 Tobias Brunner
+# Copyright (C) 2014-2015 Tobias Brunner
 # Hochschule fuer Technik Rapperswil
 #
 # This program is free software; you can redistribute it and/or modify it
@@ -48,6 +48,14 @@ full.section.name {[#]}
 
 If a # is added between the curly braces the section header will be commented
 out in the configuration file snippet, which is useful for example sections.
+
+Dots in section/option names may be escaped with a backslash.  For instance,
+with the following section description
+
+charon.filelog./var/log/daemon\.log {}
+	Section to define logging into /var/log/daemon.log
+
+/var/log/daemon.log will be the name of the last section.
 """
 
 import sys
@@ -58,9 +66,10 @@ from operator import attrgetter
 
 class ConfigOption:
 	"""Representing a configuration option or described section in strongswan.conf"""
-	def __init__(self, name, default = None, section = False, commented = False):
-		self.name = name.split('.')[-1]
-		self.fullname = name
+	def __init__(self, path, default = None, section = False, commented = False):
+		self.path = path
+		self.name = path[-1]
+		self.fullname = '.'.join(path)
 		self.default = default
 		self.section = section
 		self.commented = commented
@@ -68,7 +77,7 @@ class ConfigOption:
 		self.options = []
 
 	def __lt__(self, other):
-		return  self.name < other.name
+		return self.name < other.name
 
 	def add_paragraph(self):
 		"""Adds a new paragraph to the description"""
@@ -113,7 +122,8 @@ class Parser:
 		if m:
 			if self.__current:
 				self.__add_option(self.__current)
-			self.__current = ConfigOption(m.group('name'), m.group('default'),
+			path = self.__split_name(m.group('name'))
+			self.__current = ConfigOption(path, m.group('default'),
 										  commented = not m.group('assign'))
 			return
 		# section definition
@@ -121,7 +131,8 @@ class Parser:
 		if m:
 			if self.__current:
 				self.__add_option(self.__current)
-			self.__current = ConfigOption(m.group('name'), section = True,
+			path = self.__split_name(m.group('name'))
+			self.__current = ConfigOption(path, section = True,
 										  commented = m.group('comment'))
 			return
 		# paragraph separator
@@ -133,11 +144,14 @@ class Parser:
 		if m and self.__current:
 			self.__current.add(m.group('text'))
 
+	def __split_name(self, name):
+		"""Split the given full name in a list of section/option names"""
+		return [x.replace('\.', '.') for x in re.split(r'(?<!\\)\.', name)]
+
 	def __add_option(self, option):
 		"""Adds the given option to the abstract storage"""
 		option.desc = [desc for desc in option.desc if len(desc)]
-		parts = option.fullname.split('.')
-		parent = self.__get_option(parts[:-1], True)
+		parent = self.__get_option(option.path[:-1], True)
 		if not parent:
 			parent = self
 		found = next((x for x in parent.options if x.name == option.name
@@ -149,18 +163,16 @@ class Parser:
 			if self.sort:
 				parent.options.sort()
 
-	def __get_option(self, parts, create = False):
+	def __get_option(self, path, create = False):
 		"""Searches/Creates the option (section) based on a list of section names"""
 		option = None
 		options = self.options
-		fullname = ""
-		for name in parts:
-			fullname += '.' + name if len(fullname) else name
+		for i, name in enumerate(path, 1):
 			option = next((x for x in options if x.name == name and x.section), None)
 			if not option:
 				if not create:
 					break
-				option = ConfigOption(fullname, section = True)
+				option = ConfigOption(path[:i], section = True)
 				options.append(option)
 				if self.sort:
 					options.sort()
@@ -169,7 +181,7 @@ class Parser:
 
 	def get_option(self, name):
 		"""Retrieves the option with the given name"""
-		return self.__get_option(name.split('.'))
+		return self.__get_option(self.__split_name(name))
 
 class TagReplacer:
 	"""Replaces formatting tags in text"""
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index b55d429a7..5ca61a8e8 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -20,6 +20,9 @@ charon {
     # Number of half-open IKE_SAs that activate the cookie mechanism.
     # cookie_threshold = 10
 
+    # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+    # delete_rekeyed = no
+
     # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
     # strength.
     # dh_exponent_ansi_x9_42 = yes
@@ -44,6 +47,9 @@ charon {
     # Free objects during authentication (might conflict with plugins).
     # flush_auth_cfg = no
 
+    # Whether to follow IKEv2 redirects (RFC 5685).
+    # follow_redirects = yes
+
     # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
     # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
     # address family specific        default values). If specified this limit is
@@ -188,7 +194,7 @@ charon {
     # DNS resolution failed), 0 to disable retries.
     # retry_initiate_interval = 0
 
-    # Initiate CHILD_SA within existing IKE_SAs.
+    # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
     # reuse_ikesa = yes
 
     # Numerical routing table to install routes to.
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 816f3250c..86279ec83 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -61,6 +61,14 @@ charon.crypto_test.required = no
 charon.crypto_test.rng_true = no
 	Whether to test RNG with TRUE quality; requires a lot of entropy.
 
+charon.delete_rekeyed = no
+	Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+
+	Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+	Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
+	However, this might cause problems with implementations that continue to
+	use rekeyed SAs until they expire.
+
 charon.dh_exponent_ansi_x9_42 = yes
 	Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
 	strength.
@@ -89,6 +97,9 @@ charon.flush_auth_cfg = no
 	this might conflict with plugins that later need access to e.g. the used
 	certificates.
 
+charon.follow_redirects = yes
+	Whether to follow IKEv2 redirects (RFC 5685).
+
 charon.fragment_size = 0
 	Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
 	when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
@@ -283,7 +294,7 @@ charon.retry_initiate_interval = 0
 	resolution failed), 0 to disable retries.
 
 charon.reuse_ikesa = yes
-	Initiate CHILD_SA within existing IKE_SAs.
+	Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
 
 charon.routing_table
 	Numerical routing table to install routes to.
diff --git a/conf/plugins/p-cscf.conf b/conf/plugins/p-cscf.conf
new file mode 100644
index 000000000..5225a7ce6
--- /dev/null
+++ b/conf/plugins/p-cscf.conf
@@ -0,0 +1,18 @@
+p-cscf {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # Section to enable requesting P-CSCF server addresses for individual
+    # connections.
+    enable {
+
+        # <conn> is the name of a connection with an ePDG from which to request
+        # P-CSCF server addresses.
+        # <conn> = no
+
+    }
+
+}
+
diff --git a/conf/plugins/p-cscf.opt b/conf/plugins/p-cscf.opt
new file mode 100644
index 000000000..ec7f8153f
--- /dev/null
+++ b/conf/plugins/p-cscf.opt
@@ -0,0 +1,11 @@
+charon.plugins.p-cscf.enable {}
+	Section to enable requesting P-CSCF server addresses for individual
+	connections.
+
+charon.plugins.p-cscf.enable.<conn> = no
+	<conn> is the name of a connection with an ePDG from which to request
+	P-CSCF server addresses.
+
+	<conn> is the name of a connection with an ePDG from which to request
+	P-CSCF server addresses.  Requests will be sent for addresses of the same
+	families for which internal IPs are requested.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 633588325..e6a502952 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -97,6 +97,13 @@ Strictly require at least one test vector to enable an algorithm.
 Whether to test RNG with TRUE quality; requires a lot of entropy.
 
 .TP
+.BR charon.delete_rekeyed " [no]"
+Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). Reduces
+the number of stale CHILD_SAs in scenarios with a lot of rekeyings. However,
+this might cause problems with implementations that continue to use rekeyed SAs
+until they expire.
+
+.TP
 .BR charon.dh_exponent_ansi_x9_42 " [yes]"
 Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
 strength.
@@ -177,6 +184,10 @@ are released to free memory once an IKE_SA is established. Enabling this might
 conflict with plugins that later need access to e.g. the used certificates.
 
 .TP
+.BR charon.follow_redirects " [yes]"
+Whether to follow IKEv2 redirects (RFC 5685).
+
+.TP
 .BR charon.fragment_size " [0]"
 Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
 using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for address
@@ -1191,6 +1202,17 @@ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
 Whether DNS servers are appended to existing entries, instead of replacing them.
 
 .TP
+.B charon.plugins.p-cscf.enable
+.br
+Section to enable requesting P\-CSCF server addresses for individual connections.
+
+.TP
+.BR charon.plugins.p-cscf.enable.<conn> " [no]"
+<conn> is the name of a connection with an ePDG from which to request P\-CSCF
+server addresses.  Requests will be sent for addresses of the same families for
+which internal IPs are requested.
+
+.TP
 .BR charon.plugins.pkcs11.load_certs " [yes]"
 Whether to load certificates from tokens.
 
@@ -1572,7 +1594,7 @@ resolution failed), 0 to disable retries.
 
 .TP
 .BR charon.reuse_ikesa " [yes]"
-Initiate CHILD_SA within existing IKE_SAs.
+Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
 
 .TP
 .BR charon.routing_table " []"
diff --git a/config.h.in b/config.h.in
index b95e01843..02528e733 100644
--- a/config.h.in
+++ b/config.h.in
@@ -329,6 +329,9 @@
 /* support for IKEv2 protocol */
 #undef USE_IKEV2
 
+/* use thread ID for thread identification, if available */
+#undef USE_THREAD_IDS
+
 /* use Vstr string library for printf hooks */
 #undef USE_VSTR
 
diff --git a/configure b/configure
index 3d0478c88..dac40eacc 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.3.5.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.4.0.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.3.5'
-PACKAGE_STRING='strongSwan 5.3.5'
+PACKAGE_VERSION='5.4.0'
+PACKAGE_STRING='strongSwan 5.4.0'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -635,6 +635,8 @@ LIBOBJS
 strongswan_options
 USE_PY_TEST_FALSE
 USE_PY_TEST_TRUE
+USE_PERL_CPAN_FALSE
+USE_PERL_CPAN_TRUE
 USE_PYTHON_EGGS_FALSE
 USE_PYTHON_EGGS_TRUE
 USE_RUBY_GEMS_FALSE
@@ -691,8 +693,6 @@ USE_LIBIPSEC_FALSE
 USE_LIBIPSEC_TRUE
 USE_LIBCHARON_FALSE
 USE_LIBCHARON_TRUE
-USE_LIBHYDRA_FALSE
-USE_LIBHYDRA_TRUE
 USE_LIBSTRONGSWAN_FALSE
 USE_LIBSTRONGSWAN_TRUE
 USE_CONFTEST_FALSE
@@ -731,12 +731,6 @@ USE_LOCK_PROFILER_FALSE
 USE_LOCK_PROFILER_TRUE
 USE_LEAK_DETECTIVE_FALSE
 USE_LEAK_DETECTIVE_TRUE
-USE_KERNEL_PFROUTE_FALSE
-USE_KERNEL_PFROUTE_TRUE
-USE_KERNEL_PFKEY_FALSE
-USE_KERNEL_PFKEY_TRUE
-USE_KERNEL_NETLINK_FALSE
-USE_KERNEL_NETLINK_TRUE
 USE_ATTR_SQL_FALSE
 USE_ATTR_SQL_TRUE
 USE_ATTR_FALSE
@@ -869,6 +863,12 @@ USE_KERNEL_WFP_FALSE
 USE_KERNEL_WFP_TRUE
 USE_KERNEL_LIBIPSEC_FALSE
 USE_KERNEL_LIBIPSEC_TRUE
+USE_KERNEL_PFROUTE_FALSE
+USE_KERNEL_PFROUTE_TRUE
+USE_KERNEL_PFKEY_FALSE
+USE_KERNEL_PFKEY_TRUE
+USE_KERNEL_NETLINK_FALSE
+USE_KERNEL_NETLINK_TRUE
 USE_HA_FALSE
 USE_HA_TRUE
 USE_LOAD_TESTER_FALSE
@@ -891,6 +891,8 @@ USE_ANDROID_LOG_FALSE
 USE_ANDROID_LOG_TRUE
 USE_ANDROID_DNS_FALSE
 USE_ANDROID_DNS_TRUE
+USE_P_CSCF_FALSE
+USE_P_CSCF_TRUE
 USE_OSX_ATTR_FALSE
 USE_OSX_ATTR_TRUE
 USE_UCI_FALSE
@@ -1025,6 +1027,8 @@ attest_plugins
 pool_plugins
 starter_plugins
 charon_plugins
+PERL_CPAN_INSTALL_FALSE
+PERL_CPAN_INSTALL_TRUE
 PYTHON_EGGS_INSTALL_FALSE
 PYTHON_EGGS_INSTALL_TRUE
 PY_TEST
@@ -1068,6 +1072,8 @@ systemd_journal_LIBS
 systemd_journal_CFLAGS
 systemd_daemon_LIBS
 systemd_daemon_CFLAGS
+systemd_LIBS
+systemd_CFLAGS
 xml_LIBS
 xml_CFLAGS
 soup_LIBS
@@ -1374,6 +1380,7 @@ enable_attr
 enable_attr_sql
 enable_dhcp
 enable_osx_attr
+enable_p_cscf
 enable_resolve
 enable_unity
 enable_imc_test
@@ -1441,9 +1448,12 @@ enable_ruby_gems
 enable_ruby_gems_install
 enable_python_eggs
 enable_python_eggs_install
+enable_perl_cpan
+enable_perl_cpan_install
 enable_coverage
 enable_leak_detective
 enable_lock_profiler
+enable_log_thread_ids
 enable_monolithic
 enable_defaults
 enable_all
@@ -1476,6 +1486,8 @@ soup_CFLAGS
 soup_LIBS
 xml_CFLAGS
 xml_LIBS
+systemd_CFLAGS
+systemd_LIBS
 systemd_daemon_CFLAGS
 systemd_daemon_LIBS
 systemd_journal_CFLAGS
@@ -2032,7 +2044,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.3.5 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.4.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -2102,7 +2114,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.3.5:";;
+     short | recursive ) echo "Configuration of strongSwan 5.4.0:";;
    esac
   cat <<\_ACEOF
 
@@ -2230,13 +2242,15 @@ Optional Features:
                           Requires libxml.
   --enable-sql            enable SQL database configuration backend.
   --enable-uci            enable OpenWRT UCI configuration plugin.
-  --enable-vici           enable strongSwan IKE generic IPC interface plugin.
+  --disable-vici          disable strongSwan IKE generic IPC interface plugin.
   --enable-android-dns    enable Android specific DNS handler.
   --disable-attr          disable strongswan.conf based configuration
                           attribute plugin.
   --enable-attr-sql       enable SQL based configuration attribute plugin.
   --enable-dhcp           enable DHCP based attribute provider plugin.
   --enable-osx-attr       enable OS X SystemConfiguration attribute handler.
+  --enable-p-cscf         enable plugin to request P-CSCF server addresses
+                          from an ePDG.
   --disable-resolve       disable resolve DNS handler plugin.
   --enable-unity          enables Cisco Unity extension plugin.
   --enable-imc-test       enable IMC test module.
@@ -2305,7 +2319,7 @@ Optional Features:
                           scripts).
   --enable-svc            enable charon Windows service.
   --enable-systemd        enable systemd specific IKE daemon charon-systemd.
-  --enable-swanctl        enable swanctl configuration and control tool.
+  --disable-swanctl       disable swanctl configuration and control tool.
   --enable-tkm            enable Trusted Key Manager support.
   --enable-bfd-backtraces use binutils libbfd to resolve backtraces for memory
                           leaks and segfaults.
@@ -2328,9 +2342,15 @@ Optional Features:
   --enable-python-eggs    enable build of provided python eggs.
   --enable-python-eggs-install
                           enable installation of provided python eggs.
+  --enable-perl-cpan      enable build of provided perl CPAN module.
+  --enable-perl-cpan-install
+                          enable installation of provided CPAN module.
   --enable-coverage       enable lcov coverage report generation.
   --enable-leak-detective enable malloc hooks to find memory leaks.
   --enable-lock-profiler  enable lock/mutex profiling code.
+  --enable-log-thread-ids use thread ID, if available, instead of an
+                          incremented value starting from 1, to identify
+                          threads.
   --enable-monolithic     build monolithic version of libstrongswan that
                           includes all enabled plugins. Similarly, the plugins
                           of charon are assembled in libcharon.
@@ -2453,6 +2473,10 @@ Some influential environment variables:
   soup_LIBS   linker flags for soup, overriding pkg-config
   xml_CFLAGS  C compiler flags for xml, overriding pkg-config
   xml_LIBS    linker flags for xml, overriding pkg-config
+  systemd_CFLAGS
+              C compiler flags for systemd, overriding pkg-config
+  systemd_LIBS
+              linker flags for systemd, overriding pkg-config
   systemd_daemon_CFLAGS
               C compiler flags for systemd_daemon, overriding pkg-config
   systemd_daemon_LIBS
@@ -2545,7 +2569,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.3.5
+strongSwan configure 5.4.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3067,7 +3091,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.3.5, which was
+It was created by strongSwan $as_me 5.4.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3930,7 +3954,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.3.5'
+ VERSION='5.4.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -6286,12 +6310,12 @@ if test "${enable_vici+set}" = set; then :
 			vici=false
 		fi
 else
-  vici=false
+  vici=true
 		vici_given=false
 
 fi
 
-	disabled_by_default=${disabled_by_default}" vici"
+	enabled_by_default=${enabled_by_default}" vici"
 
 # attribute provider/consumer plugins
 # Check whether --enable-android-dns was given.
@@ -6374,6 +6398,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" osx_attr"
 
+# Check whether --enable-p-cscf was given.
+if test "${enable_p_cscf+set}" = set; then :
+  enableval=$enable_p_cscf; p_cscf_given=true
+		if test x$enableval = xyes; then
+			p_cscf=true
+		 else
+			p_cscf=false
+		fi
+else
+  p_cscf=false
+		p_cscf_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" p_cscf"
+
 # Check whether --enable-resolve was given.
 if test "${enable_resolve+set}" = set; then :
   enableval=$enable_resolve; resolve_given=true
@@ -7234,12 +7274,12 @@ if test "${enable_swanctl+set}" = set; then :
 			swanctl=false
 		fi
 else
-  swanctl=false
+  swanctl=true
 		swanctl_given=false
 
 fi
 
-	disabled_by_default=${disabled_by_default}" swanctl"
+	enabled_by_default=${enabled_by_default}" swanctl"
 
 # Check whether --enable-tkm was given.
 if test "${enable_tkm+set}" = set; then :
@@ -7450,6 +7490,38 @@ fi
 
 	disabled_by_default=${disabled_by_default}" python_eggs_install"
 
+# Check whether --enable-perl-cpan was given.
+if test "${enable_perl_cpan+set}" = set; then :
+  enableval=$enable_perl_cpan; perl_cpan_given=true
+		if test x$enableval = xyes; then
+			perl_cpan=true
+		 else
+			perl_cpan=false
+		fi
+else
+  perl_cpan=false
+		perl_cpan_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" perl_cpan"
+
+# Check whether --enable-perl-cpan-install was given.
+if test "${enable_perl_cpan_install+set}" = set; then :
+  enableval=$enable_perl_cpan_install; perl_cpan_install_given=true
+		if test x$enableval = xyes; then
+			perl_cpan_install=true
+		 else
+			perl_cpan_install=false
+		fi
+else
+  perl_cpan_install=false
+		perl_cpan_install_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" perl_cpan_install"
+
 # compile options
 # Check whether --enable-coverage was given.
 if test "${enable_coverage+set}" = set; then :
@@ -7499,6 +7571,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" lock_profiler"
 
+# Check whether --enable-log-thread-ids was given.
+if test "${enable_log_thread_ids+set}" = set; then :
+  enableval=$enable_log_thread_ids; log_thread_ids_given=true
+		if test x$enableval = xyes; then
+			log_thread_ids=true
+		 else
+			log_thread_ids=false
+		fi
+else
+  log_thread_ids=false
+		log_thread_ids_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" log_thread_ids"
+
 # Check whether --enable-monolithic was given.
 if test "${enable_monolithic+set}" = set; then :
   enableval=$enable_monolithic; monolithic_given=true
@@ -17328,6 +17416,10 @@ if test x$python_eggs_install = xtrue; then
 	python_eggs=true
 fi
 
+if test x$perl_cpan_install = xtrue; then
+	perl_cpan=true
+fi
+
 # ===========================================
 #  check required libraries and header files
 # ===========================================
@@ -19498,6 +19590,65 @@ $as_echo "$systemdsystemunitdir" >&6; }
 
 
 pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd" >&5
+$as_echo_n "checking for systemd... " >&6; }
+
+if test -n "$systemd_CFLAGS"; then
+    pkg_cv_systemd_CFLAGS="$systemd_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd >= 209\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsystemd >= 209") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_systemd_CFLAGS=`$PKG_CONFIG --cflags "libsystemd >= 209" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$systemd_LIBS"; then
+    pkg_cv_systemd_LIBS="$systemd_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd >= 209\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsystemd >= 209") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_systemd_LIBS=`$PKG_CONFIG --libs "libsystemd >= 209" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        systemd_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd >= 209" 2>&1`
+        else
+	        systemd_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd >= 209" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$systemd_PKG_ERRORS" >&5
+
+
+pkg_failed=no
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd_daemon" >&5
 $as_echo_n "checking for systemd_daemon... " >&6; }
 
@@ -19590,6 +19741,195 @@ fi
 
 
 
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd_journal" >&5
+$as_echo_n "checking for systemd_journal... " >&6; }
+
+if test -n "$systemd_journal_CFLAGS"; then
+    pkg_cv_systemd_journal_CFLAGS="$systemd_journal_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-journal\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsystemd-journal") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_systemd_journal_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-journal" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$systemd_journal_LIBS"; then
+    pkg_cv_systemd_journal_LIBS="$systemd_journal_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-journal\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsystemd-journal") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_systemd_journal_LIBS=`$PKG_CONFIG --libs "libsystemd-journal" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        systemd_journal_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-journal" 2>&1`
+        else
+	        systemd_journal_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-journal" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$systemd_journal_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (libsystemd-journal) were not met:
+
+$systemd_journal_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables systemd_journal_CFLAGS
+and systemd_journal_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables systemd_journal_CFLAGS
+and systemd_journal_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	systemd_journal_CFLAGS=$pkg_cv_systemd_journal_CFLAGS
+	systemd_journal_LIBS=$pkg_cv_systemd_journal_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
+
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd_daemon" >&5
+$as_echo_n "checking for systemd_daemon... " >&6; }
+
+if test -n "$systemd_daemon_CFLAGS"; then
+    pkg_cv_systemd_daemon_CFLAGS="$systemd_daemon_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_systemd_daemon_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-daemon" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$systemd_daemon_LIBS"; then
+    pkg_cv_systemd_daemon_LIBS="$systemd_daemon_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_systemd_daemon_LIBS=`$PKG_CONFIG --libs "libsystemd-daemon" 2>/dev/null`
+		      test "x$?" != "x0" && pkg_failed=yes
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        systemd_daemon_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-daemon" 2>&1`
+        else
+	        systemd_daemon_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-daemon" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$systemd_daemon_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (libsystemd-daemon) were not met:
+
+$systemd_daemon_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables systemd_daemon_CFLAGS
+and systemd_daemon_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables systemd_daemon_CFLAGS
+and systemd_daemon_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+	systemd_daemon_CFLAGS=$pkg_cv_systemd_daemon_CFLAGS
+	systemd_daemon_LIBS=$pkg_cv_systemd_daemon_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
 
 pkg_failed=no
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for systemd_journal" >&5
@@ -19683,6 +20023,15 @@ $as_echo "yes" >&6; }
 fi
 
 
+
+else
+	systemd_CFLAGS=$pkg_cv_systemd_CFLAGS
+	systemd_LIBS=$pkg_cv_systemd_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+
+fi
 fi
 
 if test x$tss = xtrousers; then
@@ -20556,7 +20905,7 @@ if eval \${$as_ac_Lib+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-l$openssl_lib  $LIBS"
+LIBS="-l$openssl_lib $DLLIB $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -21861,6 +22210,15 @@ else
 fi
 
 
+ if test "x$perl_cpan_install" = xtrue; then
+  PERL_CPAN_INSTALL_TRUE=
+  PERL_CPAN_INSTALL_FALSE='#'
+else
+  PERL_CPAN_INSTALL_TRUE='#'
+  PERL_CPAN_INSTALL_FALSE=
+fi
+
+
 # ===============================================
 #  collect plugin list for strongSwan components
 # ===============================================
@@ -21886,9 +22244,8 @@ cmd_plugins=
 aikgen_plugins=
 
 # location specific lists for checksumming,
-# for src/libcharon, src/libhydra, src/libstrongswan and src/libtnccs
+# for src/libcharon, src/libstrongswan and src/libtnccs
 c_plugins=
-h_plugins=
 s_plugins=
 t_plugins=
 
@@ -21984,21 +22341,6 @@ if test x$rc2 = xtrue; then
 
 	fi
 
-if test x$sha1 = xtrue; then
-		s_plugins=${s_plugins}" sha1"
-		charon_plugins=${charon_plugins}" sha1"
-		scepclient_plugins=${scepclient_plugins}" sha1"
-		pki_plugins=${pki_plugins}" sha1"
-		scripts_plugins=${scripts_plugins}" sha1"
-		manager_plugins=${manager_plugins}" sha1"
-		medsrv_plugins=${medsrv_plugins}" sha1"
-		attest_plugins=${attest_plugins}" sha1"
-		nm_plugins=${nm_plugins}" sha1"
-		cmd_plugins=${cmd_plugins}" sha1"
-		aikgen_plugins=${aikgen_plugins}" sha1"
-
-	fi
-
 if test x$sha2 = xtrue; then
 		s_plugins=${s_plugins}" sha2"
 		charon_plugins=${charon_plugins}" sha2"
@@ -22027,6 +22369,21 @@ if test x$sha3 = xtrue; then
 
 	fi
 
+if test x$sha1 = xtrue; then
+		s_plugins=${s_plugins}" sha1"
+		charon_plugins=${charon_plugins}" sha1"
+		scepclient_plugins=${scepclient_plugins}" sha1"
+		pki_plugins=${pki_plugins}" sha1"
+		scripts_plugins=${scripts_plugins}" sha1"
+		manager_plugins=${manager_plugins}" sha1"
+		medsrv_plugins=${medsrv_plugins}" sha1"
+		attest_plugins=${attest_plugins}" sha1"
+		nm_plugins=${nm_plugins}" sha1"
+		cmd_plugins=${cmd_plugins}" sha1"
+		aikgen_plugins=${aikgen_plugins}" sha1"
+
+	fi
+
 if test x$md4 = xtrue; then
 		s_plugins=${s_plugins}" md4"
 		charon_plugins=${charon_plugins}" md4"
@@ -22498,7 +22855,7 @@ if test x$kernel_iph = xtrue; then
 	fi
 
 if test x$kernel_pfkey = xtrue; then
-		h_plugins=${h_plugins}" kernel-pfkey"
+		c_plugins=${c_plugins}" kernel-pfkey"
 		charon_plugins=${charon_plugins}" kernel-pfkey"
 		starter_plugins=${starter_plugins}" kernel-pfkey"
 		nm_plugins=${nm_plugins}" kernel-pfkey"
@@ -22507,7 +22864,7 @@ if test x$kernel_pfkey = xtrue; then
 	fi
 
 if test x$kernel_pfroute = xtrue; then
-		h_plugins=${h_plugins}" kernel-pfroute"
+		c_plugins=${c_plugins}" kernel-pfroute"
 		charon_plugins=${charon_plugins}" kernel-pfroute"
 		starter_plugins=${starter_plugins}" kernel-pfroute"
 		nm_plugins=${nm_plugins}" kernel-pfroute"
@@ -22516,7 +22873,7 @@ if test x$kernel_pfroute = xtrue; then
 	fi
 
 if test x$kernel_netlink = xtrue; then
-		h_plugins=${h_plugins}" kernel-netlink"
+		c_plugins=${c_plugins}" kernel-netlink"
 		charon_plugins=${charon_plugins}" kernel-netlink"
 		starter_plugins=${starter_plugins}" kernel-netlink"
 		nm_plugins=${nm_plugins}" kernel-netlink"
@@ -22820,6 +23177,13 @@ if test x$osx_attr = xtrue; then
 
 	fi
 
+if test x$p_cscf = xtrue; then
+		c_plugins=${c_plugins}" p-cscf"
+		charon_plugins=${charon_plugins}" p-cscf"
+		cmd_plugins=${cmd_plugins}" p-cscf"
+
+	fi
+
 if test x$android_dns = xtrue; then
 		c_plugins=${c_plugins}" android-dns"
 		charon_plugins=${charon_plugins}" android-dns"
@@ -23422,6 +23786,14 @@ else
   USE_OSX_ATTR_FALSE=
 fi
 
+ if test x$p_cscf = xtrue; then
+  USE_P_CSCF_TRUE=
+  USE_P_CSCF_FALSE='#'
+else
+  USE_P_CSCF_TRUE='#'
+  USE_P_CSCF_FALSE=
+fi
+
  if test x$android_dns = xtrue; then
   USE_ANDROID_DNS_TRUE=
   USE_ANDROID_DNS_FALSE='#'
@@ -23510,6 +23882,30 @@ else
   USE_HA_FALSE=
 fi
 
+ if test x$kernel_netlink = xtrue; then
+  USE_KERNEL_NETLINK_TRUE=
+  USE_KERNEL_NETLINK_FALSE='#'
+else
+  USE_KERNEL_NETLINK_TRUE='#'
+  USE_KERNEL_NETLINK_FALSE=
+fi
+
+ if test x$kernel_pfkey = xtrue; then
+  USE_KERNEL_PFKEY_TRUE=
+  USE_KERNEL_PFKEY_FALSE='#'
+else
+  USE_KERNEL_PFKEY_TRUE='#'
+  USE_KERNEL_PFKEY_FALSE=
+fi
+
+ if test x$kernel_pfroute = xtrue; then
+  USE_KERNEL_PFROUTE_TRUE=
+  USE_KERNEL_PFROUTE_FALSE='#'
+else
+  USE_KERNEL_PFROUTE_TRUE='#'
+  USE_KERNEL_PFROUTE_FALSE=
+fi
+
  if test x$kernel_libipsec = xtrue; then
   USE_KERNEL_LIBIPSEC_TRUE=
   USE_KERNEL_LIBIPSEC_FALSE='#'
@@ -24039,33 +24435,6 @@ else
 fi
 
 
-#  hydra plugins
-# ---------------
- if test x$kernel_netlink = xtrue; then
-  USE_KERNEL_NETLINK_TRUE=
-  USE_KERNEL_NETLINK_FALSE='#'
-else
-  USE_KERNEL_NETLINK_TRUE='#'
-  USE_KERNEL_NETLINK_FALSE=
-fi
-
- if test x$kernel_pfkey = xtrue; then
-  USE_KERNEL_PFKEY_TRUE=
-  USE_KERNEL_PFKEY_FALSE='#'
-else
-  USE_KERNEL_PFKEY_TRUE='#'
-  USE_KERNEL_PFKEY_FALSE=
-fi
-
- if test x$kernel_pfroute = xtrue; then
-  USE_KERNEL_PFROUTE_TRUE=
-  USE_KERNEL_PFROUTE_FALSE='#'
-else
-  USE_KERNEL_PFROUTE_TRUE='#'
-  USE_KERNEL_PFROUTE_FALSE=
-fi
-
-
 #  other options
 # ---------------
  if test x$leak_detective = xtrue; then
@@ -24220,14 +24589,6 @@ else
   USE_LIBSTRONGSWAN_FALSE=
 fi
 
- if test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then
-  USE_LIBHYDRA_TRUE=
-  USE_LIBHYDRA_FALSE='#'
-else
-  USE_LIBHYDRA_TRUE='#'
-  USE_LIBHYDRA_FALSE=
-fi
-
  if test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then
   USE_LIBCHARON_TRUE=
   USE_LIBCHARON_FALSE='#'
@@ -24452,6 +24813,14 @@ else
   USE_PYTHON_EGGS_FALSE=
 fi
 
+ if test x$perl_cpan = xtrue; then
+  USE_PERL_CPAN_TRUE=
+  USE_PERL_CPAN_FALSE='#'
+else
+  USE_PERL_CPAN_TRUE='#'
+  USE_PERL_CPAN_FALSE=
+fi
+
  if test "x$PY_TEST" != x; then
   USE_PY_TEST_TRUE=
   USE_PY_TEST_FALSE='#'
@@ -24475,6 +24844,11 @@ if test x$capabilities = xlibcap -o x$capabilities = xnative; then
 $as_echo "#define CAPABILITIES /**/" >>confdefs.h
 
 fi
+if test x$log_thread_ids = xtrue; then
+
+$as_echo "#define USE_THREAD_IDS /**/" >>confdefs.h
+
+fi
 if test x$monolithic = xtrue; then
 
 $as_echo "#define MONOLITHIC /**/" >>confdefs.h
@@ -24543,7 +24917,7 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/p_cscf/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/perl/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile"
 
 
 # =================
@@ -24711,6 +25085,10 @@ if test -z "${PYTHON_EGGS_INSTALL_TRUE}" && test -z "${PYTHON_EGGS_INSTALL_FALSE
   as_fn_error $? "conditional \"PYTHON_EGGS_INSTALL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${PERL_CPAN_INSTALL_TRUE}" && test -z "${PERL_CPAN_INSTALL_FALSE}"; then
+  as_fn_error $? "conditional \"PERL_CPAN_INSTALL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_TEST_VECTORS_TRUE}" && test -z "${USE_TEST_VECTORS_FALSE}"; then
   as_fn_error $? "conditional \"USE_TEST_VECTORS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24947,6 +25325,10 @@ if test -z "${USE_OSX_ATTR_TRUE}" && test -z "${USE_OSX_ATTR_FALSE}"; then
   as_fn_error $? "conditional \"USE_OSX_ATTR\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_P_CSCF_TRUE}" && test -z "${USE_P_CSCF_FALSE}"; then
+  as_fn_error $? "conditional \"USE_P_CSCF\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_ANDROID_DNS_TRUE}" && test -z "${USE_ANDROID_DNS_FALSE}"; then
   as_fn_error $? "conditional \"USE_ANDROID_DNS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24991,6 +25373,18 @@ if test -z "${USE_HA_TRUE}" && test -z "${USE_HA_FALSE}"; then
   as_fn_error $? "conditional \"USE_HA\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_NETLINK\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_PFKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_PFROUTE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_KERNEL_LIBIPSEC_TRUE}" && test -z "${USE_KERNEL_LIBIPSEC_FALSE}"; then
   as_fn_error $? "conditional \"USE_KERNEL_LIBIPSEC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -25255,18 +25649,6 @@ if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then
   as_fn_error $? "conditional \"USE_ATTR_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
-  as_fn_error $? "conditional \"USE_KERNEL_NETLINK\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
-if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
-  as_fn_error $? "conditional \"USE_KERNEL_PFKEY\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
-if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}"; then
-  as_fn_error $? "conditional \"USE_KERNEL_PFROUTE\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
   as_fn_error $? "conditional \"USE_LEAK_DETECTIVE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -25343,10 +25725,6 @@ if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}";
   as_fn_error $? "conditional \"USE_LIBSTRONGSWAN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_LIBHYDRA_TRUE}" && test -z "${USE_LIBHYDRA_FALSE}"; then
-  as_fn_error $? "conditional \"USE_LIBHYDRA\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_LIBCHARON_TRUE}" && test -z "${USE_LIBCHARON_FALSE}"; then
   as_fn_error $? "conditional \"USE_LIBCHARON\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -25459,6 +25837,10 @@ if test -z "${USE_PYTHON_EGGS_TRUE}" && test -z "${USE_PYTHON_EGGS_FALSE}"; then
   as_fn_error $? "conditional \"USE_PYTHON_EGGS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_PERL_CPAN_TRUE}" && test -z "${USE_PERL_CPAN_FALSE}"; then
+  as_fn_error $? "conditional \"USE_PERL_CPAN\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_PY_TEST_TRUE}" && test -z "${USE_PY_TEST_FALSE}"; then
   as_fn_error $? "conditional \"USE_PY_TEST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -25860,7 +26242,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.3.5, which was
+This file was extended by strongSwan $as_me 5.4.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -25926,7 +26308,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.3.5
+strongSwan config.status 5.4.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -26399,11 +26781,6 @@ do
     "src/libstrongswan/plugins/bliss/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/bliss/tests/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
     "src/libstrongswan/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/tests/Makefile" ;;
-    "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
-    "src/libhydra/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_netlink/Makefile" ;;
-    "src/libhydra/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfkey/Makefile" ;;
-    "src/libhydra/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfroute/Makefile" ;;
-    "src/libhydra/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/tests/Makefile" ;;
     "src/libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libipsec/Makefile" ;;
     "src/libipsec/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libipsec/tests/Makefile" ;;
     "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
@@ -26479,6 +26856,9 @@ do
     "src/libcharon/plugins/unity/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unity/Makefile" ;;
     "src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
     "src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
+    "src/libcharon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_netlink/Makefile" ;;
+    "src/libcharon/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_pfkey/Makefile" ;;
+    "src/libcharon/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_pfroute/Makefile" ;;
     "src/libcharon/plugins/kernel_libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_libipsec/Makefile" ;;
     "src/libcharon/plugins/kernel_wfp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_wfp/Makefile" ;;
     "src/libcharon/plugins/kernel_iph/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_iph/Makefile" ;;
@@ -26493,12 +26873,14 @@ do
     "src/libcharon/plugins/coupling/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/coupling/Makefile" ;;
     "src/libcharon/plugins/radattr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/radattr/Makefile" ;;
     "src/libcharon/plugins/osx_attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/osx_attr/Makefile" ;;
+    "src/libcharon/plugins/p_cscf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/p_cscf/Makefile" ;;
     "src/libcharon/plugins/android_dns/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_dns/Makefile" ;;
     "src/libcharon/plugins/android_log/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android_log/Makefile" ;;
     "src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;;
     "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
     "src/libcharon/plugins/vici/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/Makefile" ;;
     "src/libcharon/plugins/vici/ruby/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/ruby/Makefile" ;;
+    "src/libcharon/plugins/vici/perl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/perl/Makefile" ;;
     "src/libcharon/plugins/vici/python/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/python/Makefile" ;;
     "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;;
     "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;;
@@ -27923,8 +28305,6 @@ $as_echo "-----------------------------------------------------" >&6; }
 $as_echo "libstrongswan:$s_plugins" >&6; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: libcharon:    $c_plugins" >&5
 $as_echo "libcharon:    $c_plugins" >&6; }
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: libhydra:     $h_plugins" >&5
-$as_echo "libhydra:     $h_plugins" >&6; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: libtnccs:     $t_plugins" >&5
 $as_echo "libtnccs:     $t_plugins" >&6; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
diff --git a/configure.ac b/configure.ac
index ea6bddb7d..9486907a2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.3.5])
+AC_INIT([strongSwan],[5.4.0])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -221,13 +221,14 @@ ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
 ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
 ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
-ARG_ENABL_SET([vici],           [enable strongSwan IKE generic IPC interface plugin.])
+ARG_DISBL_SET([vici],           [disable strongSwan IKE generic IPC interface plugin.])
 # attribute provider/consumer plugins
 ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
 ARG_DISBL_SET([attr],           [disable strongswan.conf based configuration attribute plugin.])
 ARG_ENABL_SET([attr-sql],       [enable SQL based configuration attribute plugin.])
 ARG_ENABL_SET([dhcp],           [enable DHCP based attribute provider plugin.])
 ARG_ENABL_SET([osx-attr],       [enable OS X SystemConfiguration attribute handler.])
+ARG_ENABL_SET([p-cscf],         [enable plugin to request P-CSCF server addresses from an ePDG.])
 ARG_DISBL_SET([resolve],        [disable resolve DNS handler plugin.])
 ARG_ENABL_SET([unity],          [enables Cisco Unity extension plugin.])
 # TNC modules/plugins
@@ -284,7 +285,7 @@ ARG_DISBL_SET([scepclient],     [disable SCEP client tool.])
 ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
 ARG_ENABL_SET([svc],            [enable charon Windows service.])
 ARG_ENABL_SET([systemd],        [enable systemd specific IKE daemon charon-systemd.])
-ARG_ENABL_SET([swanctl],        [enable swanctl configuration and control tool.])
+ARG_DISBL_SET([swanctl],        [disable swanctl configuration and control tool.])
 ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
 # optional features
 ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
@@ -299,10 +300,13 @@ ARG_ENABL_SET([ruby-gems],      [enable build of provided ruby gems.])
 ARG_ENABL_SET([ruby-gems-install],[enable installation of provided ruby gems.])
 ARG_ENABL_SET([python-eggs],    [enable build of provided python eggs.])
 ARG_ENABL_SET([python-eggs-install],[enable installation of provided python eggs.])
+ARG_ENABL_SET([perl-cpan],      [enable build of provided perl CPAN module.])
+ARG_ENABL_SET([perl-cpan-install],[enable installation of provided CPAN module.])
 # compile options
 ARG_ENABL_SET([coverage],       [enable lcov coverage report generation.])
 ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
 ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
+ARG_ENABL_SET([log-thread-ids], [use thread ID, if available, instead of an incremented value starting from 1, to identify threads.])
 ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
 
 # ===================================
@@ -447,6 +451,10 @@ if test x$python_eggs_install = xtrue; then
 	python_eggs=true
 fi
 
+if test x$perl_cpan_install = xtrue; then
+	perl_cpan=true
+fi
+
 # ===========================================
 #  check required libraries and header files
 # ===========================================
@@ -935,13 +943,16 @@ if test x$systemd = xtrue; then
 		AC_MSG_ERROR([not found (try --with-systemdsystemunitdir)])
 	fi
 
-	PKG_CHECK_MODULES(systemd_daemon, [libsystemd-daemon])
-	AC_SUBST(systemd_daemon_CFLAGS)
-	AC_SUBST(systemd_daemon_LIBS)
-
-	PKG_CHECK_MODULES(systemd_journal, [libsystemd-journal])
-	AC_SUBST(systemd_journal_CFLAGS)
-	AC_SUBST(systemd_journal_LIBS)
+	PKG_CHECK_MODULES(systemd, [libsystemd >= 209],
+		[AC_SUBST(systemd_CFLAGS)
+		 AC_SUBST(systemd_LIBS)],
+		[PKG_CHECK_MODULES(systemd_daemon, [libsystemd-daemon])
+		 AC_SUBST(systemd_daemon_CFLAGS)
+		 AC_SUBST(systemd_daemon_LIBS)
+		 PKG_CHECK_MODULES(systemd_journal, [libsystemd-journal])
+		 AC_SUBST(systemd_journal_CFLAGS)
+		 AC_SUBST(systemd_journal_LIBS)]
+	)
 fi
 
 if test x$tss = xtrousers; then
@@ -1063,7 +1074,8 @@ if test x$sqlite = xtrue; then
 fi
 
 if test x$openssl = xtrue; then
-	AC_CHECK_LIB([$openssl_lib],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL lib$openssl_lib not found])],[])
+	AC_CHECK_LIB([$openssl_lib],[main],[LIBS="$LIBS"],
+				 [AC_MSG_ERROR([OpenSSL lib$openssl_lib not found])],[$DLLIB])
 	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
 fi
 
@@ -1247,6 +1259,8 @@ if test x$python_eggs = xtrue; then
 fi
 AM_CONDITIONAL(PYTHON_EGGS_INSTALL, [test "x$python_eggs_install" = xtrue])
 
+AM_CONDITIONAL(PERL_CPAN_INSTALL, [test "x$perl_cpan_install" = xtrue])
+
 # ===============================================
 #  collect plugin list for strongSwan components
 # ===============================================
@@ -1268,9 +1282,8 @@ cmd_plugins=
 aikgen_plugins=
 
 # location specific lists for checksumming,
-# for src/libcharon, src/libhydra, src/libstrongswan and src/libtnccs
+# for src/libcharon, src/libstrongswan and src/libtnccs
 c_plugins=
-h_plugins=
 s_plugins=
 t_plugins=
 
@@ -1283,9 +1296,9 @@ ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([blowfish],             [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([rc2],                  [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([sha2],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([sha3],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([md4],                  [s charon scepclient pki nm cmd])
 ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd aikgen])
 ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
@@ -1335,9 +1348,9 @@ ADD_PLUGIN([load-tester],          [c charon])
 ADD_PLUGIN([kernel-libipsec],      [c charon cmd])
 ADD_PLUGIN([kernel-wfp],           [c charon])
 ADD_PLUGIN([kernel-iph],           [c charon])
-ADD_PLUGIN([kernel-pfkey],         [h charon starter nm cmd])
-ADD_PLUGIN([kernel-pfroute],       [h charon starter nm cmd])
-ADD_PLUGIN([kernel-netlink],       [h charon starter nm cmd])
+ADD_PLUGIN([kernel-pfkey],         [c charon starter nm cmd])
+ADD_PLUGIN([kernel-pfroute],       [c charon starter nm cmd])
+ADD_PLUGIN([kernel-netlink],       [c charon starter nm cmd])
 ADD_PLUGIN([resolve],              [c charon cmd])
 ADD_PLUGIN([socket-default],       [c charon nm cmd])
 ADD_PLUGIN([socket-dynamic],       [c charon cmd])
@@ -1384,6 +1397,7 @@ ADD_PLUGIN([medsrv],               [c charon])
 ADD_PLUGIN([medcli],               [c charon])
 ADD_PLUGIN([dhcp],                 [c charon])
 ADD_PLUGIN([osx-attr],             [c charon cmd])
+ADD_PLUGIN([p-cscf],               [c charon cmd])
 ADD_PLUGIN([android-dns],          [c charon])
 ADD_PLUGIN([android-log],          [c charon])
 ADD_PLUGIN([ha],                   [c charon])
@@ -1488,6 +1502,7 @@ AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
 AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
 AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
 AM_CONDITIONAL(USE_OSX_ATTR, test x$osx_attr = xtrue)
+AM_CONDITIONAL(USE_P_CSCF, test x$p_cscf = xtrue)
 AM_CONDITIONAL(USE_ANDROID_DNS, test x$android_dns = xtrue)
 AM_CONDITIONAL(USE_ANDROID_LOG, test x$android_log = xtrue)
 AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
@@ -1499,6 +1514,9 @@ AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
 AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
 AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
 AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
+AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
 AM_CONDITIONAL(USE_KERNEL_LIBIPSEC, test x$kernel_libipsec = xtrue)
 AM_CONDITIONAL(USE_KERNEL_WFP, test x$kernel_wfp = xtrue)
 AM_CONDITIONAL(USE_KERNEL_IPH, test x$kernel_iph = xtrue)
@@ -1566,12 +1584,6 @@ AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
 AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
 AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
 
-#  hydra plugins
-# ---------------
-AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
-AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
-AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
-
 #  other options
 # ---------------
 AM_CONDITIONAL(USE_LEAK_DETECTIVE, test x$leak_detective = xtrue)
@@ -1593,7 +1605,6 @@ AM_CONDITIONAL(USE_SCEPCLIENT, test x$scepclient = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
-AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
 AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
@@ -1622,6 +1633,7 @@ AM_CONDITIONAL(USE_SYSTEMD, test x$systemd = xtrue)
 AM_CONDITIONAL(USE_LEGACY_SYSTEMD, test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno)
 AM_CONDITIONAL(USE_RUBY_GEMS, test x$ruby_gems = xtrue)
 AM_CONDITIONAL(USE_PYTHON_EGGS, test x$python_eggs = xtrue)
+AM_CONDITIONAL(USE_PERL_CPAN, test x$perl_cpan = xtrue)
 AM_CONDITIONAL(USE_PY_TEST, test "x$PY_TEST" != x)
 
 # ========================
@@ -1634,6 +1646,9 @@ fi
 if test x$capabilities = xlibcap -o x$capabilities = xnative; then
 	AC_DEFINE([CAPABILITIES], [], [capability dropping support])
 fi
+if test x$log_thread_ids = xtrue; then
+	AC_DEFINE([USE_THREAD_IDS], [], [use thread ID for thread identification, if available])
+fi
 if test x$monolithic = xtrue; then
 	AC_DEFINE([MONOLITHIC], [], [monolithic build embedding plugins])
 fi
@@ -1735,11 +1750,6 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/bliss/tests/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libstrongswan/tests/Makefile
-	src/libhydra/Makefile
-	src/libhydra/plugins/kernel_netlink/Makefile
-	src/libhydra/plugins/kernel_pfkey/Makefile
-	src/libhydra/plugins/kernel_pfroute/Makefile
-	src/libhydra/tests/Makefile
 	src/libipsec/Makefile
 	src/libipsec/tests/Makefile
 	src/libsimaka/Makefile
@@ -1815,6 +1825,9 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/unity/Makefile
 	src/libcharon/plugins/uci/Makefile
 	src/libcharon/plugins/ha/Makefile
+	src/libcharon/plugins/kernel_netlink/Makefile
+	src/libcharon/plugins/kernel_pfkey/Makefile
+	src/libcharon/plugins/kernel_pfroute/Makefile
 	src/libcharon/plugins/kernel_libipsec/Makefile
 	src/libcharon/plugins/kernel_wfp/Makefile
 	src/libcharon/plugins/kernel_iph/Makefile
@@ -1829,12 +1842,14 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/coupling/Makefile
 	src/libcharon/plugins/radattr/Makefile
 	src/libcharon/plugins/osx_attr/Makefile
+	src/libcharon/plugins/p_cscf/Makefile
 	src/libcharon/plugins/android_dns/Makefile
 	src/libcharon/plugins/android_log/Makefile
 	src/libcharon/plugins/maemo/Makefile
 	src/libcharon/plugins/stroke/Makefile
 	src/libcharon/plugins/vici/Makefile
 	src/libcharon/plugins/vici/ruby/Makefile
+	src/libcharon/plugins/vici/perl/Makefile
 	src/libcharon/plugins/vici/python/Makefile
 	src/libcharon/plugins/updown/Makefile
 	src/libcharon/plugins/dhcp/Makefile
@@ -1908,6 +1923,5 @@ AC_MSG_RESULT([-----------------------------------------------------])
 
 AC_MSG_RESULT([libstrongswan:$s_plugins])
 AC_MSG_RESULT([libcharon:    $c_plugins])
-AC_MSG_RESULT([libhydra:     $h_plugins])
 AC_MSG_RESULT([libtnccs:     $t_plugins])
 AC_MSG_RESULT([])
diff --git a/init/Makefile.in b/init/Makefile.in
index 883d42403..72ee05912 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -391,6 +391,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/init/systemd-swanctl/Makefile.in b/init/systemd-swanctl/Makefile.in
index 28cedbda8..0c5f5ce18 100644
--- a/init/systemd-swanctl/Makefile.in
+++ b/init/systemd-swanctl/Makefile.in
@@ -359,6 +359,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/init/systemd-swanctl/strongswan-swanctl.service.in b/init/systemd-swanctl/strongswan-swanctl.service.in
index 818d352d5..944101faf 100644
--- a/init/systemd-swanctl/strongswan-swanctl.service.in
+++ b/init/systemd-swanctl/strongswan-swanctl.service.in
@@ -7,3 +7,6 @@ Type=notify
 ExecStart=@SBINDIR@/charon-systemd
 ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
 ExecReload=@SBINDIR@/swanctl --reload
+
+[Install]
+WantedBy=multi-user.target
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index 808023eb2..ab7d64766 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -359,6 +359,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/man/Makefile.in b/man/Makefile.in
index 501361003..5f621c201 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -365,6 +365,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 61804c8b3..54440c0c7 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -402,7 +402,7 @@ or
 keyword may be used, AH+ESP bundles are not supported.
 
 Defaults to
-.BR aes128-sha1,3des-sha1 .
+.BR aes128-sha256 .
 The daemon adds its extensive default proposal to this default
 or the configured value.  To restrict it to the configured proposal an
 exclamation mark
@@ -453,7 +453,7 @@ if required.
 .BR ike " = <cipher suites>"
 comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
 to be used, e.g.
-.BR aes128-sha1-modp2048 .
+.BR aes128-sha256-modp3072 .
 The notation is
 .BR encryption-integrity[-prf]-dhgroup .
 If no PRF is given, the algorithms defined for integrity are used for the PRF.
@@ -466,10 +466,10 @@ or
 .BR prfaesxcbc ).
 .br
 In IKEv2, multiple algorithms and proposals may be included, such as
-.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
+.BR aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024 .
 
 Defaults to
-.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
+.BR aes128-sha256-modp3072 .
 The daemon adds its extensive default proposal to this
 default or the configured value.  To restrict it to the configured proposal an
 exclamation mark
@@ -587,18 +587,23 @@ or a key strength definition (for example
 or
 .BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
 Unless disabled in
-.BR strongswan.conf (5)
-such key types and hash algorithms are also applied as constraints against IKEv2
+.BR strongswan.conf (5),
+or explicit IKEv2 signature constraints are configured (see below), such key
+types and hash algorithms are also applied as constraints against IKEv2
 signature authentication schemes used by the remote side.
 
 If both peers support RFC 7427 ("Signature Authentication in IKEv2") specific
 hash algorithms to be used during IKEv2 authentication may be configured.
-The syntax is the same as above. For example, with
-.B pubkey-sha384-sha256
+The syntax is the same as above, but with ike: prefix. For example, with
+.B ike:pubkey-sha384-sha256
 a public key signature scheme with either SHA-384 or SHA-256 would get used for
 authentication, in that order and depending on the hash algorithms supported by
 the peer.  If no specific hash algorithms are configured, the default is to
 prefer an algorithm that matches or exceeds the strength of the signature key.
+If no constraints with ike: prefix are configured any signature scheme
+constraint (without ike: prefix) will also apply to IKEv2 authentication, unless
+this is disabled in
+.BR strongswan.conf (5).
 
 For
 .BR eap ,
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index bdb8e5ffc..15e90064c 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -474,6 +474,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/Makefile.am b/src/Makefile.am
index 9608a3a13..a9df10cc6 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -4,10 +4,6 @@ if USE_LIBSTRONGSWAN
   SUBDIRS += libstrongswan
 endif
 
-if USE_LIBHYDRA
-  SUBDIRS += libhydra
-endif
-
 if USE_LIBIPSEC
   SUBDIRS += libipsec
 endif
diff --git a/src/Makefile.in b/src/Makefile.in
index 7596e7e55..1d012fb22 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -78,39 +78,38 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 @USE_LIBSTRONGSWAN_TRUE@am__append_1 = libstrongswan
-@USE_LIBHYDRA_TRUE@am__append_2 = libhydra
-@USE_LIBIPSEC_TRUE@am__append_3 = libipsec
-@USE_SIMAKA_TRUE@am__append_4 = libsimaka
-@USE_TLS_TRUE@am__append_5 = libtls
-@USE_RADIUS_TRUE@am__append_6 = libradius
-@USE_LIBTNCIF_TRUE@am__append_7 = libtncif
-@USE_LIBTNCCS_TRUE@am__append_8 = libtnccs
-@USE_LIBPTTLS_TRUE@am__append_9 = libpttls
-@USE_IMCV_TRUE@am__append_10 = libimcv
-@USE_LIBCHARON_TRUE@am__append_11 = libcharon
-@USE_FILE_CONFIG_TRUE@am__append_12 = starter
-@USE_IPSEC_SCRIPT_TRUE@am__append_13 = ipsec _copyright
-@USE_CHARON_TRUE@am__append_14 = charon
-@USE_SYSTEMD_TRUE@am__append_15 = charon-systemd
-@USE_NM_TRUE@am__append_16 = charon-nm
-@USE_STROKE_TRUE@am__append_17 = stroke
-@USE_UPDOWN_TRUE@am__append_18 = _updown
-@USE_SCEPCLIENT_TRUE@am__append_19 = scepclient
-@USE_PKI_TRUE@am__append_20 = pki
-@USE_SWANCTL_TRUE@am__append_21 = swanctl
-@USE_CONFTEST_TRUE@am__append_22 = conftest
-@USE_DUMM_TRUE@am__append_23 = dumm
-@USE_FAST_TRUE@am__append_24 = libfast
-@USE_MANAGER_TRUE@am__append_25 = manager
-@USE_MEDSRV_TRUE@am__append_26 = medsrv
-@USE_ATTR_SQL_TRUE@am__append_27 = pool
-@USE_ATTR_SQL_FALSE@@USE_SQL_TRUE@am__append_28 = pool
-@USE_TKM_TRUE@am__append_29 = charon-tkm
-@USE_CMD_TRUE@am__append_30 = charon-cmd
-@USE_SVC_TRUE@am__append_31 = charon-svc
-@USE_LIBPTTLS_TRUE@am__append_32 = pt-tls-client
-@USE_INTEGRITY_TEST_TRUE@am__append_33 = checksum
-@USE_AIKGEN_TRUE@am__append_34 = aikgen
+@USE_LIBIPSEC_TRUE@am__append_2 = libipsec
+@USE_SIMAKA_TRUE@am__append_3 = libsimaka
+@USE_TLS_TRUE@am__append_4 = libtls
+@USE_RADIUS_TRUE@am__append_5 = libradius
+@USE_LIBTNCIF_TRUE@am__append_6 = libtncif
+@USE_LIBTNCCS_TRUE@am__append_7 = libtnccs
+@USE_LIBPTTLS_TRUE@am__append_8 = libpttls
+@USE_IMCV_TRUE@am__append_9 = libimcv
+@USE_LIBCHARON_TRUE@am__append_10 = libcharon
+@USE_FILE_CONFIG_TRUE@am__append_11 = starter
+@USE_IPSEC_SCRIPT_TRUE@am__append_12 = ipsec _copyright
+@USE_CHARON_TRUE@am__append_13 = charon
+@USE_SYSTEMD_TRUE@am__append_14 = charon-systemd
+@USE_NM_TRUE@am__append_15 = charon-nm
+@USE_STROKE_TRUE@am__append_16 = stroke
+@USE_UPDOWN_TRUE@am__append_17 = _updown
+@USE_SCEPCLIENT_TRUE@am__append_18 = scepclient
+@USE_PKI_TRUE@am__append_19 = pki
+@USE_SWANCTL_TRUE@am__append_20 = swanctl
+@USE_CONFTEST_TRUE@am__append_21 = conftest
+@USE_DUMM_TRUE@am__append_22 = dumm
+@USE_FAST_TRUE@am__append_23 = libfast
+@USE_MANAGER_TRUE@am__append_24 = manager
+@USE_MEDSRV_TRUE@am__append_25 = medsrv
+@USE_ATTR_SQL_TRUE@am__append_26 = pool
+@USE_ATTR_SQL_FALSE@@USE_SQL_TRUE@am__append_27 = pool
+@USE_TKM_TRUE@am__append_28 = charon-tkm
+@USE_CMD_TRUE@am__append_29 = charon-cmd
+@USE_SVC_TRUE@am__append_30 = charon-svc
+@USE_LIBPTTLS_TRUE@am__append_31 = pt-tls-client
+@USE_INTEGRITY_TEST_TRUE@am__append_32 = checksum
+@USE_AIKGEN_TRUE@am__append_33 = aikgen
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -184,12 +183,12 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
-	libtls libradius libtncif libtnccs libpttls libimcv libcharon \
-	starter ipsec _copyright charon charon-systemd charon-nm \
-	stroke _updown scepclient pki swanctl conftest dumm libfast \
-	manager medsrv pool charon-tkm charon-cmd charon-svc \
-	pt-tls-client checksum aikgen
+DIST_SUBDIRS = . include libstrongswan libipsec libsimaka libtls \
+	libradius libtncif libtnccs libpttls libimcv libcharon starter \
+	ipsec _copyright charon charon-systemd charon-nm stroke \
+	_updown scepclient pki swanctl conftest dumm libfast manager \
+	medsrv pool charon-tkm charon-cmd charon-svc pt-tls-client \
+	checksum aikgen
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -428,6 +427,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -451,8 +452,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_22) $(am__append_23) $(am__append_24) \
 	$(am__append_25) $(am__append_26) $(am__append_27) \
 	$(am__append_28) $(am__append_29) $(am__append_30) \
-	$(am__append_31) $(am__append_32) $(am__append_33) \
-	$(am__append_34)
+	$(am__append_31) $(am__append_32) $(am__append_33)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 2a4838c9a..432bde59b 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -382,6 +382,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index fe31dff64..08fce3e2c 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -359,6 +359,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in
index 33ed13397..8fb9126e5 100644
--- a/src/aikgen/Makefile.in
+++ b/src/aikgen/Makefile.in
@@ -385,6 +385,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/charon-cmd/Makefile.am b/src/charon-cmd/Makefile.am
index 73df45072..1f4033aad 100644
--- a/src/charon-cmd/Makefile.am
+++ b/src/charon-cmd/Makefile.am
@@ -12,7 +12,6 @@ charon-cmd.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -20,6 +19,5 @@ AM_CPPFLAGS = \
 
 charon_cmd_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index 64dea34c7..f48410270 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -109,7 +109,6 @@ charon_cmd_OBJECTS = $(am_charon_cmd_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_cmd_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -419,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -442,7 +443,6 @@ charon_cmd_SOURCES = \
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -450,7 +450,6 @@ AM_CPPFLAGS = \
 
 charon_cmd_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
 
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index d3b31cc0d..f350198c6 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -26,7 +26,6 @@
 #include <errno.h>
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 #include <utils/backtrace.h>
 #include <threading/thread.h>
@@ -330,11 +329,6 @@ int main(int argc, char *argv[])
 			exit(SS_RC_DAEMON_INTEGRITY);
 		}
 	}
-	atexit(libhydra_deinit);
-	if (!libhydra_init())
-	{
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
 	atexit(libcharon_deinit);
 	if (!libcharon_init())
 	{
diff --git a/src/charon-nm/Makefile.am b/src/charon-nm/Makefile.am
index d3630ffd5..b6f0c8b54 100644
--- a/src/charon-nm/Makefile.am
+++ b/src/charon-nm/Makefile.am
@@ -9,7 +9,6 @@ charon_nm_SOURCES = \
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -21,6 +20,5 @@ AM_CFLAGS = \
 
 charon_nm_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB) ${nm_LIBS}
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 82f6fbcb2..490a08023 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -109,7 +109,6 @@ charon_nm_OBJECTS = $(am_charon_nm_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_nm_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
@@ -390,6 +389,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -412,7 +413,6 @@ charon_nm_SOURCES = \
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -424,7 +424,6 @@ AM_CFLAGS = \
 
 charon_nm_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB) ${nm_LIBS}
 
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index fb090e5d3..cbbed7ac1 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -20,7 +20,6 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <hydra.h>
 #include <daemon.h>
 
 #include <library.h>
@@ -177,14 +176,6 @@ int main(int argc, char *argv[])
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
 
-	if (!libhydra_init())
-	{
-		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
-		libhydra_deinit();
-		library_deinit();
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-
 	if (!libcharon_init())
 	{
 		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
@@ -212,7 +203,6 @@ int main(int argc, char *argv[])
 	{
 		DBG1(DBG_DMN, "integrity tests enabled:");
 		DBG1(DBG_DMN, "lib    'libstrongswan': passed file and segment integrity tests");
-		DBG1(DBG_DMN, "lib    'libhydra': passed file and segment integrity tests");
 		DBG1(DBG_DMN, "lib    'libcharon': passed file and segment integrity tests");
 		DBG1(DBG_DMN, "daemon 'charon-nm': passed file integrity test");
 	}
@@ -260,7 +250,6 @@ int main(int argc, char *argv[])
 
 deinit:
 	libcharon_deinit();
-	libhydra_deinit();
 	library_deinit();
 	return status;
 }
diff --git a/src/charon-svc/Makefile.am b/src/charon-svc/Makefile.am
index ecccf02f5..c91ad08f8 100644
--- a/src/charon-svc/Makefile.am
+++ b/src/charon-svc/Makefile.am
@@ -6,11 +6,9 @@ charon-svc.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
 charon_svc_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la
diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in
index 1c0a4058d..4f9143d9b 100644
--- a/src/charon-svc/Makefile.in
+++ b/src/charon-svc/Makefile.in
@@ -105,7 +105,6 @@ am_charon_svc_OBJECTS = charon-svc.$(OBJEXT)
 charon_svc_OBJECTS = $(am_charon_svc_OBJECTS)
 charon_svc_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -384,6 +383,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -400,13 +401,11 @@ xml_LIBS = @xml_LIBS@
 charon_svc_SOURCES = charon-svc.c
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
 charon_svc_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la
 
 all: all-am
diff --git a/src/charon-svc/charon-svc.c b/src/charon-svc/charon-svc.c
index 03cbdb871..823b366c0 100644
--- a/src/charon-svc/charon-svc.c
+++ b/src/charon-svc/charon-svc.c
@@ -14,7 +14,6 @@
  */
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 
 #include <utils/backtrace.h>
@@ -190,6 +189,15 @@ static int service_wait()
 }
 
 /**
+ * Add namespace alias
+ */
+static void __attribute__ ((constructor))register_namespace()
+{
+	/* inherit settings from charon */
+	library_add_namespace("charon");
+}
+
+/**
  * Initialize and run charon using a wait function
  */
 static void init_and_run(DWORD dwArgc, LPTSTR *lpszArgv, int (*wait)())
@@ -210,28 +218,22 @@ static void init_and_run(DWORD dwArgc, LPTSTR *lpszArgv, int (*wait)())
 		if (library_init(NULL, SERVICE_NAME))
 		{
 			update_status(SERVICE_START_PENDING);
-			if (libhydra_init())
+			if (libcharon_init())
 			{
+				charon->load_loggers(charon, levels, TRUE);
+				print_version();
 				update_status(SERVICE_START_PENDING);
-				if (libcharon_init())
+				if (charon->initialize(charon, PLUGINS))
 				{
-					charon->load_loggers(charon, levels, TRUE);
-					print_version();
 					update_status(SERVICE_START_PENDING);
-					if (charon->initialize(charon, PLUGINS))
-					{
-						update_status(SERVICE_START_PENDING);
-						lib->plugins->status(lib->plugins, LEVEL_CTRL);
+					lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
-						charon->start(charon);
+					charon->start(charon);
 
-						status.dwWin32ExitCode = wait();
-					}
-					update_status(SERVICE_STOP_PENDING);
-					libcharon_deinit();
+					status.dwWin32ExitCode = wait();
 				}
 				update_status(SERVICE_STOP_PENDING);
-				libhydra_deinit();
+				libcharon_deinit();
 			}
 			update_status(SERVICE_STOP_PENDING);
 			library_deinit();
diff --git a/src/charon-systemd/Makefile.am b/src/charon-systemd/Makefile.am
index 1b9ac150f..9942a3682 100644
--- a/src/charon-systemd/Makefile.am
+++ b/src/charon-systemd/Makefile.am
@@ -7,13 +7,11 @@ charon-systemd.o :	$(top_builddir)/config.status
 
 charon_systemd_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
-	$(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
+	$(systemd_CFLAGS) $(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
 	-DPLUGINS=\""${charon_plugins}\""
 
 charon_systemd_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
-	$(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
+	$(systemd_LIBS) $(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in
index d6e1c471c..b4f624d45 100644
--- a/src/charon-systemd/Makefile.in
+++ b/src/charon-systemd/Makefile.in
@@ -106,10 +106,10 @@ charon_systemd_OBJECTS = $(am_charon_systemd_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_systemd_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
@@ -387,6 +387,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -405,16 +407,14 @@ charon-systemd.c
 
 charon_systemd_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
-	$(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
+	$(systemd_CFLAGS) $(systemd_daemon_CFLAGS) $(systemd_journal_CFLAGS) \
 	-DPLUGINS=\""${charon_plugins}\""
 
 charon_systemd_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
-	$(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
+	$(systemd_LIBS) $(systemd_daemon_LIBS) $(systemd_journal_LIBS) -lm $(PTHREADLIB) $(DLLIB)
 
 all: all-am
 
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
index 4286cde82..5c7bbd779 100644
--- a/src/charon-systemd/charon-systemd.c
+++ b/src/charon-systemd/charon-systemd.c
@@ -31,7 +31,6 @@
 #include <systemd/sd-daemon.h>
 #include <systemd/sd-journal.h>
 
-#include <hydra.h>
 #include <daemon.h>
 
 #include <library.h>
@@ -326,6 +325,15 @@ static plugin_feature_t features[] = {
 };
 
 /**
+ * Add namespace alias
+ */
+static void __attribute__ ((constructor))register_namespace()
+{
+	/* inherit settings from charon */
+	library_add_namespace("charon");
+}
+
+/**
  * Main function, starts the daemon.
  */
 int main(int argc, char *argv[])
@@ -355,12 +363,6 @@ int main(int argc, char *argv[])
 		sd_notifyf(0, "STATUS=integrity check of charon-systemd failed");
 		return SS_RC_INITIALIZATION_FAILED;
 	}
-	atexit(libhydra_deinit);
-	if (!libhydra_init())
-	{
-		sd_notifyf(0, "STATUS=libhydra initialization failed");
-		return SS_RC_INITIALIZATION_FAILED;
-	}
 	atexit(libcharon_deinit);
 	if (!libcharon_init())
 	{
diff --git a/src/charon-tkm/Makefile.am b/src/charon-tkm/Makefile.am
index d2b81a3ea..ad54eafc0 100644
--- a/src/charon-tkm/Makefile.am
+++ b/src/charon-tkm/Makefile.am
@@ -4,15 +4,13 @@ OBJ = $(abs_top_builddir)/src
 AM_CPPFLAGS = \
 	-include $(abs_top_builddir)/config.h \
 	-I$(SRC)/libstrongswan \
-	-I$(SRC)/libhydra \
 	-I$(SRC)/libcharon
 
 LIBLD = \
 	-L$(OBJ)/libstrongswan/.libs \
-	-L$(OBJ)/libhydra/.libs \
 	-L$(OBJ)/libcharon/.libs
-LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libhydra/.libs:$(OBJ)/libcharon/.libs
-LIBFL = -lstrongswan -lhydra -lcharon
+LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libcharon/.libs
+LIBFL = -lstrongswan -lcharon
 
 DEFS += -DPLUGINS=\""$(PLUGINS)\"" -DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index bff198ab8..81afd4de5 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -329,6 +329,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -347,16 +349,14 @@ OBJ = $(abs_top_builddir)/src
 AM_CPPFLAGS = \
 	-include $(abs_top_builddir)/config.h \
 	-I$(SRC)/libstrongswan \
-	-I$(SRC)/libhydra \
 	-I$(SRC)/libcharon
 
 LIBLD = \
 	-L$(OBJ)/libstrongswan/.libs \
-	-L$(OBJ)/libhydra/.libs \
 	-L$(OBJ)/libcharon/.libs
 
-LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libhydra/.libs:$(OBJ)/libcharon/.libs
-LIBFL = -lstrongswan -lhydra -lcharon
+LIBPT = $(OBJ)/libstrongswan/.libs:$(OBJ)/libcharon/.libs
+LIBFL = -lstrongswan -lcharon
 BUILD_OPTS = \
 	-XOBJ_DIR=$(abs_builddir)/obj \
 	-cargs $(AM_CPPFLAGS) $(DEFS) \
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 3923c8ae6..13352e55a 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -26,7 +26,6 @@
 #include <libgen.h>
 #include <errno.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <library.h>
 #include <utils/backtrace.h>
@@ -256,14 +255,6 @@ int main(int argc, char *argv[])
 		exit(status);
 	}
 
-	if (!libhydra_init())
-	{
-		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
-		libhydra_deinit();
-		library_deinit();
-		exit(status);
-	}
-
 	if (!libcharon_init())
 	{
 		dbg_syslog(DBG_DMN, 1, "initialization failed - aborting %s", dmn_name);
@@ -391,7 +382,6 @@ int main(int argc, char *argv[])
 deinit:
 	destroy_dh_mapping();
 	libcharon_deinit();
-	libhydra_deinit();
 	library_deinit();
 	tkm_deinit();
 	return status;
diff --git a/src/charon-tkm/src/ees/ees_callbacks.c b/src/charon-tkm/src/ees/ees_callbacks.c
index 74c0d3618..f4107d90a 100644
--- a/src/charon-tkm/src/ees/ees_callbacks.c
+++ b/src/charon-tkm/src/ees/ees_callbacks.c
@@ -14,7 +14,7 @@
  * for more details.
  */
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <tkm/constants.h>
 #include <tkm/types.h>
@@ -25,8 +25,7 @@
 void charon_esa_acquire(result_type *res, const sp_id_type sp_id)
 {
 	DBG1(DBG_KNL, "ees: acquire received for reqid %u", sp_id);
-	hydra->kernel_interface->acquire(hydra->kernel_interface, sp_id, NULL,
-									 NULL);
+	charon->kernel->acquire(charon->kernel, sp_id, NULL, NULL);
 	*res = TKM_OK;
 }
 
@@ -47,6 +46,5 @@ void charon_esa_expire(result_type *res, const sp_id_type sp_id,
 
 	DBG1(DBG_KNL, "ees: expire received for reqid %u, spi %x, dst %H", sp_id,
 		 ntohl(spi_rem), dst);
-	hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
-									spi_rem, dst, hard != 0);
+	charon->kernel->expire(charon->kernel, protocol, spi_rem, dst, hard != 0);
 }
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
index d087bee3f..8bba1f9d9 100644
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -17,7 +17,6 @@
 #include <tests/test_suite.h>
 
 #include <daemon.h>
-#include <hydra.h>
 #include <config/proposal.h>
 #include <encoding/payloads/ike_header.h>
 #include <tkm/client.h>
diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c
index ac152b690..e3cd2d903 100644
--- a/src/charon-tkm/tests/tests.c
+++ b/src/charon-tkm/tests/tests.c
@@ -18,7 +18,6 @@
 #include <tests/test_runner.h>
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 
 #include "tkm.h"
@@ -50,7 +49,6 @@ static bool test_runner_init(bool init)
 
 	if (init)
 	{
-		libhydra_init();
 		libcharon_init();
 		lib->settings->set_int(lib->settings,
 							   "test-runner.filelog.stdout.default", 0);
@@ -74,8 +72,6 @@ static bool test_runner_init(bool init)
 
 		plugin_loader_add_plugindirs(BUILDDIR "/src/libstrongswan/plugins",
 									 PLUGINS);
-		plugin_loader_add_plugindirs(BUILDDIR "/src/libhydra/plugins",
-									 PLUGINS);
 		plugin_loader_add_plugindirs(BUILDDIR "/src/libcharon/plugins",
 									 PLUGINS);
 		if (charon->initialize(charon, PLUGINS))
@@ -95,7 +91,6 @@ static bool test_runner_init(bool init)
 
 	destroy_dh_mapping();
 	libcharon_deinit();
-	libhydra_deinit();
 	return result;
 }
 
diff --git a/src/charon/Android.mk b/src/charon/Android.mk
index 852d73c10..92a027094 100644
--- a/src/charon/Android.mk
+++ b/src/charon/Android.mk
@@ -8,7 +8,6 @@ charon.c
 # build charon -----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/libhydra \
 	$(strongswan_PATH)/src/libcharon \
 	$(strongswan_PATH)/src/libstrongswan
 
@@ -23,7 +22,7 @@ LOCAL_ARM_MODE := arm
 
 LOCAL_PRELINK_MODULE := false
 
-LOCAL_SHARED_LIBRARIES += libstrongswan libhydra libcharon
+LOCAL_SHARED_LIBRARIES += libstrongswan libcharon
 
 include $(BUILD_EXECUTABLE)
 
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 6c5b88eb8..c6a6f40f9 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -7,7 +7,6 @@ charon.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -15,7 +14,6 @@ AM_CPPFLAGS = \
 
 charon_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
 
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index e1cc5c202..b4abeff25 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -106,7 +106,6 @@ charon_OBJECTS = $(am_charon_OBJECTS)
 am__DEPENDENCIES_1 =
 charon_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -386,6 +385,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -404,7 +405,6 @@ charon.c
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\" \
@@ -412,7 +412,6 @@ AM_CPPFLAGS = \
 
 charon_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
 
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 4c2a9a477..116ce7e93 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -27,7 +27,6 @@
 #include <fcntl.h>
 #include <errno.h>
 
-#include <hydra.h>
 #include <daemon.h>
 
 #include <library.h>
@@ -309,14 +308,6 @@ int main(int argc, char *argv[])
 		exit(SS_RC_DAEMON_INTEGRITY);
 	}
 
-	if (!libhydra_init())
-	{
-		dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
-		libhydra_deinit();
-		library_deinit();
-		exit(SS_RC_INITIALIZATION_FAILED);
-	}
-
 	if (!libcharon_init())
 	{
 		dbg_stderr(DBG_DMN, 1, "initialization failed - aborting charon");
@@ -403,7 +394,6 @@ int main(int argc, char *argv[])
 	{
 		DBG1(DBG_DMN, "integrity tests enabled:");
 		DBG1(DBG_DMN, "lib    'libstrongswan': passed file and segment integrity tests");
-		DBG1(DBG_DMN, "lib    'libhydra': passed file and segment integrity tests");
 		DBG1(DBG_DMN, "lib    'libcharon': passed file and segment integrity tests");
 		DBG1(DBG_DMN, "daemon 'charon': passed file integrity test");
 	}
@@ -457,7 +447,6 @@ int main(int argc, char *argv[])
 
 deinit:
 	libcharon_deinit();
-	libhydra_deinit();
 	library_deinit();
 	return status;
 }
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index b358699d0..9cc5fb6b2 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -8,7 +8,6 @@ EXTRA_PROGRAMS = checksum_builder
 checksum_builder_SOURCES = checksum_builder.c
 checksum_builder_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(DLLIB)
 checksum_builder_LDFLAGS = -rpath '$(DESTDIR)$(ipseclibdir)'
@@ -17,7 +16,6 @@ CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\"
 
@@ -35,14 +33,6 @@ if !MONOLITHIC
   AM_CPPFLAGS += -DS_PLUGINS=\""${s_plugins}\""
 endif
 
-if USE_LIBHYDRA
-  deps += $(top_builddir)/src/libhydra/libhydra.la
-  libs += $(DESTDIR)$(ipseclibdir)/libhydra.so
-if !MONOLITHIC
-  AM_CPPFLAGS += -DH_PLUGINS=\""${h_plugins}\""
-endif
-endif
-
 if USE_LIBIPSEC
   deps += $(top_builddir)/src/libipsec/libipsec.la
   libs += $(DESTDIR)$(ipseclibdir)/libipsec.so
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 4e4134625..2584beb76 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -80,34 +80,31 @@ build_triplet = @build@
 host_triplet = @host@
 EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
 @MONOLITHIC_FALSE@am__append_1 = -DS_PLUGINS=\""${s_plugins}\""
-@USE_LIBHYDRA_TRUE@am__append_2 = $(top_builddir)/src/libhydra/libhydra.la
-@USE_LIBHYDRA_TRUE@am__append_3 = $(DESTDIR)$(ipseclibdir)/libhydra.so
-@MONOLITHIC_FALSE@@USE_LIBHYDRA_TRUE@am__append_4 = -DH_PLUGINS=\""${h_plugins}\""
-@USE_LIBIPSEC_TRUE@am__append_5 = $(top_builddir)/src/libipsec/libipsec.la
-@USE_LIBIPSEC_TRUE@am__append_6 = $(DESTDIR)$(ipseclibdir)/libipsec.so
-@USE_TLS_TRUE@am__append_7 = $(top_builddir)/src/libtls/libtls.la
-@USE_TLS_TRUE@am__append_8 = $(DESTDIR)$(ipseclibdir)/libtls.so
-@USE_RADIUS_TRUE@am__append_9 = $(top_builddir)/src/libradius/libradius.la
-@USE_RADIUS_TRUE@am__append_10 = $(DESTDIR)$(ipseclibdir)/libradius.so
-@USE_LIBPTTLS_TRUE@am__append_11 = $(top_builddir)/src/libpttls/libpttls.la
-@USE_LIBPTTLS_TRUE@am__append_12 = $(DESTDIR)$(ipseclibdir)/libpttls.so
-@USE_LIBTNCCS_TRUE@am__append_13 = $(top_builddir)/src/libtnccs/libtnccs.la
-@USE_LIBTNCCS_TRUE@am__append_14 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
-@MONOLITHIC_FALSE@@USE_LIBTNCCS_TRUE@am__append_15 = -DT_PLUGINS=\""${t_plugins}\""
-@USE_SIMAKA_TRUE@am__append_16 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_SIMAKA_TRUE@am__append_17 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
-@USE_IMCV_TRUE@am__append_18 = $(top_builddir)/src/libimcv/libimcv.la
-@USE_IMCV_TRUE@am__append_19 = $(DESTDIR)$(ipseclibdir)/libimcv.so
-@USE_CHARON_TRUE@am__append_20 = $(top_builddir)/src/libcharon/libcharon.la
-@USE_CHARON_TRUE@am__append_21 = $(DESTDIR)$(ipseclibdir)/libcharon.so
-@USE_CHARON_TRUE@am__append_22 = $(DESTDIR)$(ipsecdir)/charon
-@MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_23 = -DC_PLUGINS=\""${c_plugins}\""
-@USE_CMD_TRUE@am__append_24 = $(DESTDIR)$(sbindir)/charon-cmd
-@USE_SCEPCLIENT_TRUE@am__append_25 = $(DESTDIR)$(ipsecdir)/scepclient
-@USE_PKI_TRUE@am__append_26 = $(DESTDIR)$(bindir)/pki
-@USE_SWANCTL_TRUE@am__append_27 = $(DESTDIR)$(sbindir)/swanctl
-@USE_ATTR_SQL_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/pool
-@USE_IMV_ATTESTATION_TRUE@am__append_29 = $(DESTDIR)$(ipsecdir)/attest
+@USE_LIBIPSEC_TRUE@am__append_2 = $(top_builddir)/src/libipsec/libipsec.la
+@USE_LIBIPSEC_TRUE@am__append_3 = $(DESTDIR)$(ipseclibdir)/libipsec.so
+@USE_TLS_TRUE@am__append_4 = $(top_builddir)/src/libtls/libtls.la
+@USE_TLS_TRUE@am__append_5 = $(DESTDIR)$(ipseclibdir)/libtls.so
+@USE_RADIUS_TRUE@am__append_6 = $(top_builddir)/src/libradius/libradius.la
+@USE_RADIUS_TRUE@am__append_7 = $(DESTDIR)$(ipseclibdir)/libradius.so
+@USE_LIBPTTLS_TRUE@am__append_8 = $(top_builddir)/src/libpttls/libpttls.la
+@USE_LIBPTTLS_TRUE@am__append_9 = $(DESTDIR)$(ipseclibdir)/libpttls.so
+@USE_LIBTNCCS_TRUE@am__append_10 = $(top_builddir)/src/libtnccs/libtnccs.la
+@USE_LIBTNCCS_TRUE@am__append_11 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
+@MONOLITHIC_FALSE@@USE_LIBTNCCS_TRUE@am__append_12 = -DT_PLUGINS=\""${t_plugins}\""
+@USE_SIMAKA_TRUE@am__append_13 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_SIMAKA_TRUE@am__append_14 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
+@USE_IMCV_TRUE@am__append_15 = $(top_builddir)/src/libimcv/libimcv.la
+@USE_IMCV_TRUE@am__append_16 = $(DESTDIR)$(ipseclibdir)/libimcv.so
+@USE_CHARON_TRUE@am__append_17 = $(top_builddir)/src/libcharon/libcharon.la
+@USE_CHARON_TRUE@am__append_18 = $(DESTDIR)$(ipseclibdir)/libcharon.so
+@USE_CHARON_TRUE@am__append_19 = $(DESTDIR)$(ipsecdir)/charon
+@MONOLITHIC_FALSE@@USE_CHARON_TRUE@am__append_20 = -DC_PLUGINS=\""${c_plugins}\""
+@USE_CMD_TRUE@am__append_21 = $(DESTDIR)$(sbindir)/charon-cmd
+@USE_SCEPCLIENT_TRUE@am__append_22 = $(DESTDIR)$(ipsecdir)/scepclient
+@USE_PKI_TRUE@am__append_23 = $(DESTDIR)$(bindir)/pki
+@USE_SWANCTL_TRUE@am__append_24 = $(DESTDIR)$(sbindir)/swanctl
+@USE_ATTR_SQL_TRUE@am__append_25 = $(DESTDIR)$(ipsecdir)/pool
+@USE_IMV_ATTESTATION_TRUE@am__append_26 = $(DESTDIR)$(ipsecdir)/attest
 subdir = src/checksum
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -173,7 +170,6 @@ checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS)
 am__DEPENDENCIES_1 =
 checksum_builder_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1)
 checksum_builder_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
@@ -453,6 +449,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -475,16 +473,15 @@ libchecksum_la_LDFLAGS = -module -avoid-version -rpath '$(ipseclibdir)'
 checksum_builder_SOURCES = checksum_builder.c
 checksum_builder_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(DLLIB)
 
 checksum_builder_LDFLAGS = -rpath '$(DESTDIR)$(ipseclibdir)'
 CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
-	$(am__append_4) $(am__append_15) $(am__append_23)
+	$(am__append_12) $(am__append_20)
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
 
@@ -493,16 +490,16 @@ AM_CFLAGS = \
 # to the installed libraries. for executables we use the built files directly
 # as these are not relinked during installation.
 deps = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__append_2) $(am__append_5) $(am__append_7) \
-	$(am__append_9) $(am__append_11) $(am__append_13) \
-	$(am__append_16) $(am__append_18) $(am__append_20)
+	$(am__append_2) $(am__append_4) $(am__append_6) \
+	$(am__append_8) $(am__append_10) $(am__append_13) \
+	$(am__append_15) $(am__append_17)
 libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \
-	$(am__append_6) $(am__append_8) $(am__append_10) \
-	$(am__append_12) $(am__append_14) $(am__append_17) \
-	$(am__append_19) $(am__append_21)
-exes = $(am__append_22) $(am__append_24) $(am__append_25) \
-	$(am__append_26) $(am__append_27) $(am__append_28) \
-	$(am__append_29)
+	$(am__append_5) $(am__append_7) $(am__append_9) \
+	$(am__append_11) $(am__append_14) $(am__append_16) \
+	$(am__append_18)
+exes = $(am__append_19) $(am__append_21) $(am__append_22) \
+	$(am__append_23) $(am__append_24) $(am__append_25) \
+	$(am__append_26)
 all: all-am
 
 .SUFFIXES:
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index cc8185ecd..65399f5bc 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -19,7 +19,6 @@
 #include <dlfcn.h>
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 #include <collections/enumerator.h>
 
@@ -128,9 +127,8 @@ int main(int argc, char* argv[])
 {
 	int i;
 
-	/* forces link against libhydra/libcharon, imports symbols needed to
+	/* forces link against libcharon, imports symbols needed to
 	 * dlopen plugins */
-	hydra = NULL;
 	charon = NULL;
 
 	/* avoid confusing leak reports in build process */
@@ -159,9 +157,6 @@ int main(int argc, char* argv[])
 #ifdef S_PLUGINS
 	build_plugin_checksums(S_PLUGINS);
 #endif
-#ifdef H_PLUGINS
-	build_plugin_checksums(H_PLUGINS);
-#endif
 #ifdef T_PLUGINS
 	build_plugin_checksums(T_PLUGINS);
 #endif
diff --git a/src/conftest/Makefile.am b/src/conftest/Makefile.am
index eeb26f225..2d4e439da 100644
--- a/src/conftest/Makefile.am
+++ b/src/conftest/Makefile.am
@@ -2,7 +2,6 @@ ipsec_PROGRAMS = conftest
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
@@ -20,7 +19,6 @@ conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 
 conftest_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
 
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 78438d8f5..f5647f9d9 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -120,7 +120,6 @@ conftest_OBJECTS = $(am_conftest_OBJECTS)
 am__DEPENDENCIES_1 =
 conftest_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -400,6 +399,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -415,7 +416,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${charon_plugins}\""
 
@@ -432,7 +432,6 @@ conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \
 
 conftest_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la \
 	-lm $(PTHREADLIB) $(DLLIB)
 
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index edfe0ca35..d10f3c7b7 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -356,7 +356,6 @@ static void cleanup()
 	free(conftest->suite_dir);
 	free(conftest);
 	libcharon_deinit();
-	libhydra_deinit();
 	library_deinit();
 }
 
@@ -442,16 +441,9 @@ int main(int argc, char *argv[])
 		library_deinit();
 		return SS_RC_LIBSTRONGSWAN_INTEGRITY;
 	}
-	if (!libhydra_init())
-	{
-		libhydra_deinit();
-		library_deinit();
-		return SS_RC_INITIALIZATION_FAILED;
-	}
 	if (!libcharon_init())
 	{
 		libcharon_deinit();
-		libhydra_deinit();
 		library_deinit();
 		return SS_RC_INITIALIZATION_FAILED;
 	}
diff --git a/src/conftest/conftest.h b/src/conftest/conftest.h
index 6bbdabd07..2d0320429 100644
--- a/src/conftest/conftest.h
+++ b/src/conftest/conftest.h
@@ -21,7 +21,6 @@
 #define CONFTEST_H_
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 #include <credentials/sets/mem_cred.h>
 
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 2ecf61194..6525fbcb4 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -421,6 +421,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 5740544ca..9f4becb40 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -329,6 +329,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index d4dafcb0c..72022ed56 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -363,6 +363,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index fa46e79f1..686c1ce80 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.4.0dr1" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.4.0rc1" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index 89c7ef753..a002614fe 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -259,10 +259,15 @@ stop)
 			loop=110
 			while [ $loop -gt 0 ] ; do
 				kill -0 $spid 2>/dev/null || break
-				sleep 0.1
+				sleep 0.1 2>/dev/null
+				if [ $? -ne 0 ]
+				then
+					sleep 1
+					loop=$(($loop - 9))
+				fi
 				loop=$(($loop - 1))
 			done
-			if [ $loop -eq 0 ]
+			if [ $loop -le 0 ]
 			then
 				kill -KILL $spid 2>/dev/null
 				rm -f $IPSEC_STARTER_PID
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 10085794b..55e6bc58b 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -47,7 +47,10 @@ encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
 encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
 encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
-kernel/kernel_handler.c kernel/kernel_handler.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.c kernel/kernel_net.h \
+kernel/kernel_listener.h kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
 network/socket.c network/socket.h \
 network/socket_manager.c network/socket_manager.h \
@@ -56,6 +59,7 @@ processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
 processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
+processing/jobs/redirect_job.c processing/jobs/redirect_job.h \
 processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
 processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
 processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
@@ -81,6 +85,7 @@ sa/child_sa_manager.c sa/child_sa_manager.h \
 sa/task_manager.h sa/task_manager.c \
 sa/shunt_manager.c sa/shunt_manager.h \
 sa/trap_manager.c sa/trap_manager.h \
+sa/redirect_provider.h sa/redirect_manager.c sa/redirect_manager.h \
 sa/task.c sa/task.h
 
 libcharon_la_SOURCES += \
@@ -104,8 +109,10 @@ sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
 sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
+sa/ikev2/tasks/ike_redirect.c sa/ikev2/tasks/ike_redirect.h \
 sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
-sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
+sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h \
+sa/ikev2/tasks/ike_verify_peer_cert.c sa/ikev2/tasks/ike_verify_peer_cert.h
 
 libcharon_la_SOURCES += \
 sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
@@ -149,6 +156,8 @@ endif
 
 LOCAL_SRC_FILES += $(call add_plugin, attr)
 
+LOCAL_SRC_FILES += $(call add_plugin, p-cscf)
+
 LOCAL_SRC_FILES += $(call add_plugin, eap-aka)
 
 LOCAL_SRC_FILES += $(call add_plugin, eap-aka-3gpp2)
@@ -216,6 +225,10 @@ endif
 
 LOCAL_SRC_FILES += $(call add_plugin, load-tester)
 
+LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
+
+LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
+
 LOCAL_SRC_FILES += $(call add_plugin, socket-default)
 
 LOCAL_SRC_FILES += $(call add_plugin, socket-dynamic)
@@ -228,7 +241,6 @@ endif
 # build libcharon --------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/libhydra \
 	$(strongswan_PATH)/src/libstrongswan
 
 LOCAL_CFLAGS := $(strongswan_CFLAGS)
@@ -241,6 +253,6 @@ LOCAL_ARM_MODE := arm
 
 LOCAL_PRELINK_MODULE := false
 
-LOCAL_SHARED_LIBRARIES += libstrongswan libhydra
+LOCAL_SHARED_LIBRARIES += libstrongswan
 
 include $(BUILD_SHARED_LIBRARY)
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index cd81a5eee..9f0707813 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -8,6 +8,7 @@ attributes/mem_pool.c attributes/mem_pool.h \
 bus/bus.c bus/bus.h \
 bus/listeners/listener.h \
 bus/listeners/logger.h \
+bus/listeners/custom_logger.h \
 bus/listeners/file_logger.c bus/listeners/file_logger.h \
 config/backend_manager.c config/backend_manager.h config/backend.h \
 config/child_cfg.c config/child_cfg.h \
@@ -45,7 +46,10 @@ encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
 encoding/payloads/hash_payload.c encoding/payloads/hash_payload.h \
 encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
-kernel/kernel_handler.c kernel/kernel_handler.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.c kernel/kernel_net.h \
+kernel/kernel_listener.h kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
 network/socket.c network/socket.h \
 network/socket_manager.c network/socket_manager.h \
@@ -54,6 +58,7 @@ processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
 processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
+processing/jobs/redirect_job.c processing/jobs/redirect_job.h \
 processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
 processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
 processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
@@ -79,6 +84,7 @@ sa/child_sa_manager.c sa/child_sa_manager.h \
 sa/task_manager.h sa/task_manager.c \
 sa/shunt_manager.c sa/shunt_manager.h \
 sa/trap_manager.c sa/trap_manager.h \
+sa/redirect_provider.h sa/redirect_manager.c sa/redirect_manager.h \
 sa/task.c sa/task.h
 
 if USE_IKEV2
@@ -103,8 +109,10 @@ sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
 sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
+sa/ikev2/tasks/ike_redirect.c sa/ikev2/tasks/ike_redirect.h \
 sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
-sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
+sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h \
+sa/ikev2/tasks/ike_verify_peer_cert.c sa/ikev2/tasks/ike_verify_peer_cert.h
 endif
 
 if USE_IKEV1
@@ -142,7 +150,6 @@ daemon.lo :		$(top_builddir)/config.status
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\"
@@ -152,7 +159,6 @@ AM_LDFLAGS = \
 
 libcharon_la_LIBADD = \
   $(top_builddir)/src/libstrongswan/libstrongswan.la \
-  $(top_builddir)/src/libhydra/libhydra.la \
   -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB)
 
 if USE_WINDOWS
@@ -483,6 +489,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_P_CSCF
+  SUBDIRS += plugins/p_cscf
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/p_cscf/libstrongswan-p-cscf.la
+endif
+endif
+
 if USE_ANDROID_DNS
   SUBDIRS += plugins/android_dns
 if MONOLITHIC
@@ -511,6 +524,27 @@ if MONOLITHIC
 endif
 endif
 
+if USE_KERNEL_PFKEY
+  SUBDIRS += plugins/kernel_pfkey
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+endif
+endif
+
+if USE_KERNEL_PFROUTE
+  SUBDIRS += plugins/kernel_pfroute
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+endif
+endif
+
+if USE_KERNEL_NETLINK
+  SUBDIRS += plugins/kernel_netlink
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+endif
+endif
+
 if USE_KERNEL_LIBIPSEC
   SUBDIRS += plugins/kernel_libipsec
 if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 3d425e0b4..2ccae216e 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -99,8 +99,10 @@ host_triplet = @host@
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_redirect.c sa/ikev2/tasks/ike_redirect.h \
 @USE_IKEV2_TRUE@sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
-@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_verify_peer_cert.c sa/ikev2/tasks/ike_verify_peer_cert.h
 
 @USE_IKEV1_TRUE@am__append_2 = \
 @USE_IKEV1_TRUE@sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
@@ -221,58 +223,66 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_85 = plugins/dhcp/libstrongswan-dhcp.la
 @USE_OSX_ATTR_TRUE@am__append_86 = plugins/osx_attr
 @MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_87 = plugins/osx_attr/libstrongswan-osx-attr.la
-@USE_ANDROID_DNS_TRUE@am__append_88 = plugins/android_dns
-@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_89 = plugins/android_dns/libstrongswan-android-dns.la
-@USE_ANDROID_LOG_TRUE@am__append_90 = plugins/android_log
-@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_91 = plugins/android_log/libstrongswan-android-log.la
-@USE_MAEMO_TRUE@am__append_92 = plugins/maemo
-@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_93 = plugins/maemo/libstrongswan-maemo.la
-@USE_HA_TRUE@am__append_94 = plugins/ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_95 = plugins/ha/libstrongswan-ha.la
-@USE_KERNEL_LIBIPSEC_TRUE@am__append_96 = plugins/kernel_libipsec
-@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_97 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
-@USE_KERNEL_WFP_TRUE@am__append_98 = plugins/kernel_wfp
-@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_99 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
-@USE_KERNEL_IPH_TRUE@am__append_100 = plugins/kernel_iph
-@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_101 = plugins/kernel_iph/libstrongswan-kernel-iph.la
-@USE_WHITELIST_TRUE@am__append_102 = plugins/whitelist
-@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_103 = plugins/whitelist/libstrongswan-whitelist.la
-@USE_LOOKIP_TRUE@am__append_104 = plugins/lookip
-@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_105 = plugins/lookip/libstrongswan-lookip.la
-@USE_ERROR_NOTIFY_TRUE@am__append_106 = plugins/error_notify
-@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_107 = plugins/error_notify/libstrongswan-error-notify.la
-@USE_CERTEXPIRE_TRUE@am__append_108 = plugins/certexpire
-@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_109 = plugins/certexpire/libstrongswan-certexpire.la
-@USE_SYSTIME_FIX_TRUE@am__append_110 = plugins/systime_fix
-@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_111 = plugins/systime_fix/libstrongswan-systime-fix.la
-@USE_LED_TRUE@am__append_112 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_113 = plugins/led/libstrongswan-led.la
-@USE_DUPLICHECK_TRUE@am__append_114 = plugins/duplicheck
-@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_115 = plugins/duplicheck/libstrongswan-duplicheck.la
-@USE_COUPLING_TRUE@am__append_116 = plugins/coupling
-@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_117 = plugins/coupling/libstrongswan-coupling.la
-@USE_RADATTR_TRUE@am__append_118 = plugins/radattr
-@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_119 = plugins/radattr/libstrongswan-radattr.la
-@USE_UCI_TRUE@am__append_120 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_121 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_122 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_123 = plugins/addrblock/libstrongswan-addrblock.la
-@USE_UNITY_TRUE@am__append_124 = plugins/unity
-@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_125 = plugins/unity/libstrongswan-unity.la
-@USE_XAUTH_GENERIC_TRUE@am__append_126 = plugins/xauth_generic
-@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_127 = plugins/xauth_generic/libstrongswan-xauth-generic.la
-@USE_XAUTH_EAP_TRUE@am__append_128 = plugins/xauth_eap
-@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_129 = plugins/xauth_eap/libstrongswan-xauth-eap.la
-@USE_XAUTH_PAM_TRUE@am__append_130 = plugins/xauth_pam
-@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_131 = plugins/xauth_pam/libstrongswan-xauth-pam.la
-@USE_XAUTH_NOAUTH_TRUE@am__append_132 = plugins/xauth_noauth
-@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_133 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
-@USE_RESOLVE_TRUE@am__append_134 = plugins/resolve
-@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_135 = plugins/resolve/libstrongswan-resolve.la
-@USE_ATTR_TRUE@am__append_136 = plugins/attr
-@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_137 = plugins/attr/libstrongswan-attr.la
-@USE_ATTR_SQL_TRUE@am__append_138 = plugins/attr_sql
-@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_139 = plugins/attr_sql/libstrongswan-attr-sql.la
+@USE_P_CSCF_TRUE@am__append_88 = plugins/p_cscf
+@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_89 = plugins/p_cscf/libstrongswan-p-cscf.la
+@USE_ANDROID_DNS_TRUE@am__append_90 = plugins/android_dns
+@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_91 = plugins/android_dns/libstrongswan-android-dns.la
+@USE_ANDROID_LOG_TRUE@am__append_92 = plugins/android_log
+@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_93 = plugins/android_log/libstrongswan-android-log.la
+@USE_MAEMO_TRUE@am__append_94 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_95 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_96 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_97 = plugins/ha/libstrongswan-ha.la
+@USE_KERNEL_PFKEY_TRUE@am__append_98 = plugins/kernel_pfkey
+@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_99 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+@USE_KERNEL_PFROUTE_TRUE@am__append_100 = plugins/kernel_pfroute
+@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_101 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+@USE_KERNEL_NETLINK_TRUE@am__append_102 = plugins/kernel_netlink
+@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_103 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+@USE_KERNEL_LIBIPSEC_TRUE@am__append_104 = plugins/kernel_libipsec
+@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_105 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+@USE_KERNEL_WFP_TRUE@am__append_106 = plugins/kernel_wfp
+@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_107 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+@USE_KERNEL_IPH_TRUE@am__append_108 = plugins/kernel_iph
+@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_109 = plugins/kernel_iph/libstrongswan-kernel-iph.la
+@USE_WHITELIST_TRUE@am__append_110 = plugins/whitelist
+@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_111 = plugins/whitelist/libstrongswan-whitelist.la
+@USE_LOOKIP_TRUE@am__append_112 = plugins/lookip
+@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_113 = plugins/lookip/libstrongswan-lookip.la
+@USE_ERROR_NOTIFY_TRUE@am__append_114 = plugins/error_notify
+@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_115 = plugins/error_notify/libstrongswan-error-notify.la
+@USE_CERTEXPIRE_TRUE@am__append_116 = plugins/certexpire
+@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_117 = plugins/certexpire/libstrongswan-certexpire.la
+@USE_SYSTIME_FIX_TRUE@am__append_118 = plugins/systime_fix
+@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_119 = plugins/systime_fix/libstrongswan-systime-fix.la
+@USE_LED_TRUE@am__append_120 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_121 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_122 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_123 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_124 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_125 = plugins/coupling/libstrongswan-coupling.la
+@USE_RADATTR_TRUE@am__append_126 = plugins/radattr
+@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_127 = plugins/radattr/libstrongswan-radattr.la
+@USE_UCI_TRUE@am__append_128 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_129 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_130 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_131 = plugins/addrblock/libstrongswan-addrblock.la
+@USE_UNITY_TRUE@am__append_132 = plugins/unity
+@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_133 = plugins/unity/libstrongswan-unity.la
+@USE_XAUTH_GENERIC_TRUE@am__append_134 = plugins/xauth_generic
+@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_135 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+@USE_XAUTH_EAP_TRUE@am__append_136 = plugins/xauth_eap
+@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_137 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+@USE_XAUTH_PAM_TRUE@am__append_138 = plugins/xauth_pam
+@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_139 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_XAUTH_NOAUTH_TRUE@am__append_140 = plugins/xauth_noauth
+@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_141 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+@USE_RESOLVE_TRUE@am__append_142 = plugins/resolve
+@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_143 = plugins/resolve/libstrongswan-resolve.la
+@USE_ATTR_TRUE@am__append_144 = plugins/attr
+@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_145 = plugins/attr/libstrongswan-attr.la
+@USE_ATTR_SQL_TRUE@am__append_146 = plugins/attr_sql
+@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_147 = plugins/attr_sql/libstrongswan-attr-sql.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -325,47 +335,47 @@ LTLIBRARIES = $(ipseclib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libcharon_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__append_7) $(am__append_9) \
-	$(am__append_11) $(am__append_13) $(am__append_15) \
-	$(am__append_17) $(am__append_19) $(am__append_21) \
-	$(am__append_23) $(am__append_25) $(am__append_27) \
-	$(am__append_29) $(am__append_31) $(am__append_33) \
-	$(am__append_35) $(am__append_37) $(am__append_39) \
-	$(am__append_41) $(am__append_43) $(am__append_45) \
-	$(am__append_47) $(am__append_49) $(am__append_51) \
-	$(am__append_53) $(am__append_54) $(am__append_56) \
-	$(am__append_58) $(am__append_60) $(am__append_62) \
-	$(am__append_64) $(am__append_66) $(am__append_68) \
-	$(am__append_70) $(am__append_72) $(am__append_73) \
-	$(am__append_74) $(am__append_76) $(am__append_78) \
-	$(am__append_79) $(am__append_81) $(am__append_83) \
-	$(am__append_85) $(am__append_87) $(am__append_89) \
-	$(am__append_91) $(am__append_93) $(am__append_95) \
-	$(am__append_97) $(am__append_99) $(am__append_101) \
-	$(am__append_103) $(am__append_105) $(am__append_107) \
-	$(am__append_109) $(am__append_111) $(am__append_113) \
-	$(am__append_115) $(am__append_117) $(am__append_119) \
-	$(am__append_121) $(am__append_123) $(am__append_125) \
-	$(am__append_127) $(am__append_129) $(am__append_131) \
-	$(am__append_133) $(am__append_135) $(am__append_137) \
-	$(am__append_139)
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) $(am__append_7) \
+	$(am__append_9) $(am__append_11) $(am__append_13) \
+	$(am__append_15) $(am__append_17) $(am__append_19) \
+	$(am__append_21) $(am__append_23) $(am__append_25) \
+	$(am__append_27) $(am__append_29) $(am__append_31) \
+	$(am__append_33) $(am__append_35) $(am__append_37) \
+	$(am__append_39) $(am__append_41) $(am__append_43) \
+	$(am__append_45) $(am__append_47) $(am__append_49) \
+	$(am__append_51) $(am__append_53) $(am__append_54) \
+	$(am__append_56) $(am__append_58) $(am__append_60) \
+	$(am__append_62) $(am__append_64) $(am__append_66) \
+	$(am__append_68) $(am__append_70) $(am__append_72) \
+	$(am__append_73) $(am__append_74) $(am__append_76) \
+	$(am__append_78) $(am__append_79) $(am__append_81) \
+	$(am__append_83) $(am__append_85) $(am__append_87) \
+	$(am__append_89) $(am__append_91) $(am__append_93) \
+	$(am__append_95) $(am__append_97) $(am__append_99) \
+	$(am__append_101) $(am__append_103) $(am__append_105) \
+	$(am__append_107) $(am__append_109) $(am__append_111) \
+	$(am__append_113) $(am__append_115) $(am__append_117) \
+	$(am__append_119) $(am__append_121) $(am__append_123) \
+	$(am__append_125) $(am__append_127) $(am__append_129) \
+	$(am__append_131) $(am__append_133) $(am__append_135) \
+	$(am__append_137) $(am__append_139) $(am__append_141) \
+	$(am__append_143) $(am__append_145) $(am__append_147)
 am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	attributes/attributes.h attributes/attribute_provider.h \
 	attributes/attribute_handler.h attributes/attribute_manager.c \
 	attributes/attribute_manager.h attributes/mem_pool.c \
 	attributes/mem_pool.h bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/logger.h \
-	bus/listeners/file_logger.c bus/listeners/file_logger.h \
-	config/backend_manager.c config/backend_manager.h \
-	config/backend.h config/child_cfg.c config/child_cfg.h \
-	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
-	config/peer_cfg.h config/proposal.c config/proposal.h \
-	control/controller.c control/controller.h daemon.c daemon.h \
-	encoding/generator.c encoding/generator.h encoding/message.c \
-	encoding/message.h encoding/parser.c encoding/parser.h \
-	encoding/payloads/auth_payload.c \
+	bus/listeners/custom_logger.h bus/listeners/file_logger.c \
+	bus/listeners/file_logger.h config/backend_manager.c \
+	config/backend_manager.h config/backend.h config/child_cfg.c \
+	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
+	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
+	config/proposal.h control/controller.c control/controller.h \
+	daemon.c daemon.h encoding/generator.c encoding/generator.h \
+	encoding/message.c encoding/message.h encoding/parser.c \
+	encoding/parser.h encoding/payloads/auth_payload.c \
 	encoding/payloads/auth_payload.h \
 	encoding/payloads/cert_payload.c \
 	encoding/payloads/cert_payload.h \
@@ -407,7 +417,10 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	encoding/payloads/hash_payload.c \
 	encoding/payloads/hash_payload.h \
 	encoding/payloads/fragment_payload.c \
-	encoding/payloads/fragment_payload.h kernel/kernel_handler.c \
+	encoding/payloads/fragment_payload.h kernel/kernel_interface.c \
+	kernel/kernel_interface.h kernel/kernel_ipsec.c \
+	kernel/kernel_ipsec.h kernel/kernel_net.c kernel/kernel_net.h \
+	kernel/kernel_listener.h kernel/kernel_handler.c \
 	kernel/kernel_handler.h network/receiver.c network/receiver.h \
 	network/sender.c network/sender.h network/socket.c \
 	network/socket.h network/socket_manager.c \
@@ -420,6 +433,7 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 	processing/jobs/process_message_job.c \
 	processing/jobs/process_message_job.h \
+	processing/jobs/redirect_job.c processing/jobs/redirect_job.h \
 	processing/jobs/rekey_child_sa_job.c \
 	processing/jobs/rekey_child_sa_job.h \
 	processing/jobs/rekey_ike_sa_job.c \
@@ -449,7 +463,8 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	sa/ike_sa_manager.h sa/child_sa_manager.c \
 	sa/child_sa_manager.h sa/task_manager.h sa/task_manager.c \
 	sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
-	sa/trap_manager.h sa/task.c sa/task.h sa/ikev2/keymat_v2.c \
+	sa/trap_manager.h sa/redirect_provider.h sa/redirect_manager.c \
+	sa/redirect_manager.h sa/task.c sa/task.h sa/ikev2/keymat_v2.c \
 	sa/ikev2/keymat_v2.h sa/ikev2/task_manager_v2.c \
 	sa/ikev2/task_manager_v2.h \
 	sa/ikev2/authenticators/eap_authenticator.c \
@@ -474,9 +489,12 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
 	sa/ikev2/tasks/ike_reauth_complete.c \
 	sa/ikev2/tasks/ike_reauth_complete.h \
+	sa/ikev2/tasks/ike_redirect.c sa/ikev2/tasks/ike_redirect.h \
 	sa/ikev2/tasks/ike_auth_lifetime.c \
 	sa/ikev2/tasks/ike_auth_lifetime.h sa/ikev2/tasks/ike_vendor.c \
-	sa/ikev2/tasks/ike_vendor.h sa/ikev1/keymat_v1.c \
+	sa/ikev2/tasks/ike_vendor.h \
+	sa/ikev2/tasks/ike_verify_peer_cert.c \
+	sa/ikev2/tasks/ike_verify_peer_cert.h sa/ikev1/keymat_v1.c \
 	sa/ikev1/keymat_v1.h sa/ikev1/task_manager_v1.c \
 	sa/ikev1/task_manager_v1.h \
 	sa/ikev1/authenticators/psk_v1_authenticator.c \
@@ -535,8 +553,10 @@ am__dirstamp = $(am__leading_dot)dirstamp
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_rekey.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_reauth.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_reauth_complete.lo \
+@USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_redirect.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_auth_lifetime.lo \
-@USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_vendor.lo
+@USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_vendor.lo \
+@USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_verify_peer_cert.lo
 @USE_IKEV1_TRUE@am__objects_2 = sa/ikev1/keymat_v1.lo \
 @USE_IKEV1_TRUE@	sa/ikev1/task_manager_v1.lo \
 @USE_IKEV1_TRUE@	sa/ikev1/authenticators/psk_v1_authenticator.lo \
@@ -595,13 +615,16 @@ am_libcharon_la_OBJECTS = attributes/attributes.lo \
 	encoding/payloads/unknown_payload.lo \
 	encoding/payloads/vendor_id_payload.lo \
 	encoding/payloads/hash_payload.lo \
-	encoding/payloads/fragment_payload.lo kernel/kernel_handler.lo \
+	encoding/payloads/fragment_payload.lo \
+	kernel/kernel_interface.lo kernel/kernel_ipsec.lo \
+	kernel/kernel_net.lo kernel/kernel_handler.lo \
 	network/receiver.lo network/sender.lo network/socket.lo \
 	network/socket_manager.lo processing/jobs/acquire_job.lo \
 	processing/jobs/delete_child_sa_job.lo \
 	processing/jobs/delete_ike_sa_job.lo \
 	processing/jobs/migrate_job.lo \
 	processing/jobs/process_message_job.lo \
+	processing/jobs/redirect_job.lo \
 	processing/jobs/rekey_child_sa_job.lo \
 	processing/jobs/rekey_ike_sa_job.lo \
 	processing/jobs/retransmit_job.lo \
@@ -616,8 +639,9 @@ am_libcharon_la_OBJECTS = attributes/attributes.lo \
 	sa/xauth/xauth_manager.lo sa/authenticator.lo sa/child_sa.lo \
 	sa/ike_sa.lo sa/ike_sa_id.lo sa/keymat.lo sa/ike_sa_manager.lo \
 	sa/child_sa_manager.lo sa/task_manager.lo sa/shunt_manager.lo \
-	sa/trap_manager.lo sa/task.lo $(am__objects_1) \
-	$(am__objects_2) $(am__objects_3) $(am__objects_4)
+	sa/trap_manager.lo sa/redirect_manager.lo sa/task.lo \
+	$(am__objects_1) $(am__objects_2) $(am__objects_3) \
+	$(am__objects_4)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -712,12 +736,14 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/eap_tls plugins/eap_ttls plugins/eap_peap \
 	plugins/eap_tnc plugins/tnc_ifmap plugins/tnc_pdp \
 	plugins/medsrv plugins/medcli plugins/dhcp plugins/osx_attr \
-	plugins/android_dns plugins/android_log plugins/maemo \
-	plugins/ha plugins/kernel_libipsec plugins/kernel_wfp \
-	plugins/kernel_iph plugins/whitelist plugins/lookip \
-	plugins/error_notify plugins/certexpire plugins/systime_fix \
-	plugins/led plugins/duplicheck plugins/coupling \
-	plugins/radattr plugins/uci plugins/addrblock plugins/unity \
+	plugins/p_cscf plugins/android_dns plugins/android_log \
+	plugins/maemo plugins/ha plugins/kernel_pfkey \
+	plugins/kernel_pfroute plugins/kernel_netlink \
+	plugins/kernel_libipsec plugins/kernel_wfp plugins/kernel_iph \
+	plugins/whitelist plugins/lookip plugins/error_notify \
+	plugins/certexpire plugins/systime_fix plugins/led \
+	plugins/duplicheck plugins/coupling plugins/radattr \
+	plugins/uci plugins/addrblock plugins/unity \
 	plugins/xauth_generic plugins/xauth_eap plugins/xauth_pam \
 	plugins/xauth_noauth plugins/resolve plugins/attr \
 	plugins/attr_sql tests
@@ -959,6 +985,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -978,15 +1006,15 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
 	attributes/attribute_manager.c attributes/attribute_manager.h \
 	attributes/mem_pool.c attributes/mem_pool.h bus/bus.c \
 	bus/bus.h bus/listeners/listener.h bus/listeners/logger.h \
-	bus/listeners/file_logger.c bus/listeners/file_logger.h \
-	config/backend_manager.c config/backend_manager.h \
-	config/backend.h config/child_cfg.c config/child_cfg.h \
-	config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
-	config/peer_cfg.h config/proposal.c config/proposal.h \
-	control/controller.c control/controller.h daemon.c daemon.h \
-	encoding/generator.c encoding/generator.h encoding/message.c \
-	encoding/message.h encoding/parser.c encoding/parser.h \
-	encoding/payloads/auth_payload.c \
+	bus/listeners/custom_logger.h bus/listeners/file_logger.c \
+	bus/listeners/file_logger.h config/backend_manager.c \
+	config/backend_manager.h config/backend.h config/child_cfg.c \
+	config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
+	config/peer_cfg.c config/peer_cfg.h config/proposal.c \
+	config/proposal.h control/controller.c control/controller.h \
+	daemon.c daemon.h encoding/generator.c encoding/generator.h \
+	encoding/message.c encoding/message.h encoding/parser.c \
+	encoding/parser.h encoding/payloads/auth_payload.c \
 	encoding/payloads/auth_payload.h \
 	encoding/payloads/cert_payload.c \
 	encoding/payloads/cert_payload.h \
@@ -1028,7 +1056,10 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
 	encoding/payloads/hash_payload.c \
 	encoding/payloads/hash_payload.h \
 	encoding/payloads/fragment_payload.c \
-	encoding/payloads/fragment_payload.h kernel/kernel_handler.c \
+	encoding/payloads/fragment_payload.h kernel/kernel_interface.c \
+	kernel/kernel_interface.h kernel/kernel_ipsec.c \
+	kernel/kernel_ipsec.h kernel/kernel_net.c kernel/kernel_net.h \
+	kernel/kernel_listener.h kernel/kernel_handler.c \
 	kernel/kernel_handler.h network/receiver.c network/receiver.h \
 	network/sender.c network/sender.h network/socket.c \
 	network/socket.h network/socket_manager.c \
@@ -1041,6 +1072,7 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
 	processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
 	processing/jobs/process_message_job.c \
 	processing/jobs/process_message_job.h \
+	processing/jobs/redirect_job.c processing/jobs/redirect_job.h \
 	processing/jobs/rekey_child_sa_job.c \
 	processing/jobs/rekey_child_sa_job.h \
 	processing/jobs/rekey_ike_sa_job.c \
@@ -1070,12 +1102,12 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
 	sa/ike_sa_manager.h sa/child_sa_manager.c \
 	sa/child_sa_manager.h sa/task_manager.h sa/task_manager.c \
 	sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
-	sa/trap_manager.h sa/task.c sa/task.h $(am__append_1) \
+	sa/trap_manager.h sa/redirect_provider.h sa/redirect_manager.c \
+	sa/redirect_manager.h sa/task.c sa/task.h $(am__append_1) \
 	$(am__append_2) $(am__append_3) $(am__append_5)
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_PIDDIR=\"${piddir}\"
@@ -1084,32 +1116,33 @@ AM_LDFLAGS = \
   -no-undefined
 
 libcharon_la_LIBADD =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la -lm $(PTHREADLIB) \
-	$(DLLIB) $(SOCKLIB) $(am__append_4) $(am__append_7) \
-	$(am__append_9) $(am__append_11) $(am__append_13) \
-	$(am__append_15) $(am__append_17) $(am__append_19) \
-	$(am__append_21) $(am__append_23) $(am__append_25) \
-	$(am__append_27) $(am__append_29) $(am__append_31) \
-	$(am__append_33) $(am__append_35) $(am__append_37) \
-	$(am__append_39) $(am__append_41) $(am__append_43) \
-	$(am__append_45) $(am__append_47) $(am__append_49) \
-	$(am__append_51) $(am__append_53) $(am__append_54) \
-	$(am__append_56) $(am__append_58) $(am__append_60) \
-	$(am__append_62) $(am__append_64) $(am__append_66) \
-	$(am__append_68) $(am__append_70) $(am__append_72) \
-	$(am__append_73) $(am__append_74) $(am__append_76) \
-	$(am__append_78) $(am__append_79) $(am__append_81) \
-	$(am__append_83) $(am__append_85) $(am__append_87) \
-	$(am__append_89) $(am__append_91) $(am__append_93) \
-	$(am__append_95) $(am__append_97) $(am__append_99) \
-	$(am__append_101) $(am__append_103) $(am__append_105) \
-	$(am__append_107) $(am__append_109) $(am__append_111) \
-	$(am__append_113) $(am__append_115) $(am__append_117) \
-	$(am__append_119) $(am__append_121) $(am__append_123) \
-	$(am__append_125) $(am__append_127) $(am__append_129) \
-	$(am__append_131) $(am__append_133) $(am__append_135) \
-	$(am__append_137) $(am__append_139)
+	$(top_builddir)/src/libstrongswan/libstrongswan.la -lm \
+	$(PTHREADLIB) $(DLLIB) $(SOCKLIB) $(am__append_4) \
+	$(am__append_7) $(am__append_9) $(am__append_11) \
+	$(am__append_13) $(am__append_15) $(am__append_17) \
+	$(am__append_19) $(am__append_21) $(am__append_23) \
+	$(am__append_25) $(am__append_27) $(am__append_29) \
+	$(am__append_31) $(am__append_33) $(am__append_35) \
+	$(am__append_37) $(am__append_39) $(am__append_41) \
+	$(am__append_43) $(am__append_45) $(am__append_47) \
+	$(am__append_49) $(am__append_51) $(am__append_53) \
+	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_60) $(am__append_62) $(am__append_64) \
+	$(am__append_66) $(am__append_68) $(am__append_70) \
+	$(am__append_72) $(am__append_73) $(am__append_74) \
+	$(am__append_76) $(am__append_78) $(am__append_79) \
+	$(am__append_81) $(am__append_83) $(am__append_85) \
+	$(am__append_87) $(am__append_89) $(am__append_91) \
+	$(am__append_93) $(am__append_95) $(am__append_97) \
+	$(am__append_99) $(am__append_101) $(am__append_103) \
+	$(am__append_105) $(am__append_107) $(am__append_109) \
+	$(am__append_111) $(am__append_113) $(am__append_115) \
+	$(am__append_117) $(am__append_119) $(am__append_121) \
+	$(am__append_123) $(am__append_125) $(am__append_127) \
+	$(am__append_129) $(am__append_131) $(am__append_133) \
+	$(am__append_135) $(am__append_137) $(am__append_139) \
+	$(am__append_141) $(am__append_143) $(am__append_145) \
+	$(am__append_147)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_6) $(am__append_8) \
 @MONOLITHIC_FALSE@	$(am__append_10) $(am__append_12) \
@@ -1143,7 +1176,9 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_126) $(am__append_128) \
 @MONOLITHIC_FALSE@	$(am__append_130) $(am__append_132) \
 @MONOLITHIC_FALSE@	$(am__append_134) $(am__append_136) \
-@MONOLITHIC_FALSE@	$(am__append_138) tests
+@MONOLITHIC_FALSE@	$(am__append_138) $(am__append_140) \
+@MONOLITHIC_FALSE@	$(am__append_142) $(am__append_144) \
+@MONOLITHIC_FALSE@	$(am__append_146) tests
 
 # build optional plugins
 ########################
@@ -1179,7 +1214,9 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_126) $(am__append_128) \
 @MONOLITHIC_TRUE@	$(am__append_130) $(am__append_132) \
 @MONOLITHIC_TRUE@	$(am__append_134) $(am__append_136) \
-@MONOLITHIC_TRUE@	$(am__append_138) . tests
+@MONOLITHIC_TRUE@	$(am__append_138) $(am__append_140) \
+@MONOLITHIC_TRUE@	$(am__append_142) $(am__append_144) \
+@MONOLITHIC_TRUE@	$(am__append_146) . tests
 all: all-recursive
 
 .SUFFIXES:
@@ -1386,6 +1423,12 @@ kernel/$(am__dirstamp):
 kernel/$(DEPDIR)/$(am__dirstamp):
 	@$(MKDIR_P) kernel/$(DEPDIR)
 	@: > kernel/$(DEPDIR)/$(am__dirstamp)
+kernel/kernel_interface.lo: kernel/$(am__dirstamp) \
+	kernel/$(DEPDIR)/$(am__dirstamp)
+kernel/kernel_ipsec.lo: kernel/$(am__dirstamp) \
+	kernel/$(DEPDIR)/$(am__dirstamp)
+kernel/kernel_net.lo: kernel/$(am__dirstamp) \
+	kernel/$(DEPDIR)/$(am__dirstamp)
 kernel/kernel_handler.lo: kernel/$(am__dirstamp) \
 	kernel/$(DEPDIR)/$(am__dirstamp)
 network/$(am__dirstamp):
@@ -1420,6 +1463,8 @@ processing/jobs/migrate_job.lo: processing/jobs/$(am__dirstamp) \
 processing/jobs/process_message_job.lo:  \
 	processing/jobs/$(am__dirstamp) \
 	processing/jobs/$(DEPDIR)/$(am__dirstamp)
+processing/jobs/redirect_job.lo: processing/jobs/$(am__dirstamp) \
+	processing/jobs/$(DEPDIR)/$(am__dirstamp)
 processing/jobs/rekey_child_sa_job.lo:  \
 	processing/jobs/$(am__dirstamp) \
 	processing/jobs/$(DEPDIR)/$(am__dirstamp)
@@ -1483,6 +1528,8 @@ sa/child_sa_manager.lo: sa/$(am__dirstamp) \
 sa/task_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/shunt_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/trap_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
+sa/redirect_manager.lo: sa/$(am__dirstamp) \
+	sa/$(DEPDIR)/$(am__dirstamp)
 sa/task.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/$(am__dirstamp):
 	@$(MKDIR_P) sa/ikev2
@@ -1545,10 +1592,15 @@ sa/ikev2/tasks/ike_reauth.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_reauth_complete.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
+sa/ikev2/tasks/ike_redirect.lo: sa/ikev2/tasks/$(am__dirstamp) \
+	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_auth_lifetime.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_vendor.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
+sa/ikev2/tasks/ike_verify_peer_cert.lo:  \
+	sa/ikev2/tasks/$(am__dirstamp) \
+	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev1/$(am__dirstamp):
 	@$(MKDIR_P) sa/ikev1
 	@: > sa/ikev1/$(am__dirstamp)
@@ -1720,6 +1772,9 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@encoding/payloads/$(DEPDIR)/unknown_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@encoding/payloads/$(DEPDIR)/vendor_id_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_interface.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_net.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@network/$(DEPDIR)/receiver.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@network/$(DEPDIR)/sender.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@network/$(DEPDIR)/socket.Plo@am__quote@
@@ -1735,6 +1790,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/mediation_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/migrate_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/process_message_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/redirect_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/rekey_child_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/rekey_ike_sa_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/retransmit_job.Plo@am__quote@
@@ -1751,6 +1807,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa_id.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/keymat.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/redirect_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/shunt_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/task.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/task_manager.Plo@am__quote@
@@ -1799,8 +1856,10 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_natd.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_reauth.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_reauth_complete.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_redirect.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_rekey.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_vendor.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_verify_peer_cert.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/xauth/$(DEPDIR)/xauth_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@sa/xauth/$(DEPDIR)/xauth_method.Plo@am__quote@
 
diff --git a/src/libcharon/attributes/attributes.c b/src/libcharon/attributes/attributes.c
index 9fabcf4e4..0f28d55fa 100644
--- a/src/libcharon/attributes/attributes.c
+++ b/src/libcharon/attributes/attributes.c
@@ -17,7 +17,7 @@
 
 #include "attributes.h"
 
-ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, HOME_AGENT_ADDRESS,
+ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, P_CSCF_IP6_ADDRESS,
 	"INTERNAL_IP4_ADDRESS",
 	"INTERNAL_IP4_NETMASK",
 	"INTERNAL_IP4_DNS",
@@ -36,8 +36,10 @@ ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, HOME_AGENT_
 	"MIP6_HOME_PREFIX",
 	"INTERNAL_IP6_LINK",
 	"INTERNAL_IP6_PREFIX",
-	"HOME_AGENT_ADDRESS");
-ENUM_NEXT(configuration_attribute_type_names, XAUTH_TYPE, XAUTH_ANSWER, HOME_AGENT_ADDRESS,
+	"HOME_AGENT_ADDRESS",
+	"P_CSCF_IP4_ADDRESS",
+	"P_CSCF_IP6_ADDRESS");
+ENUM_NEXT(configuration_attribute_type_names, XAUTH_TYPE, XAUTH_ANSWER, P_CSCF_IP6_ADDRESS,
 	"XAUTH_TYPE",
 	"XAUTH_USER_NAME",
 	"XAUTH_USER_PASSWORD",
@@ -65,7 +67,7 @@ ENUM_NEXT(configuration_attribute_type_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME,
 	"UNITY_DDNS_HOSTNAME");
 ENUM_END(configuration_attribute_type_names, UNITY_DDNS_HOSTNAME);
 
-ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, HOME_AGENT_ADDRESS,
+ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, P_CSCF_IP6_ADDRESS,
 	"ADDR",
 	"MASK",
 	"DNS",
@@ -84,8 +86,10 @@ ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, HOME_
 	"MIP6HPFX",
 	"LINK6",
 	"PFX6",
-	"HOA");
-ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_TYPE, XAUTH_ANSWER, HOME_AGENT_ADDRESS,
+	"HOA",
+	"PCSCF4",
+	"PCSCF6");
+ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_TYPE, XAUTH_ANSWER, P_CSCF_IP6_ADDRESS,
 	"X_TYPE",
 	"X_USER",
 	"X_PWD",
diff --git a/src/libcharon/attributes/attributes.h b/src/libcharon/attributes/attributes.h
index 5d1e9f9ba..dd1db4fc3 100644
--- a/src/libcharon/attributes/attributes.h
+++ b/src/libcharon/attributes/attributes.h
@@ -49,6 +49,9 @@ enum configuration_attribute_type_t {
 	INTERNAL_IP6_LINK       = 17,
 	INTERNAL_IP6_PREFIX     = 18,
 	HOME_AGENT_ADDRESS		= 19,
+	/* RFC 7651 */
+	P_CSCF_IP4_ADDRESS		= 20,
+	P_CSCF_IP6_ADDRESS		= 21,
 	/* XAUTH attributes */
 	XAUTH_TYPE              = 16520,
 	XAUTH_USER_NAME         = 16521,
diff --git a/src/libcharon/attributes/mem_pool.c b/src/libcharon/attributes/mem_pool.c
index 279668249..833c3e950 100644
--- a/src/libcharon/attributes/mem_pool.c
+++ b/src/libcharon/attributes/mem_pool.c
@@ -17,7 +17,6 @@
 #include "mem_pool.h"
 
 #include <library.h>
-#include <hydra.h>
 #include <utils/debug.h>
 #include <collections/hashtable.h>
 #include <collections/array.h>
diff --git a/src/libcharon/bus/listeners/custom_logger.h b/src/libcharon/bus/listeners/custom_logger.h
new file mode 100644
index 000000000..a256ad1ec
--- /dev/null
+++ b/src/libcharon/bus/listeners/custom_logger.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2016 secunet Security Networks AG
+ * Copyright (C) 2016 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup custom_logger custom_logger
+ * @{ @ingroup listeners
+ */
+
+#ifndef CUSTOM_LOGGER_H_
+#define CUSTOM_LOGGER_H_
+
+#include <bus/listeners/logger.h>
+
+typedef struct custom_logger_t custom_logger_t;
+
+/**
+ * Custom logger which implements listener_t.
+ */
+struct custom_logger_t {
+
+	/**
+	 * Implements the logger_t interface.
+	 */
+	logger_t logger;
+
+	/**
+	 * Set the loglevel for a debug group.
+	 *
+	 * @param group		debug group to set
+	 * @param level		max level to log (0..4)
+	 */
+	void (*set_level) (custom_logger_t *this, debug_t group, level_t level);
+
+	/**
+	 * Destroy the custom_logger_t object.
+	 */
+	void (*destroy) (custom_logger_t *this);
+};
+
+/**
+ * Prototype for custom logger construction function pointer.
+ */
+typedef custom_logger_t *(*custom_logger_constructor_t)(const char *name);
+
+#endif /** CUSTOM_LOGGER_H_ @}*/
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index ed7c0d406..3d3c7419b 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -531,6 +531,57 @@ METHOD(child_cfg_t, install_policy, bool,
 	return this->install_policy;
 }
 
+#define LT_PART_EQUALS(a, b) ({ a.life == b.life && a.rekey == b.rekey && a.jitter == b.jitter; })
+#define LIFETIME_EQUALS(a, b) ({  LT_PART_EQUALS(a.time, b.time) && LT_PART_EQUALS(a.bytes, b.bytes) && LT_PART_EQUALS(a.packets, b.packets); })
+
+METHOD(child_cfg_t, equals, bool,
+	private_child_cfg_t *this, child_cfg_t *other_pub)
+{
+	private_child_cfg_t *other = (private_child_cfg_t*)other_pub;
+
+	if (this == other)
+	{
+		return TRUE;
+	}
+	if (this->public.equals != other->public.equals)
+	{
+		return FALSE;
+	}
+	if (!this->proposals->equals_offset(this->proposals, other->proposals,
+										offsetof(proposal_t, equals)))
+	{
+		return FALSE;
+	}
+	if (!this->my_ts->equals_offset(this->my_ts, other->my_ts,
+									offsetof(traffic_selector_t, equals)))
+	{
+		return FALSE;
+	}
+	if (!this->other_ts->equals_offset(this->other_ts, other->other_ts,
+									   offsetof(traffic_selector_t, equals)))
+	{
+		return FALSE;
+	}
+	return this->hostaccess == other->hostaccess &&
+		this->mode == other->mode &&
+		this->start_action == other->start_action &&
+		this->dpd_action == other->dpd_action &&
+		this->close_action == other->close_action &&
+		LIFETIME_EQUALS(this->lifetime, other->lifetime) &&
+		this->use_ipcomp == other->use_ipcomp &&
+		this->inactivity == other->inactivity &&
+		this->reqid == other->reqid &&
+		this->mark_in.value == other->mark_in.value &&
+		this->mark_in.mask == other->mark_in.mask &&
+		this->mark_out.value == other->mark_out.value &&
+		this->mark_out.mask == other->mark_out.mask &&
+		this->tfc == other->tfc &&
+		this->replay_window == other->replay_window &&
+		this->proxy_mode == other->proxy_mode &&
+		this->install_policy == other->install_policy &&
+		streq(this->updown, other->updown);
+}
+
 METHOD(child_cfg_t, get_ref, child_cfg_t*,
 	private_child_cfg_t *this)
 {
@@ -593,6 +644,7 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
 			.set_replay_window = _set_replay_window,
 			.use_proxy_mode = _use_proxy_mode,
 			.install_policy = _install_policy,
+			.equals = _equals,
 			.get_ref = _get_ref,
 			.destroy = _destroy,
 		},
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 9f7a92b70..22641f77e 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -274,6 +274,14 @@ struct child_cfg_t {
 	bool (*install_policy)(child_cfg_t *this);
 
 	/**
+	 * Check if two child_cfg objects are equal.
+	 *
+	 * @param other			candidate to check for equality against this
+	 * @return				TRUE if equal
+	 */
+	bool (*equals)(child_cfg_t *this, child_cfg_t *other);
+
+	/**
 	 * Increase the reference count.
 	 *
 	 * @return				reference to this
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index dee9e4c29..a720e1493 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -371,9 +371,6 @@ METHOD(ike_cfg_t, equals, bool,
 	private_ike_cfg_t *this, ike_cfg_t *other_public)
 {
 	private_ike_cfg_t *other = (private_ike_cfg_t*)other_public;
-	enumerator_t *e1, *e2;
-	proposal_t *p1, *p2;
-	bool eq = TRUE;
 
 	if (this == other)
 	{
@@ -383,25 +380,12 @@ METHOD(ike_cfg_t, equals, bool,
 	{
 		return FALSE;
 	}
-	if (this->proposals->get_count(this->proposals) !=
-		other->proposals->get_count(other->proposals))
+	if (!this->proposals->equals_offset(this->proposals, other->proposals,
+										offsetof(proposal_t, equals)))
 	{
 		return FALSE;
 	}
-	e1 = this->proposals->create_enumerator(this->proposals);
-	e2 = other->proposals->create_enumerator(other->proposals);
-	while (e1->enumerate(e1, &p1) && e2->enumerate(e2, &p2))
-	{
-		if (!p1->equals(p1, p2))
-		{
-			eq = FALSE;
-			break;
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-
-	return (eq &&
+	return
 		this->version == other->version &&
 		this->certreq == other->certreq &&
 		this->force_encap == other->force_encap &&
@@ -409,7 +393,7 @@ METHOD(ike_cfg_t, equals, bool,
 		streq(this->me, other->me) &&
 		streq(this->other, other->other) &&
 		this->my_port == other->my_port &&
-		this->other_port == other->other_port);
+		this->other_port == other->other_port;
 }
 
 METHOD(ike_cfg_t, get_ref, ike_cfg_t*,
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index aa2a39ce5..d28a79507 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2008 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -200,6 +200,117 @@ METHOD(peer_cfg_t, add_child_cfg, void,
 	this->mutex->unlock(this->mutex);
 }
 
+typedef struct {
+	enumerator_t public;
+	linked_list_t *removed;
+	linked_list_t *added;
+	enumerator_t *wrapped;
+	bool add;
+} child_cfgs_replace_enumerator_t;
+
+METHOD(enumerator_t, child_cfgs_replace_enumerate, bool,
+	child_cfgs_replace_enumerator_t *this, child_cfg_t **chd, bool *added)
+{
+	child_cfg_t *child_cfg;
+
+	if (!this->wrapped)
+	{
+		this->wrapped = this->removed->create_enumerator(this->removed);
+	}
+	while (TRUE)
+	{
+		if (this->wrapped->enumerate(this->wrapped, &child_cfg))
+		{
+			if (chd)
+			{
+				*chd = child_cfg;
+			}
+			if (added)
+			{
+				*added = this->add;
+			}
+			return TRUE;
+		}
+		if (this->add)
+		{
+			break;
+		}
+		this->wrapped = this->added->create_enumerator(this->added);
+		this->add = TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, child_cfgs_replace_enumerator_destroy, void,
+	child_cfgs_replace_enumerator_t *this)
+{
+	DESTROY_IF(this->wrapped);
+	this->removed->destroy_offset(this->removed, offsetof(child_cfg_t, destroy));
+	this->added->destroy_offset(this->added, offsetof(child_cfg_t, destroy));
+	free(this);
+}
+
+METHOD(peer_cfg_t, replace_child_cfgs, enumerator_t*,
+	private_peer_cfg_t *this, peer_cfg_t *other_pub)
+{
+	private_peer_cfg_t *other = (private_peer_cfg_t*)other_pub;
+	linked_list_t *removed, *added;
+	enumerator_t *mine, *others;
+	child_cfg_t *my_cfg, *other_cfg;
+	child_cfgs_replace_enumerator_t *enumerator;
+	bool found;
+
+	removed = linked_list_create();
+
+	other->mutex->lock(other->mutex);
+	added = linked_list_create_from_enumerator(
+					other->child_cfgs->create_enumerator(other->child_cfgs));
+	added->invoke_offset(added, offsetof(child_cfg_t, get_ref));
+	other->mutex->unlock(other->mutex);
+
+	this->mutex->lock(this->mutex);
+	others = added->create_enumerator(added);
+	mine = this->child_cfgs->create_enumerator(this->child_cfgs);
+	while (mine->enumerate(mine, &my_cfg))
+	{
+		found = FALSE;
+		while (others->enumerate(others, &other_cfg))
+		{
+			if (my_cfg->equals(my_cfg, other_cfg))
+			{
+				added->remove_at(added, others);
+				other_cfg->destroy(other_cfg);
+				found = TRUE;
+				break;
+			}
+		}
+		added->reset_enumerator(added, others);
+		if (!found)
+		{
+			this->child_cfgs->remove_at(this->child_cfgs, mine);
+			removed->insert_last(removed, my_cfg);
+		}
+	}
+	while (others->enumerate(others, &other_cfg))
+	{
+		this->child_cfgs->insert_last(this->child_cfgs,
+									  other_cfg->get_ref(other_cfg));
+	}
+	others->destroy(others);
+	mine->destroy(mine);
+	this->mutex->unlock(this->mutex);
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_child_cfgs_replace_enumerate,
+			.destroy = (void*)_child_cfgs_replace_enumerator_destroy,
+		},
+		.removed = removed,
+		.added = added,
+	);
+	return &enumerator->public;
+}
+
 /**
  * child_cfg enumerator
  */
@@ -538,10 +649,6 @@ static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
 METHOD(peer_cfg_t, equals, bool,
 	private_peer_cfg_t *this, private_peer_cfg_t *other)
 {
-	enumerator_t *e1, *e2;
-	host_t *vip1, *vip2;
-	char *pool1, *pool2;
-
 	if (this == other)
 	{
 		return TRUE;
@@ -550,44 +657,15 @@ METHOD(peer_cfg_t, equals, bool,
 	{
 		return FALSE;
 	}
-
-	if (this->vips->get_count(this->vips) != other->vips->get_count(other->vips))
+	if (!this->vips->equals_offset(this->vips, other->vips,
+								   offsetof(host_t, ip_equals)))
 	{
 		return FALSE;
 	}
-	e1 = create_virtual_ip_enumerator(this);
-	e2 = create_virtual_ip_enumerator(other);
-	if (e1->enumerate(e1, &vip1) && e2->enumerate(e2, &vip2))
-	{
-		if (!vip1->ip_equals(vip1, vip2))
-		{
-			e1->destroy(e1);
-			e2->destroy(e2);
-			return FALSE;
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-
-	if (this->pools->get_count(this->pools) !=
-		other->pools->get_count(other->pools))
+	if (!this->pools->equals_function(this->pools, other->pools, (void*)streq))
 	{
 		return FALSE;
 	}
-	e1 = create_pool_enumerator(this);
-	e2 = create_pool_enumerator(other);
-	if (e1->enumerate(e1, &pool1) && e2->enumerate(e2, &pool2))
-	{
-		if (!streq(pool1, pool2))
-		{
-			e1->destroy(e1);
-			e2->destroy(e2);
-			return FALSE;
-		}
-	}
-	e1->destroy(e1);
-	e2->destroy(e2);
-
 	return (
 		get_ike_version(this) == get_ike_version(other) &&
 		this->cert_policy == other->cert_policy &&
@@ -666,6 +744,10 @@ peer_cfg_t *peer_cfg_create(char *name,
 	{
 		jitter_time = reauth_time;
 	}
+	if (dpd && dpd_timeout && dpd > dpd_timeout)
+	{
+		dpd_timeout = dpd;
+	}
 
 	INIT(this,
 		.public = {
@@ -674,6 +756,7 @@ peer_cfg_t *peer_cfg_create(char *name,
 			.get_ike_cfg = _get_ike_cfg,
 			.add_child_cfg = _add_child_cfg,
 			.remove_child_cfg = (void*)_remove_child_cfg,
+			.replace_child_cfgs = _replace_child_cfgs,
 			.create_child_cfg_enumerator = _create_child_cfg_enumerator,
 			.select_child_cfg = _select_child_cfg,
 			.get_cert_policy = _get_cert_policy,
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 3e780394a..b612a2ef1 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2008 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -154,6 +154,20 @@ struct peer_cfg_t {
 	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
 
 	/**
+	 * Replace the CHILD configs with those in the given PEER config.
+	 *
+	 * Configs that are equal are not replaced.
+	 *
+	 * The enumerator enumerates the removed and added CHILD configs
+	 * (child_cfg_t*, bool), where the flag is FALSE for removed configs and
+	 * TRUE for added configs.
+	 *
+	 * @param other			other config to get CHILD configs from
+	 * @return				an enumerator over removed/added CHILD configs
+	 */
+	enumerator_t* (*replace_child_cfgs)(peer_cfg_t *this, peer_cfg_t *other);
+
+	/**
 	 * Create an enumerator for all attached CHILD configs.
 	 *
 	 * @return				an enumerator over all CHILD configs.
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index e59dcd9ec..95b6a00ea 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2008-2014 Tobias Brunner
  * Copyright (C) 2006-2010 Martin Willi
+ * Copyright (C) 2013-2015 Andreas Steffen
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -640,20 +641,41 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 
 	if (aead)
 	{
+		/* Round 1 adds algorithms with at least 128 bit security strength */
 		enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
 		while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
 		{
 			switch (encryption)
 			{
-				case ENCR_AES_CCM_ICV8:
-				case ENCR_AES_CCM_ICV12:
+				case ENCR_AES_GCM_ICV16:
 				case ENCR_AES_CCM_ICV16:
-				case ENCR_AES_GCM_ICV8:
+				case ENCR_CAMELLIA_CCM_ICV16:
+					/* we assume that we support all AES/Camellia sizes */
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+					break;
+				case ENCR_CHACHA20_POLY1305:
+					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+					break;
+				default:
+					break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* Round 2 adds algorithms with less than 128 bit security strength */
+		enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+		{
+			switch (encryption)
+			{
 				case ENCR_AES_GCM_ICV12:
-				case ENCR_AES_GCM_ICV16:
-				case ENCR_CAMELLIA_CCM_ICV8:
+				case ENCR_AES_GCM_ICV8:
+				case ENCR_AES_CCM_ICV12:
+				case ENCR_AES_CCM_ICV8:
 				case ENCR_CAMELLIA_CCM_ICV12:
-				case ENCR_CAMELLIA_CCM_ICV16:
+				case ENCR_CAMELLIA_CCM_ICV8:
 					/* we assume that we support all AES/Camellia sizes */
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
@@ -672,6 +694,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 	}
 	else
 	{
+		/* Round 1 adds algorithms with at least 128 bit security strength */
 		enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
 		while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
 		{
@@ -686,6 +709,18 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
 					break;
+				default:
+					break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* Round 2 adds algorithms with less than 128 bit security strength */
+		enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+		{
+			switch (encryption)
+			{
 				case ENCR_3DES:
 					add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
 					break;
@@ -703,18 +738,33 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 			return FALSE;
 		}
 
+		/* Round 1 adds algorithms with at least 128 bit security strength */
 		enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
 		while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
 		{
 			switch (integrity)
 			{
-				case AUTH_HMAC_SHA1_96:
 				case AUTH_HMAC_SHA2_256_128:
 				case AUTH_HMAC_SHA2_384_192:
 				case AUTH_HMAC_SHA2_512_256:
-				case AUTH_HMAC_MD5_96:
+					add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
+					break;
+				default:
+					break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		/* Round 2 adds algorithms with less than 128 bit security strength */
+		enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
+		{
+			switch (integrity)
+			{
 				case AUTH_AES_XCBC_96:
 				case AUTH_AES_CMAC_96:
+				case AUTH_HMAC_SHA1_96:
+				case AUTH_HMAC_MD5_96:
 					add_algorithm(this, INTEGRITY_ALGORITHM, integrity, 0);
 					break;
 				default:
@@ -724,16 +774,15 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 		enumerator->destroy(enumerator);
 	}
 
+	/* Round 1 adds algorithms with at least 128 bit security strength */
 	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &prf, &plugin_name))
 	{
 		switch (prf)
 		{
-			case PRF_HMAC_SHA1:
 			case PRF_HMAC_SHA2_256:
 			case PRF_HMAC_SHA2_384:
 			case PRF_HMAC_SHA2_512:
-			case PRF_HMAC_MD5:
 			case PRF_AES128_XCBC:
 			case PRF_AES128_CMAC:
 				add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
@@ -744,6 +793,63 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 	}
 	enumerator->destroy(enumerator);
 
+	/* Round 2 adds algorithms with less than 128 bit security strength */
+	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &prf, &plugin_name))
+	{
+		switch (prf)
+		{
+			case PRF_HMAC_SHA1:
+			case PRF_HMAC_MD5:
+				add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* Round 1 adds ECC and NTRU algorithms with at least 128 bit security strength */
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group, &plugin_name))
+	{
+		switch (group)
+		{
+			case ECP_256_BIT:
+			case ECP_384_BIT:
+			case ECP_521_BIT:
+			case ECP_256_BP:
+			case ECP_384_BP:
+			case ECP_512_BP:
+			case NTRU_128_BIT:
+			case NTRU_192_BIT:
+			case NTRU_256_BIT:
+				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* Round 2 adds other algorithms with at least 128 bit security strength */
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group, &plugin_name))
+	{
+		switch (group)
+		{
+			case MODP_3072_BIT:
+			case MODP_4096_BIT:
+			case MODP_8192_BIT:
+				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* Round 3 adds algorithms with less than 128 bit security strength */
 	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &group, &plugin_name))
 	{
@@ -755,28 +861,16 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 			case MODP_768_BIT:
 				/* weak */
 				break;
-			case MODP_1024_BIT:
-			case MODP_1536_BIT:
 			case MODP_2048_BIT:
-			case MODP_3072_BIT:
-			case MODP_4096_BIT:
-			case MODP_8192_BIT:
-			case ECP_256_BIT:
-			case ECP_384_BIT:
-			case ECP_521_BIT:
-			case MODP_1024_160:
-			case MODP_2048_224:
 			case MODP_2048_256:
-			case ECP_192_BIT:
+			case MODP_2048_224:
+			case MODP_1536_BIT:
+			case MODP_1024_BIT:
+			case MODP_1024_160:
 			case ECP_224_BIT:
 			case ECP_224_BP:
-			case ECP_256_BP:
-			case ECP_384_BP:
-			case ECP_512_BP:
+			case ECP_192_BIT:
 			case NTRU_112_BIT:
-			case NTRU_128_BIT:
-			case NTRU_192_BIT:
-			case NTRU_256_BIT:
 				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
 				break;
 			default:
@@ -805,21 +899,27 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
 			}
 			break;
 		case PROTO_ESP:
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         128);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         192);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_AES_CBC,         256);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_3DES,              0);
-			add_algorithm(this, ENCRYPTION_ALGORITHM,   ENCR_BLOWFISH,        256);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
-			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,  0);
+			add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC,          128);
+			add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC,          192);
+			add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC,          256);
+			add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES,               0);
+			add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,         256);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,       0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,        0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,        0);
+			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 			break;
 		case PROTO_AH:
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_SHA1_96,      0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_AES_XCBC_96,       0);
-			add_algorithm(this, INTEGRITY_ALGORITHM,    AUTH_HMAC_MD5_96,       0);
-			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,  0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,       0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,        0);
+			add_algorithm(this, INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,        0);
+			add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
 			break;
 		default:
 			break;
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index dce2a7144..cef8b8992 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -16,6 +16,29 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2016 secunet Security Networks AG
+ * Copyright (C) 2016 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -111,6 +134,70 @@ static void dbg_bus(debug_t group, level_t level, char *fmt, ...)
 }
 
 /**
+ * Data for registered custom loggers
+ */
+typedef struct {
+	/**
+	 * Name of the custom logger (also used for loglevel configuration)
+	 */
+	char *name;
+
+	/**
+	 * Constructor to be called for custom logger creation
+	 */
+	custom_logger_constructor_t constructor;
+
+} custom_logger_entry_t;
+
+#define MAX_CUSTOM_LOGGERS 10
+
+/**
+ * Static array for logger registration using __attribute__((constructor))
+ */
+static custom_logger_entry_t custom_loggers[MAX_CUSTOM_LOGGERS];
+static int custom_logger_count;
+
+/**
+ * Described in header
+ */
+void register_custom_logger(char *name,
+							custom_logger_constructor_t constructor)
+{
+	if (custom_logger_count < MAX_CUSTOM_LOGGERS - 1)
+	{
+		custom_loggers[custom_logger_count].name = name;
+		custom_loggers[custom_logger_count].constructor = constructor;
+		custom_logger_count++;
+	}
+	else
+	{
+		fprintf(stderr, "failed to register custom logger, please increase "
+				"MAX_CUSTOM_LOGGERS");
+	}
+}
+
+/**
+ * Types of supported loggers
+ */
+typedef enum {
+	/**
+	 * Syslog logger instance
+	 */
+	SYS_LOGGER,
+
+	/**
+	 * File logger instance
+	 */
+	FILE_LOGGER,
+
+	/**
+	 * Custom logger instance
+	 */
+	CUSTOM_LOGGER,
+
+} logger_type_t;
+
+/**
  * Some metadata about configured loggers
  */
 typedef struct {
@@ -120,9 +207,9 @@ typedef struct {
 	char *target;
 
 	/**
-	 * TRUE if this is a file logger
+	 * Type of logger
 	 */
-	bool file;
+	logger_type_t type;
 
 	/**
 	 * The actual logger
@@ -130,6 +217,7 @@ typedef struct {
 	union {
 		sys_logger_t *sys;
 		file_logger_t *file;
+		custom_logger_t *custom;
 	} logger;
 
 } logger_entry_t;
@@ -139,13 +227,17 @@ typedef struct {
  */
 static void logger_entry_destroy(logger_entry_t *this)
 {
-	if (this->file)
-	{
-		DESTROY_IF(this->logger.file);
-	}
-	else
+	switch (this->type)
 	{
-		DESTROY_IF(this->logger.sys);
+		case FILE_LOGGER:
+			DESTROY_IF(this->logger.file);
+			break;
+		case SYS_LOGGER:
+			DESTROY_IF(this->logger.sys);
+			break;
+		case CUSTOM_LOGGER:
+			DESTROY_IF(this->logger.custom);
+			break;
 	}
 	free(this->target);
 	free(this);
@@ -156,13 +248,18 @@ static void logger_entry_destroy(logger_entry_t *this)
  */
 static void logger_entry_unregister_destroy(logger_entry_t *this)
 {
-	if (this->file)
+	switch (this->type)
 	{
-		charon->bus->remove_logger(charon->bus, &this->logger.file->logger);
-	}
-	else
-	{
-		charon->bus->remove_logger(charon->bus, &this->logger.sys->logger);
+		case FILE_LOGGER:
+			charon->bus->remove_logger(charon->bus, &this->logger.file->logger);
+			break;
+		case SYS_LOGGER:
+			charon->bus->remove_logger(charon->bus, &this->logger.sys->logger);
+			break;
+		case CUSTOM_LOGGER:
+			charon->bus->remove_logger(charon->bus,
+									   &this->logger.custom->logger);
+			break;
 	}
 	logger_entry_destroy(this);
 }
@@ -170,9 +267,10 @@ static void logger_entry_unregister_destroy(logger_entry_t *this)
 /**
  * Match a logger entry by target and whether it is a file or syslog logger
  */
-static bool logger_entry_match(logger_entry_t *this, char *target, bool *file)
+static bool logger_entry_match(logger_entry_t *this, char *target,
+							   logger_type_t *type)
 {
-	return this->file == *file && streq(this->target, target);
+	return this->type == *type && streq(this->target, target);
 }
 
 /**
@@ -228,28 +326,45 @@ static int get_syslog_facility(char *facility)
  * Returns an existing or newly created logger entry (if found, it is removed
  * from the given linked list of existing loggers)
  */
-static logger_entry_t *get_logger_entry(char *target, bool is_file_logger,
-										linked_list_t *existing)
+static logger_entry_t *get_logger_entry(char *target, logger_type_t type,
+										linked_list_t *existing,
+										custom_logger_constructor_t constructor)
 {
 	logger_entry_t *entry;
 
 	if (existing->find_first(existing, (void*)logger_entry_match,
-							(void**)&entry, target, &is_file_logger) != SUCCESS)
+							(void**)&entry, target, &type) != SUCCESS)
 	{
 		INIT(entry,
 			.target = strdup(target),
-			.file = is_file_logger,
+			.type = type,
 		);
-		if (is_file_logger)
+		switch (type)
 		{
-			entry->logger.file = file_logger_create(target);
-		}
+			case FILE_LOGGER:
+				entry->logger.file = file_logger_create(target);
+				break;
+			case SYS_LOGGER:
 #ifdef HAVE_SYSLOG
-		else
-		{
-			entry->logger.sys = sys_logger_create(get_syslog_facility(target));
-		}
+				entry->logger.sys = sys_logger_create(
+												get_syslog_facility(target));
+				break;
+#else
+				free(entry);
+				return NULL;
 #endif /* HAVE_SYSLOG */
+			case CUSTOM_LOGGER:
+				if (constructor)
+				{
+					entry->logger.custom = constructor(target);
+				}
+				if (!entry->logger.custom)
+				{
+					free(entry);
+					return NULL;
+				}
+				break;
+		}
 	}
 	else
 	{
@@ -266,9 +381,12 @@ static sys_logger_t *add_sys_logger(private_daemon_t *this, char *facility,
 {
 	logger_entry_t *entry;
 
-	entry = get_logger_entry(facility, FALSE, current_loggers);
-	this->loggers->insert_last(this->loggers, entry);
-	return entry->logger.sys;
+	entry = get_logger_entry(facility, SYS_LOGGER, current_loggers, NULL);
+	if (entry)
+	{
+		this->loggers->insert_last(this->loggers, entry);
+	}
+	return entry ? entry->logger.sys : NULL;
 }
 
 /**
@@ -279,9 +397,30 @@ static file_logger_t *add_file_logger(private_daemon_t *this, char *filename,
 {
 	logger_entry_t *entry;
 
-	entry = get_logger_entry(filename, TRUE, current_loggers);
-	this->loggers->insert_last(this->loggers, entry);
-	return entry->logger.file;
+	entry = get_logger_entry(filename, FILE_LOGGER, current_loggers, NULL);
+	if (entry)
+	{
+		this->loggers->insert_last(this->loggers, entry);
+	}
+	return entry ? entry->logger.file : NULL;
+}
+
+ /**
+ * Create or reuse a custom logger
+ */
+static custom_logger_t *add_custom_logger(private_daemon_t *this,
+										  custom_logger_entry_t *custom,
+										  linked_list_t *current_loggers)
+{
+	logger_entry_t *entry;
+
+	entry = get_logger_entry(custom->name, CUSTOM_LOGGER, current_loggers,
+							 custom->constructor);
+	if (entry)
+	{
+		this->loggers->insert_last(this->loggers, entry);
+	}
+	return entry ? entry->logger.custom : NULL;
 }
 
 /**
@@ -300,6 +439,11 @@ static void load_sys_logger(private_daemon_t *this, char *facility,
 	}
 
 	sys_logger = add_sys_logger(this, facility, current_loggers);
+	if (!sys_logger)
+	{
+		return;
+	}
+
 	sys_logger->set_options(sys_logger,
 				lib->settings->get_bool(lib->settings, "%s.syslog.%s.ike_name",
 										FALSE, lib->ns, facility));
@@ -339,6 +483,11 @@ static void load_file_logger(private_daemon_t *this, char *filename,
 						"%s.filelog.%s.append", TRUE, lib->ns, filename);
 
 	file_logger = add_file_logger(this, filename, current_loggers);
+	if (!file_logger)
+	{
+		return;
+	}
+
 	file_logger->set_options(file_logger, time_format, add_ms, ike_name);
 	file_logger->open(file_logger, flush_line, append);
 
@@ -353,12 +502,41 @@ static void load_file_logger(private_daemon_t *this, char *filename,
 	charon->bus->add_logger(charon->bus, &file_logger->logger);
 }
 
+/**
+ * Load the given custom logger configured in strongswan.conf
+ */
+static void load_custom_logger(private_daemon_t *this,
+							   custom_logger_entry_t *entry,
+							   linked_list_t *current_loggers)
+{
+	custom_logger_t *custom_logger;
+	debug_t group;
+	level_t def;
+
+	custom_logger = add_custom_logger(this, entry, current_loggers);
+	if (!custom_logger)
+	{
+		return;
+	}
+
+	def = lib->settings->get_int(lib->settings, "%s.customlog.%s.default", 1,
+								 lib->ns, entry->name);
+	for (group = 0; group < DBG_MAX; group++)
+	{
+		custom_logger->set_level(custom_logger, group,
+				lib->settings->get_int(lib->settings, "%s.customlog.%s.%N", def,
+							lib->ns, entry->name, debug_lower_names, group));
+	}
+	charon->bus->add_logger(charon->bus, &custom_logger->logger);
+}
+
 METHOD(daemon_t, load_loggers, void,
 	private_daemon_t *this, level_t levels[DBG_MAX], bool to_stderr)
 {
 	enumerator_t *enumerator;
 	linked_list_t *current_loggers;
 	char *target;
+	int i;
 
 	this->mutex->lock(this->mutex);
 	handle_syslog_identifier(this);
@@ -380,6 +558,11 @@ METHOD(daemon_t, load_loggers, void,
 	}
 	enumerator->destroy(enumerator);
 
+	for (i = 0; i < custom_logger_count; ++i)
+	{
+		load_custom_logger(this, &custom_loggers[i], current_loggers);
+	}
+
 	if (!this->loggers->get_count(this->loggers) && levels)
 	{	/* setup legacy style default loggers configured via command-line */
 		file_logger_t *file_logger;
@@ -431,15 +614,24 @@ METHOD(daemon_t, set_level, void,
 	enumerator = this->loggers->create_enumerator(this->loggers);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (entry->file)
-		{
-			entry->logger.file->set_level(entry->logger.file, group, level);
-			charon->bus->add_logger(charon->bus, &entry->logger.file->logger);
-		}
-		else
+		switch (entry->type)
 		{
-			entry->logger.sys->set_level(entry->logger.sys, group, level);
-			charon->bus->add_logger(charon->bus, &entry->logger.sys->logger);
+			case FILE_LOGGER:
+				entry->logger.file->set_level(entry->logger.file, group, level);
+				charon->bus->add_logger(charon->bus,
+										&entry->logger.file->logger);
+				break;
+			case SYS_LOGGER:
+				entry->logger.sys->set_level(entry->logger.sys, group, level);
+				charon->bus->add_logger(charon->bus,
+										&entry->logger.sys->logger);
+				break;
+			case CUSTOM_LOGGER:
+				entry->logger.custom->set_level(entry->logger.custom, group,
+												level);
+				charon->bus->add_logger(charon->bus,
+										&entry->logger.sys->logger);
+				break;
 		}
 	}
 	enumerator->destroy(enumerator);
@@ -488,11 +680,13 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->kernel_handler);
 	DESTROY_IF(this->public.traps);
 	DESTROY_IF(this->public.shunts);
+	DESTROY_IF(this->public.redirect);
 	DESTROY_IF(this->public.controller);
 	DESTROY_IF(this->public.eap);
 	DESTROY_IF(this->public.xauth);
 	DESTROY_IF(this->public.backends);
 	DESTROY_IF(this->public.socket);
+	DESTROY_IF(this->public.kernel);
 
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_old;
@@ -670,6 +864,7 @@ private_daemon_t *daemon_create()
 		.ref = 1,
 	);
 	charon = &this->public;
+	this->public.kernel = kernel_interface_create();
 	this->public.attributes = attribute_manager_create();
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
@@ -678,6 +873,7 @@ private_daemon_t *daemon_create()
 	this->public.socket = socket_manager_create();
 	this->public.traps = trap_manager_create();
 	this->public.shunts = shunt_manager_create();
+	this->public.redirect = redirect_manager_create();
 	this->kernel_handler = kernel_handler_create();
 
 	return this;
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index d16bf1ddb..48b9c7ec3 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -16,6 +16,29 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2016 secunet Security Networks AG
+ * Copyright (C) 2016 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 /**
  * @defgroup libcharon libcharon
  *
@@ -40,7 +63,7 @@
  * @defgroup payloads payloads
  * @ingroup encoding
  *
- * @defgroup ckernel kernel
+ * @defgroup kernel kernel
  * @ingroup libcharon
  *
  * @defgroup network network
@@ -156,15 +179,18 @@
 typedef struct daemon_t daemon_t;
 
 #include <attributes/attribute_manager.h>
+#include <kernel/kernel_interface.h>
 #include <network/sender.h>
 #include <network/receiver.h>
 #include <network/socket_manager.h>
 #include <control/controller.h>
 #include <bus/bus.h>
+#include <bus/listeners/custom_logger.h>
 #include <sa/ike_sa_manager.h>
 #include <sa/child_sa_manager.h>
 #include <sa/trap_manager.h>
 #include <sa/shunt_manager.h>
+#include <sa/redirect_manager.h>
 #include <config/backend_manager.h>
 #include <sa/eap/eap_manager.h>
 #include <sa/xauth/xauth_manager.h>
@@ -215,6 +241,11 @@ struct daemon_t {
 	socket_manager_t *socket;
 
 	/**
+	 * Kernel interface to communicate with kernel
+	 */
+	kernel_interface_t *kernel;
+
+	/**
 	 * A ike_sa_manager_t instance.
 	 */
 	ike_sa_manager_t *ike_sa_manager;
@@ -235,6 +266,11 @@ struct daemon_t {
 	shunt_manager_t *shunts;
 
 	/**
+	 * Manager for IKE redirect providers
+	 */
+	redirect_manager_t *redirect;
+
+	/**
 	 * Manager for the different configuration backends.
 	 */
 	backend_manager_t *backends;
@@ -311,8 +347,8 @@ struct daemon_t {
 						 bool to_stderr);
 
 	/**
-	 * Set the log level for the given log group for all configured file- and
-	 * syslog-loggers.
+	 * Set the log level for the given log group for all configured file-,
+	 * syslog and custom-loggers.
 	 *
 	 * @param group		log group
 	 * @param level		log level
@@ -345,4 +381,15 @@ bool libcharon_init();
  */
 void libcharon_deinit();
 
+/**
+ * Register a custom logger constructor.
+ *
+ * To be called from __attribute__((constructor)) functions.
+ *
+ * @param name				name of the logger (also used for loglevel config)
+ * @param constructor		constructor to create custom logger
+ */
+void register_custom_logger(char *name,
+							custom_logger_constructor_t constructor);
+
 #endif /** DAEMON_H_ @}*/
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 3303024cd..bbdc4629d 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -551,13 +551,13 @@ static payload_order_t aggressive_i_order[] = {
 	{PLV1_NONCE,					0},
 	{PLV1_ID,						0},
 	{PLV1_CERTIFICATE,				0},
+	{PLV1_CERTREQ,					0},
+	{PLV1_NOTIFY,					0},
+	{PLV1_VENDOR_ID,				0},
 	{PLV1_NAT_D,					0},
 	{PLV1_NAT_D_DRAFT_00_03,		0},
 	{PLV1_SIGNATURE,				0},
 	{PLV1_HASH,						0},
-	{PLV1_CERTREQ,					0},
-	{PLV1_NOTIFY,					0},
-	{PLV1_VENDOR_ID,				0},
 	{PLV1_FRAGMENT,					0},
 };
 
@@ -591,13 +591,13 @@ static payload_order_t aggressive_r_order[] = {
 	{PLV1_NONCE,					0},
 	{PLV1_ID,						0},
 	{PLV1_CERTIFICATE,				0},
+	{PLV1_CERTREQ,					0},
+	{PLV1_NOTIFY,					0},
+	{PLV1_VENDOR_ID,				0},
 	{PLV1_NAT_D,					0},
 	{PLV1_NAT_D_DRAFT_00_03,		0},
 	{PLV1_SIGNATURE,				0},
 	{PLV1_HASH,						0},
-	{PLV1_CERTREQ,					0},
-	{PLV1_NOTIFY,					0},
-	{PLV1_VENDOR_ID,				0},
 	{PLV1_FRAGMENT,					0},
 };
 
diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c
index 481bb7bc6..4ecdf569d 100644
--- a/src/libcharon/encoding/payloads/configuration_attribute.c
+++ b/src/libcharon/encoding/payloads/configuration_attribute.c
@@ -132,6 +132,7 @@ METHOD(payload_t, verify, status_t,
 		case INTERNAL_IP4_NBNS:
 		case INTERNAL_ADDRESS_EXPIRY:
 		case INTERNAL_IP4_DHCP:
+		case P_CSCF_IP4_ADDRESS:
 			if (this->length_or_value != 0 && this->length_or_value != 4)
 			{
 				failed = TRUE;
@@ -144,6 +145,13 @@ METHOD(payload_t, verify, status_t,
 			}
 			break;
 		case INTERNAL_IP6_ADDRESS:
+			if (this->type == PLV1_CONFIGURATION_ATTRIBUTE &&
+				this->length_or_value == 16)
+			{	/* 16 bytes are correct for IKEv1, but older releases sent a
+				 * prefix byte so we still accept 0 or 17 as in IKEv2 */
+				break;
+			}
+			/* fall-through */
 		case INTERNAL_IP6_SUBNET:
 			if (this->length_or_value != 0 && this->length_or_value != 17)
 			{
@@ -153,6 +161,7 @@ METHOD(payload_t, verify, status_t,
 		case INTERNAL_IP6_DNS:
 		case INTERNAL_IP6_NBNS:
 		case INTERNAL_IP6_DHCP:
+		case P_CSCF_IP6_ADDRESS:
 			if (this->length_or_value != 0 && this->length_or_value != 16)
 			{
 				failed = TRUE;
diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c
index 9c0e2602b..be37d30e5 100644
--- a/src/libcharon/kernel/kernel_handler.c
+++ b/src/libcharon/kernel/kernel_handler.c
@@ -15,7 +15,6 @@
 
 #include "kernel_handler.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/acquire_job.h>
 #include <processing/jobs/delete_child_sa_job.h>
@@ -135,8 +134,7 @@ METHOD(kernel_listener_t, roam, bool,
 METHOD(kernel_handler_t, destroy, void,
 	private_kernel_handler_t *this)
 {
-	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
-											 &this->public.listener);
+	charon->kernel->remove_listener(charon->kernel, &this->public.listener);
 	free(this);
 }
 
@@ -157,8 +155,7 @@ kernel_handler_t *kernel_handler_create()
 		},
 	);
 
-	hydra->kernel_interface->add_listener(hydra->kernel_interface,
-										  &this->public.listener);
+	charon->kernel->add_listener(charon->kernel, &this->public.listener);
 
 	return &this->public;
 }
diff --git a/src/libcharon/kernel/kernel_handler.h b/src/libcharon/kernel/kernel_handler.h
index 48ad6889c..f1fa0bdfc 100644
--- a/src/libcharon/kernel/kernel_handler.h
+++ b/src/libcharon/kernel/kernel_handler.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_handler kernel_handler
- * @{ @ingroup ckernel
+ * @{ @ingroup kernel
  */
 
 #ifndef KERNEL_HANDLER_H_
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c
index 89e95ade9..40c4ee589 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libcharon/kernel/kernel_interface.c
@@ -39,7 +39,6 @@
 
 #include "kernel_interface.h"
 
-#include <hydra.h>
 #include <utils/debug.h>
 #include <threading/mutex.h>
 #include <collections/linked_list.h>
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h
index 45efe8946..6793c6cc6 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libcharon/kernel/kernel_interface.h
@@ -40,7 +40,7 @@
 
 /**
  * @defgroup kernel_interface kernel_interface
- * @{ @ingroup hkernel
+ * @{ @ingroup kernel
  */
 
 #ifndef KERNEL_INTERFACE_H_
diff --git a/src/libhydra/kernel/kernel_ipsec.c b/src/libcharon/kernel/kernel_ipsec.c
index 697b1b33d..0440f11bb 100644
--- a/src/libhydra/kernel/kernel_ipsec.c
+++ b/src/libcharon/kernel/kernel_ipsec.c
@@ -15,7 +15,7 @@
 
 #include "kernel_ipsec.h"
 
-#include <hydra.h>
+#include <daemon.h>
 
 /**
  * See header
@@ -25,14 +25,12 @@ bool kernel_ipsec_register(plugin_t *plugin, plugin_feature_t *feature,
 {
 	if (reg)
 	{
-		return hydra->kernel_interface->add_ipsec_interface(
-											hydra->kernel_interface,
+		return charon->kernel->add_ipsec_interface(charon->kernel,
 											(kernel_ipsec_constructor_t)data);
 	}
 	else
 	{
-		return hydra->kernel_interface->remove_ipsec_interface(
-											hydra->kernel_interface,
+		return charon->kernel->remove_ipsec_interface(charon->kernel,
 											(kernel_ipsec_constructor_t)data);
 	}
 }
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h
index 2458db5b9..31e06308e 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libcharon/kernel/kernel_ipsec.h
@@ -18,7 +18,7 @@
 
 /**
  * @defgroup kernel_ipsec kernel_ipsec
- * @{ @ingroup hkernel
+ * @{ @ingroup kernel
  */
 
 #ifndef KERNEL_IPSEC_H_
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libcharon/kernel/kernel_listener.h
index 8074356a4..6426fae2a 100644
--- a/src/libhydra/kernel/kernel_listener.h
+++ b/src/libcharon/kernel/kernel_listener.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_listener kernel_listener
- * @{ @ingroup hkernel
+ * @{ @ingroup kernel
  */
 
 #ifndef KERNEL_LISTENER_H_
diff --git a/src/libhydra/kernel/kernel_net.c b/src/libcharon/kernel/kernel_net.c
index 07d8b2999..f169cad14 100644
--- a/src/libhydra/kernel/kernel_net.c
+++ b/src/libcharon/kernel/kernel_net.c
@@ -15,7 +15,7 @@
 
 #include "kernel_net.h"
 
-#include <hydra.h>
+#include <daemon.h>
 
 /**
  * See header
@@ -25,14 +25,12 @@ bool kernel_net_register(plugin_t *plugin, plugin_feature_t *feature,
 {
 	if (reg)
 	{
-		return hydra->kernel_interface->add_net_interface(
-											hydra->kernel_interface,
+		return charon->kernel->add_net_interface(charon->kernel,
 											(kernel_net_constructor_t)data);
 	}
 	else
 	{
-		return hydra->kernel_interface->remove_net_interface(
-											hydra->kernel_interface,
+		return charon->kernel->remove_net_interface(charon->kernel,
 											(kernel_net_constructor_t)data);
 	}
 }
diff --git a/src/libhydra/kernel/kernel_net.h b/src/libcharon/kernel/kernel_net.h
index 4312c17d1..7fc644a7e 100644
--- a/src/libhydra/kernel/kernel_net.h
+++ b/src/libcharon/kernel/kernel_net.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup kernel_net kernel_net
- * @{ @ingroup hkernel
+ * @{ @ingroup kernel
  */
 
 #ifndef KERNEL_NET_H_
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index a2f2016ff..ee357ca4d 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -20,7 +20,6 @@
 
 #include "receiver.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <network/socket.h>
 #include <processing/jobs/job.h>
@@ -451,9 +450,8 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 
 	dst = packet->get_destination(packet);
 	src = packet->get_source(packet);
-	if (!hydra->kernel_interface->all_interfaces_usable(hydra->kernel_interface)
-		&& !hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												   dst, NULL))
+	if (!charon->kernel->all_interfaces_usable(charon->kernel)
+		&& !charon->kernel->get_interface(charon->kernel, dst, NULL))
 	{
 		DBG3(DBG_NET, "received packet from %#H to %#H on ignored interface",
 			 src, dst);
diff --git a/src/libcharon/plugins/addrblock/Makefile.am b/src/libcharon/plugins/addrblock/Makefile.am
index 33ee60d86..ddb2706c8 100644
--- a/src/libcharon/plugins/addrblock/Makefile.am
+++ b/src/libcharon/plugins/addrblock/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 0554465b9..b4ae6fa3e 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/android_dns/Makefile.am b/src/libcharon/plugins/android_dns/Makefile.am
index 1a0d6e6f2..e606a832c 100644
--- a/src/libcharon/plugins/android_dns/Makefile.am
+++ b/src/libcharon/plugins/android_dns/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 58cf97b6e..d90149827 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/android_log/Makefile.am b/src/libcharon/plugins/android_log/Makefile.am
index 79c61b51e..9f82f6e60 100644
--- a/src/libcharon/plugins/android_log/Makefile.am
+++ b/src/libcharon/plugins/android_log/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 8ce92e577..64fecd9e3 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/attr/Makefile.am b/src/libcharon/plugins/attr/Makefile.am
index 6bc7e77d8..ecbb76d1a 100644
--- a/src/libcharon/plugins/attr/Makefile.am
+++ b/src/libcharon/plugins/attr/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in
index 486b3c0b0..acb7d07c0 100644
--- a/src/libcharon/plugins/attr/Makefile.in
+++ b/src/libcharon/plugins/attr/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -428,7 +430,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/attr/attr_provider.c b/src/libcharon/plugins/attr/attr_provider.c
index cac0ae4bf..1de571c3f 100644
--- a/src/libcharon/plugins/attr/attr_provider.c
+++ b/src/libcharon/plugins/attr/attr_provider.c
@@ -54,6 +54,8 @@ struct attribute_entry_t {
 	configuration_attribute_type_t type;
 	/** attribute value */
 	chunk_t value;
+	/** associated IKE version */
+	ike_version_t ike;
 };
 
 /**
@@ -66,26 +68,51 @@ static void attribute_destroy(attribute_entry_t *this)
 }
 
 /**
+ * Data for attribute enumerator
+ */
+typedef struct {
+	rwlock_t *lock;
+	ike_version_t ike;
+} enumerator_data_t;
+
+/**
  * convert enumerator value from attribute_entry
  */
-static bool attr_enum_filter(void *null, attribute_entry_t **in,
+static bool attr_enum_filter(enumerator_data_t *data, attribute_entry_t **in,
 			configuration_attribute_type_t *type, void* none, chunk_t *value)
 {
-	*type = (*in)->type;
-	*value = (*in)->value;
-	return TRUE;
+	if ((*in)->ike == IKE_ANY || (*in)->ike == data->ike)
+	{
+		*type = (*in)->type;
+		*value = (*in)->value;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+CALLBACK(attr_enum_destroy, void,
+	enumerator_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
 }
 
 METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
 	private_attr_provider_t *this, linked_list_t *pools,
 	ike_sa_t *ike_sa, linked_list_t *vips)
 {
+	enumerator_data_t *data;
+
 	if (vips->get_count(vips))
 	{
+		INIT(data,
+			.lock = this->lock,
+			.ike = ike_sa->get_version(ike_sa),
+		);
 		this->lock->read_lock(this->lock);
 		return enumerator_create_filter(
 				this->attributes->create_enumerator(this->attributes),
-				(void*)attr_enum_filter, this->lock, (void*)this->lock->unlock);
+				(void*)attr_enum_filter, data, attr_enum_destroy);
 	}
 	return enumerator_create_empty();
 }
@@ -116,8 +143,6 @@ static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
 		host = host_create_from_string(str, 0);
 		if (host)
 		{
-			entry = malloc_thing(attribute_entry_t);
-
 			if (host->get_family(host) == AF_INET6)
 			{
 				switch (type)
@@ -132,8 +157,11 @@ static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr,
 						break;
 				}
 			}
-			entry->type = type;
-			entry->value = chunk_clone(host->get_address(host));
+			INIT(entry,
+				.type = type,
+				.value = chunk_clone(host->get_address(host)),
+				.ike = IKE_ANY,
+			);
 			host->destroy(host);
 			DBG2(DBG_CFG, "loaded legacy entry attribute %N: %#B",
 				 configuration_attribute_type_names, entry->type, &entry->value);
@@ -149,18 +177,20 @@ typedef struct {
 	char *name;
 	configuration_attribute_type_t v4;
 	configuration_attribute_type_t v6;
+	ike_version_t ike;
 } attribute_type_key_t;
 
 static attribute_type_key_t keys[] = {
-	{"address",			INTERNAL_IP4_ADDRESS,	INTERNAL_IP6_ADDRESS},
-	{"dns",				INTERNAL_IP4_DNS,		INTERNAL_IP6_DNS},
-	{"nbns",			INTERNAL_IP4_NBNS,		INTERNAL_IP6_NBNS},
-	{"dhcp",			INTERNAL_IP4_DHCP,		INTERNAL_IP6_DHCP},
-	{"netmask",			INTERNAL_IP4_NETMASK,	INTERNAL_IP6_NETMASK},
-	{"server",			INTERNAL_IP4_SERVER,	INTERNAL_IP6_SERVER},
-	{"subnet",			INTERNAL_IP4_SUBNET,	INTERNAL_IP6_SUBNET},
-	{"split-include",	UNITY_SPLIT_INCLUDE,	UNITY_SPLIT_INCLUDE},
-	{"split-exclude",	UNITY_LOCAL_LAN,		UNITY_LOCAL_LAN},
+	{"address",			INTERNAL_IP4_ADDRESS,	INTERNAL_IP6_ADDRESS,	IKE_ANY},
+	{"dns",				INTERNAL_IP4_DNS,		INTERNAL_IP6_DNS,		IKE_ANY},
+	{"nbns",			INTERNAL_IP4_NBNS,		INTERNAL_IP6_NBNS,		IKE_ANY},
+	{"dhcp",			INTERNAL_IP4_DHCP,		INTERNAL_IP6_DHCP,		IKE_ANY},
+	{"netmask",			INTERNAL_IP4_NETMASK,	INTERNAL_IP6_NETMASK,	IKE_ANY},
+	{"server",			INTERNAL_IP4_SERVER,	INTERNAL_IP6_SERVER,	IKE_ANY},
+	{"subnet",			INTERNAL_IP4_SUBNET,	INTERNAL_IP6_SUBNET,	IKE_ANY},
+	{"p-cscf",			P_CSCF_IP4_ADDRESS,		P_CSCF_IP6_ADDRESS,		IKEV2},
+	{"split-include",	UNITY_SPLIT_INCLUDE,	UNITY_SPLIT_INCLUDE,	IKEV1},
+	{"split-exclude",	UNITY_LOCAL_LAN,		UNITY_LOCAL_LAN,		IKEV1},
 };
 
 /**
@@ -275,6 +305,7 @@ static void load_entries(private_attr_provider_t *this)
 			INIT(entry,
 				.type = type,
 				.value = data,
+				.ike = mapped ? mapped->ike : IKE_ANY,
 			);
 			DBG2(DBG_CFG, "loaded attribute %N: %#B",
 				 configuration_attribute_type_names, entry->type, &entry->value);
diff --git a/src/libcharon/plugins/attr_sql/Makefile.am b/src/libcharon/plugins/attr_sql/Makefile.am
index 366c902f7..e65ef36a1 100644
--- a/src/libcharon/plugins/attr_sql/Makefile.am
+++ b/src/libcharon/plugins/attr_sql/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in
index 8f1b3c0ff..8ee9f3f92 100644
--- a/src/libcharon/plugins/attr_sql/Makefile.in
+++ b/src/libcharon/plugins/attr_sql/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/certexpire/Makefile.am b/src/libcharon/plugins/certexpire/Makefile.am
index b8c241dfb..d2d38efea 100644
--- a/src/libcharon/plugins/certexpire/Makefile.am
+++ b/src/libcharon/plugins/certexpire/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index f946d73c1..be19d615e 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/connmark/Makefile.am b/src/libcharon/plugins/connmark/Makefile.am
index cc4d0ec8d..561efa0af 100644
--- a/src/libcharon/plugins/connmark/Makefile.am
+++ b/src/libcharon/plugins/connmark/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/connmark/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in
index 65f53fde9..eaf4f1ec9 100644
--- a/src/libcharon/plugins/connmark/Makefile.in
+++ b/src/libcharon/plugins/connmark/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c
index 23df690e8..607316f7b 100644
--- a/src/libcharon/plugins/connmark/connmark_listener.c
+++ b/src/libcharon/plugins/connmark/connmark_listener.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
@@ -25,6 +28,14 @@
 #include <linux/netfilter/xt_policy.h>
 #include <linux/netfilter/xt_CONNMARK.h>
 
+/**
+ * Add a struct at the current position in the buffer
+ */
+#define ADD_STRUCT(pos, st, ...) ({\
+	typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\
+	*(st*)_cur = (st){ __VA_ARGS__ };\
+	(st*)_cur;\
+})
 
 typedef struct private_connmark_listener_t private_connmark_listener_t;
 
@@ -90,7 +101,10 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
 	}
 	else
 	{
-		if (!iptc_delete_entry(chain, e, "", ipth))
+		u_char matchmask[e->next_offset];
+
+		memset(matchmask, 255, sizeof(matchmask));
+		if (!iptc_delete_entry(chain, e, matchmask, ipth))
 		{
 			DBG1(DBG_CFG, "deleting %s rule failed: %s",
 				 chain, iptc_strerror(errno));
@@ -108,54 +122,54 @@ static bool manage_pre_esp_in_udp(private_connmark_listener_t *this,
 								  u_int mark, u_int32_t spi,
 								  host_t *dst, host_t *src)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_match m;
-		struct xt_udp udp;
-		struct ipt_entry_target t;
-		struct xt_mark_tginfo2 tm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
-									  sizeof(ipt.udp)),
-			.next_offset = sizeof(ipt),
-			.ip = {
-				.proto = IPPROTO_UDP,
-			},
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_udp));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+		.ip = {
+			.proto = IPPROTO_UDP,
 		},
-		.m = {
-			.u = {
-				.user = {
-					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
-					.name = "udp",
-				},
+	);
+	if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+		!host2in(src, &e->ip.src, &e->ip.smsk))
+	{
+		return FALSE;
+	}
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "udp",
 			},
 		},
-		.udp = {
-			.spts = { src->get_port(src), src->get_port(src) },
-			.dpts = { dst->get_port(dst), dst->get_port(dst) },
-		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
-					.name = "MARK",
-					.revision = 2,
-				},
+	);
+	ADD_STRUCT(pos, struct xt_udp,
+		.spts = { src->get_port(src), src->get_port(src) },
+		.dpts = { dst->get_port(dst), dst->get_port(dst) },
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "MARK",
+				.revision = 2,
 			},
 		},
-		.tm = {
-			.mark = mark,
-			.mask = ~0,
-		},
-	};
-
-	if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
-	{
-		return FALSE;
-	}
-	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+	);
+	ADD_STRUCT(pos, struct xt_mark_tginfo2,
+		.mark = mark,
+		.mask = ~0,
+	);
+	return manage_rule(ipth, "PREROUTING", add, e);
 }
 
 /**
@@ -166,53 +180,53 @@ static bool manage_pre_esp(private_connmark_listener_t *this,
 						   u_int mark, u_int32_t spi,
 						   host_t *dst, host_t *src)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_match m;
-		struct xt_esp esp;
-		struct ipt_entry_target t;
-		struct xt_mark_tginfo2 tm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
-									  sizeof(ipt.esp)),
-			.next_offset = sizeof(ipt),
-			.ip = {
-				.proto = IPPROTO_ESP,
-			},
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_esp));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+		.ip = {
+			.proto = IPPROTO_ESP,
 		},
-		.m = {
-			.u = {
-				.user = {
-					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
-					.name = "esp",
-				},
+	);
+	if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+		!host2in(src, &e->ip.src, &e->ip.smsk))
+	{
+		return FALSE;
+	}
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "esp",
 			},
 		},
-		.esp = {
-			.spis = { htonl(spi), htonl(spi) },
-		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
-					.name = "MARK",
-					.revision = 2,
-				},
+	);
+	ADD_STRUCT(pos, struct xt_esp,
+		.spis = { htonl(spi), htonl(spi) },
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "MARK",
+				.revision = 2,
 			},
 		},
-		.tm = {
-			.mark = mark,
-			.mask = ~0,
-		},
-	};
-
-	if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
-	{
-		return FALSE;
-	}
-	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+	);
+	ADD_STRUCT(pos, struct xt_mark_tginfo2,
+		.mark = mark,
+		.mask = ~0,
+	);
+	return manage_rule(ipth, "PREROUTING", add, e);
 }
 
 /**
@@ -238,99 +252,115 @@ static bool manage_in(private_connmark_listener_t *this,
 					  u_int mark, u_int32_t spi,
 					  traffic_selector_t *dst, traffic_selector_t *src)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_match m;
-		struct xt_policy_info p;
-		struct ipt_entry_target t;
-		struct xt_connmark_tginfo1 cm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
-									  sizeof(ipt.p)),
-			.next_offset = sizeof(ipt),
-		},
-		.m = {
-			.u = {
-				.user = {
-					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.p)),
-					.name = "policy",
-				},
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_policy_info));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_connmark_tginfo1));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+	);
+	if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+		!ts2in(src, &e->ip.src, &e->ip.smsk))
+	{
+		return FALSE;
+	}
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "policy",
 			},
 		},
-		.p = {
-			.pol = {
-				{
-					.spi = spi,
-					.match.spi = 1,
-				},
+	);
+	ADD_STRUCT(pos, struct xt_policy_info,
+		.pol = {
+			{
+				.spi = spi,
+				.match.spi = 1,
 			},
-			.len = 1,
-			.flags = XT_POLICY_MATCH_IN,
 		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
-					.name = "CONNMARK",
-					.revision = 1,
-				},
+		.len = 1,
+		.flags = XT_POLICY_MATCH_IN,
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "CONNMARK",
+				.revision = 1,
 			},
 		},
-		.cm = {
-			.ctmark = mark,
-			.ctmask = ~0,
-			.nfmask = ~0,
-			.mode = XT_CONNMARK_SET,
-		},
-	};
-
-	if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
-	{
-		return FALSE;
-	}
-	return manage_rule(ipth, "INPUT", add, &ipt.e);
+	);
+	ADD_STRUCT(pos, struct xt_connmark_tginfo1,
+		.ctmark = mark,
+		.ctmask = ~0,
+		.nfmask = ~0,
+		.mode = XT_CONNMARK_SET,
+	);
+	return manage_rule(ipth, "INPUT", add, e);
 }
 
 /**
- * Add outbund rule restoring CONNMARK on matching traffic
+ * Add outbund rule restoring CONNMARK on matching traffic unless the packet
+ * already has a mark set
  */
 static bool manage_out(private_connmark_listener_t *this,
 					   struct iptc_handle *ipth, bool add,
 					   traffic_selector_t *dst, traffic_selector_t *src)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_target t;
-		struct xt_connmark_tginfo1 cm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e)),
-			.next_offset = sizeof(ipt),
-		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
-					.name = "CONNMARK",
-					.revision = 1,
-				},
-			},
-		},
-		.cm = {
-			.ctmask = ~0,
-			.nfmask = ~0,
-			.mode = XT_CONNMARK_RESTORE,
-		},
-	};
-
-	if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_mark_mtinfo1));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_connmark_tginfo1));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+	);
+	if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+		!ts2in(src, &e->ip.src, &e->ip.smsk))
 	{
 		return FALSE;
 	}
-	return manage_rule(ipth, "OUTPUT", add, &ipt.e);
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "mark",
+				.revision = 1,
+			},
+		},
+	);
+	ADD_STRUCT(pos, struct xt_mark_mtinfo1,
+		.mask = ~0,
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "CONNMARK",
+				.revision = 1,
+			},
+		},
+	);
+	ADD_STRUCT(pos, struct xt_connmark_tginfo1,
+		.ctmask = ~0,
+		.nfmask = ~0,
+		.mode = XT_CONNMARK_RESTORE,
+	);
+	return manage_rule(ipth, "OUTPUT", add, e);
 }
 
 /**
diff --git a/src/libcharon/plugins/coupling/Makefile.am b/src/libcharon/plugins/coupling/Makefile.am
index badc7b7b2..62695aabe 100644
--- a/src/libcharon/plugins/coupling/Makefile.am
+++ b/src/libcharon/plugins/coupling/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index dff80c37f..44598c3ea 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/dhcp/Makefile.am b/src/libcharon/plugins/dhcp/Makefile.am
index 3c09db016..9ae68be35 100644
--- a/src/libcharon/plugins/dhcp/Makefile.am
+++ b/src/libcharon/plugins/dhcp/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 1e84f04e2..3d39fda29 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -429,7 +431,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index b8c1b4059..0fd1d33fd 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -31,7 +31,6 @@
 #include <threading/condvar.h>
 #include <threading/thread.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 
@@ -209,8 +208,7 @@ static int prepare_dhcp(private_dhcp_socket_t *this,
 	else
 	{
 		/* act as relay agent */
-		src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
-													   this->dst, NULL);
+		src = charon->kernel->get_source_addr(charon->kernel, this->dst, NULL);
 		if (src)
 		{
 			memcpy(&dhcp->gateway_address, src->get_address(src).ptr,
diff --git a/src/libcharon/plugins/dnscert/Makefile.am b/src/libcharon/plugins/dnscert/Makefile.am
index 145562522..8181bfc9e 100644
--- a/src/libcharon/plugins/dnscert/Makefile.am
+++ b/src/libcharon/plugins/dnscert/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index ed873b316..04fc31a3a 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/duplicheck/Makefile.am b/src/libcharon/plugins/duplicheck/Makefile.am
index 338a114fe..32b850ccb 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.am
+++ b/src/libcharon/plugins/duplicheck/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 41862cb2a..da4534c21 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -423,6 +423,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -438,7 +440,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/duplicheck/duplicheck.c b/src/libcharon/plugins/duplicheck/duplicheck.c
index 508e8e386..7c4cd5ce1 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck.c
@@ -19,8 +19,10 @@
 #include <stdlib.h>
 #include <stddef.h>
 #include <stdio.h>
+#include <string.h>
 #include <errno.h>
 #include <arpa/inet.h>
+#include <netinet/in.h>
 
 #include "duplicheck_msg.h"
 
diff --git a/src/libcharon/plugins/eap_aka/Makefile.am b/src/libcharon/plugins/eap_aka/Makefile.am
index 75e8eafb2..5d7ab8485 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.am
+++ b/src/libcharon/plugins/eap_aka/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index dacddfb87..b5ffd8c24 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
index ec145a39e..d68bfc4c4 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 3c26b8511..e0ad6fe2e 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.am b/src/libcharon/plugins/eap_dynamic/Makefile.am
index 58b827a78..fd08846a9 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.am
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index 402c7cadc..821f6de6c 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.am b/src/libcharon/plugins/eap_gtc/Makefile.am
index c3a12ba3e..a7d1f6275 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.am
+++ b/src/libcharon/plugins/eap_gtc/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 2279b2514..cfd7c4e24 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -430,7 +432,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_identity/Makefile.am b/src/libcharon/plugins/eap_identity/Makefile.am
index 6c5b43f00..4c44962bd 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.am
+++ b/src/libcharon/plugins/eap_identity/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS =  \
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 30d2c88d1..1c544f360 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_md5/Makefile.am b/src/libcharon/plugins/eap_md5/Makefile.am
index 16aa1919b..b27e8cc54 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.am
+++ b/src/libcharon/plugins/eap_md5/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 14616c214..e967262b6 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -430,7 +432,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.am b/src/libcharon/plugins/eap_mschapv2/Makefile.am
index 4276a082d..ded9bbe3f 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.am
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 78dfd29e3..d96343a5c 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/eap_peap/Makefile.am b/src/libcharon/plugins/eap_peap/Makefile.am
index 8960b84bd..ef226169d 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.am
+++ b/src/libcharon/plugins/eap_peap/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls
 
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 2f0d65d6d..0f920fef8 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls
 
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am
index bc7a7765d..78cf99184 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.am
+++ b/src/libcharon/plugins/eap_radius/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 47534372b..881a5b7e3 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
diff --git a/src/libcharon/plugins/eap_sim/Makefile.am b/src/libcharon/plugins/eap_sim/Makefile.am
index f68138579..8d93077e2 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.am
+++ b/src/libcharon/plugins/eap_sim/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 251eeeeba..aaa24bb17 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.am b/src/libcharon/plugins/eap_sim_file/Makefile.am
index c38e55e2c..5c5694c18 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.am
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index bffcbc0df..6e61f99de 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
index 22922049d..5e235e7ea 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 78682ce37..e821e3ee2 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -419,6 +419,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -434,7 +436,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
index f40efbd6f..c0d7b914c 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 2a6be5fd9..b883f0abd 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -419,6 +419,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -434,7 +436,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
index 0fb622220..9e55bb188 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index de504d4cd..5417f9639 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka
 
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.am b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
index b7d6fd43e..f4c478dba 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.am
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index de3508a07..c858e467c 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libsimaka \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\"
diff --git a/src/libcharon/plugins/eap_tls/Makefile.am b/src/libcharon/plugins/eap_tls/Makefile.am
index 825beb841..551ecb380 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.am
+++ b/src/libcharon/plugins/eap_tls/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls
 
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index d4219b876..c953d0e9c 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls
 
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.am b/src/libcharon/plugins/eap_tnc/Makefile.am
index 6fc78bc9a..186ae45e2 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.am
+++ b/src/libcharon/plugins/eap_tnc/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 6c34ed098..2f197ed33 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index 350001bb4..621caffee 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -328,7 +328,7 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 	tnccs = tnc->tnccs->create_instance(tnc->tnccs, tnccs_type,
 						is_server, server, peer, server_ip, peer_ip,
 						(type == EAP_TNC) ? TNC_IFT_EAP_1_1 : TNC_IFT_EAP_2_0,
-						is_server ? enforce_recommendation : NULL);
+						enforce_recommendation);
 	if (!tnccs)
 	{
 		DBG1(DBG_TNC, "TNCCS protocol '%s' not enabled", protocol);
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.am b/src/libcharon/plugins/eap_ttls/Makefile.am
index 3a7a8cda3..3db20e348 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.am
+++ b/src/libcharon/plugins/eap_ttls/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libradius
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 0babf1766..b563acdda 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libradius
diff --git a/src/libcharon/plugins/error_notify/Makefile.am b/src/libcharon/plugins/error_notify/Makefile.am
index 1c64bd2cc..766bb4c51 100644
--- a/src/libcharon/plugins/error_notify/Makefile.am
+++ b/src/libcharon/plugins/error_notify/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index 0a07aa7a3..03dfe3d60 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -424,6 +424,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -439,7 +441,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/ext_auth/Makefile.am b/src/libcharon/plugins/ext_auth/Makefile.am
index d51ea8881..7028819aa 100644
--- a/src/libcharon/plugins/ext_auth/Makefile.am
+++ b/src/libcharon/plugins/ext_auth/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in
index d23e680aa..fce2e8e63 100644
--- a/src/libcharon/plugins/ext_auth/Makefile.in
+++ b/src/libcharon/plugins/ext_auth/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/farp/Makefile.am b/src/libcharon/plugins/farp/Makefile.am
index 0d862b0a9..6d96f3abb 100644
--- a/src/libcharon/plugins/farp/Makefile.am
+++ b/src/libcharon/plugins/farp/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 318400fc9..2afc5ad76 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -429,7 +431,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/forecast/Makefile.am b/src/libcharon/plugins/forecast/Makefile.am
index ce573135d..77535294e 100644
--- a/src/libcharon/plugins/forecast/Makefile.am
+++ b/src/libcharon/plugins/forecast/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in
index 7b190ca25..4f2a407b4 100644
--- a/src/libcharon/plugins/forecast/Makefile.in
+++ b/src/libcharon/plugins/forecast/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/forecast/forecast_forwarder.c b/src/libcharon/plugins/forecast/forecast_forwarder.c
index 07a3d4953..40aaa7f25 100644
--- a/src/libcharon/plugins/forecast/forecast_forwarder.c
+++ b/src/libcharon/plugins/forecast/forecast_forwarder.c
@@ -27,7 +27,6 @@
 #include <ifaddrs.h>
 #include <net/if.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 #include <processing/jobs/callback_job.h>
@@ -428,8 +427,7 @@ METHOD(forecast_forwarder_t, destroy, void,
 		lib->watcher->remove(lib->watcher, this->kernel.pkt);
 		close(this->kernel.pkt);
 	}
-	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
-											 &this->kernel.listener);
+	charon->kernel->remove_listener(charon->kernel, &this->kernel.listener);
 	free(this);
 }
 
@@ -486,8 +484,8 @@ forecast_forwarder_t *forecast_forwarder_create(forecast_listener_t *listener)
 
 	setup_interface(&this->kernel);
 
-	hydra->kernel_interface->add_listener(hydra->kernel_interface,
-										  &this->kernel.listener);
+	charon->kernel->add_listener(charon->kernel,
+										   &this->kernel.listener);
 
 	lib->watcher->add(lib->watcher, this->kernel.pkt, WATCHER_READ,
 					  (watcher_cb_t)receive_casts, this);
diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c
index 63a8cb15b..8f7f2600c 100644
--- a/src/libcharon/plugins/forecast/forecast_listener.c
+++ b/src/libcharon/plugins/forecast/forecast_listener.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010-2014 Martin Willi
  * Copyright (C) 2010-2014 revosec AG
  *
@@ -25,6 +28,15 @@
 #include <collections/hashtable.h>
 #include <threading/rwlock.h>
 
+/**
+ * Add a struct at the current position in the buffer
+ */
+#define ADD_STRUCT(pos, st, ...) ({\
+	typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\
+	*(st*)_cur = (st){ __VA_ARGS__ };\
+	(st*)_cur;\
+})
+
 typedef struct private_forecast_listener_t private_forecast_listener_t;
 
 /**
@@ -148,7 +160,10 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
 	}
 	else
 	{
-		if (!iptc_delete_entry(chain, e, "", ipth))
+		u_char matchmask[e->next_offset];
+
+		memset(matchmask, 255, sizeof(matchmask));
+		if (!iptc_delete_entry(chain, e, matchmask, ipth))
 		{
 			DBG1(DBG_CFG, "deleting %s rule failed: %s",
 				 chain, iptc_strerror(errno));
@@ -164,60 +179,60 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
 static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
 								  entry_t *entry, bool add)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_match m;
-		struct xt_udp udp;
-		struct ipt_entry_target t;
-		struct xt_mark_tginfo2 tm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
-									  sizeof(ipt.udp)),
-			.next_offset = sizeof(ipt),
-			.ip = {
-				.proto = IPPROTO_UDP,
-			},
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_udp));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+		.ip = {
+			.proto = IPPROTO_UDP,
 		},
-		.m = {
-			.u = {
-				.user = {
-					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
-					.name = "udp",
-				},
+	);
+	if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) ||
+		!host2in(entry->rhost, &e->ip.src, &e->ip.smsk))
+	{
+		return FALSE;
+	}
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "udp",
 			},
 		},
-		.udp = {
-			.spts = {
-				entry->rhost->get_port(entry->rhost),
-				entry->rhost->get_port(entry->lhost)
-			},
-			.dpts = {
-				entry->lhost->get_port(entry->lhost),
-				entry->lhost->get_port(entry->lhost)
-			},
+	);
+	ADD_STRUCT(pos, struct xt_udp,
+		.spts = {
+			entry->rhost->get_port(entry->rhost),
+			entry->rhost->get_port(entry->lhost)
 		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
-					.name = "MARK",
-					.revision = 2,
-				},
-			},
+		.dpts = {
+			entry->lhost->get_port(entry->lhost),
+			entry->lhost->get_port(entry->lhost)
 		},
-		.tm = {
-			.mark = entry->mark,
-			.mask = ~0,
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "MARK",
+				.revision = 2,
+			},
 		},
-	};
-
-	if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
-	{
-		return FALSE;
-	}
-	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+	);
+	ADD_STRUCT(pos, struct xt_mark_tginfo2,
+		.mark = entry->mark,
+		.mask = ~0,
+	);
+	return manage_rule(ipth, "PREROUTING", add, e);
 }
 
 /**
@@ -225,53 +240,53 @@ static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
  */
 static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_match m;
-		struct xt_esp esp;
-		struct ipt_entry_target t;
-		struct xt_mark_tginfo2 tm;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
-									  sizeof(ipt.esp)),
-			.next_offset = sizeof(ipt),
-			.ip = {
-				.proto = IPPROTO_ESP,
-			},
+	u_int16_t match_size	= XT_ALIGN(sizeof(struct ipt_entry_match)) +
+							  XT_ALIGN(sizeof(struct xt_esp));
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+		.ip = {
+			.proto = IPPROTO_ESP,
 		},
-		.m = {
-			.u = {
-				.user = {
-					.match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
-					.name = "esp",
-				},
+	);
+	if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) ||
+		!host2in(entry->rhost, &e->ip.src, &e->ip.smsk))
+	{
+		return FALSE;
+	}
+	ADD_STRUCT(pos, struct ipt_entry_match,
+		.u = {
+			.user = {
+				.match_size = match_size,
+				.name = "esp",
 			},
 		},
-		.esp = {
-			.spis = { htonl(entry->spi), htonl(entry->spi) },
-		},
-		.t = {
-			.u = {
-				.user = {
-					.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
-					.name = "MARK",
-					.revision = 2,
-				},
+	);
+	ADD_STRUCT(pos, struct xt_esp,
+		.spis = { htonl(entry->spi), htonl(entry->spi) },
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "MARK",
+				.revision = 2,
 			},
 		},
-		.tm = {
-			.mark = entry->mark,
-			.mask = ~0,
-		},
-	};
-
-	if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
-		!host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
-	{
-		return FALSE;
-	}
-	return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+	);
+	ADD_STRUCT(pos, struct xt_mark_tginfo2,
+		.mark = entry->mark,
+		.mask = ~0,
+	);
+	return manage_rule(ipth, "PREROUTING", add, e);
 }
 
 /**
@@ -291,45 +306,52 @@ static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add)
  */
 static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add)
 {
-	struct {
-		struct ipt_entry e;
-		struct ipt_entry_target t;
-		struct xt_mark_tginfo2 m;
-	} ipt = {
-		.e  = {
-			.target_offset = XT_ALIGN(sizeof(ipt.e)),
-			.next_offset = sizeof(ipt),
-		},
-		.t = {
-			.u.user.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.m)),
-			.u.user.name = "MARK",
-			.u.user.revision = 2,
-		},
-		.m = {
-			.mark = entry->mark,
-			.mask = ~0,
+	u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry));
+	u_int16_t target_size	= XT_ALIGN(sizeof(struct ipt_entry_target)) +
+							  XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+	u_int16_t entry_size	= target_offset + target_size;
+	u_char ipt[entry_size], *pos = ipt;
+	struct ipt_entry *e;
+
+	memset(ipt, 0, sizeof(ipt));
+	e = ADD_STRUCT(pos, struct ipt_entry,
+		.target_offset = target_offset,
+		.next_offset = entry_size,
+	);
+	ADD_STRUCT(pos, struct ipt_entry_target,
+		.u = {
+			.user = {
+				.target_size = target_size,
+				.name = "MARK",
+				.revision = 2,
+			},
 		},
-	};
+	);
+	ADD_STRUCT(pos, struct xt_mark_tginfo2,
+		.mark = entry->mark,
+		.mask = ~0,
+	);
+
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
 
 	enumerator = array_create_enumerator(entry->rts);
 	while (enumerator->enumerate(enumerator, &ts))
 	{
-		if (!ts2in(ts, &ipt.e.ip.dst, &ipt.e.ip.dmsk))
+		if (!ts2in(ts, &e->ip.dst, &e->ip.dmsk))
 		{
 			continue;
 		}
-		if (ipt.e.ip.dst.s_addr == 0xffffffff ||
-			ipt.e.ip.dst.s_addr == entry->broadcast ||
-			memeq(&ipt.e.ip.dst.s_addr, "\xe0", 1))
+		if (e->ip.dst.s_addr == 0xffffffff ||
+			e->ip.dst.s_addr == entry->broadcast ||
+			memeq(&e->ip.dst.s_addr, "\xe0", 1))
 		{
 			/* skip broadcast/multicast selectors, they are shared and the mark
 			 * is set by the socket we use for reinjection */
 			continue;
 		}
-		if (!manage_rule(ipth, "PREROUTING", add, &ipt.e) ||
-			!manage_rule(ipth, "OUTPUT", add, &ipt.e))
+		if (!manage_rule(ipth, "PREROUTING", add, e) ||
+			!manage_rule(ipth, "OUTPUT", add, e))
 		{
 			enumerator->destroy(enumerator);
 			return FALSE;
diff --git a/src/libcharon/plugins/ha/Makefile.am b/src/libcharon/plugins/ha/Makefile.am
index 50d342389..d501834d7 100644
--- a/src/libcharon/plugins/ha/Makefile.am
+++ b/src/libcharon/plugins/ha/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index de74f88cc..677c36afe 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
index dbb6adc8f..7dafb1693 100644
--- a/src/libcharon/plugins/ha/ha_child.c
+++ b/src/libcharon/plugins/ha/ha_child.c
@@ -91,6 +91,10 @@ METHOD(listener_t, child_keys, bool,
 	{
 		m->add_attribute(m, HA_ALG_INTEG, alg);
 	}
+	if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &alg, NULL))
+	{
+		m->add_attribute(m, HA_ALG_DH, alg);
+	}
 	if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, &alg, NULL))
 	{
 		m->add_attribute(m, HA_ESN, alg);
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 07ef607c6..ce90f5bfe 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -132,6 +132,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 	ike_sa_t *ike_sa = NULL, *old_sa = NULL;
 	ike_version_t version = IKEV2;
 	u_int16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED;
+	u_int16_t dh_grp = 0;
 	chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty;
 	chunk_t secret = chunk_empty, old_skd = chunk_empty;
 	chunk_t dh_local = chunk_empty, dh_remote = chunk_empty, psk = chunk_empty;
@@ -193,6 +194,9 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 			case HA_ALG_OLD_PRF:
 				old_prf = value.u16;
 				break;
+			case HA_ALG_DH:
+				dh_grp = value.u16;
+				break;
 			default:
 				break;
 		}
@@ -217,6 +221,10 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 		{
 			proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, prf, 0);
 		}
+		if (dh_grp)
+		{
+			proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, dh_grp, 0);
+		}
 		charon->bus->set_sa(charon->bus, ike_sa);
 		dh = ha_diffie_hellman_create(secret, dh_local);
 		if (ike_sa->get_version(ike_sa) == IKEV2)
@@ -647,7 +655,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	u_int32_t inbound_spi = 0, outbound_spi = 0;
 	u_int16_t inbound_cpi = 0, outbound_cpi = 0;
 	u_int8_t mode = MODE_TUNNEL, ipcomp = 0;
-	u_int16_t encr = 0, integ = 0, len = 0;
+	u_int16_t encr = 0, integ = 0, len = 0, dh_grp = 0;
 	u_int16_t esn = NO_EXT_SEQ_NUMBERS;
 	u_int seg_i, seg_o;
 	chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty;
@@ -697,6 +705,9 @@ static void process_child_add(private_ha_dispatcher_t *this,
 			case HA_ALG_INTEG:
 				integ = value.u16;
 				break;
+			case HA_ALG_DH:
+				dh_grp = value.u16;
+				break;
 			case HA_ESN:
 				esn = value.u16;
 				break;
@@ -747,6 +758,10 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	{
 		proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, len);
 	}
+	if (dh_grp)
+	{
+		proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP, dh_grp, 0);
+	}
 	proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, esn, 0);
 	if (secret.len)
 	{
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 7492dd06e..3ffcaee6b 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -121,6 +121,10 @@ METHOD(listener_t, ike_keys, bool,
 	{
 		m->add_attribute(m, HA_ALG_PRF, alg);
 	}
+	if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &alg, NULL))
+	{
+		m->add_attribute(m, HA_ALG_DH, alg);
+	}
 	m->add_attribute(m, HA_NONCE_I, nonce_i);
 	m->add_attribute(m, HA_NONCE_R, nonce_r);
 	m->add_attribute(m, HA_SECRET, secret);
@@ -310,27 +314,31 @@ METHOD(listener_t, message_hook, bool,
 			sync_vips(this, ike_sa);
 		}
 	}
-	if (!plain && ike_sa->get_version(ike_sa) == IKEV1)
+	if (ike_sa->get_version(ike_sa) == IKEV1)
 	{
 		ha_message_t *m;
 		keymat_v1_t *keymat;
-		u_int32_t mid;
 		chunk_t iv;
 
-		mid = message->get_message_id(message);
-		if (mid == 0)
+		/* we need the last block (or expected next IV) of Phase 1, which gets
+		 * upated after successful en-/decryption depending on direction */
+		if (incoming == plain)
 		{
-			keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
-			if (keymat->get_iv(keymat, mid, &iv))
+			if (message->get_message_id(message) == 0)
 			{
-				m = ha_message_create(HA_IKE_IV);
-				m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
-				m->add_attribute(m, HA_IV, iv);
-				this->socket->push(this->socket, m);
-				this->cache->cache(this->cache, ike_sa, m);
+				keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
+				if (keymat->get_iv(keymat, 0, &iv))
+				{
+					m = ha_message_create(HA_IKE_IV);
+					m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
+					m->add_attribute(m, HA_IV, iv);
+					this->socket->push(this->socket, m);
+					this->cache->cache(this->cache, ike_sa, m);
+				}
 			}
 		}
-		if (!incoming && message->get_exchange_type(message) == TRANSACTION)
+		if (!plain && !incoming &&
+			message->get_exchange_type(message) == TRANSACTION)
 		{
 			sync_vips(this, ike_sa);
 		}
diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c
index 6b00ed83f..b40219ce1 100644
--- a/src/libcharon/plugins/ha/ha_message.c
+++ b/src/libcharon/plugins/ha/ha_message.c
@@ -230,6 +230,7 @@ METHOD(ha_message_t, add_attribute, void,
 			break;
 		}
 		/* u_int16_t */
+		case HA_ALG_DH:
 		case HA_ALG_PRF:
 		case HA_ALG_OLD_PRF:
 		case HA_ALG_ENCR:
@@ -450,6 +451,7 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 			return TRUE;
 		}
 		/** u_int16_t */
+		case HA_ALG_DH:
 		case HA_ALG_PRF:
 		case HA_ALG_OLD_PRF:
 		case HA_ALG_ENCR:
diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h
index 2ccb1fc55..fe1786edf 100644
--- a/src/libcharon/plugins/ha/ha_message.h
+++ b/src/libcharon/plugins/ha/ha_message.h
@@ -122,6 +122,8 @@ enum ha_message_attribute_t {
 	HA_ALG_ENCR_LEN,
 	/** u_int16_t, integrity protection algorithm */
 	HA_ALG_INTEG,
+	/** u_int16_t, DH group */
+	HA_ALG_DH,
 	/** u_int8_t, IPsec mode, TUNNEL|TRANSPORT|... */
 	HA_IPSEC_MODE,
 	/** u_int8_t, IPComp protocol */
diff --git a/src/libcharon/plugins/ipseckey/Makefile.am b/src/libcharon/plugins/ipseckey/Makefile.am
index aed63c122..b8933008c 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.am
+++ b/src/libcharon/plugins/ipseckey/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index f98e78ffc..0b7a29194 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.am b/src/libcharon/plugins/kernel_iph/Makefile.am
index 56946ae1f..707570195 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.am
+++ b/src/libcharon/plugins/kernel_iph/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in
index 7a2583d06..de5bfd517 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.in
+++ b/src/libcharon/plugins/kernel_iph/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
index a4be4041e..6a8a96821 100644
--- a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
+++ b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
@@ -24,7 +24,7 @@
 
 #include "kernel_iph_net.h"
 
-#include <hydra.h>
+#include <daemon.h>
 #include <threading/mutex.h>
 #include <collections/linked_list.h>
 #include <processing/jobs/callback_job.h>
@@ -130,7 +130,7 @@ static job_requeue_t roam_event(private_kernel_iph_net_t *this)
 	this->roam_address = FALSE;
 	this->mutex->unlock(this->mutex);
 
-	hydra->kernel_interface->roam(hydra->kernel_interface, address);
+	charon->kernel->roam(charon->kernel, address);
 	return JOB_REQUEUE_NONE;
 }
 
diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c b/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c
index c5475e30b..c16381440 100644
--- a/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c
+++ b/src/libcharon/plugins/kernel_iph/kernel_iph_plugin.c
@@ -17,8 +17,6 @@
 #include "kernel_iph_plugin.h"
 #include "kernel_iph_net.h"
 
-#include <hydra.h>
-
 typedef struct private_kernel_iph_plugin_t private_kernel_iph_plugin_t;
 
 /**
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.am b/src/libcharon/plugins/kernel_libipsec/Makefile.am
index eca2b2325..4757280b4 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.am
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libipsec
 
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index 6b6c95688..018a25a62 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libipsec
 
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index d738e6d13..4c8771e96 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -17,7 +17,7 @@
 
 #include <library.h>
 #include <ipsec.h>
-#include <hydra.h>
+#include <daemon.h>
 #include <networking/tun_device.h>
 #include <threading/mutex.h>
 #include <utils/debug.h>
@@ -224,8 +224,7 @@ static inline bool policy_entry_equals(policy_entry_t *a,
  */
 static void expire(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard)
 {
-	hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
-									spi, dst, hard);
+	charon->kernel->expire(charon->kernel, protocol, spi, dst, hard);
 }
 
 METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
@@ -313,16 +312,13 @@ static void add_exclude_route(private_kernel_libipsec_ipsec_t *this,
 	if (!route->exclude)
 	{
 		DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
-		gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
-												   dst, -1, NULL);
+		gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL);
 		if (gtw)
 		{
 			char *if_name = NULL;
 
-			if (hydra->kernel_interface->get_interface(
-									hydra->kernel_interface, src, &if_name) &&
-				hydra->kernel_interface->add_route(hydra->kernel_interface,
-									dst->get_address(dst),
+			if (charon->kernel->get_interface(charon->kernel, src, &if_name) &&
+				charon->kernel->add_route(charon->kernel, dst->get_address(dst),
 									dst->get_family(dst) == AF_INET ? 32 : 128,
 									gtw, src, if_name) == SUCCESS)
 			{
@@ -367,14 +363,12 @@ static void remove_exclude_route(private_kernel_libipsec_ipsec_t *this,
 	dst = route->exclude->dst;
 	DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
 		 dst, route->exclude->src);
-	if (hydra->kernel_interface->get_interface(
-									hydra->kernel_interface,
-									route->exclude->src, &if_name) &&
-		hydra->kernel_interface->del_route(hydra->kernel_interface,
-									dst->get_address(dst),
-									dst->get_family(dst) == AF_INET ? 32 : 128,
-									route->exclude->gtw, route->exclude->src,
-									if_name) != SUCCESS)
+	if (charon->kernel->get_interface(charon->kernel, route->exclude->src,
+									  &if_name) &&
+		charon->kernel->del_route(charon->kernel, dst->get_address(dst),
+								  dst->get_family(dst) == AF_INET ? 32 : 128,
+								  route->exclude->gtw, route->exclude->src,
+								  if_name) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "uninstalling exclude route for %H failed", dst);
 	}
@@ -402,8 +396,8 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 		return TRUE;
 	}
 
-	if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-									src_ts, &src_ip, &is_virtual) != SUCCESS)
+	if (charon->kernel->get_address_by_ts(charon->kernel, src_ts, &src_ip,
+										  &is_virtual) != SUCCESS)
 	{
 		traffic_selector_t *multicast, *broadcast = NULL;
 		bool ignore = FALSE;
@@ -444,8 +438,7 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 	);
 #ifndef __linux__
 	/* on Linux we cant't install a gateway */
-	route->gateway = hydra->kernel_interface->get_nexthop(
-										hydra->kernel_interface, dst, -1, src);
+	route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1, src);
 #endif
 
 	if (policy->route)
@@ -459,9 +452,9 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 			return TRUE;
 		}
 		/* uninstall previously installed route */
-		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-									old->dst_net, old->prefixlen, old->gateway,
-									old->src_ip, old->if_name) != SUCCESS)
+		if (charon->kernel->del_route(charon->kernel, old->dst_net,
+									  old->prefixlen, old->gateway,
+									  old->src_ip, old->if_name) != SUCCESS)
 		{
 			DBG1(DBG_KNL, "error uninstalling route installed with policy "
 				 "%R === %R %N", src_ts, dst_ts, policy_dir_names,
@@ -490,9 +483,9 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 	DBG2(DBG_KNL, "installing route: %R src %H dev %s",
 		 dst_ts, route->src_ip, route->if_name);
 
-	switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
-							route->dst_net, route->prefixlen, route->gateway,
-							route->src_ip, route->if_name))
+	switch (charon->kernel->add_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name))
 	{
 		case ALREADY_DONE:
 			/* route exists, do not uninstall */
@@ -571,8 +564,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	policy_entry_t *policy, *found = NULL;
 	status_t status;
 
-	status = ipsec->policies->del_policy(ipsec->policies, src_ts, dst_ts,
-										 direction, sa->reqid, mark, priority);
+	status = ipsec->policies->del_policy(ipsec->policies, src, dst, src_ts,
+								dst_ts, direction, type, sa, mark, priority);
 
 	policy = create_policy_entry(src_ts, dst_ts, direction);
 
@@ -598,9 +591,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	{
 		route_entry_t *route = policy->route;
 
-		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway, route->src_ip,
-				route->if_name) != SUCCESS)
+		if (charon->kernel->del_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name) != SUCCESS)
 		{
 			DBG1(DBG_KNL, "error uninstalling route installed with "
 						  "policy %R === %R %N", src_ts, dst_ts,
@@ -629,9 +622,9 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
 		{
 			route_entry_t *route = pol->route;
 
-			hydra->kernel_interface->del_route(hydra->kernel_interface,
-					route->dst_net, route->prefixlen, route->gateway,
-					route->src_ip, route->if_name);
+			charon->kernel->del_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name);
 			remove_exclude_route(this, route);
 		}
 		policy_entry_destroy(pol);
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
index 830954e11..66141ad56 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
@@ -19,7 +19,6 @@
 #include "kernel_libipsec_router.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <ipsec.h>
 #include <collections/hashtable.h>
 #include <networking/tun_device.h>
@@ -298,8 +297,7 @@ METHOD(kernel_libipsec_router_t, destroy, void,
 										 (ipsec_outbound_cb_t)send_esp);
 	ipsec->processor->unregister_inbound(ipsec->processor,
 										 (ipsec_inbound_cb_t)deliver_plain);
-	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
-											 &this->public.listener);
+	charon->kernel->remove_listener(charon->kernel, &this->public.listener);
 	this->lock->destroy(this->lock);
 	this->tuns->destroy(this->tuns);
 	close(this->notify[0]);
@@ -351,8 +349,7 @@ kernel_libipsec_router_t *kernel_libipsec_router_create()
 								  (hashtable_equals_t)tun_entry_equals, 4);
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 
-	hydra->kernel_interface->add_listener(hydra->kernel_interface,
-										  &this->public.listener);
+	charon->kernel->add_listener(charon->kernel, &this->public.listener);
 	ipsec->processor->register_outbound(ipsec->processor, send_esp, NULL);
 	ipsec->processor->register_inbound(ipsec->processor,
 									(ipsec_inbound_cb_t)deliver_plain, this);
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.am b/src/libcharon/plugins/kernel_netlink/Makefile.am
index cc8855406..973e2c2f4 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.am
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.am
@@ -1,7 +1,7 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DROUTING_TABLE=${routing_table} \
 	-DROUTING_TABLE_PRIO=${routing_table_prio}
 
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in
index 962fe1ba1..55dcabf6f 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.in
@@ -80,7 +80,7 @@ build_triplet = @build@
 host_triplet = @host@
 TESTS = tests$(EXEEXT)
 check_PROGRAMS = $(am__EXEEXT_1)
-subdir = src/libhydra/plugins/kernel_netlink
+subdir = src/libcharon/plugins/kernel_netlink
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -454,6 +454,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -470,7 +472,7 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-DROUTING_TABLE=${routing_table} \
 	-DROUTING_TABLE_PRIO=${routing_table_prio}
 
@@ -515,9 +517,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_netlink/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_netlink/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8c506d9f4..6d9d63a98 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2006-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2008 Andreas Steffen
+ * Copyright (C) 2008-2016 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -35,7 +35,7 @@
 #include "kernel_netlink_ipsec.h"
 #include "kernel_netlink_shared.h"
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <threading/mutex.h>
 #include <collections/array.h>
@@ -262,8 +262,8 @@ static char* lookup_algorithm(transform_type_t type, int ikev2)
 			return list[i].name;
 		}
 	}
-	if (hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface,
-												  ikev2, type, NULL, &name))
+	if (charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, NULL,
+										 &name))
 	{
 		return name;
 	}
@@ -702,15 +702,13 @@ static void ts2subnet(traffic_selector_t* ts,
 static void ts2ports(traffic_selector_t* ts,
 					 u_int16_t *port, u_int16_t *mask)
 {
-	/* Linux does not seem to accept complex portmasks. Only
-	 * any or a specific port is allowed. We set to any, if we have
-	 * a port range, or to a specific, if we have one port only.
-	 */
-	u_int16_t from, to;
+	uint16_t from, to, bitmask;
+	int bit;
 
 	from = ts->get_from_port(ts);
 	to = ts->get_to_port(ts);
 
+	/* Quick check for a single port */
 	if (from == to)
 	{
 		*port = htons(from);
@@ -718,9 +716,23 @@ static void ts2ports(traffic_selector_t* ts,
 	}
 	else
 	{
-		*port = 0;
+		/* Compute the port mask for port ranges */
 		*mask = 0;
+
+		for (bit = 15; bit >= 0; bit--)
+		{
+			bitmask = 1 << bit;
+
+			if ((bitmask & from) != (bitmask & to))
+			{
+				*port = htons(from & *mask);
+				*mask = htons(*mask);
+				return;
+			}
+			*mask |= bitmask;
+		}
 	}
+	return;
 }
 
 /**
@@ -856,8 +868,7 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this,
 	src_ts = selector2ts(&acquire->sel, TRUE);
 	dst_ts = selector2ts(&acquire->sel, FALSE);
 
-	hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
-									 dst_ts);
+	charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts);
 }
 
 /**
@@ -882,8 +893,8 @@ static void process_expire(private_kernel_netlink_ipsec_t *this,
 		dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0);
 		if (dst)
 		{
-			hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
-											spi, dst, expire->hard != 0);
+			charon->kernel->expire(charon->kernel, protocol, spi, dst,
+								   expire->hard != 0);
 			dst->destroy(dst);
 		}
 	}
@@ -951,8 +962,8 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this,
 
 	if (src_ts && dst_ts && local && remote)
 	{
-		hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
-										 src_ts, dst_ts, dir, local, remote);
+		charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir,
+								local, remote);
 	}
 	else
 	{
@@ -988,8 +999,8 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 							mapping->new_sport);
 			if (new)
 			{
-				hydra->kernel_interface->mapping(hydra->kernel_interface,
-												 IPPROTO_ESP, spi, dst, new);
+				charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst,
+										new);
 				new->destroy(new);
 			}
 			dst->destroy(dst);
@@ -2202,22 +2213,21 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 			.prefixlen = policy->sel.prefixlen_s,
 		);
 
-		if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-				fwd->dst_ts, &route->src_ip, NULL) == SUCCESS)
+		if (charon->kernel->get_address_by_ts(charon->kernel, fwd->dst_ts,
+											  &route->src_ip, NULL) == SUCCESS)
 		{
 			/* get the nexthop to src (src as we are in POLICY_FWD) */
 			if (!ipsec->src->is_anyaddr(ipsec->src))
 			{
-				route->gateway = hydra->kernel_interface->get_nexthop(
-											hydra->kernel_interface, ipsec->src,
-											-1, ipsec->dst);
+				route->gateway = charon->kernel->get_nexthop(charon->kernel,
+													ipsec->src, -1, ipsec->dst);
 			}
 			else
 			{	/* for shunt policies */
 				iface = xfrm2host(policy->sel.family, &policy->sel.saddr, 0);
-				route->gateway = hydra->kernel_interface->get_nexthop(
-										hydra->kernel_interface, iface,
-										policy->sel.prefixlen_s, route->src_ip);
+				route->gateway = charon->kernel->get_nexthop(charon->kernel,
+												iface, policy->sel.prefixlen_s,
+												route->src_ip);
 				iface->destroy(iface);
 			}
 			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
@@ -2232,8 +2242,8 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 				iface = route->src_ip;
 			}
 			/* install route via outgoing interface */
-			if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
-														iface, &route->if_name))
+			if (!charon->kernel->get_interface(charon->kernel, iface,
+											   &route->if_name))
 			{
 				this->mutex->unlock(this->mutex);
 				route_entry_destroy(route);
@@ -2250,9 +2260,9 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 					return SUCCESS;
 				}
 				/* uninstall previously installed route */
-				if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-						old->dst_net, old->prefixlen, old->gateway,
-						old->src_ip, old->if_name) != SUCCESS)
+				if (charon->kernel->del_route(charon->kernel, old->dst_net,
+										old->prefixlen, old->gateway,
+										old->src_ip, old->if_name) != SUCCESS)
 				{
 					DBG1(DBG_KNL, "error uninstalling route installed with "
 								  "policy %R === %R %N", fwd->src_ts,
@@ -2265,10 +2275,9 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 
 			DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
 				 fwd->src_ts, route->gateway, route->src_ip, route->if_name);
-			switch (hydra->kernel_interface->add_route(
-								hydra->kernel_interface, route->dst_net,
-								route->prefixlen, route->gateway,
-								route->src_ip, route->if_name))
+			switch (charon->kernel->add_route(charon->kernel, route->dst_net,
+											  route->prefixlen, route->gateway,
+											  route->src_ip, route->if_name))
 			{
 				default:
 					DBG1(DBG_KNL, "unable to install source route for %H",
@@ -2579,9 +2588,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	if (current->route)
 	{
 		route_entry_t *route = current->route;
-		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name) != SUCCESS)
+		if (charon->kernel->del_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name) != SUCCESS)
 		{
 			DBG1(DBG_KNL, "error uninstalling route installed with "
 						  "policy %R === %R %N", src_ts, dst_ts,
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
index 3a45cce06..3a45cce06 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
index 4e5e02d07..f4394a14f 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -51,7 +51,7 @@
 #include "kernel_netlink_net.h"
 #include "kernel_netlink_shared.h"
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
@@ -893,7 +893,7 @@ static job_requeue_t roam_event(private_kernel_netlink_net_t *this)
 	address = this->roam_address;
 	this->roam_address = FALSE;
 	this->roam_lock->unlock(this->roam_lock);
-	hydra->kernel_interface->roam(hydra->kernel_interface, address);
+	charon->kernel->roam(charon->kernel, address);
 	return JOB_REQUEUE_NONE;
 }
 
@@ -1004,8 +1004,8 @@ static void process_link(private_kernel_netlink_net_t *this,
 				INIT(entry,
 					.ifindex = msg->ifi_index,
 					.addrs = linked_list_create(),
-					.usable = hydra->kernel_interface->is_interface_usable(
-												hydra->kernel_interface, name),
+					.usable = charon->kernel->is_interface_usable(
+														charon->kernel, name),
 				);
 				this->ifaces->insert_last(this->ifaces, entry);
 			}
@@ -1710,9 +1710,10 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 		chunk = candidate->get_address(candidate);
 		netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
 	}
+	/* we use this below to match against the routes */
+	chunk = dest->get_address(dest);
 	if (!match_net)
 	{
-		chunk = dest->get_address(dest);
 		netlink_add_attribute(hdr, RTA_DST, chunk, sizeof(request));
 	}
 
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
index ff9831d3c..ff9831d3c 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
index 8d5a0d5e8..8bafc3c55 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -19,8 +19,6 @@
 #include "kernel_netlink_ipsec.h"
 #include "kernel_netlink_net.h"
 
-#include <hydra.h>
-
 typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
 
 /**
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
index a795486ca..74c9ae24f 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_netlink kernel_netlink
- * @ingroup hplugins
+ * @ingroup cplugins
  *
  * @defgroup kernel_netlink_plugin kernel_netlink_plugin
  * @{ @ingroup kernel_netlink
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
index f7ce992a3..f7ce992a3 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
index 66682907d..b034326d7 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -21,14 +21,22 @@
 #include <linux/rtnetlink.h>
 
 /**
+ * Default buffer size.
+ *
+ * 1024 byte is currently sufficient for all operations.
+ */
+#ifndef KERNEL_NETLINK_BUFSIZE
+#define KERNEL_NETLINK_BUFSIZE 1024
+#endif
+
+/**
  * General purpose netlink buffer.
  *
- * 1024 byte is currently sufficient for all operations. Some platform
- * require an enforced aligment to four bytes (e.g. ARM).
+ * Some platforms require an enforced aligment to four bytes (e.g. ARM).
  */
 typedef union {
 	struct nlmsghdr hdr;
-	u_char bytes[1024];
+	u_char bytes[KERNEL_NETLINK_BUFSIZE];
 } netlink_buf_t __attribute__((aligned(RTA_ALIGNTO)));
 
 typedef struct netlink_socket_t netlink_socket_t;
diff --git a/src/libhydra/plugins/kernel_netlink/suites/test_socket.c b/src/libcharon/plugins/kernel_netlink/suites/test_socket.c
index 3e8facd0a..3e8facd0a 100644
--- a/src/libhydra/plugins/kernel_netlink/suites/test_socket.c
+++ b/src/libcharon/plugins/kernel_netlink/suites/test_socket.c
diff --git a/src/libhydra/plugins/kernel_netlink/tests.c b/src/libcharon/plugins/kernel_netlink/tests.c
index 52985b438..a1799ea70 100644
--- a/src/libhydra/plugins/kernel_netlink/tests.c
+++ b/src/libcharon/plugins/kernel_netlink/tests.c
@@ -15,8 +15,6 @@
 
 #include <test_runner.h>
 
-#include <hydra.h>
-
 /* declare test suite constructors */
 #define TEST_SUITE(x) test_suite_t* x();
 #include "tests.h"
diff --git a/src/libhydra/plugins/kernel_netlink/tests.h b/src/libcharon/plugins/kernel_netlink/tests.h
index 2b6715a78..2b6715a78 100644
--- a/src/libhydra/plugins/kernel_netlink/tests.h
+++ b/src/libcharon/plugins/kernel_netlink/tests.h
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.am b/src/libcharon/plugins/kernel_pfkey/Makefile.am
index f645528d9..8fdca93a5 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.am
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.am
@@ -1,7 +1,7 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
index 177d2f23f..f2876a272 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libhydra/plugins/kernel_pfkey
+subdir = src/libcharon/plugins/kernel_pfkey
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,7 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
@@ -457,9 +459,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index a2fccd1d3..d505f1c33 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -78,7 +78,7 @@
 
 #include "kernel_pfkey_ipsec.h"
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <networking/host.h>
 #include <collections/linked_list.h>
@@ -922,8 +922,7 @@ static int lookup_algorithm(transform_type_t type, int ikev2)
 		}
 		list++;
 	}
-	hydra->kernel_interface->lookup_algorithm(hydra->kernel_interface, ikev2,
-											  type, &alg, NULL);
+	charon->kernel->lookup_algorithm(charon->kernel, ikev2, type, &alg, NULL);
 	return alg;
 }
 
@@ -1283,8 +1282,7 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this,
 	src_ts = sadb_address2ts(response.src);
 	dst_ts = sadb_address2ts(response.dst);
 
-	hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
-									 dst_ts);
+	charon->kernel->acquire(charon->kernel, reqid, src_ts, dst_ts);
 }
 
 /**
@@ -1316,8 +1314,7 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this,
 		dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
 		if (dst)
 		{
-			hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
-											spi, dst, hard);
+			charon->kernel->expire(charon->kernel, protocol, spi, dst, hard);
 			dst->destroy(dst);
 		}
 	}
@@ -1366,8 +1363,8 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this,
 
 	if (src_ts && dst_ts && local && remote)
 	{
-		hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
-										 src_ts, dst_ts, dir, local, remote);
+		charon->kernel->migrate(charon->kernel, reqid, src_ts, dst_ts, dir,
+								local, remote);
 	}
 	else
 	{
@@ -1437,8 +1434,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
 		new = host_create_from_sockaddr(sa);
 		if (new)
 		{
-			hydra->kernel_interface->mapping(hydra->kernel_interface,
-											 IPPROTO_ESP, spi, dst, new);
+			charon->kernel->mapping(charon->kernel, IPPROTO_ESP, spi, dst, new);
 			new->destroy(new);
 		}
 		dst->destroy(dst);
@@ -2142,15 +2138,13 @@ static void add_exclude_route(private_kernel_pfkey_ipsec_t *this,
 	if (!route->exclude)
 	{
 		DBG2(DBG_KNL, "installing new exclude route for %H src %H", dst, src);
-		gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
-												   dst, -1, NULL);
+		gtw = charon->kernel->get_nexthop(charon->kernel, dst, -1, NULL);
 		if (gtw)
 		{
 			char *if_name = NULL;
 
-			if (hydra->kernel_interface->get_interface(
-									hydra->kernel_interface, src, &if_name) &&
-				hydra->kernel_interface->add_route(hydra->kernel_interface,
+			if (charon->kernel->get_interface(charon->kernel, src, &if_name) &&
+				charon->kernel->add_route(charon->kernel,
 									dst->get_address(dst),
 									dst->get_family(dst) == AF_INET ? 32 : 128,
 									gtw, src, if_name) == SUCCESS)
@@ -2213,10 +2207,10 @@ static void remove_exclude_route(private_kernel_pfkey_ipsec_t *this,
 			dst = route->exclude->dst;
 			DBG2(DBG_KNL, "uninstalling exclude route for %H src %H",
 				 dst, route->exclude->src);
-			if (hydra->kernel_interface->get_interface(
-									hydra->kernel_interface,
+			if (charon->kernel->get_interface(
+									charon->kernel,
 									route->exclude->src, &if_name) &&
-				hydra->kernel_interface->del_route(hydra->kernel_interface,
+				charon->kernel->del_route(charon->kernel,
 									dst->get_address(dst),
 									dst->get_family(dst) == AF_INET ? 32 : 128,
 									route->exclude->gtw, route->exclude->src,
@@ -2241,8 +2235,8 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 	host_t *host, *src, *dst;
 	bool is_virtual;
 
-	if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-									in->dst_ts, &host, &is_virtual) != SUCCESS)
+	if (charon->kernel->get_address_by_ts(charon->kernel, in->dst_ts, &host,
+										  &is_virtual) != SUCCESS)
 	{
 		return FALSE;
 	}
@@ -2259,8 +2253,8 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 
 	if (!dst->is_anyaddr(dst))
 	{
-		route->gateway = hydra->kernel_interface->get_nexthop(
-									hydra->kernel_interface, dst, -1, src);
+		route->gateway = charon->kernel->get_nexthop(charon->kernel, dst, -1,
+													 src);
 
 		/* if the IP is virtual, we install the route over the interface it has
 		 * been installed on. Otherwise we use the interface we use for IKE, as
@@ -2272,17 +2266,16 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 	}
 	else
 	{	/* for shunt policies */
-		route->gateway = hydra->kernel_interface->get_nexthop(
-									hydra->kernel_interface, policy->src.net,
-									policy->src.mask, route->src_ip);
+		route->gateway = charon->kernel->get_nexthop(charon->kernel,
+											policy->src.net, policy->src.mask,
+											route->src_ip);
 
 		/* we don't have a source address, use the address we found */
 		src = route->src_ip;
 	}
 
 	/* get interface for route, using source address */
-	if (!hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												src, &route->if_name))
+	if (!charon->kernel->get_interface(charon->kernel, src, &route->if_name))
 	{
 		route_entry_destroy(route);
 		return FALSE;
@@ -2298,9 +2291,9 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 			return TRUE;
 		}
 		/* uninstall previously installed route */
-		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-									old->dst_net, old->prefixlen, old->gateway,
-									old->src_ip, old->if_name) != SUCCESS)
+		if (charon->kernel->del_route(charon->kernel, old->dst_net,
+									  old->prefixlen, old->gateway,
+									  old->src_ip, old->if_name) != SUCCESS)
 		{
 			DBG1(DBG_KNL, "error uninstalling route installed with policy "
 				 "%R === %R %N", in->src_ts, in->dst_ts,
@@ -2311,8 +2304,7 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 	}
 
 	/* if remote traffic selector covers the IKE peer, add an exclude route */
-	if (hydra->kernel_interface->get_features(
-					hydra->kernel_interface) & KERNEL_REQUIRE_EXCLUDE_ROUTE)
+	if (charon->kernel->get_features(charon->kernel) & KERNEL_REQUIRE_EXCLUDE_ROUTE)
 	{
 		if (in->src_ts->is_host(in->src_ts, dst))
 		{
@@ -2331,9 +2323,9 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 	DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
 		 in->src_ts, route->gateway, route->src_ip, route->if_name);
 
-	switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
-							route->dst_net, route->prefixlen, route->gateway,
-							route->src_ip, route->if_name))
+	switch (charon->kernel->add_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name))
 	{
 		case ALREADY_DONE:
 			/* route exists, do not uninstall */
@@ -2813,9 +2805,9 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	if (policy->route)
 	{
 		route_entry_t *route = policy->route;
-		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
-				route->dst_net, route->prefixlen, route->gateway,
-				route->src_ip, route->if_name) != SUCCESS)
+		if (charon->kernel->del_route(charon->kernel, route->dst_net,
+									  route->prefixlen, route->gateway,
+									  route->src_ip, route->if_name) != SUCCESS)
 		{
 			DBG1(DBG_KNL, "error uninstalling route installed with "
 						  "policy %R === %R %N", src_ts, dst_ts,
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
index 649f93733..649f93733 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index 61d576547..d49fe2422 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -18,8 +18,6 @@
 
 #include "kernel_pfkey_ipsec.h"
 
-#include <hydra.h>
-
 typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t;
 
 /**
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
index 51db4d8d3..ecccc6303 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_pfkey kernel_pfkey
- * @ingroup hplugins
+ * @ingroup cplugins
  *
  * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin
  * @{ @ingroup kernel_pfkey
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.am b/src/libcharon/plugins/kernel_pfroute/Makefile.am
index 5129c02f6..51047e38a 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.am
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.am
@@ -1,7 +1,7 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in
index 9f676d21d..77d83cbca 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libhydra/plugins/kernel_pfroute
+subdir = src/libcharon/plugins/kernel_pfroute
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,7 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra
+	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
@@ -457,9 +459,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfroute/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfroute/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
index df80c29b8..4eebdfdad 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -24,7 +24,7 @@
 
 #include "kernel_pfroute_net.h"
 
-#include <hydra.h>
+#include <daemon.h>
 #include <utils/debug.h>
 #include <networking/host.h>
 #include <networking/tun_device.h>
@@ -555,7 +555,7 @@ static job_requeue_t roam_event(private_kernel_pfroute_net_t *this)
 	address = this->roam_address;
 	this->roam_address = FALSE;
 	this->roam_lock->unlock(this->roam_lock);
-	hydra->kernel_interface->roam(hydra->kernel_interface, address);
+	charon->kernel->roam(charon->kernel, address);
 	return JOB_REQUEUE_NONE;
 }
 
@@ -862,8 +862,8 @@ static void process_link(private_kernel_pfroute_net_t *this,
 		if (if_indextoname(iface->ifindex, iface->ifname))
 		{
 			DBG1(DBG_KNL, "interface %s appeared", iface->ifname);
-			iface->usable = hydra->kernel_interface->is_interface_usable(
-										hydra->kernel_interface, iface->ifname);
+			iface->usable = charon->kernel->is_interface_usable(charon->kernel,
+																iface->ifname);
 			repopulate_iface(this, iface);
 			this->ifaces->insert_last(this->ifaces, iface);
 			if (iface->usable)
@@ -1266,7 +1266,7 @@ METHOD(kernel_net_t, add_ip, status_t,
 	/* lets do this while holding the lock, thus preventing another thread
 	 * from deleting the TUN device concurrently, hopefully listeners are quick
 	 * and cause no deadlocks */
-	hydra->kernel_interface->tun(hydra->kernel_interface, tun, TRUE);
+	charon->kernel->tun(charon->kernel, tun, TRUE);
 	this->lock->unlock(this->lock);
 
 	return SUCCESS;
@@ -1294,8 +1294,7 @@ METHOD(kernel_net_t, del_ip, status_t,
 		if (addr && addr->ip_equals(addr, vip))
 		{
 			this->tuns->remove_at(this->tuns, enumerator);
-			hydra->kernel_interface->tun(hydra->kernel_interface, tun,
-										 FALSE);
+			charon->kernel->tun(charon->kernel, tun, FALSE);
 			tun->destroy(tun);
 			found = TRUE;
 			break;
@@ -1738,8 +1737,8 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this)
 						.ifindex = if_nametoindex(ifa->ifa_name),
 						.flags = ifa->ifa_flags,
 						.addrs = linked_list_create(),
-						.usable = hydra->kernel_interface->is_interface_usable(
-										hydra->kernel_interface, ifa->ifa_name),
+						.usable = charon->kernel->is_interface_usable(
+												charon->kernel, ifa->ifa_name),
 					);
 					memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
 					this->ifaces->insert_last(this->ifaces, iface);
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
index 10c3c9eb7..10c3c9eb7 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
index 09068b33e..acd834ba3 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -18,8 +18,6 @@
 
 #include "kernel_pfroute_net.h"
 
-#include <hydra.h>
-
 typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
 
 /**
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
index b8ee31a1d..50642a572 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_pfroute kernel_pfroute
- * @ingroup hplugins
+ * @ingroup cplugins
  *
  * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
  * @{ @ingroup kernel_pfroute
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.am b/src/libcharon/plugins/kernel_wfp/Makefile.am
index 85e5089a3..737a79b6c 100644
--- a/src/libcharon/plugins/kernel_wfp/Makefile.am
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in
index efb214b88..cfe643f26 100644
--- a/src/libcharon/plugins/kernel_wfp/Makefile.in
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.in
@@ -424,6 +424,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -439,7 +441,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index 95f79f168..e1c429885 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -20,7 +20,6 @@
 #include "kernel_wfp_ipsec.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <threading/mutex.h>
 #include <collections/array.h>
 #include <collections/hashtable.h>
@@ -1396,10 +1395,9 @@ static bool uninstall_route(private_kernel_wfp_ipsec_t *this,
 	{
 		if (--route->refs == 0)
 		{
-			if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-													   src, &name))
+			if (charon->kernel->get_interface(charon->kernel, src, &name))
 			{
-				res = hydra->kernel_interface->del_route(hydra->kernel_interface,
+				res = charon->kernel->del_route(charon->kernel,
 						dst->get_address(dst), mask, gtw, src, name) == SUCCESS;
 				free(name);
 			}
@@ -1442,10 +1440,9 @@ static bool install_route(private_kernel_wfp_ipsec_t *this,
 	}
 	else
 	{
-		if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												   src, &name))
+		if (charon->kernel->get_interface(charon->kernel, src, &name))
 		{
-			if (hydra->kernel_interface->add_route(hydra->kernel_interface,
+			if (charon->kernel->add_route(charon->kernel,
 						dst->get_address(dst), mask, gtw, src, name) == SUCCESS)
 			{
 				INIT(route,
@@ -1486,14 +1483,13 @@ static bool manage_route(private_kernel_wfp_ipsec_t *this,
 	{
 		return FALSE;
 	}
-	if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
-												src_ts, &src, NULL) != SUCCESS)
+	if (charon->kernel->get_address_by_ts(charon->kernel, src_ts, &src,
+										  NULL) != SUCCESS)
 	{
 		dst->destroy(dst);
 		return FALSE;
 	}
-	gtw = hydra->kernel_interface->get_nexthop(hydra->kernel_interface,
-											   remote, -1, local);
+	gtw = charon->kernel->get_nexthop(charon->kernel, remote, -1, local);
 	if (add)
 	{
 		done = install_route(this, dst, mask, src, gtw);
@@ -1650,8 +1646,7 @@ static void acquire(private_kernel_wfp_ipsec_t *this, UINT64 filter_id,
 	{
 		src = src ? src->clone(src) : NULL;
 		dst = dst ? dst->clone(dst) : NULL;
-		hydra->kernel_interface->acquire(hydra->kernel_interface, reqid,
-										 src, dst);
+		charon->kernel->acquire(charon->kernel, reqid, src, dst);
 	}
 }
 
@@ -2069,8 +2064,8 @@ static job_requeue_t expire_job(expire_data_t *data)
 
 	if (entry)
 	{
-		hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
-										data->spi, data->dst, data->hard);
+		charon->kernel->expire(charon->kernel, protocol, data->spi, data->dst,
+							   data->hard);
 	}
 
 	return JOB_REQUEUE_NONE;
diff --git a/src/libcharon/plugins/led/Makefile.am b/src/libcharon/plugins/led/Makefile.am
index 18d6af399..9868f9efa 100644
--- a/src/libcharon/plugins/led/Makefile.am
+++ b/src/libcharon/plugins/led/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 7942868f6..63bbf1975 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -428,7 +430,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/load_tester/Makefile.am b/src/libcharon/plugins/load_tester/Makefile.am
index 31e1b5c6f..af3adb257 100644
--- a/src/libcharon/plugins/load_tester/Makefile.am
+++ b/src/libcharon/plugins/load_tester/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 52dbec53f..14fcd6f4c 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -426,6 +426,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -441,7 +443,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 8a500635c..8f6abde0c 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -18,7 +18,6 @@
 #include <netdb.h>
 
 #include <daemon.h>
-#include <hydra.h>
 #include <attributes/mem_pool.h>
 #include <collections/hashtable.h>
 #include <threading/mutex.h>
@@ -656,8 +655,8 @@ static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
 		id->destroy(id);
 		return NULL;
 	}
-	if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
-										found, this->prefix, iface) != SUCCESS)
+	if (charon->kernel->add_ip(charon->kernel, found, this->prefix,
+							   iface) != SUCCESS)
 	{
 		DBG1(DBG_CFG, "installing load-tester IP %H on %s failed", found, iface);
 		found->destroy(found);
@@ -852,8 +851,8 @@ METHOD(load_tester_config_t, delete_ip, void,
 		{
 			if (pool->release_address(pool, entry->host, entry->id))
 			{
-				hydra->kernel_interface->del_ip(hydra->kernel_interface,
-											entry->host, this->prefix, FALSE);
+				charon->kernel->del_ip(charon->kernel, entry->host,
+									   this->prefix, FALSE);
 				break;
 			}
 		}
@@ -882,8 +881,8 @@ static void cleanup_leases(private_load_tester_config_t *this)
 		{
 			if (online)
 			{
-				hydra->kernel_interface->del_ip(hydra->kernel_interface,
-												addr, this->prefix, FALSE);
+				charon->kernel->del_ip(charon->kernel, addr, this->prefix,
+									   FALSE);
 				entry = this->leases->remove(this->leases, addr);
 				if (entry)
 				{
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index c7380b974..6cf3a909c 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -23,7 +23,6 @@
 
 #include <unistd.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 #include <threading/condvar.h>
@@ -240,16 +239,24 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+		PLUGIN_CALLBACK(kernel_ipsec_register, load_tester_ipsec_create),
+			PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
 	};
+	int count = countof(f);
+
 	*features = f;
-	return countof(f);
+
+	if (!lib->settings->get_bool(lib->settings,
+			"%s.plugins.load-tester.fake_kernel", FALSE, lib->ns))
+	{
+		count -= 2;
+	}
+	return count;
 }
 
 METHOD(plugin_t, destroy, void,
 	private_load_tester_plugin_t *this)
 {
-	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
-						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	this->mutex->destroy(this->mutex);
 	this->condvar->destroy(this->condvar);
 	free(this);
@@ -289,12 +296,5 @@ plugin_t *load_tester_plugin_create()
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
 	);
-
-	if (lib->settings->get_bool(lib->settings,
-			"%s.plugins.load-tester.fake_kernel", FALSE, lib->ns))
-	{
-		hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
-						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
-	}
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/lookip/Makefile.am b/src/libcharon/plugins/lookip/Makefile.am
index 223654ea9..623275b21 100644
--- a/src/libcharon/plugins/lookip/Makefile.am
+++ b/src/libcharon/plugins/lookip/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 264c58ff5..9b56d94fe 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -422,6 +422,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -437,7 +439,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am
index fe5c963fd..02c283f5b 100644
--- a/src/libcharon/plugins/maemo/Makefile.am
+++ b/src/libcharon/plugins/maemo/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index 76c9012b2..5cc654967 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/medcli/Makefile.am b/src/libcharon/plugins/medcli/Makefile.am
index cfa825980..0408c8963 100644
--- a/src/libcharon/plugins/medcli/Makefile.am
+++ b/src/libcharon/plugins/medcli/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 35740c369..32c428487 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/medsrv/Makefile.am b/src/libcharon/plugins/medsrv/Makefile.am
index f21220260..1d1cb4465 100644
--- a/src/libcharon/plugins/medsrv/Makefile.am
+++ b/src/libcharon/plugins/medsrv/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 8fe160ef3..de0217a80 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/osx_attr/Makefile.am b/src/libcharon/plugins/osx_attr/Makefile.am
index aa1d46290..908aa8806 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.am
+++ b/src/libcharon/plugins/osx_attr/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index 9a5e438e1..6a1a81f08 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/p_cscf/Makefile.am b/src/libcharon/plugins/p_cscf/Makefile.am
new file mode 100644
index 000000000..1e00a56a8
--- /dev/null
+++ b/src/libcharon/plugins/p_cscf/Makefile.am
@@ -0,0 +1,19 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-p-cscf.la
+else
+plugin_LTLIBRARIES = libstrongswan-p-cscf.la
+endif
+
+libstrongswan_p_cscf_la_SOURCES = \
+	p_cscf_plugin.c p_cscf_plugin.h \
+	p_cscf_handler.c p_cscf_handler.h
+
+libstrongswan_p_cscf_la_LDFLAGS = -module -avoid-version
diff --git a/src/libhydra/tests/Makefile.in b/src/libcharon/plugins/p_cscf/Makefile.in
index 1fa889d67..7f78db85a 100644
--- a/src/libhydra/tests/Makefile.in
+++ b/src/libcharon/plugins/p_cscf/Makefile.in
@@ -13,6 +13,7 @@
 # PARTICULAR PURPOSE.
 
 @SET_MAKE@
+
 VPATH = @srcdir@
 am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
 am__make_running_with_option = \
@@ -77,9 +78,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-TESTS = hydra_tests$(EXEEXT)
-check_PROGRAMS = $(am__EXEEXT_1)
-subdir = src/libhydra/tests
+subdir = src/libcharon/plugins/p_cscf
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -99,19 +98,51 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__EXEEXT_1 = hydra_tests$(EXEEXT)
-am_hydra_tests_OBJECTS = hydra_tests-hydra_tests.$(OBJEXT)
-hydra_tests_OBJECTS = $(am_hydra_tests_OBJECTS)
-hydra_tests_DEPENDENCIES = $(top_builddir)/src/libhydra/libhydra.la \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libstrongswan/tests/libtest.la
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_p_cscf_la_LIBADD =
+am_libstrongswan_p_cscf_la_OBJECTS = p_cscf_plugin.lo \
+	p_cscf_handler.lo
+libstrongswan_p_cscf_la_OBJECTS =  \
+	$(am_libstrongswan_p_cscf_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
 am__v_lt_1 = 
-hydra_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(hydra_tests_CFLAGS) \
-	$(CFLAGS) $(hydra_tests_LDFLAGS) $(LDFLAGS) -o $@
+libstrongswan_p_cscf_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_p_cscf_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_p_cscf_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_p_cscf_la_rpath =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -146,8 +177,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(hydra_tests_SOURCES)
-DIST_SOURCES = $(hydra_tests_SOURCES)
+SOURCES = $(libstrongswan_p_cscf_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_p_cscf_la_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -172,28 +203,6 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-am__tty_colors_dummy = \
-  mgn= red= grn= lgn= blu= brg= std=; \
-  am__color_tests=no
-am__tty_colors = { \
-  $(am__tty_colors_dummy); \
-  if test "X$(AM_COLOR_TESTS)" = Xno; then \
-    am__color_tests=no; \
-  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
-    am__color_tests=yes; \
-  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
-    am__color_tests=yes; \
-  fi; \
-  if test $$am__color_tests = yes; then \
-    red='[0;31m'; \
-    grn='[0;32m'; \
-    lgn='[1;32m'; \
-    blu='[1;34m'; \
-    mgn='[0;35m'; \
-    brg='[1m'; \
-    std='[m'; \
-  fi; \
-}
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
@@ -407,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -420,21 +431,21 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-hydra_tests_SOURCES = \
-  hydra_tests.h hydra_tests.c
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
 
-hydra_tests_CFLAGS = \
-  -I$(top_srcdir)/src/libhydra \
-  -I$(top_srcdir)/src/libstrongswan \
-  -I$(top_srcdir)/src/libstrongswan/tests \
-  @COVERAGE_CFLAGS@
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
 
-hydra_tests_LDFLAGS = @COVERAGE_LDFLAGS@
-hydra_tests_LDADD = \
-  $(top_builddir)/src/libhydra/libhydra.la \
-  $(top_builddir)/src/libstrongswan/libstrongswan.la \
-  $(top_builddir)/src/libstrongswan/tests/libtest.la
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-p-cscf.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-p-cscf.la
+libstrongswan_p_cscf_la_SOURCES = \
+	p_cscf_plugin.c p_cscf_plugin.h \
+	p_cscf_handler.c p_cscf_handler.h
 
+libstrongswan_p_cscf_la_LDFLAGS = -module -avoid-version
 all: all-am
 
 .SUFFIXES:
@@ -448,9 +459,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/tests/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/p_cscf/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/tests/Makefile
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/p_cscf/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -470,18 +481,54 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
 
-clean-checkPROGRAMS:
-	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
-	echo " rm -f" $$list; \
-	rm -f $$list || exit $$?; \
-	test -n "$(EXEEXT)" || exit 0; \
-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
-	echo " rm -f" $$list; \
-	rm -f $$list
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
 
-hydra_tests$(EXEEXT): $(hydra_tests_OBJECTS) $(hydra_tests_DEPENDENCIES) $(EXTRA_hydra_tests_DEPENDENCIES) 
-	@rm -f hydra_tests$(EXEEXT)
-	$(AM_V_CCLD)$(hydra_tests_LINK) $(hydra_tests_OBJECTS) $(hydra_tests_LDADD) $(LIBS)
+libstrongswan-p-cscf.la: $(libstrongswan_p_cscf_la_OBJECTS) $(libstrongswan_p_cscf_la_DEPENDENCIES) $(EXTRA_libstrongswan_p_cscf_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_p_cscf_la_LINK) $(am_libstrongswan_p_cscf_la_rpath) $(libstrongswan_p_cscf_la_OBJECTS) $(libstrongswan_p_cscf_la_LIBADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -489,7 +536,8 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra_tests-hydra_tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/p_cscf_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/p_cscf_plugin.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -515,20 +563,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
-hydra_tests-hydra_tests.o: hydra_tests.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -MT hydra_tests-hydra_tests.o -MD -MP -MF $(DEPDIR)/hydra_tests-hydra_tests.Tpo -c -o hydra_tests-hydra_tests.o `test -f 'hydra_tests.c' || echo '$(srcdir)/'`hydra_tests.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hydra_tests-hydra_tests.Tpo $(DEPDIR)/hydra_tests-hydra_tests.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hydra_tests.c' object='hydra_tests-hydra_tests.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -c -o hydra_tests-hydra_tests.o `test -f 'hydra_tests.c' || echo '$(srcdir)/'`hydra_tests.c
-
-hydra_tests-hydra_tests.obj: hydra_tests.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -MT hydra_tests-hydra_tests.obj -MD -MP -MF $(DEPDIR)/hydra_tests-hydra_tests.Tpo -c -o hydra_tests-hydra_tests.obj `if test -f 'hydra_tests.c'; then $(CYGPATH_W) 'hydra_tests.c'; else $(CYGPATH_W) '$(srcdir)/hydra_tests.c'; fi`
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/hydra_tests-hydra_tests.Tpo $(DEPDIR)/hydra_tests-hydra_tests.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='hydra_tests.c' object='hydra_tests-hydra_tests.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -c -o hydra_tests-hydra_tests.obj `if test -f 'hydra_tests.c'; then $(CYGPATH_W) 'hydra_tests.c'; else $(CYGPATH_W) '$(srcdir)/hydra_tests.c'; fi`
-
 mostlyclean-libtool:
 	-rm -f *.lo
 
@@ -587,99 +621,6 @@ cscopelist-am: $(am__tagged_files)
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
-check-TESTS: $(TESTS)
-	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
-	srcdir=$(srcdir); export srcdir; \
-	list=' $(TESTS) '; \
-	$(am__tty_colors); \
-	if test -n "$$list"; then \
-	  for tst in $$list; do \
-	    if test -f ./$$tst; then dir=./; \
-	    elif test -f $$tst; then dir=; \
-	    else dir="$(srcdir)/"; fi; \
-	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
-	      all=`expr $$all + 1`; \
-	      case " $(XFAIL_TESTS) " in \
-	      *[\ \	]$$tst[\ \	]*) \
-		xpass=`expr $$xpass + 1`; \
-		failed=`expr $$failed + 1`; \
-		col=$$red; res=XPASS; \
-	      ;; \
-	      *) \
-		col=$$grn; res=PASS; \
-	      ;; \
-	      esac; \
-	    elif test $$? -ne 77; then \
-	      all=`expr $$all + 1`; \
-	      case " $(XFAIL_TESTS) " in \
-	      *[\ \	]$$tst[\ \	]*) \
-		xfail=`expr $$xfail + 1`; \
-		col=$$lgn; res=XFAIL; \
-	      ;; \
-	      *) \
-		failed=`expr $$failed + 1`; \
-		col=$$red; res=FAIL; \
-	      ;; \
-	      esac; \
-	    else \
-	      skip=`expr $$skip + 1`; \
-	      col=$$blu; res=SKIP; \
-	    fi; \
-	    echo "$${col}$$res$${std}: $$tst"; \
-	  done; \
-	  if test "$$all" -eq 1; then \
-	    tests="test"; \
-	    All=""; \
-	  else \
-	    tests="tests"; \
-	    All="All "; \
-	  fi; \
-	  if test "$$failed" -eq 0; then \
-	    if test "$$xfail" -eq 0; then \
-	      banner="$$All$$all $$tests passed"; \
-	    else \
-	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
-	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
-	    fi; \
-	  else \
-	    if test "$$xpass" -eq 0; then \
-	      banner="$$failed of $$all $$tests failed"; \
-	    else \
-	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
-	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
-	    fi; \
-	  fi; \
-	  dashes="$$banner"; \
-	  skipped=""; \
-	  if test "$$skip" -ne 0; then \
-	    if test "$$skip" -eq 1; then \
-	      skipped="($$skip test was not run)"; \
-	    else \
-	      skipped="($$skip tests were not run)"; \
-	    fi; \
-	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
-	      dashes="$$skipped"; \
-	  fi; \
-	  report=""; \
-	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
-	    report="Please report to $(PACKAGE_BUGREPORT)"; \
-	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
-	      dashes="$$report"; \
-	  fi; \
-	  dashes=`echo "$$dashes" | sed s/./=/g`; \
-	  if test "$$failed" -eq 0; then \
-	    col="$$grn"; \
-	  else \
-	    col="$$red"; \
-	  fi; \
-	  echo "$${col}$$dashes$${std}"; \
-	  echo "$${col}$$banner$${std}"; \
-	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
-	  test -z "$$report" || echo "$${col}$$report$${std}"; \
-	  echo "$${col}$$dashes$${std}"; \
-	  test "$$failed" -eq 0; \
-	else :; fi
-
 distdir: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -711,11 +652,12 @@ distdir: $(DISTFILES)
 	  fi; \
 	done
 check-am: all-am
-	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
-	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
 check: check-am
-all-am: Makefile
+all-am: Makefile $(LTLIBRARIES)
 installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
 install: install-am
 install-exec: install-exec-am
 install-data: install-data-am
@@ -748,8 +690,8 @@ maintainer-clean-generic:
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 
-clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
-	mostlyclean-am
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
@@ -769,7 +711,7 @@ info: info-am
 
 info-am:
 
-install-data-am:
+install-data-am: install-pluginLTLIBRARIES
 
 install-dvi: install-dvi-am
 
@@ -815,23 +757,24 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am:
-
-.MAKE: check-am install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
-	clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
-	ctags ctags-am distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-man install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-am uninstall uninstall-am
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
 
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libcharon/plugins/p_cscf/p_cscf_handler.c b/src/libcharon/plugins/p_cscf/p_cscf_handler.c
new file mode 100644
index 000000000..76633845e
--- /dev/null
+++ b/src/libcharon/plugins/p_cscf/p_cscf_handler.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "p_cscf_handler.h"
+
+#include <networking/host.h>
+#include <utils/debug.h>
+
+typedef struct private_p_cscf_handler_t private_p_cscf_handler_t;
+
+/**
+ * Private data
+ */
+struct private_p_cscf_handler_t {
+
+	/**
+	 * Public interface
+	 */
+	p_cscf_handler_t public;
+};
+
+METHOD(attribute_handler_t, handle, bool,
+	private_p_cscf_handler_t *this, ike_sa_t *ike_sa,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	host_t *server;
+	int family = AF_INET6;
+
+	switch (type)
+	{
+		case P_CSCF_IP4_ADDRESS:
+			family = AF_INET;
+			/* fall-through */
+		case P_CSCF_IP6_ADDRESS:
+			server = host_create_from_chunk(family, data, 0);
+			if (!server)
+			{
+				DBG1(DBG_CFG, "received invalid P-CSCF server IP");
+				return FALSE;
+			}
+			DBG1(DBG_CFG, "received P-CSCF server IP %H", server);
+			server->destroy(server);
+			return TRUE;
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(attribute_handler_t, release, void,
+	private_p_cscf_handler_t *this, ike_sa_t *ike_sa,
+	configuration_attribute_type_t type, chunk_t data)
+{
+	switch (type)
+	{
+		case P_CSCF_IP4_ADDRESS:
+		case P_CSCF_IP6_ADDRESS:
+			/* nothing to do as we only log the server IPs */
+			break;
+		default:
+			break;
+	}
+}
+
+/**
+ * Data for attribute enumerator
+ */
+typedef struct {
+	enumerator_t public;
+	bool request_ipv4;
+	bool request_ipv6;
+} attr_enumerator_t;
+
+METHOD(enumerator_t, enumerate_attrs, bool,
+	attr_enumerator_t *this, configuration_attribute_type_t *type,
+	chunk_t *data)
+{
+	if (this->request_ipv4)
+	{
+		*type = P_CSCF_IP4_ADDRESS;
+		*data = chunk_empty;
+		this->request_ipv4 = FALSE;
+		return TRUE;
+	}
+	if (this->request_ipv6)
+	{
+		*type = P_CSCF_IP6_ADDRESS;
+		*data = chunk_empty;
+		this->request_ipv6 = FALSE;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Check if the given host has a matching address family
+ */
+static bool is_family(host_t *host, int *family)
+{
+	return host->get_family(host) == *family;
+}
+
+/**
+ * Check if a list has a host of a given family
+ */
+static bool has_host_family(linked_list_t *list, int family)
+{
+	return list->find_first(list, (void*)is_family, NULL, &family) == SUCCESS;
+}
+
+METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
+	private_p_cscf_handler_t *this, ike_sa_t *ike_sa,
+	linked_list_t *vips)
+{
+	attr_enumerator_t *enumerator;
+
+	if (ike_sa->get_version(ike_sa) == IKEV1)
+	{
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_attrs,
+			.destroy = (void*)free,
+		},
+	);
+	if (lib->settings->get_bool(lib->settings, "%s.plugins.p-cscf.enable.%s",
+								FALSE, lib->ns, ike_sa->get_name(ike_sa)))
+	{
+		enumerator->request_ipv4 = has_host_family(vips, AF_INET);
+		enumerator->request_ipv6 = has_host_family(vips, AF_INET6);
+	}
+	return &enumerator->public;
+}
+
+METHOD(p_cscf_handler_t, destroy, void,
+	private_p_cscf_handler_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+p_cscf_handler_t *p_cscf_handler_create()
+{
+	private_p_cscf_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.handler = {
+				.handle = _handle,
+				.release = _release,
+				.create_attribute_enumerator = _create_attribute_enumerator,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/p_cscf/p_cscf_handler.h b/src/libcharon/plugins/p_cscf/p_cscf_handler.h
new file mode 100644
index 000000000..ad4f1acce
--- /dev/null
+++ b/src/libcharon/plugins/p_cscf/p_cscf_handler.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup p_cscf_handler p_cscf_handler
+ * @{ @ingroup p_cscf
+ */
+
+#ifndef P_CSCF_HANDLER_H_
+#define P_CSCF_HANDLER_H_
+
+#include <attributes/attribute_handler.h>
+
+typedef struct p_cscf_handler_t p_cscf_handler_t;
+
+/**
+ * Attribute handler for P-CSCF server addresses.
+ */
+struct p_cscf_handler_t {
+
+	/**
+	 * Implements attribute_handler_t.
+	 */
+	attribute_handler_t handler;
+
+	/**
+	 * Destroy a p_cscf_handler_t.
+	 */
+	void (*destroy)(p_cscf_handler_t *this);
+};
+
+/**
+ * Create an p_cscf_handler_t instance.
+ */
+p_cscf_handler_t *p_cscf_handler_create();
+
+#endif /** P_CSCF_HANDLER_H_ @}*/
diff --git a/src/libcharon/plugins/p_cscf/p_cscf_plugin.c b/src/libcharon/plugins/p_cscf/p_cscf_plugin.c
new file mode 100644
index 000000000..8e2bc727e
--- /dev/null
+++ b/src/libcharon/plugins/p_cscf/p_cscf_plugin.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "p_cscf_plugin.h"
+#include "p_cscf_handler.h"
+
+#include <daemon.h>
+
+typedef struct private_p_cscf_plugin_t private_p_cscf_plugin_t;
+
+/**
+ * Private data
+ */
+struct private_p_cscf_plugin_t {
+
+	/**
+	 * Public interface
+	 */
+	p_cscf_plugin_t public;
+
+	/**
+	 * P-CSCF server address attribute handler
+	 */
+	p_cscf_handler_t *handler;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_p_cscf_plugin_t *this)
+{
+	return "p-cscf";
+}
+
+/**
+ * Register handler
+ */
+static bool plugin_cb(private_p_cscf_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->attributes->add_handler(charon->attributes,
+										&this->handler->handler);
+	}
+	else
+	{
+		charon->attributes->remove_handler(charon->attributes,
+										   &this->handler->handler);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_p_cscf_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "p-cscf"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_p_cscf_plugin_t *this)
+{
+	this->handler->destroy(this->handler);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *p_cscf_plugin_create()
+{
+	private_p_cscf_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+		.handler = p_cscf_handler_create(),
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/p_cscf/p_cscf_plugin.h b/src/libcharon/plugins/p_cscf/p_cscf_plugin.h
new file mode 100644
index 000000000..51b17674d
--- /dev/null
+++ b/src/libcharon/plugins/p_cscf/p_cscf_plugin.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup p_cscf p_cscf
+ * @ingroup cplugins
+ *
+ * @defgroup p_cscf_plugin p_cscf_plugin
+ * @{ @ingroup p_cscf
+ */
+
+#ifndef P_CSCF_PLUGIN_H_
+#define P_CSCF_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct p_cscf_plugin_t p_cscf_plugin_t;
+
+/**
+ * Plugin that requests P-CSCF server addresses from an ePDG as specified
+ * in RFC 7651.
+ */
+struct p_cscf_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** P_CSCF_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/radattr/Makefile.am b/src/libcharon/plugins/radattr/Makefile.am
index 15d5a0a1f..74d9351f2 100644
--- a/src/libcharon/plugins/radattr/Makefile.am
+++ b/src/libcharon/plugins/radattr/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index baff3fc76..3f39ba237 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius
 
diff --git a/src/libcharon/plugins/resolve/Makefile.am b/src/libcharon/plugins/resolve/Makefile.am
index 9cfc370c0..d3d4e73cf 100644
--- a/src/libcharon/plugins/resolve/Makefile.am
+++ b/src/libcharon/plugins/resolve/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in
index 91479bf52..70d97cc32 100644
--- a/src/libcharon/plugins/resolve/Makefile.in
+++ b/src/libcharon/plugins/resolve/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
diff --git a/src/libcharon/plugins/resolve/resolve_handler.c b/src/libcharon/plugins/resolve/resolve_handler.c
index 74c3960ff..ec3decc4d 100644
--- a/src/libcharon/plugins/resolve/resolve_handler.c
+++ b/src/libcharon/plugins/resolve/resolve_handler.c
@@ -20,7 +20,6 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
-#include <hydra.h>
 #include <utils/debug.h>
 #include <threading/mutex.h>
 
diff --git a/src/libcharon/plugins/smp/Makefile.am b/src/libcharon/plugins/smp/Makefile.am
index 3aa533e56..252db32a6 100644
--- a/src/libcharon/plugins/smp/Makefile.am
+++ b/src/libcharon/plugins/smp/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 572e7fc2f..221cda71a 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -429,7 +431,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 2aa061fd2..56b19c792 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -229,8 +229,8 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
 		local = ike_sa->get_my_host(ike_sa);
 		xmlTextWriterStartElement(writer, "local");
 		xmlTextWriterWriteFormatElement(writer, "spi", "%.16llx",
-							id->is_initiator(id) ? id->get_initiator_spi(id)
-												 : id->get_responder_spi(id));
+					be64toh(id->is_initiator(id) ? id->get_initiator_spi(id)
+												 : id->get_responder_spi(id)));
 		write_id(writer, "identification", ike_sa->get_my_id(ike_sa));
 		write_address(writer, "address", local);
 		xmlTextWriterWriteFormatElement(writer, "port", "%d",
@@ -246,8 +246,8 @@ static void request_query_ikesa(xmlTextReaderPtr reader, xmlTextWriterPtr writer
 		remote = ike_sa->get_other_host(ike_sa);
 		xmlTextWriterStartElement(writer, "remote");
 		xmlTextWriterWriteFormatElement(writer, "spi", "%.16llx",
-							id->is_initiator(id) ? id->get_responder_spi(id)
-												 : id->get_initiator_spi(id));
+					be64toh(id->is_initiator(id) ? id->get_responder_spi(id)
+												 : id->get_initiator_spi(id)));
 		write_id(writer, "identification", ike_sa->get_other_id(ike_sa));
 		write_address(writer, "address", remote);
 		xmlTextWriterWriteFormatElement(writer, "port", "%d",
diff --git a/src/libcharon/plugins/socket_default/Makefile.am b/src/libcharon/plugins/socket_default/Makefile.am
index e524ffd18..7231703b3 100644
--- a/src/libcharon/plugins/socket_default/Makefile.am
+++ b/src/libcharon/plugins/socket_default/Makefile.am
@@ -1,7 +1,6 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 25b40995b..3dcfaf4a6 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 13bf3e775..6e432d9cf 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -41,7 +41,6 @@
 #include <netinet/udp.h>
 #include <net/if.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 
@@ -720,16 +719,15 @@ static int open_socket(private_socket_default_socket_t *this,
 	}
 #endif
 
-	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
-												skt, family))
+	if (!charon->kernel->bypass_socket(charon->kernel, skt, family))
 	{
 		DBG1(DBG_NET, "installing IKE bypass policy failed");
 	}
 
 	/* enable UDP decapsulation for NAT-T sockets */
 	if (port == &this->natt &&
-		!hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface,
-												   skt, family, this->natt))
+		!charon->kernel->enable_udp_decap(charon->kernel, skt, family,
+										  this->natt))
 	{
 		DBG1(DBG_NET, "enabling UDP decapsulation for %s on port %d failed",
 			 family == AF_INET ? "IPv4" : "IPv6", this->natt);
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.am b/src/libcharon/plugins/socket_dynamic/Makefile.am
index a1e21b98b..087ebb728 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.am
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.am
@@ -1,7 +1,6 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 5c010a59a..88bc22f5e 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index a032134c3..b89cae47b 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -36,7 +36,6 @@
 #include <netinet/udp.h>
 #include <net/if.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
@@ -438,15 +437,13 @@ static int open_socket(private_socket_dynamic_socket_t *this,
 		return 0;
 	}
 
-	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
-												fd, family))
+	if (!charon->kernel->bypass_socket(charon->kernel, fd, family))
 	{
 		DBG1(DBG_NET, "installing IKE bypass policy failed");
 	}
 
 	/* enable UDP decapsulation on each socket */
-	if (!hydra->kernel_interface->enable_udp_decap(hydra->kernel_interface,
-												   fd, family, *port))
+	if (!charon->kernel->enable_udp_decap(charon->kernel, fd, family, *port))
 	{
 		DBG1(DBG_NET, "enabling UDP decapsulation for %s on port %d failed",
 			 family == AF_INET ? "IPv4" : "IPv6", *port);
diff --git a/src/libcharon/plugins/socket_win/Makefile.am b/src/libcharon/plugins/socket_win/Makefile.am
index f01178fcc..293d9bc9f 100644
--- a/src/libcharon/plugins/socket_win/Makefile.am
+++ b/src/libcharon/plugins/socket_win/Makefile.am
@@ -1,7 +1,6 @@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in
index 0c3bf31b9..683011062 100644
--- a/src/libcharon/plugins/socket_win/Makefile.in
+++ b/src/libcharon/plugins/socket_win/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -432,7 +434,6 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/socket_win/socket_win_socket.c b/src/libcharon/plugins/socket_win/socket_win_socket.c
index fbfbedae1..94af08e80 100644
--- a/src/libcharon/plugins/socket_win/socket_win_socket.c
+++ b/src/libcharon/plugins/socket_win/socket_win_socket.c
@@ -19,7 +19,6 @@
 #include "socket_win_socket.h"
 
 #include <library.h>
-#include <hydra.h>
 #include <threading/thread.h>
 #include <daemon.h>
 
@@ -397,13 +396,11 @@ static SOCKET open_socket(private_socket_win_socket_t *this, int i)
 		closesocket(s);
 		return INVALID_SOCKET;
 	}
-	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
-												s, AF_INET))
+	if (!charon->kernel->bypass_socket(charon->kernel, s, AF_INET))
 	{
 		DBG1(DBG_NET, "installing IPv4 IKE bypass policy failed");
 	}
-	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
-												s, AF_INET6))
+	if (!charon->kernel->bypass_socket(charon->kernel, s, AF_INET6))
 	{
 		DBG1(DBG_NET, "installing IPv6 IKE bypass policy failed");
 	}
diff --git a/src/libcharon/plugins/sql/Makefile.am b/src/libcharon/plugins/sql/Makefile.am
index c947db892..44a3d5f4a 100644
--- a/src/libcharon/plugins/sql/Makefile.am
+++ b/src/libcharon/plugins/sql/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index f74257af2..b09379b02 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -429,7 +431,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am
index b90688791..26edc3dcd 100644
--- a/src/libcharon/plugins/stroke/Makefile.am
+++ b/src/libcharon/plugins/stroke/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/stroke \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index a316f5c25..2b22b333a 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -433,7 +435,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/stroke \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 68cf83089..d0eb2aac3 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -16,7 +16,6 @@
 
 #include "stroke_config.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/mutex.h>
 #include <utils/lexparser.h>
@@ -201,8 +200,7 @@ static bool is_local(char *address, bool any_allowed)
 			host = host_create_from_dns(token, 0, 0);
 			if (host)
 			{
-				if (hydra->kernel_interface->get_interface(
-										hydra->kernel_interface, host, NULL))
+				if (charon->kernel->get_interface(charon->kernel, host, NULL))
 				{
 					found = TRUE;
 				}
@@ -313,117 +311,6 @@ static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
 }
 
 /**
- * Parse public key / signature strength constraints
- */
-static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
-{
-	enumerator_t *enumerator;
-	bool rsa = FALSE, ecdsa = FALSE, bliss = FALSE,
-		 rsa_len = FALSE, ecdsa_len = FALSE, bliss_strength = FALSE;
-	int strength;
-	char *token;
-
-	enumerator = enumerator_create_token(auth, "-", "");
-	while (enumerator->enumerate(enumerator, &token))
-	{
-		bool found = FALSE;
-		int i;
-		struct {
-			char *name;
-			signature_scheme_t scheme;
-			key_type_t key;
-		} schemes[] = {
-			{ "md5",		SIGN_RSA_EMSA_PKCS1_MD5,		KEY_RSA,	},
-			{ "sha1",		SIGN_RSA_EMSA_PKCS1_SHA1,		KEY_RSA,	},
-			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA224,		KEY_RSA,	},
-			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA256,		KEY_RSA,	},
-			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA384,		KEY_RSA,	},
-			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA512,		KEY_RSA,	},
-			{ "sha1",		SIGN_ECDSA_WITH_SHA1_DER,		KEY_ECDSA,	},
-			{ "sha256",		SIGN_ECDSA_WITH_SHA256_DER,		KEY_ECDSA,	},
-			{ "sha384",		SIGN_ECDSA_WITH_SHA384_DER,		KEY_ECDSA,	},
-			{ "sha512",		SIGN_ECDSA_WITH_SHA512_DER,		KEY_ECDSA,	},
-			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	},
-			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	},
-			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	},
-			{ "sha256",		SIGN_BLISS_WITH_SHA2_256,		KEY_BLISS,	},
-			{ "sha384",		SIGN_BLISS_WITH_SHA2_384,		KEY_BLISS,	},
-			{ "sha512",		SIGN_BLISS_WITH_SHA2_512,		KEY_BLISS,	},
-		};
-
-		if (rsa_len || ecdsa_len || bliss_strength)
-		{	/* expecting a key strength token */
-			strength = atoi(token);
-			if (strength)
-			{
-				if (rsa_len)
-				{
-					cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength);
-				}
-				else if (ecdsa_len)
-				{
-					cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
-				}
-				else if (bliss_strength)
-				{
-					cfg->add(cfg, AUTH_RULE_BLISS_STRENGTH, (uintptr_t)strength);
-				}
-			}
-			rsa_len = ecdsa_len = bliss_strength = FALSE;
-			if (strength)
-			{
-				continue;
-			}
-		}
-		if (streq(token, "rsa"))
-		{
-			rsa = rsa_len = TRUE;
-			continue;
-		}
-		if (streq(token, "ecdsa"))
-		{
-			ecdsa = ecdsa_len = TRUE;
-			continue;
-		}
-		if (streq(token, "bliss"))
-		{
-			bliss = bliss_strength = TRUE;
-			continue;
-		}
-		if (streq(token, "pubkey"))
-		{
-			continue;
-		}
-
-		for (i = 0; i < countof(schemes); i++)
-		{
-			if (streq(schemes[i].name, token))
-			{
-				/* for each matching string, allow the scheme, if:
-				 * - it is an RSA scheme, and we enforced RSA
-				 * - it is an ECDSA scheme, and we enforced ECDSA
-				 * - it is not a key type specific scheme
-				 */
-				if ((rsa && schemes[i].key == KEY_RSA) ||
-					(ecdsa && schemes[i].key == KEY_ECDSA) ||
-					(bliss && schemes[i].key == KEY_BLISS) ||
-					(!rsa && !ecdsa && !bliss))
-				{
-					cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME,
-							 (uintptr_t)schemes[i].scheme);
-				}
-				found = TRUE;
-			}
-		}
-		if (!found)
-		{
-			DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
  * build authentication config
  */
 static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
@@ -619,15 +506,15 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	}
 
 	/* authentication metod (class, actually) */
-	if (strpfx(auth, "pubkey") ||
+	if (strpfx(auth, "ike:") ||
+		strpfx(auth, "pubkey") ||
 		strpfx(auth, "rsa") ||
 		strpfx(auth, "ecdsa") ||
 		strpfx(auth, "bliss"))
 	{
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 		build_crl_policy(cfg, local, msg->add_conn.crl_policy);
-
-		parse_pubkey_constraints(auth, cfg);
+		cfg->add_pubkey_constraints(cfg, auth, TRUE);
 	}
 	else if (streq(auth, "psk") || streq(auth, "secret"))
 	{
@@ -660,7 +547,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 		if (pos)
 		{
 			*pos = 0;
-			parse_pubkey_constraints(pos + 1, cfg);
+			cfg->add_pubkey_constraints(cfg, pos + 1, FALSE);
 		}
 		type = eap_vendor_type_from_string(auth);
 		if (type)
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index 5a1a5074d..36da5ff21 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -16,7 +16,6 @@
 
 #include "stroke_control.h"
 
-#include <hydra.h>
 #include <daemon.h>
 
 #include <processing/jobs/delete_ike_sa_job.h>
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index c0192b5c0..0371c7032 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -23,22 +26,12 @@
 #include <malloc.h>
 #endif /* HAVE_MALLINFO */
 
-#include <hydra.h>
 #include <daemon.h>
 #include <collections/linked_list.h>
 #include <plugins/plugin.h>
 #include <credentials/certificates/x509.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/pgp_certificate.h>
+#include <credentials/certificates/certificate_printer.h>
 #include <config/peer_cfg.h>
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
-
-/* warning intervals for list functions */
-#define CERT_WARNING_INTERVAL  30	/* days */
-#define CRL_WARNING_INTERVAL	7	/* days */
-#define AC_WARNING_INTERVAL		1	/* day */
 
 typedef struct private_stroke_list_t private_stroke_list_t;
 
@@ -69,6 +62,11 @@ struct private_stroke_list_t {
 };
 
 /**
+ * Static certificate printer object
+ */
+static certificate_printer_t *cert_printer = NULL;
+
+/**
  * Log tasks of a specific queue to out
  */
 static void log_task_q(FILE *out, ike_sa_t *ike_sa, task_queue_t q, char *name)
@@ -139,8 +137,10 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 		fprintf(out, "%12s[%d]: %N SPIs: %.16"PRIx64"_i%s %.16"PRIx64"_r%s",
 				ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
 				ike_version_names, ike_sa->get_version(ike_sa),
-				id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
-				id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
+				be64toh(id->get_initiator_spi(id)),
+				id->is_initiator(id) ? "*" : "",
+				be64toh(id->get_responder_spi(id)),
+				id->is_initiator(id) ? "" : "*");
 
 
 		if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
@@ -244,40 +244,36 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 			proposal = child_sa->get_proposal(child_sa);
 			if (proposal)
 			{
-				u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
-				u_int16_t encr_size = 0, int_size = 0;
-				u_int16_t esn = NO_EXT_SEQ_NUMBERS;
+				u_int16_t alg, ks;
 				bool first = TRUE;
 
-				proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
-										&encr_alg, &encr_size);
-				proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
-										&int_alg, &int_size);
-				proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
-										&esn, NULL);
-
-				if (encr_alg != ENCR_UNDEFINED)
+				if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+											&alg, &ks) && alg != ENCR_UNDEFINED)
 				{
-					fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+					fprintf(out, "%N", encryption_algorithm_names, alg);
 					first = FALSE;
-					if (encr_size)
+					if (ks)
 					{
-						fprintf(out, "_%u", encr_size);
+						fprintf(out, "_%u", ks);
 					}
 				}
-				if (int_alg != AUTH_UNDEFINED)
+				if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+											&alg, &ks) && alg != AUTH_UNDEFINED)
 				{
-					if (!first)
-					{
-						fprintf(out, "/");
-					}
-					fprintf(out, "%N", integrity_algorithm_names, int_alg);
-					if (int_size)
+					fprintf(out, "%s%N", first ? "" : "/",
+							integrity_algorithm_names, alg);
+					if (ks)
 					{
-						fprintf(out, "_%u", int_size);
+						fprintf(out, "_%u", ks);
 					}
 				}
-				if (esn == EXT_SEQ_NUMBERS)
+				if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
+											&alg, NULL))
+				{
+					fprintf(out, "/%N", diffie_hellman_group_names, alg);
+				}
+				if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
+											&alg, NULL) && alg == EXT_SEQ_NUMBERS)
 				{
 					fprintf(out, "/ESN");
 				}
@@ -538,8 +534,8 @@ METHOD(stroke_list_t, status, void,
 		}
 		enumerator->destroy(enumerator);
 
-		enumerator = hydra->kernel_interface->create_address_enumerator(
-								hydra->kernel_interface, ADDR_TYPE_REGULAR);
+		enumerator = charon->kernel->create_address_enumerator(charon->kernel,
+															ADDR_TYPE_REGULAR);
 		fprintf(out, "Listening IP addresses:\n");
 		while (enumerator->enumerate(enumerator, (void**)&host))
 		{
@@ -738,14 +734,20 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
 }
 
 /**
- * Print a single public key.
+ * Is there a matching private key?
  */
-static void list_public_key(public_key_t *public, FILE *out)
+static bool has_privkey(certificate_t *cert)
 {
+	public_key_t *public;
 	private_key_t *private = NULL;
 	chunk_t keyid;
 	identification_t *id;
 
+	public = cert->get_public_key(cert);
+	if (!public)
+	{
+		return FALSE;
+	}
 	if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
 	{
 		id = identification_create_from_encoding(ID_KEY_ID, keyid);
@@ -753,521 +755,56 @@ static void list_public_key(public_key_t *public, FILE *out)
 									public->get_type(public), id, NULL);
 		id->destroy(id);
 	}
-
-	fprintf(out, "  pubkey:    %N %d bits%s\n",
-			key_type_names, public->get_type(public),
-			public->get_keysize(public),
-			private ? ", has private key" : "");
-	if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
-	{
-		fprintf(out, "  keyid:     %#B\n", &keyid);
-	}
-	if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid))
-	{
-		fprintf(out, "  subjkey:   %#B\n", &keyid);
-	}
+	public->destroy(public);
 	DESTROY_IF(private);
-}
-
-/**
- * list all raw public keys
- */
-static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
-{
-	bool first = TRUE;
-	time_t now = time(NULL), notBefore, notAfter;
-	enumerator_t *enumerator;
-	certificate_t *cert;
-
-	enumerator = list->create_enumerator(list);
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		identification_t *subject = cert->get_subject(cert);
-		public_key_t *public = cert->get_public_key(cert);
-
-		if (public)
-		{
-			if (first)
-			{
-				fprintf(out, "\n");
-				fprintf(out, "List of Raw Public Keys:\n");
-				first = FALSE;
-			}
-			fprintf(out, "\n");
-
-			/* list subject if available */
-			if (subject->get_type(subject) != ID_KEY_ID)
-			{
-				fprintf(out, "  subject:   %#Y\n", subject);
-			}
-
-			/* list validity if available*/
-			cert->get_validity(cert, &now, &notBefore, &notAfter);
-			if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
-			{
-				fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
-				if (now < notBefore)
-				{
-					fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
-				}
-				else
-				{
-					fprintf(out, "ok\n");
-				}
-				fprintf(out, "             not after  %T, ", &notAfter, utc);
-				if (now > notAfter)
-				{
-					fprintf(out, "expired (%V ago)\n", &now, &notAfter);
-				}
-				else
-				{
-					fprintf(out, "ok");
-					if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
-					{
-						fprintf(out, " (expires in %V)", &now, &notAfter);
-					}
-					fprintf(out, " \n");
-				}
-			}
-
-			list_public_key(public, out);
-			public->destroy(public);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * list OpenPGP certificates
- */
-static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
-{
-	bool first = TRUE;
-	time_t now = time(NULL);
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
-
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		time_t created, until;
-		public_key_t *public;
-		pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
-		chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
-
-		if (first)
-		{
 
-			fprintf(out, "\n");
-				fprintf(out, "List of PGP End Entity Certificates:\n");
-				first = FALSE;
-		}
-		fprintf(out, "\n");
-		fprintf(out, "  userid:   '%Y'\n", cert->get_subject(cert));
-
-		fprintf(out, "  digest:    %#B\n", &fingerprint);
-
-		/* list validity */
-		cert->get_validity(cert, &now, &created, &until);
-		fprintf(out, "  created:   %T\n", &created, utc);
-		fprintf(out, "  until:     %T%s\n", &until, utc,
-			(until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
-
-		public = cert->get_public_key(cert);
-		if (public)
-		{
-			list_public_key(public, out);
-			public->destroy(public);
-		}
-	}
-	enumerator->destroy(enumerator);
+	return (private != NULL);
 }
 
 /**
  * list all X.509 certificates matching the flags
  */
-static void stroke_list_certs(linked_list_t *list, char *label,
-							  x509_flag_t flags, bool utc, FILE *out)
+static void stroke_list_x509_certs(linked_list_t *list, x509_flag_t flag)
 {
-	bool first = TRUE;
-	time_t now = time(NULL);
 	enumerator_t *enumerator;
 	certificate_t *cert;
-	x509_flag_t flag_mask;
-
-	/* mask all auxiliary flags */
-	flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH | X509_IKE_INTERMEDIATE |
-				  X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS);
 
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, (void**)&cert))
 	{
 		x509_t *x509 = (x509_t*)cert;
-		x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
+		x509_flag_t flags = x509->get_flags(x509) & X509_ANY;
 
 		/* list only if flag is set or flag == 0 */
-		if ((x509_flags & flags) || (x509_flags == flags))
+		if ((flags & flag) || flags == flag)
 		{
-			enumerator_t *enumerator;
-			identification_t *altName;
-			bool first_altName = TRUE;
-			u_int pathlen;
-			chunk_t serial, authkey;
-			time_t notBefore, notAfter;
-			public_key_t *public;
-
-			if (first)
-			{
-				fprintf(out, "\n");
-				fprintf(out, "List of %s:\n", label);
-				first = FALSE;
-			}
-			fprintf(out, "\n");
-
-			/* list subjectAltNames */
-			enumerator = x509->create_subjectAltName_enumerator(x509);
-			while (enumerator->enumerate(enumerator, (void**)&altName))
-			{
-				if (first_altName)
-				{
-					fprintf(out, "  altNames:  ");
-					first_altName = FALSE;
-				}
-				else
-				{
-					fprintf(out, ", ");
-				}
-				fprintf(out, "%Y", altName);
-			}
-			if (!first_altName)
-			{
-				fprintf(out, "\n");
-			}
-			enumerator->destroy(enumerator);
-
-			fprintf(out, "  subject:  \"%Y\"\n", cert->get_subject(cert));
-			fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-			serial = chunk_skip_zero(x509->get_serial(x509));
-			fprintf(out, "  serial:    %#B\n", &serial);
-
-			/* list validity */
-			cert->get_validity(cert, &now, &notBefore, &notAfter);
-			fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
-			if (now < notBefore)
-			{
-				fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
-			}
-			else
-			{
-				fprintf(out, "ok\n");
-			}
-			fprintf(out, "             not after  %T, ", &notAfter, utc);
-			if (now > notAfter)
-			{
-				fprintf(out, "expired (%V ago)\n", &now, &notAfter);
-			}
-			else
-			{
-				fprintf(out, "ok");
-				if (now > notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
-				{
-					fprintf(out, " (expires in %V)", &now, &notAfter);
-				}
-				fprintf(out, " \n");
-			}
-
-			public = cert->get_public_key(cert);
-			if (public)
-			{
-				list_public_key(public, out);
-				public->destroy(public);
-			}
-
-			/* list optional authorityKeyIdentifier */
-			authkey = x509->get_authKeyIdentifier(x509);
-			if (authkey.ptr)
-			{
-				fprintf(out, "  authkey:   %#B\n", &authkey);
-			}
-
-			/* list optional pathLenConstraint */
-			pathlen = x509->get_constraint(x509, X509_PATH_LEN);
-			if (pathlen != X509_NO_CONSTRAINT)
-			{
-				fprintf(out, "  pathlen:   %u\n", pathlen);
-			}
-
-			/* list optional ipAddrBlocks */
-			if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
-			{
-				traffic_selector_t *ipAddrBlock;
-				bool first_ipAddrBlock = TRUE;
-
-				fprintf(out, "  addresses: ");
-				enumerator = x509->create_ipAddrBlock_enumerator(x509);
-				while (enumerator->enumerate(enumerator, &ipAddrBlock))
-				{
-					if (first_ipAddrBlock)
-					{
-						first_ipAddrBlock = FALSE;
-					}
-					else
-					{
-						fprintf(out, ", ");
-					}
-					fprintf(out, "%R", ipAddrBlock);
-				}
-				enumerator->destroy(enumerator);
-				fprintf(out, "\n");
-			}
+			cert_printer->print_caption(cert_printer, CERT_X509, flag);
+			cert_printer->print(cert_printer, cert, has_privkey(cert));
 		}
 	}
 	enumerator->destroy(enumerator);
 }
 
 /**
- * list all X.509 attribute certificates
+ * list all other certificates types
  */
-static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
+static void stroke_list_other_certs(certificate_type_t type)
 {
-	bool first = TRUE;
-	time_t notBefore, notAfter, now = time(NULL);
 	enumerator_t *enumerator;
 	certificate_t *cert;
+	linked_list_t *list;
+
+	list = create_unique_cert_list(type);
 
 	enumerator = list->create_enumerator(list);
 	while (enumerator->enumerate(enumerator, &cert))
 	{
-		ac_t *ac = (ac_t*)cert;
-		ac_group_type_t type;
-		identification_t *id;
-		enumerator_t *groups;
-		chunk_t chunk;
-		bool firstgroup = TRUE;
-
-		if (first)
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of X.509 Attribute Certificates:\n");
-			first = FALSE;
-		}
-		fprintf(out, "\n");
-
-		id = cert->get_subject(cert);
-		if (id)
-		{
-			fprintf(out, "  holder:   \"%Y\"\n", id);
-		}
-		id = ac->get_holderIssuer(ac);
-		if (id)
-		{
-			fprintf(out, "  hissuer:  \"%Y\"\n", id);
-		}
-		chunk = chunk_skip_zero(ac->get_holderSerial(ac));
-		if (chunk.ptr)
-		{
-			fprintf(out, "  hserial:   %#B\n", &chunk);
-		}
-		groups = ac->create_group_enumerator(ac);
-		while (groups->enumerate(groups, &type, &chunk))
-		{
-			int oid;
-			char *str;
-
-			if (firstgroup)
-			{
-				fprintf(out, "  groups:    ");
-				firstgroup = FALSE;
-			}
-			else
-			{
-				fprintf(out, "             ");
-			}
-			switch (type)
-			{
-				case AC_GROUP_TYPE_STRING:
-					fprintf(out, "%.*s", (int)chunk.len, chunk.ptr);
-					break;
-				case AC_GROUP_TYPE_OID:
-					oid = asn1_known_oid(chunk);
-					if (oid == OID_UNKNOWN)
-					{
-						str = asn1_oid_to_string(chunk);
-						if (str)
-						{
-							fprintf(out, "%s", str);
-							free(str);
-						}
-						else
-						{
-							fprintf(out, "OID:%#B", &chunk);
-						}
-					}
-					else
-					{
-						fprintf(out, "%s", oid_names[oid].name);
-					}
-					break;
-				case AC_GROUP_TYPE_OCTETS:
-					fprintf(out, "%#B", &chunk);
-					break;
-			}
-			fprintf(out, "\n");
-		}
-		groups->destroy(groups);
-		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-		chunk  = chunk_skip_zero(ac->get_serial(ac));
-		fprintf(out, "  serial:    %#B\n", &chunk);
-
-		/* list validity */
-		cert->get_validity(cert, &now, &notBefore, &notAfter);
-		fprintf(out, "  validity:  not before %T, ", &notBefore, utc);
-		if (now < notBefore)
-		{
-			fprintf(out, "not valid yet (valid in %V)\n", &now, &notBefore);
-		}
-		else
-		{
-			fprintf(out, "ok\n");
-		}
-		fprintf(out, "             not after  %T, ", &notAfter, utc);
-		if (now > notAfter)
-		{
-			fprintf(out, "expired (%V ago)\n", &now, &notAfter);
-		}
-		else
-		{
-			fprintf(out, "ok");
-			if (now > notAfter - AC_WARNING_INTERVAL * 60 * 60 * 24)
-			{
-				fprintf(out, " (expires in %V)", &now, &notAfter);
-			}
-			fprintf(out, " \n");
-		}
-
-		/* list optional authorityKeyIdentifier */
-		chunk = ac->get_authKeyIdentifier(ac);
-		if (chunk.ptr)
-		{
-			fprintf(out, "  authkey:   %#B\n", &chunk);
-		}
+		cert_printer->print_caption(cert_printer, cert->get_type(cert), X509_NONE);
+		cert_printer->print(cert_printer, cert, has_privkey(cert));
 	}
 	enumerator->destroy(enumerator);
-}
-
-/**
- * list all X.509 CRLs
- */
-static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
-{
-	bool first = TRUE;
-	time_t thisUpdate, nextUpdate, now = time(NULL);
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
 
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		crl_t *crl = (crl_t*)cert;
-		chunk_t chunk;
-
-		if (first)
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of X.509 CRLs:\n");
-			first = FALSE;
-		}
-		fprintf(out, "\n");
-
-		fprintf(out, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
-
-		/* list optional crlNumber */
-		chunk = chunk_skip_zero(crl->get_serial(crl));
-		if (chunk.ptr)
-		{
-			fprintf(out, "  serial:    %#B\n", &chunk);
-		}
-		if (crl->is_delta_crl(crl, &chunk))
-		{
-			chunk = chunk_skip_zero(chunk);
-			fprintf(out, "  delta for: %#B\n", &chunk);
-		}
-
-		/* count the number of revoked certificates */
-		{
-			int count = 0;
-			enumerator_t *enumerator = crl->create_enumerator(crl);
-
-			while (enumerator->enumerate(enumerator, NULL, NULL, NULL))
-			{
-				count++;
-			}
-			fprintf(out, "  revoked:   %d certificate%s\n", count,
-							(count == 1)? "" : "s");
-			enumerator->destroy(enumerator);
-		}
-
-		/* list validity */
-		cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
-		fprintf(out, "  updates:   this %T\n",  &thisUpdate, utc);
-		fprintf(out, "             next %T, ", &nextUpdate, utc);
-		if (now > nextUpdate)
-		{
-			fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
-		}
-		else
-		{
-			fprintf(out, "ok");
-			if (now > nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
-			{
-				fprintf(out, " (expires in %V)", &now, &nextUpdate);
-			}
-			fprintf(out, " \n");
-		}
-
-		/* list optional authorityKeyIdentifier */
-		chunk = crl->get_authKeyIdentifier(crl);
-		if (chunk.ptr)
-		{
-			fprintf(out, "  authkey:   %#B\n", &chunk);
-		}
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * list all OCSP responses
- */
-static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
-{
-	bool first = TRUE, ok;
-	enumerator_t *enumerator = list->create_enumerator(list);
-	certificate_t *cert;
-	time_t produced, usable, now = time(NULL);
-
-	while (enumerator->enumerate(enumerator, (void**)&cert))
-	{
-		if (first)
-		{
-			fprintf(out, "\n");
-			fprintf(out, "List of OCSP responses:\n");
-			fprintf(out, "\n");
-			first = FALSE;
-		}
-		fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
-
-		/* check validity */
-		ok = cert->get_validity(cert, &now, &produced, &usable);
-		fprintf(out, "  validity:  produced at %T\n", &produced, utc);
-		fprintf(out, "             usable till %T, ", &usable, utc);
-		if (ok)
-		{
-			fprintf(out, "ok\n");
-		}
-		else
-		{
-			fprintf(out, "expired (%V ago)\n", &now, &usable);
-		}
-	}
-	enumerator->destroy(enumerator);
+	list->destroy_offset(list, offsetof(certificate_t, destroy));
 }
 
 /**
@@ -1439,19 +976,15 @@ METHOD(stroke_list_t, list, void,
 {
 	linked_list_t *cert_list = NULL;
 
+	cert_printer = certificate_printer_create(out, TRUE, msg->list.utc);
+
 	if (msg->list.flags & LIST_PUBKEYS)
 	{
-		linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
-
-		stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
-		pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
+		stroke_list_other_certs(CERT_TRUSTED_PUBKEY);
 	}
 	if (msg->list.flags & LIST_CERTS)
 	{
-		linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
-
-		stroke_list_pgp(pgp_list, msg->list.utc, out);
-		pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
+		stroke_list_other_certs(CERT_GPG);
 	}
 	if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
 	{
@@ -1459,47 +992,33 @@ METHOD(stroke_list_t, list, void,
 	}
 	if (msg->list.flags & LIST_CERTS)
 	{
-		stroke_list_certs(cert_list, "X.509 End Entity Certificates",
-						  X509_NONE, msg->list.utc, out);
+		stroke_list_x509_certs(cert_list, X509_NONE);
 	}
 	if (msg->list.flags & LIST_CACERTS)
 	{
-		stroke_list_certs(cert_list, "X.509 CA Certificates",
-						  X509_CA, msg->list.utc, out);
+		stroke_list_x509_certs(cert_list, X509_CA);
 	}
 	if (msg->list.flags & LIST_OCSPCERTS)
 	{
-		stroke_list_certs(cert_list, "X.509 OCSP Signer Certificates",
-						  X509_OCSP_SIGNER, msg->list.utc, out);
+		stroke_list_x509_certs(cert_list, X509_OCSP_SIGNER);
 	}
 	if (msg->list.flags & LIST_AACERTS)
 	{
-		stroke_list_certs(cert_list, "X.509 AA Certificates",
-						  X509_AA, msg->list.utc, out);
+		stroke_list_x509_certs(cert_list, X509_AA);
 	}
 	DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
 
 	if (msg->list.flags & LIST_ACERTS)
 	{
-		linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
-
-		stroke_list_acerts(ac_list, msg->list.utc, out);
-		ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
+		stroke_list_other_certs(CERT_X509_AC);
 	}
 	if (msg->list.flags & LIST_CRLS)
 	{
-		linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
-
-		stroke_list_crls(crl_list, msg->list.utc, out);
-		crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
+		stroke_list_other_certs(CERT_X509_CRL);
 	}
 	if (msg->list.flags & LIST_OCSP)
 	{
-		linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
-
-		stroke_list_ocsp(ocsp_list, msg->list.utc, out);
-
-		ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
+		stroke_list_other_certs(CERT_X509_OCSP_RESPONSE);
 	}
 	if (msg->list.flags & LIST_ALGS)
 	{
@@ -1509,6 +1028,8 @@ METHOD(stroke_list_t, list, void,
 	{
 		list_plugins(out);
 	}
+	cert_printer->destroy(cert_printer);
+	cert_printer = NULL;
 }
 
 /**
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 29563e32f..ee32dbca2 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -590,17 +590,10 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 		fprintf(out, "command not allowed!\n");
 		return;
 	}
-	if (strcaseeq(msg->loglevel.type, "any"))
+	if (!enum_from_name(debug_names, msg->loglevel.type, &group))
 	{
-		group = DBG_ANY;
-	}
-	else
-	{
-		if (!enum_from_name(debug_names, msg->loglevel.type, &group))
-		{
-			fprintf(out, "unknown type '%s'!\n", msg->loglevel.type);
-			return;
-		}
+		fprintf(out, "unknown type '%s'!\n", msg->loglevel.type);
+		return;
 	}
 	charon->set_level(charon, group, msg->loglevel.level);
 }
diff --git a/src/libcharon/plugins/systime_fix/Makefile.am b/src/libcharon/plugins/systime_fix/Makefile.am
index 40a346440..95a33230f 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.am
+++ b/src/libcharon/plugins/systime_fix/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 if MONOLITHIC
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index be148b6c3..0daff4434 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-systime-fix.la
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.am b/src/libcharon/plugins/tnc_ifmap/Makefile.am
index 90fbf4651..dab98129d 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.am
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.am
@@ -1,7 +1,6 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 17cc341c5..f124a1b38 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -419,6 +419,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -435,7 +437,6 @@ xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libtls \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
index d2ba2e345..2bad4fab0 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_listener.c
@@ -18,7 +18,6 @@
 #include "tnc_ifmap_renew_session_job.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <utils/debug.h>
 
 #define IFMAP_RENEW_SESSION_INTERVAL	150
@@ -51,8 +50,8 @@ static bool publish_device_ip_addresses(private_tnc_ifmap_listener_t *this)
 	host_t *host;
 	bool success = TRUE;
 
-	enumerator = hydra->kernel_interface->create_address_enumerator(
-									hydra->kernel_interface, ADDR_TYPE_REGULAR);
+	enumerator = charon->kernel->create_address_enumerator(charon->kernel,
+														   ADDR_TYPE_REGULAR);
 	while (enumerator->enumerate(enumerator, &host))
 	{
 		if (!this->ifmap->publish_device_ip(this->ifmap, host))
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.am b/src/libcharon/plugins/tnc_pdp/Makefile.am
index 3478c5b30..fcda7d76f 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.am
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius \
 	-I$(top_srcdir)/src/libtncif \
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index ef05275b7..bfd8cf820 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -420,6 +420,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -435,7 +437,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libradius \
 	-I$(top_srcdir)/src/libtncif \
diff --git a/src/libcharon/plugins/uci/Makefile.am b/src/libcharon/plugins/uci/Makefile.am
index 134ced0e3..296c8db04 100644
--- a/src/libcharon/plugins/uci/Makefile.am
+++ b/src/libcharon/plugins/uci/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 2c031383a..a1c64ca1b 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -429,7 +431,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/unity/Makefile.am b/src/libcharon/plugins/unity/Makefile.am
index 38923e068..1244cb317 100644
--- a/src/libcharon/plugins/unity/Makefile.am
+++ b/src/libcharon/plugins/unity/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 4f0a7e736..00bb1498c 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -430,7 +432,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/updown/Makefile.am b/src/libcharon/plugins/updown/Makefile.am
index f03f4744c..f8738adee 100644
--- a/src/libcharon/plugins/updown/Makefile.am
+++ b/src/libcharon/plugins/updown/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 619d17a0e..863e14430 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 96282bee0..e51caab10 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -1,7 +1,8 @@
 /*
  * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -21,7 +22,6 @@
 #include "updown_listener.h"
 
 #include <utils/process.h>
-#include <hydra.h>
 #include <daemon.h>
 #include <config/child_cfg.h>
 
@@ -205,25 +205,47 @@ static void push_vip_env(private_updown_listener_t *this, ike_sa_t *ike_sa,
 	enumerator->destroy(enumerator);
 }
 
+#define	PORT_BUF_LEN	12
+
 /**
  * Determine proper values for port env variable
  */
-static u_int16_t get_port(traffic_selector_t *me,
-						  traffic_selector_t *other, bool local)
+static char* get_port(traffic_selector_t *me, traffic_selector_t *other,
+					  char *port_buf, bool local)
 {
+	uint16_t port, to, from;
+
 	switch (max(me->get_protocol(me), other->get_protocol(other)))
 	{
 		case IPPROTO_ICMP:
 		case IPPROTO_ICMPV6:
 		{
-			u_int16_t port = me->get_from_port(me);
-
-			port = max(port, other->get_from_port(other));
-			return local ? traffic_selector_icmp_type(port)
-						 : traffic_selector_icmp_code(port);
+			port = max(me->get_from_port(me), other->get_from_port(other));
+			snprintf(port_buf, PORT_BUF_LEN, "%u",
+					 local ? traffic_selector_icmp_type(port)
+						   : traffic_selector_icmp_code(port));
+			return port_buf;
 		}
 	}
-	return local ? me->get_from_port(me) : other->get_from_port(other);
+	if (local)
+	{
+		from = me->get_from_port(me);
+		to   = me->get_to_port(me);
+	}
+	else
+	{
+		from = other->get_from_port(other);
+		to   = other->get_to_port(other);
+	}
+	if (from == to || (from == 0 && to == 65535))
+	{
+		snprintf(port_buf, PORT_BUF_LEN, "%u", from);
+	}
+	else
+	{
+		snprintf(port_buf, PORT_BUF_LEN, "%u:%u", from, to);
+	}
+	return port_buf;
 }
 
 /**
@@ -241,6 +263,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 	int out;
 	FILE *shell;
 	process_t *process;
+	char port_buf[PORT_BUF_LEN];
 	char *envp[128] = {};
 
 	me = ike_sa->get_my_host(ike_sa);
@@ -265,8 +288,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 			 config->get_name(config));
 	if (up)
 	{
-		if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												   me, &iface))
+		if (charon->kernel->get_interface(charon->kernel, me, &iface))
 		{
 			cache_iface(this, child_sa->get_reqid(child_sa), iface);
 		}
@@ -289,25 +311,29 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 			 ike_sa->get_unique_id(ike_sa));
 	push_env(envp, countof(envp), "PLUTO_ME=%H", me);
 	push_env(envp, countof(envp), "PLUTO_MY_ID=%Y", ike_sa->get_my_id(ike_sa));
-	if (my_ts->to_subnet(my_ts, &host, &mask))
+	if (!my_ts->to_subnet(my_ts, &host, &mask))
 	{
-		push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
-		host->destroy(host);
+		DBG1(DBG_CHD, "updown approximates local TS %R "
+					  "by next larger subnet", my_ts);
 	}
-	push_env(envp, countof(envp), "PLUTO_MY_PORT=%u",
-			 get_port(my_ts, other_ts, TRUE));
+	push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
+	host->destroy(host);
+	push_env(envp, countof(envp), "PLUTO_MY_PORT=%s",
+			 get_port(my_ts, other_ts, port_buf, TRUE));
 	push_env(envp, countof(envp), "PLUTO_MY_PROTOCOL=%u",
 			 my_ts->get_protocol(my_ts));
 	push_env(envp, countof(envp), "PLUTO_PEER=%H", other);
 	push_env(envp, countof(envp), "PLUTO_PEER_ID=%Y",
 			 ike_sa->get_other_id(ike_sa));
-	if (other_ts->to_subnet(other_ts, &host, &mask))
+	if (!other_ts->to_subnet(other_ts, &host, &mask))
 	{
-		push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
-		host->destroy(host);
+		DBG1(DBG_CHD, "updown approximates remote TS %R "
+					  "by next larger subnet", other_ts);
 	}
-	push_env(envp, countof(envp), "PLUTO_PEER_PORT=%u",
-			 get_port(my_ts, other_ts, FALSE));
+	push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
+	host->destroy(host);
+	push_env(envp, countof(envp), "PLUTO_PEER_PORT=%s",
+			 get_port(my_ts, other_ts, port_buf, FALSE));
 	push_env(envp, countof(envp), "PLUTO_PEER_PROTOCOL=%u",
 			 other_ts->get_protocol(other_ts));
 	if (ike_sa->has_condition(ike_sa, COND_EAP_AUTHENTICATED) ||
diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am
index c99d23e4e..ca9b49906 100644
--- a/src/libcharon/plugins/vici/Makefile.am
+++ b/src/libcharon/plugins/vici/Makefile.am
@@ -1,6 +1,6 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
@@ -18,6 +18,7 @@ libstrongswan_vici_la_SOURCES = \
 	vici_message.h vici_message.c \
 	vici_builder.h vici_builder.c \
 	vici_dispatcher.h vici_dispatcher.c \
+	vici_cert_info.h vici_cert_info.c \
 	vici_query.h vici_query.c \
 	vici_control.h vici_control.c \
 	vici_config.h vici_config.c \
@@ -38,6 +39,7 @@ ipseclib_LTLIBRARIES = libvici.la
 libvici_la_SOURCES = \
 	vici_message.c vici_message.h \
 	vici_builder.c vici_builder.h \
+	vici_cert_info.h vici_cert_info.c \
 	libvici.c libvici.h
 
 libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -79,3 +81,7 @@ endif
 if USE_PYTHON_EGGS
 SUBDIRS += python
 endif
+
+if USE_PERL_CPAN
+SUBDIRS += perl
+endif
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index 1a7870ae9..86ed00792 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -82,6 +82,7 @@ TESTS = vici_tests$(EXEEXT)
 check_PROGRAMS = $(am__EXEEXT_1)
 @USE_RUBY_GEMS_TRUE@am__append_1 = ruby
 @USE_PYTHON_EGGS_TRUE@am__append_2 = python
+@USE_PERL_CPAN_TRUE@am__append_3 = perl
 subdir = src/libcharon/plugins/vici
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
@@ -134,9 +135,10 @@ LTLIBRARIES = $(ipseclib_LTLIBRARIES) $(noinst_LTLIBRARIES) \
 	$(plugin_LTLIBRARIES)
 libstrongswan_vici_la_LIBADD =
 am_libstrongswan_vici_la_OBJECTS = vici_socket.lo vici_message.lo \
-	vici_builder.lo vici_dispatcher.lo vici_query.lo \
-	vici_control.lo vici_config.lo vici_cred.lo vici_attribute.lo \
-	vici_authority.lo vici_logger.lo vici_plugin.lo
+	vici_builder.lo vici_dispatcher.lo vici_cert_info.lo \
+	vici_query.lo vici_control.lo vici_config.lo vici_cred.lo \
+	vici_attribute.lo vici_authority.lo vici_logger.lo \
+	vici_plugin.lo
 libstrongswan_vici_la_OBJECTS = $(am_libstrongswan_vici_la_OBJECTS)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -150,7 +152,8 @@ libstrongswan_vici_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
 @MONOLITHIC_TRUE@am_libstrongswan_vici_la_rpath =
 libvici_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
-am_libvici_la_OBJECTS = vici_message.lo vici_builder.lo libvici.lo
+am_libvici_la_OBJECTS = vici_message.lo vici_builder.lo \
+	vici_cert_info.lo libvici.lo
 libvici_la_OBJECTS = $(am_libvici_la_OBJECTS)
 am__EXEEXT_1 = vici_tests$(EXEEXT)
 am__dirstamp = $(am__leading_dot)dirstamp
@@ -270,7 +273,7 @@ am__tty_colors = { \
     std='[m'; \
   fi; \
 }
-DIST_SUBDIRS = ruby python
+DIST_SUBDIRS = ruby python perl
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -509,6 +512,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -524,7 +529,7 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
@@ -538,6 +543,7 @@ libstrongswan_vici_la_SOURCES = \
 	vici_message.h vici_message.c \
 	vici_builder.h vici_builder.c \
 	vici_dispatcher.h vici_dispatcher.c \
+	vici_cert_info.h vici_cert_info.c \
 	vici_query.h vici_query.c \
 	vici_control.h vici_control.c \
 	vici_config.h vici_config.c \
@@ -553,6 +559,7 @@ ipseclib_LTLIBRARIES = libvici.la
 libvici_la_SOURCES = \
 	vici_message.c vici_message.h \
 	vici_builder.c vici_builder.h \
+	vici_cert_info.h vici_cert_info.c \
 	libvici.c libvici.h
 
 libvici_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -578,7 +585,7 @@ vici_tests_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la
 
-SUBDIRS = $(am__append_1) $(am__append_2)
+SUBDIRS = $(am__append_1) $(am__append_2) $(am__append_3)
 all: all-recursive
 
 .SUFFIXES:
@@ -739,6 +746,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_attribute.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_authority.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_cert_info.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_config.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_control.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vici_cred.Plo@am__quote@
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index b9531d8a5..52929bd74 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -258,7 +258,8 @@ Initiates an SA while streaming _control-log_ events.
 
 	{
 		child = <CHILD_SA configuration name to initiate>
-		timeout = <timeout in seconds before returning>
+		ike = <optional IKE_SA configuraiton name to find child under>
+		timeout = <timeout in ms before returning>
 		init-limits = <whether limits may prevent initiating the CHILD_SA>
 		loglevel = <loglevel to issue "control-log" events for>
 	} => {
@@ -266,6 +267,9 @@ Initiates an SA while streaming _control-log_ events.
 		errmsg = <error string on failure or timeout>
 	}
 
+The default timeout of 0 waits indefinitely for a result, and a timeout value
+of -1 returns a result immediately.
+
 ### terminate() ###
 
 Terminates an SA while streaming _control-log_ events.
@@ -275,19 +279,40 @@ Terminates an SA while streaming _control-log_ events.
 		ike = <terminate an IKE_SA by configuration name>
 		child_id = <terminate a CHILD_SA by its reqid>
 		ike_id = <terminate an IKE_SA by its unique id>
-		timeout = <timeout in seconds before returning>
+		timeout = <timeout in ms before returning>
 		loglevel = <loglevel to issue "control-log" events for>
 	} => {
 		success = <yes or no>
 		errmsg = <error string on failure or timeout>
 	}
 
+The default timeout of 0 waits indefinitely for a result, and a timeout value
+of -1 returns a result immediately.
+
+### redirect() ###
+
+Redirect a client-initiated IKE_SA to another gateway.  Only for IKEv2 and if
+supported by the peer.
+
+	{
+		ike = <redirect an IKE_SA by configuration name>
+		ike-id = <redirect an IKE_SA by its unique id>
+		peer-ip = <redirect an IKE_SA with matching peer IP, may also be a
+				   subnet in CIDR notation or an IP range>
+		peer-id = <redirect an IKE_SA with matching peer identity, may contain
+				   wildcards>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
 ### install() ###
 
 Install a trap, drop or bypass policy defined by a CHILD_SA config.
 
 	{
 		child = <CHILD_SA configuration name to install>
+		ike = <optional IKE_SA configuraiton name to find child under>
 	} => {
 		success = <yes or no>
 		errmsg = <error string on failure>
@@ -361,7 +386,9 @@ call includes all certificates known by the daemon, not only those loaded
 over vici.
 
 	{
-		type = <certificate type to filter for, or ANY>
+		type = <certificate type to filter for, X509|X509_AC|X509_CRL|
+												OCSP_RESPONSE|PUBKEY  or ANY>
+		flag = <X.509 certificate flag to filter for, NONE|CA|AA|OCSP or ANY>
 		subject = <set to list only certificates having subject>
 	} => {
 		# completes after streaming list-cert events
@@ -419,7 +446,8 @@ Unload a previously loaded connection definition by name.
 Load a certificate into the daemon.
 
 	{
-		type = <certificate type, X509|X509CA|X509AA|X509CRL|X509AC>
+		type = <certificate type, X509|X509_AC|X509_CRL>
+		flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
 		data = <PEM or DER encoded certificate data>
 	} => {
 		success = <yes or no>
@@ -544,6 +572,16 @@ List the currently loaded pools.
 		}
 	}
 
+### get-algorithms() ###
+
+List currently loaded algorithms and their implementation.
+
+	{} => {
+		<algorithm type> = {
+			<algorithm> = <plugin providing the implementation>
+		}
+	}
+
 ## Server-issued events ##
 
 Based on the packet layer, the vici plugin raises event messages using named
@@ -588,8 +626,10 @@ command.
 			version = <IKE version, 1 or 2>
 			state = <IKE_SA state name>
 			local-host = <local IKE endpoint address>
+			local-port = <local IKE endpoint port>
 			local-id = <local IKE identity>
 			remote-host = <remote IKE endpoint address>
+			remote-port = <remote IKE endpoint port>
 			remote-id = <remote IKE identity>
 			remote-xauth-id = <remote XAuth identity, if XAuth-authenticated>
 			remote-eap-id = <remote EAP identity, if EAP-authenticated>
@@ -735,9 +775,13 @@ The _list-cert_ event is issued to stream loaded certificates during an active
 _list-certs_ command.
 
 	{
-		type = <certificate type>
+		type = <certificate type, X509|X509_AC|X509_CRL|OCSP_RESPONSE|PUBKEY>
+		flag = <X.509 certificate flag, NONE|CA|AA|OCSP>
 		has_privkey = <set if a private key for the certificate is available>
 		data = <ASN1 encoded certificate data>
+		subject = <subject string if defined and certificate type is PUBKEY>
+		not-before = <time string if defined and certificate type is PUBKEY>
+		not-after  = <time string if defined and certificate type is PUBKEY>
 	}
 
 ### list-authority ###
@@ -763,7 +807,7 @@ information during an active_list-authorities_ command.
 The _ike-updown_ event is issued when an IKE_SA is established or terminated.
 
 	{
-		up = <yes or no>
+		up = <set if up event>
 		<IKE_SA config name> = {
 			<same data as in the list-sas event, but without child-sas section>
 		}
@@ -789,7 +833,7 @@ The _ike-rekey_ event is issued when an IKE_SA is rekeyed.
 The _child-updown_ event is issued when a CHILD_SA is established or terminated.
 
 	{
-		up = <yes or no>
+		up = <set if up event>
 		<IKE_SA config name> = {
 			<same data as in the list-sas event, but with only the affected
 			 CHILD_SA in the child-sas section>
@@ -1068,3 +1112,43 @@ dictionaries. Objects returned by the library use OrderedDicts.
 
 For more details about the Python egg refer to the comments in the Python source
 code.
+
+# Vici::Session Perl CPAN module #
+
+The _Vici::Session Perl CPAN module_ is a pure Perl implementation of the VICI
+protocol to implement client applications. It is provided in the _perl_
+subdirectory, and gets built and installed if strongSwan has been
+ _./configure_'d with_--enable-vici_ and _--enable-perl-cpan_.
+
+The _Vici::Session_ module provides a _new()_ constructor for a high level
+interface, the underlying _Vici::Packet_ and _Vici::Transport_ classes are
+usually not required to build Perl applications using VICI. The _Vici::Session_
+class provides methods for the supported VICI commands. The auxiliare
+ _Vici::Message_ class is used to encode configuration parameters sent to
+the daemon and decode data returned by the daemon.
+
+## Connecting to the daemon ##
+
+	use IO::Socket::UNIX;
+	use Vici::Session;
+	use Vici::Message;
+
+	my $socket = IO::Socket::UNIX->new(
+			Type => SOCK_STREAM,
+			Peer => '/var/run/charon.vici',
+	) or die "Vici socket: $!";
+
+	my $session = Vici::Session->new($socket);
+
+## A simple client request ##
+
+An example to print the daemon version information is as simple as:
+
+	my $version = $session->version()->hash();
+
+	foreach my $key ('daemon', 'version', 'sysname', 'release', 'machine' ) {
+		print $version->{$key}, " ";
+	}
+
+The _Vici::Session_ methods are explained in the perl/Vici-Session/README.pod
+document.
diff --git a/src/libcharon/plugins/vici/perl/Makefile.am b/src/libcharon/plugins/vici/perl/Makefile.am
new file mode 100644
index 000000000..9bc6262ac
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Makefile.am
@@ -0,0 +1,27 @@
+EXTRA_DIST = \
+	Vici-Session/Changes \
+	Vici-Session/Makefile.PL \
+	Vici-Session/MANIFEST \
+	Vici-Session/README.pod \
+	Vici-Session/t/Vici-Session.t \
+	Vici-Session/lib/Vici/Message.pm \
+	Vici-Session/lib/Vici/Packet.pm \
+	Vici-Session/lib/Vici/Session.pm \
+	Vici-Session/lib/Vici/Transport.pm
+
+all-local: Vici-Session/pm_to_blib
+
+Vici-Session/Makefile: $(srcdir)/Vici-Session/Makefile.PL
+	(cd $(srcdir)/Vici-Session; $(PERL) Makefile.PL)
+
+Vici-Session/pm_to_blib: $(EXTRA_DIST) $(srcdir)/Vici-Session/Makefile
+	(cd $(srcdir)/Vici-Session; make)
+
+clean-local:
+	(cd $(srcdir)/Vici-Session; [ ! -f Makefile ] || make clean)
+
+if PERL_CPAN_INSTALL
+install-exec-local: Vici-Session/pm_to_blib
+	(cd $(srcdir)/Vici-Session; make install)
+endif
+
diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in
new file mode 100644
index 000000000..550d3e980
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Makefile.in
@@ -0,0 +1,567 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/vici/perl
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+EXTRA_DIST = \
+	Vici-Session/Changes \
+	Vici-Session/Makefile.PL \
+	Vici-Session/MANIFEST \
+	Vici-Session/README.pod \
+	Vici-Session/t/Vici-Session.t \
+	Vici-Session/lib/Vici/Message.pm \
+	Vici-Session/lib/Vici/Packet.pm \
+	Vici-Session/lib/Vici/Session.pm \
+	Vici-Session/lib/Vici/Transport.pm
+
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/vici/perl/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/vici/perl/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+@PERL_CPAN_INSTALL_FALSE@install-exec-local:
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-local mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-exec-local
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am all-local check check-am clean clean-generic \
+	clean-libtool clean-local cscopelist-am ctags-am distclean \
+	distclean-generic distclean-libtool distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-exec-local install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags-am uninstall uninstall-am
+
+
+all-local: Vici-Session/pm_to_blib
+
+Vici-Session/Makefile: $(srcdir)/Vici-Session/Makefile.PL
+	(cd $(srcdir)/Vici-Session; $(PERL) Makefile.PL)
+
+Vici-Session/pm_to_blib: $(EXTRA_DIST) $(srcdir)/Vici-Session/Makefile
+	(cd $(srcdir)/Vici-Session; make)
+
+clean-local:
+	(cd $(srcdir)/Vici-Session; [ ! -f Makefile ] || make clean)
+
+@PERL_CPAN_INSTALL_TRUE@install-exec-local: Vici-Session/pm_to_blib
+@PERL_CPAN_INSTALL_TRUE@	(cd $(srcdir)/Vici-Session; make install)
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/Changes b/src/libcharon/plugins/vici/perl/Vici-Session/Changes
new file mode 100644
index 000000000..0c30328fd
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/Changes
@@ -0,0 +1,6 @@
+Revision history for Perl extension Vici::Session.
+
+0.9  Tue Nov 17 11:45:21 2015
+	- original version; created by h2xs 1.23 with options
+		-X -n Vici::Session
+
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/MANIFEST b/src/libcharon/plugins/vici/perl/Vici-Session/MANIFEST
new file mode 100644
index 000000000..c19032a08
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/MANIFEST
@@ -0,0 +1,9 @@
+Changes
+Makefile.PL
+MANIFEST
+README.pod
+t/Vici-Session.t
+lib/Vici/Session.pm
+lib/Vici/Message.pm
+lib/Vici/Packet.pm
+lib/Vici/Transport.pm
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/Makefile.PL b/src/libcharon/plugins/vici/perl/Vici-Session/Makefile.PL
new file mode 100644
index 000000000..65f494557
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/Makefile.PL
@@ -0,0 +1,11 @@
+use ExtUtils::MakeMaker;
+# See lib/ExtUtils/MakeMaker.pm for details of how to influence
+# the contents of the Makefile that is written.
+WriteMakefile(
+    NAME              => 'Vici::Session',
+    VERSION_FROM      => 'lib/Vici/Session.pm', # finds $VERSION
+    PREREQ_PM         => {}, # e.g., Module::Name => 1.1
+    ($] >= 5.005 ?     ## Add these new keywords supported since 5.005
+      (ABSTRACT_FROM  => 'lib/Vici/Session.pm', # retrieve abstract from module
+       AUTHOR         => 'Andreas Steffen <andreas.steffen@>strongswan.org') : ()),
+);
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/README.pod b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
new file mode 100644
index 000000000..de374aa11
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
@@ -0,0 +1,649 @@
+
+=head1 NAME
+
+Vici::Session - Perl binding for the strongSwan VICI configuration interface
+
+=head1 DESCRIPTION
+
+The Vici::Session module allows a Perl script to communicate with the open
+source strongSwan IPsec daemon (https://www.strongswan.org) via the documented
+Versatile IKE Configuration Interface (VICI). VICI allows the configuration,
+management and monitoring of multiple IPsec connections.
+
+=head1 INSTALLATION
+
+To install this module type the following:
+
+  perl Makefile.PL
+  make
+  make install
+
+=head1 DEPENDENCIES
+
+This module requires the standard networking module:
+
+  IO::Socket::UNIX
+
+=head1 METHODS
+
+The following examples show the use of the Vici::Session interface in a
+a "net-net" connection between the VPN gateways "moon" and "sun".
+
+=cut
+
+use strict;
+use warnings;
+use IO::Socket::UNIX;
+use Vici::Message;
+use Vici::Session;
+
+my $moon_key = "-----BEGIN RSA PRIVATE KEY-----\n" .
+    "MIIEowIBAAKCAQEApHwF+sUXQdH+WwYzdPMzpjuwhGGvHgsmBah1IQsPsddL9gZy" .
+    "gerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IABr87L9JAva56EHIAiUMuG8WizVbIK" .
+    "IhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6xvMJbwHLi0h7BUO9tBVLPy72YeGNB" .
+    "Y6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL0DgYP/n2maPEJGEivTFunkJD/mJ8" .
+    "DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhyYK5wsATB1ANeAtlFfgH+wsuHjZwt" .
+    "TJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47nwIDAQABAoIBAAQDXqX6rxGVDQ6t" .
+    "fQ3qbSUuKaVhOMOT5A6ZSJpQycY+CYVsLNkMoXszX6lUDhlH/Letcme03OAKMM77" .
+    "JGn9wYzHj+RcrDuE95Y2bh/oh1dWhaGeoW6pbSwpvD0FzkQKpANlOCr/5bltVxmb" .
+    "nHftI/sGBvUQGIal53ORE+jgV1+SK6I0oAIWiCpU2oZpYMAtp7WxOngsAJaGtk//" .
+    "m2ckH+T8uVHwe9gJ9HZnEk+Io6BXScMNNrsbd2J+pQ75wQXfzHEzHAj+ElhWzhtc" .
+    "5XefqHw/DfpPDX/lby3VoSoagqzsVuUx7LylgzIDxTsb9HQVOLjDzOQ+vn22Xj7g" .
+    "UCEjwLkCgYEA2EZguuzJdxRIWBSnIyzpCzfqm0EgybpeLuJVfzWla0yKWI6AeLhW" .
+    "cr+7o9UE8nCQHVffIrgjWksjc/S5FhzC9TYSHpPa8TPgebTQK4VxnP9Qkh/XRpJj" .
+    "CqgJ8k2MYleHYxa+AKQv/25yNhLdowkNR0iU1kbiaYRJMP0WigAmdAUCgYEAwrJe" .
+    "Y3LAawOkalJFMFTtLXsqZE91TFwMt9TQnzysGH3Q6+9N+qypS5KCes650+qgrwBV" .
+    "RmRNc1ixylToP3B0BKY5OD/BwMx1L/zSO3x7I4ZDasCu33y2ukGLcVSxrxTPTGdd" .
+    "8fhEiVO1CDXcM08/kSeQa049J8ziY3M+4NDchlMCgYEAw2VCO1923Tjb64gtQOBw" .
+    "ZAxOz5nVz6urL9yYted33is2yq9kbqzMnbuQAYKRh6Ae9APRuwJ2HjvIehjdp5aw" .
+    "pO4HDM00f7sI0ayEbu2PKfKZjotp6X6UMKqE4f8iGC9QSDvhyZ6NJs9YLHZ6+7NP" .
+    "5dkzbyx3njFAFxxxYpikJSkCgYByShB8YlUvvKCcRRUWbRQZWa6l2brqizJwCz43" .
+    "636+lcS5au2klAyBL0zm2Elfa+DNOe3U93Y7mrorIrJ+4v1H6We3bD3JdnvoIooq" .
+    "n0UNsngKx3cf++6r4WQAsA3pz9ZsbFVKgEmDL58aZbuQZxnSlJ4DT5c4sN3IMVOc" .
+    "1x5MvwKBgHudAaLvioIopBpYzOsK2OtEn6NQ7SwH0BLEUulHysaHqan5oExmM1bm" .
+    "YeivMDc9hj0YLXA47ryQHTx4vB5Nv3TI/LoUG6VrCvZvocQOXe/n7TguwAjJj7ef" .
+    "E55Gy8lXDRENyJMP1vif3N2iH8eQ1ASf8k/+gnBNkjSlYSSQUDfV\n" .
+    "-----END RSA PRIVATE KEY-----\n";
+ 
+my $moon_cert = "-----BEGIN CERTIFICATE-----\n" .
+    "MIIEIjCCAwqgAwIBAgIBKzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ" .
+    "MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS" .
+    "b290IENBMB4XDTE0MDgyNzE0NDQ1NloXDTE5MDgyNjE0NDQ1NlowRjELMAkGA1UE" .
+    "BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u" .
+    "c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk" .
+    "fAX6xRdB0f5bBjN08zOmO7CEYa8eCyYFqHUhCw+x10v2BnKB6vOlMzW+9DiRtG68" .
+    "TdJlYt/24oRuJBX0gAGvzsv0kC9rnoQcgCJQy4bxaLNVsgoiFCVlzxLaYjABbQlz" .
+    "oSaegm/2PoX+1UP37rG8wlvAcuLSHsFQ720FUs/LvZh4Y0FjoKhvgKs64U4nIAJ7" .
+    "MnuL29n5fM5+dem7uovQOBg/+faZo8QkYSK9MW6eQkP+YnwN5zItNBxyGwKPbXXw" .
+    "Ey5/aqNWfhRY8IEG6HJgrnCwBMHUA14C2UV+Af7Cy4eNnC1Mmu7TmUYcFncXaFn0" .
+    "87ryFUdshlmPpIHxfjufAgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQE" .
+    "AwIDqDAdBgNVHQ4EFgQU2CY9Iex8275aOQxbcMsDgCHerhMwbQYDVR0jBGYwZIAU" .
+    "XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK" .
+    "ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC" .
+    "AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggr" .
+    "BgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u" .
+    "b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCpnj6Nc+PuPLPi" .
+    "4E3g5hyJkr5VZy7SSglcs1uyVP2mfwj6JR9SLd5+JOsL1aCTm0y9qLcqdbHBxG8i" .
+    "LNLtwVKU3s1hV4EIO3saHe4XUEjxN9bDtLWEoeq5ipmYX8RJ/fXKR8/8vurBARP2" .
+    "xu1+wqwEhymp4jBmF0LVovT1+o+GhH66zIJnx3zR9BtfMkaeL6804hrx2ygeopeo" .
+    "buGvMDQ8HcnMB9OU7Y8fK0oY1kULl6hf36K5ApPA6766sRRKRvBSKlmViKSQTq5a" .
+    "4c8gCWAZbtdT+N/fa8hKDlZt5q10EgjTqDfGTj50xKvAneq7XdfKmYYGnIWoNLY9" .
+    "ga8NOzX8\n" .
+    "-----END CERTIFICATE-----\n";
+
+my $ca_cert = "-----BEGIN CERTIFICATE-----\n" .
+    "MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ" .
+    "MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS" .
+    "b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE" .
+    "BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u" .
+    "Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y" .
+    "X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f" .
+    "FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc" .
+    "4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/" .
+    "7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5" .
+    "gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr" .
+    "K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG" .
+    "A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j" .
+    "BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw" .
+    "FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv" .
+    "b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in" .
+    "Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n" .
+    "1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y" .
+    "vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si" .
+    "7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa" .
+    "Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=\n" .
+    "-----END CERTIFICATE-----\n" ;
+
+=pod
+
+The VICI interface requires a UNIX socket in order to communicate with the
+strongSwan charon daemon:
+
+  use IO::Socket::UNIX;
+
+  my $socket = IO::Socket::UNIX->new(
+          Type => SOCK_STREAM,
+          Peer => '/var/run/charon.vici',
+  ) or die "Vici socket: $!";
+
+=cut
+
+my $socket = IO::Socket::UNIX->new(
+            Type => SOCK_STREAM,
+            Peer => '/var/run/charon.vici',
+) or die "Vici socket: $!";
+
+=over
+
+=item new()
+
+creates a new Vici::Session object.
+
+  use Vici::Session;
+  use Vici::Message;
+
+  my $session = Vici::Session->new($socket);
+
+=cut
+
+my $session = Vici::Session->new($socket);
+
+=item version()
+
+returns daemon and system specific version information.
+
+  my $version = $session->version();
+
+=cut
+
+print "----- version -----\n";
+my $version = $session->version();
+print $version->raw(), "\n";
+
+=item load_cert()
+
+loads a certificate into the daemon.
+
+  my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
+  my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-cert -----\n";
+my %vars = ( type => 'X509', flag => 'CA', data => $ca_cert );
+my ($res, $errmsg) = $session->load_cert(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item load_key()
+
+loads a private key into the daemon.
+
+  my %vars = ( type => 'RSA', data => $moon_key );
+  my ($res, $errmsg) = $session->load_key(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-key -----\n";
+%vars = ( type => 'RSA', data => $moon_key );
+($res, $errmsg) = $session->load_key(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item load_shared()
+
+loads a shared IKE PSK, EAP or XAuth secret into the daemon.
+
+  my @owners = ( 'carol' );
+  my %vars = ( type => 'EAP', data => 'Ar3etTnp', owners => \@owners );
+  my ($res, $errmsg) = $session->load_shared(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-shared -----\n";
+my @owners = ( 'carol' );
+%vars = ( type => 'EAP', data => 'Ar3etTnp', owners => \@owners );
+($res, $errmsg) = $session->load_shared(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item load_authority()
+
+loads a single certification authority definition into the daemon. An existing
+authority with the same name gets replaced.
+
+  my @crl_uris  = ( 'http://crl.strongswan.org/strongswan.crl' );
+  my @ocsp_uris = ( 'http://ocsp.strongswan.org:8880' );
+
+  my %auth = (
+      cacert => $ca_cert,
+      crl_uris  => \@crl_uris,
+      ocsp_uris => \@ocsp_uris
+  );
+
+  my %vars = ( strongswan => \%auth );
+  my ($res, $errmsg) = $session->load_authority(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-authority -----\n";
+my @crl_uris  = ( 'http://crl.strongswan.org/strongswan.crl' );
+my @ocsp_uris = ( 'http://ocsp.strongswan.org:8880' );
+my %auth = (
+    cacert => $ca_cert,
+    crl_uris  => \@crl_uris,
+    ocsp_uris => \@ocsp_uris
+);
+%vars = ( strongswan => \%auth );
+($res, $errmsg) = $session->load_authority(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item load_conn()
+
+loads a single connection definition into the daemon. An existing connection
+with the same name gets updated or replaced.
+
+  my @l_ts = ( '10.1.0.0/16' );
+  my @r_ts = ( '10.2.0.0/16' );
+  my @esp  = ( 'aes128gcm128-modp3072' );
+
+  my %child = (
+      local_ts  => \@l_ts,
+      remote_ts => \@r_ts,
+      esp_proposals => \@esp,
+  );
+  my %children = ( 'net-net' => \%child );
+
+  my @l_addrs = ( '192.168.0.1' );
+  my @r_addrs = ( '192.168.0.2' );
+  my @l_certs = ( $moon_cert );
+  my %l = ( auth => 'pubkey', id => 'moon.strongswan.org',
+            certs => \@l_certs );
+  my %r = ( auth => 'pubkey', id => 'sun.strongswan.org');
+  my @ike = ( 'aes128-sha256-modp3072' );
+
+  my %gw = (
+      version => 2,
+      mobike => 'no',
+      proposals => \@ike,
+      local_addrs  => \@l_addrs,
+      remote_addrs => \@r_addrs,
+      local  => \%l,
+      remote => \%r,
+      children => \%children,
+  );
+
+  my %vars = ( 'gw-gw' => \%gw);
+  my ($res, $errmsg) = $session->load_conn(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-conn -----\n";
+my @l_ts = ( '10.1.0.0/16' );
+my @r_ts = ( '10.2.0.0/16' );
+my @esp  = ( 'aes128gcm128-modp3072' );
+my %child = (
+    local_ts  => \@l_ts,
+    remote_ts => \@r_ts,
+    esp_proposals => \@esp,
+);  
+my %children = ( 'net-net' => \%child );
+my @l_addrs = ( '192.168.0.1' );
+my @r_addrs = ( '192.168.0.2' );
+my @l_certs = ( $moon_cert );
+my %l = ( auth => 'pubkey', id => 'moon.strongswan.org', certs => \@l_certs );
+my %r = ( auth => 'pubkey', id => 'sun.strongswan.org');
+my @ike = ( 'aes128-sha256-modp3072' );
+my %gw = (
+    version => 2,
+    mobike => 'no',
+    proposals => \@ike,
+    local_addrs  => \@l_addrs,
+    remote_addrs => \@r_addrs,
+    local  => \%l,
+    remote => \%r,
+    children => \%children,
+);
+%vars = ( 'gw-gw' => \%gw);
+($res, $errmsg) = $session->load_conn(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item get_algorithms()
+
+lists all currently loaded algorithms and their implementation.
+
+  my $algs = $session->get_algorithms();
+
+=cut
+
+print "----- get-algorithms -----\n";
+my $algs = $session->get_algorithms();
+print $algs->raw(), "\n";
+
+=item get_conns()
+
+returns a list of connection names loaded exclusively over VICI, not including
+connections found in other backends.
+
+  my $conns = $session->get_conns();
+
+=cut
+
+print "----- get-conns -----\n";
+my $conns = $session->get_conns();
+print $conns->raw(), "\n";
+
+=item list_conns()
+
+lists currently loaded connections by streaming list-conn events. This
+call includes all connections known by the daemon, not only those loaded
+over VICI.
+
+  my $conns = $session->list_conns();
+
+  foreach my $conn (@$conns)
+  {
+      print $conn->raw(), "\n";
+  }
+
+=cut
+
+print "----- list-conns -----\n";
+$conns = $session->list_conns();
+foreach my $conn (@$conns)
+{
+    print $conn->raw(), "\n";
+}
+
+=item initiate()
+
+initiates a CHILD_SA.
+
+  my %vars = ( child => 'net-net' );
+  my($res, $errmsg) = $session->initiate(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- initiate -----\n";
+%vars = ( child => 'net-net' );
+($res, $errmsg) = $session->initiate(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item list_sas()
+
+lists currently active IKE_SAs and associated CHILD_SAs by streaming list-sa
+events.
+
+  my $sas = $session->list_sas();
+
+  foreach my $sa (@$sas)
+  {
+      print $sa->raw(), "\n";
+  }
+
+=cut
+
+print "----- list-sas -----\n";
+my $sas = $session->list_sas();
+foreach my $sa (@$sas)
+{
+    print $sa->raw(), "\n";
+}
+
+=item get_authorities()
+
+returns a list of currently loaded certification authority names.
+
+  my $auths = $session->get_authorities();
+
+=cut
+
+print "----- get-authorities -----\n";
+my $auths = $session->get_authorities();
+print $auths->raw(), "\n";
+
+=item list-authorities()
+
+lists currently loaded certification authority information by streaming
+list-authority events.
+
+  my $auths = $session->list_authorities();
+
+  foreach my $auth (@$auths)
+  {
+      print $auth->raw(), "\n";
+  }
+
+=cut
+
+print "----- list-authorities -----\n";
+$auths = $session->list_authorities();
+foreach my $auth (@$auths)
+{
+    print $auth->raw(), "\n";
+}
+
+=item list_certs()
+
+lists currently loaded certificates by streaming list-cert events. This
+call includes all certificates known by the daemon, not only those loaded
+over VICI.
+
+  my %vars = ( subject => 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' );
+  my $certs = $session->list_certs(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- list-certs -----\n";
+%vars = ( subject => 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' );
+my $certs = $session->list_certs(Vici::Message->new(\%vars));
+foreach my $cert (@$certs)
+{
+    my $hash = $cert->hash();
+    print $hash->{'type'}, ": ", length($hash->{'data'}), ' bytes',
+          $hash->{'has_privkey'} ? ', has private key' : '', "\n";
+}
+
+=item stats()
+
+returns IKE daemon statistics and load information.
+
+  my $stats = $session->stats();
+
+=cut
+
+print "----- stats -----\n";
+my $stats = $session->stats();
+print $stats->raw(), "\n";
+
+=item terminate()
+
+terminates an IKE_SA or CHILD_SA.
+
+  my %vars = ( ike => 'gw-gw' );
+  my ($res, $errmsg) = $session->terminate(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- terminate -----\n";
+%vars = ( ike => 'gw-gw' );
+($res, $errmsg) = $session->terminate(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item install()
+
+installs a trap, drop or bypass policy defined by a CHILD_SA config.
+
+  my %vars = ( child => 'net-net' );
+  my ($res, $errmsg) = $session->install(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- install -----\n";
+%vars = ( child => 'net-net' );
+($res, $errmsg) = $session->install(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item list_policies()
+
+lists currently installed trap, drop and bypass policies by streaming
+list-policy events.
+
+  my %vars = ( trap => 'yes' );
+  my $pols = $session->list_policies(Vici::Message->new(\%vars));
+
+  foreach my $pol (@$pols)
+  {
+      print $pol->raw(), "\n";
+  }
+
+=cut
+
+print "----- list-policies -----\n";
+%vars = ( trap => 'yes' );
+my $pols = $session->list_policies(Vici::Message->new(\%vars));
+foreach my $pol (@$pols)
+{
+    print $pol->raw(), "\n";
+}
+
+=item uninstall()
+
+uninstalls a trap, drop or bypass policy defined by a CHILD_SA config.
+
+  my %vars = ( child => 'net-net' );
+  my ($res, $errmsg) = $session->uninstall(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- uninstall -----\n";
+%vars = ( child => 'net-net' );
+($res, $errmsg) = $session->uninstall(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item reload_settings()
+
+reloads strongswan.conf settings and all plugins supporting configuration
+reload.
+
+  my ($res, $errmsg) = $session->reload_settings();
+  print $res ? "ok\n" : "failed: $errmsg\n";
+
+=cut
+
+print "----- reload-settings -----\n";
+($res, $errmsg) = $session->reload_settings();
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item unload_conn()
+
+unloads a previously loaded connection definition by name.
+
+  my %vars = ( name => 'gw-gw' );
+  my ($res, $errmsg) = $session->unload_conn(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- unload-conn -----\n";
+%vars = ( name => 'gw-gw' );
+($res, $errmsg) = $session->unload_conn(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item unload_authority()
+
+unloads a previously loaded certification authority definition by name.
+
+  my %vars = ( name => 'strongswan' );
+  my ($res, $errmsg) = $session->unload_authority(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- unload-authority -----\n";
+%vars = ( name => 'strongswan' );
+($res, $errmsg) = $session->unload_authority(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item clear_creds()
+
+clears all loaded certificate, private key and shared key credentials. This
+affects only credentials loaded over vici, but additionally flushes the
+credential cache.
+
+  my ($res, $errmsg) = $session->clear_creds();
+
+=cut
+
+print "----- clear-creds -----\n";
+($res, $errmsg) = $session->clear_creds();
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item load_pool()
+
+loads an in-memory virtual IP and configuration attribute pool. Existing
+pools with the same name get updated, if possible.
+
+  my %pool = ( addrs => '10.3.0.0/23' );
+  my %vars = ( my_pool => \%pool );
+  my ($res, $errmsg) = $session->load_pool(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- load-pool -----\n";
+my %pool = ( addrs => '10.3.0.0/23' );
+%vars = ( my_pool => \%pool );
+($res, $errmsg) = $session->load_pool(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=item get_pools()
+
+lists the currently loaded pools.
+
+  my $pools = $session->get_pools();
+
+=cut
+
+print "----- get-pools -----\n";
+my $pools = $session->get_pools();
+print $pools->raw(), "\n";
+
+=item unload_pool()
+
+unloads a previously loaded virtual IP and configuration attribute pool.
+Unloading fails for pools with leases currently online.
+
+  my %vars = ( name => 'my_pool' );
+  my ($res, $errmsg) = $session->unload_pool(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- unload-pool -----\n";
+%vars = ( name => 'my_pool' );
+($res, $errmsg) = $session->unload_pool(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
+=back
+
+=cut
+
+# close vici socket
+close($socket);
+
+=head1 COPYRIGHT AND LICENCE
+
+Copyright (c) 2015 Andreas Steffen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm
new file mode 100644
index 000000000..b0a942c04
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Message.pm
@@ -0,0 +1,256 @@
+package Vici::Message;
+
+our $VERSION = '0.9';
+
+use strict;
+use Vici::Transport;
+
+use constant {
+    SECTION_START => 1,   # Begin a new section having a name
+    SECTION_END   => 2,   # End a previously started section
+    KEY_VALUE     => 3,   # Define a value for a named key in the section
+    LIST_START    => 4,   # Begin a named list for list items
+    LIST_ITEM     => 5,   # Define an unnamed item value in the current list
+    LIST_END      => 6,   # End a previously started list
+};
+
+sub new {
+    my $class = shift;
+    my $hash = shift;
+    my $self = {
+        Hash => $hash
+    };
+    bless($self, $class);
+    return $self;
+}
+
+sub from_data {
+    my $class = shift;
+    my $data = shift;
+    my %hash = ();
+
+    parse($data, \%hash);
+
+    my $self = {
+        Hash => \%hash
+    };
+    bless($self, $class);
+    return $self;
+}
+
+sub hash {
+    my $self = shift;
+    return $self->{Hash};
+}
+
+sub encode {
+    my $self = shift;
+    return encode_hash($self->{'Hash'});
+}
+
+sub raw {
+    my $self = shift;
+    return '{' . raw_hash($self->{'Hash'}) . '}';
+}
+
+sub result {
+    my $self = shift;
+    my $result = $self->{'Hash'};
+    return ($result->{'success'} eq 'yes', $result->{'errmsg'});
+}
+
+# private functions
+
+sub parse {
+    my $data = shift;
+    my $hash = shift;
+
+    while (length($data) > 0)
+    {
+        (my $type, $data) = unpack('Ca*', $data);
+
+		if ($type == SECTION_END)
+		{
+			return $data;
+		}
+
+        (my $key, $data) = unpack('C/a*a*', $data);
+
+        if ( $type == KEY_VALUE )
+        {
+            (my $value, $data) = unpack('n/a*a*', $data);
+            $hash->{$key} = $value;
+        }
+        elsif ( $type == SECTION_START )
+        {
+            my %section = ();
+            $data = parse($data, \%section);
+            $hash->{$key} = \%section;
+        }
+        elsif ( $type == LIST_START )
+        {
+            my @list = ();
+            my $more = 1;
+
+            while (length($data) > 0 and $more)
+            {
+                (my $type, $data) = unpack('Ca*', $data);
+                if ( $type == LIST_ITEM )
+                {
+                    (my $value, $data) = unpack('n/a*a*', $data);
+                    push(@list, $value);
+                }
+                elsif ( $type == LIST_END )
+                {
+                    $more = 0;
+                    $hash->{$key} = \@list;
+                 }
+                else
+                {
+                    die "message parsing error: ", $type, "\n"
+                }
+            }
+        }
+        else
+        {
+            die "message parsing error: ", $type, "\n"
+        }
+    }
+    return $data;
+}
+
+
+sub encode_hash {
+    my $hash = shift;
+    my $enc = '';
+
+    while ( (my $key, my $value) = each %$hash )
+    {
+        if ( ref($value) eq 'HASH' )
+        {
+            $enc .= pack('CC/a*', SECTION_START, $key);
+            $enc .= encode_hash($value);
+            $enc .= pack('C', SECTION_END);
+        }
+        elsif ( ref($value) eq 'ARRAY' )
+        {
+            $enc .= pack('CC/a*', LIST_START, $key);
+
+            foreach my $item (@$value)
+            {
+                $enc .= pack('Cn/a*', LIST_ITEM, $item);
+            }
+            $enc .= pack('C', LIST_END);
+        }
+        else
+        {
+            $enc .= pack('CC/a*n/a*', KEY_VALUE, $key, $value);
+        }
+    }
+    return $enc;
+}
+
+sub raw_hash {
+    my $hash = shift;
+    my $raw = '';
+    my $first = 1;
+
+    while ( (my $key, my $value) = each %$hash )
+    {
+        if ($first)
+        {
+            $first = 0;
+        }
+        else
+        {
+            $raw .= ' ';
+        }
+        $raw .= $key;
+
+        if ( ref($value) eq 'HASH' )
+        {
+            $raw .= '{' . raw_hash($value) . '}';
+        }
+        elsif ( ref($value) eq 'ARRAY' )
+        {
+            my $first_item = 1;
+            $raw .= '[';
+
+            foreach my $item (@$value)
+            {
+                if ($first_item)
+                {
+                    $first_item = 0;
+                }
+                else
+                {
+                    $raw .= ' ';
+                }
+                $raw .= $item;
+            }
+            $raw .= ']';
+        }
+        else
+        {
+            $raw .= '=' . $value;
+        }
+    }
+    return $raw;
+}
+
+1;
+__END__
+=head1 NAME
+
+Vici::Message - Perl extension for building and parsing strongSwan VICI messages
+
+=head1 SYNOPSIS
+
+  use Vici::Message;
+
+=head1 DESCRIPTION
+
+The Vici::Message module is needed by the Vici::Session module to build and
+parse messages used in the communication with the open source strongSwan IPsec
+daemon (https://www.strongswan.com) via the documented Versatile IKE
+Configuration Interface (VICI). VICI allows the configuration, management and
+monitoring of multiple IPsec connections.
+
+=head2 EXPORT
+
+None by default.
+
+=head1 SEE ALSO
+
+strongSwan Wiki:  https://wiki.strongswan.org/projects/strongswan/wiki/Vici
+
+strongSwan Mailing list:  users@lists.strongswan.org
+
+=head1 AUTHOR
+
+Andreas Steffen, E<lt>andreas.steffen@strongswan.orgE<gt>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (C) 2015 by Andreas Steffen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+=cut
+
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Packet.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Packet.pm
new file mode 100644
index 000000000..9e2b77fa5
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Packet.pm
@@ -0,0 +1,191 @@
+package Vici::Packet;
+
+our $VERSION = '0.9';
+
+use strict;
+use Vici::Message;
+use Vici::Transport;
+
+use constant {
+    CMD_REQUEST      => 0,  # Named request message
+    CMD_RESPONSE     => 1,  # Unnamed response message for a request
+    CMD_UNKNOWN      => 2,  # Unnamed response if requested command is unknown
+    EVENT_REGISTER   => 3,  # Named event registration request
+    EVENT_UNREGISTER => 4,  # Named event de-registration request
+    EVENT_CONFIRM    => 5,  # Unnamed confirmation for event (de-)registration
+    EVENT_UNKNOWN    => 6,  # Unnamed response if event (de-)registration failed
+    EVENT            => 7,  # Named event message
+};
+
+sub new {
+    my $class = shift;
+    my $socket = shift;
+    my $self = {
+       Transport => Vici::Transport->new($socket),
+    };
+    bless($self, $class);
+    return $self;
+}
+
+sub request {
+    my ($self, $command, $vars) = @_;
+    my $out = defined $vars ? $vars->encode() : '';
+    my $request = pack('CC/a*a*', CMD_REQUEST, $command, $out);
+    $self->{'Transport'}->send($request);
+
+    my $response = $self->{'Transport'}->receive();
+    my ($type, $data) = unpack('Ca*', $response);
+
+    if ( $type == CMD_RESPONSE )
+    {
+        return Vici::Message->from_data($data);
+    }
+    elsif ( $type == CMD_UNKNOWN )
+    {
+        die "unknown command '", $command, "'\n"
+    }
+    else
+    {
+        die "invalid response type\n"
+    }
+}
+
+sub register {
+    my ($self, $event) = @_;
+    my $request = pack('CC/a*a*', EVENT_REGISTER, $event);
+    $self->{'Transport'}->send($request);
+
+    my $response = $self->{'Transport'}->receive();
+    my ($type, $data) = unpack('Ca*', $response);
+
+    if ( $type == EVENT_CONFIRM )
+    {
+        return
+    }
+    elsif ( $type == EVENT_UNKNOWN )
+    {
+        die "unknown event '", $event, "'\n"
+    }
+    else
+    {
+        die "invalid response type\n"
+    }
+}
+
+sub unregister {
+    my ($self, $event) = @_;
+    my $request = pack('CC/a*a*', EVENT_UNREGISTER, $event);
+    $self->{'Transport'}->send($request);
+
+    my $response = $self->{'Transport'}->receive();
+    my ($type, $data) = unpack('Ca*', $response);
+
+    if ( $type == EVENT_CONFIRM )
+    {
+        return
+    }
+    elsif ( $type == EVENT_UNKNOWN )
+    {
+        die "unknown event '", $event, "'\n"
+    }
+    else
+    {
+        die "invalid response type\n"
+    }
+}
+
+sub streamed_request {
+    my ($self, $command, $event, $vars) = @_;
+    my $out = defined $vars ? $vars->encode() : '';
+
+   $self->register($event);
+
+    my $request = pack('CC/a*a*', CMD_REQUEST, $command, $out);
+    $self->{'Transport'}->send($request);
+    my $more = 1;
+    my @list = ();
+
+    while ($more)
+    {
+        my $response = $self->{'Transport'}->receive();
+        my ($type, $data) = unpack('Ca*', $response);
+
+        if ( $type == EVENT )
+        {
+           (my $event_name, $data) = unpack('C/a*a*', $data);
+
+           if ($event_name eq $event)
+           {
+               my $msg = Vici::Message->from_data($data);
+               push(@list, $msg);
+           }
+        }
+        elsif ( $type == CMD_RESPONSE )
+        {
+            $self->unregister($event);
+            $more = 0;
+        }
+        else
+        {
+            $self->unregister($event);
+            die "invalid response type\n";
+        }
+    }
+    return \@list;
+}
+
+1;
+__END__
+=head1 NAME
+
+Vici::Packet - Perl extension for sending and receiving strongSwan VICI packets
+
+=head1 SYNOPSIS
+
+  use Vici::Packet;
+
+=head1 DESCRIPTION
+
+The Vici::Packet module is needed by the Vici::Session module to send and
+receive packets used in the communication with the open source strongSwan IPsec
+daemon (https://www.strongswan.com) via the documented Versatile IKE
+Configuration Interface (VICI). VICI allows the configuration, management and
+monitoring of multiple IPsec connections.
+
+=head2 EXPORT
+
+None by default.
+
+=head1 SEE ALSO
+
+strongSwan Wiki:  https://wiki.strongswan.org/projects/strongswan/wiki/Vici
+
+strongSwan Mailing list:  users@lists.strongswan.org
+
+=head1 AUTHOR
+
+Andreas Steffen, E<lt>andreas.steffen@strongswan.orgE<gt>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (C) 2015 by Andreas Steffen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+=cut
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
new file mode 100644
index 000000000..78197136a
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
@@ -0,0 +1,204 @@
+package Vici::Session;
+
+our $VERSION = '0.9';
+
+use strict;
+use Vici::Packet;
+use Vici::Message;
+
+sub new {
+    my $class = shift;
+    my $socket = shift;
+    my $self = {
+        Packet => Vici::Packet->new($socket),
+    };
+    bless($self, $class);
+    return $self;
+}
+
+sub version {
+    return request('version', @_);
+}
+
+sub stats {
+    return request('stats', @_);
+}
+
+sub reload_settings {
+   return request_res('reload-settings', @_);
+}
+
+sub initiate {
+    return request_vars_res('initiate', @_);
+}
+
+sub terminate {
+    return request_vars_res('terminate', @_);
+}
+
+sub redirect {
+    return request_vars_res('redirect', @_);
+}
+
+sub install {
+    return request_vars_res('install', @_);
+}
+
+sub uninstall {
+    return request_vars_res('uninstall', @_);
+}
+
+sub list_sas {
+    return request_list('list-sas', 'list-sa', @_);
+}
+
+sub list_policies {
+    return request_list('list-policies', 'list-policy', @_);
+}
+
+sub list_conns {
+    return request_list('list-conns', 'list-conn', @_);
+}
+
+sub get_conns {
+    return request('get-conns', @_);
+}
+
+sub list_certs {
+    return request_list('list-certs', 'list-cert', @_);
+}
+
+sub list_authorities {
+    return request_list('list-authorities', 'list-authority', @_);
+}
+
+sub get_authorities {
+    return request('get-authorities', @_);
+}
+
+sub load_conn {
+    return request_vars_res('load-conn', @_);
+}
+
+sub unload_conn {
+    return request_vars_res('unload-conn', @_);
+}
+
+sub load_cert {
+    return request_vars_res('load-cert', @_);
+}
+
+sub load_key {
+    return request_vars_res('load-key', @_);
+}
+
+sub load_shared {
+    return request_vars_res('load-shared', @_);
+}
+
+sub clear_creds {
+   return request_res('clear-creds', @_);
+}
+
+sub load_authority {
+    return request_vars_res('load-authority', @_);
+}
+
+sub unload_authority {
+    return request_vars_res('unload-authority', @_);
+}
+
+sub load_pool {
+    return request_vars_res('load-pool', @_);
+}
+
+sub unload_pool {
+    return request_vars_res('unload-pool', @_);
+}
+
+sub get_pools {
+    return request('get-pools', @_);
+}
+
+sub get_algorithms {
+    return request('get-algorithms', @_);
+}
+
+# Private functions
+
+sub request {
+    my ($command, $self) = @_;
+    return $self->{'Packet'}->request($command);
+}
+
+sub request_res {
+    my ($command, $self) = @_;
+    my $msg = $self->{'Packet'}->request($command);
+    return $msg->result();
+}
+
+sub request_vars_res {
+    my ($command, $self, $vars) = @_;
+    my $msg = $self->{'Packet'}->request($command, $vars);
+    return $msg->result();
+}
+
+sub request_list {
+    my ($command, $event, $self, $vars) = @_;
+    return $self->{'Packet'}->streamed_request($command, $event, $vars);
+}
+
+1;
+__END__
+=head1 NAME
+
+Vici::Session - Perl binding for the strongSwan VICI configuration interface
+
+=head1 SYNOPSIS
+
+  use Vici::Session;
+
+=head1 DESCRIPTION
+
+The Vici::Session module allows a Perl script to communicate with the open
+source strongSwan IPsec daemon (https://www.strongswan.com) via the documented
+Versatile IKE Configuration Interface (VICI). VICI allows the configuration,
+management and monitoring of multiple IPsec connections.
+
+=head2 EXPORT
+
+None by default.
+
+=head1 SEE ALSO
+
+strongSwan Wiki:  https://wiki.strongswan.org/projects/strongswan/wiki/Vici
+
+strongSwan Mailing list:  users@lists.strongswan.org
+
+=head1 AUTHOR
+
+Andreas Steffen, E<lt>andreas.steffen@strongswan.orgE<gt>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (C) 2015 by Andreas Steffen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+=cut
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Transport.pm b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Transport.pm
new file mode 100644
index 000000000..6524bf76d
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Transport.pm
@@ -0,0 +1,88 @@
+package Vici::Transport;
+
+our $VERSION = '0.9';
+
+use strict;
+
+sub new {
+    my $class = shift;
+    my $self = {
+        Socket => shift,
+    };
+    bless($self, $class);
+    return $self;
+}
+
+sub send {
+    my ($self, $data) = @_;
+    my $packet = pack('N/a*', $data);
+    $self->{'Socket'}->send($packet);
+}
+
+sub receive {
+    my $self = shift;
+    my $packet_header;
+    my $data;
+
+    $self->{'Socket'}->recv($packet_header, 4);
+    my $packet_len = unpack('N', $packet_header);
+    $self->{'Socket'}->recv($data, $packet_len);
+	return $data;
+}
+
+1;
+__END__
+=head1 NAME
+
+Vici::Transport - Perl extension for communicating via a strongSwan VICI socket
+
+=head1 SYNOPSIS
+
+  use Vici::Transport;
+
+=head1 DESCRIPTION
+
+The Vici::Transport module is needed by the Vici::Packet module to send
+and receive packets over the UNIX socket used in the communication with the
+open source strongSwan IPsec daemon (https://www.strongswan.com) via the
+documented Versatile IKE Configuration Interface (VICI). VICI allows the
+onfiguration, management and monitoring of multiple IPsec connections.
+
+=head2 EXPORT
+
+None by default.
+
+=head1 SEE ALSO
+
+strongSwan Wiki:  https://wiki.strongswan.org/projects/strongswan/wiki/Vici
+
+strongSwan Mailing list:  users@lists.strongswan.org
+
+=head1 AUTHOR
+
+Andreas Steffen, E<lt>andreas.steffen@strongswan.orgE<gt>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright (C) 2015 by Andreas Steffen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+=cut
+
diff --git a/src/libcharon/plugins/vici/perl/Vici-Session/t/Vici-Session.t b/src/libcharon/plugins/vici/perl/Vici-Session/t/Vici-Session.t
new file mode 100644
index 000000000..4c321f3e1
--- /dev/null
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/t/Vici-Session.t
@@ -0,0 +1,18 @@
+# Before 'make install' is performed this script should be runnable with
+# 'make test'. After 'make install' it should work as 'perl Vici-Session.t'
+
+#########################
+
+# change 'tests => 1' to 'tests => last_test_to_print';
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+BEGIN { use_ok('Vici::Session') };
+
+#########################
+
+# Insert your test code below, the Test::More module is use()ed here so read
+# its man page ( perldoc Test::More ) for help writing this test script.
+
diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in
index eb4bab6ca..894a7e275 100644
--- a/src/libcharon/plugins/vici/python/Makefile.in
+++ b/src/libcharon/plugins/vici/python/Makefile.in
@@ -351,6 +351,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py
index 283e3d13d..66de8590a 100644
--- a/src/libcharon/plugins/vici/python/vici/session.py
+++ b/src/libcharon/plugins/vici/python/vici/session.py
@@ -53,6 +53,14 @@ class Session(object):
         """
         return self.handler.streamed_request("terminate", "control-log", sa)
 
+    def redirect(self, sa):
+        """Redirect an IKE_SA.
+
+        :param sa: the SA to redirect
+        :type sa: dict
+        """
+        self.handler.request("redirect", sa)
+
     def install(self, policy):
         """Install a trap, drop or bypass policy defined by a CHILD_SA config.
 
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index bf81e5395..b87d83de4 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -329,6 +329,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb
index f8169add0..018f50766 100644
--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -505,6 +505,12 @@ module Vici
     end
 
     ##
+    # Redirect an IKE_SA.
+    def redirect(options)
+      check_success(@transp.request("redirect", Message.new(options)))
+    end
+
+    ##
     # Install a shunt/route policy.
     def install(policy)
       check_success(@transp.request("install", Message.new(policy)))
diff --git a/src/libcharon/plugins/vici/vici_cert_info.c b/src/libcharon/plugins/vici/vici_cert_info.c
new file mode 100644
index 000000000..2f278de5e
--- /dev/null
+++ b/src/libcharon/plugins/vici/vici_cert_info.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "vici_cert_info.h"
+
+/**
+ * Legacy vici certificate types and directories created by swanctl
+ */
+typedef struct {
+
+	/** Certificate type string used in legacy vici messages */
+	char *type_str;
+	/** Base certificate type */
+	certificate_type_t type;
+	/** X.509 flag */
+	x509_flag_t flag;
+} cert_type_t;
+
+static cert_type_t cert_types[] = {
+	{ "x509",     CERT_X509,           X509_NONE        },
+	{ "x509ca",   CERT_X509,           X509_CA          },
+	{ "x509ocsp", CERT_X509,           X509_OCSP_SIGNER },
+	{ "x509aa",   CERT_X509,           X509_AA          },
+	{ "x509ac",   CERT_X509_AC,        X509_NONE        },
+	{ "x509crl",  CERT_X509_CRL,       X509_NONE        },
+	{ "pubkey",   CERT_TRUSTED_PUBKEY, X509_NONE        },
+};
+
+bool vici_cert_info_from_str(char *type_str, certificate_type_t *type,
+							 x509_flag_t *flag)
+{
+	int i;
+
+	for (i = 0; i < countof(cert_types); i++)
+	{
+		if (strcaseeq(type_str, cert_types[i].type_str))
+		{
+			*type = cert_types[i].type;
+			*flag = cert_types[i].flag;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
diff --git a/src/libcharon/plugins/vici/vici_cert_info.h b/src/libcharon/plugins/vici/vici_cert_info.h
new file mode 100644
index 000000000..e2a8c4d9f
--- /dev/null
+++ b/src/libcharon/plugins/vici/vici_cert_info.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup vici_cert_info vici_cert_info
+ * @{ @ingroup vici
+ */
+
+#ifndef VICI_CERT_INFO_H_
+#define VICI_CERT_INFO_H_
+
+typedef struct vici_cert_info_t vici_cert_info_t;
+
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
+
+bool vici_cert_info_from_str(char *type_str, certificate_type_t *type,
+							 x509_flag_t *flag);
+
+#endif /** VICI_CERT_INFO_H_ @}*/
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index ea6d2958a..6ebbedc47 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -2,7 +2,8 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Tobias Brunner
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -45,9 +46,12 @@
 
 #include <daemon.h>
 #include <threading/rwlock.h>
+#include <threading/rwlock_condvar.h>
 #include <collections/array.h>
 #include <collections/linked_list.h>
 
+#include <pubkey_cert.h>
+
 #include <stdio.h>
 
 /**
@@ -98,6 +102,21 @@ struct private_vici_config_t {
 	rwlock_t *lock;
 
 	/**
+	 * Condvar used to snyc running actions
+	 */
+	rwlock_condvar_t *condvar;
+
+	/**
+	 * True while we run or undo a start action
+	 */
+	bool handling_actions;
+
+	/**
+	 * Credential backend managed by VICI used for our certificates
+	 */
+	vici_cred_t *cred;
+
+	/**
 	 * Auxiliary certification authority information
 	 */
 	vici_authority_t *authority;
@@ -218,6 +237,24 @@ typedef struct {
 } request_data_t;
 
 /**
+ * Auth config data
+ */
+typedef struct {
+	request_data_t *request;
+	auth_cfg_t *cfg;
+	u_int32_t round;
+} auth_data_t;
+
+/**
+ * Clean up auth config data
+ */
+static void free_auth_data(auth_data_t *data)
+{
+	DESTROY_IF(data->cfg);
+	free(data);
+}
+
+/**
  * Data associated to a peer config
  */
 typedef struct {
@@ -311,7 +348,7 @@ static void log_auth(auth_cfg_t *auth)
 static void log_peer_data(peer_data_t *data)
 {
 	enumerator_t *enumerator;
-	auth_cfg_t *auth;
+	auth_data_t *auth;
 	host_t *host;
 
 	DBG2(DBG_CFG, "  version = %u", data->version);
@@ -350,7 +387,7 @@ static void log_peer_data(peer_data_t *data)
 	while (enumerator->enumerate(enumerator, &auth))
 	{
 		DBG2(DBG_CFG, "  local:");
-		log_auth(auth);
+		log_auth(auth->cfg);
 	}
 	enumerator->destroy(enumerator);
 
@@ -358,7 +395,7 @@ static void log_peer_data(peer_data_t *data)
 	while (enumerator->enumerate(enumerator, &auth))
 	{
 		DBG2(DBG_CFG, "  remote:");
-		log_auth(auth);
+		log_auth(auth->cfg);
 	}
 	enumerator->destroy(enumerator);
 }
@@ -368,10 +405,8 @@ static void log_peer_data(peer_data_t *data)
  */
 static void free_peer_data(peer_data_t *data)
 {
-	data->local->destroy_offset(data->local,
-									offsetof(auth_cfg_t, destroy));
-	data->remote->destroy_offset(data->remote,
-									offsetof(auth_cfg_t, destroy));
+	data->local->destroy_function(data->local, (void*)free_auth_data);
+	data->remote->destroy_function(data->remote, (void*)free_auth_data);
 	data->children->destroy_offset(data->children,
 									offsetof(child_cfg_t, destroy));
 	data->proposals->destroy_offset(data->proposals,
@@ -461,14 +496,6 @@ static void free_child_data(child_data_t *data)
 }
 
 /**
- * Auth config data
- */
-typedef struct {
-	request_data_t *request;
-	auth_cfg_t *cfg;
-} auth_data_t;
-
-/**
  * Common proposal parsing
  */
 static bool parse_proposal(linked_list_t *list, protocol_id_t proto, chunk_t v)
@@ -537,7 +564,7 @@ CALLBACK(parse_ts, bool,
 	linked_list_t *out, chunk_t v)
 {
 	char buf[128], *protoport, *sep, *port = "", *end;
-	traffic_selector_t *ts;
+	traffic_selector_t *ts = NULL;
 	struct protoent *protoent;
 	struct servent *svc;
 	long int p;
@@ -630,6 +657,22 @@ CALLBACK(parse_ts, bool,
 	{
 		ts = traffic_selector_create_dynamic(proto, from, to);
 	}
+	else if (strchr(buf, '-'))
+	{
+		host_t *lower, *upper;
+		ts_type_t type;
+
+		if (host_create_from_range(buf, &lower, &upper))
+		{
+			type = (lower->get_family(lower) == AF_INET) ?
+						 		TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
+			ts = traffic_selector_create_from_bytes(proto, type,
+								lower->get_address(lower), from,
+								upper->get_address(upper), to);
+			lower->destroy(lower);
+			upper->destroy(upper);
+		}
+	}
 	else
 	{
 		ts = traffic_selector_create_from_cidr(buf, proto, from, to);
@@ -948,9 +991,14 @@ CALLBACK(parse_auth, bool,
 	{
 		return FALSE;
 	}
-	if (strcaseeq(buf, "pubkey"))
+	if (strpfx(buf, "ike:") ||
+		strpfx(buf, "pubkey") ||
+		strpfx(buf, "rsa") ||
+		strpfx(buf, "ecdsa") ||
+		strpfx(buf, "bliss"))
 	{
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+		cfg->add_pubkey_constraints(cfg, buf, TRUE);
 		return TRUE;
 	}
 	if (strcaseeq(buf, "psk"))
@@ -970,8 +1018,16 @@ CALLBACK(parse_auth, bool,
 	}
 	if (strcasepfx(buf, "eap"))
 	{
+		char *pos;
+
 		cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
 
+		pos = strchr(buf, ':');
+		if (pos)
+		{
+			*pos = 0;
+			cfg->add_pubkey_constraints(cfg, pos + 1, FALSE);
+		}
 		type = eap_vendor_type_from_string(buf);
 		if (type)
 		{
@@ -1053,6 +1109,7 @@ CALLBACK(parse_group, bool,
 static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
 {
 	vici_authority_t *authority;
+	vici_cred_t *cred;
 	certificate_t *cert;
 
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
@@ -1064,6 +1121,8 @@ static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
 			authority = auth->request->this->authority;
 			authority->check_for_hash_and_url(authority, cert);
 		}
+		cred = auth->request->this->cred;
+		cert = cred->add_cert(cred, cert);
 		auth->cfg->add(auth->cfg, rule, cert);
 		return TRUE;
 	}
@@ -1089,6 +1148,27 @@ CALLBACK(parse_cacerts, bool,
 }
 
 /**
+ * Parse raw public keys
+ */
+CALLBACK(parse_pubkeys, bool,
+	auth_data_t *auth, chunk_t v)
+{
+	vici_cred_t *cred;
+	certificate_t *cert;
+
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+							  BUILD_BLOB_PEM, v, BUILD_END);
+	if (cert)
+	{
+		cred = auth->request->this->cred;
+		cert = cred->add_cert(cred, cert);
+		auth->cfg->add(auth->cfg, AUTH_RULE_SUBJECT_CERT, cert);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
  * Parse revocation status
  */
 CALLBACK(parse_revocation, bool,
@@ -1283,6 +1363,7 @@ CALLBACK(auth_li, bool,
 		{ "groups",			parse_group,		auth->cfg					},
 		{ "certs",			parse_certs,		auth						},
 		{ "cacerts",		parse_cacerts,		auth						},
+		{ "pubkeys",		parse_pubkeys,		auth						},
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
@@ -1299,6 +1380,7 @@ CALLBACK(auth_kv, bool,
 		{ "eap_id",			parse_eap_id,		auth->cfg					},
 		{ "xauth_id",		parse_xauth_id,		auth->cfg					},
 		{ "revocation",		parse_revocation,	auth->cfg					},
+		{ "round",			parse_uint32,		&auth->round				},
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
@@ -1502,40 +1584,62 @@ CALLBACK(peer_sn, bool,
 	if (strcasepfx(name, "local") ||
 		strcasepfx(name, "remote"))
 	{
-		auth_data_t auth = {
+		enumerator_t *enumerator;
+		linked_list_t *auths;
+		auth_data_t *auth, *current;
+		auth_rule_t rule;
+		certificate_t *cert;
+		pubkey_cert_t *pubkey_cert;
+		identification_t *id;
+		bool default_id = FALSE;
+
+		INIT(auth,
 			.request = peer->request,
 			.cfg = auth_cfg_create(),
-		};
+		);
 
-		if (!message->parse(message, ctx, NULL, auth_kv, auth_li, &auth))
+		if (!message->parse(message, ctx, NULL, auth_kv, auth_li, auth))
 		{
-			auth.cfg->destroy(auth.cfg);
+			free_auth_data(auth);
 			return FALSE;
 		}
+		id = auth->cfg->get(auth->cfg, AUTH_RULE_IDENTITY);
 
-		if (!auth.cfg->get(auth.cfg, AUTH_RULE_IDENTITY))
+		enumerator = auth->cfg->create_enumerator(auth->cfg);
+		while (enumerator->enumerate(enumerator, &rule, &cert))
 		{
-			identification_t *id;
-			certificate_t *cert;
-
-			cert = auth.cfg->get(auth.cfg, AUTH_RULE_SUBJECT_CERT);
-			if (cert)
+			if (rule == AUTH_RULE_SUBJECT_CERT && !default_id)
 			{
-				id = cert->get_subject(cert);
-				DBG1(DBG_CFG, "  id not specified, defaulting to cert id '%Y'",
-					 id);
-				auth.cfg->add(auth.cfg, AUTH_RULE_IDENTITY, id->clone(id));
+				if (id == NULL)
+				{
+					id = cert->get_subject(cert);
+					DBG1(DBG_CFG, "  id not specified, defaulting to"
+								  " cert subject '%Y'", id);
+					auth->cfg->add(auth->cfg, AUTH_RULE_IDENTITY, id->clone(id));
+					default_id = TRUE;
+				}
+				else if (cert->get_type(cert) == CERT_TRUSTED_PUBKEY &&
+						 id->get_type != ID_ANY)
+				{
+					/* set the subject of all raw public keys to the id */
+					pubkey_cert = (pubkey_cert_t*)cert;
+					pubkey_cert->set_subject(pubkey_cert, id);
+				}
 			}
 		}
+		enumerator->destroy(enumerator);
 
-		if (strcasepfx(name, "local"))
+		auths = strcasepfx(name, "local") ? peer->local : peer->remote;
+		enumerator = auths->create_enumerator(auths);
+		while (enumerator->enumerate(enumerator, &current))
 		{
-			peer->local->insert_last(peer->local, auth.cfg);
-		}
-		else
-		{
-			peer->remote->insert_last(peer->remote, auth.cfg);
+			if (auth->round < current->round)
+			{
+				break;
+			}
 		}
+		auths->insert_before(auths, enumerator, auth);
+		enumerator->destroy(enumerator);
 		return TRUE;
 	}
 	peer->request->reply = create_reply("invalid section: %s", name);
@@ -1578,7 +1682,7 @@ static u_int32_t find_reqid(child_cfg_t *cfg)
 }
 
 /**
- * Perform start actions associated to a child config
+ * Perform start actions associated with a child config
  */
 static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
 							 child_cfg_t *child_cfg)
@@ -1611,19 +1715,20 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
 }
 
 /**
- * Undo start actions associated to a child config
+ * Undo start actions associated with a child config
  */
-static void clear_start_action(private_vici_config_t *this,
+static void clear_start_action(private_vici_config_t *this, char *peer_name,
 							   child_cfg_t *child_cfg)
 {
 	enumerator_t *enumerator, *children;
 	child_sa_t *child_sa;
 	ike_sa_t *ike_sa;
-	u_int32_t id = 0, *del;
-	array_t *ids = NULL;
+	u_int32_t id = 0, others;
+	array_t *ids = NULL, *ikeids = NULL;
 	char *name;
 
 	name = child_cfg->get_name(child_cfg);
+
 	switch (child_cfg->get_start_action(child_cfg))
 	{
 		case ACTION_RESTART:
@@ -1631,29 +1736,72 @@ static void clear_start_action(private_vici_config_t *this,
 													charon->controller, TRUE);
 			while (enumerator->enumerate(enumerator, &ike_sa))
 			{
+				if (!streq(ike_sa->get_name(ike_sa), peer_name))
+				{
+					continue;
+				}
+				others = id = 0;
 				children = ike_sa->create_child_sa_enumerator(ike_sa);
 				while (children->enumerate(children, &child_sa))
 				{
-					if (streq(name, child_sa->get_name(child_sa)))
+					if (child_sa->get_state(child_sa) != CHILD_DELETING)
 					{
-						id = child_sa->get_unique_id(child_sa);
-						array_insert_create(&ids, ARRAY_TAIL, &id);
+						if (streq(name, child_sa->get_name(child_sa)))
+						{
+							id = child_sa->get_unique_id(child_sa);
+						}
+						else
+						{
+							others++;
+						}
 					}
 				}
 				children->destroy(children);
+
+				if (id && !others)
+				{
+					/* found matching children only, delete full IKE_SA */
+					id = ike_sa->get_unique_id(ike_sa);
+					array_insert_create_value(&ikeids, sizeof(id),
+											  ARRAY_TAIL, &id);
+				}
+				else
+				{
+					children = ike_sa->create_child_sa_enumerator(ike_sa);
+					while (children->enumerate(children, &child_sa))
+					{
+						if (streq(name, child_sa->get_name(child_sa)))
+						{
+							id = child_sa->get_unique_id(child_sa);
+							array_insert_create_value(&ids, sizeof(id),
+													  ARRAY_TAIL, &id);
+						}
+					}
+					children->destroy(children);
+				}
 			}
 			enumerator->destroy(enumerator);
 
 			if (array_count(ids))
 			{
-				while (array_remove(ids, ARRAY_HEAD, &del))
+				while (array_remove(ids, ARRAY_HEAD, &id))
 				{
-					DBG1(DBG_CFG, "closing '%s' #%u", name, *del);
+					DBG1(DBG_CFG, "closing '%s' #%u", name, id);
 					charon->controller->terminate_child(charon->controller,
-														*del, NULL, NULL, 0);
+														id, NULL, NULL, 0);
 				}
 				array_destroy(ids);
 			}
+			if (array_count(ikeids))
+			{
+				while (array_remove(ikeids, ARRAY_HEAD, &id))
+				{
+					DBG1(DBG_CFG, "closing IKE_SA #%u", id);
+					charon->controller->terminate_ike(charon->controller,
+													  id, NULL, NULL, 0);
+				}
+				array_destroy(ikeids);
+			}
 			break;
 		case ACTION_ROUTE:
 			DBG1(DBG_CFG, "uninstalling '%s'", name);
@@ -1687,36 +1835,56 @@ static void clear_start_action(private_vici_config_t *this,
 }
 
 /**
- * Run start actions associated to all child configs of a peer config
+ * Run or undo a start actions associated with a child config
  */
-static void run_start_actions(private_vici_config_t *this, peer_cfg_t *peer_cfg)
+static void handle_start_action(private_vici_config_t *this,
+								peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+								bool undo)
 {
-	enumerator_t *enumerator;
-	child_cfg_t *child_cfg;
+	this->handling_actions = TRUE;
+	this->lock->unlock(this->lock);
 
-	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
-	while (enumerator->enumerate(enumerator, &child_cfg))
+	if (undo)
+	{
+		clear_start_action(this, peer_cfg->get_name(peer_cfg), child_cfg);
+	}
+	else
 	{
 		run_start_action(this, peer_cfg, child_cfg);
 	}
-	enumerator->destroy(enumerator);
+
+	this->lock->write_lock(this->lock);
+	this->handling_actions = FALSE;
 }
 
 /**
- * Undo start actions associated to all child configs of a peer config
+ * Run or undo start actions associated with all child configs of a peer config
  */
-static void clear_start_actions(private_vici_config_t *this,
-								peer_cfg_t *peer_cfg)
+static void handle_start_actions(private_vici_config_t *this,
+								 peer_cfg_t *peer_cfg, bool undo)
 {
 	enumerator_t *enumerator;
 	child_cfg_t *child_cfg;
 
+	this->handling_actions = TRUE;
+	this->lock->unlock(this->lock);
+
 	enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 	while (enumerator->enumerate(enumerator, &child_cfg))
 	{
-		clear_start_action(this, child_cfg);
+		if (undo)
+		{
+			clear_start_action(this, peer_cfg->get_name(peer_cfg), child_cfg);
+		}
+		else
+		{
+			run_start_action(this, peer_cfg, child_cfg);
+		}
 	}
 	enumerator->destroy(enumerator);
+
+	this->lock->write_lock(this->lock);
+	this->handling_actions = FALSE;
 }
 
 /**
@@ -1727,22 +1895,12 @@ static void replace_children(private_vici_config_t *this,
 {
 	enumerator_t *enumerator;
 	child_cfg_t *child;
+	bool added;
 
-	enumerator = to->create_child_cfg_enumerator(to);
-	while (enumerator->enumerate(enumerator, &child))
+	enumerator = to->replace_child_cfgs(to, from);
+	while (enumerator->enumerate(enumerator, &child, &added))
 	{
-		to->remove_child_cfg(to, enumerator);
-		clear_start_action(this, child);
-		child->destroy(child);
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = from->create_child_cfg_enumerator(from);
-	while (enumerator->enumerate(enumerator, &child))
-	{
-		from->remove_child_cfg(from, enumerator);
-		to->add_child_cfg(to, child);
-		run_start_action(this, to, child);
+		handle_start_action(this, to, child, !added);
 	}
 	enumerator->destroy(enumerator);
 }
@@ -1758,6 +1916,10 @@ static void merge_config(private_vici_config_t *this, peer_cfg_t *peer_cfg)
 	bool merged = FALSE;
 
 	this->lock->write_lock(this->lock);
+	while (this->handling_actions)
+	{
+		this->condvar->wait(this->condvar, this->lock);
+	}
 
 	enumerator = this->conns->create_enumerator(this->conns);
 	while (enumerator->enumerate(enumerator, &current))
@@ -1778,10 +1940,10 @@ static void merge_config(private_vici_config_t *this, peer_cfg_t *peer_cfg)
 				DBG1(DBG_CFG, "replaced vici connection: %s",
 					 peer_cfg->get_name(peer_cfg));
 				this->conns->remove_at(this->conns, enumerator);
-				clear_start_actions(this, current);
-				current->destroy(current);
 				this->conns->insert_last(this->conns, peer_cfg);
-				run_start_actions(this, peer_cfg);
+				handle_start_actions(this, current, TRUE);
+				handle_start_actions(this, peer_cfg, FALSE);
+				current->destroy(current);
 			}
 			merged = TRUE;
 			break;
@@ -1793,9 +1955,9 @@ static void merge_config(private_vici_config_t *this, peer_cfg_t *peer_cfg)
 	{
 		DBG1(DBG_CFG, "added vici connection: %s", peer_cfg->get_name(peer_cfg));
 		this->conns->insert_last(this->conns, peer_cfg);
-		run_start_actions(this, peer_cfg);
+		handle_start_actions(this, peer_cfg, FALSE);
 	}
-
+	this->condvar->signal(this->condvar);
 	this->lock->unlock(this->lock);
 }
 
@@ -1828,7 +1990,7 @@ CALLBACK(config_sn, bool,
 	peer_cfg_t *peer_cfg;
 	ike_cfg_t *ike_cfg;
 	child_cfg_t *child_cfg;
-	auth_cfg_t *auth_cfg;
+	auth_data_t *auth;
 	proposal_t *proposal;
 	host_t *host;
 	char *str;
@@ -1843,14 +2005,17 @@ CALLBACK(config_sn, bool,
 
 	if (peer.local->get_count(peer.local) == 0)
 	{
-		free_peer_data(&peer);
-		peer.request->reply = create_reply("missing local auth config");
-		return FALSE;
+		INIT(auth,
+			.cfg = auth_cfg_create(),
+		);
+		peer.local->insert_last(peer.local, auth);
 	}
 	if (peer.remote->get_count(peer.remote) == 0)
 	{
-		auth_cfg = auth_cfg_create();
-		peer.remote->insert_last(peer.remote, auth_cfg);
+		INIT(auth,
+			.cfg = auth_cfg_create(),
+		);
+		peer.remote->insert_last(peer.remote, auth);
 	}
 	if (peer.proposals->get_count(peer.proposals) == 0)
 	{
@@ -1926,14 +2091,18 @@ CALLBACK(config_sn, bool,
 						FALSE, NULL, NULL);
 
 	while (peer.local->remove_first(peer.local,
-									(void**)&auth_cfg) == SUCCESS)
+									(void**)&auth) == SUCCESS)
 	{
-		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
+		peer_cfg->add_auth_cfg(peer_cfg, auth->cfg, TRUE);
+		auth->cfg = NULL;
+		free_auth_data(auth);
 	}
 	while (peer.remote->remove_first(peer.remote,
-									 (void**)&auth_cfg) == SUCCESS)
+									 (void**)&auth) == SUCCESS)
 	{
-		peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
+		peer_cfg->add_auth_cfg(peer_cfg, auth->cfg, FALSE);
+		auth->cfg = NULL;
+		free_auth_data(auth);
 	}
 	while (peer.children->remove_first(peer.children,
 									   (void**)&child_cfg) == SUCCESS)
@@ -1999,18 +2168,24 @@ CALLBACK(unload_conn, vici_message_t*,
 	}
 
 	this->lock->write_lock(this->lock);
+	while (this->handling_actions)
+	{
+		this->condvar->wait(this->condvar, this->lock);
+	}
 	enumerator = this->conns->create_enumerator(this->conns);
 	while (enumerator->enumerate(enumerator, &cfg))
 	{
 		if (streq(cfg->get_name(cfg), conn_name))
 		{
 			this->conns->remove_at(this->conns, enumerator);
+			handle_start_actions(this, cfg, TRUE);
 			cfg->destroy(cfg);
 			found = TRUE;
 			break;
 		}
 	}
 	enumerator->destroy(enumerator);
+	this->condvar->signal(this->condvar);
 	this->lock->unlock(this->lock);
 
 	if (!found)
@@ -2066,6 +2241,7 @@ METHOD(vici_config_t, destroy, void,
 {
 	manage_commands(this, FALSE);
 	this->conns->destroy_offset(this->conns, offsetof(peer_cfg_t, destroy));
+	this->condvar->destroy(this->condvar);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -2074,7 +2250,8 @@ METHOD(vici_config_t, destroy, void,
  * See header
  */
 vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher,
-								  vici_authority_t *authority)
+								  vici_authority_t *authority,
+								  vici_cred_t *cred)
 {
 	private_vici_config_t *this;
 
@@ -2090,7 +2267,9 @@ vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher,
 		.dispatcher = dispatcher,
 		.conns = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.condvar = rwlock_condvar_create(),
 		.authority = authority,
+		.cred = cred,
 	);
 
 	manage_commands(this, TRUE);
diff --git a/src/libcharon/plugins/vici/vici_config.h b/src/libcharon/plugins/vici/vici_config.h
index c3245bf5c..0c237e7de 100644
--- a/src/libcharon/plugins/vici/vici_config.h
+++ b/src/libcharon/plugins/vici/vici_config.h
@@ -26,6 +26,7 @@
 
 #include "vici_dispatcher.h"
 #include "vici_authority.h"
+#include "vici_cred.h"
 
 #include <config/backend.h>
 
@@ -51,9 +52,11 @@ struct vici_config_t {
  *
  * @param dispatcher		dispatcher to receive requests from
  * @param authority			Auxiliary certification authority information
+ * @param cred				in-memory credential backend managed by VICI
  * @return					config backend
  */
 vici_config_t *vici_config_create(vici_dispatcher_t *dispatcher,
-								  vici_authority_t *authority);
+								  vici_authority_t *authority,
+								  vici_cred_t *cred);
 
 #endif /** VICI_CONFIG_H_ @}*/
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 752007c24..c526d2fda 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
@@ -20,6 +23,7 @@
 
 #include <daemon.h>
 #include <collections/array.h>
+#include <processing/jobs/redirect_job.h>
 
 typedef struct private_vici_control_t private_vici_control_t;
 
@@ -134,7 +138,7 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
 /**
  * Find a peer/child config from a child config name
  */
-static child_cfg_t* find_child_cfg(char *name, peer_cfg_t **out)
+static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
 {
 	enumerator_t *enumerator;
 	peer_cfg_t *peer_cfg;
@@ -144,6 +148,10 @@ static child_cfg_t* find_child_cfg(char *name, peer_cfg_t **out)
 							charon->backends, NULL, NULL, NULL, NULL, IKE_ANY);
 	while (enumerator->enumerate(enumerator, &peer_cfg))
 	{
+		if (pname && !streq(pname, peer_cfg->get_name(peer_cfg)))
+		{
+			continue;
+		}
 		child_cfg = get_child_from_peer(peer_cfg, name);
 		if (child_cfg)
 		{
@@ -161,15 +169,17 @@ CALLBACK(initiate, vici_message_t*,
 {
 	child_cfg_t *child_cfg = NULL;
 	peer_cfg_t *peer_cfg;
-	char *child;
-	u_int timeout;
+	char *child, *ike;
+	int timeout;
 	bool limits;
+	controller_cb_t log_cb = NULL;
 	log_info_t log = {
 		.dispatcher = this->dispatcher,
 		.id = id,
 	};
 
 	child = request->get_str(request, NULL, "child");
+	ike = request->get_str(request, NULL, "ike");
 	timeout = request->get_int(request, 0, "timeout");
 	limits = request->get_bool(request, FALSE, "init-limits");
 	log.level = request->get_int(request, 1, "loglevel");
@@ -178,16 +188,20 @@ CALLBACK(initiate, vici_message_t*,
 	{
 		return send_reply(this, "missing configuration name");
 	}
+	if (timeout >= 0)
+	{
+		log_cb = (controller_cb_t)log_vici;
+	}
 
 	DBG1(DBG_CFG, "vici initiate '%s'", child);
 
-	child_cfg = find_child_cfg(child, &peer_cfg);
+	child_cfg = find_child_cfg(child, ike, &peer_cfg);
 	if (!child_cfg)
 	{
 		return send_reply(this, "CHILD_SA config '%s' not found", child);
 	}
 	switch (charon->controller->initiate(charon->controller, peer_cfg,
-				child_cfg, (controller_cb_t)log_vici, &log, timeout, limits))
+									child_cfg, log_cb, &log, timeout, limits))
 	{
 		case SUCCESS:
 			return send_reply(this, NULL);
@@ -208,11 +222,13 @@ CALLBACK(terminate, vici_message_t*,
 {
 	enumerator_t *enumerator, *isas, *csas;
 	char *child, *ike, *errmsg = NULL;
-	u_int timeout, child_id, ike_id, current, *del, done = 0;
+	u_int child_id, ike_id, current, *del, done = 0;
+	int timeout;
 	ike_sa_t *ike_sa;
 	child_sa_t *child_sa;
 	array_t *ids;
 	vici_builder_t *builder;
+	controller_cb_t log_cb = NULL;
 	log_info_t log = {
 		.dispatcher = this->dispatcher,
 		.id = id,
@@ -247,6 +263,11 @@ CALLBACK(terminate, vici_message_t*,
 		DBG1(DBG_CFG, "vici terminate CHILD_SA '%s'", child);
 	}
 
+	if (timeout >= 0)
+	{
+		log_cb = (controller_cb_t)log_vici;
+	}
+
 	ids = array_create(sizeof(u_int), 0);
 
 	isas = charon->controller->create_ike_sa_enumerator(charon->controller, TRUE);
@@ -296,7 +317,7 @@ CALLBACK(terminate, vici_message_t*,
 		if (child || child_id)
 		{
 			if (charon->controller->terminate_child(charon->controller, *del,
-						(controller_cb_t)log_vici, &log, timeout) == SUCCESS)
+											log_cb, &log, timeout) == SUCCESS)
 			{
 				done++;
 			}
@@ -304,7 +325,7 @@ CALLBACK(terminate, vici_message_t*,
 		else
 		{
 			if (charon->controller->terminate_ike(charon->controller, *del,
-						(controller_cb_t)log_vici, &log, timeout) == SUCCESS)
+											log_cb, &log, timeout) == SUCCESS)
 			{
 				done++;
 			}
@@ -340,6 +361,150 @@ CALLBACK(terminate, vici_message_t*,
 }
 
 /**
+ * Parse a peer-ip specified, which can be a subnet in CIDR notation, a range
+ * or a single IP address.
+ */
+static traffic_selector_t *parse_peer_ip(char *ip)
+{
+	traffic_selector_t *ts;
+	host_t *from, *to;
+	ts_type_t type;
+
+	if (host_create_from_range(ip, &from, &to))
+	{
+		if (to->get_family(to) == AF_INET)
+		{
+			type = TS_IPV4_ADDR_RANGE;
+		}
+		else
+		{
+			type = TS_IPV6_ADDR_RANGE;
+		}
+		ts = traffic_selector_create_from_bytes(0, type,
+												from->get_address(from), 0,
+												to->get_address(to), 0xFFFF);
+		from->destroy(from);
+		to->destroy(to);
+		return ts;
+	}
+	return traffic_selector_create_from_cidr(ip, 0, 0, 0xFFFF);
+}
+
+CALLBACK(redirect, vici_message_t*,
+	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+{
+	enumerator_t *sas;
+	char *ike, *peer_ip, *peer_id, *gw, *errmsg = NULL;
+	u_int ike_id, current, found = 0;
+	identification_t *gateway, *identity = NULL, *other_id;
+	traffic_selector_t *ts = NULL;
+	ike_sa_t *ike_sa;
+	vici_builder_t *builder;
+
+	ike = request->get_str(request, NULL, "ike");
+	ike_id = request->get_int(request, 0, "ike-id");
+	peer_ip = request->get_str(request, NULL, "peer-ip");
+	peer_id = request->get_str(request, NULL, "peer-id");
+	gw = request->get_str(request, NULL, "gateway");
+
+	if (!gw || !(gateway = identification_create_from_string(gw)))
+	{
+		return send_reply(this, "missing target gateway");
+	}
+	switch (gateway->get_type(gateway))
+	{
+		case ID_IPV4_ADDR:
+		case ID_IPV6_ADDR:
+		case ID_FQDN:
+			break;
+		default:
+			return send_reply(this, "unsupported gateway identity");
+	}
+	if (peer_ip)
+	{
+		ts = parse_peer_ip(peer_ip);
+		if (!ts)
+		{
+			return send_reply(this, "invalid peer IP selector");
+		}
+		DBG1(DBG_CFG, "vici redirect IKE_SAs with src %R to %Y", ts,
+			 gateway);
+	}
+	if (peer_id)
+	{
+		identity = identification_create_from_string(peer_id);
+		if (!identity)
+		{
+			DESTROY_IF(ts);
+			return send_reply(this, "invalid peer identity selector");
+		}
+		DBG1(DBG_CFG, "vici redirect IKE_SAs with ID '%Y' to %Y", identity,
+			 gateway);
+	}
+	if (ike_id)
+	{
+		DBG1(DBG_CFG, "vici redirect IKE_SA #%d to '%Y'", ike_id, gateway);
+	}
+	if (ike)
+	{
+		DBG1(DBG_CFG, "vici redirect IKE_SA '%s' to '%Y'", ike, gateway);
+	}
+	if (!peer_ip && !peer_id && !ike && !ike_id)
+	{
+		return send_reply(this, "missing redirect selector");
+	}
+
+	sas = charon->controller->create_ike_sa_enumerator(charon->controller, TRUE);
+	while (sas->enumerate(sas, &ike_sa))
+	{
+		if (ike_sa->get_version(ike_sa) != IKEV2)
+		{
+			continue;
+		}
+		current = ike_sa->get_unique_id(ike_sa);
+		if (ike_id && ike_id != current)
+		{
+			continue;
+		}
+		if (ike && !streq(ike, ike_sa->get_name(ike_sa)))
+		{
+			continue;
+		}
+		if (ts && !ts->includes(ts, ike_sa->get_other_host(ike_sa)))
+		{
+			continue;
+		}
+		if (identity)
+		{
+			other_id = ike_sa->get_other_eap_id(ike_sa);
+			if (!other_id->matches(other_id, identity))
+			{
+				continue;
+			}
+		}
+		lib->processor->queue_job(lib->processor,
+				(job_t*)redirect_job_create(ike_sa->get_id(ike_sa), gateway));
+		found++;
+	}
+	sas->destroy(sas);
+
+	builder = vici_builder_create();
+	if (!found)
+	{
+		errmsg = "no matching SAs to redirect found";
+	}
+	builder->add_kv(builder, "success", errmsg ? "no" : "yes");
+	if (errmsg)
+	{
+		builder->add_kv(builder, "errmsg", "%s", errmsg);
+	}
+	gateway->destroy(gateway);
+	DESTROY_IF(identity);
+	DESTROY_IF(ts);
+	return builder->finalize(builder);
+}
+
+/**
  * Find reqid of an existing CHILD_SA
  */
 static u_int32_t find_reqid(child_cfg_t *cfg)
@@ -379,10 +544,11 @@ CALLBACK(install, vici_message_t*,
 {
 	child_cfg_t *child_cfg = NULL;
 	peer_cfg_t *peer_cfg;
-	char *child;
+	char *child, *ike;
 	bool ok;
 
 	child = request->get_str(request, NULL, "child");
+	ike = request->get_str(request, NULL, "ike");
 	if (!child)
 	{
 		return send_reply(this, "missing configuration name");
@@ -390,7 +556,7 @@ CALLBACK(install, vici_message_t*,
 
 	DBG1(DBG_CFG, "vici install '%s'", child);
 
-	child_cfg = find_child_cfg(child, &peer_cfg);
+	child_cfg = find_child_cfg(child, ike, &peer_cfg);
 	if (!child_cfg)
 	{
 		return send_reply(this, "configuration name not found");
@@ -480,6 +646,7 @@ static void manage_commands(private_vici_control_t *this, bool reg)
 {
 	manage_command(this, "initiate", initiate, reg);
 	manage_command(this, "terminate", terminate, reg);
+	manage_command(this, "redirect", redirect, reg);
 	manage_command(this, "install", install, reg);
 	manage_command(this, "uninstall", uninstall, reg);
 	manage_command(this, "reload-settings", reload_settings, reg);
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index 6631184b5..3411b7d6c 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -15,6 +18,7 @@
 
 #include "vici_cred.h"
 #include "vici_builder.h"
+#include "vici_cert_info.h"
 
 #include <credentials/sets/mem_cred.h>
 #include <credentials/certificates/ac.h>
@@ -66,9 +70,9 @@ static vici_message_t* create_reply(char *fmt, ...)
 CALLBACK(load_cert, vici_message_t*,
 	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
-	certificate_type_t type;
-	x509_flag_t required_flags = 0, additional_flags = 0;
 	certificate_t *cert;
+	certificate_type_t type;
+	x509_flag_t ext_flag, flag = X509_NONE;
 	x509_t *x509;
 	chunk_t data;
 	bool trusted = TRUE;
@@ -79,60 +83,55 @@ CALLBACK(load_cert, vici_message_t*,
 	{
 		return create_reply("certificate type missing");
 	}
-	if (strcaseeq(str, "x509"))
-	{
-		type = CERT_X509;
-	}
-	else if (strcaseeq(str, "x509ca"))
-	{
-		type = CERT_X509;
-		required_flags = X509_CA;
-	}
-	else if (strcaseeq(str, "x509aa"))
-	{
-		type = CERT_X509;
-		additional_flags = X509_AA;
-	}
-	else if (strcaseeq(str, "x509crl"))
+	if (enum_from_name(certificate_type_names, str, &type))
 	{
-		type = CERT_X509_CRL;
-	}
-	else if (strcaseeq(str, "x509ac"))
-	{
-		type = CERT_X509_AC;
-		trusted = FALSE;
+		if (type == CERT_X509)
+		{
+			str = message->get_str(message, "NONE", "flag");
+			if (!enum_from_name(x509_flag_names, str, &flag))
+			{
+				return create_reply("invalid certificate flag '%s'", str);
+			}
+		}
 	}
-	else
+	else if	(!vici_cert_info_from_str(str, &type, &flag))
 	{
-		return create_reply("invalid certificate type: %s", str);
+		return create_reply("invalid certificate type '%s'", str);
 	}
+
 	data = message->get_value(message, chunk_empty, "data");
 	if (!data.len)
 	{
 		return create_reply("certificate data missing");
 	}
+
+	/* do not set CA flag externally */
+	ext_flag = (flag & X509_CA) ? X509_NONE : flag;
+
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
 							  BUILD_BLOB_PEM, data,
-							  BUILD_X509_FLAG, additional_flags,
+							  BUILD_X509_FLAG, ext_flag,
 							  BUILD_END);
 	if (!cert)
 	{
 		return create_reply("parsing %N certificate failed",
 							certificate_type_names, type);
 	}
-	if (cert->get_type(cert) == CERT_X509)
+	DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
+
+	/* check if CA certificate has CA basic constraint set */
+	if (flag & X509_CA)
 	{
+		char err_msg[] = "ca certificate lacks CA basic constraint, rejected";
 		x509 = (x509_t*)cert;
 
-		if ((required_flags & x509->get_flags(x509)) != required_flags)
+		if (!(x509->get_flags(x509) & X509_CA))
 		{
 			cert->destroy(cert);
-			return create_reply("certificate misses required flag, rejected");
+			DBG1(DBG_CFG, "  %s", err_msg);
+			return create_reply(err_msg);
 		}
 	}
-
-	DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
-
 	if (type == CERT_X509_CRL)
 	{
 		this->creds->add_crl(this->creds, (crl_t*)cert);
@@ -169,6 +168,10 @@ CALLBACK(load_key, vici_message_t*,
 	{
 		type = KEY_ECDSA;
 	}
+	else if (strcaseeq(str, "bliss"))
+	{
+		type = KEY_BLISS;
+	}
 	else
 	{
 		return create_reply("invalid key type: %s", str);
@@ -305,7 +308,7 @@ static void manage_commands(private_vici_cred_t *this, bool reg)
 METHOD(vici_cred_t, add_cert, certificate_t*,
 	private_vici_cred_t *this, certificate_t *cert)
 {
-	return this->creds->get_cert_ref(this->creds, cert);
+	return this->creds->add_cert_ref(this->creds, TRUE, cert);
 }
 
 METHOD(vici_cred_t, destroy, void,
diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c
index 53ed8cdfb..ed7c743c7 100644
--- a/src/libcharon/plugins/vici/vici_plugin.c
+++ b/src/libcharon/plugins/vici/vici_plugin.c
@@ -131,7 +131,8 @@ static bool register_vici(private_vici_plugin_t *this,
 			this->authority = vici_authority_create(this->dispatcher,
 													this->cred);
 			lib->credmgr->add_set(lib->credmgr, &this->authority->set);
-			this->config = vici_config_create(this->dispatcher, this->authority);
+			this->config = vici_config_create(this->dispatcher, this->authority,
+											  this->cred);
 			this->attrs = vici_attribute_create(this->dispatcher);
 			this->logger = vici_logger_create(this->dispatcher);
 
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 9a3d832da..284c23ee0 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner, Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
@@ -37,6 +40,7 @@
 
 #include "vici_query.h"
 #include "vici_builder.h"
+#include "vici_cert_info.h"
 
 #include <inttypes.h>
 #include <time.h>
@@ -48,6 +52,9 @@
 #endif
 
 #include <daemon.h>
+#include <asn1/asn1.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/certificates/x509.h>
 
 typedef struct private_vici_query_t private_vici_query_t;
 
@@ -120,7 +127,7 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 				}
 			}
 			if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
-										&alg, &ks) && alg != ENCR_UNDEFINED)
+										&alg, &ks) && alg != AUTH_UNDEFINED)
 			{
 				b->add_kv(b, "integ-alg", "%N", integrity_algorithm_names, alg);
 				if (ks)
@@ -128,11 +135,6 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 					b->add_kv(b, "integ-keysize", "%u", ks);
 				}
 			}
-			if (proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION,
-										&alg, NULL))
-			{
-				b->add_kv(b, "prf-alg", "%N", pseudo_random_function_names, alg);
-			}
 			if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
 										&alg, NULL))
 			{
@@ -271,15 +273,20 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	identification_t *eap;
 	proposal_t *proposal;
 	u_int16_t alg, ks;
+	host_t *host;
 
 	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
 	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
 	b->add_kv(b, "state", "%N", ike_sa_state_names, ike_sa->get_state(ike_sa));
 
-	b->add_kv(b, "local-host", "%H", ike_sa->get_my_host(ike_sa));
+	host = ike_sa->get_my_host(ike_sa);
+	b->add_kv(b, "local-host", "%H", host);
+	b->add_kv(b, "local-port", "%d", host->get_port(host));
 	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
 
-	b->add_kv(b, "remote-host", "%H", ike_sa->get_other_host(ike_sa));
+	host = ike_sa->get_other_host(ike_sa);
+	b->add_kv(b, "remote-host", "%H", host);
+	b->add_kv(b, "remote-port", "%d", host->get_port(host));
 	b->add_kv(b, "remote-id", "%Y", ike_sa->get_other_id(ike_sa));
 
 	eap = ike_sa->get_other_eap_id(ike_sa);
@@ -301,8 +308,10 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	{
 		b->add_kv(b, "initiator", "yes");
 	}
-	b->add_kv(b, "initiator-spi", "%.16"PRIx64, id->get_initiator_spi(id));
-	b->add_kv(b, "responder-spi", "%.16"PRIx64, id->get_responder_spi(id));
+	b->add_kv(b, "initiator-spi", "%.16"PRIx64,
+			  be64toh(id->get_initiator_spi(id)));
+	b->add_kv(b, "responder-spi", "%.16"PRIx64,
+			  be64toh(id->get_responder_spi(id)));
 
 	add_condition(b, ike_sa, "nat-local", COND_NAT_HERE);
 	add_condition(b, ike_sa, "nat-remote", COND_NAT_THERE);
@@ -772,7 +781,7 @@ CALLBACK(list_conns, vici_message_t*,
 /**
  * Do we have a private key for given certificate
  */
-static bool has_privkey(private_vici_query_t *this, certificate_t *cert)
+static bool has_privkey(certificate_t *cert)
 {
 	private_key_t *private;
 	public_key_t *public;
@@ -800,81 +809,332 @@ static bool has_privkey(private_vici_query_t *this, certificate_t *cert)
 	return found;
 }
 
-CALLBACK(list_certs, vici_message_t*,
-	private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
+/**
+ * Store cert filter data
+ */
+typedef struct {
+	certificate_type_t type;
+	x509_flag_t flag;
+	identification_t *subject;
+} cert_filter_t;
+
+/**
+ * Enumerate all X.509 certificates with a given flag
+ */
+static void enum_x509(private_vici_query_t *this, u_int id,
+					  linked_list_t *certs, cert_filter_t *filter,
+					  x509_flag_t flag)
 {
-	enumerator_t *enumerator, *added;
-	linked_list_t *list;
-	certificate_t *cert, *current;
-	chunk_t encoding;
-	identification_t *subject = NULL;
-	int type;
+	enumerator_t *enumerator;
+	certificate_t *cert;
 	vici_builder_t *b;
-	bool found;
-	char *str;
+	chunk_t encoding;
+	x509_t *x509;
 
-	str = request->get_str(request, "ANY", "type");
-	if (!enum_from_name(certificate_type_names, str, &type))
+	if (filter->type != CERT_ANY && filter->flag != X509_ANY &&
+		filter->flag != flag)
 	{
-		b = vici_builder_create();
-		return b->finalize(b);
-	}
-	str = request->get_str(request, NULL, "subject");
-	if (str)
-	{
-		subject = identification_create_from_string(str);
+		return;
 	}
 
-	list = linked_list_create();
-	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
-												type, KEY_ANY, subject, FALSE);
+	enumerator = certs->create_enumerator(certs);
 	while (enumerator->enumerate(enumerator, &cert))
 	{
-		found = FALSE;
-		added = list->create_enumerator(list);
-		while (added->enumerate(added, &current))
+		x509 = (x509_t*)cert;
+		if ((x509->get_flags(x509) & X509_ANY) != flag)
 		{
-			if (current->equals(current, cert))
+			continue;
+		}
+
+		if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+		{
+			b = vici_builder_create();
+			b->add_kv(b, "type", "%N", certificate_type_names, CERT_X509);
+			b->add_kv(b, "flag", "%N", x509_flag_names, flag);
+			if (has_privkey(cert))
 			{
-				found = TRUE;
-				break;
+				b->add_kv(b, "has_privkey", "yes");
 			}
+			b->add(b, VICI_KEY_VALUE, "data", encoding);
+			free(encoding.ptr);
+
+			this->dispatcher->raise_event(this->dispatcher, "list-cert", id,
+										  b->finalize(b));
 		}
-		added->destroy(added);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Enumerate all non-X.509 certificate types
+ */
+static void enum_others(private_vici_query_t *this, u_int id,
+						linked_list_t *certs, certificate_type_t type)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	vici_builder_t *b;
+	chunk_t encoding, t_ch;
+	cred_encoding_type_t encoding_type;
+	identification_t *subject;
+	time_t not_before, not_after;
+
+	encoding_type = (type == CERT_TRUSTED_PUBKEY) ? PUBKEY_SPKI_ASN1_DER :
+													CERT_ASN1_DER;
 
-		if (!found && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+	enumerator = certs->create_enumerator(certs);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		if (cert->get_encoding(cert, encoding_type, &encoding))
 		{
 			b = vici_builder_create();
-			b->add_kv(b, "type", "%N",
-					  certificate_type_names, cert->get_type(cert));
-			if (has_privkey(this, cert))
+			b->add_kv(b, "type", "%N", certificate_type_names, type);
+			if (has_privkey(cert))
 			{
 				b->add_kv(b, "has_privkey", "yes");
 			}
 			b->add(b, VICI_KEY_VALUE, "data", encoding);
 			free(encoding.ptr);
 
+			if (type == CERT_TRUSTED_PUBKEY)
+			{
+				subject = cert->get_subject(cert);
+				if (subject->get_type(subject) != ID_KEY_ID)
+				{
+					b->add_kv(b, "subject", "%Y", cert->get_subject(cert));
+				}
+				cert->get_validity(cert, NULL, &not_before, &not_after);
+				if (not_before != UNDEFINED_TIME)
+				{
+					t_ch = asn1_from_time(&not_before, ASN1_GENERALIZEDTIME);
+					b->add(b, VICI_KEY_VALUE, "not-before", chunk_skip(t_ch, 2));
+					chunk_free(&t_ch);
+				}
+				if (not_after != UNDEFINED_TIME)
+				{
+					t_ch = asn1_from_time(&not_after, ASN1_GENERALIZEDTIME);
+					b->add(b, VICI_KEY_VALUE, "not-after", chunk_skip(t_ch, 2));
+					chunk_free(&t_ch);
+				}
+			}
 			this->dispatcher->raise_event(this->dispatcher, "list-cert", id,
 										  b->finalize(b));
-			list->insert_last(list, cert->get_ref(cert));
 		}
 	}
 	enumerator->destroy(enumerator);
+}
 
-	list->destroy_offset(list, offsetof(certificate_t, destroy));
-	DESTROY_IF(subject);
+/**
+ * Enumerate all certificates of a given type
+ */
+static void enum_certs(private_vici_query_t *this,	u_int id,
+					   cert_filter_t *filter, certificate_type_t type)
+{
+	enumerator_t *e1, *e2;
+	certificate_t *cert, *current;
+	linked_list_t *certs;
+	bool found;
 
+	if (filter->type != CERT_ANY && filter->type != type)
+	{
+		return;
+	}
+	certs = linked_list_create();
+
+	e1 = lib->credmgr->create_cert_enumerator(lib->credmgr, type, KEY_ANY,
+											  filter->subject, FALSE);
+	while (e1->enumerate(e1, &cert))
+	{
+		found = FALSE;
+
+		e2 = certs->create_enumerator(certs);
+		while (e2->enumerate(e2, &current))
+		{
+			if (current->equals(current, cert))
+			{
+				found = TRUE;
+				break;
+			}
+		}
+		e2->destroy(e2);
+
+		if (!found)
+		{
+			certs->insert_last(certs, cert->get_ref(cert));
+		}
+	}
+	e1->destroy(e1);
+
+	if (type == CERT_X509)
+	{
+		enum_x509(this, id, certs, filter, X509_NONE);
+		enum_x509(this, id, certs, filter, X509_CA);
+		enum_x509(this, id, certs, filter, X509_AA);
+		enum_x509(this, id, certs, filter, X509_OCSP_SIGNER);
+	}
+	else
+	{
+		enum_others(this, id, certs, type);
+	}
+	certs->destroy_offset(certs, offsetof(certificate_t, destroy));
+}
+
+CALLBACK(list_certs, vici_message_t*,
+	private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
+{
+	cert_filter_t filter = {
+		.type = CERT_ANY,
+		.flag = X509_ANY,
+		.subject = NULL
+	};
+	vici_builder_t *b;
+	char *str;
+
+	str = request->get_str(request, "ANY", "type");
+	if (enum_from_name(certificate_type_names, str, &filter.type))
+	{
+		if (filter.type == CERT_X509)
+		{
+			str = request->get_str(request, "ANY", "flag");
+			if (!enum_from_name(x509_flag_names, str, &filter.flag))
+			{
+				DBG1(DBG_CFG, "invalid certificate flag '%s'", str);
+				goto finalize;
+			}
+		}
+	}
+	else if	(!vici_cert_info_from_str(str, &filter.type, &filter.flag))
+	{
+		DBG1(DBG_CFG, "invalid certificate type '%s'", str);
+		goto finalize;
+	}
+
+	str = request->get_str(request, NULL, "subject");
+	if (str)
+	{
+		filter.subject = identification_create_from_string(str);
+	}
+
+	enum_certs(this, id, &filter, CERT_TRUSTED_PUBKEY);
+	enum_certs(this, id, &filter, CERT_X509);
+	enum_certs(this, id, &filter, CERT_X509_AC);
+	enum_certs(this, id, &filter, CERT_X509_CRL);
+	enum_certs(this, id, &filter, CERT_X509_OCSP_RESPONSE);
+	DESTROY_IF(filter.subject);
+
+finalize:
 	b = vici_builder_create();
 	return b->finalize(b);
 }
 
-CALLBACK(version, vici_message_t*,
+/**
+ * Add a key/value pair of ALG => plugin
+ */
+static void add_algorithm(vici_builder_t *b, enum_name_t *alg_names,
+						  int alg_type, const char *plugin_name)
+{
+	char alg_name[BUF_LEN];
+
+	sprintf(alg_name, "%N", alg_names, alg_type);
+	b->add_kv(b, alg_name, (char*)plugin_name);
+}
+
+CALLBACK(get_algorithms, vici_message_t*,
 	private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
 {
 	vici_builder_t *b;
+	enumerator_t *enumerator;
+	encryption_algorithm_t encryption;
+	integrity_algorithm_t integrity;
+	hash_algorithm_t hash;
+	pseudo_random_function_t prf;
+	diffie_hellman_group_t group;
+	rng_quality_t quality;
+	const char *plugin_name;
 
 	b = vici_builder_create();
 
+	b->begin_section(b, "encryption");
+	enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+	{
+		add_algorithm(b, encryption_algorithm_names, encryption, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "integrity");
+	enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
+	{
+		add_algorithm(b, integrity_algorithm_names, integrity, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "aead");
+	enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
+	{
+		add_algorithm(b, encryption_algorithm_names, encryption, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "hasher");
+	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &hash, &plugin_name))
+	{
+		add_algorithm(b, hash_algorithm_names, hash, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "prf");
+	enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &prf, &plugin_name))
+	{
+		add_algorithm(b, pseudo_random_function_names, prf, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "dh");
+	enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &group, &plugin_name))
+	{
+		add_algorithm(b, diffie_hellman_group_names, group, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "rng");
+	enumerator = lib->crypto->create_rng_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &quality, &plugin_name))
+	{
+		add_algorithm(b, rng_quality_names, quality, plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	b->begin_section(b, "nonce-gen");
+	enumerator = lib->crypto->create_nonce_gen_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &plugin_name))
+	{
+		b->add_kv(b, "NONCE_GEN", (char*)plugin_name);
+	}
+	enumerator->destroy(enumerator);
+	b->end_section(b);
+
+	return b->finalize(b);
+}
+
+CALLBACK(version, vici_message_t*,
+	private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
+{
+	vici_builder_t *b;
+
+	b = vici_builder_create();
 	b->add_kv(b, "daemon", "%s", lib->ns);
 	b->add_kv(b, "version", "%s", VERSION);
 
@@ -915,18 +1175,6 @@ CALLBACK(version, vici_message_t*,
 	return b->finalize(b);
 }
 
-/**
- * Callback function for memusage summary
- */
-CALLBACK(sum_usage, void,
-	vici_builder_t *b, int count, size_t bytes, int whitelisted)
-{
-	b->begin_section(b, "mem");
-	b->add_kv(b, "total", "%zu", bytes);
-	b->add_kv(b, "allocs", "%d", count);
-	b->end_section(b);
-}
-
 CALLBACK(stats, vici_message_t*,
 	private_vici_query_t *this, char *name, u_int id, vici_message_t *request)
 {
@@ -988,12 +1236,7 @@ CALLBACK(stats, vici_message_t*,
 	enumerator->destroy(enumerator);
 	b->end_list(b);
 
-	if (lib->leak_detective)
-	{
-		lib->leak_detective->usage(lib->leak_detective, NULL, sum_usage, b);
-	}
 #ifdef WIN32
-	else
 	{
 		DWORD lasterr = ERROR_INVALID_HANDLE;
 		HANDLE heaps[32];
@@ -1085,6 +1328,7 @@ static void manage_commands(private_vici_query_t *this, bool reg)
 	manage_command(this, "list-policies", list_policies, reg);
 	manage_command(this, "list-conns", list_conns, reg);
 	manage_command(this, "list-certs", list_certs, reg);
+	manage_command(this, "get-algorithms", get_algorithms, reg);
 	manage_command(this, "version", version, reg);
 	manage_command(this, "stats", stats, reg);
 }
diff --git a/src/libcharon/plugins/vici/vici_tests.c b/src/libcharon/plugins/vici/vici_tests.c
index 434aa5e18..d1f8097bf 100644
--- a/src/libcharon/plugins/vici/vici_tests.c
+++ b/src/libcharon/plugins/vici/vici_tests.c
@@ -16,7 +16,6 @@
 #include <test_runner.h>
 
 #include <daemon.h>
-#include <hydra.h>
 
 /* declare test suite constructors */
 #define TEST_SUITE(x) test_suite_t* x();
diff --git a/src/libcharon/plugins/whitelist/Makefile.am b/src/libcharon/plugins/whitelist/Makefile.am
index 1fd01c888..7f6bfff14 100644
--- a/src/libcharon/plugins/whitelist/Makefile.am
+++ b/src/libcharon/plugins/whitelist/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index e400d9f35..549ef6bce 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -423,6 +423,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -438,7 +440,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.am b/src/libcharon/plugins/xauth_eap/Makefile.am
index ea75c1581..5c7228e85 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.am
+++ b/src/libcharon/plugins/xauth_eap/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index a9684455d..6992df820 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.am b/src/libcharon/plugins/xauth_generic/Makefile.am
index 1ecd9fd14..282bfc4fe 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.am
+++ b/src/libcharon/plugins/xauth_generic/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 5170c924f..057a734a3 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.am b/src/libcharon/plugins/xauth_noauth/Makefile.am
index 3902471fe..bb41f2169 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.am
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index 087f5b350..6b0104e30 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.am b/src/libcharon/plugins/xauth_pam/Makefile.am
index abf83ca75..cee8bf811 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.am
+++ b/src/libcharon/plugins/xauth_pam/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 29441bcb5..ae6a4d070 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -431,7 +433,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_CFLAGS = \
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
index b4f135a57..c39689012 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.c
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -19,7 +19,6 @@
 #include "adopt_children_job.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <collections/array.h>
 #include <processing/jobs/delete_ike_sa_job.h>
 
diff --git a/src/libcharon/processing/jobs/redirect_job.c b/src/libcharon/processing/jobs/redirect_job.c
new file mode 100644
index 000000000..e1af662c9
--- /dev/null
+++ b/src/libcharon/processing/jobs/redirect_job.c
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+#include "redirect_job.h"
+
+typedef struct private_redirect_job_t private_redirect_job_t;
+
+/**
+ * Private data
+ */
+struct private_redirect_job_t {
+
+	/**
+	 * Public interface
+	 */
+	redirect_job_t public;
+
+	/**
+	 * ID of the IKE_SA to redirect
+	 */
+	ike_sa_id_t *ike_sa_id;
+
+	/**
+	 * Target gateway identity
+	 */
+	identification_t *gateway;
+};
+
+
+METHOD(job_t, destroy, void,
+	private_redirect_job_t *this)
+{
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	this->gateway->destroy(this->gateway);
+	free(this);
+}
+
+METHOD(job_t, execute, job_requeue_t,
+	private_redirect_job_t *this)
+{
+	ike_sa_t *ike_sa;
+
+	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+											  this->ike_sa_id);
+	if (ike_sa)
+	{
+		if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			return JOB_REQUEUE_NONE;
+		}
+		if (ike_sa->redirect(ike_sa, this->gateway) == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(
+											charon->ike_sa_manager, ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(job_t, get_priority, job_priority_t,
+	private_redirect_job_t *this)
+{
+	return JOB_PRIO_MEDIUM;
+}
+
+/*
+ * Described in header
+ */
+redirect_job_t *redirect_job_create(ike_sa_id_t *ike_sa_id,
+									identification_t *gateway)
+{
+	private_redirect_job_t *this;
+
+	INIT(this,
+		.public = {
+			.job_interface = {
+				.execute = _execute,
+				.get_priority = _get_priority,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa_id = ike_sa_id->clone(ike_sa_id),
+		.gateway = gateway->clone(gateway),
+	);
+
+	return &(this->public);
+}
diff --git a/src/libcharon/processing/jobs/redirect_job.h b/src/libcharon/processing/jobs/redirect_job.h
new file mode 100644
index 000000000..fe4b34ee9
--- /dev/null
+++ b/src/libcharon/processing/jobs/redirect_job.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup redirect_job redirect_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef REDIRECT_JOB_H_
+#define REDIRECT_JOB_H_
+
+typedef struct redirect_job_t redirect_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <processing/jobs/job.h>
+
+/**
+ * Job used to redirect an IKE_SA.
+ */
+struct redirect_job_t {
+
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+};
+
+/**
+ * Creates a job to redirect an IKE_SA.
+ *
+ * @param ike_sa_id			id of the IKE_SA to redirect (cloned)
+ * @param gateway			gateway identity (IP or FQDN) of target (cloned)
+ * @return					created redirect_job_t object
+ */
+redirect_job_t *redirect_job_create(ike_sa_id_t *ike_sa_id,
+									identification_t *gateway);
+
+#endif /** REDIRECT_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/send_keepalive_job.c b/src/libcharon/processing/jobs/send_keepalive_job.c
index 3e3477679..e06eae3d3 100644
--- a/src/libcharon/processing/jobs/send_keepalive_job.c
+++ b/src/libcharon/processing/jobs/send_keepalive_job.c
@@ -54,7 +54,7 @@ METHOD(job_t, execute, job_requeue_t,
 											  this->ike_sa_id);
 	if (ike_sa)
 	{
-		ike_sa->send_keepalive(ike_sa);
+		ike_sa->send_keepalive(ike_sa, TRUE);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
 	return JOB_REQUEUE_NONE;
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index b0f163c83..56b7cb5a4 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -23,7 +23,6 @@
 #include <string.h>
 #include <time.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <collections/array.h>
 
@@ -469,10 +468,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 	{
 		if (this->my_spi)
 		{
-			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
-							this->other_addr, this->my_addr, this->my_spi,
-							proto_ike2ip(this->protocol), this->mark_in,
-							&bytes, &packets, &time);
+			status = charon->kernel->query_sa(charon->kernel, this->other_addr,
+									this->my_addr, this->my_spi,
+									proto_ike2ip(this->protocol), this->mark_in,
+									&bytes, &packets, &time);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->my_usebytes)
@@ -493,10 +492,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 	{
 		if (this->other_spi)
 		{
-			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
-							this->my_addr, this->other_addr, this->other_spi,
-							proto_ike2ip(this->protocol), this->mark_out,
-							&bytes, &packets, &time);
+			status = charon->kernel->query_sa(charon->kernel, this->my_addr,
+								this->other_addr, this->other_spi,
+								proto_ike2ip(this->protocol), this->mark_out,
+								&bytes, &packets, &time);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->other_usebytes)
@@ -532,15 +531,15 @@ static bool update_usetime(private_child_sa_t *this, bool inbound)
 
 		if (inbound)
 		{
-			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
-						other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS)
+			if (charon->kernel->query_policy(charon->kernel, other_ts,
+							my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS)
 			{
 				last_use = max(last_use, in);
 			}
 			if (this->mode != MODE_TRANSPORT)
 			{
-				if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
-						other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS)
+				if (charon->kernel->query_policy(charon->kernel, other_ts,
+							my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS)
 				{
 					last_use = max(last_use, fwd);
 				}
@@ -548,8 +547,8 @@ static bool update_usetime(private_child_sa_t *this, bool inbound)
 		}
 		else
 		{
-			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
-						my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS)
+			if (charon->kernel->query_policy(charon->kernel, my_ts,
+							other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS)
 			{
 				last_use = max(last_use, out);
 			}
@@ -629,10 +628,8 @@ METHOD(child_sa_t, get_installtime, time_t,
 METHOD(child_sa_t, alloc_spi, u_int32_t,
 	   private_child_sa_t *this, protocol_id_t protocol)
 {
-	if (hydra->kernel_interface->get_spi(hydra->kernel_interface,
-										 this->other_addr, this->my_addr,
-										 proto_ike2ip(protocol),
-										 &this->my_spi) == SUCCESS)
+	if (charon->kernel->get_spi(charon->kernel, this->other_addr, this->my_addr,
+							proto_ike2ip(protocol), &this->my_spi) == SUCCESS)
 	{
 		/* if we allocate a SPI, but then are unable to establish the SA, we
 		 * need to know the protocol family to delete the partial SA */
@@ -645,9 +642,8 @@ METHOD(child_sa_t, alloc_spi, u_int32_t,
 METHOD(child_sa_t, alloc_cpi, u_int16_t,
 	   private_child_sa_t *this)
 {
-	if (hydra->kernel_interface->get_cpi(hydra->kernel_interface,
-										 this->other_addr, this->my_addr,
-										 &this->my_cpi) == SUCCESS)
+	if (charon->kernel->get_cpi(charon->kernel, this->other_addr, this->my_addr,
+								&this->my_cpi) == SUCCESS)
 	{
 		return this->my_cpi;
 	}
@@ -711,9 +707,8 @@ METHOD(child_sa_t, install, status_t,
 
 	if (!this->reqid_allocated && !this->static_reqid)
 	{
-		status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
-							my_ts, other_ts, this->mark_in, this->mark_out,
-							&this->reqid);
+		status = charon->kernel->alloc_reqid(charon->kernel, my_ts, other_ts,
+								this->mark_in, this->mark_out, &this->reqid);
 		if (status != SUCCESS)
 		{
 			return status;
@@ -757,7 +752,7 @@ METHOD(child_sa_t, install, status_t,
 		dst_ts = other_ts;
 	}
 
-	status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
+	status = charon->kernel->add_sa(charon->kernel,
 				src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
 				inbound ? this->mark_in : this->mark_out, tfc,
 				lifetime, enc_alg, encr, int_alg, integ, this->mode,
@@ -776,7 +771,7 @@ static bool require_policy_update()
 {
 	kernel_feature_t f;
 
-	f = hydra->kernel_interface->get_features(hydra->kernel_interface);
+	f = charon->kernel->get_features(charon->kernel);
 	return !(f & KERNEL_NO_POLICY_UPDATES);
 }
 
@@ -833,18 +828,18 @@ static status_t install_policies_internal(private_child_sa_t *this,
 	ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority)
 {
 	status_t status = SUCCESS;
-	status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+	status |= charon->kernel->add_policy(charon->kernel,
 							my_addr, other_addr, my_ts, other_ts,
 							POLICY_OUT, type, other_sa,
 							this->mark_out, priority);
 
-	status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+	status |= charon->kernel->add_policy(charon->kernel,
 							other_addr, my_addr, other_ts, my_ts,
 							POLICY_IN, type, my_sa,
 							this->mark_in, priority);
 	if (this->mode != MODE_TRANSPORT)
 	{
-		status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
+		status |= charon->kernel->add_policy(charon->kernel,
 							other_addr, my_addr, other_ts, my_ts,
 							POLICY_FWD, type, my_sa,
 							this->mark_in, priority);
@@ -861,15 +856,15 @@ static void del_policies_internal(private_child_sa_t *this,
 	ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority)
 {
 
-	hydra->kernel_interface->del_policy(hydra->kernel_interface,
+	charon->kernel->del_policy(charon->kernel,
 						my_addr, other_addr, my_ts, other_ts, POLICY_OUT, type,
 						other_sa, this->mark_out, priority);
-	hydra->kernel_interface->del_policy(hydra->kernel_interface,
+	charon->kernel->del_policy(charon->kernel,
 						other_addr, my_addr, other_ts, my_ts, POLICY_IN,
 						type, my_sa, this->mark_in, priority);
 	if (this->mode != MODE_TRANSPORT)
 	{
-		hydra->kernel_interface->del_policy(hydra->kernel_interface,
+		charon->kernel->del_policy(charon->kernel,
 						other_addr, my_addr, other_ts, my_ts, POLICY_FWD,
 						type, my_sa, this->mark_in, priority);
 	}
@@ -886,8 +881,8 @@ METHOD(child_sa_t, add_policies, status_t,
 	if (!this->reqid_allocated && !this->static_reqid)
 	{
 		/* trap policy, get or confirm reqid */
-		status = hydra->kernel_interface->alloc_reqid(
-							hydra->kernel_interface, my_ts_list, other_ts_list,
+		status = charon->kernel->alloc_reqid(
+							charon->kernel, my_ts_list, other_ts_list,
 							this->mark_in, this->mark_out, &this->reqid);
 		if (status != SUCCESS)
 		{
@@ -967,11 +962,10 @@ static void reinstall_vip(host_t *vip, host_t *me)
 {
 	char *iface;
 
-	if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-											   me, &iface))
+	if (charon->kernel->get_interface(charon->kernel, me, &iface))
 	{
-		hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
-		hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, -1, iface);
+		charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
+		charon->kernel->add_ip(charon->kernel, vip, -1, iface);
 		free(iface);
 	}
 }
@@ -1000,7 +994,7 @@ METHOD(child_sa_t, update, status_t,
 		/* update our (initiator) SA */
 		if (this->my_spi)
 		{
-			if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
+			if (charon->kernel->update_sa(charon->kernel,
 							this->my_spi, proto_ike2ip(this->protocol),
 							this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
 							this->other_addr, this->my_addr, other, me,
@@ -1014,7 +1008,7 @@ METHOD(child_sa_t, update, status_t,
 		/* update his (responder) SA */
 		if (this->other_spi)
 		{
-			if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
+			if (charon->kernel->update_sa(charon->kernel,
 							this->other_spi, proto_ike2ip(this->protocol),
 							this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
 							this->my_addr, this->other_addr, me, other,
@@ -1143,14 +1137,14 @@ METHOD(child_sa_t, destroy, void,
 	/* delete SAs in the kernel, if they are set up */
 	if (this->my_spi)
 	{
-		hydra->kernel_interface->del_sa(hydra->kernel_interface,
+		charon->kernel->del_sa(charon->kernel,
 					this->other_addr, this->my_addr, this->my_spi,
 					proto_ike2ip(this->protocol), this->my_cpi,
 					this->mark_in);
 	}
 	if (this->other_spi)
 	{
-		hydra->kernel_interface->del_sa(hydra->kernel_interface,
+		charon->kernel->del_sa(charon->kernel,
 					this->my_addr, this->other_addr, this->other_spi,
 					proto_ike2ip(this->protocol), this->other_cpi,
 					this->mark_out);
@@ -1158,7 +1152,7 @@ METHOD(child_sa_t, destroy, void,
 
 	if (this->reqid_allocated)
 	{
-		if (hydra->kernel_interface->release_reqid(hydra->kernel_interface,
+		if (charon->kernel->release_reqid(charon->kernel,
 						this->reqid, this->mark_in, this->mark_out) != SUCCESS)
 		{
 			DBG1(DBG_CHD, "releasing reqid %u failed", this->reqid);
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index dcf9d5f2c..bcbff3211 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -46,7 +46,6 @@
 #include "ike_sa.h"
 
 #include <library.h>
-#include <hydra.h>
 #include <daemon.h>
 #include <collections/array.h>
 #include <utils/lexparser.h>
@@ -57,6 +56,9 @@
 #include <processing/jobs/rekey_ike_sa_job.h>
 #include <processing/jobs/retry_initiate_job.h>
 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
+#include <sa/ikev2/tasks/ike_reauth_complete.h>
+#include <sa/ikev2/tasks/ike_redirect.h>
+#include <credentials/sets/auth_cfg_wrapper.h>
 
 #ifdef ME
 #include <sa/ikev2/tasks/ike_me.h>
@@ -239,6 +241,11 @@ struct private_ike_sa_t {
 	u_int32_t keepalive_interval;
 
 	/**
+	 * The schedueld keep alive job, if any
+	 */
+	send_keepalive_job_t *keepalive_job;
+
+	/**
 	 * interval for retries during initiation (e.g. if DNS resolution failed),
 	 * 0 to disable (default)
 	 */
@@ -278,6 +285,21 @@ struct private_ike_sa_t {
 	 * Maximum length of a single fragment, 0 for address-specific defaults
 	 */
 	size_t fragment_size;
+
+	/**
+	 * Whether to follow IKEv2 redirects
+	 */
+	bool follow_redirects;
+
+	/**
+	 * Original gateway address from which we got redirected
+	 */
+	host_t *redirected_from;
+
+	/**
+	 * Timestamps of redirect attempts to handle loops
+	 */
+	array_t *redirected_at;
 };
 
 /**
@@ -382,6 +404,12 @@ METHOD(ike_sa_t, set_other_host, void,
 	this->other_host = other;
 }
 
+METHOD(ike_sa_t, get_redirected_from, host_t*,
+	private_ike_sa_t *this)
+{
+	return this->redirected_from;
+}
+
 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
 	private_ike_sa_t *this)
 {
@@ -455,6 +483,113 @@ static void flush_auth_cfgs(private_ike_sa_t *this)
 	}
 }
 
+METHOD(ike_sa_t, verify_peer_certificate, bool,
+	private_ike_sa_t *this)
+{
+	enumerator_t *e1, *e2, *certs;
+	auth_cfg_t *cfg, *cfg_done;
+	certificate_t *peer, *cert;
+	public_key_t *key;
+	auth_cfg_t *auth;
+	auth_cfg_wrapper_t *wrapper;
+	time_t not_before, not_after;
+	bool valid = TRUE, found;
+
+	if (this->state != IKE_ESTABLISHED)
+	{
+		DBG1(DBG_IKE, "unable to verify peer certificate in state %N",
+			 ike_sa_state_names, this->state);
+		return FALSE;
+	}
+
+	if (!this->flush_auth_cfg &&
+		lib->settings->get_bool(lib->settings,
+								"%s.flush_auth_cfg", FALSE, lib->ns))
+	{	/* we can do this check only once if auth configs are flushed */
+		DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
+			 "information has been flushed");
+		return FALSE;
+	}
+	this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED,
+							   FALSE);
+
+	e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
+	e2 = array_create_enumerator(this->other_auths);
+	while (e1->enumerate(e1, &cfg))
+	{
+		if (!e2->enumerate(e2, &cfg_done))
+		{	/* this should not happen as the authentication should never have
+			 * succeeded */
+			valid = FALSE;
+			break;
+		}
+		if ((uintptr_t)cfg_done->get(cfg_done,
+									 AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY)
+		{
+			continue;
+		}
+		peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT);
+		if (!peer)
+		{
+			DBG1(DBG_IKE, "no subject certificate found, skipping certificate "
+				 "verification");
+			continue;
+		}
+		if (!peer->get_validity(peer, NULL, &not_before, &not_after))
+		{
+			DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
+				 &not_before, FALSE, &not_after, FALSE);
+			valid = FALSE;
+			break;
+		}
+		key = peer->get_public_key(peer);
+		if (!key)
+		{
+			DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate "
+				 "verification");
+			continue;
+		}
+		DBG1(DBG_IKE, "verifying peer certificate");
+		/* serve received certificates */
+		wrapper = auth_cfg_wrapper_create(cfg_done);
+		lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
+		certs = lib->credmgr->create_trusted_enumerator(lib->credmgr,
+							key->get_type(key), peer->get_subject(peer), TRUE);
+		key->destroy(key);
+
+		found = FALSE;
+		while (certs->enumerate(certs, &cert, &auth))
+		{
+			if (peer->equals(peer, cert))
+			{
+				cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED,
+							  FALSE);
+				cfg_done->merge(cfg_done, auth, FALSE);
+				valid = cfg_done->complies(cfg_done, cfg, TRUE);
+				found = TRUE;
+				break;
+			}
+		}
+		certs->destroy(certs);
+		lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
+		wrapper->destroy(wrapper);
+		if (!found || !valid)
+		{
+			valid = FALSE;
+			break;
+		}
+	}
+	e1->destroy(e1);
+	e2->destroy(e2);
+
+	if (this->flush_auth_cfg)
+	{
+		this->flush_auth_cfg = FALSE;
+		flush_auth_cfgs(this);
+	}
+	return valid;
+}
+
 METHOD(ike_sa_t, get_proposal, proposal_t*,
 	private_ike_sa_t *this)
 {
@@ -482,14 +617,20 @@ METHOD(ike_sa_t, set_message_id, void,
 }
 
 METHOD(ike_sa_t, send_keepalive, void,
-	private_ike_sa_t *this)
+	private_ike_sa_t *this, bool scheduled)
 {
-	send_keepalive_job_t *job;
 	time_t last_out, now, diff;
 
-	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0 ||
-		this->state == IKE_PASSIVE)
-	{	/* disable keep alives if we are not NATed anymore, or we are passive */
+	if (scheduled)
+	{
+		this->keepalive_job = NULL;
+	}
+	if (!this->keepalive_interval || this->state == IKE_PASSIVE)
+	{	/* keepalives disabled either by configuration or for passive IKE_SAs */
+		return;
+	}
+	if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
+	{	/* disable keepalives if we are not NATed anymore, or the SA is stale */
 		return;
 	}
 
@@ -514,9 +655,12 @@ METHOD(ike_sa_t, send_keepalive, void,
 		charon->sender->send_no_marker(charon->sender, packet);
 		diff = 0;
 	}
-	job = send_keepalive_job_create(this->ike_sa_id);
-	lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
-								 this->keepalive_interval - diff);
+	if (!this->keepalive_job)
+	{
+		this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
+									 this->keepalive_interval - diff);
+	}
 }
 
 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
@@ -563,7 +707,7 @@ METHOD(ike_sa_t, set_condition, void,
 				case COND_NAT_HERE:
 					DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
 					this->conditions |= COND_NAT_ANY;
-					send_keepalive(this);
+					send_keepalive(this, FALSE);
 					break;
 				case COND_NAT_THERE:
 					DBG1(DBG_IKE, "remote host is behind NAT");
@@ -590,6 +734,9 @@ METHOD(ike_sa_t, set_condition, void,
 								  has_condition(this, COND_NAT_THERE) ||
 								  has_condition(this, COND_NAT_FAKE));
 					break;
+				case COND_STALE:
+					send_keepalive(this, FALSE);
+					break;
 				default:
 					break;
 			}
@@ -727,6 +874,8 @@ METHOD(ike_sa_t, set_state, void,
 				{
 					keepalives = TRUE;
 				}
+				DESTROY_IF(this->redirected_from);
+				this->redirected_from = NULL;
 			}
 			break;
 		}
@@ -749,7 +898,7 @@ METHOD(ike_sa_t, set_state, void,
 	}
 	if (keepalives)
 	{
-		send_keepalive(this);
+		send_keepalive(this, FALSE);
 	}
 }
 
@@ -786,12 +935,12 @@ METHOD(ike_sa_t, add_virtual_ip, void,
 	{
 		char *iface;
 
-		if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
-												   this->my_host, &iface))
+		if (charon->kernel->get_interface(charon->kernel, this->my_host,
+										  &iface))
 		{
 			DBG1(DBG_IKE, "installing new virtual IP %H", ip);
-			if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
-												ip, -1, iface) == SUCCESS)
+			if (charon->kernel->add_ip(charon->kernel, ip, -1,
+									   iface) == SUCCESS)
 			{
 				array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
 			}
@@ -828,8 +977,7 @@ METHOD(ike_sa_t, clear_virtual_ips, void,
 	{
 		if (local)
 		{
-			hydra->kernel_interface->del_ip(hydra->kernel_interface,
-											vip, -1, TRUE);
+			charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
 		}
 		vip->destroy(vip);
 	}
@@ -1265,8 +1413,8 @@ static void resolve_hosts(private_ike_sa_t *this)
 			!this->other_host->is_anyaddr(this->other_host))
 		{
 			host->destroy(host);
-			host = hydra->kernel_interface->get_source_addr(
-							hydra->kernel_interface, this->other_host, NULL);
+			host = charon->kernel->get_source_addr(charon->kernel,
+												   this->other_host, NULL);
 			if (host)
 			{
 				host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
@@ -1401,9 +1549,14 @@ METHOD(ike_sa_t, process_message, status_t,
 	status = this->task_manager->process_message(this->task_manager, message);
 	if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
 	{
-		/* authentication completed */
-		this->flush_auth_cfg = FALSE;
-		flush_auth_cfgs(this);
+		/* authentication completed but if the online validation is suspended we
+		 * need the auth cfgs until we did the delayed verification, we flush
+		 * them afterwards */
+		if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED))
+		{
+			this->flush_auth_cfg = FALSE;
+			flush_auth_cfgs(this);
+		}
 	}
 	return status;
 }
@@ -1735,6 +1888,86 @@ static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
 	return found;
 }
 
+/**
+ * Reestablish CHILD_SAs and migrate queued tasks.
+ *
+ * If force is true all SAs are restarted, otherwise their close/dpd_action
+ * is followed.
+ */
+static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
+									 bool force)
+{
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+	child_cfg_t *child_cfg;
+	action_t action;
+	status_t status = FAILED;
+
+	/* handle existing CHILD_SAs */
+	enumerator = create_child_sa_enumerator(this);
+	while (enumerator->enumerate(enumerator, (void**)&child_sa))
+	{
+		if (force)
+		{
+			switch (child_sa->get_state(child_sa))
+			{
+				case CHILD_ROUTED:
+				{	/* move routed child directly */
+					remove_child_sa(this, enumerator);
+					new->add_child_sa(new, child_sa);
+					action = ACTION_NONE;
+					break;
+				}
+				default:
+				{	/* initiate/queue all other CHILD_SAs */
+					action = ACTION_RESTART;
+					break;
+				}
+			}
+		}
+		else
+		{	/* only restart CHILD_SAs that are configured accordingly */
+			if (this->state == IKE_DELETING)
+			{
+				action = child_sa->get_close_action(child_sa);
+			}
+			else
+			{
+				action = child_sa->get_dpd_action(child_sa);
+			}
+		}
+		switch (action)
+		{
+			case ACTION_RESTART:
+				child_cfg = child_sa->get_config(child_sa);
+				DBG1(DBG_IKE, "restarting CHILD_SA %s",
+					 child_cfg->get_name(child_cfg));
+				child_cfg->get_ref(child_cfg);
+				status = new->initiate(new, child_cfg,
+								child_sa->get_reqid(child_sa), NULL, NULL);
+				break;
+			default:
+				continue;
+		}
+		if (status == DESTROY_ME)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	/* adopt any active or queued CHILD-creating tasks */
+	if (status != DESTROY_ME)
+	{
+		task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
+		other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
+		if (new->get_state(new) == IKE_CREATED)
+		{
+			status = new->initiate(new, NULL, 0, NULL, NULL);
+		}
+	}
+	return status;
+}
+
 METHOD(ike_sa_t, reestablish, status_t,
 	private_ike_sa_t *this)
 {
@@ -1743,7 +1976,6 @@ METHOD(ike_sa_t, reestablish, status_t,
 	action_t action;
 	enumerator_t *enumerator;
 	child_sa_t *child_sa;
-	child_cfg_t *child_cfg;
 	bool restart = FALSE;
 	status_t status = FAILED;
 
@@ -1836,8 +2068,11 @@ METHOD(ike_sa_t, reestablish, status_t,
 	host = this->my_host;
 	new->set_my_host(new, host->clone(host));
 	charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
-	/* resolve hosts but use the old addresses above as fallback */
-	resolve_hosts((private_ike_sa_t*)new);
+	if (!has_condition(this, COND_REAUTHENTICATING))
+	{	/* reauthenticate to the same addresses, but resolve hosts if
+		 * reestablishing (old addresses serve as fallback) */
+		resolve_hosts((private_ike_sa_t*)new);
+	}
 	/* if we already have a virtual IP, we reuse it */
 	enumerator = array_create_enumerator(this->my_vips);
 	while (enumerator->enumerate(enumerator, &host))
@@ -1854,68 +2089,8 @@ METHOD(ike_sa_t, reestablish, status_t,
 	else
 #endif /* ME */
 	{
-		/* handle existing CHILD_SAs */
-		enumerator = create_child_sa_enumerator(this);
-		while (enumerator->enumerate(enumerator, (void**)&child_sa))
-		{
-			if (has_condition(this, COND_REAUTHENTICATING))
-			{
-				switch (child_sa->get_state(child_sa))
-				{
-					case CHILD_ROUTED:
-					{	/* move routed child directly */
-						remove_child_sa(this, enumerator);
-						new->add_child_sa(new, child_sa);
-						action = ACTION_NONE;
-						break;
-					}
-					default:
-					{	/* initiate/queue all other CHILD_SAs */
-						action = ACTION_RESTART;
-						break;
-					}
-				}
-			}
-			else
-			{	/* only restart CHILD_SAs that are configured accordingly */
-				if (this->state == IKE_DELETING)
-				{
-					action = child_sa->get_close_action(child_sa);
-				}
-				else
-				{
-					action = child_sa->get_dpd_action(child_sa);
-				}
-			}
-			switch (action)
-			{
-				case ACTION_RESTART:
-					child_cfg = child_sa->get_config(child_sa);
-					DBG1(DBG_IKE, "restarting CHILD_SA %s",
-						 child_cfg->get_name(child_cfg));
-					child_cfg->get_ref(child_cfg);
-					status = new->initiate(new, child_cfg,
-									child_sa->get_reqid(child_sa), NULL, NULL);
-					break;
-				default:
-					continue;
-			}
-			if (status == DESTROY_ME)
-			{
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-		/* adopt any active or queued CHILD-creating tasks */
-		if (status != DESTROY_ME)
-		{
-			task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
-			other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
-			if (new->get_state(new) == IKE_CREATED)
-			{
-				status = new->initiate(new, NULL, 0, NULL, NULL);
-			}
-		}
+		status = reestablish_children(this, new,
+									has_condition(this, COND_REAUTHENTICATING));
 	}
 
 	if (status == DESTROY_ME)
@@ -1936,6 +2111,195 @@ METHOD(ike_sa_t, reestablish, status_t,
 	return status;
 }
 
+/**
+ * Resolve the given gateway ID
+ */
+static host_t *resolve_gateway_id(identification_t *gateway)
+{
+	char gw[BUF_LEN];
+	host_t *addr;
+
+	snprintf(gw, sizeof(gw), "%Y", gateway);
+	gw[sizeof(gw)-1] = '\0';
+	addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT);
+	if (!addr)
+	{
+		DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed",
+			 gateway);
+	}
+	return addr;
+}
+
+/**
+ * Redirect the current SA to the given target host
+ */
+static bool redirect_established(private_ike_sa_t *this, identification_t *to)
+{
+	private_ike_sa_t *new_priv;
+	ike_sa_t *new;
+	host_t *other;
+	time_t redirect;
+
+	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+											   this->version, TRUE);
+	if (!new)
+	{
+		return FALSE;
+	}
+	new_priv = (private_ike_sa_t*)new;
+	new->set_peer_cfg(new, this->peer_cfg);
+	new_priv->redirected_from = this->other_host->clone(this->other_host);
+	charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
+	other = resolve_gateway_id(to);
+	if (other)
+	{
+		set_my_host(new_priv, this->my_host->clone(this->my_host));
+		/* this allows us to force the remote address while we still properly
+		 * resolve the local address */
+		new_priv->remote_host = other;
+		resolve_hosts(new_priv);
+		new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
+		while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect))
+		{
+			array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect);
+		}
+		if (reestablish_children(this, new, TRUE) != DESTROY_ME)
+		{
+#ifdef USE_IKEV2
+			new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
+															 this->ike_sa_id));
+#endif
+			charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
+											  TRUE);
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
+			charon->bus->set_sa(charon->bus, &this->public);
+			return TRUE;
+		}
+	}
+	charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
+									  FALSE);
+	charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
+	charon->bus->set_sa(charon->bus, &this->public);
+	return FALSE;
+}
+
+/**
+ * Redirect the current connecting SA to the given target host
+ */
+static bool redirect_connecting(private_ike_sa_t *this, identification_t *to)
+{
+	host_t *other;
+
+	other = resolve_gateway_id(to);
+	if (!other)
+	{
+		return FALSE;
+	}
+	reset(this);
+	DESTROY_IF(this->redirected_from);
+	this->redirected_from = this->other_host->clone(this->other_host);
+	DESTROY_IF(this->remote_host);
+	/* this allows us to force the remote address while we still properly
+	 * resolve the local address */
+	this->remote_host = other;
+	resolve_hosts(this);
+	return TRUE;
+}
+
+/**
+ * Check if the current redirect exceeds the limits for redirects
+ */
+static bool redirect_count_exceeded(private_ike_sa_t *this)
+{
+	time_t now, redirect;
+
+	now = time_monotonic(NULL);
+	/* remove entries outside the defined period */
+	while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) &&
+		   now - redirect >= REDIRECT_LOOP_DETECT_PERIOD)
+	{
+		array_remove(this->redirected_at, ARRAY_HEAD, NULL);
+	}
+	if (array_count(this->redirected_at) < MAX_REDIRECTS)
+	{
+		if (!this->redirected_at)
+		{
+			this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
+		}
+		array_insert(this->redirected_at, ARRAY_TAIL, &now);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(ike_sa_t, handle_redirect, bool,
+	private_ike_sa_t *this, identification_t *gateway)
+{
+	DBG1(DBG_IKE, "redirected to %Y", gateway);
+	if (!this->follow_redirects)
+	{
+		DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
+		return FALSE;
+	}
+	if (redirect_count_exceeded(this))
+	{
+		DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds",
+			 MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD);
+		return FALSE;
+	}
+
+	switch (this->state)
+	{
+		case IKE_CONNECTING:
+			return redirect_connecting(this, gateway);
+		case IKE_ESTABLISHED:
+			return redirect_established(this, gateway);
+		default:
+			DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N",
+				 ike_sa_state_names, this->state);
+			return FALSE;
+	}
+}
+
+METHOD(ike_sa_t, redirect, status_t,
+	private_ike_sa_t *this, identification_t *gateway)
+{
+	switch (this->state)
+	{
+		case IKE_CONNECTING:
+		case IKE_ESTABLISHED:
+		case IKE_REKEYING:
+			if (has_condition(this, COND_REDIRECTED))
+			{	/* IKE_SA already got redirected */
+				return SUCCESS;
+			}
+			if (has_condition(this, COND_ORIGINAL_INITIATOR))
+			{
+				DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator");
+				return FAILED;
+			}
+			if (this->version == IKEV1)
+			{
+				DBG1(DBG_IKE, "unable to redirect IKEv1 SA");
+				return FAILED;
+			}
+			if (!supports_extension(this, EXT_IKE_REDIRECTION))
+			{
+				DBG1(DBG_IKE, "client does not support IKE redirection");
+				return FAILED;
+			}
+#ifdef USE_IKEV2
+			this->task_manager->queue_task(this->task_manager,
+						(task_t*)ike_redirect_create(&this->public, gateway));
+#endif
+			return this->task_manager->initiate(this->task_manager);
+		default:
+			DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N",
+				 ike_sa_state_names, this->state);
+			return INVALID_STATE;
+	}
+}
+
 METHOD(ike_sa_t, retransmit, status_t,
 	private_ike_sa_t *this, u_int32_t message_id)
 {
@@ -2067,8 +2431,8 @@ static bool is_current_path_valid(private_ike_sa_t *this)
 {
 	bool valid = FALSE;
 	host_t *src;
-	src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
-											this->other_host, this->my_host);
+	src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
+										  this->my_host);
 	if (src)
 	{
 		if (src->ip_equals(src, this->my_host))
@@ -2112,8 +2476,7 @@ static bool is_any_path_valid(private_ike_sa_t *this)
 			continue;
 		}
 		DBG1(DBG_IKE, "looking for a route to %H ...", addr);
-		src = hydra->kernel_interface->get_source_addr(
-										hydra->kernel_interface, addr, NULL);
+		src = charon->kernel->get_source_addr(charon->kernel, addr, NULL);
 		if (src)
 		{
 			break;
@@ -2323,7 +2686,7 @@ METHOD(ike_sa_t, inherit_post, void,
 	this->conditions = other->conditions;
 	if (this->conditions & COND_NAT_HERE)
 	{
-		send_keepalive(this);
+		send_keepalive(this, FALSE);
 	}
 
 #ifdef ME
@@ -2401,7 +2764,7 @@ METHOD(ike_sa_t, destroy, void,
 	}
 	while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
 	{
-		hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
+		charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
 		vip->destroy(vip);
 	}
 	if (array_count(this->other_vips))
@@ -2450,6 +2813,8 @@ METHOD(ike_sa_t, destroy, void,
 	DESTROY_IF(this->other_id);
 	DESTROY_IF(this->local_host);
 	DESTROY_IF(this->remote_host);
+	DESTROY_IF(this->redirected_from);
+	array_destroy(this->redirected_at);
 
 	DESTROY_IF(this->ike_cfg);
 	DESTROY_IF(this->peer_cfg);
@@ -2498,6 +2863,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 			.set_peer_cfg = _set_peer_cfg,
 			.get_auth_cfg = _get_auth_cfg,
 			.create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
+			.verify_peer_certificate = _verify_peer_certificate,
 			.add_auth_cfg = _add_auth_cfg,
 			.get_proposal = _get_proposal,
 			.set_proposal = _set_proposal,
@@ -2529,6 +2895,9 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 			.destroy = _destroy,
 			.send_dpd = _send_dpd,
 			.send_keepalive = _send_keepalive,
+			.redirect = _redirect,
+			.handle_redirect = _handle_redirect,
+			.get_redirected_from = _get_redirected_from,
 			.get_keymat = _get_keymat,
 			.add_child_sa = _add_child_sa,
 			.get_child_sa = _get_child_sa,
@@ -2594,6 +2963,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 								"%s.flush_auth_cfg", FALSE, lib->ns),
 		.fragment_size = lib->settings->get_int(lib->settings,
 								"%s.fragment_size", 0, lib->ns),
+		.follow_redirects = lib->settings->get_bool(lib->settings,
+								"%s.follow_redirects", TRUE, lib->ns),
 	);
 
 	if (version == IKEV2)
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 9dbc805c9..836360e3c 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2014 Tobias Brunner
+ * Copyright (C) 2006-2015 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -66,6 +66,16 @@ typedef struct ike_sa_t ike_sa_t;
 #define RETRY_JITTER 20
 
 /**
+ * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD.
+ */
+#define MAX_REDIRECTS 5
+
+/**
+ * Time period in seconds in which at most MAX_REDIRECTS are allowed.
+ */
+#define REDIRECT_LOOP_DETECT_PERIOD 300
+
+/**
  * Extensions (or optional features) the peer supports
  */
 enum ike_extension_t {
@@ -136,6 +146,11 @@ enum ike_extension_t {
 	 * Signature Authentication, RFC 7427
 	 */
 	EXT_SIGNATURE_AUTH = (1<<12),
+
+	/**
+	 * IKEv2 Redirect Mechanism, RFC 5685
+	 */
+	EXT_IKE_REDIRECTION = (1<<13),
 };
 
 /**
@@ -197,6 +212,16 @@ enum ike_condition_t {
 	 * This IKE_SA is currently being reauthenticated
 	 */
 	COND_REAUTHENTICATING = (1<<10),
+
+	/**
+	 * This IKE_SA has been redirected
+	 */
+	COND_REDIRECTED = (1<<11),
+
+	/**
+	 * Online certificate revocation checking is suspended for this IKE_SA
+	 */
+	COND_ONLINE_VALIDATION_SUSPENDED = (1<<12),
 };
 
 /**
@@ -502,6 +527,14 @@ struct ike_sa_t {
 	enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
 
 	/**
+	 * Verify the trustchains (validity, revocation) in completed public key
+	 * auth rounds.
+	 *
+	 * @return				TRUE if certificates were valid, FALSE otherwise
+	 */
+	bool (*verify_peer_certificate)(ike_sa_t *this);
+
+	/**
 	 * Get the selected proposal of this IKE_SA.
 	 *
 	 * @return				selected proposal
@@ -837,8 +870,36 @@ struct ike_sa_t {
 	 *
 	 * To refresh NAT tables in a NAT router between the peers, periodic empty
 	 * UDP packets are sent if no other traffic was sent.
+	 *
+	 * @param scheduled		if this is a scheduled keepalive
+	 */
+	void (*send_keepalive) (ike_sa_t *this, bool scheduled);
+
+	/**
+	 * Redirect an active IKE_SA.
+	 *
+	 * @param gateway		gateway ID (IP or FQDN) of the target
+	 * @return				state, including DESTROY_ME, if this IKE_SA MUST be
+	 * 						destroyed
+	 */
+	status_t (*redirect)(ike_sa_t *this, identification_t *gateway);
+
+	/**
+	 * Handle a redirect request.
+	 *
+	 * The behavior is different depending on the state of the IKE_SA.
+	 *
+	 * @param gateway		gateway ID (IP or FQDN) of the target
+	 * @return				FALSE if redirect not possible, TRUE otherwise
+	 */
+	bool (*handle_redirect)(ike_sa_t *this, identification_t *gateway);
+
+	/**
+	 * Get the address of the gateway that redirected us.
+	 *
+	 * @return				original gateway address
 	 */
-	void (*send_keepalive) (ike_sa_t *this);
+	host_t *(*get_redirected_from)(ike_sa_t *this);
 
 	/**
 	 * Get the keying material of this IKE_SA.
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 4625df5b8..307ea3b4a 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2005-2011 Martin Willi
  * Copyright (C) 2011 revosec AG
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -17,12 +17,14 @@
  */
 
 #include <string.h>
+#include <inttypes.h>
 
 #include "ike_sa_manager.h"
 
 #include <daemon.h>
 #include <sa/ike_sa_id.h>
 #include <bus/bus.h>
+#include <threading/thread.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
@@ -57,9 +59,9 @@ struct entry_t {
 	condvar_t *condvar;
 
 	/**
-	 * Is this ike_sa currently checked out?
+	 * Thread by which this IKE_SA is currently checked out, if any
 	 */
-	bool checked_out;
+	thread_t *checked_out;
 
 	/**
 	 * Does this SA drives out new threads?
@@ -1142,13 +1144,16 @@ METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
 	entry_t *entry;
 	u_int segment;
 
-	DBG2(DBG_MGR, "checkout IKE_SA");
+	DBG2(DBG_MGR, "checkout %N SA with SPIs %.16"PRIx64"_i %.16"PRIx64"_r",
+		 ike_version_names, ike_sa_id->get_ike_version(ike_sa_id),
+		 be64toh(ike_sa_id->get_initiator_spi(ike_sa_id)),
+		 be64toh(ike_sa_id->get_responder_spi(ike_sa_id)));
 
 	if (get_entry_by_id(this, ike_sa_id, &entry, &segment) == SUCCESS)
 	{
 		if (wait_for_entry(this, entry, segment))
 		{
-			entry->checked_out = TRUE;
+			entry->checked_out = thread_current();
 			ike_sa = entry->ike_sa;
 			DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
 					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
@@ -1156,6 +1161,11 @@ METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
 		unlock_single_segment(this, segment);
 	}
 	charon->bus->set_sa(charon->bus, ike_sa);
+
+	if (!ike_sa)
+	{
+		DBG2(DBG_MGR, "IKE_SA checkout not successful");
+	}
 	return ike_sa;
 }
 
@@ -1228,7 +1238,10 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 	id = id->clone(id);
 	id->switch_initiator(id);
 
-	DBG2(DBG_MGR, "checkout IKE_SA by message");
+	DBG2(DBG_MGR, "checkout %N SA by message with SPIs %.16"PRIx64"_i "
+		 "%.16"PRIx64"_r", ike_version_names, id->get_ike_version(id),
+		 be64toh(id->get_initiator_spi(id)),
+		 be64toh(id->get_responder_spi(id)));
 
 	if (id->get_responder_spi(id) == 0 &&
 		message->get_message_id(message) == 0)
@@ -1269,7 +1282,7 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 			DBG1(DBG_MGR, "ignoring message, failed to hash message");
 			DESTROY_IF(hasher);
 			id->destroy(id);
-			return NULL;
+			goto out;
 		}
 		hasher->destroy(hasher);
 
@@ -1288,20 +1301,17 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 						entry = entry_create();
 						entry->ike_sa = ike_sa;
 						entry->ike_sa_id = id;
+						entry->processing = get_message_id_or_hash(message);
+						entry->init_hash = hash;
 
 						segment = put_entry(this, entry);
-						entry->checked_out = TRUE;
+						entry->checked_out = thread_current();
 						unlock_single_segment(this, segment);
 
-						entry->processing = get_message_id_or_hash(message);
-						entry->init_hash = hash;
-
 						DBG2(DBG_MGR, "created IKE_SA %s[%u]",
 							 ike_sa->get_name(ike_sa),
 							 ike_sa->get_unique_id(ike_sa));
-
-						charon->bus->set_sa(charon->bus, ike_sa);
-						return ike_sa;
+						goto out;
 					}
 					else
 					{
@@ -1317,14 +1327,14 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 				remove_init_hash(this, hash);
 				chunk_free(&hash);
 				id->destroy(id);
-				return NULL;
+				goto out;
 			}
 			case FAILED:
 			{	/* we failed to allocate an SPI */
 				chunk_free(&hash);
 				id->destroy(id);
 				DBG1(DBG_MGR, "ignoring message, failed to allocate SPI");
-				return NULL;
+				goto out;
 			}
 			case ALREADY_DONE:
 			default:
@@ -1348,7 +1358,7 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 			ike_sa_id_t *ike_id;
 
 			ike_id = entry->ike_sa->get_id(entry->ike_sa);
-			entry->checked_out = TRUE;
+			entry->checked_out = thread_current();
 			if (message->get_first_payload_type(message) != PLV1_FRAGMENT &&
 				message->get_first_payload_type(message) != PLV2_FRAGMENT)
 			{	/* TODO-FRAG: this fails if there are unencrypted payloads */
@@ -1369,7 +1379,13 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 		charon->bus->alert(charon->bus, ALERT_INVALID_IKE_SPI, message);
 	}
 	id->destroy(id);
+
+out:
 	charon->bus->set_sa(charon->bus, ike_sa);
+	if (!ike_sa)
+	{
+		DBG2(DBG_MGR, "IKE_SA checkout not successful");
+	}
 	return ike_sa;
 }
 
@@ -1385,11 +1401,11 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 
 	DBG2(DBG_MGR, "checkout IKE_SA by config");
 
-	if (!this->reuse_ikesa)
-	{	/* IKE_SA reuse disable by config */
+	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
 		charon->bus->set_sa(charon->bus, ike_sa);
-		return ike_sa;
+		goto out;
 	}
 
 	enumerator = create_table_enumerator(this);
@@ -1411,7 +1427,7 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 			current_ike = current_peer->get_ike_cfg(current_peer);
 			if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
 			{
-				entry->checked_out = TRUE;
+				entry->checked_out = thread_current();
 				ike_sa = entry->ike_sa;
 				DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
 						ike_sa->get_unique_id(ike_sa),
@@ -1429,6 +1445,12 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
 	}
 	charon->bus->set_sa(charon->bus, ike_sa);
+
+out:
+	if (!ike_sa)
+	{
+		DBG2(DBG_MGR, "IKE_SA checkout not successful");
+	}
 	return ike_sa;
 }
 
@@ -1440,7 +1462,7 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
 	ike_sa_t *ike_sa = NULL;
 	u_int segment;
 
-	DBG2(DBG_MGR, "checkout IKE_SA by ID %u", id);
+	DBG2(DBG_MGR, "checkout IKE_SA by unique ID %u", id);
 
 	enumerator = create_table_enumerator(this);
 	while (enumerator->enumerate(enumerator, &entry, &segment))
@@ -1450,7 +1472,7 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
 			if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
 			{
 				ike_sa = entry->ike_sa;
-				entry->checked_out = TRUE;
+				entry->checked_out = thread_current();
 				break;
 			}
 			/* other threads might be waiting for this entry */
@@ -1464,6 +1486,10 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
 		DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
 			 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 	}
+	else
+	{
+		DBG2(DBG_MGR, "IKE_SA checkout not successful");
+	}
 	charon->bus->set_sa(charon->bus, ike_sa);
 	return ike_sa;
 }
@@ -1477,6 +1503,8 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
 	child_sa_t *child_sa;
 	u_int segment;
 
+	DBG2(DBG_MGR, "checkout IKE_SA by%s name '%s'", child ? " child" : "", name);
+
 	enumerator = create_table_enumerator(this);
 	while (enumerator->enumerate(enumerator, &entry, &segment))
 	{
@@ -1506,7 +1534,7 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
 			/* got one, return */
 			if (ike_sa)
 			{
-				entry->checked_out = TRUE;
+				entry->checked_out = thread_current();
 				DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
 						ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
 				break;
@@ -1518,6 +1546,11 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
 	enumerator->destroy(enumerator);
 
 	charon->bus->set_sa(charon->bus, ike_sa);
+
+	if (!ike_sa)
+	{
+		DBG2(DBG_MGR, "IKE_SA checkout not successful");
+	}
 	return ike_sa;
 }
 
@@ -1598,7 +1631,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 		/* ike_sa_id must be updated */
 		entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
 		/* signal waiting threads */
-		entry->checked_out = FALSE;
+		entry->checked_out = NULL;
 		entry->processing = -1;
 		/* check if this SA is half-open */
 		if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING)
@@ -1623,7 +1656,6 @@ METHOD(ike_sa_manager_t, checkin, void,
 			entry->other = other->clone(other);
 			put_half_open(this, entry);
 		}
-		DBG2(DBG_MGR, "check-in of IKE_SA successful.");
 		entry->condvar->signal(entry->condvar);
 	}
 	else
@@ -1639,6 +1671,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 		}
 		segment = put_entry(this, entry);
 	}
+	DBG2(DBG_MGR, "checkin of IKE_SA successful");
 
 	/* apply identities for duplicate test */
 	if ((ike_sa->get_state(ike_sa) == IKE_ESTABLISHED ||
@@ -1657,7 +1690,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 				 * thread can acquire it.  Since it is not yet in the list of
 				 * connected peers that will not cause a deadlock as no other
 				 * caller of check_unqiueness() will try to check out this SA */
-				entry->checked_out = TRUE;
+				entry->checked_out = thread_current();
 				unlock_single_segment(this, segment);
 
 				this->public.check_uniqueness(&this->public, ike_sa, TRUE);
@@ -1668,7 +1701,7 @@ METHOD(ike_sa_manager_t, checkin, void,
 				 * thread is waiting, but it should still exist, so there is no
 				 * need for a lookup via get_entry_by... */
 				lock_single_segment(this, segment);
-				entry->checked_out = FALSE;
+				entry->checked_out = NULL;
 				/* We already signaled waiting threads above, we have to do that
 				 * again after checking the SA out and back in again. */
 				entry->condvar->signal(entry->condvar);
@@ -1711,8 +1744,8 @@ METHOD(ike_sa_manager_t, checkin_and_destroy, void,
 		if (entry->driveout_waiting_threads && entry->driveout_new_threads)
 		{	/* it looks like flush() has been called and the SA is being deleted
 			 * anyway, just check it in */
-			DBG2(DBG_MGR, "ignored check-in and destroy of IKE_SA during shutdown");
-			entry->checked_out = FALSE;
+			DBG2(DBG_MGR, "ignored checkin and destroy of IKE_SA during shutdown");
+			entry->checked_out = NULL;
 			entry->condvar->broadcast(entry->condvar);
 			unlock_single_segment(this, segment);
 			return;
@@ -1748,11 +1781,11 @@ METHOD(ike_sa_manager_t, checkin_and_destroy, void,
 
 		entry_destroy(entry);
 
-		DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
+		DBG2(DBG_MGR, "checkin and destroy of IKE_SA successful");
 	}
 	else
 	{
-		DBG1(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
+		DBG1(DBG_MGR, "tried to checkin and delete nonexisting IKE_SA");
 		ike_sa->destroy(ike_sa);
 	}
 	charon->bus->set_sa(charon->bus, NULL);
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
index 52228ef2e..eee7dd10b 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -173,13 +173,13 @@ METHOD(authenticator_t, process, status_t,
 	sig = sig_payload->get_hash(sig_payload);
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, this->type,
-														id, auth);
+														id, auth, TRUE);
 	while (enumerator->enumerate(enumerator, &public, &current_auth))
 	{
 		if (public->verify(public, scheme, hash, sig))
 		{
 			DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-				 id, key_type_names, this->type);
+				 id, signature_scheme_names, scheme);
 			status = SUCCESS;
 			auth->merge(auth, current_auth, FALSE);
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index b7047e8fc..c968b2a9c 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -404,7 +404,7 @@ static auth_method_t get_pubkey_method(private_phase1_t *this, auth_cfg_t *auth)
 		id = (identification_t*)auth->get(auth, AUTH_RULE_IDENTITY);
 		if (id)
 		{
-			private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
+			private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, NULL);
 			if (private)
 			{
 				switch (private->get_type(private))
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
index b8af6f67b..cb1a31371 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_natd.c
@@ -41,7 +41,6 @@
 
 #include <string.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <sa/ikev1/keymat_v1.h>
 #include <config/peer_cfg.h>
@@ -104,7 +103,7 @@ static bool force_encap(ike_cfg_t *ike_cfg)
 {
 	if (!ike_cfg->force_encap(ike_cfg))
 	{
-		return hydra->kernel_interface->get_features(hydra->kernel_interface) &
+		return charon->kernel->get_features(charon->kernel) &
 					KERNEL_REQUIRE_UDP_ENCAPSULATION;
 	}
 	return TRUE;
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
index a03477e18..b9f924009 100644
--- a/src/libcharon/sa/ikev1/tasks/mode_config.c
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -76,35 +76,20 @@ typedef struct {
  */
 static configuration_attribute_t *build_vip(host_t *vip)
 {
-	configuration_attribute_type_t type;
-	chunk_t chunk, prefix;
+	configuration_attribute_type_t type = INTERNAL_IP4_ADDRESS;
+	chunk_t chunk;
 
-	if (vip->get_family(vip) == AF_INET)
+	if (vip->get_family(vip) == AF_INET6)
 	{
-		type = INTERNAL_IP4_ADDRESS;
-		if (vip->is_anyaddr(vip))
-		{
-			chunk = chunk_empty;
-		}
-		else
-		{
-			chunk = vip->get_address(vip);
-		}
+		type = INTERNAL_IP6_ADDRESS;
+	}
+	if (vip->is_anyaddr(vip))
+	{
+		chunk = chunk_empty;
 	}
 	else
 	{
-		type = INTERNAL_IP6_ADDRESS;
-		if (vip->is_anyaddr(vip))
-		{
-			chunk = chunk_empty;
-		}
-		else
-		{
-			prefix = chunk_alloca(1);
-			*prefix.ptr = 64;
-			chunk = vip->get_address(vip);
-			chunk = chunk_cata("cc", chunk, prefix);
-		}
+		chunk = vip->get_address(vip);
 	}
 	return configuration_attribute_create_chunk(PLV1_CONFIGURATION_ATTRIBUTE,
 												type, chunk);
@@ -165,8 +150,8 @@ static void process_attribute(private_mode_config_t *this,
 			}
 			else
 			{
-				/* skip prefix byte in IPv6 payload*/
-				if (family == AF_INET6)
+				/* skip prefix byte in IPv6 payload sent by older releases */
+				if (family == AF_INET6 && addr.len == 17)
 				{
 					addr.len--;
 				}
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index e7d26443b..b4fe04663 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -171,6 +171,11 @@ struct private_quick_mode_t {
 	u_int32_t rekey;
 
 	/**
+	 * Delete old child after successful rekey
+	 */
+	bool delete;
+
+	/**
 	 * Negotiated mode, tunnel or transport
 	 */
 	ipsec_mode_t mode;
@@ -406,8 +411,17 @@ static bool install(private_quick_mode_t *this)
 	if (old)
 	{
 		charon->bus->child_rekey(charon->bus, old, this->child_sa);
-		/* rekeyed CHILD_SAs stay installed until they expire */
+		/* rekeyed CHILD_SAs stay installed until they expire or are deleted
+		 * by the other peer */
 		old->set_state(old, CHILD_REKEYED);
+		/* as initiator we delete the CHILD_SA if configured to do so */
+		if (this->initiator && this->delete)
+		{
+			this->ike_sa->queue_task(this->ike_sa,
+				(task_t*)quick_delete_create(this->ike_sa,
+								this->proposal->get_protocol(this->proposal),
+								this->rekey, TRUE, FALSE));
+		}
 	}
 	else
 	{
@@ -1450,6 +1464,8 @@ quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
 		.tsi = tsi ? tsi->clone(tsi) : NULL,
 		.tsr = tsr ? tsr->clone(tsr) : NULL,
 		.proto = PROTO_ESP,
+		.delete = lib->settings->get_bool(lib->settings,
+										  "%s.delete_rekeyed", FALSE, lib->ns),
 	);
 
 	if (config)
diff --git a/src/libcharon/sa/ikev1/tasks/xauth.c b/src/libcharon/sa/ikev1/tasks/xauth.c
index c0c91574c..ecdfc780d 100644
--- a/src/libcharon/sa/ikev1/tasks/xauth.c
+++ b/src/libcharon/sa/ikev1/tasks/xauth.c
@@ -16,7 +16,6 @@
 #include "xauth.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <encoding/payloads/cp_payload.h>
 #include <processing/jobs/adopt_children_job.h>
 #include <sa/ikev1/tasks/mode_config.h>
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 2284a484d..04ccd4f4f 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -55,11 +55,6 @@ struct private_pubkey_authenticator_t {
 	 * Reserved bytes of ID payload
 	 */
 	char reserved[3];
-
-	/**
-	 * Whether to store signature schemes on remote auth configs.
-	 */
-	bool store_signature_scheme;
 };
 
 /**
@@ -130,7 +125,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 	enumerator = auth->create_enumerator(auth);
 	while (enumerator->enumerate(enumerator, &rule, &config))
 	{
-		if (rule != AUTH_RULE_SIGNATURE_SCHEME)
+		if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME)
 		{
 			continue;
 		}
@@ -369,6 +364,8 @@ METHOD(authenticator_t, process, status_t,
 	signature_scheme_t scheme;
 	status_t status = NOT_FOUND;
 	keymat_v2_t *keymat;
+	const char *reason = "unsupported";
+	bool online;
 
 	auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
 	if (!auth_payload)
@@ -397,8 +394,11 @@ METHOD(authenticator_t, process, status_t,
 			{
 				break;
 			}
+			reason = "payload invalid";
 			/* fall-through */
 		default:
+			DBG1(DBG_IKE, "%N authentication %s", auth_method_names,
+				 auth_method, reason);
 			return INVALID_ARG;
 	}
 	id = this->ike_sa->get_other_id(this->ike_sa);
@@ -409,8 +409,10 @@ METHOD(authenticator_t, process, status_t,
 		return FAILED;
 	}
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+	online = !this->ike_sa->has_condition(this->ike_sa,
+										  COND_ONLINE_VALIDATION_SUSPENDED);
 	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-														key_type, id, auth);
+													key_type, id, auth, online);
 	while (enumerator->enumerate(enumerator, &public, &current_auth))
 	{
 		if (public->verify(public, scheme, octets, auth_data))
@@ -421,9 +423,10 @@ METHOD(authenticator_t, process, status_t,
 			status = SUCCESS;
 			auth->merge(auth, current_auth, FALSE);
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-			if (this->store_signature_scheme)
+			auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+			if (!online)
 			{
-				auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+				auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
 			}
 			break;
 		}
@@ -497,8 +500,6 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
 		.ike_sa = ike_sa,
 		.ike_sa_init = received_init,
 		.nonce = sent_nonce,
-		.store_signature_scheme = lib->settings->get_bool(lib->settings,
-					"%s.signature_authentication_constraints", TRUE, lib->ns),
 	);
 	memcpy(this->reserved, reserved, sizeof(this->reserved));
 
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 4676867df..c2f972ab1 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2014 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2007-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -30,10 +30,12 @@
 #include <sa/ikev2/tasks/ike_rekey.h>
 #include <sa/ikev2/tasks/ike_reauth.h>
 #include <sa/ikev2/tasks/ike_reauth_complete.h>
+#include <sa/ikev2/tasks/ike_redirect.h>
 #include <sa/ikev2/tasks/ike_delete.h>
 #include <sa/ikev2/tasks/ike_config.h>
 #include <sa/ikev2/tasks/ike_dpd.h>
 #include <sa/ikev2/tasks/ike_vendor.h>
+#include <sa/ikev2/tasks/ike_verify_peer_cert.h>
 #include <sa/ikev2/tasks/child_create.h>
 #include <sa/ikev2/tasks/child_rekey.h>
 #include <sa/ikev2/tasks/child_delete.h>
@@ -474,6 +476,11 @@ METHOD(task_manager_t, initiate, status_t,
 					exchange = INFORMATIONAL;
 					break;
 				}
+				if (activate_task(this, TASK_IKE_REDIRECT))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
 				if (activate_task(this, TASK_CHILD_DELETE))
 				{
 					exchange = INFORMATIONAL;
@@ -521,6 +528,11 @@ METHOD(task_manager_t, initiate, status_t,
 					exchange = INFORMATIONAL;
 					break;
 				}
+				if (activate_task(this, TASK_IKE_VERIFY_PEER_CERT))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
 			case IKE_REKEYING:
 				if (activate_task(this, TASK_IKE_DELETE))
 				{
@@ -618,7 +630,7 @@ METHOD(task_manager_t, initiate, status_t,
 	if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
 	{
 		message->destroy(message);
-		return SUCCESS;
+		return initiate(this);
 	}
 
 	if (!generate_message(this, message, &this->initiating.packets))
@@ -656,6 +668,32 @@ static status_t process_response(private_task_manager_t *this,
 		return DESTROY_ME;
 	}
 
+	enumerator = array_create_enumerator(this->active_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (!task->pre_process)
+		{
+			continue;
+		}
+		switch (task->pre_process(task, message))
+		{
+			case SUCCESS:
+				break;
+			case FAILED:
+			default:
+				/* just ignore the message */
+				DBG1(DBG_IKE, "ignore invalid %N response",
+					 exchange_type_names, message->get_exchange_type(message));
+				enumerator->destroy(enumerator);
+				return SUCCESS;
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				enumerator->destroy(enumerator);
+				return DESTROY_ME;
+		}
+	}
+	enumerator->destroy(enumerator);
+
 	/* catch if we get resetted while processing */
 	this->reset = FALSE;
 	enumerator = array_create_enumerator(this->active_tasks);
@@ -992,6 +1030,11 @@ static status_t process_request(private_task_manager_t *this,
 									 * invokes all the required hooks. */
 									task = (task_t*)ike_delete_create(
 														this->ike_sa, FALSE);
+									break;
+								case REDIRECT:
+									task = (task_t*)ike_redirect_create(
+															this->ike_sa, NULL);
+									break;
 								default:
 									break;
 							}
@@ -1041,6 +1084,44 @@ static status_t process_request(private_task_manager_t *this,
 		}
 	}
 
+	enumerator = array_create_enumerator(this->passive_tasks);
+	while (enumerator->enumerate(enumerator, &task))
+	{
+		if (!task->pre_process)
+		{
+			continue;
+		}
+		switch (task->pre_process(task, message))
+		{
+			case SUCCESS:
+				break;
+			case FAILED:
+			default:
+				/* just ignore the message */
+				DBG1(DBG_IKE, "ignore invalid %N request",
+					 exchange_type_names, message->get_exchange_type(message));
+				enumerator->destroy(enumerator);
+				switch (message->get_exchange_type(message))
+				{
+					case IKE_SA_INIT:
+						/* no point in keeping the SA when it was created with
+						 * an invalid IKE_SA_INIT message */
+						return DESTROY_ME;
+					default:
+						/* remove tasks we queued for this request */
+						flush_queue(this, TASK_QUEUE_PASSIVE);
+						/* fall-through */
+					case IKE_AUTH:
+						return NEED_MORE;
+				}
+			case DESTROY_ME:
+				/* critical failure, destroy IKE_SA */
+				enumerator->destroy(enumerator);
+				return DESTROY_ME;
+		}
+	}
+	enumerator->destroy(enumerator);
+
 	/* let the tasks process the message */
 	enumerator = array_create_enumerator(this->passive_tasks);
 	while (enumerator->enumerate(enumerator, (void*)&task))
@@ -1331,12 +1412,17 @@ METHOD(task_manager_t, process_message, status_t,
 			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
 				return SUCCESS;
 			}
-			if (process_request(this, msg) != SUCCESS)
+			switch (process_request(this, msg))
 			{
-				flush(this);
-				return DESTROY_ME;
+				case SUCCESS:
+					this->responding.mid++;
+					break;
+				case NEED_MORE:
+					break;
+				default:
+					flush(this);
+					return DESTROY_ME;
 			}
-			this->responding.mid++;
 		}
 		else if ((mid == this->responding.mid - 1) &&
 				 array_count(this->responding.packets))
@@ -1570,8 +1656,12 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
 	}
 	enumerator->destroy(enumerator);
 
+	/* suspend online revocation checking until the SA is established */
+	new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);
+
 	if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
 	{
+		new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new));
 		new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
 										this->ike_sa->get_id(this->ike_sa)));
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 97f73d851..3d4ded944 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -18,7 +18,6 @@
 #include "child_create.h"
 
 #include <daemon.h>
-#include <hydra.h>
 #include <sa/ikev2/keymat_v2.h>
 #include <crypto/diffie_hellman.h>
 #include <credentials/certificates/x509.h>
@@ -786,7 +785,7 @@ static bool build_payloads(private_child_create_t *this, message_t *message)
 			break;
 	}
 
-	features = hydra->kernel_interface->get_features(hydra->kernel_interface);
+	features = charon->kernel->get_features(charon->kernel);
 	if (!(features & KERNEL_ESP_V3_TFC))
 	{
 		message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED,
@@ -1221,6 +1220,10 @@ METHOD(task_t, build_r, status_t,
 			{	/* wait until all authentication round completed */
 				return NEED_MORE;
 			}
+			if (this->ike_sa->has_condition(this->ike_sa, COND_REDIRECTED))
+			{	/* no CHILD_SA is created for redirected SAs */
+				return SUCCESS;
+			}
 			ike_auth = TRUE;
 		default:
 			break;
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index c7a8a1342..6f0c2b2c7 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -279,11 +279,15 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
 			/* don't touch child other created, it has already been deleted */
 			if (!this->other_child_destroyed)
 			{
-				/* disable close action for the redundand child */
+				/* disable close action and updown event for redundant child */
 				child_sa = other->child_create->get_child(other->child_create);
 				if (child_sa)
 				{
 					child_sa->set_close_action(child_sa, ACTION_NONE);
+					if (child_sa->get_state(child_sa) != CHILD_REKEYING)
+					{
+						child_sa->set_state(child_sa, CHILD_REKEYING);
+					}
 				}
 			}
 		}
@@ -372,6 +376,11 @@ METHOD(task_t, process_i, status_t,
 	{
 		return SUCCESS;
 	}
+	/* disable updown event for redundant CHILD_SA */
+	if (to_delete->get_state(to_delete) != CHILD_REKEYING)
+	{
+		to_delete->set_state(to_delete, CHILD_REKEYING);
+	}
 	spi = to_delete->get_spi(to_delete, TRUE);
 	protocol = to_delete->get_protocol(to_delete);
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 2554496c1..79a436fbf 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -25,6 +25,7 @@
 #include <encoding/payloads/eap_payload.h>
 #include <encoding/payloads/nonce_payload.h>
 #include <sa/ikev2/authenticators/eap_authenticator.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_ike_auth_t private_ike_auth_t;
 
@@ -117,6 +118,11 @@ struct private_ike_auth_t {
 	 * Is EAP acceptable, did we strictly authenticate peer?
 	 */
 	bool eap_acceptable;
+
+	/**
+	 * Gateway ID if redirected
+	 */
+	identification_t *redirect_to;
 };
 
 /**
@@ -685,6 +691,7 @@ METHOD(task_t, process_r, status_t,
 METHOD(task_t, build_r, status_t,
 	private_ike_auth_t *this, message_t *message)
 {
+	identification_t *gateway;
 	auth_cfg_t *cfg;
 
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
@@ -817,34 +824,56 @@ METHOD(task_t, build_r, status_t,
 	{
 		this->do_another_auth = FALSE;
 	}
-	if (!this->do_another_auth && !this->expect_another_auth)
+	if (this->do_another_auth || this->expect_another_auth)
 	{
-		if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
-													 this->ike_sa, FALSE))
-		{
-			DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
-			charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
-			message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
-								chunk_empty);
-			return FAILED;
-		}
-		if (!charon->bus->authorize(charon->bus, TRUE))
-		{
-			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
-			goto peer_auth_failed;
-		}
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
-			 this->ike_sa->get_name(this->ike_sa),
-			 this->ike_sa->get_unique_id(this->ike_sa),
-			 this->ike_sa->get_my_host(this->ike_sa),
-			 this->ike_sa->get_my_id(this->ike_sa),
-			 this->ike_sa->get_other_host(this->ike_sa),
-			 this->ike_sa->get_other_id(this->ike_sa));
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
-		return SUCCESS;
+		return NEED_MORE;
 	}
-	return NEED_MORE;
+
+	if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+												 this->ike_sa, FALSE))
+	{
+		DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
+		charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
+		message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+							chunk_empty);
+		return FAILED;
+	}
+	if (!charon->bus->authorize(charon->bus, TRUE))
+	{
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+		goto peer_auth_failed;
+	}
+	if (this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_REDIRECTION) &&
+		charon->redirect->redirect_on_auth(charon->redirect, this->ike_sa,
+										   &gateway))
+	{
+		delete_ike_sa_job_t *job;
+		chunk_t data;
+
+		DBG1(DBG_IKE, "redirecting peer to %Y", gateway);
+		data = redirect_data_create(gateway, chunk_empty);
+		message->add_notify(message, FALSE, REDIRECT, data);
+		gateway->destroy(gateway);
+		chunk_free(&data);
+		/* we use this condition to prevent the CHILD_SA from getting created */
+		this->ike_sa->set_condition(this->ike_sa, COND_REDIRECTED, TRUE);
+		/* if the peer does not delete the SA we do so after a while */
+		job = delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE);
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
+						lib->settings->get_int(lib->settings,
+							"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
+							lib->ns));
+	}
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+	charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+	return SUCCESS;
 
 peer_auth_failed:
 	message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
@@ -964,6 +993,15 @@ METHOD(task_t, process_i, status_t,
 				case ME_ENDPOINT:
 					/* handled in ike_me task */
 					break;
+				case REDIRECT:
+					DESTROY_IF(this->redirect_to);
+					this->redirect_to = redirect_data_parse(
+								notify->get_notification_data(notify), NULL);
+					if (!this->redirect_to)
+					{
+						DBG1(DBG_IKE, "received invalid REDIRECT notify");
+					}
+					break;
 				default:
 				{
 					if (type <= 16383)
@@ -1094,30 +1132,35 @@ METHOD(task_t, process_i, status_t,
 	{
 		this->expect_another_auth = FALSE;
 	}
-	if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
+	if (this->expect_another_auth || this->do_another_auth || this->my_auth)
 	{
-		if (!update_cfg_candidates(this, TRUE))
-		{
-			goto peer_auth_failed;
-		}
-		if (!charon->bus->authorize(charon->bus, TRUE))
-		{
-			DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
-					      "cancelling");
-			goto peer_auth_failed;
-		}
-		DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
-			 this->ike_sa->get_name(this->ike_sa),
-			 this->ike_sa->get_unique_id(this->ike_sa),
-			 this->ike_sa->get_my_host(this->ike_sa),
-			 this->ike_sa->get_my_id(this->ike_sa),
-			 this->ike_sa->get_other_host(this->ike_sa),
-			 this->ike_sa->get_other_id(this->ike_sa));
-		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
-		return SUCCESS;
+		return NEED_MORE;
 	}
-	return NEED_MORE;
+	if (!update_cfg_candidates(this, TRUE))
+	{
+		goto peer_auth_failed;
+	}
+	if (!charon->bus->authorize(charon->bus, TRUE))
+	{
+		DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
+				      "cancelling");
+		goto peer_auth_failed;
+	}
+	DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+		 this->ike_sa->get_name(this->ike_sa),
+		 this->ike_sa->get_unique_id(this->ike_sa),
+		 this->ike_sa->get_my_host(this->ike_sa),
+		 this->ike_sa->get_my_id(this->ike_sa),
+		 this->ike_sa->get_other_host(this->ike_sa),
+		 this->ike_sa->get_other_id(this->ike_sa));
+	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+	charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+
+	if (this->redirect_to)
+	{
+		this->ike_sa->handle_redirect(this->ike_sa, this->redirect_to);
+	}
+	return SUCCESS;
 
 peer_auth_failed:
 	charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
@@ -1141,6 +1184,7 @@ METHOD(task_t, migrate, void,
 	DESTROY_IF(this->peer_cfg);
 	DESTROY_IF(this->my_auth);
 	DESTROY_IF(this->other_auth);
+	DESTROY_IF(this->redirect_to);
 	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
 
 	this->my_packet = NULL;
@@ -1149,6 +1193,7 @@ METHOD(task_t, migrate, void,
 	this->peer_cfg = NULL;
 	this->my_auth = NULL;
 	this->other_auth = NULL;
+	this->redirect_to = NULL;
 	this->do_another_auth = TRUE;
 	this->expect_another_auth = TRUE;
 	this->authentication_failed = FALSE;
@@ -1165,6 +1210,7 @@ METHOD(task_t, destroy, void,
 	DESTROY_IF(this->my_auth);
 	DESTROY_IF(this->other_auth);
 	DESTROY_IF(this->peer_cfg);
+	DESTROY_IF(this->redirect_to);
 	this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
 	free(this);
 }
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
index 646f20c61..6c42b81a6 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_config.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -333,6 +333,11 @@ METHOD(task_t, build_r, status_t,
 		linked_list_t *vips, *pools;
 		host_t *requested;
 
+		if (this->ike_sa->has_condition(this->ike_sa, COND_REDIRECTED))
+		{	/* don't assign attributes for redirected SAs */
+			return SUCCESS;
+		}
+
 		id = this->ike_sa->get_other_eap_id(this->ike_sa);
 		config = this->ike_sa->get_peer_cfg(this->ike_sa);
 		vips = linked_list_create();
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 1ff643d62..78579be95 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -118,6 +118,11 @@ struct private_ike_init_t {
 	 * Whether to use Signature Authentication as per RFC 7427
 	 */
 	bool signature_authentication;
+
+	/**
+	 * Whether to follow IKEv2 redirects as per RFC 5685
+	 */
+	bool follow_redirects;
 };
 
 /**
@@ -166,7 +171,7 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 			enumerator = auth->create_enumerator(auth);
 			while (enumerator->enumerate(enumerator, &rule, &config))
 			{
-				if (rule == AUTH_RULE_SIGNATURE_SCHEME)
+				if (rule == AUTH_RULE_IKE_SIGNATURE_SCHEME)
 				{
 					hash = hasher_from_signature_scheme(config);
 					if (hasher_algorithm_for_ikev2(hash))
@@ -324,6 +329,29 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
 			send_supported_hash_algorithms(this, message);
 		}
 	}
+	/* notify other peer if we support redirection */
+	if (!this->old_sa && this->initiator && this->follow_redirects)
+	{
+		identification_t *gateway;
+		host_t *from;
+		chunk_t data;
+
+		from = this->ike_sa->get_redirected_from(this->ike_sa);
+		if (from)
+		{
+			gateway = identification_create_from_sockaddr(
+													from->get_sockaddr(from));
+			data = redirect_data_create(gateway, chunk_empty);
+			message->add_notify(message, FALSE, REDIRECTED_FROM, data);
+			chunk_free(&data);
+			gateway->destroy(gateway);
+		}
+		else
+		{
+			message->add_notify(message, FALSE, REDIRECT_SUPPORTED,
+								chunk_empty);
+		}
+	}
 	return TRUE;
 }
 
@@ -391,6 +419,30 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
 							handle_supported_hash_algorithms(this, notify);
 						}
 						break;
+					case REDIRECTED_FROM:
+					{
+						identification_t *gateway;
+						chunk_t data;
+
+						data = notify->get_notification_data(notify);
+						gateway = redirect_data_parse(data, NULL);
+						if (!gateway)
+						{
+							DBG1(DBG_IKE, "received invalid REDIRECTED_FROM "
+								 "notify, ignored");
+							break;
+						}
+						DBG1(DBG_IKE, "client got redirected from %Y", gateway);
+						gateway->destroy(gateway);
+						/* fall-through */
+					}
+					case REDIRECT_SUPPORTED:
+						if (!this->old_sa)
+						{
+							this->ike_sa->enable_extension(this->ike_sa,
+														   EXT_IKE_REDIRECTION);
+						}
+						break;
 					default:
 						/* other notifies are handled elsewhere */
 						break;
@@ -550,6 +602,8 @@ static bool derive_keys(private_ike_init_t *this,
 METHOD(task_t, build_r, status_t,
 	private_ike_init_t *this, message_t *message)
 {
+	identification_t *gateway;
+
 	/* check if we have everything we need */
 	if (this->proposal == NULL ||
 		this->other_nonce.len == 0 || this->my_nonce.len == 0)
@@ -560,6 +614,22 @@ METHOD(task_t, build_r, status_t,
 	}
 	this->ike_sa->set_proposal(this->ike_sa, this->proposal);
 
+	/* check if we'd have to redirect the client */
+	if (!this->old_sa &&
+		this->ike_sa->supports_extension(this->ike_sa, EXT_IKE_REDIRECTION) &&
+		charon->redirect->redirect_on_init(charon->redirect, this->ike_sa,
+										   &gateway))
+	{
+		chunk_t data;
+
+		DBG1(DBG_IKE, "redirecting peer to %Y", gateway);
+		data = redirect_data_create(gateway, this->other_nonce);
+		message->add_notify(message, TRUE, REDIRECT, data);
+		gateway->destroy(gateway);
+		chunk_free(&data);
+		return FAILED;
+	}
+
 	if (this->dh == NULL ||
 		!this->proposal->has_dh_group(this->proposal, this->dh_group))
 	{
@@ -623,6 +693,54 @@ static void raise_alerts(private_ike_init_t *this, notify_type_t type)
 	}
 }
 
+METHOD(task_t, pre_process_i, status_t,
+	private_ike_init_t *this, message_t *message)
+{
+	enumerator_t *enumerator;
+	payload_t *payload;
+
+	/* check for erroneous notifies */
+	enumerator = message->create_payload_enumerator(message);
+	while (enumerator->enumerate(enumerator, &payload))
+	{
+		if (payload->get_type(payload) == PLV2_NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			notify_type_t type = notify->get_notify_type(notify);
+
+			switch (type)
+			{
+				case REDIRECT:
+				{
+					identification_t *gateway;
+					chunk_t data, nonce = chunk_empty;
+					status_t status = SUCCESS;
+
+					if (this->old_sa)
+					{
+						break;
+					}
+					data = notify->get_notification_data(notify);
+					gateway = redirect_data_parse(data, &nonce);
+					if (!gateway || !chunk_equals(nonce, this->my_nonce))
+					{
+						DBG1(DBG_IKE, "received invalid REDIRECT notify");
+						status = FAILED;
+					}
+					DESTROY_IF(gateway);
+					chunk_free(&nonce);
+					enumerator->destroy(enumerator);
+					return status;
+				}
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return SUCCESS;
+}
+
 METHOD(task_t, process_i, status_t,
 	private_ike_init_t *this, message_t *message)
 {
@@ -678,6 +796,29 @@ METHOD(task_t, process_i, status_t,
 					this->retry++;
 					return NEED_MORE;
 				}
+				case REDIRECT:
+				{
+					identification_t *gateway;
+					chunk_t data, nonce = chunk_empty;
+					status_t status = FAILED;
+
+					if (this->old_sa)
+					{
+						DBG1(DBG_IKE, "received REDIRECT notify during rekeying"
+						     ", ignored");
+						break;
+					}
+					data = notify->get_notification_data(notify);
+					gateway = redirect_data_parse(data, &nonce);
+					if (this->ike_sa->handle_redirect(this->ike_sa, gateway))
+					{
+						status = NEED_MORE;
+					}
+					DESTROY_IF(gateway);
+					chunk_free(&nonce);
+					enumerator->destroy(enumerator);
+					return status;
+				}
 				default:
 				{
 					if (type <= 16383)
@@ -802,6 +943,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 		.old_sa = old_sa,
 		.signature_authentication = lib->settings->get_bool(lib->settings,
 								"%s.signature_authentication", TRUE, lib->ns),
+		.follow_redirects = lib->settings->get_bool(lib->settings,
+								"%s.follow_redirects", TRUE, lib->ns),
 	);
 	this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
 
@@ -809,6 +952,7 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
 	{
 		this->public.task.build = _build_i;
 		this->public.task.process = _process_i;
+		this->public.task.pre_process = _pre_process_i;
 	}
 	else
 	{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.c b/src/libcharon/sa/ikev2/tasks/ike_me.c
index a7e7505a1..10d412ffd 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_me.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.c
@@ -17,7 +17,6 @@
 
 #include <string.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <config/peer_cfg.h>
 #include <encoding/payloads/id_payload.h>
@@ -135,8 +134,8 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
 	host = this->ike_sa->get_my_host(this->ike_sa);
 	port = host->get_port(host);
 
-	enumerator = hydra->kernel_interface->create_address_enumerator(
-									hydra->kernel_interface, ADDR_TYPE_REGULAR);
+	enumerator = charon->kernel->create_address_enumerator(charon->kernel,
+														   ADDR_TYPE_REGULAR);
 	while (enumerator->enumerate(enumerator, (void**)&addr))
 	{
 		host = addr->clone(addr);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index cbdc5e797..3f7bb175f 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -18,7 +18,6 @@
 
 #include <string.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <sa/ikev2/tasks/ike_natd.h>
 #include <encoding/payloads/notify_payload.h>
@@ -196,8 +195,8 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 	int added = 0;
 
 	me = this->ike_sa->get_my_host(this->ike_sa);
-	enumerator = hydra->kernel_interface->create_address_enumerator(
-									hydra->kernel_interface, ADDR_TYPE_REGULAR);
+	enumerator = charon->kernel->create_address_enumerator(charon->kernel,
+														   ADDR_TYPE_REGULAR);
 	while (enumerator->enumerate(enumerator, (void**)&host))
 	{
 		if (me->ip_equals(me, host))
@@ -333,8 +332,7 @@ METHOD(ike_mobike_t, transmit, bool,
 
 	if (!this->check)
 	{
-		me = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
-													  other_old, me_old);
+		me = charon->kernel->get_source_addr(charon->kernel, other_old, me_old);
 		if (me)
 		{
 			if (me->ip_equals(me, me_old))
@@ -372,8 +370,7 @@ METHOD(ike_mobike_t, transmit, bool,
 		{
 			continue;
 		}
-		me = hydra->kernel_interface->get_source_addr(
-										hydra->kernel_interface, other, NULL);
+		me = charon->kernel->get_source_addr(charon->kernel, other, NULL);
 		if (me)
 		{
 			/* reuse port for an active address, 4500 otherwise */
@@ -407,7 +404,7 @@ METHOD(task_t, build_i, status_t,
 
 		/* we check if the existing address is still valid */
 		old = message->get_source(message);
-		new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+		new = charon->kernel->get_source_addr(charon->kernel,
 										message->get_destination(message), old);
 		if (new)
 		{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
index dd34c1234..4bf5264dd 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_natd.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -18,7 +18,6 @@
 
 #include <string.h>
 
-#include <hydra.h>
 #include <daemon.h>
 #include <config/peer_cfg.h>
 #include <crypto/hashers/hasher.h>
@@ -86,7 +85,7 @@ static bool force_encap(ike_cfg_t *ike_cfg)
 {
 	if (!ike_cfg->force_encap(ike_cfg))
 	{
-		return hydra->kernel_interface->get_features(hydra->kernel_interface) &
+		return charon->kernel->get_features(charon->kernel) &
 					KERNEL_REQUIRE_UDP_ENCAPSULATION;
 	}
 	return TRUE;
@@ -327,7 +326,7 @@ METHOD(task_t, build_i, status_t,
 	}
 	else
 	{
-		host = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+		host = charon->kernel->get_source_addr(charon->kernel,
 							this->ike_sa->get_other_host(this->ike_sa), NULL);
 		if (host)
 		{	/* 2. */
@@ -341,8 +340,8 @@ METHOD(task_t, build_i, status_t,
 		}
 		else
 		{	/* 3. */
-			enumerator = hydra->kernel_interface->create_address_enumerator(
-									hydra->kernel_interface, ADDR_TYPE_REGULAR);
+			enumerator = charon->kernel->create_address_enumerator(
+											charon->kernel, ADDR_TYPE_REGULAR);
 			while (enumerator->enumerate(enumerator, (void**)&host))
 			{
 				/* apply port 500 to host, but work on a copy */
diff --git a/src/libcharon/sa/ikev2/tasks/ike_redirect.c b/src/libcharon/sa/ikev2/tasks/ike_redirect.c
new file mode 100644
index 000000000..f82c80f71
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_redirect.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_redirect.h"
+
+#include <daemon.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+typedef struct private_ike_redirect_t private_ike_redirect_t;
+
+/**
+ * Private members
+ */
+struct private_ike_redirect_t {
+
+	/**
+	 * Public interface
+	 */
+	ike_redirect_t public;
+
+	/**
+	 * Assigned IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Gateway ID to redirect to
+	 */
+	identification_t *gateway;
+};
+
+METHOD(task_t, build_i, status_t,
+	private_ike_redirect_t *this, message_t *message)
+{
+	chunk_t data;
+
+	DBG1(DBG_IKE, "redirecting peer to %Y", this->gateway);
+	data = redirect_data_create(this->gateway, chunk_empty);
+	message->add_notify(message, FALSE, REDIRECT, data);
+	chunk_free(&data);
+	this->ike_sa->set_condition(this->ike_sa, COND_REDIRECTED, TRUE);
+	return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+	private_ike_redirect_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	identification_t *to;
+
+	notify = message->get_notify(message, REDIRECT);
+	if (!notify)
+	{
+		return SUCCESS;
+	}
+
+	to = redirect_data_parse(notify->get_notification_data(notify), NULL);
+	if (!to)
+	{
+		DBG1(DBG_IKE, "received invalid REDIRECT notify");
+	}
+	else
+	{
+		this->ike_sa->handle_redirect(this->ike_sa, to);
+		to->destroy(to);
+	}
+	return SUCCESS;
+}
+
+METHOD(task_t, build_r, status_t,
+	private_ike_redirect_t *this, message_t *message)
+{
+	/* not called because SUCCESS is returned above */
+	return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_ike_redirect_t *this, message_t *message)
+{
+	delete_ike_sa_job_t *job;
+
+	/* if the peer does not delete the SA we do so after a while */
+	job = delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE);
+	lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
+					lib->settings->get_int(lib->settings,
+							"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
+							lib->ns));
+	return SUCCESS;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_redirect_t *this)
+{
+	return TASK_IKE_REDIRECT;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_redirect_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_redirect_t *this)
+{
+	DESTROY_IF(this->gateway);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_redirect_t *ike_redirect_create(ike_sa_t *ike_sa, identification_t *to)
+{
+	private_ike_redirect_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.build = _build_r,
+				.process = _process_r,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+	);
+
+	if (to)
+	{
+		this->gateway = to->clone(to);
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
+	}
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_redirect.h b/src/libcharon/sa/ikev2/tasks/ike_redirect.h
new file mode 100644
index 000000000..afa00ce5d
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_redirect.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_redirect ike_redirect
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_REDIRECT_H_
+#define IKE_REDIRECT_H_
+
+typedef struct ike_redirect_t ike_redirect_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task that handles redirection requests for established SAs.
+ */
+struct ike_redirect_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_redirect_t task.
+ *
+ * As initiator (i.e. original responder) pass the ID of the target gateway,
+ * as responder (i.e. original initiator) this argument is NULL.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param to			gateway ID (gets cloned), or NULL as responder
+ * @return				task instance
+ */
+ike_redirect_t *ike_redirect_create(ike_sa_t *ike_sa,
+									identification_t *to);
+
+#endif /** IKE_REDIRECT_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
index cb3c270dc..e85b276e8 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -13,6 +13,29 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2016 secunet Security Networks AG
+ * Copyright (C) 2016 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include "ike_vendor.h"
 
 #include <daemon.h>
@@ -49,6 +72,8 @@ typedef struct {
 	char *desc;
 	/* extension flag negotiated with vendor ID, if any */
 	ike_extension_t extension;
+	/* Value from strongswan.conf, whether to send vendor ID */
+	char *setting;
 	/* length of vendor ID string, 0 for NULL terminated */
 	int len;
 	/* vendor ID string */
@@ -68,23 +93,23 @@ static chunk_t get_vid_data(vid_data_t *data)
  */
 static vid_data_t vids[] = {
 	/* strongSwan MD5("strongSwan") */
-	{ "strongSwan", EXT_STRONGSWAN, 16,
+	{ "strongSwan", EXT_STRONGSWAN, "send_vendor_id", 16,
 	  "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
-	{ "Cisco Delete Reason", 0, 0,
+	{ "Cisco Delete Reason", 0, NULL, 0,
 	  "CISCO-DELETE-REASON" },
-	{ "Cisco Copyright (c) 2009", 0, 0,
+	{ "Cisco Copyright (c) 2009", 0, NULL, 0,
 	  "CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." },
-	{ "FRAGMENTATION", 0, 16,
+	{ "FRAGMENTATION", 0, NULL, 16,
 	  "\x40\x48\xb7\xd5\x6e\xbc\xe8\x85\x25\xe7\xde\x7f\x00\xd6\xc2\xd3"},
-	{ "MS NT5 ISAKMPOAKLEY v7", 0, 20,
+	{ "MS NT5 ISAKMPOAKLEY v7", 0, NULL, 20,
 	  "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x07"},
-	{ "MS NT5 ISAKMPOAKLEY v8", 0, 20,
+	{ "MS NT5 ISAKMPOAKLEY v8", 0, NULL, 20,
 	  "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x08"},
-	{ "MS NT5 ISAKMPOAKLEY v9", 0, 20,
+	{ "MS NT5 ISAKMPOAKLEY v9", 0, NULL, 20,
 	  "\x1e\x2b\x51\x69\x05\x99\x1c\x7d\x7c\x96\xfc\xbf\xb5\x87\xe4\x61\x00\x00\x00\x09"},
-	{ "MS-Negotiation Discovery Capable", 0, 16,
+	{ "MS-Negotiation Discovery Capable", 0, NULL, 16,
 	  "\xfb\x1d\xe3\xcd\xf3\x41\xb7\xea\x16\xb7\xe5\xbe\x08\x55\xf1\x20"},
-	{ "Vid-Initial-Contact", 0, 16,
+	{ "Vid-Initial-Contact", 0, NULL, 16,
 	  "\x26\x24\x4d\x38\xed\xdb\x61\xb3\x17\x2a\x36\xe3\xd0\xcf\xb8\x19"},
 };
 
@@ -92,14 +117,19 @@ METHOD(task_t, build, status_t,
 	private_ike_vendor_t *this, message_t *message)
 {
 	vendor_id_payload_t *vid;
-	bool strongswan;
+	bool send_vid;
 	int i;
 
-	strongswan = lib->settings->get_bool(lib->settings,
-							"%s.send_vendor_id", FALSE, lib->ns);
 	for (i = 0; i < countof(vids); i++)
 	{
-		if (vids[i].extension == EXT_STRONGSWAN && strongswan)
+		send_vid = FALSE;
+
+		if (vids[i].setting)
+		{
+			send_vid = lib->settings->get_bool(lib->settings, "%s.%s", send_vid,
+											   lib->ns, vids[i].setting);
+		}
+		if (send_vid)
 		{
 			DBG2(DBG_IKE, "sending %s vendor ID", vids[i].desc);
 			vid = vendor_id_payload_create_data(PLV2_VENDOR_ID,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c
new file mode 100644
index 000000000..069d51d00
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_verify_peer_cert.h"
+
+#include <daemon.h>
+#include <sa/ikev2/tasks/ike_delete.h>
+
+typedef struct private_ike_verify_peer_cert_t private_ike_verify_peer_cert_t;
+
+/**
+ * Private members
+ */
+struct private_ike_verify_peer_cert_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_verify_peer_cert_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Child ike_delete task, if necessary
+	 */
+	ike_delete_t *ike_delete;
+};
+
+METHOD(task_t, build_i, status_t,
+	private_ike_verify_peer_cert_t *this, message_t *message)
+{
+	if (!this->ike_sa->verify_peer_certificate(this->ike_sa))
+	{
+		DBG1(DBG_IKE, "peer certificate verification failed, deleting SA");
+		this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
+		return this->ike_delete->task.build(&this->ike_delete->task, message);
+	}
+	DBG1(DBG_IKE, "peer certificate successfully verified");
+	message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
+	return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+	private_ike_verify_peer_cert_t *this, message_t *message)
+{
+	if (this->ike_delete)
+	{
+		this->ike_delete->task.process(&this->ike_delete->task, message);
+		/* try to reestablish the IKE_SA and all children */
+		this->ike_sa->reestablish(this->ike_sa);
+	}
+	return DESTROY_ME;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_verify_peer_cert_t *this)
+{
+	return TASK_IKE_VERIFY_PEER_CERT;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_verify_peer_cert_t *this, ike_sa_t *ike_sa)
+{
+	if (this->ike_delete)
+	{
+		this->ike_delete->task.migrate(&this->ike_delete->task, ike_sa);
+	}
+	this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_verify_peer_cert_t *this)
+{
+	if (this->ike_delete)
+	{
+		this->ike_delete->task.destroy(&this->ike_delete->task);
+	}
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_verify_peer_cert_t *ike_verify_peer_cert_create(ike_sa_t *ike_sa)
+{
+	private_ike_verify_peer_cert_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.build = _build_i,
+				.process = _process_i,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h
new file mode 100644
index 000000000..3d9aae0b3
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_verify_peer_cert.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_verify_peer_cert ike_verify_peer_cert
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_VERIFY_PEER_CERT_H_
+#define IKE_VERIFY_PEER_CERT_H_
+
+typedef struct ike_verify_peer_cert_t ike_verify_peer_cert_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ike_verify_peer_cert, verifies a peer's certificate.
+ *
+ * This task (re-)verifies the peer's certificate explicitly including online
+ * OCSP and CRL checks.
+ */
+struct ike_verify_peer_cert_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new ike_verify_peer_cert task.
+ *
+ * This task is initiator only.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @return				ike_verify_peer_cert task to handle by the task_manager
+ */
+ike_verify_peer_cert_t *ike_verify_peer_cert_create(ike_sa_t *ike_sa);
+
+#endif /** IKE_VERIFY_PEER_CERT_H_ @}*/
diff --git a/src/libcharon/sa/redirect_manager.c b/src/libcharon/sa/redirect_manager.c
new file mode 100644
index 000000000..ff92ac29f
--- /dev/null
+++ b/src/libcharon/sa/redirect_manager.c
@@ -0,0 +1,274 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "redirect_manager.h"
+
+#include <collections/linked_list.h>
+#include <threading/rwlock.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+
+typedef struct private_redirect_manager_t private_redirect_manager_t;
+
+/**
+ * Private data
+ */
+struct private_redirect_manager_t {
+
+	/**
+	 * Public interface
+	 */
+	redirect_manager_t public;
+
+	/**
+	 * Registered providers
+	 */
+	linked_list_t *providers;
+
+	/**
+	 * Lock to access list of providers
+	 */
+	rwlock_t *lock;
+};
+
+
+/**
+ * Gateway identify types
+ *
+ * The encoding is the same as that for corresponding ID payloads.
+ */
+typedef enum {
+	/** IPv4 address of the VPN gateway */
+	GATEWAY_ID_TYPE_IPV4 = 1,
+	/** IPv6 address of the VPN gateway */
+	GATEWAY_ID_TYPE_IPV6 = 2,
+	/** FQDN of the VPN gateway */
+	GATEWAY_ID_TYPE_FQDN = 3,
+} gateway_id_type_t;
+
+/**
+ * Mapping of gateway identity types to identity types
+ */
+static id_type_t gateway_to_id_type(gateway_id_type_t type)
+{
+	switch (type)
+	{
+		case GATEWAY_ID_TYPE_IPV4:
+			return ID_IPV4_ADDR;
+		case GATEWAY_ID_TYPE_IPV6:
+			return ID_IPV6_ADDR;
+		case GATEWAY_ID_TYPE_FQDN:
+			return ID_FQDN;
+		default:
+			return 0;
+	}
+}
+
+/**
+ * Mapping of identity types to gateway identity types
+ */
+static gateway_id_type_t id_type_to_gateway(id_type_t type)
+{
+	switch (type)
+	{
+		case ID_IPV4_ADDR:
+			return GATEWAY_ID_TYPE_IPV4;
+		case ID_IPV6_ADDR:
+			return GATEWAY_ID_TYPE_IPV6;
+		case ID_FQDN:
+			return GATEWAY_ID_TYPE_FQDN;
+		default:
+			return 0;
+	}
+}
+
+METHOD(redirect_manager_t, add_provider, void,
+	private_redirect_manager_t *this, redirect_provider_t *provider)
+{
+	this->lock->write_lock(this->lock);
+	this->providers->insert_last(this->providers, provider);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(redirect_manager_t, remove_provider, void,
+	private_redirect_manager_t *this, redirect_provider_t *provider)
+{
+	this->lock->write_lock(this->lock);
+	this->providers->remove(this->providers, provider, NULL);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Determine whether a client should be redirected using the callback with the
+ * given offset into the redirect_provider_t interface.
+ */
+static bool should_redirect(private_redirect_manager_t *this, ike_sa_t *ike_sa,
+							identification_t **gateway, size_t offset)
+{
+	enumerator_t *enumerator;
+	void *provider;
+	bool redirect = FALSE;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &provider))
+	{
+		bool (**method)(void*,ike_sa_t*,identification_t**) = provider + offset;
+		if (*method && (*method)(provider, ike_sa, gateway))
+		{
+			if (*gateway && id_type_to_gateway((*gateway)->get_type(*gateway)))
+			{
+				redirect = TRUE;
+				break;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "redirect provider returned invalid gateway ID");
+				DESTROY_IF(*gateway);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return redirect;
+}
+
+METHOD(redirect_manager_t, redirect_on_init, bool,
+	private_redirect_manager_t *this, ike_sa_t *ike_sa,
+	identification_t **gateway)
+{
+	return should_redirect(this, ike_sa, gateway,
+						   offsetof(redirect_provider_t, redirect_on_init));
+}
+
+METHOD(redirect_manager_t, redirect_on_auth, bool,
+	private_redirect_manager_t *this, ike_sa_t *ike_sa,
+	identification_t **gateway)
+{
+	return should_redirect(this, ike_sa, gateway,
+						   offsetof(redirect_provider_t, redirect_on_auth));
+}
+
+METHOD(redirect_manager_t, destroy, void,
+	private_redirect_manager_t *this)
+{
+	this->providers->destroy(this->providers);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+redirect_manager_t *redirect_manager_create()
+{
+	private_redirect_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.add_provider = _add_provider,
+			.remove_provider = _remove_provider,
+			.redirect_on_init = _redirect_on_init,
+			.redirect_on_auth = _redirect_on_auth,
+			.destroy = _destroy,
+		},
+		.providers = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
+/*
+ * Encoding of a REDIRECT or REDIRECTED_FROM notify
+ *
+                         1                   2                   3
+     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    | Next Payload  |C|  RESERVED   |         Payload Length        |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |Protocol ID(=0)| SPI Size (=0) |      Notify Message Type      |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    | GW Ident Type |  GW Ident Len |                               |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               ~
+    ~                   New Responder GW Identity                   ~
+    |                                                               |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |                                                               |
+    ~                        Nonce Data                             ~
+    |                                                               |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/*
+ * Described in header
+ */
+chunk_t redirect_data_create(identification_t *gw, chunk_t nonce)
+{
+	gateway_id_type_t type;
+	bio_writer_t *writer;
+	chunk_t data;
+
+	type = id_type_to_gateway(gw->get_type(gw));
+	if (!type)
+	{
+		return chunk_empty;
+	}
+
+	writer = bio_writer_create(0);
+	writer->write_uint8(writer, type);
+	writer->write_data8(writer, gw->get_encoding(gw));
+	if (nonce.ptr)
+	{
+		writer->write_data(writer, nonce);
+	}
+
+	data = writer->extract_buf(writer);
+	writer->destroy(writer);
+	return data;
+}
+
+/*
+ * Described in header
+ */
+identification_t *redirect_data_parse(chunk_t data, chunk_t *nonce)
+{
+	bio_reader_t *reader;
+	id_type_t id_type;
+	chunk_t gateway;
+	u_int8_t type;
+
+	reader = bio_reader_create(data);
+	if (!reader->read_uint8(reader, &type) ||
+		!reader->read_data8(reader, &gateway))
+	{
+		DBG1(DBG_ENC, "invalid REDIRECT notify data");
+		reader->destroy(reader);
+		return NULL;
+	}
+	id_type = gateway_to_id_type(type);
+	if (!id_type)
+	{
+		DBG1(DBG_ENC, "invalid gateway ID type (%d) in REDIRECT notify", type);
+		reader->destroy(reader);
+		return NULL;
+	}
+	if (nonce)
+	{
+		*nonce = chunk_clone(reader->peek(reader));
+	}
+	reader->destroy(reader);
+	return identification_create_from_encoding(id_type, gateway);
+}
diff --git a/src/libcharon/sa/redirect_manager.h b/src/libcharon/sa/redirect_manager.h
new file mode 100644
index 000000000..e8753265c
--- /dev/null
+++ b/src/libcharon/sa/redirect_manager.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup redirect_manager redirect_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef REDIRECT_MANAGER_H_
+#define REDIRECT_MANAGER_H_
+
+typedef struct redirect_manager_t redirect_manager_t;
+
+#include <sa/redirect_provider.h>
+
+/**
+ * Manages redirect providers.
+ */
+struct redirect_manager_t {
+
+	/**
+	 * Add a redirect provider.
+	 *
+	 * All registered providers are queried until one of them decides to
+	 * redirect a client.
+	 *
+	 * A provider may be called concurrently for different IKE_SAs.
+	 *
+	 * @param provider	provider to register
+	 */
+	void (*add_provider)(redirect_manager_t *this,
+						 redirect_provider_t *provider);
+
+	/**
+	 * Remove a redirect provider.
+	 *
+	 * @param provider	provider to unregister
+	 */
+	void (*remove_provider)(redirect_manager_t *this,
+							redirect_provider_t *provider);
+
+	/**
+	 * Determine whether a client should be redirected upon receipt of the
+	 * IKE_SA_INIT message.
+	 *
+	 * @param ike_sa		IKE_SA for which this is called
+	 * @param gateway[out]	new IKE gateway (IP or FQDN)
+	 * @return				TRUE if client should be redirected, FALSE otherwise
+	 */
+	bool (*redirect_on_init)(redirect_manager_t *this, ike_sa_t *ike_sa,
+							 identification_t **gateway);
+
+	/**
+	 * Determine whether a client should be redirected after the IKE_AUTH has
+	 * been handled.  Should be called after the client is authenticated and
+	 * when the server authenticates itself.
+	 *
+	 * @param ike_sa		IKE_SA for which this is called
+	 * @param gateway[out]	new IKE gateway (IP or FQDN)
+	 * @return				TRUE if client should be redirected, FALSE otherwise
+	 */
+	bool (*redirect_on_auth)(redirect_manager_t *this, ike_sa_t *ike_sa,
+							 identification_t **gateway);
+
+	/**
+	 * Destroy this instance.
+	 */
+	void (*destroy)(redirect_manager_t *this);
+};
+
+/**
+ * Create a redirect manager instance.
+ *
+ * @return					manager instance
+ */
+redirect_manager_t *redirect_manager_create();
+
+/**
+ * Create notification data of a REDIRECT or REDIRECT_FROM payload using the
+ * given gateway identity and optional nonce (only used during IKE_SA_INIT).
+ *
+ * @param gw				gateway identity (IP or FQDN), gets cloned
+ * @param nonce				nonce value, or chunk_empty, gets cloned
+ * @return					notify data, chunk_empty if ID type is not supported
+ */
+chunk_t redirect_data_create(identification_t *gw, chunk_t nonce);
+
+/**
+ * Parse notification data of a REDIRECT or REDIRECTED_FROM notify payload.
+ *
+ * @param data				notification data to parse
+ * @param[out] nonce		nonce data (allocated), if any was provided
+ * @return					gateway identity, NULL if data is invalid
+ */
+identification_t *redirect_data_parse(chunk_t data, chunk_t *nonce);
+
+#endif /** REDIRECT_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/redirect_provider.h b/src/libcharon/sa/redirect_provider.h
new file mode 100644
index 000000000..ef2288ffc
--- /dev/null
+++ b/src/libcharon/sa/redirect_provider.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup redirect_provider redirect_provider
+ * @{ @ingroup sa
+ */
+
+#ifndef REDIRECT_PROVIDER_H_
+#define REDIRECT_PROVIDER_H_
+
+typedef struct redirect_provider_t redirect_provider_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+
+/**
+ * Interface that allows implementations to decide whether a client is
+ * redirected during IKE_SA_INIT or IKE_AUTH using RFC 5685.
+ */
+struct redirect_provider_t {
+
+	/**
+	 * Decide whether a client is redirect directly upon receipt of the
+	 * IKE_SA_INIT message.
+	 *
+	 * @param ike_sa		IKE_SA for which this is called
+	 * @param gateway[out]	new IKE gateway (IP or FQDN)
+	 * @return				TRUE if client should be redirected, FALSE otherwise
+	 */
+	bool (*redirect_on_init)(redirect_provider_t *this, ike_sa_t *ike_sa,
+							 identification_t **gateway);
+
+	/**
+	 * Decide whether a client is redirect after the IKE_AUTH has been
+	 * handled.  This is called after the client is authenticated and when the
+	 * server authenticates itself.
+	 *
+	 * @param ike_sa		IKE_SA for which this is called
+	 * @param gateway[out]	new IKE gateway (IP or FQDN)
+	 * @return				TRUE if client should be redirected, FALSE otherwise
+	 */
+	bool (*redirect_on_auth)(redirect_provider_t *this, ike_sa_t *ike_sa,
+							 identification_t **gateway);
+};
+
+#endif /** REDIRECT_PROVIDER_H_ @}*/
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 5231994c8..0e9cf6e1f 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -16,7 +16,6 @@
 
 #include "shunt_manager.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/rwlock.h>
 #include <threading/rwlock_condvar.h>
@@ -111,22 +110,22 @@ static bool install_shunt_policy(child_cfg_t *child)
 				continue;
 			}
 			/* install out policy */
-			status |= hydra->kernel_interface->add_policy(
-								hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->add_policy(charon->kernel,
+								host_any, host_any,
 								my_ts, other_ts, POLICY_OUT, policy_type,
 								&sa, child->get_mark(child, FALSE),
 								policy_prio);
 
 			/* install in policy */
-			status |= hydra->kernel_interface->add_policy(
-								hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->add_policy(charon->kernel,
+								host_any, host_any,
 								other_ts, my_ts, POLICY_IN, policy_type,
 								&sa, child->get_mark(child, TRUE),
 								policy_prio);
 
 			/* install forward policy */
-			status |= hydra->kernel_interface->add_policy(
-								hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->add_policy(charon->kernel,
+								host_any, host_any,
 								other_ts, my_ts, POLICY_FWD, policy_type,
 								&sa, child->get_mark(child, TRUE),
 								policy_prio);
@@ -248,22 +247,22 @@ static void uninstall_shunt_policy(child_cfg_t *child)
 				continue;
 			}
 			/* uninstall out policy */
-			status |= hydra->kernel_interface->del_policy(
-							hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->del_policy(charon->kernel,
+							host_any, host_any,
 							my_ts, other_ts, POLICY_OUT, policy_type,
 							&sa, child->get_mark(child, FALSE),
 							policy_prio);
 
 			/* uninstall in policy */
-			status |= hydra->kernel_interface->del_policy(
-							hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->del_policy(charon->kernel,
+							host_any, host_any,
 							other_ts, my_ts, POLICY_IN, policy_type,
 							&sa, child->get_mark(child, TRUE),
 							policy_prio);
 
 			/* uninstall forward policy */
-			status |= hydra->kernel_interface->del_policy(
-							hydra->kernel_interface, host_any, host_any,
+			status |= charon->kernel->del_policy(charon->kernel,
+							host_any, host_any,
 							other_ts, my_ts, POLICY_FWD, policy_type,
 							&sa, child->get_mark(child, TRUE),
 							policy_prio);
diff --git a/src/libcharon/sa/task.c b/src/libcharon/sa/task.c
index b35b58185..405eda66b 100644
--- a/src/libcharon/sa/task.c
+++ b/src/libcharon/sa/task.c
@@ -28,6 +28,8 @@ ENUM(task_type_names, TASK_IKE_INIT, TASK_ISAKMP_CERT_POST,
 	"IKE_REKEY",
 	"IKE_REAUTH",
 	"IKE_REAUTH_COMPLETE",
+	"IKE_REDIRECT",
+	"IKE_VERIFY_PEER_CERT",
 	"IKE_DELETE",
 	"IKE_DPD",
 	"IKE_VENDOR",
diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h
index 7bd3da1fe..31d70fb3b 100644
--- a/src/libcharon/sa/task.h
+++ b/src/libcharon/sa/task.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -57,6 +57,10 @@ enum task_type_t {
 	TASK_IKE_REAUTH,
 	/** completion task for make-before-break IKE_SA re-authentication */
 	TASK_IKE_REAUTH_COMPLETE,
+	/** redirect an active IKE_SA */
+	TASK_IKE_REDIRECT,
+	/** verify a peer's certificate */
+	TASK_IKE_VERIFY_PEER_CERT,
 	/** delete an IKE_SA */
 	TASK_IKE_DELETE,
 	/** liveness check */
@@ -154,6 +158,18 @@ struct task_t {
 	status_t (*process) (task_t *this, message_t *message);
 
 	/**
+	 * Verify a message before processing it (optional to implement by tasks).
+	 *
+	 * @param message		message to verify
+	 * @return
+	 *						- FAILED if verification is not successful, the
+	 *						  message will be silently discarded
+	 *						- DESTROY_ME if IKE_SA has to be destroyed
+	 *						- SUCCESS if verification is successful
+	 */
+	status_t (*pre_process) (task_t *this, message_t *message);
+
+	/**
 	 * Get the type of the task implementation.
 	 */
 	task_type_t (*get_type) (task_t *this);
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 90ad7e40e..85e220775 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -16,7 +16,6 @@
 
 #include "trap_manager.h"
 
-#include <hydra.h>
 #include <daemon.h>
 #include <threading/mutex.h>
 #include <threading/rwlock.h>
@@ -195,8 +194,7 @@ METHOD(trap_manager_t, install, u_int32_t,
 		if (!me || me->is_anyaddr(me))
 		{
 			DESTROY_IF(me);
-			me = hydra->kernel_interface->get_source_addr(
-										hydra->kernel_interface, other, NULL);
+			me = charon->kernel->get_source_addr(charon->kernel, other, NULL);
 			if (!me)
 			{
 				DBG1(DBG_CFG, "installing trap failed, local address unknown");
diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am
index 5fd8ca26d..0589269aa 100644
--- a/src/libcharon/tests/Makefile.am
+++ b/src/libcharon/tests/Makefile.am
@@ -10,7 +10,6 @@ libcharon_tests_SOURCES = \
 
 libcharon_tests_CFLAGS = \
   -I$(top_srcdir)/src/libcharon \
-  -I$(top_srcdir)/src/libhydra \
   -I$(top_srcdir)/src/libstrongswan \
   -I$(top_srcdir)/src/libstrongswan/tests \
   -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
@@ -20,6 +19,5 @@ libcharon_tests_CFLAGS = \
 libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@
 libcharon_tests_LDADD = \
   $(top_builddir)/src/libcharon/libcharon.la \
-  $(top_builddir)/src/libhydra/libhydra.la \
   $(top_builddir)/src/libstrongswan/libstrongswan.la \
   $(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in
index 910aad928..87dea161a 100644
--- a/src/libcharon/tests/Makefile.in
+++ b/src/libcharon/tests/Makefile.in
@@ -109,7 +109,6 @@ am_libcharon_tests_OBJECTS =  \
 libcharon_tests_OBJECTS = $(am_libcharon_tests_OBJECTS)
 libcharon_tests_DEPENDENCIES =  \
 	$(top_builddir)/src/libcharon/libcharon.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(top_builddir)/src/libstrongswan/tests/libtest.la
 AM_V_lt = $(am__v_lt_@AM_V@)
@@ -415,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -436,7 +437,6 @@ libcharon_tests_SOURCES = \
 
 libcharon_tests_CFLAGS = \
   -I$(top_srcdir)/src/libcharon \
-  -I$(top_srcdir)/src/libhydra \
   -I$(top_srcdir)/src/libstrongswan \
   -I$(top_srcdir)/src/libstrongswan/tests \
   -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
@@ -446,7 +446,6 @@ libcharon_tests_CFLAGS = \
 libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@
 libcharon_tests_LDADD = \
   $(top_builddir)/src/libcharon/libcharon.la \
-  $(top_builddir)/src/libhydra/libhydra.la \
   $(top_builddir)/src/libstrongswan/libstrongswan.la \
   $(top_builddir)/src/libstrongswan/tests/libtest.la
 
diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libcharon/tests/libcharon_tests.c
index ec96de711..4692c3094 100644
--- a/src/libcharon/tests/libcharon_tests.c
+++ b/src/libcharon/tests/libcharon_tests.c
@@ -14,7 +14,6 @@
  */
 
 #include <test_runner.h>
-#include <hydra.h>
 #include <daemon.h>
 
 /* declare test suite constructors */
@@ -39,7 +38,6 @@ static bool test_runner_init(bool init)
 	{
 		char *plugins, *plugindir;
 
-		libhydra_init();
 		libcharon_init();
 
 		plugins = getenv("TESTS_PLUGINS") ?:
@@ -59,7 +57,6 @@ static bool test_runner_init(bool init)
 		lib->processor->cancel(lib->processor);
 		lib->plugins->unload(lib->plugins);
 		libcharon_deinit();
-		libhydra_deinit();
 	}
 	return TRUE;
 }
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 6a3a4ebd5..0c692542d 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
deleted file mode 100644
index 7b62e9529..000000000
--- a/src/libhydra/Android.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-LOCAL_PATH := $(call my-dir)
-include $(CLEAR_VARS)
-
-# copy-n-paste from Makefile.am
-libhydra_la_SOURCES := \
-hydra.c hydra.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.c kernel/kernel_net.h \
-kernel/kernel_listener.h
-
-LOCAL_SRC_FILES := $(filter %.c,$(libhydra_la_SOURCES))
-
-# adding the plugin source files
-
-LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
-
-LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
-
-# build libhydra ---------------------------------------------------------------
-
-LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/libstrongswan
-
-LOCAL_CFLAGS := $(strongswan_CFLAGS)
-
-LOCAL_MODULE := libhydra
-
-LOCAL_MODULE_TAGS := optional
-
-LOCAL_ARM_MODE := arm
-
-LOCAL_PRELINK_MODULE := false
-
-LOCAL_SHARED_LIBRARIES += libstrongswan
-
-include $(BUILD_SHARED_LIBRARY)
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
deleted file mode 100644
index 9cdbc0147..000000000
--- a/src/libhydra/Makefile.am
+++ /dev/null
@@ -1,60 +0,0 @@
-ipseclib_LTLIBRARIES = libhydra.la
-
-libhydra_la_SOURCES = \
-hydra.c hydra.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.c kernel/kernel_net.h \
-kernel/kernel_listener.h
-
-libhydra_la_LIBADD = \
-  $(top_builddir)/src/libstrongswan/libstrongswan.la
-
-if USE_WINDOWS
-  libhydra_la_LIBADD += -lws2_32
-endif
-
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DPLUGINDIR=\"${plugindir}\"
-
-AM_LDFLAGS = \
-  -no-undefined
-
-EXTRA_DIST = Android.mk
-
-# build optional plugins
-########################
-
-if MONOLITHIC
-SUBDIRS =
-else
-SUBDIRS = .
-endif
-
-if USE_KERNEL_PFKEY
-  SUBDIRS += plugins/kernel_pfkey
-if MONOLITHIC
-  libhydra_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-endif
-endif
-
-if USE_KERNEL_PFROUTE
-  SUBDIRS += plugins/kernel_pfroute
-if MONOLITHIC
-  libhydra_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-endif
-endif
-
-if USE_KERNEL_NETLINK
-  SUBDIRS += plugins/kernel_netlink
-if MONOLITHIC
-  libhydra_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-endif
-endif
-
-if MONOLITHIC
-  SUBDIRS += .
-endif
-SUBDIRS += tests
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
deleted file mode 100644
index 9bb2e839a..000000000
--- a/src/libhydra/Makefile.in
+++ /dev/null
@@ -1,922 +0,0 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-@USE_WINDOWS_TRUE@am__append_1 = -lws2_32
-@USE_KERNEL_PFKEY_TRUE@am__append_2 = plugins/kernel_pfkey
-@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_3 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-@USE_KERNEL_PFROUTE_TRUE@am__append_4 = plugins/kernel_pfroute
-@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_5 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-@USE_KERNEL_NETLINK_TRUE@am__append_6 = plugins/kernel_netlink
-@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_7 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-subdir = src/libhydra
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
-	$(top_srcdir)/depcomp
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/split-package-version.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
-    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-    *) f=$$p;; \
-  esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
-  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
-  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
-  for p in $$list; do echo "$$p $$p"; done | \
-  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
-  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
-    if (++n[$$2] == $(am__install_max)) \
-      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
-    END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
-  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
-  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
-  }
-am__installdirs = "$(DESTDIR)$(ipseclibdir)"
-LTLIBRARIES = $(ipseclib_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-libhydra_la_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__DEPENDENCIES_1) $(am__append_3) $(am__append_5) \
-	$(am__append_7)
-am__dirstamp = $(am__leading_dot)dirstamp
-am_libhydra_la_OBJECTS = hydra.lo kernel/kernel_interface.lo \
-	kernel/kernel_ipsec.lo kernel/kernel_net.lo
-libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS)
-AM_V_lt = $(am__v_lt_@AM_V@)
-am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 = 
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_@AM_V@)
-am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo "  CC      " $@;
-am__v_CC_1 = 
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_@AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo "  CCLD    " $@;
-am__v_CCLD_1 = 
-SOURCES = $(libhydra_la_SOURCES)
-DIST_SOURCES = $(libhydra_la_SOURCES)
-RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
-	ctags-recursive dvi-recursive html-recursive info-recursive \
-	install-data-recursive install-dvi-recursive \
-	install-exec-recursive install-html-recursive \
-	install-info-recursive install-pdf-recursive \
-	install-ps-recursive install-recursive installcheck-recursive \
-	installdirs-recursive pdf-recursive ps-recursive \
-	tags-recursive uninstall-recursive
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
-  distclean-recursive maintainer-clean-recursive
-am__recursive_targets = \
-  $(RECURSIVE_TARGETS) \
-  $(RECURSIVE_CLEAN_TARGETS) \
-  $(am__extra_recursive_targets)
-AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
-	distdir
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates.  Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
-  BEGIN { nonempty = 0; } \
-  { items[$$0] = 1; nonempty = 1; } \
-  END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique.  This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
-  list='$(am__tagged_files)'; \
-  unique=`for i in $$list; do \
-    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-DIST_SUBDIRS = . plugins/kernel_pfkey plugins/kernel_pfroute \
-	plugins/kernel_netlink tests
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-am__relativize = \
-  dir0=`pwd`; \
-  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
-  sed_rest='s,^[^/]*/*,,'; \
-  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
-  sed_butlast='s,/*[^/]*$$,,'; \
-  while test -n "$$dir1"; do \
-    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
-    if test "$$first" != "."; then \
-      if test "$$first" = ".."; then \
-        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
-        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
-      else \
-        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
-        if test "$$first2" = "$$first"; then \
-          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
-        else \
-          dir2="../$$dir2"; \
-        fi; \
-        dir0="$$dir0"/"$$first"; \
-      fi; \
-    fi; \
-    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
-  done; \
-  reldir="$$dir2"
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BFDLIB = @BFDLIB@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
-COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-EASY_INSTALL = @EASY_INSTALL@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GEM = @GEM@
-GENHTML = @GENHTML@
-GPERF = @GPERF@
-GPRBUILD = @GPRBUILD@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LCOV = @LCOV@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OPENSSL_LIB = @OPENSSL_LIB@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
-PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
-PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
-PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
-PTHREADLIB = @PTHREADLIB@
-PYTHON = @PYTHON@
-PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-PY_TEST = @PY_TEST@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYGEMDIR = @RUBYGEMDIR@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-UNWINDLIB = @UNWINDLIB@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-aikgen_plugins = @aikgen_plugins@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-charon_natt_port = @charon_natt_port@
-charon_plugins = @charon_plugins@
-charon_udp_port = @charon_udp_port@
-clearsilver_LIBS = @clearsilver_LIBS@
-cmd_plugins = @cmd_plugins@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-dev_headers = @dev_headers@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-fips_mode = @fips_mode@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsec_script = @ipsec_script@
-ipsec_script_upper = @ipsec_script_upper@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-json_CFLAGS = @json_CFLAGS@
-json_LIBS = @json_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libiptc_CFLAGS = @libiptc_CFLAGS@
-libiptc_LIBS = @libiptc_LIBS@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-nm_plugins = @nm_plugins@
-oldincludedir = @oldincludedir@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-strongswan_options = @strongswan_options@
-swanctldir = @swanctldir@
-sysconfdir = @sysconfdir@
-systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
-systemd_daemon_LIBS = @systemd_daemon_LIBS@
-systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
-systemd_journal_LIBS = @systemd_journal_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-t_plugins = @t_plugins@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-ipseclib_LTLIBRARIES = libhydra.la
-libhydra_la_SOURCES = \
-hydra.c hydra.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.c kernel/kernel_net.h \
-kernel/kernel_listener.h
-
-libhydra_la_LIBADD =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__append_1) $(am__append_3) $(am__append_5) \
-	$(am__append_7)
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DPLUGINDIR=\"${plugindir}\"
-
-AM_LDFLAGS = \
-  -no-undefined
-
-EXTRA_DIST = Android.mk
-@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_2) $(am__append_4) \
-@MONOLITHIC_FALSE@	$(am__append_6) tests
-
-# build optional plugins
-########################
-@MONOLITHIC_TRUE@SUBDIRS = $(am__append_2) $(am__append_4) \
-@MONOLITHIC_TRUE@	$(am__append_6) . tests
-all: all-recursive
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libhydra/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
-	}
-
-uninstall-ipseclibLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipseclibdir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipseclibdir)/$$f"; \
-	done
-
-clean-ipseclibLTLIBRARIES:
-	-test -z "$(ipseclib_LTLIBRARIES)" || rm -f $(ipseclib_LTLIBRARIES)
-	@list='$(ipseclib_LTLIBRARIES)'; \
-	locs=`for p in $$list; do echo $$p; done | \
-	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
-	      sort -u`; \
-	test -z "$$locs" || { \
-	  echo rm -f $${locs}; \
-	  rm -f $${locs}; \
-	}
-kernel/$(am__dirstamp):
-	@$(MKDIR_P) kernel
-	@: > kernel/$(am__dirstamp)
-kernel/$(DEPDIR)/$(am__dirstamp):
-	@$(MKDIR_P) kernel/$(DEPDIR)
-	@: > kernel/$(DEPDIR)/$(am__dirstamp)
-kernel/kernel_interface.lo: kernel/$(am__dirstamp) \
-	kernel/$(DEPDIR)/$(am__dirstamp)
-kernel/kernel_ipsec.lo: kernel/$(am__dirstamp) \
-	kernel/$(DEPDIR)/$(am__dirstamp)
-kernel/kernel_net.lo: kernel/$(am__dirstamp) \
-	kernel/$(DEPDIR)/$(am__dirstamp)
-
-libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) $(EXTRA_libhydra_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(LINK) -rpath $(ipseclibdir) $(libhydra_la_OBJECTS) $(libhydra_la_LIBADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-	-rm -f kernel/*.$(OBJEXT)
-	-rm -f kernel/*.lo
-
-distclean-compile:
-	-rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_interface.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_ipsec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_net.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
-@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-	-rm -rf kernel/.libs kernel/_libs
-
-# This directory's subdirectories are mostly independent; you can cd
-# into them and run 'make' without going through this Makefile.
-# To change the values of 'make' variables: instead of editing Makefiles,
-# (1) if the variable is set in 'config.status', edit 'config.status'
-#     (which will cause the Makefiles to be regenerated when you run 'make');
-# (2) otherwise, pass the desired values on the 'make' command line.
-$(am__recursive_targets):
-	@fail=; \
-	if $(am__make_keepgoing); then \
-	  failcom='fail=yes'; \
-	else \
-	  failcom='exit 1'; \
-	fi; \
-	dot_seen=no; \
-	target=`echo $@ | sed s/-recursive//`; \
-	case "$@" in \
-	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
-	  *) list='$(SUBDIRS)' ;; \
-	esac; \
-	for subdir in $$list; do \
-	  echo "Making $$target in $$subdir"; \
-	  if test "$$subdir" = "."; then \
-	    dot_seen=yes; \
-	    local_target="$$target-am"; \
-	  else \
-	    local_target="$$target"; \
-	  fi; \
-	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
-	  || eval $$failcom; \
-	done; \
-	if test "$$dot_seen" = "no"; then \
-	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
-	fi; test -z "$$fail"
-
-ID: $(am__tagged_files)
-	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-recursive
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	set x; \
-	here=`pwd`; \
-	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
-	  include_option=--etags-include; \
-	  empty_fix=.; \
-	else \
-	  include_option=--include; \
-	  empty_fix=; \
-	fi; \
-	list='$(SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    test ! -f $$subdir/TAGS || \
-	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
-	  fi; \
-	done; \
-	$(am__define_uniq_tagged_files); \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: ctags-recursive
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	$(am__define_uniq_tagged_files); \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-recursive
-
-cscopelist-am: $(am__tagged_files)
-	list='$(am__tagged_files)'; \
-	case "$(srcdir)" in \
-	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
-	  *) sdir=$(subdir)/$(srcdir) ;; \
-	esac; \
-	for i in $$list; do \
-	  if test -f "$$i"; then \
-	    echo "$(subdir)/$$i"; \
-	  else \
-	    echo "$$sdir/$$i"; \
-	  fi; \
-	done >> $(top_builddir)/cscope.files
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
-	  if test "$$subdir" = .; then :; else \
-	    $(am__make_dryrun) \
-	      || test -d "$(distdir)/$$subdir" \
-	      || $(MKDIR_P) "$(distdir)/$$subdir" \
-	      || exit 1; \
-	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
-	    $(am__relativize); \
-	    new_distdir=$$reldir; \
-	    dir1=$$subdir; dir2="$(top_distdir)"; \
-	    $(am__relativize); \
-	    new_top_distdir=$$reldir; \
-	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
-	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
-	    ($(am__cd) $$subdir && \
-	      $(MAKE) $(AM_MAKEFLAGS) \
-	        top_distdir="$$new_top_distdir" \
-	        distdir="$$new_distdir" \
-		am__remove_distdir=: \
-		am__skip_length_check=: \
-		am__skip_mode_fix=: \
-	        distdir) \
-	      || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-recursive
-all-am: Makefile $(LTLIBRARIES)
-installdirs: installdirs-recursive
-installdirs-am:
-	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-recursive
-install-exec: install-exec-recursive
-install-data: install-data-recursive
-uninstall: uninstall-recursive
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-recursive
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-	-rm -f kernel/$(DEPDIR)/$(am__dirstamp)
-	-rm -f kernel/$(am__dirstamp)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-recursive
-
-clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
-	mostlyclean-am
-
-distclean: distclean-recursive
-	-rm -rf ./$(DEPDIR) kernel/$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-recursive
-
-dvi-am:
-
-html: html-recursive
-
-html-am:
-
-info: info-recursive
-
-info-am:
-
-install-data-am: install-ipseclibLTLIBRARIES
-
-install-dvi: install-dvi-recursive
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-recursive
-
-install-html-am:
-
-install-info: install-info-recursive
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-recursive
-
-install-pdf-am:
-
-install-ps: install-ps-recursive
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-recursive
-	-rm -rf ./$(DEPDIR) kernel/$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-recursive
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-recursive
-
-pdf-am:
-
-ps: ps-recursive
-
-ps-am:
-
-uninstall-am: uninstall-ipseclibLTLIBRARIES
-
-.MAKE: $(am__recursive_targets) install-am install-strip
-
-.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
-	check-am clean clean-generic clean-ipseclibLTLIBRARIES \
-	clean-libtool cscopelist-am ctags ctags-am distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-dvi \
-	install-dvi-am install-exec install-exec-am install-html \
-	install-html-am install-info install-info-am \
-	install-ipseclibLTLIBRARIES install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs installdirs-am \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
-	uninstall-ipseclibLTLIBRARIES
-
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
deleted file mode 100644
index 47ffb59c6..000000000
--- a/src/libhydra/hydra.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "hydra.h"
-
-#include <utils/debug.h>
-
-typedef struct private_hydra_t private_hydra_t;
-
-/**
- * Private additions to hydra_t.
- */
-struct private_hydra_t {
-
-	/**
-	 * Public members of hydra_t.
-	 */
-	hydra_t public;
-
-	/**
-	 * Integrity check failed?
-	 */
-	bool integrity_failed;
-
-	/**
-	 * Number of times we have been initialized
-	 */
-	refcount_t ref;
-};
-
-/**
- * Single instance of hydra_t.
- */
-hydra_t *hydra = NULL;
-
-/**
- * Described in header.
- */
-void libhydra_deinit()
-{
-	private_hydra_t *this = (private_hydra_t*)hydra;
-
-	if (!this || !ref_put(&this->ref))
-	{	/* have more users */
-		return;
-	}
-
-	this->public.kernel_interface->destroy(this->public.kernel_interface);
-	free(this);
-	hydra = NULL;
-}
-
-/**
- * Described in header.
- */
-bool libhydra_init()
-{
-	private_hydra_t *this;
-
-	if (hydra)
-	{	/* already initialized, increase refcount */
-		this = (private_hydra_t*)hydra;
-		ref_get(&this->ref);
-		return !this->integrity_failed;
-	}
-
-	INIT(this,
-		.ref = 1,
-	);
-	hydra = &this->public;
-
-	this->public.kernel_interface = kernel_interface_create();
-
-	if (lib->integrity &&
-		!lib->integrity->check(lib->integrity, "libhydra", libhydra_init))
-	{
-		DBG1(DBG_LIB, "integrity check of libhydra failed");
-		this->integrity_failed = TRUE;
-	}
-	return !this->integrity_failed;
-}
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
deleted file mode 100644
index b23a30584..000000000
--- a/src/libhydra/hydra.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) 2010 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup libhydra libhydra
- *
- * @defgroup hkernel kernel
- * @ingroup libhydra
- *
- * @defgroup hplugins plugins
- * @ingroup libhydra
- *
- * @addtogroup libhydra
- * @{
- */
-
-#ifndef HYDRA_H_
-#define HYDRA_H_
-
-typedef struct hydra_t hydra_t;
-
-#include <kernel/kernel_interface.h>
-
-#include <library.h>
-
-/**
- * IKE Daemon support object.
- */
-struct hydra_t {
-
-	/**
-	 * kernel interface to communicate with kernel
-	 */
-	kernel_interface_t *kernel_interface;
-};
-
-/**
- * The single instance of hydra_t.
- *
- * Set between calls to libhydra_init() and libhydra_deinit() calls.
- */
-extern hydra_t *hydra;
-
-/**
- * Initialize libhydra.
- *
- * libhydra_init() may be called multiple times in a single process, but each
- * caller must call libhydra_deinit() for each call to libhydra_init().
- *
- * @return				FALSE if integrity check failed
- */
-bool libhydra_init();
-
-/**
- * Deinitialize libhydra.
- */
-void libhydra_deinit();
-
-#endif /** HYDRA_H_ @}*/
diff --git a/src/libhydra/tests/Makefile.am b/src/libhydra/tests/Makefile.am
deleted file mode 100644
index 5acd5c28c..000000000
--- a/src/libhydra/tests/Makefile.am
+++ /dev/null
@@ -1,18 +0,0 @@
-TESTS = hydra_tests
-
-check_PROGRAMS = $(TESTS)
-
-hydra_tests_SOURCES = \
-  hydra_tests.h hydra_tests.c
-
-hydra_tests_CFLAGS = \
-  -I$(top_srcdir)/src/libhydra \
-  -I$(top_srcdir)/src/libstrongswan \
-  -I$(top_srcdir)/src/libstrongswan/tests \
-  @COVERAGE_CFLAGS@
-
-hydra_tests_LDFLAGS = @COVERAGE_LDFLAGS@
-hydra_tests_LDADD = \
-  $(top_builddir)/src/libhydra/libhydra.la \
-  $(top_builddir)/src/libstrongswan/libstrongswan.la \
-  $(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libhydra/tests/hydra_tests.c b/src/libhydra/tests/hydra_tests.c
deleted file mode 100644
index 0d6387be7..000000000
--- a/src/libhydra/tests/hydra_tests.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2014 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <test_runner.h>
-#include <hydra.h>
-
-/* declare test suite constructors */
-#define TEST_SUITE(x) test_suite_t* x();
-#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
-#include "hydra_tests.h"
-#undef TEST_SUITE
-#undef TEST_SUITE_DEPEND
-
-static test_configuration_t tests[] = {
-#define TEST_SUITE(x) \
-	{ .suite = x, },
-#define TEST_SUITE_DEPEND(x, type, ...) \
-	{ .suite = x, .feature = PLUGIN_DEPENDS(type, __VA_ARGS__) },
-#include "hydra_tests.h"
-	{ .suite = NULL, }
-};
-
-static bool test_runner_init(bool init)
-{
-	if (init)
-	{
-		libhydra_init();
-	}
-	else
-	{
-		lib->processor->set_threads(lib->processor, 0);
-		lib->processor->cancel(lib->processor);
-		libhydra_deinit();
-	}
-	return TRUE;
-}
-
-int main(int argc, char *argv[])
-{
-	return test_runner_run("libhydra", tests, test_runner_init);
-}
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index ed2934cfb..200f9590e 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -586,6 +586,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/imc/imc_os_info.c b/src/libimcv/imc/imc_os_info.c
index 0a094eb23..55e152af5 100644
--- a/src/libimcv/imc/imc_os_info.c
+++ b/src/libimcv/imc/imc_os_info.c
@@ -383,6 +383,7 @@ static bool extract_platform_info(os_type_t *type, chunk_t *name,
 	FILE *file;
 	u_char buf[BUF_LEN], *pos = buf;
 	int len = BUF_LEN - 1;
+	long file_len;
 	os_type_t os_type = OS_TYPE_UNKNOWN;
 	chunk_t os_name = chunk_empty;
 	chunk_t os_version = chunk_empty;
@@ -425,15 +426,22 @@ static bool extract_platform_info(os_type_t *type, chunk_t *name,
 
 		/* read release file into buffer */
 		fseek(file, 0, SEEK_END);
-		len = min(ftell(file), len);
+		file_len = ftell(file);
+		if (file_len < 0)
+		{
+			DBG1(DBG_IMC, "failed to determine size of \"%s\"", releases[i]);
+			fclose(file);
+			return FALSE;
+		}
+		len = min(file_len, len);
 		rewind(file);
-		buf[len] = '\0';
 		if (fread(buf, 1, len, file) != len)
 		{
 			DBG1(DBG_IMC, "failed to read file \"%s\"", releases[i]);
 			fclose(file);
 			return FALSE;
 		}
+		buf[len] = '\0';
 		fclose(file);
 
 		DBG1(DBG_IMC, "processing \"%s\" file", releases[i]);
diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in
index 8ad56181e..6d9533d21 100644
--- a/src/libimcv/plugins/imc_attestation/Makefile.in
+++ b/src/libimcv/plugins/imc_attestation/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imc_hcd/Makefile.in b/src/libimcv/plugins/imc_hcd/Makefile.in
index da7523c33..0d603c9e7 100644
--- a/src/libimcv/plugins/imc_hcd/Makefile.in
+++ b/src/libimcv/plugins/imc_hcd/Makefile.in
@@ -411,6 +411,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 3b7538688..d1787da3c 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -411,6 +411,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 7b696896f..2f03a7c70 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -412,6 +412,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in
index 2847f09b4..981f86401 100644
--- a/src/libimcv/plugins/imc_swid/Makefile.in
+++ b/src/libimcv/plugins/imc_swid/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 2048caa4d..7bf459044 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -411,6 +411,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in
index 09a0ab0ce..d3f790091 100644
--- a/src/libimcv/plugins/imv_attestation/Makefile.in
+++ b/src/libimcv/plugins/imv_attestation/Makefile.in
@@ -423,6 +423,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
index 28ebd0069..91c12f33b 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c
@@ -603,8 +603,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 							if (!comp)
 							{
 								comp_name->log(comp_name, "unregistered ");
-								comp_name->destroy(comp_name);
 							}
+							comp_name->destroy(comp_name);
 						}
 
 						/* do TPM IMA measurements */
@@ -620,8 +620,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 							if (!comp)
 							{
 								comp_name->log(comp_name, "unregistered ");
-								comp_name->destroy(comp_name);
 							}
+							comp_name->destroy(comp_name);
 						}
 
 						/* do TPM TRUSTED BOOT measurements */
@@ -637,8 +637,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 							if (!comp)
 							{
 								comp_name->log(comp_name, "unregistered ");
-								comp_name->destroy(comp_name);
 							}
+							comp_name->destroy(comp_name);
 						}
 						attestation_state->set_handshake_state(attestation_state,
 											IMV_ATTESTATION_STATE_NONCE_REQ);
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_state.h b/src/libimcv/plugins/imv_attestation/imv_attestation_state.h
index 39a8eee9c..d9bb47c31 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_state.h
@@ -115,7 +115,7 @@ struct imv_attestation_state_t {
 	/**
 	 * Create and add an entry to the list of Functional Components
 	 *
-	 * @param name				Component Functional Name
+	 * @param name				Component Functional Name (cloned)
 	 * @param depth				Sub-component Depth
 	 * @param pts_db			PTS measurement database
 	 * @return					created functional component instance or NULL
diff --git a/src/libimcv/plugins/imv_hcd/Makefile.in b/src/libimcv/plugins/imv_hcd/Makefile.in
index ea017646d..c179a94e4 100644
--- a/src/libimcv/plugins/imv_hcd/Makefile.in
+++ b/src/libimcv/plugins/imv_hcd/Makefile.in
@@ -411,6 +411,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index ec3488992..c6f925aa0 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -419,6 +419,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 08abbf596..0eee4d1e0 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in
index 936bee86e..ce246da57 100644
--- a/src/libimcv/plugins/imv_swid/Makefile.in
+++ b/src/libimcv/plugins/imv_swid/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/plugins/imv_swid/imv_swid_agent.c b/src/libimcv/plugins/imv_swid/imv_swid_agent.c
index 6d327830f..c057e7ed1 100644
--- a/src/libimcv/plugins/imv_swid/imv_swid_agent.c
+++ b/src/libimcv/plugins/imv_swid/imv_swid_agent.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -213,7 +213,8 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this,
 				if (request_id == swid_state->get_request_id(swid_state))
 				{
 					swid_state->set_swid_inventory(swid_state, inventory);
-					swid_state->set_count(swid_state, tag_id_count, 0);
+					swid_state->set_count(swid_state, tag_id_count, 0,
+										  in_msg->get_src_id(in_msg));
 				}
 				else
 				{
@@ -251,7 +252,8 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this,
 
 				if (request_id == swid_state->get_request_id(swid_state))
 				{
-					swid_state->set_count(swid_state, 0, tag_count);
+					swid_state->set_count(swid_state, 0, tag_count,
+										  in_msg->get_src_id(in_msg));
 
 					if (this->rest_api)
 					{
@@ -387,7 +389,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 	}
 
 	/* Create an empty out message - we might need it */
-	out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+	out_msg = imv_msg_create(this->agent, state, id, imv_id,
+							 swid_state->get_imc_id(swid_state),
 							 msg_types[0]);
 
 	if (!imcv_db)
diff --git a/src/libimcv/plugins/imv_swid/imv_swid_state.c b/src/libimcv/plugins/imv_swid/imv_swid_state.c
index 04364b030..fb9493a83 100644
--- a/src/libimcv/plugins/imv_swid/imv_swid_state.c
+++ b/src/libimcv/plugins/imv_swid/imv_swid_state.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -123,6 +123,11 @@ struct private_imv_swid_state_t {
 	uint32_t missing;
 
 	/**
+	 * SWID IMC ID
+	 */
+	TNC_UInt32 imc_id;
+
+	/**
 	 * Top level JSON object
 	 */
 	json_object *jobj;
@@ -326,10 +331,12 @@ METHOD(imv_swid_state_t, get_missing, uint32_t,
 }
 
 METHOD(imv_swid_state_t, set_count, void,
-	private_imv_swid_state_t *this, int tag_id_count, int tag_count)
+	private_imv_swid_state_t *this, int tag_id_count, int tag_count,
+	TNC_UInt32 imc_id)
 {
 	this->tag_id_count += tag_id_count;
 	this->tag_count += tag_count;
+	this->imc_id = imc_id;
 }
 
 METHOD(imv_swid_state_t, get_count, void,
@@ -345,6 +352,12 @@ METHOD(imv_swid_state_t, get_count, void,
 	}
 }
 
+METHOD(imv_swid_state_t, get_imc_id, TNC_UInt32,
+	private_imv_swid_state_t *this)
+{
+	return this->imc_id;
+}
+
 /**
  * Described in header.
  */
@@ -384,12 +397,14 @@ imv_state_t *imv_swid_state_create(TNC_ConnectionID connection_id)
 			.get_missing = _get_missing,
 			.set_count = _set_count,
 			.get_count = _get_count,
+			.get_imc_id = _get_imc_id,
 		},
 		.state = TNC_CONNECTION_STATE_CREATE,
 		.rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
 		.eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
 		.connection_id = connection_id,
 		.contracts = seg_contract_manager_create(),
+		.imc_id = TNC_IMCID_ANY,
 		.jobj = json_object_new_object(),
 		.jarray = json_object_new_array(),
 	);
diff --git a/src/libimcv/plugins/imv_swid/imv_swid_state.h b/src/libimcv/plugins/imv_swid/imv_swid_state.h
index af5d95c9d..5fe99ecdc 100644
--- a/src/libimcv/plugins/imv_swid/imv_swid_state.h
+++ b/src/libimcv/plugins/imv_swid/imv_swid_state.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -81,19 +81,19 @@ struct imv_swid_state_t {
 	 */
 	uint32_t (*get_request_id)(imv_swid_state_t *this);
 
-    /**
-     * Set or extend the SWID Tag ID inventory in the state
-     *
-     * @param inventory			SWID Tags ID inventory to be added
-     */
-    void (*set_swid_inventory)(imv_swid_state_t *this, swid_inventory_t *inventory);
+	/**
+	 * Set or extend the SWID Tag ID inventory in the state
+	 *
+	 * @param inventory			SWID Tags ID inventory to be added
+	 */
+	void (*set_swid_inventory)(imv_swid_state_t *this, swid_inventory_t *inventory);
 
-   /**
-     * Get the encoding of the complete SWID Tag ID inventory
-     *
-     * @return			       SWID Tags ID inventory as a JSON array
-     */
-    json_object* (*get_swid_inventory)(imv_swid_state_t *this);
+	/**
+	 * Get the encoding of the complete SWID Tag ID inventory
+	 *
+	 * @return			       SWID Tags ID inventory as a JSON array
+	 */
+	json_object* (*get_swid_inventory)(imv_swid_state_t *this);
 
 	/**
 	 * Set the number of still missing SWID Tags or Tag IDs
@@ -114,8 +114,10 @@ struct imv_swid_state_t {
 	 *
 	 * @param tag_id_count		Number of received SWID Tag IDs
 	 * @param tag_count			Number of received SWID Tags
+	 * @param imc_id			SWID IMC ID
 	 */
-	void (*set_count)(imv_swid_state_t *this, int tag_id_count, int tag_count);
+	void (*set_count)(imv_swid_state_t *this, int tag_id_count, int tag_count,
+					  TNC_UInt32 imc_id);
 
 	/**
 	 * Set [or with multiple attributes increment] SWID Tag [ID] counters
@@ -124,6 +126,13 @@ struct imv_swid_state_t {
 	 * @param tag_count			Number of received SWID Tags
 	 */
 	void (*get_count)(imv_swid_state_t *this, int *tag_id_count, int *tag_count);
+
+	/**
+	 * Get SWID IMC ID
+	 *
+	 * @return					SWID IMC ID
+	 */
+	TNC_UInt32 (*get_imc_id)(imv_swid_state_t *this);
 };
 
 /**
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 8e0e22353..19cef2073 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -412,6 +412,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libimcv/pts/components/pts_component_manager.h b/src/libimcv/pts/components/pts_component_manager.h
index 61055ec74..00f8765ca 100644
--- a/src/libimcv/pts/components/pts_component_manager.h
+++ b/src/libimcv/pts/components/pts_component_manager.h
@@ -45,7 +45,7 @@ struct pts_component_manager_t {
 	 * @param comp_func_names		Vendor-specific Component Functional names
 	 * @param qualifier_type_size	Vendor-specific Qualifier Type size
 	 * @param qualifier_flag_names	Vendor-specific Qualifier Flag names
-	 * @param qualifier_type_names	Vendor-specific Qualifier Type names 
+	 * @param qualifier_type_names	Vendor-specific Qualifier Type names
 	 */
 	void (*add_vendor)(pts_component_manager_t *this, pen_t vendor_id,
 					   enum_name_t *comp_func_names,
@@ -106,7 +106,7 @@ struct pts_component_manager_t {
 	 * @param pts_db				PTS measurement database
 	 * @return						Component object if supported, NULL else
 	 */
-	pts_component_t* (*create)(pts_component_manager_t *this, 
+	pts_component_t* (*create)(pts_component_manager_t *this,
 							   pts_comp_func_name_t *name, u_int32_t depth,
 							   pts_database_t *pts_db);
 
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index aa793441b..a08d8c51f 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -453,6 +453,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libipsec/ipsec_policy_mgr.c b/src/libipsec/ipsec_policy_mgr.c
index e2eaba014..3f312ffd2 100644
--- a/src/libipsec/ipsec_policy_mgr.c
+++ b/src/libipsec/ipsec_policy_mgr.c
@@ -175,15 +175,16 @@ METHOD(ipsec_policy_mgr_t, add_policy, status_t,
 }
 
 METHOD(ipsec_policy_mgr_t, del_policy, status_t,
-	private_ipsec_policy_mgr_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t reqid,
-	mark_t mark, policy_priority_t policy_priority)
+	private_ipsec_policy_mgr_t *this, host_t *src, host_t *dst,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
+	policy_priority_t policy_priority)
 {
 	enumerator_t *enumerator;
 	ipsec_policy_entry_t *current, *found = NULL;
 	u_int32_t priority;
 
-	if (direction == POLICY_FWD)
+	if (type != POLICY_IPSEC || direction == POLICY_FWD)
 	{	/* we ignore these policies as we currently have no use for them */
 		return SUCCESS;
 	}
@@ -198,7 +199,7 @@ METHOD(ipsec_policy_mgr_t, del_policy, status_t,
 	{
 		if (current->priority == priority &&
 			current->policy->match(current->policy, src_ts, dst_ts, direction,
-								   reqid, mark, policy_priority))
+								   sa->reqid, mark, policy_priority))
 		{
 			this->policies->remove_at(this->policies, enumerator);
 			found = current;
diff --git a/src/libipsec/ipsec_policy_mgr.h b/src/libipsec/ipsec_policy_mgr.h
index 30406bdb7..0ea797e7a 100644
--- a/src/libipsec/ipsec_policy_mgr.h
+++ b/src/libipsec/ipsec_policy_mgr.h
@@ -71,18 +71,21 @@ struct ipsec_policy_mgr_t {
 	/**
 	 * Remove a policy
 	 *
+	 * @param src			source address of SA
+	 * @param dst			dest address of SA
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
 	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
-	 * @param reqid			unique ID of the associated SA
+	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
+	 * @param sa			details about the SA(s) tied to this policy
 	 * @param mark			optional mark
 	 * @param priority		priority of the policy
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_policy)(ipsec_policy_mgr_t *this,
-						   traffic_selector_t *src_ts,
-						   traffic_selector_t *dst_ts,
-						   policy_dir_t direction, u_int32_t reqid, mark_t mark,
+						   host_t *src, host_t *dst, traffic_selector_t *src_ts,
+						   traffic_selector_t *dst_ts, policy_dir_t direction,
+						   policy_type_t type, ipsec_sa_cfg_t *sa, mark_t mark,
 						   policy_priority_t priority);
 
 	/**
diff --git a/src/libipsec/tests/Makefile.in b/src/libipsec/tests/Makefile.in
index 9a9bb3142..ebf6e7e93 100644
--- a/src/libipsec/tests/Makefile.in
+++ b/src/libipsec/tests/Makefile.in
@@ -409,6 +409,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index 96d1ae4aa..c4eb8b4a9 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index 9bca3bd29..9b03099da 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -409,6 +409,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libsimaka/Makefile.am b/src/libsimaka/Makefile.am
index 9997ece08..dd31689c6 100644
--- a/src/libsimaka/Makefile.am
+++ b/src/libsimaka/Makefile.am
@@ -1,6 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_LDFLAGS = \
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index 637137cb0..e813eb085 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -412,6 +412,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -427,7 +429,6 @@ xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
 AM_LDFLAGS = \
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index db3da8e15..da5f34e87 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -21,7 +21,8 @@ credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
-credentials/certificates/ocsp_response.c \
+credentials/certificates/ocsp_response.c credentials/certificates/x509.c \
+credentials/certificates/certificate_printer.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
 credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index ed3b85dd4..0bac61b44 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -19,7 +19,8 @@ credentials/credential_factory.c credentials/builder.c \
 credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
-credentials/certificates/ocsp_response.c \
+credentials/certificates/ocsp_response.c credentials/certificates/x509.c \
+credentials/certificates/certificate_printer.c \
 credentials/containers/container.c credentials/containers/pkcs12.c \
 credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
@@ -83,6 +84,7 @@ credentials/certificates/ac.h credentials/certificates/crl.h \
 credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
 credentials/certificates/ocsp_response.h \
 credentials/certificates/pgp_certificate.h \
+credentials/certificates/certificate_printer.h \
 credentials/containers/container.h credentials/containers/pkcs7.h \
 credentials/containers/pkcs12.h \
 credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 284960f5c..d88c96f03 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -322,6 +322,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	credentials/certificates/certificate.c \
 	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
+	credentials/certificates/x509.c \
+	credentials/certificates/certificate_printer.c \
 	credentials/containers/container.c \
 	credentials/containers/pkcs12.c \
 	credentials/credential_manager.c \
@@ -407,6 +409,8 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
 	credentials/certificates/certificate.lo \
 	credentials/certificates/crl.lo \
 	credentials/certificates/ocsp_response.lo \
+	credentials/certificates/x509.lo \
+	credentials/certificates/certificate_printer.lo \
 	credentials/containers/container.lo \
 	credentials/containers/pkcs12.lo \
 	credentials/credential_manager.lo \
@@ -539,6 +543,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
 	credentials/certificates/ocsp_request.h \
 	credentials/certificates/ocsp_response.h \
 	credentials/certificates/pgp_certificate.h \
+	credentials/certificates/certificate_printer.h \
 	credentials/containers/container.h \
 	credentials/containers/pkcs7.h credentials/containers/pkcs12.h \
 	credentials/credential_manager.h \
@@ -865,6 +870,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -900,6 +907,8 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
 	credentials/certificates/certificate.c \
 	credentials/certificates/crl.c \
 	credentials/certificates/ocsp_response.c \
+	credentials/certificates/x509.c \
+	credentials/certificates/certificate_printer.c \
 	credentials/containers/container.c \
 	credentials/containers/pkcs12.c \
 	credentials/credential_manager.c \
@@ -961,6 +970,7 @@ settings/settings_types.h
 @USE_DEV_HEADERS_TRUE@credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
 @USE_DEV_HEADERS_TRUE@credentials/certificates/ocsp_response.h \
 @USE_DEV_HEADERS_TRUE@credentials/certificates/pgp_certificate.h \
+@USE_DEV_HEADERS_TRUE@credentials/certificates/certificate_printer.h \
 @USE_DEV_HEADERS_TRUE@credentials/containers/container.h credentials/containers/pkcs7.h \
 @USE_DEV_HEADERS_TRUE@credentials/containers/pkcs12.h \
 @USE_DEV_HEADERS_TRUE@credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
@@ -1341,6 +1351,12 @@ credentials/certificates/crl.lo:  \
 credentials/certificates/ocsp_response.lo:  \
 	credentials/certificates/$(am__dirstamp) \
 	credentials/certificates/$(DEPDIR)/$(am__dirstamp)
+credentials/certificates/x509.lo:  \
+	credentials/certificates/$(am__dirstamp) \
+	credentials/certificates/$(DEPDIR)/$(am__dirstamp)
+credentials/certificates/certificate_printer.lo:  \
+	credentials/certificates/$(am__dirstamp) \
+	credentials/certificates/$(DEPDIR)/$(am__dirstamp)
 credentials/containers/$(am__dirstamp):
 	@$(MKDIR_P) credentials/containers
 	@: > credentials/containers/$(am__dirstamp)
@@ -1735,8 +1751,10 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/$(DEPDIR)/credential_factory.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/$(DEPDIR)/credential_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/certificate.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/certificate_printer.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/crl.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/ocsp_response.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/x509.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/containers/$(DEPDIR)/container.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/containers/$(DEPDIR)/pkcs12.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/private_key.Plo@am__quote@
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 7a48292af..8ac005610 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -26,6 +26,7 @@
 #include <stdarg.h>
 
 #include <library.h>
+#include <asn1/asn1.h>
 
 /**
  * Definition of some primitive ASN1 types
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index a088b0527..ed953d482 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -28,8 +28,8 @@ const oid_t oid_names[] = {
  {                0x01,         0, 1,  8, "pilotAttributeType"             }, /*  15 */
  {                  0x01,      17, 0,  9, "UID"                            }, /*  16 */
  {                  0x19,       0, 0,  9, "DC"                             }, /*  17 */
- {0x55,                        65, 1,  0, "X.500"                          }, /*  18 */
- {  0x04,                      37, 1,  1, "X.509"                          }, /*  19 */
+ {0x55,                        66, 1,  0, "X.500"                          }, /*  18 */
+ {  0x04,                      38, 1,  1, "X.509"                          }, /*  19 */
  {    0x03,                    21, 0,  2, "CN"                             }, /*  20 */
  {    0x04,                    22, 0,  2, "S"                              }, /*  21 */
  {    0x05,                    23, 0,  2, "SN"                             }, /*  22 */
@@ -46,446 +46,447 @@ const oid_t oid_names[] = {
  {    0x2B,                    34, 0,  2, "I"                              }, /*  33 */
  {    0x2D,                    35, 0,  2, "ID"                             }, /*  34 */
  {    0x2E,                    36, 0,  2, "dnQualifier"                    }, /*  35 */
- {    0x48,                     0, 0,  2, "role"                           }, /*  36 */
- {  0x1D,                       0, 1,  1, "id-ce"                          }, /*  37 */
- {    0x09,                    39, 0,  2, "subjectDirectoryAttrs"          }, /*  38 */
- {    0x0E,                    40, 0,  2, "subjectKeyIdentifier"           }, /*  39 */
- {    0x0F,                    41, 0,  2, "keyUsage"                       }, /*  40 */
- {    0x10,                    42, 0,  2, "privateKeyUsagePeriod"          }, /*  41 */
- {    0x11,                    43, 0,  2, "subjectAltName"                 }, /*  42 */
- {    0x12,                    44, 0,  2, "issuerAltName"                  }, /*  43 */
- {    0x13,                    45, 0,  2, "basicConstraints"               }, /*  44 */
- {    0x14,                    46, 0,  2, "crlNumber"                      }, /*  45 */
- {    0x15,                    47, 0,  2, "reasonCode"                     }, /*  46 */
- {    0x17,                    48, 0,  2, "holdInstructionCode"            }, /*  47 */
- {    0x18,                    49, 0,  2, "invalidityDate"                 }, /*  48 */
- {    0x1B,                    50, 0,  2, "deltaCrlIndicator"              }, /*  49 */
- {    0x1C,                    51, 0,  2, "issuingDistributionPoint"       }, /*  50 */
- {    0x1D,                    52, 0,  2, "certificateIssuer"              }, /*  51 */
- {    0x1E,                    53, 0,  2, "nameConstraints"                }, /*  52 */
- {    0x1F,                    54, 0,  2, "crlDistributionPoints"          }, /*  53 */
- {    0x20,                    56, 1,  2, "certificatePolicies"            }, /*  54 */
- {      0x00,                   0, 0,  3, "anyPolicy"                      }, /*  55 */
- {    0x21,                    57, 0,  2, "policyMappings"                 }, /*  56 */
- {    0x23,                    58, 0,  2, "authorityKeyIdentifier"         }, /*  57 */
- {    0x24,                    59, 0,  2, "policyConstraints"              }, /*  58 */
- {    0x25,                    61, 1,  2, "extendedKeyUsage"               }, /*  59 */
- {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"            }, /*  60 */
- {    0x2E,                    62, 0,  2, "freshestCRL"                    }, /*  61 */
- {    0x36,                    63, 0,  2, "inhibitAnyPolicy"               }, /*  62 */
- {    0x37,                    64, 0,  2, "targetInformation"              }, /*  63 */
- {    0x38,                     0, 0,  2, "noRevAvail"                     }, /*  64 */
- {0x2A,                       189, 1,  0, ""                               }, /*  65 */
- {  0x83,                      78, 1,  1, ""                               }, /*  66 */
- {    0x08,                     0, 1,  2, "jp"                             }, /*  67 */
- {      0x8C,                   0, 1,  3, ""                               }, /*  68 */
- {        0x9A,                 0, 1,  4, ""                               }, /*  69 */
- {          0x4B,               0, 1,  5, ""                               }, /*  70 */
- {            0x3D,             0, 1,  6, ""                               }, /*  71 */
- {              0x01,           0, 1,  7, "security"                       }, /*  72 */
- {                0x01,         0, 1,  8, "algorithm"                      }, /*  73 */
- {                  0x01,       0, 1,  9, "symm-encryption-alg"            }, /*  74 */
- {                    0x02,    76, 0, 10, "camellia128-cbc"                }, /*  75 */
- {                    0x03,    77, 0, 10, "camellia192-cbc"                }, /*  76 */
- {                    0x04,     0, 0, 10, "camellia256-cbc"                }, /*  77 */
- {  0x86,                       0, 1,  1, ""                               }, /*  78 */
- {    0x48,                     0, 1,  2, "us"                             }, /*  79 */
- {      0x86,                 148, 1,  3, ""                               }, /*  80 */
- {        0xF6,                86, 1,  4, ""                               }, /*  81 */
- {          0x7D,               0, 1,  5, "NortelNetworks"                 }, /*  82 */
- {            0x07,             0, 1,  6, "Entrust"                        }, /*  83 */
- {              0x41,           0, 1,  7, "nsn-ce"                         }, /*  84 */
- {                0x00,         0, 0,  8, "entrustVersInfo"                }, /*  85 */
- {        0xF7,                 0, 1,  4, ""                               }, /*  86 */
- {          0x0D,               0, 1,  5, "RSADSI"                         }, /*  87 */
- {            0x01,           143, 1,  6, "PKCS"                           }, /*  88 */
- {              0x01,         101, 1,  7, "PKCS-1"                         }, /*  89 */
- {                0x01,        91, 0,  8, "rsaEncryption"                  }, /*  90 */
- {                0x02,        92, 0,  8, "md2WithRSAEncryption"           }, /*  91 */
- {                0x04,        93, 0,  8, "md5WithRSAEncryption"           }, /*  92 */
- {                0x05,        94, 0,  8, "sha-1WithRSAEncryption"         }, /*  93 */
- {                0x07,        95, 0,  8, "id-RSAES-OAEP"                  }, /*  94 */
- {                0x08,        96, 0,  8, "id-mgf1"                        }, /*  95 */
- {                0x09,        97, 0,  8, "id-pSpecified"                  }, /*  96 */
- {                0x0B,        98, 0,  8, "sha256WithRSAEncryption"        }, /*  97 */
- {                0x0C,        99, 0,  8, "sha384WithRSAEncryption"        }, /*  98 */
- {                0x0D,       100, 0,  8, "sha512WithRSAEncryption"        }, /*  99 */
- {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"        }, /* 100 */
- {              0x05,         106, 1,  7, "PKCS-5"                         }, /* 101 */
- {                0x03,       103, 0,  8, "pbeWithMD5AndDES-CBC"           }, /* 102 */
- {                0x0A,       104, 0,  8, "pbeWithSHA1AndDES-CBC"          }, /* 103 */
- {                0x0C,       105, 0,  8, "id-PBKDF2"                      }, /* 104 */
- {                0x0D,         0, 0,  8, "id-PBES2"                       }, /* 105 */
- {              0x07,         113, 1,  7, "PKCS-7"                         }, /* 106 */
- {                0x01,       108, 0,  8, "data"                           }, /* 107 */
- {                0x02,       109, 0,  8, "signedData"                     }, /* 108 */
- {                0x03,       110, 0,  8, "envelopedData"                  }, /* 109 */
- {                0x04,       111, 0,  8, "signedAndEnvelopedData"         }, /* 110 */
- {                0x05,       112, 0,  8, "digestedData"                   }, /* 111 */
- {                0x06,         0, 0,  8, "encryptedData"                  }, /* 112 */
- {              0x09,         127, 1,  7, "PKCS-9"                         }, /* 113 */
- {                0x01,       115, 0,  8, "E"                              }, /* 114 */
- {                0x02,       116, 0,  8, "unstructuredName"               }, /* 115 */
- {                0x03,       117, 0,  8, "contentType"                    }, /* 116 */
- {                0x04,       118, 0,  8, "messageDigest"                  }, /* 117 */
- {                0x05,       119, 0,  8, "signingTime"                    }, /* 118 */
- {                0x06,       120, 0,  8, "counterSignature"               }, /* 119 */
- {                0x07,       121, 0,  8, "challengePassword"              }, /* 120 */
- {                0x08,       122, 0,  8, "unstructuredAddress"            }, /* 121 */
- {                0x0E,       123, 0,  8, "extensionRequest"               }, /* 122 */
- {                0x0F,       124, 0,  8, "S/MIME Capabilities"            }, /* 123 */
- {                0x16,         0, 1,  8, "certTypes"                      }, /* 124 */
- {                  0x01,     126, 0,  9, "X.509"                          }, /* 125 */
- {                  0x02,       0, 0,  9, "SDSI"                           }, /* 126 */
- {              0x0c,           0, 1,  7, "PKCS-12"                        }, /* 127 */
- {                0x01,       135, 1,  8, "pbeIds"                         }, /* 128 */
- {                  0x01,     130, 0,  9, "pbeWithSHAAnd128BitRC4"         }, /* 129 */
- {                  0x02,     131, 0,  9, "pbeWithSHAAnd40BitRC4"          }, /* 130 */
- {                  0x03,     132, 0,  9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 131 */
- {                  0x04,     133, 0,  9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 132 */
- {                  0x05,     134, 0,  9, "pbeWithSHAAnd128BitRC2-CBC"     }, /* 133 */
- {                  0x06,       0, 0,  9, "pbeWithSHAAnd40BitRC2-CBC"      }, /* 134 */
- {                0x0a,         0, 1,  8, "PKCS-12v1"                      }, /* 135 */
- {                  0x01,       0, 1,  9, "bagIds"                         }, /* 136 */
- {                    0x01,   138, 0, 10, "keyBag"                         }, /* 137 */
- {                    0x02,   139, 0, 10, "pkcs8ShroudedKeyBag"            }, /* 138 */
- {                    0x03,   140, 0, 10, "certBag"                        }, /* 139 */
- {                    0x04,   141, 0, 10, "crlBag"                         }, /* 140 */
- {                    0x05,   142, 0, 10, "secretBag"                      }, /* 141 */
- {                    0x06,     0, 0, 10, "safeContentsBag"                }, /* 142 */
- {            0x02,           146, 1,  6, "digestAlgorithm"                }, /* 143 */
- {              0x02,         145, 0,  7, "md2"                            }, /* 144 */
- {              0x05,           0, 0,  7, "md5"                            }, /* 145 */
- {            0x03,             0, 1,  6, "encryptionAlgorithm"            }, /* 146 */
- {              0x07,           0, 0,  7, "3des-ede-cbc"                   }, /* 147 */
- {      0xCE,                   0, 1,  3, ""                               }, /* 148 */
- {        0x3D,                 0, 1,  4, "ansi-X9-62"                     }, /* 149 */
- {          0x02,             152, 1,  5, "id-publicKeyType"               }, /* 150 */
- {            0x01,             0, 0,  6, "id-ecPublicKey"                 }, /* 151 */
- {          0x03,             182, 1,  5, "ellipticCurve"                  }, /* 152 */
- {            0x00,           174, 1,  6, "c-TwoCurve"                     }, /* 153 */
- {              0x01,         155, 0,  7, "c2pnb163v1"                     }, /* 154 */
- {              0x02,         156, 0,  7, "c2pnb163v2"                     }, /* 155 */
- {              0x03,         157, 0,  7, "c2pnb163v3"                     }, /* 156 */
- {              0x04,         158, 0,  7, "c2pnb176w1"                     }, /* 157 */
- {              0x05,         159, 0,  7, "c2tnb191v1"                     }, /* 158 */
- {              0x06,         160, 0,  7, "c2tnb191v2"                     }, /* 159 */
- {              0x07,         161, 0,  7, "c2tnb191v3"                     }, /* 160 */
- {              0x08,         162, 0,  7, "c2onb191v4"                     }, /* 161 */
- {              0x09,         163, 0,  7, "c2onb191v5"                     }, /* 162 */
- {              0x0A,         164, 0,  7, "c2pnb208w1"                     }, /* 163 */
- {              0x0B,         165, 0,  7, "c2tnb239v1"                     }, /* 164 */
- {              0x0C,         166, 0,  7, "c2tnb239v2"                     }, /* 165 */
- {              0x0D,         167, 0,  7, "c2tnb239v3"                     }, /* 166 */
- {              0x0E,         168, 0,  7, "c2onb239v4"                     }, /* 167 */
- {              0x0F,         169, 0,  7, "c2onb239v5"                     }, /* 168 */
- {              0x10,         170, 0,  7, "c2pnb272w1"                     }, /* 169 */
- {              0x11,         171, 0,  7, "c2pnb304w1"                     }, /* 170 */
- {              0x12,         172, 0,  7, "c2tnb359v1"                     }, /* 171 */
- {              0x13,         173, 0,  7, "c2pnb368w1"                     }, /* 172 */
- {              0x14,           0, 0,  7, "c2tnb431r1"                     }, /* 173 */
- {            0x01,             0, 1,  6, "primeCurve"                     }, /* 174 */
- {              0x01,         176, 0,  7, "prime192v1"                     }, /* 175 */
- {              0x02,         177, 0,  7, "prime192v2"                     }, /* 176 */
- {              0x03,         178, 0,  7, "prime192v3"                     }, /* 177 */
- {              0x04,         179, 0,  7, "prime239v1"                     }, /* 178 */
- {              0x05,         180, 0,  7, "prime239v2"                     }, /* 179 */
- {              0x06,         181, 0,  7, "prime239v3"                     }, /* 180 */
- {              0x07,           0, 0,  7, "prime256v1"                     }, /* 181 */
- {          0x04,               0, 1,  5, "id-ecSigType"                   }, /* 182 */
- {            0x01,           184, 0,  6, "ecdsa-with-SHA1"                }, /* 183 */
- {            0x03,             0, 1,  6, "ecdsa-with-Specified"           }, /* 184 */
- {              0x01,         186, 0,  7, "ecdsa-with-SHA224"              }, /* 185 */
- {              0x02,         187, 0,  7, "ecdsa-with-SHA256"              }, /* 186 */
- {              0x03,         188, 0,  7, "ecdsa-with-SHA384"              }, /* 187 */
- {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 188 */
- {0x2B,                       416, 1,  0, ""                               }, /* 189 */
- {  0x06,                     330, 1,  1, "dod"                            }, /* 190 */
- {    0x01,                     0, 1,  2, "internet"                       }, /* 191 */
- {      0x04,                 281, 1,  3, "private"                        }, /* 192 */
- {        0x01,                 0, 1,  4, "enterprise"                     }, /* 193 */
- {          0x82,             231, 1,  5, ""                               }, /* 194 */
- {            0x37,           207, 1,  6, "Microsoft"                      }, /* 195 */
- {              0x0A,         200, 1,  7, ""                               }, /* 196 */
- {                0x03,         0, 1,  8, ""                               }, /* 197 */
- {                  0x03,     199, 0,  9, "msSGC"                          }, /* 198 */
- {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 199 */
- {              0x14,         204, 1,  7, "msEnrollmentInfrastructure"     }, /* 200 */
- {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 201 */
- {                  0x02,     203, 0,  9, "msSmartcardLogon"               }, /* 202 */
- {                  0x03,       0, 0,  9, "msUPN"                          }, /* 203 */
- {              0x15,           0, 1,  7, "msCertSrvInfrastructure"        }, /* 204 */
- {                0x07,       206, 0,  8, "msCertTemplate"                 }, /* 205 */
- {                0x0A,         0, 0,  8, "msApplicationCertPolicies"      }, /* 206 */
- {            0xA0,             0, 1,  6, ""                               }, /* 207 */
- {              0x2A,           0, 1,  7, "ITA"                            }, /* 208 */
- {                0x01,       210, 0,  8, "strongSwan"                     }, /* 209 */
- {                0x02,       211, 0,  8, "cps"                            }, /* 210 */
- {                0x03,       212, 0,  8, "e-voting"                       }, /* 211 */
- {                0x05,         0, 1,  8, "BLISS"                          }, /* 212 */
- {                  0x01,     215, 1,  9, "keyType"                        }, /* 213 */
- {                    0x01,     0, 0, 10, "blissPublicKey"                 }, /* 214 */
- {                  0x02,     224, 1,  9, "parameters"                     }, /* 215 */
- {                    0x01,   217, 0, 10, "BLISS-I"                        }, /* 216 */
- {                    0x02,   218, 0, 10, "BLISS-II"                       }, /* 217 */
- {                    0x03,   219, 0, 10, "BLISS-III"                      }, /* 218 */
- {                    0x04,   220, 0, 10, "BLISS-IV"                       }, /* 219 */
- {                    0x05,   221, 0, 10, "BLISS-B-I"                      }, /* 220 */
- {                    0x06,   222, 0, 10, "BLISS-B-II"                     }, /* 221 */
- {                    0x07,   223, 0, 10, "BLISS-B-III"                    }, /* 222 */
- {                    0x08,     0, 0, 10, "BLISS-B-IV"                     }, /* 223 */
- {                  0x03,       0, 1,  9, "blissSigType"                   }, /* 224 */
- {                    0x01,   226, 0, 10, "BLISS-with-SHA2-512"            }, /* 225 */
- {                    0x02,   227, 0, 10, "BLISS-with-SHA2-384"            }, /* 226 */
- {                    0x03,   228, 0, 10, "BLISS-with-SHA2-256"            }, /* 227 */
- {                    0x04,   229, 0, 10, "BLISS-with-SHA3-512"            }, /* 228 */
- {                    0x05,   230, 0, 10, "BLISS-with-SHA3-384"            }, /* 229 */
- {                    0x06,     0, 0, 10, "BLISS-with-SHA3-256"            }, /* 230 */
- {          0x89,             238, 1,  5, ""                               }, /* 231 */
- {            0x31,             0, 1,  6, ""                               }, /* 232 */
- {              0x01,           0, 1,  7, ""                               }, /* 233 */
- {                0x01,         0, 1,  8, ""                               }, /* 234 */
- {                  0x02,       0, 1,  9, ""                               }, /* 235 */
- {                    0x02,     0, 1, 10, ""                               }, /* 236 */
- {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 237 */
- {          0x97,             242, 1,  5, ""                               }, /* 238 */
- {            0x55,             0, 1,  6, ""                               }, /* 239 */
- {              0x01,           0, 1,  7, ""                               }, /* 240 */
- {                0x02,         0, 0,  8, "blowfish-cbc"                   }, /* 241 */
- {          0xC1,               0, 1,  5, ""                               }, /* 242 */
- {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 243 */
- {              0x01,           0, 1,  7, "eess"                           }, /* 244 */
- {                0x01,         0, 1,  8, "eess1"                          }, /* 245 */
- {                  0x01,     250, 1,  9, "eess1-algs"                     }, /* 246 */
- {                    0x01,   248, 0, 10, "ntru-EESS1v1-SVES"              }, /* 247 */
- {                    0x02,   249, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 248 */
- {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 249 */
- {                  0x02,     280, 1,  9, "eess1-params"                   }, /* 250 */
- {                    0x01,   252, 0, 10, "ees251ep1"                      }, /* 251 */
- {                    0x02,   253, 0, 10, "ees347ep1"                      }, /* 252 */
- {                    0x03,   254, 0, 10, "ees503ep1"                      }, /* 253 */
- {                    0x07,   255, 0, 10, "ees251sp2"                      }, /* 254 */
- {                    0x0C,   256, 0, 10, "ees251ep4"                      }, /* 255 */
- {                    0x0D,   257, 0, 10, "ees251ep5"                      }, /* 256 */
- {                    0x0E,   258, 0, 10, "ees251sp3"                      }, /* 257 */
- {                    0x0F,   259, 0, 10, "ees251sp4"                      }, /* 258 */
- {                    0x10,   260, 0, 10, "ees251sp5"                      }, /* 259 */
- {                    0x11,   261, 0, 10, "ees251sp6"                      }, /* 260 */
- {                    0x12,   262, 0, 10, "ees251sp7"                      }, /* 261 */
- {                    0x13,   263, 0, 10, "ees251sp8"                      }, /* 262 */
- {                    0x14,   264, 0, 10, "ees251sp9"                      }, /* 263 */
- {                    0x22,   265, 0, 10, "ees401ep1"                      }, /* 264 */
- {                    0x23,   266, 0, 10, "ees449ep1"                      }, /* 265 */
- {                    0x24,   267, 0, 10, "ees677ep1"                      }, /* 266 */
- {                    0x25,   268, 0, 10, "ees1087ep2"                     }, /* 267 */
- {                    0x26,   269, 0, 10, "ees541ep1"                      }, /* 268 */
- {                    0x27,   270, 0, 10, "ees613ep1"                      }, /* 269 */
- {                    0x28,   271, 0, 10, "ees887ep1"                      }, /* 270 */
- {                    0x29,   272, 0, 10, "ees1171ep1"                     }, /* 271 */
- {                    0x2A,   273, 0, 10, "ees659ep1"                      }, /* 272 */
- {                    0x2B,   274, 0, 10, "ees761ep1"                      }, /* 273 */
- {                    0x2C,   275, 0, 10, "ees1087ep1"                     }, /* 274 */
- {                    0x2D,   276, 0, 10, "ees1499ep1"                     }, /* 275 */
- {                    0x2E,   277, 0, 10, "ees401ep2"                      }, /* 276 */
- {                    0x2F,   278, 0, 10, "ees439ep1"                      }, /* 277 */
- {                    0x30,   279, 0, 10, "ees593ep1"                      }, /* 278 */
- {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 279 */
- {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 280 */
- {      0x05,                   0, 1,  3, "security"                       }, /* 281 */
- {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 282 */
- {          0x07,             327, 1,  5, "id-pkix"                        }, /* 283 */
- {            0x01,           288, 1,  6, "id-pe"                          }, /* 284 */
- {              0x01,         286, 0,  7, "authorityInfoAccess"            }, /* 285 */
- {              0x03,         287, 0,  7, "qcStatements"                   }, /* 286 */
- {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 287 */
- {            0x02,           291, 1,  6, "id-qt"                          }, /* 288 */
- {              0x01,         290, 0,  7, "cps"                            }, /* 289 */
- {              0x02,           0, 0,  7, "unotice"                        }, /* 290 */
- {            0x03,           301, 1,  6, "id-kp"                          }, /* 291 */
- {              0x01,         293, 0,  7, "serverAuth"                     }, /* 292 */
- {              0x02,         294, 0,  7, "clientAuth"                     }, /* 293 */
- {              0x03,         295, 0,  7, "codeSigning"                    }, /* 294 */
- {              0x04,         296, 0,  7, "emailProtection"                }, /* 295 */
- {              0x05,         297, 0,  7, "ipsecEndSystem"                 }, /* 296 */
- {              0x06,         298, 0,  7, "ipsecTunnel"                    }, /* 297 */
- {              0x07,         299, 0,  7, "ipsecUser"                      }, /* 298 */
- {              0x08,         300, 0,  7, "timeStamping"                   }, /* 299 */
- {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 300 */
- {            0x08,           309, 1,  6, "id-otherNames"                  }, /* 301 */
- {              0x01,         303, 0,  7, "personalData"                   }, /* 302 */
- {              0x02,         304, 0,  7, "userGroup"                      }, /* 303 */
- {              0x03,         305, 0,  7, "id-on-permanentIdentifier"      }, /* 304 */
- {              0x04,         306, 0,  7, "id-on-hardwareModuleName"       }, /* 305 */
- {              0x05,         307, 0,  7, "xmppAddr"                       }, /* 306 */
- {              0x06,         308, 0,  7, "id-on-SIM"                      }, /* 307 */
- {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 308 */
- {            0x0A,           314, 1,  6, "id-aca"                         }, /* 309 */
- {              0x01,         311, 0,  7, "authenticationInfo"             }, /* 310 */
- {              0x02,         312, 0,  7, "accessIdentity"                 }, /* 311 */
- {              0x03,         313, 0,  7, "chargingIdentity"               }, /* 312 */
- {              0x04,           0, 0,  7, "group"                          }, /* 313 */
- {            0x0B,           315, 0,  6, "subjectInfoAccess"              }, /* 314 */
- {            0x30,             0, 1,  6, "id-ad"                          }, /* 315 */
- {              0x01,         324, 1,  7, "ocsp"                           }, /* 316 */
- {                0x01,       318, 0,  8, "basic"                          }, /* 317 */
- {                0x02,       319, 0,  8, "nonce"                          }, /* 318 */
- {                0x03,       320, 0,  8, "crl"                            }, /* 319 */
- {                0x04,       321, 0,  8, "response"                       }, /* 320 */
- {                0x05,       322, 0,  8, "noCheck"                        }, /* 321 */
- {                0x06,       323, 0,  8, "archiveCutoff"                  }, /* 322 */
- {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 323 */
- {              0x02,         325, 0,  7, "caIssuers"                      }, /* 324 */
- {              0x03,         326, 0,  7, "timeStamping"                   }, /* 325 */
- {              0x05,           0, 0,  7, "caRepository"                   }, /* 326 */
- {          0x08,               0, 1,  5, "ipsec"                          }, /* 327 */
- {            0x02,             0, 1,  6, "certificate"                    }, /* 328 */
- {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 329 */
- {  0x0E,                     336, 1,  1, "oiw"                            }, /* 330 */
- {    0x03,                     0, 1,  2, "secsig"                         }, /* 331 */
- {      0x02,                   0, 1,  3, "algorithms"                     }, /* 332 */
- {        0x07,               334, 0,  4, "des-cbc"                        }, /* 333 */
- {        0x1A,               335, 0,  4, "sha-1"                          }, /* 334 */
- {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 335 */
- {  0x24,                     382, 1,  1, "TeleTrusT"                      }, /* 336 */
- {    0x03,                     0, 1,  2, "algorithm"                      }, /* 337 */
- {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 338 */
- {        0x01,               343, 1,  4, "rsaSignature"                   }, /* 339 */
- {          0x02,             341, 0,  5, "rsaSigWithripemd160"            }, /* 340 */
- {          0x03,             342, 0,  5, "rsaSigWithripemd128"            }, /* 341 */
- {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 342 */
- {        0x02,                 0, 1,  4, "ecSign"                         }, /* 343 */
- {          0x01,             345, 0,  5, "ecSignWithsha1"                 }, /* 344 */
- {          0x02,             346, 0,  5, "ecSignWithripemd160"            }, /* 345 */
- {          0x03,             347, 0,  5, "ecSignWithmd2"                  }, /* 346 */
- {          0x04,             348, 0,  5, "ecSignWithmd5"                  }, /* 347 */
- {          0x05,             365, 1,  5, "ttt-ecg"                        }, /* 348 */
- {            0x01,           353, 1,  6, "fieldType"                      }, /* 349 */
- {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 350 */
- {                0x01,         0, 1,  8, "basisType"                      }, /* 351 */
- {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 352 */
- {            0x02,           355, 1,  6, "keyType"                        }, /* 353 */
- {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 354 */
- {            0x03,           356, 0,  6, "curve"                          }, /* 355 */
- {            0x04,           363, 1,  6, "signatures"                     }, /* 356 */
- {              0x01,         358, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 357 */
- {              0x02,         359, 0,  7, "ecgdsa-with-SHA1"               }, /* 358 */
- {              0x03,         360, 0,  7, "ecgdsa-with-SHA224"             }, /* 359 */
- {              0x04,         361, 0,  7, "ecgdsa-with-SHA256"             }, /* 360 */
- {              0x05,         362, 0,  7, "ecgdsa-with-SHA384"             }, /* 361 */
- {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 362 */
- {            0x05,             0, 1,  6, "module"                         }, /* 363 */
- {              0x01,           0, 0,  7, "1"                              }, /* 364 */
- {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 365 */
- {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 366 */
- {              0x01,           0, 1,  7, "versionOne"                     }, /* 367 */
- {                0x01,       369, 0,  8, "brainpoolP160r1"                }, /* 368 */
- {                0x02,       370, 0,  8, "brainpoolP160t1"                }, /* 369 */
- {                0x03,       371, 0,  8, "brainpoolP192r1"                }, /* 370 */
- {                0x04,       372, 0,  8, "brainpoolP192t1"                }, /* 371 */
- {                0x05,       373, 0,  8, "brainpoolP224r1"                }, /* 372 */
- {                0x06,       374, 0,  8, "brainpoolP224t1"                }, /* 373 */
- {                0x07,       375, 0,  8, "brainpoolP256r1"                }, /* 374 */
- {                0x08,       376, 0,  8, "brainpoolP256t1"                }, /* 375 */
- {                0x09,       377, 0,  8, "brainpoolP320r1"                }, /* 376 */
- {                0x0A,       378, 0,  8, "brainpoolP320t1"                }, /* 377 */
- {                0x0B,       379, 0,  8, "brainpoolP384r1"                }, /* 378 */
- {                0x0C,       380, 0,  8, "brainpoolP384t1"                }, /* 379 */
- {                0x0D,       381, 0,  8, "brainpoolP512r1"                }, /* 380 */
- {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 381 */
- {  0x81,                       0, 1,  1, ""                               }, /* 382 */
- {    0x04,                     0, 1,  2, "Certicom"                       }, /* 383 */
- {      0x00,                   0, 1,  3, "curve"                          }, /* 384 */
- {        0x01,               386, 0,  4, "sect163k1"                      }, /* 385 */
- {        0x02,               387, 0,  4, "sect163r1"                      }, /* 386 */
- {        0x03,               388, 0,  4, "sect239k1"                      }, /* 387 */
- {        0x04,               389, 0,  4, "sect113r1"                      }, /* 388 */
- {        0x05,               390, 0,  4, "sect113r2"                      }, /* 389 */
- {        0x06,               391, 0,  4, "secp112r1"                      }, /* 390 */
- {        0x07,               392, 0,  4, "secp112r2"                      }, /* 391 */
- {        0x08,               393, 0,  4, "secp160r1"                      }, /* 392 */
- {        0x09,               394, 0,  4, "secp160k1"                      }, /* 393 */
- {        0x0A,               395, 0,  4, "secp256k1"                      }, /* 394 */
- {        0x0F,               396, 0,  4, "sect163r2"                      }, /* 395 */
- {        0x10,               397, 0,  4, "sect283k1"                      }, /* 396 */
- {        0x11,               398, 0,  4, "sect283r1"                      }, /* 397 */
- {        0x16,               399, 0,  4, "sect131r1"                      }, /* 398 */
- {        0x17,               400, 0,  4, "sect131r2"                      }, /* 399 */
- {        0x18,               401, 0,  4, "sect193r1"                      }, /* 400 */
- {        0x19,               402, 0,  4, "sect193r2"                      }, /* 401 */
- {        0x1A,               403, 0,  4, "sect233k1"                      }, /* 402 */
- {        0x1B,               404, 0,  4, "sect233r1"                      }, /* 403 */
- {        0x1C,               405, 0,  4, "secp128r1"                      }, /* 404 */
- {        0x1D,               406, 0,  4, "secp128r2"                      }, /* 405 */
- {        0x1E,               407, 0,  4, "secp160r2"                      }, /* 406 */
- {        0x1F,               408, 0,  4, "secp192k1"                      }, /* 407 */
- {        0x20,               409, 0,  4, "secp224k1"                      }, /* 408 */
- {        0x21,               410, 0,  4, "secp224r1"                      }, /* 409 */
- {        0x22,               411, 0,  4, "secp384r1"                      }, /* 410 */
- {        0x23,               412, 0,  4, "secp521r1"                      }, /* 411 */
- {        0x24,               413, 0,  4, "sect409k1"                      }, /* 412 */
- {        0x25,               414, 0,  4, "sect409r1"                      }, /* 413 */
- {        0x26,               415, 0,  4, "sect571k1"                      }, /* 414 */
- {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 415 */
- {0x60,                       470, 1,  0, ""                               }, /* 416 */
- {  0x86,                       0, 1,  1, ""                               }, /* 417 */
- {    0x48,                     0, 1,  2, ""                               }, /* 418 */
- {      0x01,                   0, 1,  3, "organization"                   }, /* 419 */
- {        0x65,               446, 1,  4, "gov"                            }, /* 420 */
- {          0x03,               0, 1,  5, "csor"                           }, /* 421 */
- {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 422 */
- {              0x01,         433, 1,  7, "aes"                            }, /* 423 */
- {                0x02,       425, 0,  8, "id-aes128-CBC"                  }, /* 424 */
- {                0x06,       426, 0,  8, "id-aes128-GCM"                  }, /* 425 */
- {                0x07,       427, 0,  8, "id-aes128-CCM"                  }, /* 426 */
- {                0x16,       428, 0,  8, "id-aes192-CBC"                  }, /* 427 */
- {                0x1A,       429, 0,  8, "id-aes192-GCM"                  }, /* 428 */
- {                0x1B,       430, 0,  8, "id-aes192-CCM"                  }, /* 429 */
- {                0x2A,       431, 0,  8, "id-aes256-CBC"                  }, /* 430 */
- {                0x2E,       432, 0,  8, "id-aes256-GCM"                  }, /* 431 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 432 */
- {              0x02,           0, 1,  7, "hashalgs"                       }, /* 433 */
- {                0x01,       435, 0,  8, "id-sha256"                      }, /* 434 */
- {                0x02,       436, 0,  8, "id-sha384"                      }, /* 435 */
- {                0x03,       437, 0,  8, "id-sha512"                      }, /* 436 */
- {                0x04,       438, 0,  8, "id-sha224"                      }, /* 437 */
- {                0x05,       439, 0,  8, "id-sha512-224"                  }, /* 438 */
- {                0x06,       440, 0,  8, "id-sha512-256"                  }, /* 439 */
- {                0x07,       441, 0,  8, "id-sha3-224"                    }, /* 440 */
- {                0x08,       442, 0,  8, "id-sha3-256"                    }, /* 441 */
- {                0x09,       443, 0,  8, "id-sha3-384"                    }, /* 442 */
- {                0x0A,       444, 0,  8, "id-sha3-512"                    }, /* 443 */
- {                0x0B,       445, 0,  8, "id-shake128"                    }, /* 444 */
- {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 445 */
- {        0x86,                 0, 1,  4, ""                               }, /* 446 */
- {          0xf8,               0, 1,  5, ""                               }, /* 447 */
- {            0x42,           460, 1,  6, "netscape"                       }, /* 448 */
- {              0x01,         455, 1,  7, ""                               }, /* 449 */
- {                0x01,       451, 0,  8, "nsCertType"                     }, /* 450 */
- {                0x03,       452, 0,  8, "nsRevocationUrl"                }, /* 451 */
- {                0x04,       453, 0,  8, "nsCaRevocationUrl"              }, /* 452 */
- {                0x08,       454, 0,  8, "nsCaPolicyUrl"                  }, /* 453 */
- {                0x0d,         0, 0,  8, "nsComment"                      }, /* 454 */
- {              0x03,         458, 1,  7, "directory"                      }, /* 455 */
- {                0x01,         0, 1,  8, ""                               }, /* 456 */
- {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 457 */
- {              0x04,           0, 1,  7, "policy"                         }, /* 458 */
- {                0x01,         0, 0,  8, "nsSGC"                          }, /* 459 */
- {            0x45,             0, 1,  6, "verisign"                       }, /* 460 */
- {              0x01,           0, 1,  7, "pki"                            }, /* 461 */
- {                0x09,         0, 1,  8, "attributes"                     }, /* 462 */
- {                  0x02,     464, 0,  9, "messageType"                    }, /* 463 */
- {                  0x03,     465, 0,  9, "pkiStatus"                      }, /* 464 */
- {                  0x04,     466, 0,  9, "failInfo"                       }, /* 465 */
- {                  0x05,     467, 0,  9, "senderNonce"                    }, /* 466 */
- {                  0x06,     468, 0,  9, "recipientNonce"                 }, /* 467 */
- {                  0x07,     469, 0,  9, "transID"                        }, /* 468 */
- {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 469 */
- {0x67,                         0, 1,  0, ""                               }, /* 470 */
- {  0x81,                       0, 1,  1, ""                               }, /* 471 */
- {    0x05,                     0, 1,  2, ""                               }, /* 472 */
- {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 473 */
- {        0x01,               475, 0,  4, "tcg-at-tpmManufacturer"         }, /* 474 */
- {        0x02,               476, 0,  4, "tcg-at-tpmModel"                }, /* 475 */
- {        0x03,               477, 0,  4, "tcg-at-tpmVersion"              }, /* 476 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 477 */
+ {    0x41,                    37, 0,  2, "pseudonym"                      }, /*  36 */
+ {    0x48,                     0, 0,  2, "role"                           }, /*  37 */
+ {  0x1D,                       0, 1,  1, "id-ce"                          }, /*  38 */
+ {    0x09,                    40, 0,  2, "subjectDirectoryAttrs"          }, /*  39 */
+ {    0x0E,                    41, 0,  2, "subjectKeyIdentifier"           }, /*  40 */
+ {    0x0F,                    42, 0,  2, "keyUsage"                       }, /*  41 */
+ {    0x10,                    43, 0,  2, "privateKeyUsagePeriod"          }, /*  42 */
+ {    0x11,                    44, 0,  2, "subjectAltName"                 }, /*  43 */
+ {    0x12,                    45, 0,  2, "issuerAltName"                  }, /*  44 */
+ {    0x13,                    46, 0,  2, "basicConstraints"               }, /*  45 */
+ {    0x14,                    47, 0,  2, "crlNumber"                      }, /*  46 */
+ {    0x15,                    48, 0,  2, "reasonCode"                     }, /*  47 */
+ {    0x17,                    49, 0,  2, "holdInstructionCode"            }, /*  48 */
+ {    0x18,                    50, 0,  2, "invalidityDate"                 }, /*  49 */
+ {    0x1B,                    51, 0,  2, "deltaCrlIndicator"              }, /*  50 */
+ {    0x1C,                    52, 0,  2, "issuingDistributionPoint"       }, /*  51 */
+ {    0x1D,                    53, 0,  2, "certificateIssuer"              }, /*  52 */
+ {    0x1E,                    54, 0,  2, "nameConstraints"                }, /*  53 */
+ {    0x1F,                    55, 0,  2, "crlDistributionPoints"          }, /*  54 */
+ {    0x20,                    57, 1,  2, "certificatePolicies"            }, /*  55 */
+ {      0x00,                   0, 0,  3, "anyPolicy"                      }, /*  56 */
+ {    0x21,                    58, 0,  2, "policyMappings"                 }, /*  57 */
+ {    0x23,                    59, 0,  2, "authorityKeyIdentifier"         }, /*  58 */
+ {    0x24,                    60, 0,  2, "policyConstraints"              }, /*  59 */
+ {    0x25,                    62, 1,  2, "extendedKeyUsage"               }, /*  60 */
+ {      0x00,                   0, 0,  3, "anyExtendedKeyUsage"            }, /*  61 */
+ {    0x2E,                    63, 0,  2, "freshestCRL"                    }, /*  62 */
+ {    0x36,                    64, 0,  2, "inhibitAnyPolicy"               }, /*  63 */
+ {    0x37,                    65, 0,  2, "targetInformation"              }, /*  64 */
+ {    0x38,                     0, 0,  2, "noRevAvail"                     }, /*  65 */
+ {0x2A,                       190, 1,  0, ""                               }, /*  66 */
+ {  0x83,                      79, 1,  1, ""                               }, /*  67 */
+ {    0x08,                     0, 1,  2, "jp"                             }, /*  68 */
+ {      0x8C,                   0, 1,  3, ""                               }, /*  69 */
+ {        0x9A,                 0, 1,  4, ""                               }, /*  70 */
+ {          0x4B,               0, 1,  5, ""                               }, /*  71 */
+ {            0x3D,             0, 1,  6, ""                               }, /*  72 */
+ {              0x01,           0, 1,  7, "security"                       }, /*  73 */
+ {                0x01,         0, 1,  8, "algorithm"                      }, /*  74 */
+ {                  0x01,       0, 1,  9, "symm-encryption-alg"            }, /*  75 */
+ {                    0x02,    77, 0, 10, "camellia128-cbc"                }, /*  76 */
+ {                    0x03,    78, 0, 10, "camellia192-cbc"                }, /*  77 */
+ {                    0x04,     0, 0, 10, "camellia256-cbc"                }, /*  78 */
+ {  0x86,                       0, 1,  1, ""                               }, /*  79 */
+ {    0x48,                     0, 1,  2, "us"                             }, /*  80 */
+ {      0x86,                 149, 1,  3, ""                               }, /*  81 */
+ {        0xF6,                87, 1,  4, ""                               }, /*  82 */
+ {          0x7D,               0, 1,  5, "NortelNetworks"                 }, /*  83 */
+ {            0x07,             0, 1,  6, "Entrust"                        }, /*  84 */
+ {              0x41,           0, 1,  7, "nsn-ce"                         }, /*  85 */
+ {                0x00,         0, 0,  8, "entrustVersInfo"                }, /*  86 */
+ {        0xF7,                 0, 1,  4, ""                               }, /*  87 */
+ {          0x0D,               0, 1,  5, "RSADSI"                         }, /*  88 */
+ {            0x01,           144, 1,  6, "PKCS"                           }, /*  89 */
+ {              0x01,         102, 1,  7, "PKCS-1"                         }, /*  90 */
+ {                0x01,        92, 0,  8, "rsaEncryption"                  }, /*  91 */
+ {                0x02,        93, 0,  8, "md2WithRSAEncryption"           }, /*  92 */
+ {                0x04,        94, 0,  8, "md5WithRSAEncryption"           }, /*  93 */
+ {                0x05,        95, 0,  8, "sha-1WithRSAEncryption"         }, /*  94 */
+ {                0x07,        96, 0,  8, "id-RSAES-OAEP"                  }, /*  95 */
+ {                0x08,        97, 0,  8, "id-mgf1"                        }, /*  96 */
+ {                0x09,        98, 0,  8, "id-pSpecified"                  }, /*  97 */
+ {                0x0B,        99, 0,  8, "sha256WithRSAEncryption"        }, /*  98 */
+ {                0x0C,       100, 0,  8, "sha384WithRSAEncryption"        }, /*  99 */
+ {                0x0D,       101, 0,  8, "sha512WithRSAEncryption"        }, /* 100 */
+ {                0x0E,         0, 0,  8, "sha224WithRSAEncryption"        }, /* 101 */
+ {              0x05,         107, 1,  7, "PKCS-5"                         }, /* 102 */
+ {                0x03,       104, 0,  8, "pbeWithMD5AndDES-CBC"           }, /* 103 */
+ {                0x0A,       105, 0,  8, "pbeWithSHA1AndDES-CBC"          }, /* 104 */
+ {                0x0C,       106, 0,  8, "id-PBKDF2"                      }, /* 105 */
+ {                0x0D,         0, 0,  8, "id-PBES2"                       }, /* 106 */
+ {              0x07,         114, 1,  7, "PKCS-7"                         }, /* 107 */
+ {                0x01,       109, 0,  8, "data"                           }, /* 108 */
+ {                0x02,       110, 0,  8, "signedData"                     }, /* 109 */
+ {                0x03,       111, 0,  8, "envelopedData"                  }, /* 110 */
+ {                0x04,       112, 0,  8, "signedAndEnvelopedData"         }, /* 111 */
+ {                0x05,       113, 0,  8, "digestedData"                   }, /* 112 */
+ {                0x06,         0, 0,  8, "encryptedData"                  }, /* 113 */
+ {              0x09,         128, 1,  7, "PKCS-9"                         }, /* 114 */
+ {                0x01,       116, 0,  8, "E"                              }, /* 115 */
+ {                0x02,       117, 0,  8, "unstructuredName"               }, /* 116 */
+ {                0x03,       118, 0,  8, "contentType"                    }, /* 117 */
+ {                0x04,       119, 0,  8, "messageDigest"                  }, /* 118 */
+ {                0x05,       120, 0,  8, "signingTime"                    }, /* 119 */
+ {                0x06,       121, 0,  8, "counterSignature"               }, /* 120 */
+ {                0x07,       122, 0,  8, "challengePassword"              }, /* 121 */
+ {                0x08,       123, 0,  8, "unstructuredAddress"            }, /* 122 */
+ {                0x0E,       124, 0,  8, "extensionRequest"               }, /* 123 */
+ {                0x0F,       125, 0,  8, "S/MIME Capabilities"            }, /* 124 */
+ {                0x16,         0, 1,  8, "certTypes"                      }, /* 125 */
+ {                  0x01,     127, 0,  9, "X.509"                          }, /* 126 */
+ {                  0x02,       0, 0,  9, "SDSI"                           }, /* 127 */
+ {              0x0c,           0, 1,  7, "PKCS-12"                        }, /* 128 */
+ {                0x01,       136, 1,  8, "pbeIds"                         }, /* 129 */
+ {                  0x01,     131, 0,  9, "pbeWithSHAAnd128BitRC4"         }, /* 130 */
+ {                  0x02,     132, 0,  9, "pbeWithSHAAnd40BitRC4"          }, /* 131 */
+ {                  0x03,     133, 0,  9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 132 */
+ {                  0x04,     134, 0,  9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 133 */
+ {                  0x05,     135, 0,  9, "pbeWithSHAAnd128BitRC2-CBC"     }, /* 134 */
+ {                  0x06,       0, 0,  9, "pbeWithSHAAnd40BitRC2-CBC"      }, /* 135 */
+ {                0x0a,         0, 1,  8, "PKCS-12v1"                      }, /* 136 */
+ {                  0x01,       0, 1,  9, "bagIds"                         }, /* 137 */
+ {                    0x01,   139, 0, 10, "keyBag"                         }, /* 138 */
+ {                    0x02,   140, 0, 10, "pkcs8ShroudedKeyBag"            }, /* 139 */
+ {                    0x03,   141, 0, 10, "certBag"                        }, /* 140 */
+ {                    0x04,   142, 0, 10, "crlBag"                         }, /* 141 */
+ {                    0x05,   143, 0, 10, "secretBag"                      }, /* 142 */
+ {                    0x06,     0, 0, 10, "safeContentsBag"                }, /* 143 */
+ {            0x02,           147, 1,  6, "digestAlgorithm"                }, /* 144 */
+ {              0x02,         146, 0,  7, "md2"                            }, /* 145 */
+ {              0x05,           0, 0,  7, "md5"                            }, /* 146 */
+ {            0x03,             0, 1,  6, "encryptionAlgorithm"            }, /* 147 */
+ {              0x07,           0, 0,  7, "3des-ede-cbc"                   }, /* 148 */
+ {      0xCE,                   0, 1,  3, ""                               }, /* 149 */
+ {        0x3D,                 0, 1,  4, "ansi-X9-62"                     }, /* 150 */
+ {          0x02,             153, 1,  5, "id-publicKeyType"               }, /* 151 */
+ {            0x01,             0, 0,  6, "id-ecPublicKey"                 }, /* 152 */
+ {          0x03,             183, 1,  5, "ellipticCurve"                  }, /* 153 */
+ {            0x00,           175, 1,  6, "c-TwoCurve"                     }, /* 154 */
+ {              0x01,         156, 0,  7, "c2pnb163v1"                     }, /* 155 */
+ {              0x02,         157, 0,  7, "c2pnb163v2"                     }, /* 156 */
+ {              0x03,         158, 0,  7, "c2pnb163v3"                     }, /* 157 */
+ {              0x04,         159, 0,  7, "c2pnb176w1"                     }, /* 158 */
+ {              0x05,         160, 0,  7, "c2tnb191v1"                     }, /* 159 */
+ {              0x06,         161, 0,  7, "c2tnb191v2"                     }, /* 160 */
+ {              0x07,         162, 0,  7, "c2tnb191v3"                     }, /* 161 */
+ {              0x08,         163, 0,  7, "c2onb191v4"                     }, /* 162 */
+ {              0x09,         164, 0,  7, "c2onb191v5"                     }, /* 163 */
+ {              0x0A,         165, 0,  7, "c2pnb208w1"                     }, /* 164 */
+ {              0x0B,         166, 0,  7, "c2tnb239v1"                     }, /* 165 */
+ {              0x0C,         167, 0,  7, "c2tnb239v2"                     }, /* 166 */
+ {              0x0D,         168, 0,  7, "c2tnb239v3"                     }, /* 167 */
+ {              0x0E,         169, 0,  7, "c2onb239v4"                     }, /* 168 */
+ {              0x0F,         170, 0,  7, "c2onb239v5"                     }, /* 169 */
+ {              0x10,         171, 0,  7, "c2pnb272w1"                     }, /* 170 */
+ {              0x11,         172, 0,  7, "c2pnb304w1"                     }, /* 171 */
+ {              0x12,         173, 0,  7, "c2tnb359v1"                     }, /* 172 */
+ {              0x13,         174, 0,  7, "c2pnb368w1"                     }, /* 173 */
+ {              0x14,           0, 0,  7, "c2tnb431r1"                     }, /* 174 */
+ {            0x01,             0, 1,  6, "primeCurve"                     }, /* 175 */
+ {              0x01,         177, 0,  7, "prime192v1"                     }, /* 176 */
+ {              0x02,         178, 0,  7, "prime192v2"                     }, /* 177 */
+ {              0x03,         179, 0,  7, "prime192v3"                     }, /* 178 */
+ {              0x04,         180, 0,  7, "prime239v1"                     }, /* 179 */
+ {              0x05,         181, 0,  7, "prime239v2"                     }, /* 180 */
+ {              0x06,         182, 0,  7, "prime239v3"                     }, /* 181 */
+ {              0x07,           0, 0,  7, "prime256v1"                     }, /* 182 */
+ {          0x04,               0, 1,  5, "id-ecSigType"                   }, /* 183 */
+ {            0x01,           185, 0,  6, "ecdsa-with-SHA1"                }, /* 184 */
+ {            0x03,             0, 1,  6, "ecdsa-with-Specified"           }, /* 185 */
+ {              0x01,         187, 0,  7, "ecdsa-with-SHA224"              }, /* 186 */
+ {              0x02,         188, 0,  7, "ecdsa-with-SHA256"              }, /* 187 */
+ {              0x03,         189, 0,  7, "ecdsa-with-SHA384"              }, /* 188 */
+ {              0x04,           0, 0,  7, "ecdsa-with-SHA512"              }, /* 189 */
+ {0x2B,                       417, 1,  0, ""                               }, /* 190 */
+ {  0x06,                     331, 1,  1, "dod"                            }, /* 191 */
+ {    0x01,                     0, 1,  2, "internet"                       }, /* 192 */
+ {      0x04,                 282, 1,  3, "private"                        }, /* 193 */
+ {        0x01,                 0, 1,  4, "enterprise"                     }, /* 194 */
+ {          0x82,             232, 1,  5, ""                               }, /* 195 */
+ {            0x37,           208, 1,  6, "Microsoft"                      }, /* 196 */
+ {              0x0A,         201, 1,  7, ""                               }, /* 197 */
+ {                0x03,         0, 1,  8, ""                               }, /* 198 */
+ {                  0x03,     200, 0,  9, "msSGC"                          }, /* 199 */
+ {                  0x04,       0, 0,  9, "msEncryptingFileSystem"         }, /* 200 */
+ {              0x14,         205, 1,  7, "msEnrollmentInfrastructure"     }, /* 201 */
+ {                0x02,         0, 1,  8, "msCertificateTypeExtension"     }, /* 202 */
+ {                  0x02,     204, 0,  9, "msSmartcardLogon"               }, /* 203 */
+ {                  0x03,       0, 0,  9, "msUPN"                          }, /* 204 */
+ {              0x15,           0, 1,  7, "msCertSrvInfrastructure"        }, /* 205 */
+ {                0x07,       207, 0,  8, "msCertTemplate"                 }, /* 206 */
+ {                0x0A,         0, 0,  8, "msApplicationCertPolicies"      }, /* 207 */
+ {            0xA0,             0, 1,  6, ""                               }, /* 208 */
+ {              0x2A,           0, 1,  7, "ITA"                            }, /* 209 */
+ {                0x01,       211, 0,  8, "strongSwan"                     }, /* 210 */
+ {                0x02,       212, 0,  8, "cps"                            }, /* 211 */
+ {                0x03,       213, 0,  8, "e-voting"                       }, /* 212 */
+ {                0x05,         0, 1,  8, "BLISS"                          }, /* 213 */
+ {                  0x01,     216, 1,  9, "keyType"                        }, /* 214 */
+ {                    0x01,     0, 0, 10, "blissPublicKey"                 }, /* 215 */
+ {                  0x02,     225, 1,  9, "parameters"                     }, /* 216 */
+ {                    0x01,   218, 0, 10, "BLISS-I"                        }, /* 217 */
+ {                    0x02,   219, 0, 10, "BLISS-II"                       }, /* 218 */
+ {                    0x03,   220, 0, 10, "BLISS-III"                      }, /* 219 */
+ {                    0x04,   221, 0, 10, "BLISS-IV"                       }, /* 220 */
+ {                    0x05,   222, 0, 10, "BLISS-B-I"                      }, /* 221 */
+ {                    0x06,   223, 0, 10, "BLISS-B-II"                     }, /* 222 */
+ {                    0x07,   224, 0, 10, "BLISS-B-III"                    }, /* 223 */
+ {                    0x08,     0, 0, 10, "BLISS-B-IV"                     }, /* 224 */
+ {                  0x03,       0, 1,  9, "blissSigType"                   }, /* 225 */
+ {                    0x01,   227, 0, 10, "BLISS-with-SHA2-512"            }, /* 226 */
+ {                    0x02,   228, 0, 10, "BLISS-with-SHA2-384"            }, /* 227 */
+ {                    0x03,   229, 0, 10, "BLISS-with-SHA2-256"            }, /* 228 */
+ {                    0x04,   230, 0, 10, "BLISS-with-SHA3-512"            }, /* 229 */
+ {                    0x05,   231, 0, 10, "BLISS-with-SHA3-384"            }, /* 230 */
+ {                    0x06,     0, 0, 10, "BLISS-with-SHA3-256"            }, /* 231 */
+ {          0x89,             239, 1,  5, ""                               }, /* 232 */
+ {            0x31,             0, 1,  6, ""                               }, /* 233 */
+ {              0x01,           0, 1,  7, ""                               }, /* 234 */
+ {                0x01,         0, 1,  8, ""                               }, /* 235 */
+ {                  0x02,       0, 1,  9, ""                               }, /* 236 */
+ {                    0x02,     0, 1, 10, ""                               }, /* 237 */
+ {                      0x4B,   0, 0, 11, "TCGID"                          }, /* 238 */
+ {          0x97,             243, 1,  5, ""                               }, /* 239 */
+ {            0x55,             0, 1,  6, ""                               }, /* 240 */
+ {              0x01,           0, 1,  7, ""                               }, /* 241 */
+ {                0x02,         0, 0,  8, "blowfish-cbc"                   }, /* 242 */
+ {          0xC1,               0, 1,  5, ""                               }, /* 243 */
+ {            0x16,             0, 1,  6, "ntruCryptosystems"              }, /* 244 */
+ {              0x01,           0, 1,  7, "eess"                           }, /* 245 */
+ {                0x01,         0, 1,  8, "eess1"                          }, /* 246 */
+ {                  0x01,     251, 1,  9, "eess1-algs"                     }, /* 247 */
+ {                    0x01,   249, 0, 10, "ntru-EESS1v1-SVES"              }, /* 248 */
+ {                    0x02,   250, 0, 10, "ntru-EESS1v1-SVSSA"             }, /* 249 */
+ {                    0x03,     0, 0, 10, "ntru-EESS1v1-NTRUSign"          }, /* 250 */
+ {                  0x02,     281, 1,  9, "eess1-params"                   }, /* 251 */
+ {                    0x01,   253, 0, 10, "ees251ep1"                      }, /* 252 */
+ {                    0x02,   254, 0, 10, "ees347ep1"                      }, /* 253 */
+ {                    0x03,   255, 0, 10, "ees503ep1"                      }, /* 254 */
+ {                    0x07,   256, 0, 10, "ees251sp2"                      }, /* 255 */
+ {                    0x0C,   257, 0, 10, "ees251ep4"                      }, /* 256 */
+ {                    0x0D,   258, 0, 10, "ees251ep5"                      }, /* 257 */
+ {                    0x0E,   259, 0, 10, "ees251sp3"                      }, /* 258 */
+ {                    0x0F,   260, 0, 10, "ees251sp4"                      }, /* 259 */
+ {                    0x10,   261, 0, 10, "ees251sp5"                      }, /* 260 */
+ {                    0x11,   262, 0, 10, "ees251sp6"                      }, /* 261 */
+ {                    0x12,   263, 0, 10, "ees251sp7"                      }, /* 262 */
+ {                    0x13,   264, 0, 10, "ees251sp8"                      }, /* 263 */
+ {                    0x14,   265, 0, 10, "ees251sp9"                      }, /* 264 */
+ {                    0x22,   266, 0, 10, "ees401ep1"                      }, /* 265 */
+ {                    0x23,   267, 0, 10, "ees449ep1"                      }, /* 266 */
+ {                    0x24,   268, 0, 10, "ees677ep1"                      }, /* 267 */
+ {                    0x25,   269, 0, 10, "ees1087ep2"                     }, /* 268 */
+ {                    0x26,   270, 0, 10, "ees541ep1"                      }, /* 269 */
+ {                    0x27,   271, 0, 10, "ees613ep1"                      }, /* 270 */
+ {                    0x28,   272, 0, 10, "ees887ep1"                      }, /* 271 */
+ {                    0x29,   273, 0, 10, "ees1171ep1"                     }, /* 272 */
+ {                    0x2A,   274, 0, 10, "ees659ep1"                      }, /* 273 */
+ {                    0x2B,   275, 0, 10, "ees761ep1"                      }, /* 274 */
+ {                    0x2C,   276, 0, 10, "ees1087ep1"                     }, /* 275 */
+ {                    0x2D,   277, 0, 10, "ees1499ep1"                     }, /* 276 */
+ {                    0x2E,   278, 0, 10, "ees401ep2"                      }, /* 277 */
+ {                    0x2F,   279, 0, 10, "ees439ep1"                      }, /* 278 */
+ {                    0x30,   280, 0, 10, "ees593ep1"                      }, /* 279 */
+ {                    0x31,     0, 0, 10, "ees743ep1"                      }, /* 280 */
+ {                  0x03,       0, 0,  9, "eess1-encodingMethods"          }, /* 281 */
+ {      0x05,                   0, 1,  3, "security"                       }, /* 282 */
+ {        0x05,                 0, 1,  4, "mechanisms"                     }, /* 283 */
+ {          0x07,             328, 1,  5, "id-pkix"                        }, /* 284 */
+ {            0x01,           289, 1,  6, "id-pe"                          }, /* 285 */
+ {              0x01,         287, 0,  7, "authorityInfoAccess"            }, /* 286 */
+ {              0x03,         288, 0,  7, "qcStatements"                   }, /* 287 */
+ {              0x07,           0, 0,  7, "ipAddrBlocks"                   }, /* 288 */
+ {            0x02,           292, 1,  6, "id-qt"                          }, /* 289 */
+ {              0x01,         291, 0,  7, "cps"                            }, /* 290 */
+ {              0x02,           0, 0,  7, "unotice"                        }, /* 291 */
+ {            0x03,           302, 1,  6, "id-kp"                          }, /* 292 */
+ {              0x01,         294, 0,  7, "serverAuth"                     }, /* 293 */
+ {              0x02,         295, 0,  7, "clientAuth"                     }, /* 294 */
+ {              0x03,         296, 0,  7, "codeSigning"                    }, /* 295 */
+ {              0x04,         297, 0,  7, "emailProtection"                }, /* 296 */
+ {              0x05,         298, 0,  7, "ipsecEndSystem"                 }, /* 297 */
+ {              0x06,         299, 0,  7, "ipsecTunnel"                    }, /* 298 */
+ {              0x07,         300, 0,  7, "ipsecUser"                      }, /* 299 */
+ {              0x08,         301, 0,  7, "timeStamping"                   }, /* 300 */
+ {              0x09,           0, 0,  7, "ocspSigning"                    }, /* 301 */
+ {            0x08,           310, 1,  6, "id-otherNames"                  }, /* 302 */
+ {              0x01,         304, 0,  7, "personalData"                   }, /* 303 */
+ {              0x02,         305, 0,  7, "userGroup"                      }, /* 304 */
+ {              0x03,         306, 0,  7, "id-on-permanentIdentifier"      }, /* 305 */
+ {              0x04,         307, 0,  7, "id-on-hardwareModuleName"       }, /* 306 */
+ {              0x05,         308, 0,  7, "xmppAddr"                       }, /* 307 */
+ {              0x06,         309, 0,  7, "id-on-SIM"                      }, /* 308 */
+ {              0x07,           0, 0,  7, "id-on-dnsSRV"                   }, /* 309 */
+ {            0x0A,           315, 1,  6, "id-aca"                         }, /* 310 */
+ {              0x01,         312, 0,  7, "authenticationInfo"             }, /* 311 */
+ {              0x02,         313, 0,  7, "accessIdentity"                 }, /* 312 */
+ {              0x03,         314, 0,  7, "chargingIdentity"               }, /* 313 */
+ {              0x04,           0, 0,  7, "group"                          }, /* 314 */
+ {            0x0B,           316, 0,  6, "subjectInfoAccess"              }, /* 315 */
+ {            0x30,             0, 1,  6, "id-ad"                          }, /* 316 */
+ {              0x01,         325, 1,  7, "ocsp"                           }, /* 317 */
+ {                0x01,       319, 0,  8, "basic"                          }, /* 318 */
+ {                0x02,       320, 0,  8, "nonce"                          }, /* 319 */
+ {                0x03,       321, 0,  8, "crl"                            }, /* 320 */
+ {                0x04,       322, 0,  8, "response"                       }, /* 321 */
+ {                0x05,       323, 0,  8, "noCheck"                        }, /* 322 */
+ {                0x06,       324, 0,  8, "archiveCutoff"                  }, /* 323 */
+ {                0x07,         0, 0,  8, "serviceLocator"                 }, /* 324 */
+ {              0x02,         326, 0,  7, "caIssuers"                      }, /* 325 */
+ {              0x03,         327, 0,  7, "timeStamping"                   }, /* 326 */
+ {              0x05,           0, 0,  7, "caRepository"                   }, /* 327 */
+ {          0x08,               0, 1,  5, "ipsec"                          }, /* 328 */
+ {            0x02,             0, 1,  6, "certificate"                    }, /* 329 */
+ {              0x02,           0, 0,  7, "iKEIntermediate"                }, /* 330 */
+ {  0x0E,                     337, 1,  1, "oiw"                            }, /* 331 */
+ {    0x03,                     0, 1,  2, "secsig"                         }, /* 332 */
+ {      0x02,                   0, 1,  3, "algorithms"                     }, /* 333 */
+ {        0x07,               335, 0,  4, "des-cbc"                        }, /* 334 */
+ {        0x1A,               336, 0,  4, "sha-1"                          }, /* 335 */
+ {        0x1D,                 0, 0,  4, "sha-1WithRSASignature"          }, /* 336 */
+ {  0x24,                     383, 1,  1, "TeleTrusT"                      }, /* 337 */
+ {    0x03,                     0, 1,  2, "algorithm"                      }, /* 338 */
+ {      0x03,                   0, 1,  3, "signatureAlgorithm"             }, /* 339 */
+ {        0x01,               344, 1,  4, "rsaSignature"                   }, /* 340 */
+ {          0x02,             342, 0,  5, "rsaSigWithripemd160"            }, /* 341 */
+ {          0x03,             343, 0,  5, "rsaSigWithripemd128"            }, /* 342 */
+ {          0x04,               0, 0,  5, "rsaSigWithripemd256"            }, /* 343 */
+ {        0x02,                 0, 1,  4, "ecSign"                         }, /* 344 */
+ {          0x01,             346, 0,  5, "ecSignWithsha1"                 }, /* 345 */
+ {          0x02,             347, 0,  5, "ecSignWithripemd160"            }, /* 346 */
+ {          0x03,             348, 0,  5, "ecSignWithmd2"                  }, /* 347 */
+ {          0x04,             349, 0,  5, "ecSignWithmd5"                  }, /* 348 */
+ {          0x05,             366, 1,  5, "ttt-ecg"                        }, /* 349 */
+ {            0x01,           354, 1,  6, "fieldType"                      }, /* 350 */
+ {              0x01,           0, 1,  7, "characteristictwoField"         }, /* 351 */
+ {                0x01,         0, 1,  8, "basisType"                      }, /* 352 */
+ {                  0x01,       0, 0,  9, "ipBasis"                        }, /* 353 */
+ {            0x02,           356, 1,  6, "keyType"                        }, /* 354 */
+ {              0x01,           0, 0,  7, "ecgPublicKey"                   }, /* 355 */
+ {            0x03,           357, 0,  6, "curve"                          }, /* 356 */
+ {            0x04,           364, 1,  6, "signatures"                     }, /* 357 */
+ {              0x01,         359, 0,  7, "ecgdsa-with-RIPEMD160"          }, /* 358 */
+ {              0x02,         360, 0,  7, "ecgdsa-with-SHA1"               }, /* 359 */
+ {              0x03,         361, 0,  7, "ecgdsa-with-SHA224"             }, /* 360 */
+ {              0x04,         362, 0,  7, "ecgdsa-with-SHA256"             }, /* 361 */
+ {              0x05,         363, 0,  7, "ecgdsa-with-SHA384"             }, /* 362 */
+ {              0x06,           0, 0,  7, "ecgdsa-with-SHA512"             }, /* 363 */
+ {            0x05,             0, 1,  6, "module"                         }, /* 364 */
+ {              0x01,           0, 0,  7, "1"                              }, /* 365 */
+ {          0x08,               0, 1,  5, "ecStdCurvesAndGeneration"       }, /* 366 */
+ {            0x01,             0, 1,  6, "ellipticCurve"                  }, /* 367 */
+ {              0x01,           0, 1,  7, "versionOne"                     }, /* 368 */
+ {                0x01,       370, 0,  8, "brainpoolP160r1"                }, /* 369 */
+ {                0x02,       371, 0,  8, "brainpoolP160t1"                }, /* 370 */
+ {                0x03,       372, 0,  8, "brainpoolP192r1"                }, /* 371 */
+ {                0x04,       373, 0,  8, "brainpoolP192t1"                }, /* 372 */
+ {                0x05,       374, 0,  8, "brainpoolP224r1"                }, /* 373 */
+ {                0x06,       375, 0,  8, "brainpoolP224t1"                }, /* 374 */
+ {                0x07,       376, 0,  8, "brainpoolP256r1"                }, /* 375 */
+ {                0x08,       377, 0,  8, "brainpoolP256t1"                }, /* 376 */
+ {                0x09,       378, 0,  8, "brainpoolP320r1"                }, /* 377 */
+ {                0x0A,       379, 0,  8, "brainpoolP320t1"                }, /* 378 */
+ {                0x0B,       380, 0,  8, "brainpoolP384r1"                }, /* 379 */
+ {                0x0C,       381, 0,  8, "brainpoolP384t1"                }, /* 380 */
+ {                0x0D,       382, 0,  8, "brainpoolP512r1"                }, /* 381 */
+ {                0x0E,         0, 0,  8, "brainpoolP512t1"                }, /* 382 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 383 */
+ {    0x04,                     0, 1,  2, "Certicom"                       }, /* 384 */
+ {      0x00,                   0, 1,  3, "curve"                          }, /* 385 */
+ {        0x01,               387, 0,  4, "sect163k1"                      }, /* 386 */
+ {        0x02,               388, 0,  4, "sect163r1"                      }, /* 387 */
+ {        0x03,               389, 0,  4, "sect239k1"                      }, /* 388 */
+ {        0x04,               390, 0,  4, "sect113r1"                      }, /* 389 */
+ {        0x05,               391, 0,  4, "sect113r2"                      }, /* 390 */
+ {        0x06,               392, 0,  4, "secp112r1"                      }, /* 391 */
+ {        0x07,               393, 0,  4, "secp112r2"                      }, /* 392 */
+ {        0x08,               394, 0,  4, "secp160r1"                      }, /* 393 */
+ {        0x09,               395, 0,  4, "secp160k1"                      }, /* 394 */
+ {        0x0A,               396, 0,  4, "secp256k1"                      }, /* 395 */
+ {        0x0F,               397, 0,  4, "sect163r2"                      }, /* 396 */
+ {        0x10,               398, 0,  4, "sect283k1"                      }, /* 397 */
+ {        0x11,               399, 0,  4, "sect283r1"                      }, /* 398 */
+ {        0x16,               400, 0,  4, "sect131r1"                      }, /* 399 */
+ {        0x17,               401, 0,  4, "sect131r2"                      }, /* 400 */
+ {        0x18,               402, 0,  4, "sect193r1"                      }, /* 401 */
+ {        0x19,               403, 0,  4, "sect193r2"                      }, /* 402 */
+ {        0x1A,               404, 0,  4, "sect233k1"                      }, /* 403 */
+ {        0x1B,               405, 0,  4, "sect233r1"                      }, /* 404 */
+ {        0x1C,               406, 0,  4, "secp128r1"                      }, /* 405 */
+ {        0x1D,               407, 0,  4, "secp128r2"                      }, /* 406 */
+ {        0x1E,               408, 0,  4, "secp160r2"                      }, /* 407 */
+ {        0x1F,               409, 0,  4, "secp192k1"                      }, /* 408 */
+ {        0x20,               410, 0,  4, "secp224k1"                      }, /* 409 */
+ {        0x21,               411, 0,  4, "secp224r1"                      }, /* 410 */
+ {        0x22,               412, 0,  4, "secp384r1"                      }, /* 411 */
+ {        0x23,               413, 0,  4, "secp521r1"                      }, /* 412 */
+ {        0x24,               414, 0,  4, "sect409k1"                      }, /* 413 */
+ {        0x25,               415, 0,  4, "sect409r1"                      }, /* 414 */
+ {        0x26,               416, 0,  4, "sect571k1"                      }, /* 415 */
+ {        0x27,                 0, 0,  4, "sect571r1"                      }, /* 416 */
+ {0x60,                       471, 1,  0, ""                               }, /* 417 */
+ {  0x86,                       0, 1,  1, ""                               }, /* 418 */
+ {    0x48,                     0, 1,  2, ""                               }, /* 419 */
+ {      0x01,                   0, 1,  3, "organization"                   }, /* 420 */
+ {        0x65,               447, 1,  4, "gov"                            }, /* 421 */
+ {          0x03,               0, 1,  5, "csor"                           }, /* 422 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                  }, /* 423 */
+ {              0x01,         434, 1,  7, "aes"                            }, /* 424 */
+ {                0x02,       426, 0,  8, "id-aes128-CBC"                  }, /* 425 */
+ {                0x06,       427, 0,  8, "id-aes128-GCM"                  }, /* 426 */
+ {                0x07,       428, 0,  8, "id-aes128-CCM"                  }, /* 427 */
+ {                0x16,       429, 0,  8, "id-aes192-CBC"                  }, /* 428 */
+ {                0x1A,       430, 0,  8, "id-aes192-GCM"                  }, /* 429 */
+ {                0x1B,       431, 0,  8, "id-aes192-CCM"                  }, /* 430 */
+ {                0x2A,       432, 0,  8, "id-aes256-CBC"                  }, /* 431 */
+ {                0x2E,       433, 0,  8, "id-aes256-GCM"                  }, /* 432 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                  }, /* 433 */
+ {              0x02,           0, 1,  7, "hashalgs"                       }, /* 434 */
+ {                0x01,       436, 0,  8, "id-sha256"                      }, /* 435 */
+ {                0x02,       437, 0,  8, "id-sha384"                      }, /* 436 */
+ {                0x03,       438, 0,  8, "id-sha512"                      }, /* 437 */
+ {                0x04,       439, 0,  8, "id-sha224"                      }, /* 438 */
+ {                0x05,       440, 0,  8, "id-sha512-224"                  }, /* 439 */
+ {                0x06,       441, 0,  8, "id-sha512-256"                  }, /* 440 */
+ {                0x07,       442, 0,  8, "id-sha3-224"                    }, /* 441 */
+ {                0x08,       443, 0,  8, "id-sha3-256"                    }, /* 442 */
+ {                0x09,       444, 0,  8, "id-sha3-384"                    }, /* 443 */
+ {                0x0A,       445, 0,  8, "id-sha3-512"                    }, /* 444 */
+ {                0x0B,       446, 0,  8, "id-shake128"                    }, /* 445 */
+ {                0x0C,         0, 0,  8, "id-shake256"                    }, /* 446 */
+ {        0x86,                 0, 1,  4, ""                               }, /* 447 */
+ {          0xf8,               0, 1,  5, ""                               }, /* 448 */
+ {            0x42,           461, 1,  6, "netscape"                       }, /* 449 */
+ {              0x01,         456, 1,  7, ""                               }, /* 450 */
+ {                0x01,       452, 0,  8, "nsCertType"                     }, /* 451 */
+ {                0x03,       453, 0,  8, "nsRevocationUrl"                }, /* 452 */
+ {                0x04,       454, 0,  8, "nsCaRevocationUrl"              }, /* 453 */
+ {                0x08,       455, 0,  8, "nsCaPolicyUrl"                  }, /* 454 */
+ {                0x0d,         0, 0,  8, "nsComment"                      }, /* 455 */
+ {              0x03,         459, 1,  7, "directory"                      }, /* 456 */
+ {                0x01,         0, 1,  8, ""                               }, /* 457 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                 }, /* 458 */
+ {              0x04,           0, 1,  7, "policy"                         }, /* 459 */
+ {                0x01,         0, 0,  8, "nsSGC"                          }, /* 460 */
+ {            0x45,             0, 1,  6, "verisign"                       }, /* 461 */
+ {              0x01,           0, 1,  7, "pki"                            }, /* 462 */
+ {                0x09,         0, 1,  8, "attributes"                     }, /* 463 */
+ {                  0x02,     465, 0,  9, "messageType"                    }, /* 464 */
+ {                  0x03,     466, 0,  9, "pkiStatus"                      }, /* 465 */
+ {                  0x04,     467, 0,  9, "failInfo"                       }, /* 466 */
+ {                  0x05,     468, 0,  9, "senderNonce"                    }, /* 467 */
+ {                  0x06,     469, 0,  9, "recipientNonce"                 }, /* 468 */
+ {                  0x07,     470, 0,  9, "transID"                        }, /* 469 */
+ {                  0x08,       0, 0,  9, "extensionReq"                   }, /* 470 */
+ {0x67,                         0, 1,  0, ""                               }, /* 471 */
+ {  0x81,                       0, 1,  1, ""                               }, /* 472 */
+ {    0x05,                     0, 1,  2, ""                               }, /* 473 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                  }, /* 474 */
+ {        0x01,               476, 0,  4, "tcg-at-tpmManufacturer"         }, /* 475 */
+ {        0x02,               477, 0,  4, "tcg-at-tpmModel"                }, /* 476 */
+ {        0x03,               478, 0,  4, "tcg-at-tpmVersion"              }, /* 477 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"              }  /* 478 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index b9ed08d2e..1120156e5 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -40,220 +40,221 @@ extern const oid_t oid_names[];
 #define OID_INITIALS						33
 #define OID_UNIQUE_IDENTIFIER				34
 #define OID_DN_QUALIFIER					35
-#define OID_ROLE							36
-#define OID_SUBJECT_KEY_ID					39
-#define OID_KEY_USAGE						40
-#define OID_SUBJECT_ALT_NAME				42
-#define OID_BASIC_CONSTRAINTS				44
-#define OID_CRL_NUMBER						45
-#define OID_CRL_REASON_CODE					46
-#define OID_DELTA_CRL_INDICATOR				49
-#define OID_ISSUING_DIST_POINT				50
-#define OID_NAME_CONSTRAINTS				52
-#define OID_CRL_DISTRIBUTION_POINTS			53
-#define OID_CERTIFICATE_POLICIES			54
-#define OID_ANY_POLICY						55
-#define OID_POLICY_MAPPINGS					56
-#define OID_AUTHORITY_KEY_ID				57
-#define OID_POLICY_CONSTRAINTS				58
-#define OID_EXTENDED_KEY_USAGE				59
-#define OID_FRESHEST_CRL					61
-#define OID_INHIBIT_ANY_POLICY				62
-#define OID_TARGET_INFORMATION				63
-#define OID_NO_REV_AVAIL					64
-#define OID_CAMELLIA128_CBC					75
-#define OID_CAMELLIA192_CBC					76
-#define OID_CAMELLIA256_CBC					77
-#define OID_RSA_ENCRYPTION					90
-#define OID_MD2_WITH_RSA					91
-#define OID_MD5_WITH_RSA					92
-#define OID_SHA1_WITH_RSA					93
-#define OID_RSAES_OAEP						94
-#define OID_SHA256_WITH_RSA					97
-#define OID_SHA384_WITH_RSA					98
-#define OID_SHA512_WITH_RSA					99
-#define OID_SHA224_WITH_RSA					100
-#define OID_PBE_MD5_DES_CBC					102
-#define OID_PBE_SHA1_DES_CBC				103
-#define OID_PBKDF2							104
-#define OID_PBES2							105
-#define OID_PKCS7_DATA						107
-#define OID_PKCS7_SIGNED_DATA				108
-#define OID_PKCS7_ENVELOPED_DATA			109
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA		110
-#define OID_PKCS7_DIGESTED_DATA				111
-#define OID_PKCS7_ENCRYPTED_DATA			112
-#define OID_EMAIL_ADDRESS					114
-#define OID_UNSTRUCTURED_NAME				115
-#define OID_PKCS9_CONTENT_TYPE				116
-#define OID_PKCS9_MESSAGE_DIGEST			117
-#define OID_PKCS9_SIGNING_TIME				118
-#define OID_CHALLENGE_PASSWORD				120
-#define OID_UNSTRUCTURED_ADDRESS			121
-#define OID_EXTENSION_REQUEST				122
-#define OID_X509_CERTIFICATE				125
-#define OID_PBE_SHA1_RC4_128				129
-#define OID_PBE_SHA1_RC4_40					130
-#define OID_PBE_SHA1_3DES_CBC				131
-#define OID_PBE_SHA1_3DES_2KEY_CBC			132
-#define OID_PBE_SHA1_RC2_CBC_128			133
-#define OID_PBE_SHA1_RC2_CBC_40				134
-#define OID_P12_KEY_BAG						137
-#define OID_P12_PKCS8_KEY_BAG				138
-#define OID_P12_CERT_BAG					139
-#define OID_P12_CRL_BAG						140
-#define OID_MD2								144
-#define OID_MD5								145
-#define OID_3DES_EDE_CBC					147
-#define OID_EC_PUBLICKEY					151
-#define OID_C2PNB163V1						154
-#define OID_C2PNB163V2						155
-#define OID_C2PNB163V3						156
-#define OID_C2PNB176W1						157
-#define OID_C2PNB191V1						158
-#define OID_C2PNB191V2						159
-#define OID_C2PNB191V3						160
-#define OID_C2PNB191V4						161
-#define OID_C2PNB191V5						162
-#define OID_C2PNB208W1						163
-#define OID_C2PNB239V1						164
-#define OID_C2PNB239V2						165
-#define OID_C2PNB239V3						166
-#define OID_C2PNB239V4						167
-#define OID_C2PNB239V5						168
-#define OID_C2PNB272W1						169
-#define OID_C2PNB304W1						170
-#define OID_C2PNB359V1						171
-#define OID_C2PNB368W1						172
-#define OID_C2PNB431R1						173
-#define OID_PRIME192V1						175
-#define OID_PRIME192V2						176
-#define OID_PRIME192V3						177
-#define OID_PRIME239V1						178
-#define OID_PRIME239V2						179
-#define OID_PRIME239V3						180
-#define OID_PRIME256V1						181
-#define OID_ECDSA_WITH_SHA1					183
-#define OID_ECDSA_WITH_SHA224				185
-#define OID_ECDSA_WITH_SHA256				186
-#define OID_ECDSA_WITH_SHA384				187
-#define OID_ECDSA_WITH_SHA512				188
-#define OID_MS_SMARTCARD_LOGON				202
-#define OID_USER_PRINCIPAL_NAME				203
-#define OID_STRONGSWAN						209
-#define OID_BLISS_PUBLICKEY					214
-#define OID_BLISS_I							216
-#define OID_BLISS_II						217
-#define OID_BLISS_III						218
-#define OID_BLISS_IV						219
-#define OID_BLISS_B_I						220
-#define OID_BLISS_B_II						221
-#define OID_BLISS_B_III						222
-#define OID_BLISS_B_IV						223
-#define OID_BLISS_WITH_SHA2_512				225
-#define OID_BLISS_WITH_SHA2_384				226
-#define OID_BLISS_WITH_SHA2_256				227
-#define OID_BLISS_WITH_SHA3_512				228
-#define OID_BLISS_WITH_SHA3_384				229
-#define OID_BLISS_WITH_SHA3_256				230
-#define OID_TCGID							237
-#define OID_BLOWFISH_CBC					241
-#define OID_AUTHORITY_INFO_ACCESS			285
-#define OID_IP_ADDR_BLOCKS					287
-#define OID_POLICY_QUALIFIER_CPS			289
-#define OID_POLICY_QUALIFIER_UNOTICE		290
-#define OID_SERVER_AUTH						292
-#define OID_CLIENT_AUTH						293
-#define OID_OCSP_SIGNING					300
-#define OID_XMPP_ADDR						306
-#define OID_AUTHENTICATION_INFO				310
-#define OID_ACCESS_IDENTITY					311
-#define OID_CHARGING_IDENTITY				312
-#define OID_GROUP							313
-#define OID_OCSP							316
-#define OID_BASIC							317
-#define OID_NONCE							318
-#define OID_CRL								319
-#define OID_RESPONSE						320
-#define OID_NO_CHECK						321
-#define OID_ARCHIVE_CUTOFF					322
-#define OID_SERVICE_LOCATOR					323
-#define OID_CA_ISSUERS						324
-#define OID_IKE_INTERMEDIATE				329
-#define OID_DES_CBC							333
-#define OID_SHA1							334
-#define OID_SHA1_WITH_RSA_OIW				335
-#define OID_ECGDSA_PUBKEY					354
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		357
-#define OID_ECGDSA_SIG_WITH_SHA1			358
-#define OID_ECGDSA_SIG_WITH_SHA224			359
-#define OID_ECGDSA_SIG_WITH_SHA256			360
-#define OID_ECGDSA_SIG_WITH_SHA384			361
-#define OID_ECGDSA_SIG_WITH_SHA512			362
-#define OID_SECT163K1						385
-#define OID_SECT163R1						386
-#define OID_SECT239K1						387
-#define OID_SECT113R1						388
-#define OID_SECT113R2						389
-#define OID_SECT112R1						390
-#define OID_SECT112R2						391
-#define OID_SECT160R1						392
-#define OID_SECT160K1						393
-#define OID_SECT256K1						394
-#define OID_SECT163R2						395
-#define OID_SECT283K1						396
-#define OID_SECT283R1						397
-#define OID_SECT131R1						398
-#define OID_SECT131R2						399
-#define OID_SECT193R1						400
-#define OID_SECT193R2						401
-#define OID_SECT233K1						402
-#define OID_SECT233R1						403
-#define OID_SECT128R1						404
-#define OID_SECT128R2						405
-#define OID_SECT160R2						406
-#define OID_SECT192K1						407
-#define OID_SECT224K1						408
-#define OID_SECT224R1						409
-#define OID_SECT384R1						410
-#define OID_SECT521R1						411
-#define OID_SECT409K1						412
-#define OID_SECT409R1						413
-#define OID_SECT571K1						414
-#define OID_SECT571R1						415
-#define OID_AES128_CBC						424
-#define OID_AES128_GCM						425
-#define OID_AES128_CCM						426
-#define OID_AES192_CBC						427
-#define OID_AES192_GCM						428
-#define OID_AES192_CCM						429
-#define OID_AES256_CBC						430
-#define OID_AES256_GCM						431
-#define OID_AES256_CCM						432
-#define OID_SHA256							434
-#define OID_SHA384							435
-#define OID_SHA512							436
-#define OID_SHA224							437
-#define OID_SHA3_224						440
-#define OID_SHA3_256						441
-#define OID_SHA3_384						442
-#define OID_SHA3_512						443
-#define OID_NS_REVOCATION_URL				451
-#define OID_NS_CA_REVOCATION_URL			452
-#define OID_NS_CA_POLICY_URL				453
-#define OID_NS_COMMENT						454
-#define OID_EMPLOYEE_NUMBER					457
-#define OID_PKI_MESSAGE_TYPE				463
-#define OID_PKI_STATUS						464
-#define OID_PKI_FAIL_INFO					465
-#define OID_PKI_SENDER_NONCE				466
-#define OID_PKI_RECIPIENT_NONCE				467
-#define OID_PKI_TRANS_ID					468
-#define OID_TPM_MANUFACTURER				474
-#define OID_TPM_MODEL						475
-#define OID_TPM_VERSION						476
-#define OID_TPM_ID_LABEL					477
+#define OID_PSEUDONYM						36
+#define OID_ROLE							37
+#define OID_SUBJECT_KEY_ID					40
+#define OID_KEY_USAGE						41
+#define OID_SUBJECT_ALT_NAME				43
+#define OID_BASIC_CONSTRAINTS				45
+#define OID_CRL_NUMBER						46
+#define OID_CRL_REASON_CODE					47
+#define OID_DELTA_CRL_INDICATOR				50
+#define OID_ISSUING_DIST_POINT				51
+#define OID_NAME_CONSTRAINTS				53
+#define OID_CRL_DISTRIBUTION_POINTS			54
+#define OID_CERTIFICATE_POLICIES			55
+#define OID_ANY_POLICY						56
+#define OID_POLICY_MAPPINGS					57
+#define OID_AUTHORITY_KEY_ID				58
+#define OID_POLICY_CONSTRAINTS				59
+#define OID_EXTENDED_KEY_USAGE				60
+#define OID_FRESHEST_CRL					62
+#define OID_INHIBIT_ANY_POLICY				63
+#define OID_TARGET_INFORMATION				64
+#define OID_NO_REV_AVAIL					65
+#define OID_CAMELLIA128_CBC					76
+#define OID_CAMELLIA192_CBC					77
+#define OID_CAMELLIA256_CBC					78
+#define OID_RSA_ENCRYPTION					91
+#define OID_MD2_WITH_RSA					92
+#define OID_MD5_WITH_RSA					93
+#define OID_SHA1_WITH_RSA					94
+#define OID_RSAES_OAEP						95
+#define OID_SHA256_WITH_RSA					98
+#define OID_SHA384_WITH_RSA					99
+#define OID_SHA512_WITH_RSA					100
+#define OID_SHA224_WITH_RSA					101
+#define OID_PBE_MD5_DES_CBC					103
+#define OID_PBE_SHA1_DES_CBC				104
+#define OID_PBKDF2							105
+#define OID_PBES2							106
+#define OID_PKCS7_DATA						108
+#define OID_PKCS7_SIGNED_DATA				109
+#define OID_PKCS7_ENVELOPED_DATA			110
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA		111
+#define OID_PKCS7_DIGESTED_DATA				112
+#define OID_PKCS7_ENCRYPTED_DATA			113
+#define OID_EMAIL_ADDRESS					115
+#define OID_UNSTRUCTURED_NAME				116
+#define OID_PKCS9_CONTENT_TYPE				117
+#define OID_PKCS9_MESSAGE_DIGEST			118
+#define OID_PKCS9_SIGNING_TIME				119
+#define OID_CHALLENGE_PASSWORD				121
+#define OID_UNSTRUCTURED_ADDRESS			122
+#define OID_EXTENSION_REQUEST				123
+#define OID_X509_CERTIFICATE				126
+#define OID_PBE_SHA1_RC4_128				130
+#define OID_PBE_SHA1_RC4_40					131
+#define OID_PBE_SHA1_3DES_CBC				132
+#define OID_PBE_SHA1_3DES_2KEY_CBC			133
+#define OID_PBE_SHA1_RC2_CBC_128			134
+#define OID_PBE_SHA1_RC2_CBC_40				135
+#define OID_P12_KEY_BAG						138
+#define OID_P12_PKCS8_KEY_BAG				139
+#define OID_P12_CERT_BAG					140
+#define OID_P12_CRL_BAG						141
+#define OID_MD2								145
+#define OID_MD5								146
+#define OID_3DES_EDE_CBC					148
+#define OID_EC_PUBLICKEY					152
+#define OID_C2PNB163V1						155
+#define OID_C2PNB163V2						156
+#define OID_C2PNB163V3						157
+#define OID_C2PNB176W1						158
+#define OID_C2PNB191V1						159
+#define OID_C2PNB191V2						160
+#define OID_C2PNB191V3						161
+#define OID_C2PNB191V4						162
+#define OID_C2PNB191V5						163
+#define OID_C2PNB208W1						164
+#define OID_C2PNB239V1						165
+#define OID_C2PNB239V2						166
+#define OID_C2PNB239V3						167
+#define OID_C2PNB239V4						168
+#define OID_C2PNB239V5						169
+#define OID_C2PNB272W1						170
+#define OID_C2PNB304W1						171
+#define OID_C2PNB359V1						172
+#define OID_C2PNB368W1						173
+#define OID_C2PNB431R1						174
+#define OID_PRIME192V1						176
+#define OID_PRIME192V2						177
+#define OID_PRIME192V3						178
+#define OID_PRIME239V1						179
+#define OID_PRIME239V2						180
+#define OID_PRIME239V3						181
+#define OID_PRIME256V1						182
+#define OID_ECDSA_WITH_SHA1					184
+#define OID_ECDSA_WITH_SHA224				186
+#define OID_ECDSA_WITH_SHA256				187
+#define OID_ECDSA_WITH_SHA384				188
+#define OID_ECDSA_WITH_SHA512				189
+#define OID_MS_SMARTCARD_LOGON				203
+#define OID_USER_PRINCIPAL_NAME				204
+#define OID_STRONGSWAN						210
+#define OID_BLISS_PUBLICKEY					215
+#define OID_BLISS_I							217
+#define OID_BLISS_II						218
+#define OID_BLISS_III						219
+#define OID_BLISS_IV						220
+#define OID_BLISS_B_I						221
+#define OID_BLISS_B_II						222
+#define OID_BLISS_B_III						223
+#define OID_BLISS_B_IV						224
+#define OID_BLISS_WITH_SHA2_512				226
+#define OID_BLISS_WITH_SHA2_384				227
+#define OID_BLISS_WITH_SHA2_256				228
+#define OID_BLISS_WITH_SHA3_512				229
+#define OID_BLISS_WITH_SHA3_384				230
+#define OID_BLISS_WITH_SHA3_256				231
+#define OID_TCGID							238
+#define OID_BLOWFISH_CBC					242
+#define OID_AUTHORITY_INFO_ACCESS			286
+#define OID_IP_ADDR_BLOCKS					288
+#define OID_POLICY_QUALIFIER_CPS			290
+#define OID_POLICY_QUALIFIER_UNOTICE		291
+#define OID_SERVER_AUTH						293
+#define OID_CLIENT_AUTH						294
+#define OID_OCSP_SIGNING					301
+#define OID_XMPP_ADDR						307
+#define OID_AUTHENTICATION_INFO				311
+#define OID_ACCESS_IDENTITY					312
+#define OID_CHARGING_IDENTITY				313
+#define OID_GROUP							314
+#define OID_OCSP							317
+#define OID_BASIC							318
+#define OID_NONCE							319
+#define OID_CRL								320
+#define OID_RESPONSE						321
+#define OID_NO_CHECK						322
+#define OID_ARCHIVE_CUTOFF					323
+#define OID_SERVICE_LOCATOR					324
+#define OID_CA_ISSUERS						325
+#define OID_IKE_INTERMEDIATE				330
+#define OID_DES_CBC							334
+#define OID_SHA1							335
+#define OID_SHA1_WITH_RSA_OIW				336
+#define OID_ECGDSA_PUBKEY					355
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		358
+#define OID_ECGDSA_SIG_WITH_SHA1			359
+#define OID_ECGDSA_SIG_WITH_SHA224			360
+#define OID_ECGDSA_SIG_WITH_SHA256			361
+#define OID_ECGDSA_SIG_WITH_SHA384			362
+#define OID_ECGDSA_SIG_WITH_SHA512			363
+#define OID_SECT163K1						386
+#define OID_SECT163R1						387
+#define OID_SECT239K1						388
+#define OID_SECT113R1						389
+#define OID_SECT113R2						390
+#define OID_SECT112R1						391
+#define OID_SECT112R2						392
+#define OID_SECT160R1						393
+#define OID_SECT160K1						394
+#define OID_SECT256K1						395
+#define OID_SECT163R2						396
+#define OID_SECT283K1						397
+#define OID_SECT283R1						398
+#define OID_SECT131R1						399
+#define OID_SECT131R2						400
+#define OID_SECT193R1						401
+#define OID_SECT193R2						402
+#define OID_SECT233K1						403
+#define OID_SECT233R1						404
+#define OID_SECT128R1						405
+#define OID_SECT128R2						406
+#define OID_SECT160R2						407
+#define OID_SECT192K1						408
+#define OID_SECT224K1						409
+#define OID_SECT224R1						410
+#define OID_SECT384R1						411
+#define OID_SECT521R1						412
+#define OID_SECT409K1						413
+#define OID_SECT409R1						414
+#define OID_SECT571K1						415
+#define OID_SECT571R1						416
+#define OID_AES128_CBC						425
+#define OID_AES128_GCM						426
+#define OID_AES128_CCM						427
+#define OID_AES192_CBC						428
+#define OID_AES192_GCM						429
+#define OID_AES192_CCM						430
+#define OID_AES256_CBC						431
+#define OID_AES256_GCM						432
+#define OID_AES256_CCM						433
+#define OID_SHA256							435
+#define OID_SHA384							436
+#define OID_SHA512							437
+#define OID_SHA224							438
+#define OID_SHA3_224						441
+#define OID_SHA3_256						442
+#define OID_SHA3_384						443
+#define OID_SHA3_512						444
+#define OID_NS_REVOCATION_URL				452
+#define OID_NS_CA_REVOCATION_URL			453
+#define OID_NS_CA_POLICY_URL				454
+#define OID_NS_COMMENT						455
+#define OID_EMPLOYEE_NUMBER					458
+#define OID_PKI_MESSAGE_TYPE				464
+#define OID_PKI_STATUS						465
+#define OID_PKI_FAIL_INFO					466
+#define OID_PKI_SENDER_NONCE				467
+#define OID_PKI_RECIPIENT_NONCE				468
+#define OID_PKI_TRANS_ID					469
+#define OID_TPM_MANUFACTURER				475
+#define OID_TPM_MODEL						476
+#define OID_TPM_VERSION						477
+#define OID_TPM_ID_LABEL					478
 
-#define OID_MAX								478
+#define OID_MAX								479
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 64dedcb33..b5ec15f3c 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -34,6 +34,7 @@
     0x2B                     "I"						OID_INITIALS
     0x2D                     "ID"						OID_UNIQUE_IDENTIFIER
     0x2E                     "dnQualifier"				OID_DN_QUALIFIER
+    0x41                     "pseudonym"				OID_PSEUDONYM
     0x48                     "role"						OID_ROLE
   0x1D                       "id-ce"
     0x09                     "subjectDirectoryAttrs"
diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
index 61c696bc1..a45a68aaf 100644
--- a/src/libstrongswan/collections/array.c
+++ b/src/libstrongswan/collections/array.c
@@ -277,6 +277,16 @@ void array_insert_create(array_t **array, int idx, void *ptr)
 	array_insert(*array, idx, ptr);
 }
 
+void array_insert_create_value(array_t **array, u_int esize,
+							   int idx, void *val)
+{
+	if (*array == NULL)
+	{
+		*array = array_create(esize, 0);
+	}
+	array_insert(*array, idx, val);
+}
+
 void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator)
 {
 	void *ptr;
diff --git a/src/libstrongswan/collections/array.h b/src/libstrongswan/collections/array.h
index 0659c70bd..c3be1a15d 100644
--- a/src/libstrongswan/collections/array.h
+++ b/src/libstrongswan/collections/array.h
@@ -139,6 +139,21 @@ void array_insert(array_t *array, int idx, void *data);
 void array_insert_create(array_t **array, int idx, void *ptr);
 
 /**
+ * Create a value based array if it does not exist, insert value.
+ *
+ * This is a convenience function to insert a value and implicitly
+ * create a value based array if array is NULL. Array is set the the newly
+ * created array, if any.
+ *
+ * @param array			pointer to array reference, potentially NULL
+ * @param esize			element size of this array
+ * @param idx			index to insert item at
+ * @param val			pointer to value to insert
+ */
+void array_insert_create_value(array_t **array, u_int esize,
+							   int idx, void *val);
+
+/**
  * Insert all items from an enumerator to an array.
  *
  * @param array			array to add items to
diff --git a/src/libstrongswan/collections/linked_list.c b/src/libstrongswan/collections/linked_list.c
index a176e5a54..b8fe81578 100644
--- a/src/libstrongswan/collections/linked_list.c
+++ b/src/libstrongswan/collections/linked_list.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2011 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -433,6 +433,56 @@ METHOD(linked_list_t, clone_offset, linked_list_t*,
 	return clone;
 }
 
+METHOD(linked_list_t, equals_offset, bool,
+	private_linked_list_t *this, linked_list_t *other_pub, size_t offset)
+{
+	private_linked_list_t *other = (private_linked_list_t*)other_pub;
+	element_t *cur_t, *cur_o;
+
+	if (this->count != other->count)
+	{
+		return FALSE;
+	}
+	cur_t = this->first;
+	cur_o = other->first;
+	while (cur_t && cur_o)
+	{
+		bool (**method)(void*,void*) = cur_t->value + offset;
+		if (!(*method)(cur_t->value, cur_o->value))
+		{
+			return FALSE;
+		}
+		cur_t = cur_t->next;
+		cur_o = cur_o->next;
+	}
+	return TRUE;
+}
+
+METHOD(linked_list_t, equals_function, bool,
+	private_linked_list_t *this, linked_list_t *other_pub,
+	bool (*fn)(void*,void*))
+{
+	private_linked_list_t *other = (private_linked_list_t*)other_pub;
+	element_t *cur_t, *cur_o;
+
+	if (this->count != other->count)
+	{
+		return FALSE;
+	}
+	cur_t = this->first;
+	cur_o = other->first;
+	while (cur_t && cur_o)
+	{
+		if (!fn(cur_t->value, cur_o->value))
+		{
+			return FALSE;
+		}
+		cur_t = cur_t->next;
+		cur_o = cur_o->next;
+	}
+	return TRUE;
+}
+
 METHOD(linked_list_t, destroy, void,
 	private_linked_list_t *this)
 {
@@ -503,6 +553,8 @@ linked_list_t *linked_list_create()
 			.invoke_offset = (void*)_invoke_offset,
 			.invoke_function = (void*)_invoke_function,
 			.clone_offset = _clone_offset,
+			.equals_offset = _equals_offset,
+			.equals_function = _equals_function,
 			.destroy = _destroy,
 			.destroy_offset = _destroy_offset,
 			.destroy_function = _destroy_function,
diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h
index abc33c12a..5edaa07aa 100644
--- a/src/libstrongswan/collections/linked_list.h
+++ b/src/libstrongswan/collections/linked_list.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2011 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -218,6 +218,27 @@ struct linked_list_t {
 	linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
 
 	/**
+	 * Compare two lists and their objects for equality using the given equals
+	 * method.
+	 *
+	 * @param other		list to compare
+	 * @param offset	offset of the objects equals method
+	 * @return			TRUE if lists and objects are equal, FALSE otherwise
+	 */
+	bool (*equals_offset) (linked_list_t *this, linked_list_t *other,
+						   size_t offset);
+
+	/**
+	 * Compare two lists and their objects for equality using the given function.
+	 *
+	 * @param other		list to compare
+	 * @param function	function to compare the objects
+	 * @return			TRUE if lists and objects are equal, FALSE otherwise
+	 */
+	bool (*equals_function) (linked_list_t *this, linked_list_t *other,
+							 bool (*)(void*,void*));
+
+	/**
 	 * Destroys a linked_list object.
 	 */
 	void (*destroy) (linked_list_t *this);
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 9988d8021..956ce08c9 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -46,11 +46,13 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
 	"RULE_SUBJECT_CERT",
 	"RULE_CRL_VALIDATION",
 	"RULE_OCSP_VALIDATION",
+	"RULE_CERT_VALIDATION_SUSPENDED",
 	"RULE_GROUP",
 	"RULE_RSA_STRENGTH",
 	"RULE_ECDSA_STRENGTH",
 	"RULE_BLISS_STRENGTH",
 	"RULE_SIGNATURE_SCHEME",
+	"RULE_IKE_SIGNATURE_SCHEME",
 	"RULE_CERT_POLICY",
 	"HELPER_IM_CERT",
 	"HELPER_SUBJECT_CERT",
@@ -79,6 +81,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_AAA_IDENTITY:
 		case AUTH_RULE_XAUTH_IDENTITY:
 		case AUTH_RULE_XAUTH_BACKEND:
+		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		case AUTH_RULE_MAX:
@@ -91,6 +94,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_CERT_POLICY:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_REVOCATION_CERT:
@@ -211,6 +215,8 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 			/* integer type */
 			this->value = (void*)(uintptr_t)va_arg(args, u_int);
 			break;
@@ -260,6 +266,8 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 		{
 			return e1->value == e2->value;
 		}
@@ -351,6 +359,8 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 		case AUTH_RULE_MAX:
 			break;
 	}
@@ -383,6 +393,8 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_RULE_ECDSA_STRENGTH:
 			case AUTH_RULE_BLISS_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+			case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 				/* integer type */
 				entry->value = (void*)(uintptr_t)va_arg(args, u_int);
 				break;
@@ -459,11 +471,13 @@ METHOD(auth_cfg_t, get, void*,
 		case AUTH_RULE_BLISS_STRENGTH:
 			return (void*)0;
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 			return (void*)HASH_UNKNOWN;
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
 			return (void*)VALIDATION_FAILED;
 		case AUTH_RULE_IDENTITY_LOOSE:
+		case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 			return (void*)FALSE;
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
@@ -510,6 +524,183 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 	}
 }
 
+METHOD(auth_cfg_t, add_pubkey_constraints, void,
+	private_auth_cfg_t *this, char* constraints, bool ike)
+{
+	enumerator_t *enumerator;
+	bool is_ike = FALSE, ike_added = FALSE;
+	key_type_t expected_type = -1;
+	auth_rule_t expected_strength = AUTH_RULE_MAX;
+	int strength;
+	char *token;
+	auth_rule_t type;
+	void *value;
+
+	enumerator = enumerator_create_token(constraints, "-", "");
+	while (enumerator->enumerate(enumerator, &token))
+	{
+		bool found = FALSE;
+		int i;
+		struct {
+			char *name;
+			signature_scheme_t scheme;
+			key_type_t key;
+		} schemes[] = {
+			{ "md5",		SIGN_RSA_EMSA_PKCS1_MD5,		KEY_RSA,	},
+			{ "sha1",		SIGN_RSA_EMSA_PKCS1_SHA1,		KEY_RSA,	},
+			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA224,		KEY_RSA,	},
+			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA256,		KEY_RSA,	},
+			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA384,		KEY_RSA,	},
+			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA512,		KEY_RSA,	},
+			{ "sha1",		SIGN_ECDSA_WITH_SHA1_DER,		KEY_ECDSA,	},
+			{ "sha256",		SIGN_ECDSA_WITH_SHA256_DER,		KEY_ECDSA,	},
+			{ "sha384",		SIGN_ECDSA_WITH_SHA384_DER,		KEY_ECDSA,	},
+			{ "sha512",		SIGN_ECDSA_WITH_SHA512_DER,		KEY_ECDSA,	},
+			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	},
+			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	},
+			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	},
+			{ "sha256",		SIGN_BLISS_WITH_SHA2_256,		KEY_BLISS,	},
+			{ "sha384",		SIGN_BLISS_WITH_SHA2_384,		KEY_BLISS,	},
+			{ "sha512",		SIGN_BLISS_WITH_SHA2_512,		KEY_BLISS,	},
+		};
+
+		if (expected_strength != AUTH_RULE_MAX)
+		{	/* expecting a key strength token */
+			strength = atoi(token);
+			if (strength)
+			{
+				add(this, expected_strength, (uintptr_t)strength);
+			}
+			expected_strength = AUTH_RULE_MAX;
+			if (strength)
+			{
+				continue;
+			}
+		}
+		if (streq(token, "rsa") || streq(token, "ike:rsa"))
+		{
+			expected_type = KEY_RSA;
+			expected_strength = AUTH_RULE_RSA_STRENGTH;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
+		if (streq(token, "ecdsa") || streq(token, "ike:ecdsa"))
+		{
+			expected_type = KEY_ECDSA;
+			expected_strength = AUTH_RULE_ECDSA_STRENGTH;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
+		if (streq(token, "bliss") || streq(token, "ike:bliss"))
+		{
+			expected_type = KEY_BLISS;
+			expected_strength = AUTH_RULE_BLISS_STRENGTH;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
+		if (streq(token, "pubkey") || streq(token, "ike:pubkey"))
+		{
+			expected_type = KEY_ANY;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
+		if (is_ike && !ike)
+		{
+			continue;
+		}
+
+		for (i = 0; i < countof(schemes); i++)
+		{
+			if (streq(schemes[i].name, token))
+			{
+				if (expected_type == KEY_ANY || expected_type == schemes[i].key)
+				{
+					if (is_ike)
+					{
+						add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+							(uintptr_t)schemes[i].scheme);
+						ike_added = TRUE;
+					}
+					else
+					{
+						add(this, AUTH_RULE_SIGNATURE_SCHEME,
+						   (uintptr_t)schemes[i].scheme);
+					}
+				}
+				found = TRUE;
+			}
+		}
+		if (!found)
+		{
+			DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	/* if no explicit IKE signature contraints were added we add them for all
+	 * configured signature contraints */
+	if (ike && !ike_added &&
+		lib->settings->get_bool(lib->settings,
+							"%s.signature_authentication_constraints", TRUE,
+							lib->ns))
+	{
+		enumerator = create_enumerator(this);
+		while (enumerator->enumerate(enumerator, &type, &value))
+		{
+			if (type == AUTH_RULE_SIGNATURE_SCHEME)
+			{
+				add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+					(uintptr_t)value);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Check if signature schemes of a specific type are compliant
+ */
+static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints,
+							auth_rule_t type, bool log_error)
+{
+	enumerator_t *e1, *e2;
+	auth_rule_t t1, t2;
+	signature_scheme_t scheme;
+	void *value;
+	bool success = TRUE;
+
+	e2 = create_enumerator(this);
+	while (e2->enumerate(e2, &t2, &scheme))
+	{
+		if (t2 == type)
+		{
+			success = FALSE;
+			e1 = constraints->create_enumerator(constraints);
+			while (e1->enumerate(e1, &t1, &value))
+			{
+				if (t1 == type && (uintptr_t)value == scheme)
+				{
+					success = TRUE;
+					break;
+				}
+			}
+			e1->destroy(e1);
+			if (!success)
+			{
+				if (log_error)
+				{
+					DBG1(DBG_CFG, "%s signature scheme %N not acceptable",
+						 AUTH_RULE_SIGNATURE_SCHEME == type ? "X.509" : "IKE",
+						 signature_scheme_names, (int)scheme);
+				}
+				break;
+			}
+		}
+	}
+	e2->destroy(e2);
+	return success;
+}
+
 METHOD(auth_cfg_t, complies, bool,
 	private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
 {
@@ -518,7 +709,7 @@ METHOD(auth_cfg_t, complies, bool,
 	bool ca_match = FALSE, cert_match = FALSE;
 	identification_t *require_group = NULL;
 	certificate_t *require_ca = NULL, *require_cert = NULL;
-	signature_scheme_t scheme = SIGN_UNKNOWN;
+	signature_scheme_t ike_scheme = SIGN_UNKNOWN, scheme = SIGN_UNKNOWN;
 	u_int strength = 0;
 	auth_rule_t t1, t2;
 	char *key_type;
@@ -573,6 +764,11 @@ METHOD(auth_cfg_t, complies, bool,
 			{
 				uintptr_t validated;
 
+				if (get(this, AUTH_RULE_CERT_VALIDATION_SUSPENDED))
+				{	/* skip validation, may happen later */
+					break;
+				}
+
 				e2 = create_enumerator(this);
 				while (e2->enumerate(e2, &t2, &validated))
 				{
@@ -714,6 +910,11 @@ METHOD(auth_cfg_t, complies, bool,
 				strength = (uintptr_t)value;
 				break;
 			}
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+			{
+				ike_scheme = (uintptr_t)value;
+				break;
+			}
 			case AUTH_RULE_SIGNATURE_SCHEME:
 			{
 				scheme = (uintptr_t)value;
@@ -745,6 +946,8 @@ METHOD(auth_cfg_t, complies, bool,
 				/* just an indication when verifying AUTH_RULE_IDENTITY */
 			case AUTH_RULE_XAUTH_BACKEND:
 				/* not enforced, just a hint for local authentication */
+			case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
+				/* not a constraint */
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_IM_HASH_URL:
@@ -766,35 +969,13 @@ METHOD(auth_cfg_t, complies, bool,
 	 * signature schemes. */
 	if (success && scheme != SIGN_UNKNOWN)
 	{
-		e2 = create_enumerator(this);
-		while (e2->enumerate(e2, &t2, &scheme))
-		{
-			if (t2 == AUTH_RULE_SIGNATURE_SCHEME)
-			{
-				success = FALSE;
-				e1 = constraints->create_enumerator(constraints);
-				while (e1->enumerate(e1, &t1, &value))
-				{
-					if (t1 == AUTH_RULE_SIGNATURE_SCHEME &&
-						(uintptr_t)value == scheme)
-					{
-						success = TRUE;
-						break;
-					}
-				}
-				e1->destroy(e1);
-				if (!success)
-				{
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "signature scheme %N not acceptable",
-							 signature_scheme_names, (int)scheme);
-					}
-					break;
-				}
-			}
-		}
-		e2->destroy(e2);
+		success = complies_scheme(this, constraints,
+								  AUTH_RULE_SIGNATURE_SCHEME, log_error);
+	}
+	if (success && ike_scheme != SIGN_UNKNOWN)
+	{
+		success = complies_scheme(this, constraints,
+								  AUTH_RULE_IKE_SIGNATURE_SCHEME, log_error);
 	}
 
 	/* Check if we have a matching constraint (or none at all) for used
@@ -918,6 +1099,8 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_ECDSA_STRENGTH:
 				case AUTH_RULE_BLISS_STRENGTH:
 				case AUTH_RULE_SIGNATURE_SCHEME:
+				case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+				case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 				{
 					add(this, type, (uintptr_t)value);
 					break;
@@ -1088,6 +1271,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_ECDSA_STRENGTH:
 			case AUTH_RULE_BLISS_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+			case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 				clone->add(clone, type, (uintptr_t)value);
 				break;
 			case AUTH_RULE_MAX:
@@ -1116,6 +1301,7 @@ auth_cfg_t *auth_cfg_create()
 	INIT(this,
 		.public = {
 			.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add,
+			.add_pubkey_constraints = _add_pubkey_constraints,
 			.get = _get,
 			.create_enumerator = _create_enumerator,
 			.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace,
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 53f1b3805..6940069de 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -94,6 +94,8 @@ enum auth_rule_t {
 	AUTH_RULE_CRL_VALIDATION,
 	/** result of a OCSP validation, cert_validation_t */
 	AUTH_RULE_OCSP_VALIDATION,
+	/** CRL/OCSP validation is disabled, bool */
+	AUTH_RULE_CERT_VALIDATION_SUSPENDED,
 	/** subject is member of a group, identification_t*
 	 * The group membership constraint is fulfilled if the subject is member of
 	 * one group defined in the constraints. */
@@ -106,6 +108,8 @@ enum auth_rule_t {
 	AUTH_RULE_BLISS_STRENGTH,
 	/** required signature scheme, signature_scheme_t */
 	AUTH_RULE_SIGNATURE_SCHEME,
+	/** required signature scheme for IKE authentication, signature_scheme_t */
+	AUTH_RULE_IKE_SIGNATURE_SCHEME,
 	/** certificatePolicy constraint, numerical OID as char* */
 	AUTH_RULE_CERT_POLICY,
 
@@ -182,6 +186,15 @@ struct auth_cfg_t {
 	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
 
 	/**
+	 * Add public key and signature scheme constraints to the set.
+	 *
+	 * @param constraints	constraints string (e.g. "rsa-sha384")
+	 * @param ike			whether to add/parse constraints for IKE signatures
+	 */
+	void (*add_pubkey_constraints)(auth_cfg_t *this, char *constraints,
+								   bool ike);
+
+	/**
 	 * Get a rule value.
 	 *
 	 * For rules we expect only once the latest value is returned.
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index b281c1669..761082986 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -22,10 +23,10 @@ ENUM(certificate_type_names, CERT_ANY, CERT_GPG,
 	"ANY",
 	"X509",
 	"X509_CRL",
-	"X509_OCSP_REQUEST",
-	"X509_OCSP_RESPONSE",
+	"OCSP_REQUEST",
+	"OCSP_RESPONSE",
 	"X509_AC",
-	"TRUSTED_PUBKEY",
+	"PUBKEY",
 	"PKCS10_REQUEST",
 	"PGP",
 );
diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.c b/src/libstrongswan/credentials/certificates/certificate_printer.c
new file mode 100644
index 000000000..c618e80bf
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/certificate_printer.c
@@ -0,0 +1,753 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "certificate_printer.h"
+#include "credentials/certificates/x509.h"
+#include "credentials/certificates/crl.h"
+#include "credentials/certificates/ac.h"
+#include "credentials/certificates/ocsp_response.h"
+#include "credentials/certificates/pgp_certificate.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+#include <selectors/traffic_selector.h>
+
+#include <time.h>
+
+typedef struct private_certificate_printer_t private_certificate_printer_t;
+
+/**
+ * Private data of an certificate_printer_t object.
+ */
+struct private_certificate_printer_t {
+
+	/**
+	 * Public certificate_printer_t interface.
+	 */
+	certificate_printer_t public;
+
+	/**
+	 * File to print to
+	 */
+	FILE *f;
+
+	/**
+	 * Print detailed certificate information
+	 */
+	bool detailed;
+
+	/**
+	 * Print time information in UTC
+	 */
+	bool utc;
+
+	/**
+	 * Previous certificate type
+	 */
+	certificate_type_t type;
+
+	/**
+	 * Previous X.509 certificate flag
+	 */
+	x509_flag_t flag;
+
+};
+
+/**
+ * Print X509 specific certificate information
+ */
+static void print_x509(private_certificate_printer_t *this, x509_t *x509)
+{
+	enumerator_t *enumerator;
+	identification_t *id;
+	traffic_selector_t *block;
+	chunk_t chunk;
+	bool first;
+	char *uri;
+	int len, explicit, inhibit;
+	x509_flag_t flags;
+	x509_cdp_t *cdp;
+	x509_cert_policy_t *policy;
+	x509_policy_mapping_t *mapping;
+	FILE *f = this->f;
+
+	chunk = chunk_skip_zero(x509->get_serial(x509));
+	fprintf(f, "  serial:    %#B\n", &chunk);
+
+	first = TRUE;
+	enumerator = x509->create_subjectAltName_enumerator(x509);
+	while (enumerator->enumerate(enumerator, &id))
+	{
+		if (first)
+		{
+			fprintf(f, "  altNames:  ");
+			first = FALSE;
+		}
+		else
+		{
+			fprintf(f, ", ");
+		}
+		fprintf(f, "%Y", id);
+	}
+	if (!first)
+	{
+		fprintf(f, "\n");
+	}
+	enumerator->destroy(enumerator);
+
+	if (this->detailed)
+	{
+		flags = x509->get_flags(x509);
+		if (flags != X509_NONE)
+		{
+			fprintf(f, "  flags:     ");
+			if (flags & X509_CA)
+			{
+				fprintf(f, "CA ");
+			}
+			if (flags & X509_CRL_SIGN)
+			{
+				fprintf(f, "CRLSign ");
+			}
+			if (flags & X509_OCSP_SIGNER)
+			{
+				fprintf(f, "ocspSigning ");
+			}
+			if (flags & X509_SERVER_AUTH)
+			{
+				fprintf(f, "serverAuth ");
+			}
+			if (flags & X509_CLIENT_AUTH)
+			{
+				fprintf(f, "clientAuth ");
+			}
+			if (flags & X509_IKE_INTERMEDIATE)
+			{
+				fprintf(f, "ikeIntermediate ");
+			}
+			if (flags & X509_MS_SMARTCARD_LOGON)
+			{
+				fprintf(f, "msSmartcardLogon");
+			}
+			if (flags & X509_SELF_SIGNED)
+			{
+				fprintf(f, "self-signed ");
+			}
+			fprintf(f, "\n");
+		}
+
+		first = TRUE;
+		enumerator = x509->create_crl_uri_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &cdp))
+		{
+			if (first)
+			{
+				fprintf(f, "  CRL URIs:  %s", cdp->uri);
+				first = FALSE;
+			}
+			else
+			{
+				fprintf(f, "           %s", cdp->uri);
+			}
+			if (cdp->issuer)
+			{
+				fprintf(f, " (CRL issuer: %Y)", cdp->issuer);
+			}
+			fprintf(f, "\n");
+		}
+		enumerator->destroy(enumerator);
+
+		first = TRUE;
+		enumerator = x509->create_ocsp_uri_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &uri))
+		{
+			if (first)
+			{
+				fprintf(f, "  OCSP URIs: %s\n", uri);
+				first = FALSE;
+			}
+			else
+			{
+				fprintf(f, "           %s\n", uri);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		len = x509->get_constraint(x509, X509_PATH_LEN);
+		if (len != X509_NO_CONSTRAINT)
+		{
+			fprintf(f, "  pathlen:   %d\n", len);
+		}
+
+		first = TRUE;
+		enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
+		while (enumerator->enumerate(enumerator, &id))
+		{
+			if (first)
+			{
+				fprintf(f, "  permitted nameConstraints:\n");
+				first = FALSE;
+			}
+			fprintf(f, "           %Y\n", id);
+		}
+		enumerator->destroy(enumerator);
+
+		first = TRUE;
+		enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
+		while (enumerator->enumerate(enumerator, &id))
+		{
+			if (first)
+			{
+				fprintf(f, "  excluded nameConstraints:\n");
+				first = FALSE;
+			}
+			fprintf(f, "           %Y\n", id);
+		}
+		enumerator->destroy(enumerator);
+
+		first = TRUE;
+		enumerator = x509->create_cert_policy_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &policy))
+		{
+			char *oid;
+
+			if (first)
+			{
+				fprintf(f, "  certificatePolicies:\n");
+				first = FALSE;
+			}
+			oid = asn1_oid_to_string(policy->oid);
+			if (oid)
+			{
+				fprintf(f, "             %s\n", oid);
+				free(oid);
+			}
+			else
+			{
+				fprintf(f, "             %#B\n", &policy->oid);
+			}
+			if (policy->cps_uri)
+			{
+				fprintf(f, "             CPS: %s\n", policy->cps_uri);
+			}
+			if (policy->unotice_text)
+			{
+				fprintf(f, "             Notice: %s\n", policy->unotice_text);
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		first = TRUE;
+		enumerator = x509->create_policy_mapping_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &mapping))
+		{
+			char *issuer_oid, *subject_oid;
+
+			if (first)
+			{
+				fprintf(f, "  policyMappings:\n");
+				first = FALSE;
+			}
+			issuer_oid = asn1_oid_to_string(mapping->issuer);
+			subject_oid = asn1_oid_to_string(mapping->subject);
+			fprintf(f, "           %s => %s\n", issuer_oid, subject_oid);
+			free(issuer_oid);
+			free(subject_oid);
+		}
+		enumerator->destroy(enumerator);
+
+		explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+		inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+		len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+
+		if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
+			len != X509_NO_CONSTRAINT)
+		{
+			fprintf(f, "  policyConstraints:\n");
+			if (explicit != X509_NO_CONSTRAINT)
+			{
+				fprintf(f, "           requireExplicitPolicy: %d\n", explicit);
+			}
+			if (inhibit != X509_NO_CONSTRAINT)
+			{
+				fprintf(f, "           inhibitPolicyMapping: %d\n", inhibit);
+			}
+			if (len != X509_NO_CONSTRAINT)
+			{
+				fprintf(f, "           inhibitAnyPolicy: %d\n", len);
+			}
+		}
+
+		if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+		{
+			first = TRUE;
+			fprintf(f, "  addresses: ");
+			enumerator = x509->create_ipAddrBlock_enumerator(x509);
+			while (enumerator->enumerate(enumerator, &block))
+			{
+				if (first)
+				{
+					first = FALSE;
+				}
+				else
+				{
+					fprintf(f, ", ");
+				}
+				fprintf(f, "%R", block);
+			}
+			enumerator->destroy(enumerator);
+			fprintf(f, "\n");
+		}
+	}
+
+	chunk = x509->get_authKeyIdentifier(x509);
+	if (chunk.ptr)
+	{
+		fprintf(f, "  authkeyId: %#B\n", &chunk);
+	}
+
+	chunk = x509->get_subjectKeyIdentifier(x509);
+	if (chunk.ptr)
+	{
+		fprintf(f, "  subjkeyId: %#B\n", &chunk);
+	}
+}
+
+/**
+ * Print CRL specific information
+ */
+static void print_crl(private_certificate_printer_t *this, crl_t *crl)
+{
+	enumerator_t *enumerator;
+	time_t ts;
+	crl_reason_t reason;
+	chunk_t chunk;
+	int count = 0;
+	bool first;
+	x509_cdp_t *cdp;
+	FILE *f = this->f;
+
+	chunk = chunk_skip_zero(crl->get_serial(crl));
+	fprintf(f, "  serial:    %#B\n", &chunk);
+
+	if (crl->is_delta_crl(crl, &chunk))
+	{
+		chunk = chunk_skip_zero(chunk);
+		fprintf(f, "  delta CRL: for serial %#B\n", &chunk);
+	}
+	chunk = crl->get_authKeyIdentifier(crl);
+	fprintf(f, "  authKeyId: %#B\n", &chunk);
+
+	first = TRUE;
+	enumerator = crl->create_delta_crl_uri_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &cdp))
+	{
+		if (first)
+		{
+			fprintf(f, "  freshest:  %s", cdp->uri);
+			first = FALSE;
+		}
+		else
+		{
+			fprintf(f, "             %s", cdp->uri);
+		}
+		if (cdp->issuer)
+		{
+			fprintf(f, " (CRL issuer: %Y)", cdp->issuer);
+		}
+		fprintf(f, "\n");
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = crl->create_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+
+	fprintf(f, "  %d revoked certificate%s%s\n", count, (count == 1) ? "" : "s",
+				(count && this->detailed) ? ":" : "");
+
+	if (this->detailed)
+	{
+		enumerator = crl->create_enumerator(crl);
+		while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+		{
+			chunk = chunk_skip_zero(chunk);
+			fprintf(f, "    %#B: %T, %N\n", &chunk, &ts, this->utc,
+											crl_reason_names, reason);
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Print AC specific information
+ */
+static void print_ac(private_certificate_printer_t *this, ac_t *ac)
+{
+	ac_group_type_t type;
+	identification_t *id;
+	enumerator_t *groups;
+	chunk_t chunk;
+	bool first = TRUE;
+	FILE *f = this->f;
+
+	chunk = chunk_skip_zero(ac->get_serial(ac));
+	fprintf(f, "  serial:    %#B\n", &chunk);
+
+	id = ac->get_holderIssuer(ac);
+	if (id)
+	{
+		fprintf(f, "  hissuer:  \"%Y\"\n", id);
+	}
+	chunk = chunk_skip_zero(ac->get_holderSerial(ac));
+	if (chunk.ptr)
+	{
+		fprintf(f, "  hserial:   %#B\n", &chunk);
+	}
+	groups = ac->create_group_enumerator(ac);
+	while (groups->enumerate(groups, &type, &chunk))
+	{
+		int oid;
+		char *str;
+
+		if (first)
+		{
+			fprintf(f, "  groups:    ");
+			first = FALSE;
+		}
+		else
+		{
+			fprintf(f, "             ");
+		}
+		switch (type)
+		{
+			case AC_GROUP_TYPE_STRING:
+				fprintf(f, "%.*s", (int)chunk.len, chunk.ptr);
+				break;
+			case AC_GROUP_TYPE_OID:
+				oid = asn1_known_oid(chunk);
+				if (oid == OID_UNKNOWN)
+				{
+					str = asn1_oid_to_string(chunk);
+					if (str)
+					{
+						fprintf(f, "%s", str);
+						free(str);
+					}
+					else
+					{
+						fprintf(f, "OID:%#B", &chunk);
+					}
+				}
+				else
+				{
+					fprintf(f, "%s", oid_names[oid].name);
+				}
+				break;
+			case AC_GROUP_TYPE_OCTETS:
+				fprintf(f, "%#B", &chunk);
+				break;
+		}
+		fprintf(f, "\n");
+	}
+	groups->destroy(groups);
+
+	chunk = ac->get_authKeyIdentifier(ac);
+	if (chunk.ptr)
+	{
+		fprintf(f, "  authkey:  %#B\n", &chunk);
+	}
+}
+
+/**
+ * Print OCSP response specific information
+ */
+static void print_ocsp_response(private_certificate_printer_t *this,
+								ocsp_response_t *ocsp_response)
+{
+	enumerator_t *enumerator;
+	chunk_t serialNumber;
+	cert_validation_t status;
+	char *status_text;
+	time_t revocationTime;
+	crl_reason_t *revocationReason;
+	bool first = TRUE;
+	FILE *f = this->f;
+
+	if (this->detailed)
+	{
+		fprintf(f, "  responses: ");
+
+		enumerator = ocsp_response->create_response_enumerator(ocsp_response);
+		while (enumerator->enumerate(enumerator, &serialNumber, &status,
+									 &revocationTime, &revocationReason))
+		{
+			if (first)
+			{
+				first = FALSE;
+			}
+			else
+			{
+				fprintf(f, "             ");
+			}
+			serialNumber = chunk_skip_zero(serialNumber);
+
+			switch (status)
+			{
+				case VALIDATION_GOOD:
+					status_text = "good";
+					break;
+				case VALIDATION_REVOKED:
+					status_text = "revoked";
+					break;
+				default:
+					status_text = "unknown";
+			}
+			fprintf(f, "%#B: %s", &serialNumber, status_text);
+
+			if (status == VALIDATION_REVOKED)
+			{
+				fprintf(f, " on %T, %N", &revocationTime, this->utc,
+							 crl_reason_names, revocationReason);
+			}
+			fprintf(f, "\n");
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
+ * Print public key information
+ */
+static void print_pubkey(private_certificate_printer_t *this, public_key_t *key,
+						 bool has_privkey)
+{
+	chunk_t chunk;
+	FILE *f = this->f;
+
+	fprintf(f, "  pubkey:    %N %d bits", key_type_names, key->get_type(key),
+				key->get_keysize(key));
+	if (has_privkey)
+	{
+		fprintf(f, ", has private key");
+	}
+	fprintf(f, "\n");
+	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
+	{
+		fprintf(f, "  keyid:     %#B\n", &chunk);
+	}
+	if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
+	{
+		fprintf(f, "  subjkey:   %#B\n", &chunk);
+	}
+}
+
+METHOD(certificate_printer_t, print, void,
+	private_certificate_printer_t *this, certificate_t *cert, bool has_privkey)
+{
+	time_t now, notAfter, notBefore;
+	certificate_type_t type;
+	identification_t *subject;
+	char *t0, *t1, *t2;
+	public_key_t *key;
+	FILE *f = this->f;
+
+	now = time(NULL);
+	type = cert->get_type(cert);
+	subject = cert->get_subject(cert);
+
+	if ((type != CERT_X509_CRL && type != CERT_X509_OCSP_RESPONSE &&
+		 type != CERT_TRUSTED_PUBKEY) ||
+	    (type == CERT_TRUSTED_PUBKEY && subject->get_type(subject) != ID_KEY_ID))
+	{
+		fprintf(f, "  subject:  \"%Y\"\n", subject);
+	}
+	if (type != CERT_TRUSTED_PUBKEY && type != CERT_GPG)
+	{
+		fprintf(f, "  issuer:   \"%Y\"\n", cert->get_issuer(cert));
+	}
+
+	/* list validity if set */
+	cert->get_validity(cert, &now, &notBefore, &notAfter);
+	if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME)
+	{
+		if (type == CERT_GPG)
+		{
+			fprintf(f, "  created:   %T\n", &notBefore, this->utc);
+			fprintf(f, "  until:     %T%s\n", &notAfter, this->utc,
+				(notAfter == TIME_32_BIT_SIGNED_MAX) ?" expires never" : "");
+		}
+		else
+		{
+			 if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE)
+			{
+				t0 = "update:  ";
+				t1 = "this on";
+				t2 = "next on";
+			}
+			else
+			{
+				t0 = "validity:";
+				t1 = "not before";
+				t2 = "not after ";
+			}
+			fprintf(f, "  %s  %s %T, ", t0, t1, &notBefore, this->utc);
+			if (now < notBefore)
+			{
+				fprintf(f, "not valid yet (valid in %V)\n", &now, &notBefore);
+			}
+			else
+			{
+				fprintf(f, "ok\n");
+			}
+			fprintf(f, "             %s %T, ", t2, &notAfter, this->utc);
+			if (now > notAfter)
+			{
+				fprintf(f, "expired (%V ago)\n", &now, &notAfter);
+			}
+			else
+			{
+				fprintf(f, "ok (expires in %V)\n", &now, &notAfter);
+			}
+		}
+	}
+
+	switch (cert->get_type(cert))
+	{
+		case CERT_X509:
+			print_x509(this, (x509_t*)cert);
+			break;
+		case CERT_X509_CRL:
+			print_crl(this, (crl_t*)cert);
+			break;
+		case CERT_X509_AC:
+			print_ac(this, (ac_t*)cert);
+			break;
+		case CERT_X509_OCSP_RESPONSE:
+			print_ocsp_response(this, (ocsp_response_t*)cert);
+			break;
+		case CERT_TRUSTED_PUBKEY:
+		default:
+			break;
+	}
+	if (type == CERT_GPG)
+	{
+		pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
+		chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
+
+		fprintf(f, "  pgpDigest: %#B\n", &fingerprint);
+	}
+	key = cert->get_public_key(cert);
+	if (key)
+	{
+		print_pubkey(this, key, has_privkey);
+		key->destroy(key);
+	}
+}
+
+METHOD(certificate_printer_t, print_caption, void,
+	private_certificate_printer_t *this, certificate_type_t type,
+	x509_flag_t flag)
+{
+	char *caption;
+
+	if (type != this->type || (type == CERT_X509 && flag != this->flag))
+	{
+		switch (type)
+		{
+			case CERT_X509:
+				switch (flag)
+				{
+					case X509_NONE:
+						caption = "X.509 End Entity Certificate";
+						break;
+					case X509_CA:
+						caption = "X.509 CA Certificate";
+						break;
+					case X509_AA:
+						caption = "X.509 AA Certificate";
+						break;
+					case X509_OCSP_SIGNER:
+						caption = "X.509 OCSP Signer Certificate";
+						break;
+					default:
+						return;
+				}
+				break;
+			case CERT_X509_AC:
+				caption = "X.509 Attribute Certificate";
+				break;
+			case CERT_X509_CRL:
+				caption = "X.509 CRL";
+				break;
+			case CERT_X509_OCSP_RESPONSE:
+				caption = "OCSP Response";
+				break;
+			case CERT_TRUSTED_PUBKEY:
+				caption = "Raw Public Key";
+				break;
+			case CERT_GPG:
+				caption = "PGP End Entity Certificate";
+				break;
+			default:
+				return;
+		}
+		fprintf(this->f, "\nList of %ss\n", caption);
+
+		/* Update to current type and flag value */
+		this->type = type;
+		if (type == CERT_X509)
+		{
+			this->flag = flag;
+		}
+	}
+	fprintf(this->f, "\n");
+}
+
+METHOD(certificate_printer_t, destroy, void,
+	private_certificate_printer_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+certificate_printer_t *certificate_printer_create(FILE *f, bool detailed,
+												  bool utc)
+{
+	private_certificate_printer_t *this;
+
+	INIT(this,
+		.public = {
+			.print = _print,
+			.print_caption = _print_caption,
+			.destroy = _destroy,
+		},
+		.f = f,
+		.detailed = detailed,
+		.utc = utc,
+		.type = CERT_ANY,
+		.flag = X509_ANY,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.h b/src/libstrongswan/credentials/certificates/certificate_printer.h
new file mode 100644
index 000000000..7953eb060
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/certificate_printer.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup certificate_printer certificate_printer
+ * @{ @ingroup certificates
+ */
+
+#ifndef CERTIFICATE_PRINTER_H_
+#define CERTIFICATE_PRINTER_H_
+
+typedef struct certificate_printer_t certificate_printer_t;
+
+#include "credentials/certificates/certificate.h"
+#include "credentials/certificates/x509.h"
+
+#include <stdio.h>
+
+/**
+ * An object for printing certificate information.
+ */
+struct certificate_printer_t {
+
+	/**
+	 * Print a certificate.
+	 *
+	 * @param cert			certificate to be printed
+	 * @param has_privkey	indicates that certificate has a matching private key
+	 */
+	void (*print)(certificate_printer_t *this, certificate_t *cert,
+				  bool has_privkey);
+
+	/**
+	 * Print a caption if the certificate type changed.
+	 *
+	 * @param type		certificate type
+	 * @param flag		X.509 certificate flag
+	 */
+	void (*print_caption)(certificate_printer_t *this, certificate_type_t type,
+						  x509_flag_t flag);
+
+	/**
+	 * Destroy the certificate_printer object.
+	 */
+	void (*destroy)(certificate_printer_t *this);
+};
+
+/**
+ * Create a certificate_printer object
+ *
+ * @param f				file where print output is directed to (usually stdout)
+ * @param detailed		print more detailed certificate information
+ * @param utc			print time inforamtion in UTC
+ */
+certificate_printer_t* certificate_printer_create(FILE *f, bool detailed,
+												  bool utc);
+
+#endif /** CERTIFICATE_PRINTER_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h
index 9c5637b9f..c6a4c1277 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_response.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.h
@@ -77,6 +77,13 @@ struct ocsp_response_t {
 	 * @return					enumerator over certificate_t*
 	 */
 	enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);
+
+	/**
+	 * Create an enumerator over the contained responses.
+	 *
+	 * @return					enumerator over major response fields
+	 */
+	enumerator_t* (*create_response_enumerator)(ocsp_response_t *this);
 };
 
 #endif /** OCSP_RESPONSE_H_ @}*/
diff --git a/src/libhydra/tests/hydra_tests.h b/src/libstrongswan/credentials/certificates/x509.c
index 6b213d026..5eefa0bb4 100644
--- a/src/libhydra/tests/hydra_tests.h
+++ b/src/libstrongswan/credentials/certificates/x509.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2014 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -12,3 +12,16 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */
+
+#include "x509.h"
+
+ENUM_BEGIN(x509_flag_names, X509_NONE, X509_AA,
+	"NONE",
+	"CA",
+	"AA");
+ENUM_NEXT(x509_flag_names, X509_OCSP_SIGNER, X509_OCSP_SIGNER, X509_AA,
+	"OCSP");
+ENUM_NEXT(x509_flag_names, X509_ANY, X509_ANY, X509_OCSP_SIGNER,
+	"ANY");
+ENUM_END(x509_flag_names, X509_ANY);
+
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 6cbfcdeed..601c034ef 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -46,6 +46,8 @@ enum x509_flag_t {
 	X509_AA =                 (1<<1),
 	/** cert has OCSP signer constraint */
 	X509_OCSP_SIGNER =        (1<<2),
+    /** cert has either CA, AA or OCSP constraint */
+	X509_ANY = X509_CA | X509_AA | X509_OCSP_SIGNER,
 	/** cert has serverAuth key usage */
 	X509_SERVER_AUTH =        (1<<3),
 	/** cert has clientAuth key usage */
@@ -62,6 +64,8 @@ enum x509_flag_t {
 	X509_MS_SMARTCARD_LOGON = (1<<9),
 };
 
+extern enum_name_t *x509_flag_names;
+
 /**
  * Different numerical X.509 constraints.
  */
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 371e6404d..95c5cd777 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -917,6 +918,8 @@ METHOD(enumerator_t, trusted_destroy, void,
 	DESTROY_IF(this->auth);
 	DESTROY_IF(this->candidates);
 	this->failed->destroy_offset(this->failed, offsetof(certificate_t, destroy));
+	/* check for delayed certificate cache queue */
+	cache_queue(this->this);
 	free(this);
 }
 
@@ -985,7 +988,6 @@ METHOD(enumerator_t, public_destroy, void,
 		this->wrapper->destroy(this->wrapper);
 	}
 	this->this->lock->unlock(this->this->lock);
-
 	/* check for delayed certificate cache queue */
 	cache_queue(this->this);
 	free(this);
@@ -993,7 +995,7 @@ METHOD(enumerator_t, public_destroy, void,
 
 METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
 	private_credential_manager_t *this, key_type_t type, identification_t *id,
-	auth_cfg_t *auth)
+	auth_cfg_t *auth, bool online)
 {
 	public_enumerator_t *enumerator;
 
@@ -1002,7 +1004,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
 			.enumerate = (void*)_public_enumerate,
 			.destroy = _public_destroy,
 		},
-		.inner = create_trusted_enumerator(this, type, id, TRUE),
+		.inner = create_trusted_enumerator(this, type, id, online),
 		.this = this,
 	);
 	if (auth)
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index 445ea3f9c..022ca566c 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -202,14 +203,18 @@ struct credential_manager_t {
 	 * where the auth config helper contains rules for constraint checks.
 	 * This function is very similar to create_trusted_enumerator(), but
 	 * gets public keys directly.
+	 * If online is set, revocations are checked online for the whole
+	 * trustchain.
 	 *
 	 * @param type		type of the key to get
 	 * @param id		owner of the key, signer of the signature
 	 * @param auth		authentication infos
+	 * @param online	whether revocations should be checked online
 	 * @return			enumerator
 	 */
 	enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
-					key_type_t type, identification_t *id, auth_cfg_t *auth);
+					key_type_t type, identification_t *id, auth_cfg_t *auth,
+					bool online);
 
 	/**
 	 * Cache a certificate by invoking cache_cert() on all registered sets.
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index dc73ccc68..e130b93ee 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2009-2016 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -61,6 +61,31 @@ struct private_library_t {
 	refcount_t ref;
 };
 
+#define MAX_NAMESPACES 5
+
+/**
+ * Additional namespaces registered using __atrribute__((constructor))
+ */
+static char *namespaces[MAX_NAMESPACES];
+static int ns_count;
+
+/**
+ * Described in header
+ */
+void library_add_namespace(char *ns)
+{
+	if (ns_count < MAX_NAMESPACES - 1)
+	{
+		namespaces[ns_count] = ns;
+		ns_count++;
+	}
+	else
+	{
+		fprintf(stderr, "failed to register additional namespace alias, please "
+				"increase MAX_NAMESPACES");
+	}
+}
+
 /**
  * library instance
  */
@@ -248,6 +273,7 @@ bool library_init(char *settings, const char *namespace)
 {
 	private_library_t *this;
 	printf_hook_t *pfh;
+	int i;
 
 	if (lib)
 	{	/* already initialized, increase refcount */
@@ -311,6 +337,11 @@ bool library_init(char *settings, const char *namespace)
 									 (hashtable_equals_t)equals, 4);
 
 	this->public.settings = settings_create(this->public.conf);
+	/* add registered aliases */
+	for (i = 0; i < ns_count; ++i)
+	{
+		lib->settings->add_fallback(lib->settings, lib->ns, namespaces[i]);
+	}
 	/* all namespace settings may fall back to libstrongswan */
 	lib->settings->add_fallback(lib->settings, lib->ns, "libstrongswan");
 
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 3a6dd1ba4..08316fd13 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2014 Tobias Brunner
+ * Copyright (C) 2010-2016 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -276,4 +276,14 @@ void library_deinit();
  */
 extern library_t *lib;
 
+/**
+ * Add additional names used as alias for the namespace registered with
+ * library_init().
+ *
+ * To be called from __attribute__((constructor)) functions.
+ *
+ * @param ns			additional namespace
+ */
+void library_add_namespace(char *ns);
+
 #endif /** LIBRARY_H_ @}*/
diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in
index 65542ea5d..034ab48e0 100644
--- a/src/libstrongswan/plugins/acert/Makefile.in
+++ b/src/libstrongswan/plugins/acert/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 9d79c81ee..6ad68a55a 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/aesni/Makefile.in b/src/libstrongswan/plugins/aesni/Makefile.in
index 34adaa390..7f91e439c 100644
--- a/src/libstrongswan/plugins/aesni/Makefile.in
+++ b/src/libstrongswan/plugins/aesni/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index 4a86f9640..7aaea450c 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 292c2fd90..cbdc8e84e 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in
index 1361dd340..8f91cdcbe 100644
--- a/src/libstrongswan/plugins/bliss/Makefile.in
+++ b/src/libstrongswan/plugins/bliss/Makefile.in
@@ -433,6 +433,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in
index 5a1ce3d50..43e508ba0 100644
--- a/src/libstrongswan/plugins/bliss/tests/Makefile.in
+++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index f19616552..a6c3287f4 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index ca7cadbe4..3d56b9802 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/chapoly/Makefile.in b/src/libstrongswan/plugins/chapoly/Makefile.in
index 98e1f4d9e..b3506587d 100644
--- a/src/libstrongswan/plugins/chapoly/Makefile.in
+++ b/src/libstrongswan/plugins/chapoly/Makefile.in
@@ -428,6 +428,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c b/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c
index 54e934e6a..dfed4d53d 100644
--- a/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c
+++ b/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c
@@ -58,27 +58,6 @@ struct private_chapoly_drv_portable_t {
 };
 
 /**
- * Convert unaligned little endian to host byte order
- */
-static inline u_int32_t uletoh32(void *p)
-{
-	u_int32_t ret;
-
-	memcpy(&ret, p, sizeof(ret));
-	ret = le32toh(ret);
-	return ret;
-}
-
-/**
- * Convert host byte order to unaligned little endian
- */
-static inline void htoule32(void *p, u_int32_t v)
-{
-	v = htole32(v);
-	memcpy(p, &v, sizeof(v));
-}
-
-/**
  * XOR a 32-bit integer into an unaligned destination
  */
 static inline void xor32u(void *p, u_int32_t x)
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 9e249399b..2ffaa0662 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 2e623ad3b..f263f7764 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 7b7231b85..9558f878e 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index d525eac02..8fc366cca 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 96b2f6055..6a09d63c9 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 910289906..55ebb3419 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/files/Makefile.in b/src/libstrongswan/plugins/files/Makefile.in
index 31dc4a3ac..6c2e792f5 100644
--- a/src/libstrongswan/plugins/files/Makefile.in
+++ b/src/libstrongswan/plugins/files/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index b7ca1ce97..252035ca8 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index e125ab884..f9c4a6950 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 4ce7438fc..774c447f6 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 04f1f43ef..7ecba8fa9 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -98,14 +98,14 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(HASHER, HASH_SHA512),
 		/* MODP DH groups */
 		PLUGIN_REGISTER(DH, gcrypt_dh_create),
-			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-			PLUGIN_PROVIDE(DH, MODP_2048_224),
-			PLUGIN_PROVIDE(DH, MODP_2048_256),
-			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
 			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 			PLUGIN_PROVIDE(DH, MODP_6144_BIT),
 			PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+			PLUGIN_PROVIDE(DH, MODP_2048_224),
+			PLUGIN_PROVIDE(DH, MODP_2048_256),
+			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 			PLUGIN_PROVIDE(DH, MODP_1024_BIT),
 			PLUGIN_PROVIDE(DH, MODP_1024_160),
 			PLUGIN_PROVIDE(DH, MODP_768_BIT),
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index 788cb931e..9a2d30192 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index d93aa14a1..ea75896a1 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -45,14 +45,6 @@ METHOD(plugin_t, get_features, int,
 	static plugin_feature_t f[] = {
 		/* DH groups */
 		PLUGIN_REGISTER(DH, gmp_diffie_hellman_create),
-			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-			PLUGIN_PROVIDE(DH, MODP_2048_224),
-				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-			PLUGIN_PROVIDE(DH, MODP_2048_256),
-				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
-				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
 				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
@@ -61,6 +53,14 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(DH, MODP_8192_BIT),
 				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(DH, MODP_2048_224),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(DH, MODP_2048_256),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(DH, MODP_1024_BIT),
 				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(DH, MODP_1024_160),
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index a8c39cbab..46fac4a8c 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
index 8f6a6f54d..eb0bdf387 100644
--- a/src/libstrongswan/plugins/keychain/Makefile.in
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 5316323a4..0a03fd819 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index d5f9c6c81..4dbdbe020 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 1dd3892cd..6fc25b023 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index e2fb7e720..17409dbc3 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 0b51ba5d8..68be3f44a 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in
index 5636692ab..97a70679d 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.in
+++ b/src/libstrongswan/plugins/ntru/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index a667ca47e..302016937 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -423,6 +423,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index e48efe3e9..aeb9be409 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -365,28 +365,41 @@ METHOD(plugin_t, get_features, int,
 #ifndef OPENSSL_NO_AES
 		/* AES GCM */
 		PLUGIN_REGISTER(AEAD, openssl_gcm_create),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
-			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  16),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  24),
+			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  32),
 #endif /* OPENSSL_NO_AES */
 #endif /* OPENSSL_VERSION_NUMBER */
+#ifndef OPENSSL_NO_ECDH
+		/* EC DH groups */
+		PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
+			PLUGIN_PROVIDE(DH, ECP_256_BIT),
+			PLUGIN_PROVIDE(DH, ECP_384_BIT),
+			PLUGIN_PROVIDE(DH, ECP_521_BIT),
+			PLUGIN_PROVIDE(DH, ECP_224_BIT),
+			PLUGIN_PROVIDE(DH, ECP_192_BIT),
+			PLUGIN_PROVIDE(DH, ECP_256_BP),
+			PLUGIN_PROVIDE(DH, ECP_384_BP),
+			PLUGIN_PROVIDE(DH, ECP_512_BP),
+			PLUGIN_PROVIDE(DH, ECP_224_BP),
+#endif
 #ifndef OPENSSL_NO_DH
 		/* MODP DH groups */
 		PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
-			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-			PLUGIN_PROVIDE(DH, MODP_2048_224),
-			PLUGIN_PROVIDE(DH, MODP_2048_256),
-			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
 			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 			PLUGIN_PROVIDE(DH, MODP_6144_BIT),
 			PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+			PLUGIN_PROVIDE(DH, MODP_2048_224),
+			PLUGIN_PROVIDE(DH, MODP_2048_256),
+			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 			PLUGIN_PROVIDE(DH, MODP_1024_BIT),
 			PLUGIN_PROVIDE(DH, MODP_1024_160),
 			PLUGIN_PROVIDE(DH, MODP_768_BIT),
@@ -446,19 +459,6 @@ METHOD(plugin_t, get_features, int,
 #endif /* OPENSSL_VERSION_NUMBER */
 		PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs12_load, TRUE),
 			PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
-#ifndef OPENSSL_NO_ECDH
-		/* EC DH groups */
-		PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
-			PLUGIN_PROVIDE(DH, ECP_256_BIT),
-			PLUGIN_PROVIDE(DH, ECP_384_BIT),
-			PLUGIN_PROVIDE(DH, ECP_521_BIT),
-			PLUGIN_PROVIDE(DH, ECP_224_BIT),
-			PLUGIN_PROVIDE(DH, ECP_192_BIT),
-			PLUGIN_PROVIDE(DH, ECP_224_BP),
-			PLUGIN_PROVIDE(DH, ECP_256_BP),
-			PLUGIN_PROVIDE(DH, ECP_384_BP),
-			PLUGIN_PROVIDE(DH, ECP_512_BP),
-#endif
 #ifndef OPENSSL_NO_ECDSA
 		/* EC private/public key loading */
 		PLUGIN_REGISTER(PRIVKEY, openssl_ec_private_key_load, TRUE),
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 44603afb1..2d6006bca 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 4c982fdf5..16dfbed3a 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 4d4215bfe..a55877952 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 2a708364a..a265818b0 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index de033a3fb..f4bded41a 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
index 3fa0a3890..7fd31583b 100644
--- a/src/libstrongswan/plugins/pkcs12/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index 3266e5d5f..5fc439b99 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 2130c9c93..162868af5 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index a9f3dd14c..007bdbd00 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
index b7ba5ad43..0631a6857 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c
@@ -196,6 +196,13 @@ METHOD(certificate_t, destroy, void,
 	}
 }
 
+METHOD(pubkey_cert_t, set_subject, void,
+	private_pubkey_cert_t *this, identification_t *subject)
+{
+	DESTROY_IF(this->subject);
+	this->subject = subject->clone(subject);
+}
+
 /*
  * see header file
  */
@@ -222,6 +229,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key,
 				.get_ref = _get_ref,
 				.destroy = _destroy,
 			},
+			.set_subject = _set_subject,
 		},
 		.ref = 1,
 		.key = key,
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.h b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
index a2d735342..06e4e0fa3 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_cert.h
+++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.h
@@ -35,6 +35,13 @@ struct pubkey_cert_t {
 	 * Implements certificate_t.
 	 */
 	certificate_t interface;
+
+	/**
+	 * Set the subject of the trusted public key.
+	 *
+	 * @param subject	subject to be set
+	 */
+	void (*set_subject)(pubkey_cert_t *this, identification_t *subject);
 };
 
 /**
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 11a13463b..f6dc73e09 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
index b81acef55..b9fc8bdf6 100644
--- a/src/libstrongswan/plugins/rc2/Makefile.in
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index 028464bf3..f6bdf9c59 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 342c544d9..4c7f2723b 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 18771e4f9..1de07d754 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 6aaa06b20..d4af8fbcf 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/sha3/Makefile.in b/src/libstrongswan/plugins/sha3/Makefile.in
index 3034ea537..9aa58e236 100644
--- a/src/libstrongswan/plugins/sha3/Makefile.in
+++ b/src/libstrongswan/plugins/sha3/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 02290b4a2..acb05d570 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 3e234f1ca..ca59bb7df 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
index a8d5a1020..feb9313ff 100644
--- a/src/libstrongswan/plugins/sshkey/Makefile.in
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 100f3b15a..431b60724 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -432,6 +432,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index c84717bdc..59590d1a9 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/winhttp/Makefile.in b/src/libstrongswan/plugins/winhttp/Makefile.in
index f8db1ffac..acfc57bb6 100644
--- a/src/libstrongswan/plugins/winhttp/Makefile.in
+++ b/src/libstrongswan/plugins/winhttp/Makefile.in
@@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index b31bfbed1..c58dfe210 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 96280a033..2b83f3328 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -2143,8 +2143,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 		msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON);
 	}
 
-	if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
-		ocspSigning.ptr)
+	if (serverAuth.ptr  || clientAuth.ptr || ikeIntermediate.ptr ||
+		ocspSigning.ptr || msSmartcardLogon.ptr)
 	{
 		extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
 								asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 60133fc7f..b46af30fe 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -1,7 +1,8 @@
 /**
  * Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2007-2014 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2007-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -228,6 +229,42 @@ METHOD(ocsp_response_t, create_cert_enumerator, enumerator_t*,
 }
 
 /**
+ * enumerator filter callback for create_response_enumerator
+ */
+static bool filter(void *data, single_response_t **response,
+				   chunk_t *serialNumber,
+				   void *p2, cert_validation_t *status,
+				   void *p3, time_t *revocationTime,
+				   void *p4, crl_reason_t *revocationReason)
+{
+	if (serialNumber)
+	{
+		*serialNumber = (*response)->serialNumber;
+	}
+	if (status)
+	{
+		*status = (*response)->status;
+	}
+	if (revocationTime)
+	{
+		*revocationTime = (*response)->revocationTime;
+	}
+	if (revocationReason)
+	{
+		*revocationReason = (*response)->revocationReason;
+	}
+	return TRUE;
+}
+
+METHOD(ocsp_response_t, create_response_enumerator, enumerator_t*,
+	private_x509_ocsp_response_t *this)
+{
+	return enumerator_create_filter(
+				this->responses->create_enumerator(this->responses),
+				(void*)filter, NULL, NULL);
+}
+
+/**
  * ASN.1 definition of singleResponse
  */
 static const asn1Object_t singleResponseObjects[] = {
@@ -828,6 +865,7 @@ static x509_ocsp_response_t *load(chunk_t blob)
 				},
 				.get_status = _get_status,
 				.create_cert_enumerator = _create_cert_enumerator,
+				.create_response_enumerator = _create_response_enumerator,
 			},
 		},
 		.ref = 1,
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 6c9901e6c..6f69fb100 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
index 5b94208bf..b7628501a 100644
--- a/src/libstrongswan/processing/watcher.c
+++ b/src/libstrongswan/processing/watcher.c
@@ -345,6 +345,13 @@ static job_requeue_t watch(private_watcher_t *this)
 		old = thread_cancelability(TRUE);
 
 		res = poll(pfd, count, -1);
+		if (res == -1 && errno == EINTR)
+		{
+			/* LinuxThreads interrupts poll(), but does not make it a
+			 * cancellation point. Manually test if we got cancelled. */
+			thread_cancellation_point();
+		}
+
 		thread_cancelability(old);
 		thread_cleanup_pop(FALSE);
 
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index d86584ad1..b2d456035 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -44,6 +44,7 @@ tests_SOURCES = tests.h tests.c \
   suites/test_certpolicy.c \
   suites/test_certnames.c \
   suites/test_host.c \
+  suites/test_auth_cfg.c \
   suites/test_hasher.c \
   suites/test_crypter.c \
   suites/test_crypto_factory.c \
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index 13fd4cc25..0a0f5893d 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -140,6 +140,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \
 	suites/tests-test_certpolicy.$(OBJEXT) \
 	suites/tests-test_certnames.$(OBJEXT) \
 	suites/tests-test_host.$(OBJEXT) \
+	suites/tests-test_auth_cfg.$(OBJEXT) \
 	suites/tests-test_hasher.$(OBJEXT) \
 	suites/tests-test_crypter.$(OBJEXT) \
 	suites/tests-test_crypto_factory.$(OBJEXT) \
@@ -452,6 +453,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -505,6 +508,7 @@ tests_SOURCES = tests.h tests.c \
   suites/test_certpolicy.c \
   suites/test_certnames.c \
   suites/test_host.c \
+  suites/test_auth_cfg.c \
   suites/test_hasher.c \
   suites/test_crypter.c \
   suites/test_crypto_factory.c \
@@ -648,6 +652,8 @@ suites/tests-test_certnames.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_host.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_auth_cfg.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_hasher.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_crypter.$(OBJEXT): suites/$(am__dirstamp) \
@@ -690,6 +696,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_array.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1_parser.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_auth_cfg.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_reader.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_writer.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certnames.Po@am__quote@
@@ -1119,6 +1126,20 @@ suites/tests-test_host.obj: suites/test_host.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi`
 
+suites/tests-test_auth_cfg.o: suites/test_auth_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_auth_cfg.o -MD -MP -MF suites/$(DEPDIR)/tests-test_auth_cfg.Tpo -c -o suites/tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_auth_cfg.Tpo suites/$(DEPDIR)/tests-test_auth_cfg.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/tests-test_auth_cfg.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c
+
+suites/tests-test_auth_cfg.obj: suites/test_auth_cfg.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_auth_cfg.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_auth_cfg.Tpo -c -o suites/tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_auth_cfg.Tpo suites/$(DEPDIR)/tests-test_auth_cfg.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/tests-test_auth_cfg.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi`
+
 suites/tests-test_hasher.o: suites/test_hasher.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po
diff --git a/src/libstrongswan/tests/suites/test_array.c b/src/libstrongswan/tests/suites/test_array.c
index ba2aff460..eda72e10a 100644
--- a/src/libstrongswan/tests/suites/test_array.c
+++ b/src/libstrongswan/tests/suites/test_array.c
@@ -491,6 +491,44 @@ START_TEST(test_invoke_offset)
 }
 END_TEST
 
+START_TEST(test_insert_create)
+{
+	array_t *array = NULL;
+	uintptr_t x;
+
+	array_insert_create(&array, ARRAY_TAIL, (void*)(uintptr_t)1);
+	array_insert_create(&array, ARRAY_TAIL, (void*)(uintptr_t)2);
+	ck_assert(array != NULL);
+
+	ck_assert(array_get(array, ARRAY_HEAD, &x));
+	ck_assert_int_eq(x, 1);
+	ck_assert(array_get(array, ARRAY_TAIL, &x));
+	ck_assert_int_eq(x, 2);
+
+	array_destroy(array);
+}
+END_TEST
+
+START_TEST(test_insert_create_value)
+{
+	array_t *array = NULL;
+	u_int16_t v;
+
+	v = 1;
+	array_insert_create_value(&array, sizeof(v), ARRAY_TAIL, &v);
+	v = 2;
+	array_insert_create_value(&array, sizeof(v), ARRAY_TAIL, &v);
+	ck_assert(array != NULL);
+
+	ck_assert(array_get(array, ARRAY_HEAD, &v));
+	ck_assert_int_eq(v, 1);
+	ck_assert(array_get(array, ARRAY_TAIL, &v));
+	ck_assert_int_eq(v, 2);
+
+	array_destroy(array);
+}
+END_TEST
+
 Suite *array_suite_create()
 {
 	Suite *s;
@@ -528,5 +566,10 @@ Suite *array_suite_create()
 	tcase_add_test(tc, test_invoke_offset);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("insert create");
+	tcase_add_test(tc, test_insert_create);
+	tcase_add_test(tc, test_insert_create_value);
+	suite_add_tcase(s, tc);
+
 	return s;
 }
diff --git a/src/libstrongswan/tests/suites/test_auth_cfg.c b/src/libstrongswan/tests/suites/test_auth_cfg.c
new file mode 100644
index 000000000..e046725b8
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_auth_cfg.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <credentials/auth_cfg.h>
+
+struct {
+	char *constraints;
+	signature_scheme_t sig[5];
+	signature_scheme_t ike[5];
+} sig_constraints_tests[] = {
+	{ "rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, {0}},
+	{ "rsa-sha256-sha512", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA512, 0 }, {0}},
+	{ "ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "rsa-sha256-ecdsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "pubkey-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, {0}},
+	{ "ike:rsa-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
+	{ "ike:rsa-sha256-rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
+	{ "rsa-sha256-ike:rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }},
+	{ "ike:pubkey-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }},
+	{ "rsa-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "rsa-4096-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "rsa-4096-ecdsa-256-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}},
+	{ "rsa-ecdsa256-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, {0}},
+	{ "rsa4096-sha256", {0}, {0}},
+	{ "sha256", {0}, {0}},
+	{ "ike:sha256", {0}, {0}},
+};
+
+static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type,
+								  signature_scheme_t expected[])
+{
+	enumerator_t *enumerator;
+	auth_rule_t t;
+	void *value;
+	int i = 0;
+
+	enumerator = cfg->create_enumerator(cfg);
+	while (enumerator->enumerate(enumerator, &t, &value))
+	{
+		if (t == type)
+		{
+			ck_assert(expected[i]);
+			ck_assert_int_eq(expected[i], (signature_scheme_t)value);
+			i++;
+		}
+	}
+	enumerator->destroy(enumerator);
+	ck_assert(!expected[i]);
+}
+
+START_TEST(test_sig_contraints)
+{
+	auth_cfg_t *cfg;
+	signature_scheme_t none[] = {0};
+
+	cfg = auth_cfg_create();
+	cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, FALSE);
+	check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+	check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, none);
+	cfg->destroy(cfg);
+
+	lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints",
+							FALSE, lib->ns);
+
+	cfg = auth_cfg_create();
+	cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE);
+	check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+	check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike);
+	cfg->destroy(cfg);
+}
+END_TEST
+
+START_TEST(test_ike_contraints_fallback)
+{
+	auth_cfg_t *cfg;
+
+	lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints",
+							TRUE, lib->ns);
+
+	cfg = auth_cfg_create();
+	cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE);
+	check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+	if (sig_constraints_tests[_i].ike[0])
+	{
+		check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike);
+	}
+	else
+	{
+		check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig);
+	}
+	cfg->destroy(cfg);
+}
+END_TEST
+
+Suite *auth_cfg_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("auth_cfg");
+
+	tc = tcase_create("add_pubkey_constraints");
+	tcase_add_loop_test(tc, test_sig_contraints, 0, countof(sig_constraints_tests));
+	tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
index 9554d2919..c0a21fe34 100644
--- a/src/libstrongswan/tests/suites/test_identification.c
+++ b/src/libstrongswan/tests/suites/test_identification.c
@@ -1,7 +1,8 @@
 /*
  * Copyright (C) 2013-2015 Tobias Brunner
+ * Copyright (C) 2016 Andreas Steffen
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -122,67 +123,122 @@ static struct {
 		} data;
 	} result;
 } string_data[] = {
-	{NULL,						ID_ANY,			{ .type = ENC_CHUNK }},
-	{"",						ID_ANY,			{ .type = ENC_CHUNK }},
-	{"%any",					ID_ANY,			{ .type = ENC_CHUNK }},
-	{"%any6",					ID_ANY,			{ .type = ENC_CHUNK }},
-	{"0.0.0.0",					ID_ANY,			{ .type = ENC_CHUNK }},
-	{"0::0",					ID_ANY,			{ .type = ENC_CHUNK }},
-	{"::",						ID_ANY,			{ .type = ENC_CHUNK }},
-	{"*",						ID_ANY,			{ .type = ENC_CHUNK }},
-	{"any",						ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"any6",					ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"0",						ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"**",						ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"192.168.1.1",				ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+	{NULL,						ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"",						ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"%any",					ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"%any6",					ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"0.0.0.0",					ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"0::0",					ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"::",						ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"*",						ID_ANY,					{ .type = ENC_CHUNK  }},
+	{"any",						ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"any6",					ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"0",						ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"**",						ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"192.168.1.1",				ID_IPV4_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
-	{"192.168.",				ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{".",						ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"fec0::1",					ID_IPV6_ADDR,	{ .type = ENC_CHUNK,
+	{"192.168.",				ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{".",						ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"192.168.1.1/33",			ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"192.168.1.1/32",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01,0xff,0xff,0xff,0xff)  }},
+	{"192.168.1.1/31",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0xfe)  }},
+	{"192.168.1.8/30",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x08,0xff,0xff,0xff,0xfc)  }},
+	{"192.168.1.128/25",		ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x80,0xff,0xff,0xff,0x80)  }},
+	{"192.168.1.0/24",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0x00)  }},
+	{"192.168.1.0/23",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x00,0x00,0xff,0xff,0xfe,0x00)  }},
+	{"192.168.4.0/22",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x04,0x00,0xff,0xff,0xfc,0x00)  }},
+	{"0.0.0.0/0",				ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)  }},
+	{"192.168.1.0-192.168.1.40",ID_IPV4_ADDR_RANGE,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xc0,0xa8,0x01,0x28)  }},
+	{"0.0.0.0-255.255.255.255",	ID_IPV4_ADDR_RANGE,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff)  }},
+	{"192.168.1.40-192.168.1.0",ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"fec0::1",					ID_IPV6_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
-								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }},
-	{"fec0::",					ID_IPV6_ADDR,	{ .type = ENC_CHUNK,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01)  }},
+	{"fec0::",					ID_IPV6_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
-								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
-	{"fec0:",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{":",						ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{"alice@strongswan.org",	ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
-	{"alice@strongswan",		ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
-	{"alice@",					ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
-	{"alice",					ID_FQDN,		{ .type = ENC_SIMPLE }},
-	{"@",						ID_FQDN,		{ .type = ENC_CHUNK }},
-	{" @",						ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
-	{"@strongswan.org",			ID_FQDN,		{ .type = ENC_STRING,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)  }},
+	{"fec0:",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{":",						ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"fec0::1/129",				ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"fec0::1/128",				ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff ) }},
+	{"fec0::1/127",				ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe ) }},
+	{"fec0::4/126",				ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfc ) }},
+	{"fec0::100/120",			ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00 ) }},
+	{"::/0",					ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ) }},
+	{"fec0::1-fec0::4fff",		ID_IPV6_ADDR_RANGE,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
+								   0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff ) }},
+	{"fec0::4fff-fec0::1",		ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"fec0::1-",				ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"alice@strongswan.org",	ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"alice@strongswan",		ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"alice@",					ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"alice",					ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"@",						ID_FQDN,				{ .type = ENC_CHUNK }},
+	{" @",						ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"@strongswan.org",			ID_FQDN,				{ .type = ENC_STRING,
 		.data.s = "strongswan.org" }},
-	{"@#deadbeef",				ID_KEY_ID,		{ .type = ENC_CHUNK,
+	{"@#deadbeef",				ID_KEY_ID,				{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }},
-	{"@#deadbee",				ID_KEY_ID,		{ .type = ENC_CHUNK,
+	{"@#deadbee",				ID_KEY_ID,				{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }},
-	{"foo=bar",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{"foo=",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{"=bar",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{"C=",						ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"foo=bar",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"foo=",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"=bar",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"C=",						ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x00) }},
-	{"C=CH",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"C=CH",					ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
-	{"C=CH,",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"C=CH,",					ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
-	{"C=CH, ",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"C=CH, ",					ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
-	{"C=CH, O",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
-	{"IPv4:#c0a80101",			ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+	{"C=CH, O",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"IPv4:#c0a80101",			ID_IPV4_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
-	{ "email:tester",			ID_RFC822_ADDR,	{ .type = ENC_STRING,
+	{ "email:tester",			ID_RFC822_ADDR,			{ .type = ENC_STRING,
 		.data.s = "tester" }},
-	{ "{1}:#c0a80101",			ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+	{ "{1}:#c0a80101",			ID_IPV4_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
-	{ "{0x02}:tester",			ID_FQDN,		{ .type = ENC_STRING,
+	{ "{0x02}:tester",			ID_FQDN,				{ .type = ENC_STRING,
 		.data.s = "tester" }},
-	{ "{99}:somedata",			99,				{ .type = ENC_STRING,
+	{ "{99}:somedata",			99,						{ .type = ENC_STRING,
 		.data.s = "somedata" }},
 };
 
@@ -264,14 +320,33 @@ START_TEST(test_printf_hook)
 
 	string_equals("192.168.1.1", "192.168.1.1");
 	string_equals_id("(invalid ID_IPV4_ADDR)",
-				identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
+			identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
+	string_equals("192.168.1.1/32", "192.168.1.1/32");
+	string_equals("192.168.1.2/31", "192.168.1.2/31");
+	string_equals("192.168.1.0/24", "192.168.1.0/24");
+	string_equals("192.168.2.0/23", "192.168.2.0/23");
+	string_equals("0.0.0.0/0", "0.0.0.0/0");
+	string_equals_id("(invalid ID_IPV4_ADDR_SUBNET)",
+			identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty));
+	string_equals("192.168.1.1-192.168.1.254", "192.168.1.1-192.168.1.254");
+	string_equals("0.0.0.0-255.255.255.255", "0.0.0.0-255.255.255.255");
+	string_equals_id("(invalid ID_IPV4_ADDR_RANGE)",
+			identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty));
 	string_equals("fec0::1", "fec0::1");
 	string_equals("fec0::1", "fec0:0:0::1");
 	string_equals_id("(invalid ID_IPV6_ADDR)",
-				identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
-
+			identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
+	string_equals("fec0::1/128", "fec0::1/128");
+	string_equals("fec0::2/127", "fec0::2/127");
+	string_equals("fec0::100/120", "fec0::100/120");
+	string_equals("::/0", "::/0");
+	string_equals_id("(invalid ID_IPV6_ADDR_SUBNET)",
+			identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty));
+	string_equals("fec0::1-fec0::4fff", "fec0::1-fec0::4fff");
+	string_equals_id("(invalid ID_IPV6_ADDR_RANGE)",
+			identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty));
 	string_equals_id("(unknown ID type: 255)",
-				identification_create_from_encoding(255, chunk_empty));
+			identification_create_from_encoding(255, chunk_empty));
 
 	string_equals("moon@strongswan.org", "moon@strongswan.org");
 	string_equals("MOON@STRONGSWAN.ORG", "MOON@STRONGSWAN.ORG");
@@ -324,11 +399,11 @@ START_TEST(test_printf_hook)
 	string_equals("C=CH, E=moon@strongswan.org, CN=moon",
 				  "C=CH, emailAddress=moon@strongswan.org, CN=moon");
 
-	/* C=CH, pseudonym=ANO (pseudonym is currently not recognized) */
-	string_equals_id("C=CH, 55:04:41=ANO", identification_create_from_encoding(ID_DER_ASN1_DN,
+	/* C=CH, telexNumber=123 (telexNumber is currently not recognized) */
+	string_equals_id("C=CH, 55:04:15=123", identification_create_from_encoding(ID_DER_ASN1_DN,
 		chunk_from_chars(0x30, 0x19, 0x31, 0x17, 0x30, 0x09, 0x06, 0x03, 0x55,
 						 0x04, 0x06, 0x13, 0x02, 0x43, 0x48, 0x30, 0x0a, 0x06,
-						 0x03, 0x55, 0x04, 0x41, 0x13, 0x03, 0x41, 0x4e, 0x4f)));
+						 0x03, 0x55, 0x04, 0x15, 0x13, 0x03, 0x31, 0x32, 0x33)));
 	/* C=CH, O=strongSwan (but instead of a 2nd OID -0x06- we got NULL -0x05) */
 	string_equals_id("C=CH, (invalid ID_DER_ASN1_DN)", identification_create_from_encoding(ID_DER_ASN1_DN,
 		chunk_from_chars(0x30, 0x20, 0x31, 0x1e, 0x30, 0x09, 0x06, 0x03, 0x55,
@@ -595,6 +670,89 @@ START_TEST(test_matches_binary)
 }
 END_TEST
 
+START_TEST(test_matches_range)
+{
+	identification_t *a, *b;
+
+	/* IPv4 addresses */
+	a = identification_create_from_string("192.168.1.1");
+	ck_assert(a->get_type(a) == ID_IPV4_ADDR);
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_MAX_WILDCARDS));
+	ck_assert(id_matches(a, "192.168.1.1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "192.168.1.2", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.1.1/32", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "192.168.1.0/32", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.1.0/24", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "192.168.0.0/24", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.1.1-192.168.1.1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "192.168.1.0-192.168.1.64", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "192.168.1.2-192.168.1.64", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.0.240-192.168.1.0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
+
+	/* Malformed IPv4 subnet and range encoding */
+	b = identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE,
+			chunk_from_chars(0xc0,0xa8,0x01,0x28,0xc0,0xa8,0x01,0x00));
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+
+	a->destroy(a);
+
+	/* IPv6 addresses */
+	a = identification_create_from_string("fec0::1");
+	ck_assert(a->get_type(a) == ID_IPV6_ADDR);
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "::/0", ID_MATCH_MAX_WILDCARDS));
+	ck_assert(id_matches(a, "fec0::1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "fec0::2", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "fec0::1/128", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "fec0::/128", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "fec0::/120", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "fec0::100/120", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "fec0::1-fec0::1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "fec0::0-fec0::5", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "fec0::4001-fec0::4ffe", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "feb0::1-fec0::0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
+
+	/* Malformed IPv6 subnet and range encoding */
+	b = identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE,
+			chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+							 0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff,
+							 0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+							 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01 ));
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+
+	a->destroy(a);
+
+	/* Malformed IPv4 address encoding */
+	a = identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty);
+	ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "0.0.0.0-255.255.255.255", ID_MATCH_NONE));
+	a->destroy(a);
+
+	/* Malformed IPv6 address encoding */
+	a = identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty);
+	ck_assert(id_matches(a, "::/0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", ID_MATCH_NONE));
+	a->destroy(a);
+}
+END_TEST
+
 START_TEST(test_matches_string)
 {
 	identification_t *a;
@@ -929,6 +1087,7 @@ Suite *identification_suite_create()
 	tcase_add_test(tc, test_matches);
 	tcase_add_test(tc, test_matches_any);
 	tcase_add_test(tc, test_matches_binary);
+	tcase_add_test(tc, test_matches_range);
 	tcase_add_test(tc, test_matches_string);
 	tcase_add_loop_test(tc, test_matches_empty, ID_ANY, ID_KEY_ID + 1);
 	tcase_add_loop_test(tc, test_matches_empty_reverse, ID_ANY, ID_KEY_ID + 1);
diff --git a/src/libstrongswan/tests/suites/test_linked_list.c b/src/libstrongswan/tests/suites/test_linked_list.c
index 922f954e3..7a161817c 100644
--- a/src/libstrongswan/tests/suites/test_linked_list.c
+++ b/src/libstrongswan/tests/suites/test_linked_list.c
@@ -348,6 +348,91 @@ START_TEST(test_clone_offset)
 }
 END_TEST
 
+
+/*******************************************************************************
+ * equals
+ */
+
+typedef struct equals_t equals_t;
+
+struct equals_t {
+	int val;
+	bool (*equals)(equals_t *a, equals_t *b);
+};
+
+static bool equalsfn(equals_t *a, equals_t *b)
+{
+	return a->val == b->val;
+}
+
+START_TEST(test_equals_offset)
+{
+	linked_list_t *other;
+	equals_t *x, items[] = {
+		{ .val = 1, .equals = equalsfn, },
+		{ .val = 2, .equals = equalsfn, },
+		{ .val = 3, .equals = equalsfn, },
+		{ .val = 4, .equals = equalsfn, },
+		{ .val = 5, .equals = equalsfn, },
+	};
+	int i;
+
+	for (i = 0; i < countof(items); i++)
+	{
+		list->insert_last(list, &items[i]);
+	}
+	ck_assert(list->equals_offset(list, list, offsetof(equals_t, equals)));
+	other = linked_list_create_from_enumerator(list->create_enumerator(list));
+	ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals)));
+	other->remove_last(other, (void**)&x);
+	ck_assert(!list->equals_offset(list, other, offsetof(equals_t, equals)));
+	list->remove_last(list, (void**)&x);
+	ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals)));
+	other->remove_first(other, (void**)&x);
+	ck_assert(!list->equals_offset(list, other, offsetof(equals_t, equals)));
+	list->remove_first(list, (void**)&x);
+	ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals)));
+	while (list->remove_first(list, (void**)&x) == SUCCESS);
+	while (other->remove_first(other, (void**)&x) == SUCCESS);
+	ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals)));
+	other->destroy(other);
+}
+END_TEST
+
+START_TEST(test_equals_function)
+{
+	linked_list_t *other;
+	equals_t *x, items[] = {
+		{ .val = 1, },
+		{ .val = 2, },
+		{ .val = 3, },
+		{ .val = 4, },
+		{ .val = 5, },
+	};
+	int i;
+
+	for (i = 0; i < countof(items); i++)
+	{
+		list->insert_last(list, &items[i]);
+	}
+	ck_assert(list->equals_function(list, list, (void*)equalsfn));
+	other = linked_list_create_from_enumerator(list->create_enumerator(list));
+	ck_assert(list->equals_function(list, other, (void*)equalsfn));
+	other->remove_last(other, (void**)&x);
+	ck_assert(!list->equals_function(list, other, (void*)equalsfn));
+	list->remove_last(list, (void**)&x);
+	ck_assert(list->equals_function(list, other, (void*)equalsfn));
+	other->remove_first(other, (void**)&x);
+	ck_assert(!list->equals_function(list, other, (void*)equalsfn));
+	list->remove_first(list, (void**)&x);
+	ck_assert(list->equals_function(list, other, (void*)equalsfn));
+	while (list->remove_first(list, (void**)&x) == SUCCESS);
+	while (other->remove_first(other, (void**)&x) == SUCCESS);
+	ck_assert(list->equals_function(list, other, (void*)equalsfn));
+	other->destroy(other);
+}
+END_TEST
+
 Suite *linked_list_suite_create()
 {
 	Suite *s;
@@ -386,5 +471,11 @@ Suite *linked_list_suite_create()
 	tcase_add_test(tc, test_clone_offset);
 	suite_add_tcase(s, tc);
 
+	tc = tcase_create("equals");
+	tcase_add_checked_fixture(tc, setup_list, teardown_list);
+	tcase_add_test(tc, test_equals_offset);
+	tcase_add_test(tc, test_equals_function);
+	suite_add_tcase(s, tc);
+
 	return s;
 }
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index e1074b931..824c88022 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -37,6 +37,7 @@ TEST_SUITE_DEPEND(certpolicy_suite_create, CERT_ENCODE, CERT_X509)
 TEST_SUITE_DEPEND(certnames_suite_create, CERT_ENCODE, CERT_X509)
 TEST_SUITE(host_suite_create)
 TEST_SUITE(printf_suite_create)
+TEST_SUITE(auth_cfg_suite_create)
 TEST_SUITE(hasher_suite_create)
 TEST_SUITE(crypter_suite_create)
 TEST_SUITE(crypto_factory_suite_create)
diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c
index 7a243e826..3d87e7fca 100644
--- a/src/libstrongswan/threading/thread.c
+++ b/src/libstrongswan/threading/thread.c
@@ -48,7 +48,7 @@ struct private_thread_t {
 	thread_t public;
 
 	/**
-	 * Human-readable ID of this thread.
+	 * Identificator of this thread (human-readable/thread ID).
 	 */
 	u_int id;
 
@@ -157,6 +157,23 @@ static void thread_destroy(private_thread_t *this)
 	free(this);
 }
 
+/**
+ * Determine the ID of the current thread
+ */
+static u_int get_thread_id()
+{
+	u_int id;
+
+#if defined(USE_THREAD_IDS) && defined(HAVE_GETTID)
+	id = gettid();
+#else
+	id_mutex->lock(id_mutex);
+	id = next_id++;
+	id_mutex->unlock(id_mutex);
+#endif
+	return id;
+}
+
 METHOD(thread_t, cancel, void,
 	private_thread_t *this)
 {
@@ -284,6 +301,8 @@ static void *thread_main(private_thread_t *this)
 {
 	void *res;
 
+	this->id = get_thread_id();
+
 	current_thread->set(current_thread, this);
 	pthread_cleanup_push((thread_cleanup_t)thread_cleanup, this);
 
@@ -315,9 +334,6 @@ thread_t *thread_create(thread_main_t main, void *arg)
 
 	this->main = main;
 	this->arg = arg;
-	id_mutex->lock(id_mutex);
-	this->id = next_id++;
-	id_mutex->unlock(id_mutex);
 
 	if (pthread_create(&this->thread_id, NULL, (void*)thread_main, this) != 0)
 	{
@@ -341,11 +357,7 @@ thread_t *thread_current()
 	if (!this)
 	{
 		this = thread_create_internal();
-
-		id_mutex->lock(id_mutex);
-		this->id = next_id++;
-		id_mutex->unlock(id_mutex);
-
+		this->id = get_thread_id();
 		current_thread->set(current_thread, (void*)this);
 	}
 	return &this->public;
@@ -475,12 +487,12 @@ void threads_init()
 
 	dummy1 = thread_value_create(NULL);
 
-	next_id = 1;
-	main_thread->id = 0;
+	next_id = 0;
 	main_thread->thread_id = pthread_self();
 	current_thread = thread_value_create(NULL);
 	current_thread->set(current_thread, (void*)main_thread);
 	id_mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	main_thread->id = get_thread_id();
 
 #ifndef HAVE_PTHREAD_CANCEL
 	{	/* install a signal handler for our custom SIG_CANCEL */
diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h
index c24772839..35da24459 100644
--- a/src/libstrongswan/threading/thread.h
+++ b/src/libstrongswan/threading/thread.h
@@ -97,11 +97,13 @@ thread_t *thread_create(thread_main_t main, void *arg);
 thread_t *thread_current();
 
 /**
- * Get the human-readable ID of the current thread.
+ * Get the ID of the current thread.
  *
- * The IDs are assigned incrementally starting from 1.
+ * Depending on the build configuration thread IDs are either assigned
+ * incrementally starting from 1, or equal the value returned by an appropriate
+ * syscall (like gettid() or GetCurrentThreadId()), if available.
  *
- * @return				human-readable ID
+ * @return				ID of the current thread
  */
 u_int thread_current_id();
 
diff --git a/src/libstrongswan/threading/windows/thread.c b/src/libstrongswan/threading/windows/thread.c
index 610524722..798d75be7 100644
--- a/src/libstrongswan/threading/windows/thread.c
+++ b/src/libstrongswan/threading/windows/thread.c
@@ -516,7 +516,11 @@ thread_t *thread_current()
  */
 u_int thread_current_id()
 {
+#ifdef USE_THREAD_IDS
+	return get_current_thread()->id;
+#else
 	return get_current_thread()->tid;
+#endif
 }
 
 /**
diff --git a/src/libstrongswan/utils/compat/windows.c b/src/libstrongswan/utils/compat/windows.c
index 1f22ffa02..12ee59916 100644
--- a/src/libstrongswan/utils/compat/windows.c
+++ b/src/libstrongswan/utils/compat/windows.c
@@ -82,7 +82,6 @@ static void* dlsym_default(const char *name)
 {
 	const char *dlls[] = {
 		"libstrongswan-0.dll",
-		"libhydra-0.dll",
 		"libcharon-0.dll",
 		"libtnccs-0.dll",
 		NULL /* .exe */
diff --git a/src/libstrongswan/utils/debug.c b/src/libstrongswan/utils/debug.c
index e8c9e6b98..8a80b81a2 100644
--- a/src/libstrongswan/utils/debug.c
+++ b/src/libstrongswan/utils/debug.c
@@ -17,7 +17,7 @@
 
 #include "debug.h"
 
-ENUM(debug_names, DBG_DMN, DBG_LIB,
+ENUM(debug_names, DBG_DMN, DBG_ANY,
 	"DMN",
 	"MGR",
 	"IKE",
@@ -36,9 +36,10 @@ ENUM(debug_names, DBG_DMN, DBG_LIB,
 	"APP",
 	"ESP",
 	"LIB",
+	"ANY",
 );
 
-ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
+ENUM(debug_lower_names, DBG_DMN, DBG_ANY,
 	"dmn",
 	"mgr",
 	"ike",
@@ -57,6 +58,7 @@ ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
 	"app",
 	"esp",
 	"lib",
+	"any",
 );
 
 /**
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index da23d143c..2b2e907f0 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -1,8 +1,9 @@
 /*
+ * Copyright (C) 2016 Andreas Steffen
  * Copyright (C) 2009-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -79,6 +80,7 @@ static const x501rdn_t x501rdns[] = {
 	{"G", 					OID_GIVEN_NAME,				ASN1_PRINTABLESTRING},
 	{"I", 					OID_INITIALS,				ASN1_PRINTABLESTRING},
 	{"dnQualifier", 		OID_DN_QUALIFIER,			ASN1_PRINTABLESTRING},
+	{"pseudonym", 			OID_PSEUDONYM,				ASN1_PRINTABLESTRING},
 	{"ID", 					OID_UNIQUE_IDENTIFIER,		ASN1_PRINTABLESTRING},
 	{"EN", 					OID_EMPLOYEE_NUMBER,		ASN1_PRINTABLESTRING},
 	{"employeeNumber",		OID_EMPLOYEE_NUMBER,		ASN1_PRINTABLESTRING},
@@ -218,6 +220,7 @@ METHOD(enumerator_t, rdn_part_enumerate, bool,
 		{OID_GIVEN_NAME,		ID_PART_RDN_G},
 		{OID_INITIALS,			ID_PART_RDN_I},
 		{OID_DN_QUALIFIER,		ID_PART_RDN_DNQ},
+		{OID_PSEUDONYM,			ID_PART_RDN_PN},
 		{OID_UNIQUE_IDENTIFIER,	ID_PART_RDN_ID},
 		{OID_EMAIL_ADDRESS,		ID_PART_RDN_E},
 		{OID_EMPLOYEE_NUMBER,	ID_PART_RDN_EN},
@@ -822,6 +825,154 @@ METHOD(identification_t, matches_dn, id_match_t,
 }
 
 /**
+ * Transform netmask to CIDR bits
+ */
+static int netmask_to_cidr(char *netmask, size_t address_size)
+{
+	uint8_t byte;
+	int i, netbits = 0;
+
+	for (i = 0; i < address_size; i++)
+	{
+		byte = netmask[i];
+
+		if (byte == 0x00)
+		{
+			break;
+		}
+		if (byte == 0xff)
+		{
+			netbits += 8;
+		}
+		else
+		{
+			while (byte & 0x80)
+			{
+				netbits++;
+				byte <<= 1;
+			}
+		}
+	}
+	return netbits;
+}
+
+METHOD(identification_t, matches_range, id_match_t,
+	private_identification_t *this, identification_t *other)
+{
+	chunk_t other_encoding;
+	uint8_t *address, *from, *to, *network, *netmask;
+	size_t address_size = 0;
+	int netbits, range_sign, i;
+
+	if (other->get_type(other) == ID_ANY)
+	{
+		return ID_MATCH_ANY;
+	}
+	if (this->type == other->get_type(other) &&
+		chunk_equals(this->encoded, other->get_encoding(other)))
+	{
+		return ID_MATCH_PERFECT;
+	}
+	if ((this->type == ID_IPV4_ADDR &&
+		 other->get_type(other) == ID_IPV4_ADDR_SUBNET))
+	{
+		address_size = sizeof(struct in_addr);
+	}
+	else if ((this->type == ID_IPV6_ADDR &&
+		 other->get_type(other) == ID_IPV6_ADDR_SUBNET))
+	{
+		address_size = sizeof(struct in6_addr);
+	}
+	if (address_size)
+	{
+		other_encoding = other->get_encoding(other);
+		if (this->encoded.len != address_size ||
+			other_encoding.len != 2 * address_size)
+		{
+			return ID_MATCH_NONE;
+		}
+		address = this->encoded.ptr;
+		network = other_encoding.ptr;
+		netmask = other_encoding.ptr + address_size;
+		netbits = netmask_to_cidr(netmask, address_size);
+
+		if (netbits == 0)
+		{
+			return ID_MATCH_MAX_WILDCARDS;
+		}
+		if (netbits == 8 * address_size)
+		{
+			return memeq(address, network, address_size) ?
+				   ID_MATCH_PERFECT : ID_MATCH_NONE;
+		}
+		for (i = 0; i < (netbits + 7)/8; i++)
+		{
+			if ((address[i] ^ network[i]) & netmask[i])
+			{
+				return ID_MATCH_NONE;
+			}
+		}
+		return ID_MATCH_ONE_WILDCARD;
+	}
+	if ((this->type == ID_IPV4_ADDR &&
+		 other->get_type(other) == ID_IPV4_ADDR_RANGE))
+	{
+		address_size = sizeof(struct in_addr);
+	}
+	else if ((this->type == ID_IPV6_ADDR &&
+		 other->get_type(other) == ID_IPV6_ADDR_RANGE))
+	{
+		address_size = sizeof(struct in6_addr);
+	}
+	if (address_size)
+	{
+		other_encoding = other->get_encoding(other);
+		if (this->encoded.len != address_size ||
+			other_encoding.len != 2 * address_size)
+		{
+			return ID_MATCH_NONE;
+		}
+		address = this->encoded.ptr;
+		from = other_encoding.ptr;
+		to = other_encoding.ptr + address_size;
+
+		range_sign = memcmp(to, from, address_size);
+		if (range_sign < 0)
+		{	/* to is smaller than from */
+			return ID_MATCH_NONE;
+		}
+
+		/* check lower bound */
+		for (i = 0; i < address_size; i++)
+		{
+			if (address[i] != from[i])
+			{
+				if (address[i] < from[i])
+				{
+					return ID_MATCH_NONE;
+				}
+				break;
+			}
+		}
+
+		/* check upper bound */
+		for (i = 0; i < address_size; i++)
+		{
+			if (address[i] != to[i])
+			{
+				if (address[i] > to[i])
+				{
+					return ID_MATCH_NONE;
+				}
+				break;
+			}
+		}
+		return range_sign ? ID_MATCH_ONE_WILDCARD : ID_MATCH_PERFECT;
+	}
+	return ID_MATCH_NONE;
+}
+
+/**
  * Described in header.
  */
 int identification_printf_hook(printf_hook_data_t *data,
@@ -829,7 +980,9 @@ int identification_printf_hook(printf_hook_data_t *data,
 {
 	private_identification_t *this = *((private_identification_t**)(args[0]));
 	chunk_t proper;
-	char buf[512];
+	char buf[BUF_LEN], *pos;
+	size_t len, address_size;
+	int written;
 
 	if (this == NULL)
 	{
@@ -839,49 +992,115 @@ int identification_printf_hook(printf_hook_data_t *data,
 	switch (this->type)
 	{
 		case ID_ANY:
-			snprintf(buf, sizeof(buf), "%%any");
+			snprintf(buf, BUF_LEN, "%%any");
 			break;
 		case ID_IPV4_ADDR:
 			if (this->encoded.len < sizeof(struct in_addr) ||
-				inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL)
+				inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
 			{
-				snprintf(buf, sizeof(buf), "(invalid ID_IPV4_ADDR)");
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR)");
+			}
+			break;
+		case ID_IPV4_ADDR_SUBNET:
+			address_size = sizeof(struct in_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_SUBNET)");
+				break;
+			}
+			written = strlen(buf);
+			snprintf(buf + written, BUF_LEN - written, "/%d",
+					 netmask_to_cidr(this->encoded.ptr + address_size,
+														 address_size));
+			break;
+		case ID_IPV4_ADDR_RANGE:
+			address_size = sizeof(struct in_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)");
+				break;
+			}
+			written = strlen(buf);
+			pos = buf + written;
+			len = BUF_LEN - written;
+			written = snprintf(pos, len, "-");
+			if (written < 0 || written >= len ||
+			    inet_ntop(AF_INET, this->encoded.ptr + address_size,
+						  pos + written, len - written) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)");
 			}
 			break;
 		case ID_IPV6_ADDR:
 			if (this->encoded.len < sizeof(struct in6_addr) ||
-				inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL)
+				inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR)");
+			}
+			break;
+		case ID_IPV6_ADDR_SUBNET:
+			address_size = sizeof(struct in6_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_SUBNET)");
+			}
+			else
 			{
-				snprintf(buf, sizeof(buf), "(invalid ID_IPV6_ADDR)");
+				written = strlen(buf);
+				snprintf(buf + written, BUF_LEN - written, "/%d",
+						 netmask_to_cidr(this->encoded.ptr + address_size,
+															 address_size));
+			}
+			break;
+		case ID_IPV6_ADDR_RANGE:
+			address_size = sizeof(struct in6_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)");
+				break;
+			}
+			written = strlen(buf);
+			pos = buf + written;
+			len = BUF_LEN - written;
+			written = snprintf(pos, len, "-");
+			if (written < 0 || written >= len ||
+			    inet_ntop(AF_INET6, this->encoded.ptr + address_size,
+						  pos + written, len - written) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)");
 			}
 			break;
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
 		case ID_DER_ASN1_GN_URI:
 			chunk_printable(this->encoded, &proper, '?');
-			snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
+			snprintf(buf, BUF_LEN, "%.*s", (int)proper.len, proper.ptr);
 			chunk_free(&proper);
 			break;
 		case ID_DER_ASN1_DN:
-			dntoa(this->encoded, buf, sizeof(buf));
+			dntoa(this->encoded, buf, BUF_LEN);
 			break;
 		case ID_DER_ASN1_GN:
-			snprintf(buf, sizeof(buf), "(ASN.1 general name)");
+			snprintf(buf, BUF_LEN, "(ASN.1 general name)");
 			break;
 		case ID_KEY_ID:
 			if (chunk_printable(this->encoded, NULL, '?') &&
 				this->encoded.len != HASH_SIZE_SHA1)
 			{	/* fully printable, use ascii version */
-				snprintf(buf, sizeof(buf), "%.*s", (int)this->encoded.len,
+				snprintf(buf, BUF_LEN, "%.*s", (int)this->encoded.len,
 						 this->encoded.ptr);
 			}
 			else
 			{	/* not printable, hex dump */
-				snprintf(buf, sizeof(buf), "%#B", &this->encoded);
+				snprintf(buf, BUF_LEN, "%#B", &this->encoded);
 			}
 			break;
 		default:
-			snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
+			snprintf(buf, BUF_LEN, "(unknown ID type: %d)", this->type);
 			break;
 	}
 	if (spec->minus)
@@ -950,6 +1169,13 @@ static private_identification_t *identification_create(id_type_t type)
 			this->public.matches = _matches_dn;
 			this->public.contains_wildcards = _contains_wildcards_dn;
 			break;
+		case ID_IPV4_ADDR:
+		case ID_IPV6_ADDR:
+			this->public.hash = _hash_binary;
+			this->public.equals = _equals_binary;
+			this->public.matches = _matches_range;
+			this->public.contains_wildcards = return_false;
+			break;
 		default:
 			this->public.hash = _hash_binary;
 			this->public.equals = _equals_binary;
@@ -971,6 +1197,10 @@ static private_identification_t* create_from_string_with_prefix_type(char *str)
 	} prefixes[] = {
 		{ "ipv4:",			ID_IPV4_ADDR			},
 		{ "ipv6:",			ID_IPV6_ADDR			},
+		{ "ipv4net:",		ID_IPV4_ADDR_SUBNET		},
+		{ "ipv6net:",		ID_IPV6_ADDR_SUBNET		},
+		{ "ipv4range:",		ID_IPV4_ADDR_RANGE		},
+		{ "ipv6range:",		ID_IPV6_ADDR_RANGE		},
 		{ "rfc822:",		ID_RFC822_ADDR			},
 		{ "email:",			ID_RFC822_ADDR			},
 		{ "userfqdn:",		ID_USER_FQDN			},
@@ -1036,6 +1266,115 @@ static private_identification_t* create_from_string_with_num_type(char *str)
 	return this;
 }
 
+/**
+ * Convert to an IPv4/IPv6 host address, subnet or address range
+ */
+static private_identification_t* create_ip_address_from_string(char *string,
+															   bool is_ipv4)
+{
+	private_identification_t *this;
+	uint8_t encoding[32];
+	uint8_t *str, *pos, *address, *to_address, *netmask;
+	size_t address_size;
+	int bits, bytes, i;
+	bool has_subnet = FALSE, has_range = FALSE;
+
+	address = encoding;
+	address_size = is_ipv4 ? sizeof(struct in_addr) : sizeof(struct in6_addr);
+
+	str = strdup(string);
+	pos = strchr(str, '/');
+	if (pos)
+	{	/* separate IP address from optional netmask */
+
+		*pos = '\0';
+		has_subnet = TRUE;
+	}
+	else
+	{
+		pos = strchr(str, '-');
+		if (pos)
+		{	/* separate lower address from upper address of IP range */
+			*pos = '\0';
+			has_range = TRUE;
+		}
+	}
+
+	if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, str, address) != 1)
+	{
+		free(str);
+		return NULL;
+	}
+
+	if (has_subnet)
+	{	/* is IP subnet */
+		bits = atoi(pos + 1);
+		if (bits > 8 * address_size)
+		{
+			free(str);
+			return NULL;
+		}
+		bytes = bits / 8;
+		bits -= 8 * bytes;
+		netmask = encoding + address_size;
+
+		for (i = 0; i < address_size; i++)
+		{
+			if (bytes)
+			{
+				*netmask = 0xff;
+				bytes--;
+			}
+			else if (bits)
+			{
+				*netmask = 0xff << (8 - bits);
+				bits = 0;
+			}
+			else
+			{
+				*netmask = 0x00;
+			}
+			*address++ &= *netmask++;
+		}
+		this = identification_create(is_ipv4 ? ID_IPV4_ADDR_SUBNET :
+											   ID_IPV6_ADDR_SUBNET);
+		this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size));
+	}
+	else if (has_range)
+	{	/* is IP range */
+		to_address = encoding + address_size;
+
+		if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, pos + 1, to_address) != 1)
+		{
+			free(str);
+			return NULL;
+		}
+		for (i = 0; i < address_size; i++)
+		{
+			if (address[i] != to_address[i])
+			{
+				if (address[i] > to_address[i])
+				{
+					free(str);
+					return NULL;
+				}
+				break;
+			}
+		}
+		this = identification_create(is_ipv4 ? ID_IPV4_ADDR_RANGE :
+											   ID_IPV6_ADDR_RANGE);
+		this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size));
+	}
+	else
+	{	/* is IP host address */
+		this = identification_create(is_ipv4 ? ID_IPV4_ADDR : ID_IPV6_ADDR);
+		this->encoded = chunk_clone(chunk_create(encoding, address_size));
+	}
+	free(str);
+
+	return this;
+}
+
 /*
  * Described in header.
  */
@@ -1093,15 +1432,9 @@ identification_t *identification_create_from_string(char *string)
 		{
 			if (strchr(string, ':') == NULL)
 			{
-				struct in_addr address;
-				chunk_t chunk = {(void*)&address, sizeof(address)};
-
-				if (inet_pton(AF_INET, string, &address) > 0)
-				{	/* is IPv4 */
-					this = identification_create(ID_IPV4_ADDR);
-					this->encoded = chunk_clone(chunk);
-				}
-				else
+				/* IPv4 address or subnet */
+				this = create_ip_address_from_string(string, TRUE);
+				if (!this)
 				{	/* not IPv4, mostly FQDN */
 					this = identification_create(ID_FQDN);
 					this->encoded = chunk_from_str(strdup(string));
@@ -1110,15 +1443,9 @@ identification_t *identification_create_from_string(char *string)
 			}
 			else
 			{
-				struct in6_addr address;
-				chunk_t chunk = {(void*)&address, sizeof(address)};
-
-				if (inet_pton(AF_INET6, string, &address) > 0)
-				{	/* is IPv6 */
-					this = identification_create(ID_IPV6_ADDR);
-					this->encoded = chunk_clone(chunk);
-				}
-				else
+				/* IPv6 address or subnet */
+				this = create_ip_address_from_string(string, FALSE);
+				if (!this)
 				{	/* not IPv4/6 fallback to KEY_ID */
 					this = identification_create(ID_KEY_ID);
 					this->encoded = chunk_from_str(strdup(string));
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 5f27ba112..51d132491 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -168,6 +168,8 @@ enum id_part_t {
 	ID_PART_RDN_I,
 	/** DN Qualifier RDN of a DN */
 	ID_PART_RDN_DNQ,
+	/** Pseudonym RDN of a DN */
+	ID_PART_RDN_PN,
 	/** UniqueIdentifier RDN of a DN */
 	ID_PART_RDN_ID,
 	/** Locality RDN of a DN */
diff --git a/src/libstrongswan/utils/utils/byteorder.h b/src/libstrongswan/utils/utils/byteorder.h
index 48cf1d526..3ccbad5f1 100644
--- a/src/libstrongswan/utils/utils/byteorder.h
+++ b/src/libstrongswan/utils/utils/byteorder.h
@@ -44,6 +44,36 @@
 #define BITFIELD5(t, a, b, c, d, e,...)	struct { t e; t d; t c; t b; t a; __VA_ARGS__}
 #endif
 
+#ifndef le32toh
+# if BYTE_ORDER == BIG_ENDIAN
+#  define le32toh(x) __builtin_bswap32(x)
+#  define htole32(x) __builtin_bswap32(x)
+# else
+#  define le32toh(x) (x)
+#  define htole32(x) (x)
+# endif
+#endif
+
+#ifndef le64toh
+# if BYTE_ORDER == BIG_ENDIAN
+#  define le64toh(x) __builtin_bswap64(x)
+#  define htole64(x) __builtin_bswap64(x)
+# else
+#  define le64toh(x) (x)
+#  define htole64(x) (x)
+# endif
+#endif
+
+#ifndef be64toh
+# if BYTE_ORDER == BIG_ENDIAN
+#  define be64toh(x) (x)
+#  define htobe64(x) (x)
+# else
+#  define be64toh(x) __builtin_bswap64(x)
+#  define htobe64(x) __builtin_bswap64(x)
+# endif
+#endif
+
 /**
  * Write a 16-bit host order value in network order to an unaligned address.
  *
@@ -82,21 +112,8 @@ static inline void htoun64(void *network, u_int64_t host)
 {
 	char *unaligned = (char*)network;
 
-#ifdef be64toh
 	host = htobe64(host);
 	memcpy((char*)unaligned, &host, sizeof(host));
-#else
-	u_int32_t high_part, low_part;
-
-	high_part = host >> 32;
-	high_part = htonl(high_part);
-	low_part  = host & 0xFFFFFFFFLL;
-	low_part  = htonl(low_part);
-
-	memcpy(unaligned, &high_part, sizeof(high_part));
-	unaligned += sizeof(high_part);
-	memcpy(unaligned, &low_part, sizeof(low_part));
-#endif
 }
 
 /**
@@ -138,24 +155,37 @@ static inline u_int32_t untoh32(void *network)
 static inline u_int64_t untoh64(void *network)
 {
 	char *unaligned = (char*)network;
-
-#ifdef be64toh
 	u_int64_t tmp;
 
 	memcpy(&tmp, unaligned, sizeof(tmp));
 	return be64toh(tmp);
-#else
-	u_int32_t high_part, low_part;
+}
 
-	memcpy(&high_part, unaligned, sizeof(high_part));
-	unaligned += sizeof(high_part);
-	memcpy(&low_part, unaligned, sizeof(low_part));
+/**
+ * Read a 32-bit value in little-endian order from unaligned address.
+ *
+ * @param p			unaligned address to read little endian value from
+ * @return			host order value
+ */
+static inline u_int32_t uletoh32(void *p)
+{
+	u_int32_t ret;
 
-	high_part = ntohl(high_part);
-	low_part  = ntohl(low_part);
+	memcpy(&ret, p, sizeof(ret));
+	ret = le32toh(ret);
+	return ret;
+}
 
-	return (((u_int64_t)high_part) << 32) + low_part;
-#endif
+/**
+ * Write a 32-bit value in little-endian to an unaligned address.
+ *
+ * @param p			host order 32-bit value
+ * @param v			unaligned address to write little endian value to
+ */
+static inline void htoule32(void *p, u_int32_t v)
+{
+	v = htole32(v);
+	memcpy(p, &v, sizeof(v));
 }
 
 #endif /** BYTEORDER_H_ @} */
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index e6c23d970..8d16059f3 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -465,6 +465,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in
index 7d5b3771c..e57a95f4f 100644
--- a/src/libtls/tests/Makefile.in
+++ b/src/libtls/tests/Makefile.in
@@ -410,6 +410,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 000dda43b..8087e2e2d 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -320,7 +320,8 @@ static public_key_t *find_public_key(private_tls_peer_t *this)
 	if (cert)
 	{
 		enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-						KEY_ANY, cert->get_subject(cert), this->server_auth);
+											KEY_ANY, cert->get_subject(cert),
+											this->server_auth, TRUE);
 		while (enumerator->enumerate(enumerator, &current, &auth))
 		{
 			found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index f9295a160..cfbe02037 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -548,7 +548,7 @@ static status_t process_cert_verify(private_tls_server_t *this,
 	bio_reader_t *sig;
 
 	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-										KEY_ANY, this->peer, this->peer_auth);
+									KEY_ANY, this->peer, this->peer_auth, TRUE);
 	while (enumerator->enumerate(enumerator, &public, &auth))
 	{
 		sig = bio_reader_create(reader->peek(reader));
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index dc8c1b8cc..85d2581a2 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -470,6 +470,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in
index 3641bdf5b..963e1f0eb 100644
--- a/src/libtnccs/plugins/tnc_imc/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imc/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in
index c4b1bee23..f77db91c4 100644
--- a/src/libtnccs/plugins/tnc_imv/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.in
@@ -419,6 +419,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
index 5b01e317a..577f53776 100644
--- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in
+++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in
index e0c039af9..ec5de0f11 100644
--- a/src/libtnccs/plugins/tnccs_11/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_11/Makefile.in
@@ -428,6 +428,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in
index 17d997f76..5037a9517 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.in
@@ -431,6 +431,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
index a1a95733f..35d297842 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
@@ -126,6 +126,24 @@ struct private_tnccs_20_t {
 
 };
 
+METHOD(tls_t, is_complete, bool,
+	private_tnccs_20_t *this)
+{
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	tnccs_20_server_t *tnc_server;
+
+	if (this->tnc_server)
+	{
+		tnc_server = (tnccs_20_server_t*)this->tnc_server;
+		if (tnc_server->have_recommendation(tnc_server, &rec, &eval))
+		{
+			return this->callback ? this->callback(rec, eval) : TRUE;
+		}
+	}
+	return FALSE;
+}
+
 METHOD(tnccs_t, send_msg, TNC_Result,
 	private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
 							  TNC_UInt32 msg_flags,
@@ -269,6 +287,7 @@ METHOD(tls_t, process, status_t,
 		/* Suppress a successful CLOSE batch coming from the TNC server */
 		if (status == SUCCESS)
 		{
+			is_complete(this);
 			status = NEED_MORE;
 		}
 	}
@@ -359,25 +378,6 @@ METHOD(tls_t, get_purpose, tls_purpose_t,
 	return TLS_PURPOSE_EAP_TNC;
 }
 
-METHOD(tls_t, is_complete, bool,
-	private_tnccs_20_t *this)
-{
-	TNC_IMV_Action_Recommendation rec;
-	TNC_IMV_Evaluation_Result eval;
-
-	if (this->tnc_server)
-	{
-		tnccs_20_server_t *tnc_server;
-
-		tnc_server = (tnccs_20_server_t*)this->tnc_server;
-		if (tnc_server->have_recommendation(tnc_server, &rec, &eval))
-		{
-			return this->callback ? this->callback(rec, eval) : TRUE;
-		}
-	}
-	return FALSE;
-}
-
 METHOD(tls_t, get_eap_msk, chunk_t,
 	private_tnccs_20_t *this)
 {
diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
index 3f21a22d4..949532a09 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
@@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index 010fadc42..4be7ae1a8 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -380,6 +380,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 500220a3a..9beaab0a3 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -432,6 +432,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 42830e186..c367841df 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -421,6 +421,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index a3da0ab04..261e41c16 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -17,7 +17,10 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/signcrl.c \
 	commands/verify.c
 
-pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pki_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(PTHREADLIB) $(DLLIB)
+
 pki.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index b4829f777..4b206c9c9 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -111,7 +111,9 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \
 	commands/self.$(OBJEXT) commands/signcrl.$(OBJEXT) \
 	commands/verify.$(OBJEXT)
 pki_OBJECTS = $(am_pki_OBJECTS)
-pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
+am__DEPENDENCIES_1 =
+pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
@@ -431,6 +433,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -460,7 +464,10 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 	commands/signcrl.c \
 	commands/verify.c
 
-pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pki_LDADD = \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(PTHREADLIB) $(DLLIB)
+
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-DPLUGINS=\""${pki_plugins}\""
@@ -919,6 +926,7 @@ uninstall-am: uninstall-binPROGRAMS
 	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
 	uninstall-am uninstall-binPROGRAMS
 
+
 pki.o :	$(top_builddir)/config.status
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/pki/command.c b/src/pki/command.c
index 13e81404c..ce704dbb8 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -172,6 +172,15 @@ void command_register(command_t command)
 				"options",	'+', 1, "read command line options from file"
 			};
 		}
+		for (i = 0; cmds[registered].line[i]; i++)
+		{
+			if (i == MAX_LINES - 1)
+			{
+				fprintf(stderr, "command '%s' specifies too many usage summary "
+						"lines, please increase MAX_LINES\n", command.cmd);
+				break;
+			}
+		}
 	}
 	registered++;
 }
@@ -208,7 +217,7 @@ int command_usage(char *error)
 	}
 	else
 	{
-		for (i = 0; cmds[active].line[i]; i++)
+		for (i = 0; i < MAX_LINES && cmds[active].line[i]; i++)
 		{
 			if (i == 0)
 			{
diff --git a/src/pki/command.h b/src/pki/command.h
index e55c579e4..449252eb8 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -34,7 +34,7 @@
 /**
  * Maximum number of usage summary lines (+1)
  */
-#define MAX_LINES 10
+#define MAX_LINES 11
 
 typedef struct command_t command_t;
 typedef struct command_option_t command_option_t;
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index fa69de133..c367a21a9 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -15,540 +18,37 @@
 
 #include "pki.h"
 
-#include <asn1/asn1.h>
-#include <asn1/oid.h>
 #include <credentials/certificates/certificate.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ac.h>
-#include <selectors/traffic_selector.h>
+#include <credentials/certificates/certificate_printer.h>
 
-#include <time.h>
 #include <errno.h>
 
 /**
- * Print public key information
- */
-static void print_pubkey(public_key_t *key)
-{
-	chunk_t chunk;
-	key_type_t type;
-
-	type = key->get_type(key);
-	printf("pubkey:    %N %d bits%s\n", key_type_names, type,
-			key->get_keysize(key), (type == KEY_BLISS) ? " strength" : "");
-
-	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
-	{
-		printf("keyid:     %#B\n", &chunk);
-	}
-	if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
-	{
-		printf("subjkey:   %#B\n", &chunk);
-	}
-}
-
-/**
  * Print private key information
  */
 static void print_key(private_key_t *key)
 {
 	public_key_t *public;
+	chunk_t chunk;
 
 	public = key->get_public_key(key);
 	if (public)
 	{
-		printf("private key with:\n");
-		print_pubkey(public);
-		public->destroy(public);
-	}
-	else
-	{
-		printf("extracting public from private key failed\n");
-	}
-}
-
-/**
- * Get a prefix for a named constraint identity type
- */
-static char* get_type_pfx(identification_t *id)
-{
-	switch (id->get_type(id))
-	{
-		case ID_RFC822_ADDR:
-			return "email:";
-		case ID_FQDN:
-			return "dns:";
-		default:
-			return "";
-	}
-}
-
-/**
- * Print X509 specific certificate information
- */
-static void print_x509(x509_t *x509)
-{
-	enumerator_t *enumerator;
-	identification_t *id;
-	traffic_selector_t *block;
-	chunk_t chunk;
-	bool first;
-	char *uri;
-	int len, explicit, inhibit;
-	x509_flag_t flags;
-	x509_cdp_t *cdp;
-	x509_cert_policy_t *policy;
-	x509_policy_mapping_t *mapping;
-
-	chunk = chunk_skip_zero(x509->get_serial(x509));
-	printf("serial:    %#B\n", &chunk);
-
-	first = TRUE;
-	enumerator = x509->create_subjectAltName_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("altNames:  ");
-			first = FALSE;
-		}
-		else
-		{
-			printf(", ");
-		}
-		printf("%Y", id);
-	}
-	if (!first)
-	{
-		printf("\n");
-	}
-	enumerator->destroy(enumerator);
-
-	flags = x509->get_flags(x509);
-	printf("flags:     ");
-	if (flags & X509_CA)
-	{
-		printf("CA ");
-	}
-	if (flags & X509_CRL_SIGN)
-	{
-		printf("CRLSign ");
-	}
-	if (flags & X509_AA)
-	{
-		printf("AA ");
-	}
-	if (flags & X509_OCSP_SIGNER)
-	{
-		printf("OCSP ");
-	}
-	if (flags & X509_AA)
-	{
-		printf("AA ");
-	}
-	if (flags & X509_SERVER_AUTH)
-	{
-		printf("serverAuth ");
-	}
-	if (flags & X509_CLIENT_AUTH)
-	{
-		printf("clientAuth ");
-	}
-	if (flags & X509_IKE_INTERMEDIATE)
-	{
-		printf("iKEIntermediate ");
-	}
-	if (flags & X509_MS_SMARTCARD_LOGON)
-	{
-		printf("msSmartcardLogon ");
-	}
-	if (flags & X509_SELF_SIGNED)
-	{
-		printf("self-signed ");
-	}
-	printf("\n");
-
-	first = TRUE;
-	enumerator = x509->create_crl_uri_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &cdp))
-	{
-		if (first)
-		{
-			printf("CRL URIs:  %s", cdp->uri);
-			first = FALSE;
-		}
-		else
-		{
-			printf("           %s", cdp->uri);
-		}
-		if (cdp->issuer)
-		{
-			printf(" (CRL issuer: %Y)", cdp->issuer);
-		}
-		printf("\n");
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_ocsp_uri_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &uri))
-	{
-		if (first)
-		{
-			printf("OCSP URIs: %s\n", uri);
-			first = FALSE;
-		}
-		else
-		{
-			printf("           %s\n", uri);
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	len = x509->get_constraint(x509, X509_PATH_LEN);
-	if (len != X509_NO_CONSTRAINT)
-	{
-		printf("pathlen:   %d\n", len);
-	}
-
-	first = TRUE;
-	enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("Permitted NameConstraints:\n");
-			first = FALSE;
-		}
-		printf("           %s%Y\n", get_type_pfx(id), id);
-	}
-	enumerator->destroy(enumerator);
-	first = TRUE;
-	enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("Excluded NameConstraints:\n");
-			first = FALSE;
-		}
-		printf("           %s%Y\n", get_type_pfx(id), id);
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_cert_policy_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &policy))
-	{
-		char *oid;
-
-		if (first)
-		{
-			printf("CertificatePolicies:\n");
-			first = FALSE;
-		}
-		oid = asn1_oid_to_string(policy->oid);
-		if (oid)
-		{
-			printf("           %s\n", oid);
-			free(oid);
-		}
-		else
-		{
-			printf("           %#B\n", &policy->oid);
-		}
-		if (policy->cps_uri)
-		{
-			printf("             CPS: %s\n", policy->cps_uri);
-		}
-		if (policy->unotice_text)
-		{
-			printf("             Notice: %s\n", policy->unotice_text);
-
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_policy_mapping_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &mapping))
-	{
-		char *issuer_oid, *subject_oid;
-
-		if (first)
-		{
-			printf("PolicyMappings:\n");
-			first = FALSE;
-		}
-		issuer_oid = asn1_oid_to_string(mapping->issuer);
-		subject_oid = asn1_oid_to_string(mapping->subject);
-		printf("           %s => %s\n", issuer_oid, subject_oid);
-		free(issuer_oid);
-		free(subject_oid);
-	}
-	enumerator->destroy(enumerator);
-
-	explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
-	inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
-	len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
-
-	if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
-		len != X509_NO_CONSTRAINT)
-	{
-		printf("PolicyConstraints:\n");
-		if (explicit != X509_NO_CONSTRAINT)
-		{
-			printf("           requireExplicitPolicy: %d\n", explicit);
-		}
-		if (inhibit != X509_NO_CONSTRAINT)
-		{
-			printf("           inhibitPolicyMapping: %d\n", inhibit);
-		}
-		if (len != X509_NO_CONSTRAINT)
-		{
-			printf("           inhibitAnyPolicy: %d\n", len);
-		}
-	}
-
-	chunk = x509->get_authKeyIdentifier(x509);
-	if (chunk.ptr)
-	{
-		printf("authkeyId: %#B\n", &chunk);
-	}
-
-	chunk = x509->get_subjectKeyIdentifier(x509);
-	if (chunk.ptr)
-	{
-		printf("subjkeyId: %#B\n", &chunk);
-	}
-	if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
-	{
-		first = TRUE;
-		printf("addresses: ");
-		enumerator = x509->create_ipAddrBlock_enumerator(x509);
-		while (enumerator->enumerate(enumerator, &block))
-		{
-			if (first)
-			{
-				first = FALSE;
-			}
-			else
-			{
-				printf(", ");
-			}
-			printf("%R", block);
-		}
-		enumerator->destroy(enumerator);
-		printf("\n");
-	}
-}
-
-/**
- * Print CRL specific information
- */
-static void print_crl(crl_t *crl)
-{
-	enumerator_t *enumerator;
-	time_t ts;
-	crl_reason_t reason;
-	chunk_t chunk;
-	int count = 0;
-	bool first;
-	char buf[64];
-	struct tm tm;
-	x509_cdp_t *cdp;
-
-	chunk = chunk_skip_zero(crl->get_serial(crl));
-	printf("serial:    %#B\n", &chunk);
-
-	if (crl->is_delta_crl(crl, &chunk))
-	{
-		chunk = chunk_skip_zero(chunk);
-		printf("delta CRL: for serial %#B\n", &chunk);
-	}
-	chunk = crl->get_authKeyIdentifier(crl);
-	printf("authKeyId: %#B\n", &chunk);
-
-	first = TRUE;
-	enumerator = crl->create_delta_crl_uri_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &cdp))
-	{
-		if (first)
-		{
-			printf("freshest:  %s", cdp->uri);
-			first = FALSE;
-		}
-		else
-		{
-			printf("           %s", cdp->uri);
-		}
-		if (cdp->issuer)
-		{
-			printf(" (CRL issuer: %Y)", cdp->issuer);
-		}
-		printf("\n");
-	}
-	enumerator->destroy(enumerator);
-
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-	{
-		count++;
-	}
-	enumerator->destroy(enumerator);
-
-	printf("%d revoked certificate%s%s\n", count,
-		   count == 1 ? "" : "s", count ? ":" : "");
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-	{
-		chunk = chunk_skip_zero(chunk);
-		localtime_r(&ts, &tm);
-		strftime(buf, sizeof(buf), "%F %T", &tm);
-		printf("    %#B %N %s\n", &chunk, crl_reason_names, reason, buf);
-		count++;
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Print AC specific information
- */
-static void print_ac(ac_t *ac)
-{
-	ac_group_type_t type;
-	identification_t *id;
-	enumerator_t *groups;
-	chunk_t chunk;
-	bool first = TRUE;
-
-	chunk = chunk_skip_zero(ac->get_serial(ac));
-	printf("serial:    %#B\n", &chunk);
-
-	id = ac->get_holderIssuer(ac);
-	if (id)
-	{
-		printf("hissuer:  \"%Y\"\n", id);
-	}
-	chunk = chunk_skip_zero(ac->get_holderSerial(ac));
-	if (chunk.ptr)
-	{
-		printf("hserial:   %#B\n", &chunk);
-	}
-	groups = ac->create_group_enumerator(ac);
-	while (groups->enumerate(groups, &type, &chunk))
-	{
-		int oid;
-		char *str;
-
-		if (first)
+		printf("  privkey:   %N %d bits\n", key_type_names,
+			   public->get_type(public), public->get_keysize(public));
+		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
 		{
-			printf("groups:    ");
-			first = FALSE;
+			printf("  keyid:     %#B\n", &chunk);
 		}
-		else
+		if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
 		{
-			printf("           ");
+			printf("  subjkey:   %#B\n", &chunk);
 		}
-		switch (type)
-		{
-			case AC_GROUP_TYPE_STRING:
-				printf("%.*s", (int)chunk.len, chunk.ptr);
-				break;
-			case AC_GROUP_TYPE_OID:
-				oid = asn1_known_oid(chunk);
-				if (oid == OID_UNKNOWN)
-				{
-					str = asn1_oid_to_string(chunk);
-					if (str)
-					{
-						printf("%s", str);
-						free(str);
-					}
-					else
-					{
-						printf("OID:%#B", &chunk);
-					}
-				}
-				else
-				{
-					printf("%s", oid_names[oid].name);
-				}
-				break;
-			case AC_GROUP_TYPE_OCTETS:
-				printf("%#B", &chunk);
-				break;
-		}
-		printf("\n");
-	}
-	groups->destroy(groups);
-
-	chunk = ac->get_authKeyIdentifier(ac);
-	if (chunk.ptr)
-	{
-		printf("authkey:  %#B\n", &chunk);
-	}
-}
-
-/**
- * Print certificate information
- */
-static void print_cert(certificate_t *cert)
-{
-	time_t now, notAfter, notBefore;
-	public_key_t *key;
-
-	now = time(NULL);
-
-	printf("cert:      %N\n", certificate_type_names, cert->get_type(cert));
-	if (cert->get_type(cert) != CERT_X509_CRL)
-	{
-		printf("subject:  \"%Y\"\n", cert->get_subject(cert));
-	}
-	printf("issuer:   \"%Y\"\n", cert->get_issuer(cert));
-
-	cert->get_validity(cert, &now, &notBefore, &notAfter);
-	printf("validity:  not before %T, ", &notBefore, FALSE);
-	if (now < notBefore)
-	{
-		printf("not valid yet (valid in %V)\n", &now, &notBefore);
-	}
-	else
-	{
-		printf("ok\n");
-	}
-	printf("           not after  %T, ", &notAfter, FALSE);
-	if (now > notAfter)
-	{
-		printf("expired (%V ago)\n", &now, &notAfter);
+		public->destroy(public);
 	}
 	else
 	{
-		printf("ok (expires in %V)\n", &now, &notAfter);
-	}
-
-	switch (cert->get_type(cert))
-	{
-		case CERT_X509:
-			print_x509((x509_t*)cert);
-			break;
-		case CERT_X509_CRL:
-			print_crl((crl_t*)cert);
-			break;
-		case CERT_X509_AC:
-			print_ac((ac_t*)cert);
-			break;
-		default:
-			printf("parsing certificate subtype %N not implemented\n",
-				   certificate_type_names, cert->get_type(cert));
-			break;
-	}
-	key = cert->get_public_key(cert);
-	if (key)
-	{
-		print_pubkey(key);
-		key->destroy(key);
+		printf("extracting public from private key failed\n");
 	}
 }
 
@@ -586,8 +86,8 @@ static int print()
 				}
 				else if (streq(arg, "pub"))
 				{
-					type = CRED_PUBLIC_KEY;
-					subtype = KEY_ANY;
+					type = CRED_CERTIFICATE;
+					subtype = CERT_TRUSTED_PUBKEY;
 				}
 				else if (streq(arg, "rsa-priv"))
 				{
@@ -647,17 +147,13 @@ static int print()
 	if (type == CRED_CERTIFICATE)
 	{
 		certificate_t *cert = (certificate_t*)cred;
+		certificate_printer_t *printer;
 
-		print_cert(cert);
+		printer = certificate_printer_create(stdout, TRUE, FALSE);
+		printer->print(printer, cert, FALSE);
+		printer->destroy(printer);
 		cert->destroy(cert);
 	}
-	if (type == CRED_PUBLIC_KEY)
-	{
-		public_key_t *key = (public_key_t*)cred;
-
-		print_pubkey(key);
-		key->destroy(key);
-	}
 	if (type == CRED_PRIVATE_KEY)
 	{
 		private_key_t *key = (private_key_t*)cred;
@@ -665,6 +161,7 @@ static int print()
 		print_key(key);
 		key->destroy(key);
 	}
+
 	return 0;
 }
 
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index 62942d108..e61230929 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -370,6 +370,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/pool/Makefile.am b/src/pool/Makefile.am
index 5ae624b88..1513bbff4 100644
--- a/src/pool/Makefile.am
+++ b/src/pool/Makefile.am
@@ -10,13 +10,11 @@ pool.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINS=\""${pool_plugins}\""
 
 pool_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
 	$(top_builddir)/src/libcharon/libcharon.la
 
 endif USE_ATTR_SQL
diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in
index b9557547a..3d9adb14d 100644
--- a/src/pool/Makefile.in
+++ b/src/pool/Makefile.in
@@ -109,7 +109,6 @@ am__pool_SOURCES_DIST = pool.c pool_attributes.c pool_attributes.h \
 @USE_ATTR_SQL_TRUE@	pool_usage.$(OBJEXT)
 pool_OBJECTS = $(am_pool_OBJECTS)
 @USE_ATTR_SQL_TRUE@pool_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libhydra/libhydra.la \
 @USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libcharon/libcharon.la
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -416,6 +415,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -435,13 +436,11 @@ xml_LIBS = @xml_LIBS@
 
 @USE_ATTR_SQL_TRUE@AM_CPPFLAGS = \
 @USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libstrongswan \
-@USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libhydra \
 @USE_ATTR_SQL_TRUE@	-I$(top_srcdir)/src/libcharon \
 @USE_ATTR_SQL_TRUE@	-DPLUGINS=\""${pool_plugins}\""
 
 @USE_ATTR_SQL_TRUE@pool_LDADD = \
 @USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-@USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libhydra/libhydra.la \
 @USE_ATTR_SQL_TRUE@	$(top_builddir)/src/libcharon/libcharon.la
 
 templatesdir = $(pkgdatadir)/templates/database/sql
diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in
index a02db98f2..2ab3cbf3d 100644
--- a/src/pt-tls-client/Makefile.in
+++ b/src/pt-tls-client/Makefile.in
@@ -385,6 +385,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index b3beb1b68..13116723b 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -6,7 +6,6 @@ scepclient.o :	$(top_builddir)/config.status
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
 	-DPLUGINS=\""${scepclient_plugins}\""
 
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index bcc70cb1b..141db6993 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -412,6 +412,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -430,7 +432,6 @@ scepclient.c scep.c scep.h
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
 	-DPLUGINS=\""${scepclient_plugins}\""
 
diff --git a/src/starter/Android.mk b/src/starter/Android.mk
index 8c5d1a92f..e882cc7e2 100644
--- a/src/starter/Android.mk
+++ b/src/starter/Android.mk
@@ -14,7 +14,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(starter_SOURCES))
 # build starter ----------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
-	$(strongswan_PATH)/src/libhydra \
 	$(strongswan_PATH)/src/libstrongswan \
 	$(strongswan_PATH)/src/starter \
 	$(strongswan_PATH)/src/stroke
@@ -33,7 +32,7 @@ LOCAL_PRELINK_MODULE := false
 
 LOCAL_REQUIRED_MODULES := stroke
 
-LOCAL_SHARED_LIBRARIES += libstrongswan libhydra
+LOCAL_SHARED_LIBRARIES += libstrongswan
 
 include $(BUILD_EXECUTABLE)
 
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 7f5d1ca5b..8341ca3ee 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -15,7 +15,7 @@ parser/parser.y parser/lexer.l parser/conf_parser.c parser/conf_parser.h
 AM_CPPFLAGS = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/starter \
 	-I$(top_srcdir)/src/stroke \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
@@ -32,7 +32,7 @@ AM_YFLAGS = -v -d
 
 starter_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
 	libstarter.la \
 	$(SOCKLIB) $(PTHREADLIB)
 
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 3166cc5d5..31e0e9d42 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -123,7 +123,7 @@ starter_OBJECTS = $(am_starter_OBJECTS)
 am__DEPENDENCIES_1 =
 starter_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la libstarter.la \
+	$(top_builddir)/src/libcharon/libcharon.la libstarter.la \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -457,6 +457,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -484,7 +486,7 @@ libstarter_la_SOURCES = \
 parser/parser.y parser/lexer.l parser/conf_parser.c parser/conf_parser.h
 
 AM_CPPFLAGS = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/starter \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/starter \
 	-I$(top_srcdir)/src/stroke -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
 	-DIPSEC_EAPDIR=\"${eapdir}\" \
@@ -496,7 +498,7 @@ AM_CPPFLAGS = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
 AM_YFLAGS = -v -d
 starter_LDADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libhydra/libhydra.la \
+	$(top_builddir)/src/libcharon/libcharon.la \
 	libstarter.la \
 	$(SOCKLIB) $(PTHREADLIB)
 
diff --git a/src/starter/confread.c b/src/starter/confread.c
index c3a0ac07f..897aa423e 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -40,8 +40,8 @@
 #define SA_REPLACEMENT_RETRIES_DEFAULT   3
 #define SA_REPLAY_WINDOW_DEFAULT        -1 /* use charon.replay_window */
 
-static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
-static const char esp_defaults[] = "aes128-sha1,3des-sha1";
+static const char ike_defaults[] = "aes128-sha256-modp3072";
+static const char esp_defaults[] = "aes128-sha256";
 
 static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
 
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index 3eb6973a1..b150d3e80 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -17,7 +17,6 @@
 #include <stdlib.h>
 
 #include <library.h>
-#include <hydra.h>
 #include <utils/debug.h>
 
 #include "files.h"
diff --git a/src/starter/starter.c b/src/starter/starter.c
index ab1ebdd5d..45c28d3cc 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -33,7 +33,6 @@
 #include <pthread.h>
 
 #include <library.h>
-#include <hydra.h>
 #include <utils/backtrace.h>
 #include <threading/thread.h>
 #include <utils/debug.h>
@@ -427,9 +426,6 @@ int main (int argc, char **argv)
 	library_init(NULL, "starter");
 	atexit(library_deinit);
 
-	libhydra_init();
-	atexit(libhydra_deinit);
-
 	/* parse command line */
 	for (i = 1; i < argc; i++)
 	{
diff --git a/src/starter/tests/Makefile.in b/src/starter/tests/Makefile.in
index b26125501..58daacfb3 100644
--- a/src/starter/tests/Makefile.in
+++ b/src/starter/tests/Makefile.in
@@ -410,6 +410,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index c32ebf905..e7bfd9d57 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -384,6 +384,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 2dfb66d7c..6571815e5 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -279,7 +279,7 @@ static int list_flags[] = {
 	LIST_ALL
 };
 
-static int list(stroke_keyword_t kw, int utc)
+static int list(stroke_keyword_t kw, bool utc)
 {
 	stroke_msg_t *msg;
 
@@ -433,9 +433,9 @@ static int usage(char *error)
 	fprintf(out, "  Show extended status information without blocking:\n");
 	fprintf(out, "    stroke statusall-nb\n");
 	fprintf(out, "  Show list of authority and attribute certificates:\n");
-	fprintf(out, "    stroke listcacerts|listocspcerts|listaacerts|listacerts\n");
+	fprintf(out, "    stroke listcacerts|listocspcerts|listaacerts|listacerts [--utc]\n");
 	fprintf(out, "  Show list of end entity certificates, ca info records  and crls:\n");
-	fprintf(out, "    stroke listcerts|listcainfos|listcrls|listall\n");
+	fprintf(out, "    stroke listcerts|listcainfos|listcrls|listall [--utc]\n");
 	fprintf(out, "  Show list of supported algorithms:\n");
 	fprintf(out, "    stroke listalgs\n");
 	fprintf(out, "  Reload authority and attribute certificates:\n");
@@ -478,6 +478,7 @@ int main(int argc, char *argv[])
 {
 	const stroke_token_t *token;
 	char *cmd;
+	bool utc = FALSE;
 	int res = 0;
 
 	library_init(NULL, "stroke");
@@ -487,6 +488,7 @@ int main(int argc, char *argv[])
 	{
 		struct option long_opts[] = {
 			{"help",		no_argument,		NULL,	'h' },
+			{"utc",			no_argument,		NULL,	'u' },
 			{"daemon",		required_argument,	NULL,	'd' },
 			{0,0,0,0},
 		};
@@ -499,6 +501,9 @@ int main(int argc, char *argv[])
 			case 'd':
 				daemon_name = optarg;
 				continue;
+			case 'u':
+				utc = TRUE;
+				continue;
 			default:
 				return usage("invalid option");
 		}
@@ -611,7 +616,7 @@ int main(int argc, char *argv[])
 		case STROKE_LIST_ALGS:
 		case STROKE_LIST_PLUGINS:
 		case STROKE_LIST_ALL:
-			res = list(token->kw, argc && streq(argv[0], "--utc"));
+			res = list(token->kw, utc);
 			break;
 		case STROKE_REREAD_SECRETS:
 		case STROKE_REREAD_CACERTS:
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index 703e5746a..fb027149a 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -4,6 +4,7 @@ swanctl_SOURCES = \
 	command.c command.h \
 	commands/initiate.c \
 	commands/terminate.c \
+	commands/redirect.c \
 	commands/install.c \
 	commands/list_sas.c \
 	commands/list_pols.c \
@@ -11,6 +12,7 @@ swanctl_SOURCES = \
 	commands/list_conns.c \
 	commands/list_certs.c \
 	commands/list_pools.c \
+	commands/list_algs.c \
 	commands/load_all.c \
 	commands/load_authorities.h  commands/load_authorities.c \
 	commands/load_conns.c commands/load_conns.h \
@@ -24,7 +26,8 @@ swanctl_SOURCES = \
 
 swanctl_LDADD = \
 	$(top_builddir)/src/libcharon/plugins/vici/libvici.la \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(PTHREADLIB) $(DLLIB)
 
 swanctl.o :		$(top_builddir)/config.status
 
@@ -62,10 +65,13 @@ install-data-local: swanctl.conf
 	test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true
+	test -e "$(DESTDIR)$(swanctldir)/x509ocsp" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ocsp" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
+	test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
 	test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
+	test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
 	test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index a4d853cb1..94921af6d 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -105,20 +105,24 @@ am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" \
 PROGRAMS = $(sbin_PROGRAMS)
 am__dirstamp = $(am__leading_dot)dirstamp
 am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \
-	commands/terminate.$(OBJEXT) commands/install.$(OBJEXT) \
-	commands/list_sas.$(OBJEXT) commands/list_pols.$(OBJEXT) \
+	commands/terminate.$(OBJEXT) commands/redirect.$(OBJEXT) \
+	commands/install.$(OBJEXT) commands/list_sas.$(OBJEXT) \
+	commands/list_pols.$(OBJEXT) \
 	commands/list_authorities.$(OBJEXT) \
 	commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \
-	commands/list_pools.$(OBJEXT) commands/load_all.$(OBJEXT) \
+	commands/list_pools.$(OBJEXT) commands/list_algs.$(OBJEXT) \
+	commands/load_all.$(OBJEXT) \
 	commands/load_authorities.$(OBJEXT) \
 	commands/load_conns.$(OBJEXT) commands/load_creds.$(OBJEXT) \
 	commands/load_pools.$(OBJEXT) commands/log.$(OBJEXT) \
 	commands/version.$(OBJEXT) commands/stats.$(OBJEXT) \
 	commands/reload_settings.$(OBJEXT) swanctl.$(OBJEXT)
 swanctl_OBJECTS = $(am_swanctl_OBJECTS)
+am__DEPENDENCIES_1 =
 swanctl_DEPENDENCIES =  \
 	$(top_builddir)/src/libcharon/plugins/vici/libvici.la \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 AM_V_lt = $(am__v_lt_@AM_V@)
 am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
 am__v_lt_0 = --silent
@@ -427,6 +431,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
@@ -444,6 +450,7 @@ swanctl_SOURCES = \
 	command.c command.h \
 	commands/initiate.c \
 	commands/terminate.c \
+	commands/redirect.c \
 	commands/install.c \
 	commands/list_sas.c \
 	commands/list_pols.c \
@@ -451,6 +458,7 @@ swanctl_SOURCES = \
 	commands/list_conns.c \
 	commands/list_certs.c \
 	commands/list_pools.c \
+	commands/list_algs.c \
 	commands/load_all.c \
 	commands/load_authorities.h  commands/load_authorities.c \
 	commands/load_conns.c commands/load_conns.h \
@@ -464,7 +472,8 @@ swanctl_SOURCES = \
 
 swanctl_LDADD = \
 	$(top_builddir)/src/libcharon/plugins/vici/libvici.la \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(PTHREADLIB) $(DLLIB)
 
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
@@ -579,6 +588,8 @@ commands/initiate.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/terminate.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
+commands/redirect.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
 commands/install.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/list_sas.$(OBJEXT): commands/$(am__dirstamp) \
@@ -593,6 +604,8 @@ commands/list_certs.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/list_pools.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
+commands/list_algs.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
 commands/load_all.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/load_authorities.$(OBJEXT): commands/$(am__dirstamp) \
@@ -627,6 +640,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/swanctl.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/initiate.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/install.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_algs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_authorities.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_certs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_conns.Po@am__quote@
@@ -639,6 +653,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_creds.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_pools.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/log.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/redirect.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/reload_settings.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/stats.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/terminate.Po@am__quote@
@@ -1001,10 +1016,13 @@ install-data-local: swanctl.conf
 	test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true
+	test -e "$(DESTDIR)$(swanctldir)/x509ocsp" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ocsp" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
+	test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
 	test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
+	test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
 	test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
 	test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
diff --git a/src/swanctl/command.c b/src/swanctl/command.c
index 26c41346c..fd9bc0083 100644
--- a/src/swanctl/command.c
+++ b/src/swanctl/command.c
@@ -176,6 +176,15 @@ void command_register(command_t command)
 				"uri",		'u', 1, "service URI to connect to"
 			};
 		}
+		for (i = 0; cmds[registered].line[i]; i++)
+		{
+			if (i == MAX_LINES - 1)
+			{
+				fprintf(stderr, "command '%s' specifies too many usage summary "
+						"lines, please increase MAX_LINES\n", command.cmd);
+				break;
+			}
+		}
 	}
 	registered++;
 }
@@ -217,7 +226,7 @@ int command_usage(char *error, ...)
 	}
 	else
 	{
-		for (i = 0; cmds[active].line[i]; i++)
+		for (i = 0; i < MAX_LINES && cmds[active].line[i]; i++)
 		{
 			if (i == 0)
 			{
diff --git a/src/swanctl/command.h b/src/swanctl/command.h
index 0760d1384..8d0a2e6b9 100644
--- a/src/swanctl/command.h
+++ b/src/swanctl/command.h
@@ -27,12 +27,12 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 21
+#define MAX_COMMANDS 23
 
 /**
  * Maximum number of options in a command (+3)
  */
-#define MAX_OPTIONS 32
+#define MAX_OPTIONS 34
 
 /**
  * Maximum number of usage summary lines (+1)
diff --git a/src/swanctl/commands/list_algs.c b/src/swanctl/commands/list_algs.c
new file mode 100644
index 000000000..616e6ff75
--- /dev/null
+++ b/src/swanctl/commands/list_algs.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "command.h"
+
+#include <errno.h>
+
+CALLBACK(algs, int,
+	void *null, vici_res_t *res, char *name, void *value, int len)
+{
+	if (chunk_printable(chunk_create(value, len), NULL, ' '))
+	{
+		printf("  %s[%.*s]\n", name, len, value);
+	}
+	return 0;
+}
+
+CALLBACK(types, int,
+	void *null, vici_res_t *res, char *name)
+{
+	printf("%s:\n", name);
+	return vici_parse_cb(res, NULL, algs, NULL, NULL);
+}
+
+static int algorithms(vici_conn_t *conn)
+{
+	vici_req_t *req;
+	vici_res_t *res;
+	char *arg;
+	command_format_options_t format = COMMAND_FORMAT_NONE;
+	int ret;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 'P':
+				format |= COMMAND_FORMAT_PRETTY;
+				/* fall through to raw */
+			case 'r':
+				format |= COMMAND_FORMAT_RAW;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --list-algs option");
+		}
+		break;
+	}
+
+	req = vici_begin("get-algorithms");
+	res = vici_submit(req, conn);
+	if (!res)
+	{
+		ret = errno;
+		fprintf(stderr, "get-algorithms request failed: %s\n", strerror(errno));
+		return ret;
+	}
+	if (format & COMMAND_FORMAT_RAW)
+	{
+		vici_dump(res, "get-algorithms reply", format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+	}
+	else
+	{
+		if (vici_parse_cb(res, types, NULL, NULL, NULL) != 0)
+		{
+			fprintf(stderr, "parsing get-algorithms reply failed: %s\n",
+					strerror(errno));
+		}
+	}
+	vici_free_res(res);
+	return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		algorithms, 'g', "list-algs", "show loaded algorithms",
+		{"[--raw|--pretty]"},
+		{
+			{"help",		'h', 0, "show usage information"},
+			{"raw",			'r', 0, "dump raw response message"},
+			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+		}
+	});
+}
diff --git a/src/swanctl/commands/list_certs.c b/src/swanctl/commands/list_certs.c
index 167f8d848..e9c964771 100644
--- a/src/swanctl/commands/list_certs.c
+++ b/src/swanctl/commands/list_certs.c
@@ -24,14 +24,17 @@
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
 #include <credentials/certificates/certificate.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/crl.h>
-#include <credentials/certificates/ac.h>
+#include <credentials/certificates/certificate_printer.h>
 #include <selectors/traffic_selector.h>
 
 #include "command.h"
 
 /**
+ * Static certificate printer object
+ */
+static certificate_printer_t *cert_printer = NULL;
+
+/**
  * Print PEM encoding of a certificate
  */
 static void print_pem(certificate_t *cert)
@@ -49,541 +52,99 @@ static void print_pem(certificate_t *cert)
 	}
 }
 
-/**
- * Print public key information
- */
-static void print_pubkey(public_key_t *key, bool has_privkey)
-{
-	chunk_t chunk;
-
-	printf("pubkey:    %N %d bits", key_type_names, key->get_type(key),
-		   key->get_keysize(key));
-	if (has_privkey)
-	{
-		printf(", has private key");
-	}
-	printf("\n");
-	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
-	{
-		printf("keyid:     %#B\n", &chunk);
-	}
-	if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk))
-	{
-		printf("subjkey:   %#B\n", &chunk);
-	}
-}
-
-/**
- * Print X509 specific certificate information
- */
-static void print_x509(x509_t *x509)
+CALLBACK(list_cb, void,
+	command_format_options_t *format, char *name, vici_res_t *res)
 {
-	enumerator_t *enumerator;
-	identification_t *id;
-	traffic_selector_t *block;
-	chunk_t chunk;
-	bool first;
-	char *uri;
-	int len, explicit, inhibit;
-	x509_flag_t flags;
-	x509_cdp_t *cdp;
-	x509_cert_policy_t *policy;
-	x509_policy_mapping_t *mapping;
-
-	chunk = chunk_skip_zero(x509->get_serial(x509));
-	printf("serial:    %#B\n", &chunk);
-
-	first = TRUE;
-	enumerator = x509->create_subjectAltName_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("altNames:  ");
-			first = FALSE;
-		}
-		else
-		{
-			printf(", ");
-		}
-		printf("%Y", id);
-	}
-	if (!first)
-	{
-		printf("\n");
-	}
-	enumerator->destroy(enumerator);
-
-	flags = x509->get_flags(x509);
-	printf("flags:     ");
-	if (flags & X509_CA)
-	{
-		printf("CA ");
-	}
-	if (flags & X509_CRL_SIGN)
-	{
-		printf("CRLSign ");
-	}
-	if (flags & X509_AA)
-	{
-		printf("AA ");
-	}
-	if (flags & X509_OCSP_SIGNER)
-	{
-		printf("OCSP ");
-	}
-	if (flags & X509_AA)
-	{
-		printf("AA ");
-	}
-	if (flags & X509_SERVER_AUTH)
-	{
-		printf("serverAuth ");
-	}
-	if (flags & X509_CLIENT_AUTH)
-	{
-		printf("clientAuth ");
-	}
-	if (flags & X509_IKE_INTERMEDIATE)
-	{
-		printf("iKEIntermediate ");
-	}
-	if (flags & X509_SELF_SIGNED)
-	{
-		printf("self-signed ");
-	}
-	printf("\n");
-
-	first = TRUE;
-	enumerator = x509->create_crl_uri_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &cdp))
-	{
-		if (first)
-		{
-			printf("CRL URIs:  %s", cdp->uri);
-			first = FALSE;
-		}
-		else
-		{
-			printf("           %s", cdp->uri);
-		}
-		if (cdp->issuer)
-		{
-			printf(" (CRL issuer: %Y)", cdp->issuer);
-		}
-		printf("\n");
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_ocsp_uri_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &uri))
-	{
-		if (first)
-		{
-			printf("OCSP URIs: %s\n", uri);
-			first = FALSE;
-		}
-		else
-		{
-			printf("           %s\n", uri);
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	len = x509->get_constraint(x509, X509_PATH_LEN);
-	if (len != X509_NO_CONSTRAINT)
-	{
-		printf("pathlen:   %d\n", len);
-	}
-
-	first = TRUE;
-	enumerator = x509->create_name_constraint_enumerator(x509, TRUE);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("Permitted NameConstraints:\n");
-			first = FALSE;
-		}
-		printf("           %Y\n", id);
-	}
-	enumerator->destroy(enumerator);
-	first = TRUE;
-	enumerator = x509->create_name_constraint_enumerator(x509, FALSE);
-	while (enumerator->enumerate(enumerator, &id))
-	{
-		if (first)
-		{
-			printf("Excluded NameConstraints:\n");
-			first = FALSE;
-		}
-		printf("           %Y\n", id);
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_cert_policy_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &policy))
-	{
-		char *oid;
-
-		if (first)
-		{
-			printf("CertificatePolicies:\n");
-			first = FALSE;
-		}
-		oid = asn1_oid_to_string(policy->oid);
-		if (oid)
-		{
-			printf("           %s\n", oid);
-			free(oid);
-		}
-		else
-		{
-			printf("           %#B\n", &policy->oid);
-		}
-		if (policy->cps_uri)
-		{
-			printf("             CPS: %s\n", policy->cps_uri);
-		}
-		if (policy->unotice_text)
-		{
-			printf("             Notice: %s\n", policy->unotice_text);
-
-		}
-	}
-	enumerator->destroy(enumerator);
-
-	first = TRUE;
-	enumerator = x509->create_policy_mapping_enumerator(x509);
-	while (enumerator->enumerate(enumerator, &mapping))
-	{
-		char *issuer_oid, *subject_oid;
-
-		if (first)
-		{
-			printf("PolicyMappings:\n");
-			first = FALSE;
-		}
-		issuer_oid = asn1_oid_to_string(mapping->issuer);
-		subject_oid = asn1_oid_to_string(mapping->subject);
-		printf("           %s => %s\n", issuer_oid, subject_oid);
-		free(issuer_oid);
-		free(subject_oid);
-	}
-	enumerator->destroy(enumerator);
-
-	explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
-	inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
-	len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+	certificate_t *cert;
+	certificate_type_t type;
+	x509_flag_t flag = X509_NONE;
+	identification_t *subject = NULL;
+	time_t not_before = UNDEFINED_TIME;
+	time_t not_after  = UNDEFINED_TIME;
+	chunk_t t_ch;
+	bool has_privkey;
+	char *str;
+	void *buf;
+	int len;
 
-	if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT ||
-		len != X509_NO_CONSTRAINT)
+	if (*format & COMMAND_FORMAT_RAW)
 	{
-		printf("PolicyConstraints:\n");
-		if (explicit != X509_NO_CONSTRAINT)
-		{
-			printf("           requireExplicitPolicy: %d\n", explicit);
-		}
-		if (inhibit != X509_NO_CONSTRAINT)
-		{
-			printf("           inhibitPolicyMapping: %d\n", inhibit);
-		}
-		if (len != X509_NO_CONSTRAINT)
-		{
-			printf("           inhibitAnyPolicy: %d\n", len);
-		}
+		vici_dump(res, "list-cert event", *format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+		return;
 	}
 
-	chunk = x509->get_authKeyIdentifier(x509);
-	if (chunk.ptr)
+	buf = vici_find(res, &len, "data");
+	if (!buf)
 	{
-		printf("authkeyId: %#B\n", &chunk);
+		fprintf(stderr, "received incomplete certificate data\n");
+		return;
 	}
+	has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
 
-	chunk = x509->get_subjectKeyIdentifier(x509);
-	if (chunk.ptr)
+	str = vici_find_str(res, "ANY", "type");
+	if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY)
 	{
-		printf("subjkeyId: %#B\n", &chunk);
+		fprintf(stderr, "unsupported certificate type '%s'\n", str);
+		return;
 	}
-	if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+	if (type == CERT_X509)
 	{
-		first = TRUE;
-		printf("addresses: ");
-		enumerator = x509->create_ipAddrBlock_enumerator(x509);
-		while (enumerator->enumerate(enumerator, &block))
+		str = vici_find_str(res, "ANY", "flag");
+		if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY)
 		{
-			if (first)
-			{
-				first = FALSE;
-			}
-			else
-			{
-				printf(", ");
-			}
-			printf("%R", block);
+			fprintf(stderr, "unsupported certificate flag '%s'\n", str);
+			return;
 		}
-		enumerator->destroy(enumerator);
-		printf("\n");
 	}
-}
-
-/**
- * Print CRL specific information
- */
-static void print_crl(crl_t *crl)
-{
-	enumerator_t *enumerator;
-	time_t ts;
-	crl_reason_t reason;
-	chunk_t chunk;
-	int count = 0;
-	bool first;
-	char buf[64];
-	struct tm tm;
-	x509_cdp_t *cdp;
-
-	chunk = chunk_skip_zero(crl->get_serial(crl));
-	printf("serial:    %#B\n", &chunk);
-
-	if (crl->is_delta_crl(crl, &chunk))
-	{
-		chunk = chunk_skip_zero(chunk);
-		printf("delta CRL: for serial %#B\n", &chunk);
-	}
-	chunk = crl->get_authKeyIdentifier(crl);
-	printf("authKeyId: %#B\n", &chunk);
-
-	first = TRUE;
-	enumerator = crl->create_delta_crl_uri_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &cdp))
+	if (type == CERT_TRUSTED_PUBKEY)
 	{
-		if (first)
+		str = vici_find_str(res, NULL, "subject");
+		if (str)
 		{
-			printf("freshest:  %s", cdp->uri);
-			first = FALSE;
+			subject = identification_create_from_string(str);
 		}
-		else
+		str = vici_find_str(res, NULL, "not-before");
+		if (str)
 		{
-			printf("           %s", cdp->uri);
+			t_ch = chunk_from_str(str);
+			not_before = asn1_to_time(&t_ch, ASN1_GENERALIZEDTIME);
 		}
-		if (cdp->issuer)
+		str = vici_find_str(res, NULL, "not-after");
+		if (str)
 		{
-			printf(" (CRL issuer: %Y)", cdp->issuer);
+			t_ch = chunk_from_str(str);
+			not_after = asn1_to_time(&t_ch, ASN1_GENERALIZEDTIME);
 		}
-		printf("\n");
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+								  BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
+								  BUILD_NOT_BEFORE_TIME, not_before,
+								  BUILD_NOT_AFTER_TIME, not_after,
+								  BUILD_SUBJECT, subject, BUILD_END);
+		DESTROY_IF(subject);
 	}
-	enumerator->destroy(enumerator);
-
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-	{
-		count++;
-	}
-	enumerator->destroy(enumerator);
-
-	printf("%d revoked certificate%s%s\n", count,
-		   count == 1 ? "" : "s", count ? ":" : "");
-	enumerator = crl->create_enumerator(crl);
-	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
-	{
-		chunk = chunk_skip_zero(chunk);
-		localtime_r(&ts, &tm);
-		strftime(buf, sizeof(buf), "%F %T", &tm);
-		printf("    %#B: %s, %N\n", &chunk, buf, crl_reason_names, reason);
-		count++;
-	}
-	enumerator->destroy(enumerator);
-}
-
-/**
- * Print AC specific information
- */
-static void print_ac(ac_t *ac)
-{
-	ac_group_type_t type;
-	identification_t *id;
-	enumerator_t *groups;
-	chunk_t chunk;
-	bool first = TRUE;
-
-	chunk = chunk_skip_zero(ac->get_serial(ac));
-	printf("serial:    %#B\n", &chunk);
-
-	id = ac->get_holderIssuer(ac);
-	if (id)
-	{
-		printf("hissuer:  \"%Y\"\n", id);
-	}
-	chunk = chunk_skip_zero(ac->get_holderSerial(ac));
-	if (chunk.ptr)
+	else
 	{
-		printf("hserial:   %#B\n", &chunk);
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
+								  BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
+								  BUILD_END);
 	}
-	groups = ac->create_group_enumerator(ac);
-	while (groups->enumerate(groups, &type, &chunk))
+	if (cert)
 	{
-		int oid;
-		char *str;
-
-		if (first)
+		if (*format & COMMAND_FORMAT_PEM)
 		{
-			printf("groups:    ");
-			first = FALSE;
+			print_pem(cert);
 		}
 		else
 		{
-			printf("           ");
-		}
-		switch (type)
-		{
-			case AC_GROUP_TYPE_STRING:
-				printf("%.*s", (int)chunk.len, chunk.ptr);
-				break;
-			case AC_GROUP_TYPE_OID:
-				oid = asn1_known_oid(chunk);
-				if (oid == OID_UNKNOWN)
-				{
-					str = asn1_oid_to_string(chunk);
-					if (str)
-					{
-						printf("%s", str);
-						free(str);
-					}
-					else
-					{
-						printf("OID:%#B", &chunk);
-					}
-				}
-				else
-				{
-					printf("%s", oid_names[oid].name);
-				}
-				break;
-			case AC_GROUP_TYPE_OCTETS:
-				printf("%#B", &chunk);
-				break;
+			cert_printer->print_caption(cert_printer, type, flag);
+			cert_printer->print(cert_printer, cert, has_privkey);
 		}
-		printf("\n");
-	}
-	groups->destroy(groups);
-
-	chunk = ac->get_authKeyIdentifier(ac);
-	if (chunk.ptr)
-	{
-		printf("authkey:  %#B\n", &chunk);
-	}
-}
-
-/**
- * Print certificate information
- */
-static void print_cert(certificate_t *cert, bool has_privkey)
-{
-	time_t now, notAfter, notBefore;
-	public_key_t *key;
-
-	now = time(NULL);
-
-	printf("cert:      %N\n", certificate_type_names, cert->get_type(cert));
-	if (cert->get_type(cert) != CERT_X509_CRL)
-	{
-		printf("subject:  \"%Y\"\n", cert->get_subject(cert));
-	}
-	printf("issuer:   \"%Y\"\n", cert->get_issuer(cert));
-
-	cert->get_validity(cert, &now, &notBefore, &notAfter);
-	printf("validity:  not before %T, ", &notBefore, FALSE);
-	if (now < notBefore)
-	{
-		printf("not valid yet (valid in %V)\n", &now, &notBefore);
+		cert->destroy(cert);
 	}
 	else
 	{
-		printf("ok\n");
-	}
-	printf("           not after  %T, ", &notAfter, FALSE);
-	if (now > notAfter)
-	{
-		printf("expired (%V ago)\n", &now, &notAfter);
-	}
-	else
-	{
-		printf("ok (expires in %V)\n", &now, &notAfter);
-	}
-
-	switch (cert->get_type(cert))
-	{
-		case CERT_X509:
-			print_x509((x509_t*)cert);
-			break;
-		case CERT_X509_CRL:
-			print_crl((crl_t*)cert);
-			break;
-		case CERT_X509_AC:
-			print_ac((ac_t*)cert);
-			break;
-		default:
-			fprintf(stderr, "parsing certificate subtype %N not implemented\n",
-					certificate_type_names, cert->get_type(cert));
-			break;
-	}
-	key = cert->get_public_key(cert);
-	if (key)
-	{
-		print_pubkey(key, has_privkey);
-		key->destroy(key);
-	}
-	printf("\n");
-}
-
-CALLBACK(list_cb, void,
-	command_format_options_t *format, char *name, vici_res_t *res)
-{
-	if (*format & COMMAND_FORMAT_RAW)
-	{
-		vici_dump(res, "list-cert event", *format & COMMAND_FORMAT_PRETTY,
-				  stdout);
-	}
-	else
-	{
-		certificate_type_t type;
-		certificate_t *cert;
-		void *buf;
-		int len;
-		bool has_privkey;
-
-		buf = vici_find(res, &len, "data");
-		has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes");
-		if (enum_from_name(certificate_type_names,
-						   vici_find_str(res, "ANY", "type"), &type) &&
-			type != CERT_ANY && buf)
-		{
-			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type,
-									BUILD_BLOB_ASN1_DER, chunk_create(buf, len),
-									BUILD_END);
-			if (cert)
-			{
-				if (*format & COMMAND_FORMAT_PEM)
-				{
-					print_pem(cert);
-				}
-				else
-				{
-					print_cert(cert, has_privkey);
-				}
-				cert->destroy(cert);
-			}
-			else
-			{
-				fprintf(stderr, "parsing certificate failed\n");
-			}
-		}
-		else
-		{
-			fprintf(stderr, "received incomplete certificate data\n");
-		}
+		fprintf(stderr, "parsing certificate failed\n");
 	}
 }
 
@@ -592,7 +153,8 @@ static int list_certs(vici_conn_t *conn)
 	vici_req_t *req;
 	vici_res_t *res;
 	command_format_options_t format = COMMAND_FORMAT_NONE;
-	char *arg, *subject = NULL, *type = NULL;
+	char *arg, *subject = NULL, *type = NULL, *flag = NULL;
+	bool detailed = TRUE, utc = FALSE;
 	int ret;
 
 	while (TRUE)
@@ -607,6 +169,9 @@ static int list_certs(vici_conn_t *conn)
 			case 't':
 				type = arg;
 				continue;
+			case 'f':
+				flag = arg;
+				continue;
 			case 'p':
 				format |= COMMAND_FORMAT_PEM;
 				continue;
@@ -616,6 +181,12 @@ static int list_certs(vici_conn_t *conn)
 			case 'r':
 				format |= COMMAND_FORMAT_RAW;
 				continue;
+			case 'S':
+				detailed = FALSE;
+				continue;
+			case 'U':
+				utc = TRUE;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -631,19 +202,28 @@ static int list_certs(vici_conn_t *conn)
 		return ret;
 	}
 	req = vici_begin("list-certs");
+
 	if (type)
 	{
 		vici_add_key_valuef(req, "type", "%s", type);
 	}
+	if (flag)
+	{
+		vici_add_key_valuef(req, "flag", "%s", flag);
+	}
 	if (subject)
 	{
 		vici_add_key_valuef(req, "subject", "%s", subject);
 	}
+	cert_printer = certificate_printer_create(stdout, detailed, utc);
+
 	res = vici_submit(req, conn);
 	if (!res)
 	{
 		ret = errno;
 		fprintf(stderr, "list-certs request failed: %s\n", strerror(errno));
+		cert_printer->destroy(cert_printer);
+		cert_printer = NULL;
 		return ret;
 	}
 	if (format & COMMAND_FORMAT_RAW)
@@ -652,6 +232,9 @@ static int list_certs(vici_conn_t *conn)
 				  stdout);
 	}
 	vici_free_res(res);
+
+	cert_printer->destroy(cert_printer);
+	cert_printer = NULL;
 	return 0;
 }
 
@@ -662,15 +245,19 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		list_certs, 'x', "list-certs", "list stored certificates",
-		{"[--subject <dn/san>] [--type X509|X509_AC|X509_CRL] [--pem] "
-		 "[--raw|--pretty]"},
+		{"[--subject <dn/san>] [--pem]",
+		 "[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]",
+		 "[--flag none|ca|aa|ocsp|any] [--raw|--pretty|--short|--utc]"},
 		{
 			{"help",		'h', 0, "show usage information"},
 			{"subject",		's', 1, "filter by certificate subject"},
 			{"type",		't', 1, "filter by certificate type"},
+			{"flag",		'f', 1, "filter by X.509 certificate flag"},
 			{"pem",			'p', 0, "print PEM encoding of certificate"},
 			{"raw",			'r', 0, "dump raw response message"},
 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+			{"short",		'S', 0, "omit some certificate details"},
+			{"utc",			'U', 0, "use UTC for time fields"},
 		}
 	});
 }
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index 93dd7ed85..fd080227d 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -198,16 +201,18 @@ CALLBACK(ike_sa, int,
 			ike->get(ike, "state"), ike->get(ike, "version"),
 			ike->get(ike, "initiator-spi"), ike->get(ike, "responder-spi"));
 
-		printf("  local  '%s' @ %s",
-			ike->get(ike, "local-id"), ike->get(ike, "local-host"));
+		printf("  local  '%s' @ %s[%s]",
+			ike->get(ike, "local-id"), ike->get(ike, "local-host"),
+			ike->get(ike, "local-port"));
 		if (ike->get(ike, "local-vips"))
 		{
 			printf(" [%s]", ike->get(ike, "local-vips"));
 		}
 		printf("\n");
 
-		printf("  remote '%s' @ %s",
-			ike->get(ike, "remote-id"), ike->get(ike, "remote-host"));
+		printf("  remote '%s' @ %s[%s]",
+			ike->get(ike, "remote-id"), ike->get(ike, "remote-host"),
+			ike->get(ike, "remote-port"));
 		if (ike->get(ike, "remote-eap-id"))
 		{
 			printf(" EAP: '%s'", ike->get(ike, "remote-eap-id"));
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index 6ee8b8785..bbc700d5c 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -59,6 +59,7 @@ static bool is_file_list_key(char *key)
 	char *keys[] = {
 		"certs",
 		"cacerts",
+		"pubkeys"
 	};
 	int i;
 
@@ -112,12 +113,18 @@ static bool add_file_list_key(vici_req_t *req, char *key, char *value)
 						 SWANCTL_X509DIR, DIRECTORY_SEPARATOR, token);
 				token = buf;
 			}
-			if (streq(key, "cacerts"))
+			else if (streq(key, "cacerts"))
 			{
 				snprintf(buf, sizeof(buf), "%s%s%s",
 						 SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, token);
 				token = buf;
 			}
+			else if (streq(key, "pubkeys"))
+			{
+				snprintf(buf, sizeof(buf), "%s%s%s",
+						 SWANCTL_PUBKEYDIR, DIRECTORY_SEPARATOR, token);
+				token = buf;
+			}
 		}
 
 		map = chunk_map(token, FALSE);
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index d2ebc22eb..4647934f7 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -27,11 +30,14 @@
 #include <credentials/sets/callback_cred.h>
 #include <credentials/containers/pkcs12.h>
 
+#include <vici_cert_info.h>
+
 /**
  * Load a single certificate over vici
  */
 static bool load_cert(vici_conn_t *conn, command_format_options_t format,
-					  char *dir, char *type, chunk_t data)
+					  char *dir, certificate_type_t type, x509_flag_t flag,
+					  chunk_t data)
 {
 	vici_req_t *req;
 	vici_res_t *res;
@@ -39,7 +45,11 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
 
 	req = vici_begin("load-cert");
 
-	vici_add_key_valuef(req, "type", "%s", type);
+	vici_add_key_valuef(req, "type", "%N", certificate_type_names, type);
+	if (type == CERT_X509)
+	{
+		vici_add_key_valuef(req, "flag", "%N", x509_flag_names, flag);
+	}
 	vici_add_key_value(req, "data", data.ptr, data.len);
 
 	res = vici_submit(req, conn);
@@ -61,7 +71,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
 	}
 	else
 	{
-		printf("loaded %s certificate from '%s'\n", type, dir);
+		printf("loaded certificate from '%s'\n", dir);
 	}
 	vici_free_res(res);
 	return ret;
@@ -71,13 +81,17 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
  * Load certficiates from a directory
  */
 static void load_certs(vici_conn_t *conn, command_format_options_t format,
-					   char *type, char *dir)
+					   char *type_str, char *dir)
 {
 	enumerator_t *enumerator;
+	certificate_type_t type;
+	x509_flag_t flag;
 	struct stat st;
 	chunk_t *map;
 	char *path;
 
+	vici_cert_info_from_str(type_str, &type, &flag);
+
 	enumerator = enumerator_create_directory(dir);
 	if (enumerator)
 	{
@@ -88,7 +102,7 @@ static void load_certs(vici_conn_t *conn, command_format_options_t format,
 				map = chunk_map(path, FALSE);
 				if (map)
 				{
-					load_cert(conn, format, path, type, *map);
+					load_cert(conn, format, path, type, flag, *map);
 					chunk_unmap(map);
 				}
 				else
@@ -171,6 +185,9 @@ static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
 		case KEY_ECDSA:
 			loaded = load_key(conn, format, path, "ecdsa", encoding);
 			break;
+		case KEY_BLISS:
+			loaded = load_key(conn, format, path, "bliss", encoding);
+			break;
 		default:
 			fprintf(stderr, "unsupported key type in '%s'\n", path);
 			break;
@@ -237,6 +254,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
 		{ "pkcs8",			CRED_PRIVATE_KEY,		KEY_ANY,			},
 		{ "rsa",			CRED_PRIVATE_KEY,		KEY_RSA,			},
 		{ "ecdsa",			CRED_PRIVATE_KEY,		KEY_ECDSA,			},
+		{ "bliss",			CRED_PRIVATE_KEY,		KEY_BLISS,			},
 		{ "pkcs12",			CRED_CONTAINER,			CONTAINER_PKCS12,	},
 	};
 	int i;
@@ -439,7 +457,8 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
 		loaded = FALSE;
 		if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
 		{
-			loaded = load_cert(conn, format, path, "x509", encoding);
+			loaded = load_cert(conn, format, path, CERT_X509, X509_NONE,
+							   encoding);
 			if (loaded)
 			{
 				fprintf(stderr, "  %Y\n", cert->get_subject(cert));
@@ -548,6 +567,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 		"ike",
 		"rsa",
 		"ecdsa",
+		"bliss",
 		"pkcs8",
 		"pkcs12",
 	};
@@ -672,14 +692,17 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
 		}
 	}
 
-	load_certs(conn, format, "x509", SWANCTL_X509DIR);
-	load_certs(conn, format, "x509ca", SWANCTL_X509CADIR);
-	load_certs(conn, format, "x509aa", SWANCTL_X509AADIR);
-	load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
-	load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR);
+	load_certs(conn, format, "x509",     SWANCTL_X509DIR);
+	load_certs(conn, format, "x509ca",   SWANCTL_X509CADIR);
+	load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
+	load_certs(conn, format, "x509aa",   SWANCTL_X509AADIR);
+	load_certs(conn, format, "x509ac",   SWANCTL_X509ACDIR);
+	load_certs(conn, format, "x509crl",  SWANCTL_X509CRLDIR);
+	load_certs(conn, format, "pubkey",   SWANCTL_PUBKEYDIR);
 
-	load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
+	load_keys(conn, format, noprompt, cfg, "rsa",   SWANCTL_RSADIR);
 	load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
+	load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
 	load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
 
 	load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
diff --git a/src/swanctl/commands/redirect.c b/src/swanctl/commands/redirect.c
new file mode 100644
index 000000000..6edb936e6
--- /dev/null
+++ b/src/swanctl/commands/redirect.c
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "command.h"
+
+#include <errno.h>
+
+static int redirect(vici_conn_t *conn)
+{
+	vici_req_t *req;
+	vici_res_t *res;
+	command_format_options_t format = COMMAND_FORMAT_NONE;
+	char *arg, *peer_ip = NULL, *peer_id = NULL, *ike = NULL, *gateway = NULL;
+	int ret = 0, ike_id = 0;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 'P':
+				format |= COMMAND_FORMAT_PRETTY;
+				/* fall through to raw */
+			case 'r':
+				format |= COMMAND_FORMAT_RAW;
+				continue;
+			case 'i':
+				ike = arg;
+				continue;
+			case 'I':
+				ike_id = atoi(arg);
+				continue;
+			case 'p':
+				peer_ip = arg;
+				continue;
+			case 'd':
+				peer_id = arg;
+				continue;
+			case 'g':
+				gateway = arg;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --redirect option");
+		}
+		break;
+	}
+	req = vici_begin("redirect");
+	if (ike)
+	{
+		vici_add_key_valuef(req, "ike", "%s", ike);
+	}
+	if (ike_id)
+	{
+		vici_add_key_valuef(req, "ike-id", "%d", ike_id);
+	}
+	if (peer_ip)
+	{
+		vici_add_key_valuef(req, "peer-ip", "%s", peer_ip);
+	}
+	if (peer_id)
+	{
+		vici_add_key_valuef(req, "peer-id", "%s", peer_id);
+	}
+	if (gateway)
+	{
+		vici_add_key_valuef(req, "gateway", "%s", gateway);
+	}
+	res = vici_submit(req, conn);
+	if (!res)
+	{
+		ret = errno;
+		fprintf(stderr, "redirect request failed: %s\n", strerror(errno));
+		return ret;
+	}
+	if (format & COMMAND_FORMAT_RAW)
+	{
+		vici_dump(res, "redirect reply", format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+	}
+	else
+	{
+		if (streq(vici_find_str(res, "no", "success"), "yes"))
+		{
+			printf("redirect completed successfully\n");
+		}
+		else
+		{
+			fprintf(stderr, "redirect failed: %s\n",
+					vici_find_str(res, "", "errmsg"));
+			ret = 1;
+		}
+	}
+	vici_free_res(res);
+	return ret;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		redirect, 'd', "redirect", "redirect an IKE_SA",
+		{"--ike <name> | --ike-id <id> | --peer-ip <ip|subnet|range>",
+		 "--peer-id <id|wildcards> | --gateway <ip|fqdn> [--raw|--pretty]"},
+		{
+			{"help",		'h', 0, "show usage information"},
+			{"ike",			'i', 1, "redirect by IKE_SA name"},
+			{"ike-id",		'I', 1, "redirect by IKE_SA unique identifier"},
+			{"peer-ip",		'p', 1, "redirect by client IP"},
+			{"peer-id",		'd', 1, "redirect by IKE_SA name"},
+			{"gateway",		'g', 1, "target gateway (IP or FQDN)"},
+			{"raw",			'r', 0, "dump raw response message"},
+			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+		}
+	});
+}
diff --git a/src/swanctl/commands/stats.c b/src/swanctl/commands/stats.c
index a28ca83ba..e734c66ff 100644
--- a/src/swanctl/commands/stats.c
+++ b/src/swanctl/commands/stats.c
@@ -15,8 +15,17 @@
 
 #include "command.h"
 
+#include <collections/hashtable.h>
+
 #include <errno.h>
 
+CALLBACK(list, int,
+	hashtable_t *sa, vici_res_t *res, char *name, void *value, int len)
+{
+	printf(" %.*s", len, value);
+	return 0;
+}
+
 static int stats(vici_conn_t *conn)
 {
 	vici_req_t *req;
@@ -98,6 +107,9 @@ static int stats(vici_conn_t *conn)
 				vici_find_str(res, "", "mallinfo.used"),
 				vici_find_str(res, "", "mallinfo.free"));
 		}
+		printf("loaded plugins:");
+		vici_parse_cb(res, NULL, NULL, list, NULL);
+		printf("\n");
 	}
 	vici_free_res(res);
 	return 0;
diff --git a/src/swanctl/swanctl.8.in b/src/swanctl/swanctl.8.in
index cd033f91e..a3074601e 100644
--- a/src/swanctl/swanctl.8.in
+++ b/src/swanctl/swanctl.8.in
@@ -1,4 +1,4 @@
-.TH SWANCTL 8 "2014-04-28" "@PACKAGE_VERSION@" "strongSwan"
+.TH SWANCTL 8 "2015-11-20" "@PACKAGE_VERSION@" "strongSwan"
 .SH NAME
 swanctl \- strongSwan configuration, control and monitoring command line interface.
 .SH SYNOPSIS
@@ -41,6 +41,10 @@ initiate a connection
 \-\-terminate\fR
 terminate a connection
 .TP
+.B "\-d, \-\-redirect"
+\-\-redirect\fR
+redirect an IKE_SA
+.TP
 .B "\-p, \-\-install"
 install a trap or shunt policy
 .TP
@@ -68,6 +72,9 @@ list stored certificates
 .B "\-A, \-\-list\-pools"
 list loaded pool configurations
 .TP
+.B "\-g, \-\-list\-algs"
+list loaded algorithms and their implementation
+.TP
 .B "\-q, \-\-load\-all"
 (re\-)load credentials, pools, authorities and connections
 .TP
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index c480ce174..428be91e7 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -13,7 +13,7 @@
         # Remote address(es) to use for IKE communication, comma separated.
         # remote_addrs = %any
 
-        # Local UPD port for IKE communication.
+        # Local UDP port for IKE communication.
         # local_port = 500
 
         # Remote UDP port for IKE communication.
@@ -43,7 +43,7 @@
         # Timeout for DPD checks (IKEV1 only).
         # dpd_timeout = 0s
 
-        # Use IKEv1 UDP packet fragmentation (yes, no or force).
+        # Use IKE UDP datagram fragmentation.  (yes, no or force).
         # fragmentation = no
 
         # Send certificate requests payloads (yes or no).
@@ -76,10 +76,19 @@
         # Section for a local authentication round.
         # local<suffix> {
 
+            # Optional numeric identifier by which authentication rounds are
+            # sorted.  If not specified rounds are ordered by their position in
+            # the config file/VICI message.
+            # round = 0
+
             # Comma separated list of certificate candidates to use for
             # authentication.
             # certs =
 
+            # Comma separated list of raw public key candidates to use for
+            # authentication.
+            # pubkeys =
+
             # Authentication to perform locally (pubkey, psk, xauth[-backend] or
             # eap[-method]).
             # auth = pubkey
@@ -102,6 +111,11 @@
         # Section for a remote authentication round.
         # remote<suffix> {
 
+            # Optional numeric identifier by which authentication rounds are
+            # sorted.  If not specified rounds are ordered by their position in
+            # the config file/VICI message.
+            # round = 0
+
             # IKE identity to expect for authentication round.
             # id = %any
 
@@ -115,6 +129,10 @@
             # authentication.
             # cacerts =
 
+            # Comma separated list of raw public keys to accept for
+            # authentication.
+            # pubkeys =
+
             # Certificate revocation policy, (strict, ifuri or relaxed).
             # revocation = relaxed
 
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 6e3842d8a..a5b2a731f 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -49,7 +49,7 @@ specified.
 
 .TP
 .BR connections.<conn>.local_port " [500]"
-Local UPD port for IKE communication. By default the port of the socket backend
+Local UDP port for IKE communication. By default the port of the socket backend
 is used, which is usually
 .RI "" "500" "."
 If port
@@ -62,7 +62,7 @@ use (socket\-dynamic).
 
 .TP
 .BR connections.<conn>.remote_port " [500]"
-Remote UPD port for IKE communication. If the default of port
+Remote UDP port for IKE communication. If the default of port
 .RI "" "500" ""
 is used,
 automatic IKE port floating to port 4500 is used to work around NAT issues.
@@ -152,17 +152,21 @@ option has no effect on connections using IKE2.
 
 .TP
 .BR connections.<conn>.fragmentation " [no]"
-The default of
+Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
+fragmentation).  Acceptable  values  are
+.RI "" "yes" ","
+.RI "" "force" ""
+and
 .RI "" "no" ""
-disables IKEv1 fragmentation mechanism,
-.RI "" "yes" ""
-enables it if
-support has been indicated by the peer.
+(the default).
+Fragmented IKE messages sent by a peer are always accepted irrespective of  the
+value  of  this option. If set to
+.RI "" "yes" ","
+and the peer supports it, oversized IKE
+messages will be sent in fragments.  If set  to
 .RI "" "force" ""
-enforces fragmentation if
-required even before the peer had a chance to indicate support for it.
-
-IKE fragmentation is currently not supported with IKEv2.
+(only  supported  for
+IKEv1) the initial IKE message will already be fragmented if required.
 
 .TP
 .BR connections.<conn>.send_certreq " [yes]"
@@ -311,19 +315,36 @@ unique suffix. To define a single authentication round, the suffix may be
 omitted.
 
 .TP
+.BR connections.<conn>.local<suffix>.round " [0]"
+Optional numeric identifier by which authentication rounds are sorted.  If not
+specified rounds are ordered by their position in the config file/VICI message.
+
+.TP
 .BR connections.<conn>.local<suffix>.certs " []"
 Comma separated list of certificate candidates to use for authentication. The
 certificates may use a relative path from the
 .RB "" "swanctl" ""
 .RI "" "x509" ""
-directory, or
-an absolute path.
+directory or an
+absolute path.
 
 The certificate used for authentication is selected based on the received
 certificate request payloads. If no appropriate CA can be located, the first
 certificate is used.
 
 .TP
+.BR connections.<conn>.local<suffix>.pubkeys " []"
+Comma separated list of raw public key candidates to use for authentication. The
+public keys may use a relative path from the
+.RB "" "swanctl" ""
+.RI "" "pubkey" ""
+directory or
+an absolute path.
+
+Even though multiple local public keys could be defined in principle, only the
+first public key in the list is used for authentication.
+
+.TP
 .BR connections.<conn>.local<suffix>.auth " [pubkey]"
 Authentication to perform locally.
 .RI "" "pubkey" ""
@@ -362,6 +383,31 @@ a specific EAP method name may be appended, separated by a dash. An
 EAP module implementing the appropriate method is selected to perform the EAP
 conversation.
 
+If both peers support RFC 7427 ("Signature Authentication in IKEv2") specific
+hash algorithms to be used during IKEv2 authentication may be configured. To do
+so use
+.RI "" "ike:" ""
+followed by a trust chain signature scheme constraint (see
+description of the
+.RB "" "remote" ""
+section's
+.RB "" "auth" ""
+keyword). For example, with
+.RI "" "ike:pubkey\-sha384\-sha256" ""
+a public key signature scheme with either SHA\-384 or
+SHA\-256 would get used for authentication, in that order and depending on the
+hash algorithms supported by the peer. If no specific hash algorithms are
+configured, the default is to prefer an algorithm that matches or exceeds the
+strength of the signature key. If no constraints with
+.RI "" "ike:" ""
+prefix are
+configured any signature scheme constraint (without
+.RI "" "ike:" ""
+prefix) will also
+apply to IKEv2 authentication, unless this is disabled in
+.RB "" "strongswan.conf" "(5)."
+
+
 .TP
 .BR connections.<conn>.local<suffix>.id " []"
 IKE identity to use for authentication round. When using certificate
@@ -432,6 +478,11 @@ unique suffix. To define a single authentication round, the suffix may be
 omitted.
 
 .TP
+.BR connections.<conn>.remote<suffix>.round " [0]"
+Optional numeric identifier by which authentication rounds are sorted.  If not
+specified rounds are ordered by their position in the config file/VICI message.
+
+.TP
 .BR connections.<conn>.remote<suffix>.id " [%any]"
 IKE identity to expect for authentication round. Refer to the
 .RI "" "local" ""
@@ -451,8 +502,8 @@ Comma separated list of certificates to accept for authentication. The
 certificates may use a relative path from the
 .RB "" "swanctl" ""
 .RI "" "x509" ""
-directory, or
-an absolute path.
+directory or an
+absolute path.
 
 .TP
 .BR connections.<conn>.remote<suffix>.cacerts " []"
@@ -460,10 +511,19 @@ Comma separated list of CA certificates to accept for authentication. The
 certificates may use a relative path from the
 .RB "" "swanctl" ""
 .RI "" "x509ca" ""
-directory, or
+directory or
 an absolute path.
 
 .TP
+.BR connections.<conn>.remote<suffix>.pubkeys " []"
+Comma separated list of raw public keys to accept for authentication. The public
+keys may use a relative path from the
+.RB "" "swanctl" ""
+.RI "" "x509" ""
+directory or an
+absolute path.
+
+.TP
 .BR connections.<conn>.remote<suffix>.revocation " [relaxed]"
 Certificate revocation policy for CRL or OCSP revocation.
 
@@ -486,10 +546,40 @@ i.e. it is explicitly known that it is bad.
 .BR connections.<conn>.remote<suffix>.auth " [pubkey]"
 Authentication to expect from remote. See the
 .RB "" "local" ""
-sections
+section's
 .RB "" "auth" ""
 keyword description about the details of supported mechanisms.
 
+To require a trustchain public key strength for the remote side, specify the key
+type followed by the minimum strength in bits (for example
+.RI "" "ecdsa\-384" ""
+or
+.RI "" "rsa\-2048\-ecdsa\-256" ")."
+To limit the acceptable set of hashing algorithms for
+trustchain validation, append hash algorithms to
+.RI "" "pubkey" ""
+or a key strength
+definition (for example
+.RI "" "pubkey\-sha1\-sha256" ""
+or
+.RI "" "rsa\-2048\-ecdsa\-256\-sha256\-sha384\-sha512" ")."
+Unless disabled in
+.RB "" "strongswan.conf" "(5),"
+or explicit IKEv2 signature constraints are configured
+(refer to the description of the
+.RB "" "local" ""
+section's
+.RB "" "auth" ""
+keyword for
+details), such key types and hash algorithms are also applied as constraints
+against IKEv2 signature authentication schemes used by the remote side.
+
+To specify trust chain constraints for EAP\-(T)TLS, append a colon to the EAP
+method, followed by the key type/size and hash algorithm as discussed above
+(e.g.
+.RI "" "eap\-tls:ecdsa\-384\-sha384" ")."
+
+
 .TP
 .B connections.<conn>.children.<child>
 .br
@@ -722,8 +812,8 @@ is negotiated if the preferred mode is not available.
 .RI "" "pass" ""
 and
 .RI "" "drop" ""
-are used to install shunt policies, which explicitly bypass
-the defined traffic from IPsec processing, or drop it, respectively.
+are used to install shunt policies which explicitly bypass the
+defined traffic from IPsec processing or drop it, respectively.
 
 .TP
 .BR connections.<conn>.children.<child>.policies " [yes]"
@@ -856,7 +946,7 @@ which defines the secret type.
 
 It is not recommended to define any private key decryption passphrases, as then
 there is no real security benefit in having encrypted keys. Either store the key
-unencrypted, or enter the keys manually when loading credentials.
+unencrypted or enter the keys manually when loading credentials.
 
 .TP
 .B secrets.eap<suffix>
@@ -872,7 +962,7 @@ as well.
 Value of the EAP/XAuth secret. It may either be an ASCII string, a hex encoded
 string if it has a
 .RI "" "0x" ""
-prefix, or a Base64 encoded string if it has a
+prefix or a Base64 encoded string if it has a
 .RI "" "0s" ""
 prefix in its value.
 
@@ -907,7 +997,7 @@ prefix.
 Value of the IKE preshared secret. It may either be an ASCII string, a hex
 encoded string if it has a
 .RI "" "0x" ""
-prefix, or a Base64 encoded string if it has a
+prefix or a Base64 encoded string if it has a
 .RI "" "0s" ""
 prefix in its value.
 
@@ -1003,7 +1093,7 @@ Section defining a single pool with a unique name.
 .TP
 .BR pools.<name>.addrs " []"
 Subnet or range defining addresses allocated in pool. Accepts a single CIDR
-subnet defining the pool to allocate addresses from, or an address range
+subnet defining the pool to allocate addresses from or an address range
 (<from>\-<to>).  Pools must be unique and non\-overlapping.
 
 .TP
@@ -1042,7 +1132,8 @@ Section defining a certification authority with a unique name.
 The certificates may use a relative path from the
 .RB "" "swanctl" ""
 .RI "" "x509ca" ""
-directory, or an absolute path.
+directory
+or an absolute path.
 
 .TP
 .BR authorities.<name>.crl_uris " []"
diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h
index cb570cd34..560e89513 100644
--- a/src/swanctl/swanctl.h
+++ b/src/swanctl/swanctl.h
@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -42,6 +45,11 @@
 #define SWANCTL_X509AADIR SWANCTLDIR "/x509aa"
 
 /**
+ * Directory for X.509 OCSP Signer certs
+ */
+#define SWANCTL_X509OCSPDIR SWANCTLDIR "/x509ocsp"
+
+/**
  * Directory for X.509 CRLs
  */
 #define SWANCTL_X509CRLDIR SWANCTLDIR "/x509crl"
@@ -52,6 +60,11 @@
 #define SWANCTL_X509ACDIR SWANCTLDIR "/x509ac"
 
 /**
+ * Directory for raw public keys
+ */
+#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
+
+/**
  * Directory for RSA private keys
  */
 #define SWANCTL_RSADIR SWANCTLDIR "/rsa"
@@ -62,6 +75,11 @@
 #define SWANCTL_ECDSADIR SWANCTLDIR "/ecdsa"
 
 /**
+ * Directory for BLISS private keys
+ */
+#define SWANCTL_BLISSDIR SWANCTLDIR "/bliss"
+
+/**
  * Directory for PKCS#8 encoded private keys
  */
 #define SWANCTL_PKCS8DIR SWANCTLDIR "/pkcs8"
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index ef38d5d86..145fab28d 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -42,9 +42,9 @@ connections.<conn>.remote_addrs = %any
 	be specified.
 
 connections.<conn>.local_port = 500
-	Local UPD port for IKE communication.
+	Local UDP port for IKE communication.
 
-	Local UPD port for IKE communication. By default the port of the socket
+	Local UDP port for IKE communication. By default the port of the socket
 	backend is used, which is usually _500_. If port _500_ is used, automatic
 	IKE port floating to port 4500 is used to work around NAT issues.
 
@@ -54,7 +54,7 @@ connections.<conn>.local_port = 500
 connections.<conn>.remote_port = 500
 	Remote UDP port for IKE communication.
 
-	Remote UPD port for IKE communication. If the default of port _500_ is used,
+	Remote UDP port for IKE communication. If the default of port _500_ is used,
 	automatic IKE port floating to port 4500 is used to work around NAT issues.
 
 connections.<conn>.proposals = default
@@ -140,14 +140,15 @@ connections.<conn>.dpd_timeout = 0s
 	specified; this option has no effect on connections using IKE2.
 
 connections.<conn>.fragmentation = no
-	Use IKEv1 UDP packet fragmentation (_yes_, _no_ or _force_).
+	Use IKE UDP datagram fragmentation.  (_yes_, _no_ or _force_).
 
-	The default of _no_ disables IKEv1 fragmentation mechanism, _yes_ enables
-	it if support has been indicated by the peer. _force_ enforces
-	fragmentation if required even before the peer had a chance to indicate
-	support for it.
-
-	IKE fragmentation is currently not supported with IKEv2.
+	Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
+	fragmentation).  Acceptable  values  are _yes_, _force_ and _no_ (the
+	default). Fragmented IKE messages sent by a peer are always accepted
+	irrespective of  the  value  of  this option. If set to _yes_, and the peer
+	supports it, oversized IKE messages will be sent in fragments.  If set  to
+	_force_  (only  supported  for IKEv1) the initial IKE message will already
+	be fragmented if required.
 
 connections.<conn>.send_certreq = yes
 	Send certificate requests payloads (_yes_ or _no_).
@@ -267,17 +268,32 @@ connections.<conn>.local<suffix> {}
 	unique suffix. To define a single authentication round, the suffix may be
 	omitted.
 
+connections.<conn>.local<suffix>.round = 0
+	Optional numeric identifier by which authentication rounds are sorted.  If
+	not specified rounds are ordered by their position in the config file/VICI
+	message.
+
 connections.<conn>.local<suffix>.certs =
 	Comma separated list of certificate candidates to use for authentication.
 
 	Comma separated list of certificate candidates to use for authentication.
 	The certificates may use a relative path from the **swanctl** _x509_
-	directory, or an absolute path.
+	directory or an absolute path.
 
 	The certificate used for authentication is selected based on the received
 	certificate request payloads. If no appropriate CA can be located, the
 	first certificate is used.
 
+connections.<conn>.local<suffix>.pubkeys =
+	Comma separated list of raw public key candidates to use for authentication.
+
+	Comma separated list of raw public key candidates to use for authentication.
+	The public keys may use a relative path from the **swanctl** _pubkey_
+	directory or an absolute path.
+
+	Even though multiple local public keys could be defined in principle, only
+	the	first public key in the list is used for authentication.
+
 connections.<conn>.local<suffix>.auth = pubkey
 	Authentication to perform locally (_pubkey_, _psk_, _xauth[-backend]_ or
 	_eap[-method]_).
@@ -298,6 +314,19 @@ connections.<conn>.local<suffix>.auth = pubkey
 	An EAP module implementing the appropriate method is selected to perform
 	the EAP conversation.
 
+	If both peers support RFC 7427 ("Signature Authentication in IKEv2")
+	specific hash algorithms to be used during IKEv2 authentication may be
+	configured. To do so use _ike:_ followed by a trust chain signature scheme
+	constraint (see description of the **remote** section's **auth** keyword).
+	For example, with _ike:pubkey-sha384-sha256_ a public key signature scheme
+	with either SHA-384 or SHA-256 would get used for authentication, in that
+	order and depending on the hash algorithms supported by the peer. If no
+	specific hash algorithms are configured, the default is to prefer an
+	algorithm that matches or exceeds the strength of the signature key.
+	If no constraints with _ike:_ prefix are configured any signature scheme
+	constraint (without _ike:_ prefix) will also apply to IKEv2 authentication,
+	unless this is disabled in **strongswan.conf**(5).
+
 connections.<conn>.local<suffix>.id =
 	IKE identity to use for authentication round.
 
@@ -350,6 +379,11 @@ connections.<conn>.remote<suffix> {}
 	optional unique suffix. To define a single authentication round, the suffix
 	may be omitted.
 
+connections.<conn>.remote<suffix>.round = 0
+	Optional numeric identifier by which authentication rounds are sorted.  If
+	not specified rounds are ordered by their position in the config file/VICI
+	message.
+
 connections.<conn>.remote<suffix>.id = %any
 	IKE identity to expect for authentication round.
 
@@ -369,14 +403,21 @@ connections.<conn>.remote<suffix>.certs =
 
 	Comma separated list of certificates to accept for authentication.
 	The certificates may use a relative path from the **swanctl** _x509_
-	directory, or an absolute path.
+	directory or an absolute path.
 
 connections.<conn>.remote<suffix>.cacerts =
 	Comma separated list of CA certificates to accept for authentication.
 
 	Comma separated list of CA certificates to accept for authentication.
 	The certificates may use a relative path from the **swanctl** _x509ca_
-	directory, or an absolute path.
+	directory or an absolute path.
+
+connections.<conn>.remote<suffix>.pubkeys =
+	Comma separated list of raw public keys to accept for authentication.
+
+	Comma separated list of raw public keys to accept for authentication.
+	The public keys may use a relative path from the **swanctl** _x509_
+	directory or an absolute path.
 
 connections.<conn>.remote<suffix>.revocation = relaxed
 	Certificate revocation policy, (_strict_, _ifuri_ or _relaxed_).
@@ -397,9 +438,25 @@ connections.<conn>.remote<suffix>.auth = pubkey
 	Authentication to expect from remote (_pubkey_, _psk_, _xauth[-backend]_ or
 	_eap[-method]_).
 
-	Authentication to expect from remote. See the **local** sections **auth**
+	Authentication to expect from remote. See the **local** section's **auth**
 	keyword description about the details of supported mechanisms.
 
+	To require a trustchain public key strength for the remote side, specify the
+	key type followed by the minimum strength in bits (for example _ecdsa-384_
+	or _rsa-2048-ecdsa-256_). To limit the acceptable set of hashing algorithms
+	for trustchain validation, append hash algorithms to _pubkey_ or a key
+	strength definition (for example _pubkey-sha1-sha256_ or
+	_rsa-2048-ecdsa-256-sha256-sha384-sha512_).
+	Unless disabled in **strongswan.conf**(5), or explicit IKEv2 signature
+	constraints are configured (refer to the description of the **local**
+	section's **auth** keyword for details), such key types and hash algorithms
+	are also applied as constraints against IKEv2 signature authentication
+	schemes used by the remote side.
+
+	To specify trust chain constraints for EAP-(T)TLS, append a colon to the
+	EAP method, followed by the key type/size and hash algorithm as discussed
+	above (e.g. _eap-tls:ecdsa-384-sha384_).
+
 connections.<conn>.children.<child> {}
 	CHILD_SA configuration sub-section.
 
@@ -586,8 +643,8 @@ connections.<conn>.children.<child>.mode = tunnel
 	Both _transport_ and _beet_ modes are subject to mode negotiation; _tunnel_
 	mode is negotiated if the preferred mode is not available.
 
-	_pass_ and _drop_ are used to install shunt policies, which explicitly
-	bypass the defined traffic from IPsec processing, or drop it, respectively.
+	_pass_ and _drop_ are used to install shunt policies which explicitly
+	bypass the defined traffic from IPsec processing or drop it, respectively.
 
 connections.<conn>.children.<child>.policies = yes
 	Whether to install IPsec policies or not.
@@ -703,7 +760,7 @@ secrets { # }
 
 	It is not recommended to define any private key decryption passphrases,
 	as then there is no real security benefit in having encrypted keys. Either
-	store the key unencrypted, or enter the keys manually when loading
+	store the key unencrypted or enter the keys manually when loading
 	credentials.
 
 secrets.eap<suffix> { # }
@@ -724,7 +781,7 @@ secrets.eap<suffix>.secret =
 	Value of the EAP/XAuth secret.
 
 	Value of the EAP/XAuth secret. It may either be an ASCII string, a hex
-	encoded string if it has a _0x_ prefix, or a Base64 encoded string if it
+	encoded string if it has a _0x_ prefix or a Base64 encoded string if it
 	has a _0s_ prefix in its value.
 
 secrets.eap<suffix>.id<suffix> =
@@ -744,7 +801,7 @@ secrets.ike<suffix>.secret =
 	Value of the IKE preshared secret.
 
 	Value of the IKE preshared secret. It may either be an ASCII string,
-	a hex encoded string if it has a _0x_ prefix, or a Base64 encoded string if
+	a hex encoded string if it has a _0x_ prefix or a Base64 encoded string if
 	it has a _0s_ prefix in its value.
 
 secrets.ike<suffix>.id<suffix> =
@@ -804,7 +861,7 @@ pools.<name>.addrs =
 	Addresses allocated in pool.
 
 	Subnet or range defining addresses allocated in pool. Accepts a single CIDR
-	subnet defining the pool to allocate addresses from, or an address range
+	subnet defining the pool to allocate addresses from or an address range
 	(<from>-<to>).  Pools must be unique and non-overlapping.
 
 pools.<name>.<attr> =
@@ -827,7 +884,7 @@ authorities.<name>.cacert =
 	CA certificate belonging to the certification authority.
 
 	The certificates may use a relative path from the **swanctl** _x509ca_
-	directory, or an absolute path.
+	directory or an absolute path.
 
 authorities.<name>.crl_uris =
 	Comma-separated list of CRL distribution points
diff --git a/testing/Makefile.in b/testing/Makefile.in
index b66c2be76..f797f1767 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -329,6 +329,8 @@ strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
 systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
 systemd_daemon_LIBS = @systemd_daemon_LIBS@
 systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
diff --git a/testing/do-tests b/testing/do-tests
index c87ba05a7..2a424e523 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -520,6 +520,14 @@ do
 	    IPTABLES_DSP="iptables -L ; ip6tables -L"
 	fi
 
+	for host in $DBHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+
+		scp $SSHCONF $HOSTLOGIN:/etc/db.d/ipsec.sql \
+		    $TESTRESULTDIR/${host}.ipsec.sql  > /dev/null 2>&1
+	done
+
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
@@ -531,15 +539,20 @@ do
 			scp $SSHCONF $HOSTLOGIN:/etc/swanctl/swanctl.conf \
 			$TESTRESULTDIR/${host}.swanctl.conf  > /dev/null 2>&1
 
-			for subsys in conns certs pools authorities sas pols
+			for subsys in conns algs certs pools authorities sas pols
 			do
 				ssh $SSHCONF $HOSTLOGIN swanctl --list-$subsys \
 					> $TESTRESULTDIR/${host}.swanctl.$subsys 2>/dev/null
 			done
 
-			# this is quite slow due to allocation stats via leak-detective
 			ssh $SSHCONF $HOSTLOGIN swanctl --stats \
 				> $TESTRESULTDIR/${host}.swanctl.stats 2>/dev/null
+
+			echo "" >> $TESTRESULTDIR/${host}.swanctl.sas
+			cat $TESTRESULTDIR/${host}.swanctl.pols >> \
+				$TESTRESULTDIR/${host}.swanctl.sas
+			cat $TESTRESULTDIR/${host}.swanctl.algs >> \
+				$TESTRESULTDIR/${host}.swanctl.stats
 		else
 		    for file in ipsec.conf ipsec.secrets
 		    do
@@ -552,9 +565,11 @@ do
 				ssh $SSHCONF $HOSTLOGIN ipsec $command \
 			    > $TESTRESULTDIR/${host}.$command 2>/dev/null
 		    done
+		fi
 
-		    scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
-			$TESTRESULTDIR/${host}.ipsec.sql  > /dev/null 2>&1
+		if (! [ -f $TESTRESULTDIR/${host}.ipsec.sql ] ) then
+			scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
+				$TESTRESULTDIR/${host}.ipsec.sql  > /dev/null 2>&1
 		fi
 
 	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm policy \
@@ -578,16 +593,16 @@ do
 	    <li><a href="$host.swanctl.conf">swanctl.conf</a></li>
 	    <li><a href="$host.swanctl.conns">swanctl --list-conns</a></li>
 	    <li><a href="$host.swanctl.certs">swanctl --list-certs</a></li>
-	    <li><a href="$host.swanctl.pools">swanctl --list-pools</a></li>
 	    <li><a href="$host.strongswan.conf">strongswan.conf</a></li>
+	    <li><a href="$host.ipsec.sql">ipsec.sql</a></li>
 	  </ul>
 	</td>
 	<td valign="top">
 	  <ul>
-	    <li><a href="$host.swanctl.sas">swanctl --list-sas</a></li>
-	    <li><a href="$host.swanctl.pols">swanctl --list-pols</a></li>
+	    <li><a href="$host.swanctl.sas">swanctl --list-sas|--list-pols</a></li>
+	    <li><a href="$host.swanctl.pools">swanctl --list-pools</a></li>
 	    <li><a href="$host.swanctl.authorities">swanctl --list-authorities</a></li>
-	    <li><a href="$host.swanctl.stats">swanctl --stats</a></li>
+	    <li><a href="$host.swanctl.stats">swanctl --stats|--list-algs</a></li>
 	    <li><a href="$host.daemon.log">daemon.log</a></li>
 	  </ul>
       </td>
diff --git a/testing/hosts/alice/etc/ipsec.d/ipsec.sql b/testing/hosts/alice/etc/ipsec.d/ipsec.sql
index da38e9ab4..c80052d69 100644
--- a/testing/hosts/alice/etc/ipsec.d/ipsec.sql
+++ b/testing/hosts/alice/etc/ipsec.d/ipsec.sql
@@ -1,4 +1,4 @@
 /* strongSwan SQLite database */
 
-/* configuration is read from ipsec.conf   */
-/* credentials are read from ipsec.secrets */
+/* configuration is read from swanctl.conf or ipsec.conf */
+/* credentials  are read from swanctl.conf or ipsec.secrets */
diff --git a/testing/hosts/bob/etc/ipsec.d/ipsec.sql b/testing/hosts/bob/etc/ipsec.d/ipsec.sql
index da38e9ab4..c80052d69 100644
--- a/testing/hosts/bob/etc/ipsec.d/ipsec.sql
+++ b/testing/hosts/bob/etc/ipsec.d/ipsec.sql
@@ -1,4 +1,4 @@
 /* strongSwan SQLite database */
 
-/* configuration is read from ipsec.conf   */
-/* credentials are read from ipsec.secrets */
+/* configuration is read from swanctl.conf or ipsec.conf */
+/* credentials  are read from swanctl.conf or ipsec.secrets */
diff --git a/testing/hosts/carol/etc/ipsec.d/ipsec.sql b/testing/hosts/carol/etc/ipsec.d/ipsec.sql
index da38e9ab4..c80052d69 100644
--- a/testing/hosts/carol/etc/ipsec.d/ipsec.sql
+++ b/testing/hosts/carol/etc/ipsec.d/ipsec.sql
@@ -1,4 +1,4 @@
 /* strongSwan SQLite database */
 
-/* configuration is read from ipsec.conf   */
-/* credentials are read from ipsec.secrets */
+/* configuration is read from swanctl.conf or ipsec.conf */
+/* credentials  are read from swanctl.conf or ipsec.secrets */
diff --git a/testing/hosts/dave/etc/ipsec.d/ipsec.sql b/testing/hosts/dave/etc/ipsec.d/ipsec.sql
index da38e9ab4..c80052d69 100644
--- a/testing/hosts/dave/etc/ipsec.d/ipsec.sql
+++ b/testing/hosts/dave/etc/ipsec.d/ipsec.sql
@@ -1,4 +1,4 @@
 /* strongSwan SQLite database */
 
-/* configuration is read from ipsec.conf   */
-/* credentials are read from ipsec.secrets */
+/* configuration is read from swanctl.conf or ipsec.conf */
+/* credentials  are read from swanctl.conf or ipsec.secrets */
diff --git a/testing/hosts/default/usr/local/bin/expect-connection b/testing/hosts/default/usr/local/bin/expect-connection
index 10a709255..17e2b7fbe 100755
--- a/testing/hosts/default/usr/local/bin/expect-connection
+++ b/testing/hosts/default/usr/local/bin/expect-connection
@@ -15,10 +15,16 @@ fi
 secs=$2
 [ ! $secs ] && secs=5
 
+cmd="swanctl --list-conns"
+grep 'load.*stroke' /etc/strongswan.conf >/dev/null
+if [ $? -eq 0 ]; then
+	cmd="ipsec statusall"
+fi
+
 let steps=$secs*10
 for i in `seq 1 $steps`
 do
-	ipsec statusall 2>&1 | grep ^[[:space:]]*$1: >/dev/null
+	$cmd 2>&1 | grep ^[[:space:]]*$1: >/dev/null
 	[ $? -eq 0 ] && exit 0
 	sleep 0.1
 done
diff --git a/testing/hosts/moon/etc/ipsec.d/ipsec.sql b/testing/hosts/moon/etc/ipsec.d/ipsec.sql
index da38e9ab4..c80052d69 100644
--- a/testing/hosts/moon/etc/ipsec.d/ipsec.sql
+++ b/testing/hosts/moon/etc/ipsec.d/ipsec.sql
@@ -1,4 +1,4 @@
 /* strongSwan SQLite database */
 
-/* configuration is read from ipsec.conf   */
-/* credentials are read from ipsec.secrets */
+/* configuration is read from swanctl.conf or ipsec.conf */
+/* credentials  are read from swanctl.conf or ipsec.secrets */
diff --git a/testing/hosts/sun/etc/ipsec.d/ipsec.sql b/testing/hosts/sun/etc/ipsec.d/ipsec.sql
index da38e9ab4..c80052d69 100644
--- a/testing/hosts/sun/etc/ipsec.d/ipsec.sql
+++ b/testing/hosts/sun/etc/ipsec.d/ipsec.sql
@@ -1,4 +1,4 @@
 /* strongSwan SQLite database */
 
-/* configuration is read from ipsec.conf   */
-/* credentials are read from ipsec.secrets */
+/* configuration is read from swanctl.conf or ipsec.conf */
+/* credentials  are read from swanctl.conf or ipsec.secrets */
diff --git a/testing/hosts/venus/etc/ipsec.d/ipsec.sql b/testing/hosts/venus/etc/ipsec.d/ipsec.sql
index da38e9ab4..c80052d69 100644
--- a/testing/hosts/venus/etc/ipsec.d/ipsec.sql
+++ b/testing/hosts/venus/etc/ipsec.d/ipsec.sql
@@ -1,4 +1,4 @@
 /* strongSwan SQLite database */
 
-/* configuration is read from ipsec.conf   */
-/* credentials are read from ipsec.secrets */
+/* configuration is read from swanctl.conf or ipsec.conf */
+/* credentials  are read from swanctl.conf or ipsec.secrets */
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 842c3a1b2..de3c13dcf 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -24,6 +24,9 @@ openssl crl -in crl.pem -outform der -out strongswan.crl
 cp strongswan.crl     ${ROOT}
 cp strongswanCert.pem ${ROOT}
 cp index.html         ${ROOT}
+# revoke moon's current CERT
+pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem --lifetime 30 --reason key-compromise --cert newcerts/2B.pem --lastcrl strongswan.crl > strongswan_moon_revoked.crl
+cp strongswan_moon_revoked.crl ${ROOT}
 cd /etc/openssl/research
 openssl ca -gencrl -crldays 15 -config /etc/openssl/research/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out research.crl
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 994acaa28..f205df33b 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -98,7 +98,6 @@ CONFIG_OPTS = \
 	--enable-tkm \
 	--enable-ntru \
 	--enable-lookip \
-	--enable-swanctl \
 	--enable-bliss \
 	--enable-sha3
 
diff --git a/testing/tests/af-alg/alg-camellia/description.txt b/testing/tests/af-alg/alg-camellia/description.txt
index b3515c333..87679788f 100644
--- a/testing/tests/af-alg/alg-camellia/description.txt
+++ b/testing/tests/af-alg/alg-camellia/description.txt
@@ -1,4 +1,3 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
-HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
-the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
-in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
+HMAC_SHA2_512_256 / PRF_HMAC_SHA2_512 / MODP_3072</b> well as the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA384_192</b>.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/af-alg/alg-camellia/evaltest.dat b/testing/tests/af-alg/alg-camellia/evaltest.dat
index 2096cb994..d88c52638 100644
--- a/testing/tests/af-alg/alg-camellia/evaltest.dat
+++ b/testing/tests/af-alg/alg-camellia/evaltest.dat
@@ -1,10 +1,6 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=CAMELLIA_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=CAMELLIA_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf
index 28b9e5822..81a85aa06 100644
--- a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 af-alg gmp random nonce x509 revocation stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
 }
diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..acba9cecb
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = camellia192-sha384
+         }
+      }
+      version = 2
+      proposals = camellia256-sha512-modp3072
+   }
+}
diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf
index 28b9e5822..81a85aa06 100644
--- a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 af-alg gmp random nonce x509 revocation stroke kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
 }
diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..1c06bb2ce
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = camellia192-sha384
+         }
+      }
+      version = 2
+      proposals = camellia256-sha512-modp3072
+   }
+}
diff --git a/testing/tests/af-alg/alg-camellia/posttest.dat b/testing/tests/af-alg/alg-camellia/posttest.dat
index 046d4cfdc..2fc2bbb75 100644
--- a/testing/tests/af-alg/alg-camellia/posttest.dat
+++ b/testing/tests/af-alg/alg-camellia/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat
index de4acbbf0..41255bccb 100644
--- a/testing/tests/af-alg/alg-camellia/pretest.dat
+++ b/testing/tests/af-alg/alg-camellia/pretest.dat
@@ -1,6 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection net 
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/af-alg/alg-camellia/test.conf b/testing/tests/af-alg/alg-camellia/test.conf
index 4a5fc470f..307c7e9cc 100644
--- a/testing/tests/af-alg/alg-camellia/test.conf
+++ b/testing/tests/af-alg/alg-camellia/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/af-alg/rw-cert/description.txt b/testing/tests/af-alg/rw-cert/description.txt
index d0c5e9200..13f20d1e2 100644
--- a/testing/tests/af-alg/rw-cert/description.txt
+++ b/testing/tests/af-alg/rw-cert/description.txt
@@ -5,8 +5,8 @@ encryption and hash functions whereas roadwarrior <b>dave</b> uses the default
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnel automatically iptables-based
+firewall rules are inserted which let pass the tunneled traffic.
 In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
 the client <b>alice</b> behind the gateway <b>moon</b>.
 
diff --git a/testing/tests/af-alg/rw-cert/evaltest.dat b/testing/tests/af-alg/rw-cert/evaltest.dat
index ba661975b..3cd928be5 100644
--- a/testing/tests/af-alg/rw-cert/evaltest.dat
+++ b/testing/tests/af-alg/rw-cert/evaltest.dat
@@ -1,15 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
index 2d08b38bc..3610ac699 100644
--- a/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..22fe14f92
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = 3des-sha1-modp1536
+         }
+      }
+      version = 2
+      proposals = 3des-sha1-modp1536 
+   }
+}
diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
index f7b335e72..afa7afe83 100644
--- a/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,15 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
 
   integrity_test = yes
   crypto_test {
-    required = yes
     on_add = yes
   }
 }
diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b3622f50e
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128-sha256-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
index 2d08b38bc..3610ac699 100644
--- a/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ccd247af0
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128-sha256-modp3072,3des-sha1-modp1536
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072,3des-sha1-modp1536 
+   }
+}
diff --git a/testing/tests/af-alg/rw-cert/posttest.dat b/testing/tests/af-alg/rw-cert/posttest.dat
index 1865a1c60..d7107ccc6 100644
--- a/testing/tests/af-alg/rw-cert/posttest.dat
+++ b/testing/tests/af-alg/rw-cert/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat
index 855c273cc..7652f460e 100644
--- a/testing/tests/af-alg/rw-cert/pretest.dat
+++ b/testing/tests/af-alg/rw-cert/pretest.dat
@@ -1,11 +1,11 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-moon::expect-connection rw
-carol::expect-connection home
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection net 
+carol::expect-connection home 
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-carol::ipsec up home
-dave::ipsec up home
-\ No newline at end of file
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/af-alg/rw-cert/test.conf b/testing/tests/af-alg/rw-cert/test.conf
index f29298850..1227b9d1c 100644
--- a/testing/tests/af-alg/rw-cert/test.conf
+++ b/testing/tests/af-alg/rw-cert/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
index 5f0bb3cdc..236647b56 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
index 11dece402..f0bbfc10f 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -8,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=camellia256-sha512-modp2048!
+	ike=camellia256-sha512-modp3072!
 	esp=camellia192-sha384!
 
 conn home
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
index ecbb94dca..8481f8974 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -8,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=camellia256-sha512-modp2048!
+	ike=camellia256-sha512-modp3072!
 	esp=camellia192-sha384!
 
 conn rw
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
index f1a4b964c..15c4ad7d1 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
@@ -4,6 +4,7 @@ dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
+moon::expect-connection rw
 carol::expect-connection home
 dave::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ha/active-passive/pretest.dat b/testing/tests/ha/active-passive/pretest.dat
index 2bdab2839..f82e48437 100644
--- a/testing/tests/ha/active-passive/pretest.dat
+++ b/testing/tests/ha/active-passive/pretest.dat
@@ -11,7 +11,6 @@ carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 alice::ipsec start
-moon::ipsec start
 moon::sleep 2
 alice::echo "+1" > /var/run/charon.ha
 carol::ipsec start
diff --git a/testing/tests/ikev1/alg-3des-md5/evaltest.dat b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
index abd29e97e..ad0ebd48c 100644
--- a/testing/tests/ikev1/alg-3des-md5/evaltest.dat
+++ b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
@@ -5,8 +5,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
+moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96/MODP_1024,::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96/MODP_1024,::YES
 moon:: ip xfrm state::enc cbc(des3_ede)::YES
 carol::ip xfrm state::enc cbc(des3_ede)::YES
 moon:: ip xfrm state::auth-trunc hmac(md5)::YES
diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat
index eba856742..364d89f59 100644
--- a/testing/tests/ikev1/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha256/evaltest.dat
@@ -2,11 +2,11 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128/MODP_3072,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/MODP_3072,::YES
 moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
 carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
index 73e25710b..1c227978e 100644
--- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256-modp2048!
+	ike=aes128-sha256-modp3072!
+	esp=aes128-sha256-modp3072!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
index 0a6f48e69..177aebf52 100644
--- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256-modp2048!
+	ike=aes128-sha256-modp3072!
+	esp=aes128-sha256-modp3072!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat
index 3b24217c5..14f0ba479 100644
--- a/testing/tests/ikev1/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha384/evaltest.dat
@@ -5,8 +5,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192/MODP_3072,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/MODP_3072,::YES
 moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
 carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev1/alg-sha512/evaltest.dat b/testing/tests/ikev1/alg-sha512/evaltest.dat
index 6bdceeb44..6f8c05d5b 100644
--- a/testing/tests/ikev1/alg-sha512/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha512/evaltest.dat
@@ -5,8 +5,8 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
 carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256/MODP_4096,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/MODP_4096,::YES
 moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
 carol::ip xfrm state::auth-trunc hmac(sha512)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
index 6c22fd548..7d97dd229 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
-}
 
-libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
index d568273d1..fe148cd10 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_NULL successful::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol@strongswan.org' successful::YES
 moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
index ee60292a3..a88debd3e 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_NULL successful::YES
 moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
index f11018347..c896b5f67 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index 74668e7fb..c9e9e92e5 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
-	esp=aes128-aesxcbc-modp2048!
+	ike=aes128-aesxcbc-modp3072!
+	esp=aes128-aesxcbc-modp3072!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index 3cda72935..4e4a9324f 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
-	esp=aes128-aesxcbc-modp2048!
+	ike=aes128-aesxcbc-modp3072!
+	esp=aes128-aesxcbc-modp3072!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
index 6c4e23710..8ad0fb2b2 100644
--- a/testing/tests/ikev2/alg-sha256-96/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
@@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES
 carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
index 0d3b9fd45..90a143678 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256_96-modp2048!
+	ike=aes128-sha256-modp3072!
+	esp=aes128-sha256_96-modp3072!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
index b0a5c4616..e0b2625c0 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256_96-modp2048!
+	ike=aes128-sha256-modp3072!
+	esp=aes128-sha256_96-modp3072!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat
index eba856742..c826c3f60 100644
--- a/testing/tests/ikev2/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256/evaltest.dat
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
index 22d2cd38a..6890ea458 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256-modp2048!
+	ike=aes128-sha256-modp3072!
+	esp=aes128-sha256-modp3072!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
index 543374d76..583111893 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256-modp2048!
+	ike=aes128-sha256-modp3072!
+	esp=aes128-sha256-modp3072!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index 6c22fd548..7d97dd229 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
-}
 
-libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index 6c22fd548..7d97dd229 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
-}
 
-libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index cf3b0d81b..b238646ac 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
-}
 
-libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index cf3b0d81b..b238646ac 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
-}
 
-libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
index 5176e2a4d..da157a5ee 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
@@ -2,9 +2,7 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql
-}
 
-libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat
index 56c1785cc..3aa610b38 100644
--- a/testing/tests/ikev2/ip-two-pools/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools/pretest.dat
@@ -1,8 +1,8 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 alice::iptables-restore < /etc/iptables.rules
-carol::ipsec start
 moon::ipsec start
+carol::ipsec start
 alice::ipsec start
 carol::expect-connection home
 carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/description.txt b/testing/tests/ikev2/reauth-mbb-revoked/description.txt
new file mode 100644
index 000000000..4e27a0b82
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/description.txt
@@ -0,0 +1,15 @@
+This scenario tests <b>make-before-break reauthentication</b> using overlapping
+IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
+initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using
+<b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement
+CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
+whole procedure.
+<p/>
+Because the responder is always able to install CHILD_SAs before the initiator
+is, some traffic sent by the responder over such a CHILD_SA might get dropped by
+the initiator (until it also installed the CHILD_SA).  This is particularly
+problematic if OCSP/CRL checks are delayed or if they can also be done via the
+IPsec tunnel once it's established.  Therefore, online OCSP/CRL checks are
+suspended during the reauthentication and done afterwards. This is verified here
+by revoking the responder's certificate after the SA got initially established.
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat b/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat
new file mode 100644
index 000000000..8fe9a2360
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/evaltest.dat
@@ -0,0 +1,10 @@
+winnetou::cp /var/www/strongswan.crl /var/www/strongswan.crl.bak
+winnetou::cp /var/www/strongswan_moon_revoked.crl /var/www/strongswan.crl
+carol::ipsec purgecrls
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::sleep 6
+carol::cat /var/log/daemon.log::certificate was revoked.*key compromise::YES
+carol::cat /var/log/daemon.log::peer certificate verification failed, deleting SA::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::NO
diff --git a/testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf
index 214a8de28..ec2b41d29 100644
--- a/testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/ipsec.conf
@@ -1,22 +1,21 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	strictcrlpolicy=yes
 
 conn %default
-	ikelifetime=60m
 	keylife=20m
-	rekeymargin=3m
+	ikelifetime=10s
+	rekeymargin=5s
+	rekeyfuzz=0%
 	keyingtries=1
-	keyexchange=ikev2
-	ike=3des-sha1-modp1536!
-	esp=3des-sha1!
 
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
-	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f89437e43
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+
+  make_before_break = yes
+}
diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf
index ecbb94dca..93ae34cf7 100644
--- a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/ipsec.conf
@@ -1,21 +1,19 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
+	strictcrlpolicy=yes
 
 conn %default
-	ikelifetime=60m
+	ikelifetime=30m
 	keylife=20m
-	rekeymargin=3m
+	rekeymargin=0s
 	keyingtries=1
-	keyexchange=ikev2
-	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha384!
 
 conn rw
 	left=PH_IP_MOON
-	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat b/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat
new file mode 100644
index 000000000..d0d591585
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/posttest.dat
@@ -0,0 +1,3 @@
+winnetou::cp /var/www/strongswan.crl.bak /var/www/strongswan.crl
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat b/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat
new file mode 100644
index 000000000..3a1982f8a
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::expect-connection home
+carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/test.conf b/testing/tests/ikev2/reauth-mbb-revoked/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-revoked/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/redirect-active/description.txt b/testing/tests/ikev2/redirect-active/description.txt
new file mode 100644
index 000000000..942c66ebf
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>alice</b>, which identifies itself as <b>mars</b>.
+Host <b>venus</b> in the subnet behind this gateway uses gateway <b>moon</b> as
+default gateway, so it is not fully reachable by the two roadwarriors.
+Then both SAs are actively redirected with the <em>swanctl --redirect</em>
+command to gateway <b>moon</b> (also identified as <b>mars</b>) using the
+mechanism described in <b>RFC 5685</b> enabling the roadwarriors to
+ping <b>venus</b>.
diff --git a/testing/tests/ikev2/redirect-active/evaltest.dat b/testing/tests/ikev2/redirect-active/evaltest.dat
new file mode 100644
index 000000000..6d84173cd
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/evaltest.dat
@@ -0,0 +1,28 @@
+alice::ipsec status 2> /dev/null::rw\[1].*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES
+alice::ipsec status 2> /dev/null::rw\[2].*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*mars.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*mars.strongswan.org::YES
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+alice::swanctl --redirect --peer-ip PH_IP_CAROL --gateway 192.168.0.1::redirect completed successfully::YES
+alice::swanctl --redirect --peer-id dave@strongswan.org --gateway moon.strongswan.org::redirect completed successfully::YES
+carol::sleep 1::No output expected::NO
+carol::cat /var/log/daemon.log::redirected to 192.168.0.1::YES
+dave::cat /var/log/daemon.log::redirected to moon.strongswan.org::YES
+moon::cat /var/log/daemon.log::client got redirected from 192.168.0.5::YES
+moon::ipsec status 2> /dev/null::rw\[1].*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[2].*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
+carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::NO
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES
+dave::tcpdump::IP mars.strongswan.org > dave.strongswan.org: ESP::NO
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+venus::tcpdump::IP carol.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > carol.strongswan.org: ICMP echo reply::YES
+venus::tcpdump::IP dave.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.conf
index fc3eea283..6a810552b 100644
--- a/testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.conf
@@ -7,15 +7,13 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-modp2048,3des-sha1-modp1536!
-	esp=aes128-sha256,3des-sha1!
 
 conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
+	left=192.168.0.5
+	leftcert=marsCert.pem
+	leftid=mars.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem
new file mode 100644
index 000000000..cf0977489
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQDCCAyigAwIBAgIBNDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE1MTEyNjA4MjQ1M1oXDTE5MDkwNjA4MjQ1M1owZDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1
+YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxTvcinIErfzu8YZKl+a2MNTVY
++qjG83OkweWjWed/egAugxRjTyWeKjrSNf6DWpXC0pNhzja+Sj0njz4Kq8VczkFB
+/yYEkFKpdpFQHXvbQo5h7wn1i3Omhvou5x0rRfddRpLGl7Z/Xg8gnHsZMHHN60hI
+qiLZdRSu5QF25WNcy9tO58gz8Hvo5jsk8YDu6eGYolaygQo3cqxx/r8yWzehju0F
+oWm4sLOrq+OTegeCQYI8PsOALAwLWgWdGfMPMT0ntq9tD97AcUD0EilvcXVdmwUW
+44/hM9BZ0JS7N7Wv6fgIChC7xhZj1yo6vY+FDsmNMhz7vdeulKx2dqRJkn0XAgMB
+AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUvo44
+06FQwLI8P6VqNehTNHa2LNMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou
+Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu
+MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy
+cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw
+MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js
+MA0GCSqGSIb3DQEBCwUAA4IBAQCWvHc0v5BhxsLRxPvcOu1bVoeexzA/5nftfRly
+PumU2hYFQ8p7soJiT/jYPmnfNvl6halnmS0FrqLdTMNfXj/6WCZ3w4Xnokc5PYW4
+oL1VqdEgR7jyQjifZuzRkuPw+yAFoT+HbMttLdRMVTq9NXlPXtGaJTWbx5Z/gGP3
+1Ry47WhvzJyRSysPh/+9WJFOwS6nf6DFbNuyVtNXQRzXjpsGefZgN9ysntNRFMMZ
+V0j+zFIkLBLh2WBkJsuLQM9EFAlZrpQZ7iwHuz7gU0jATxN6Qxnn9AemNPl4k8T3
+igPXeVhDbZFeTc+u/Z7X5i1HXhks2QGz/zGee6no54XOnBWB
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/private/marsKey.pem b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/private/marsKey.pem
new file mode 100644
index 000000000..14f9440ee
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.d/private/marsKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAsU73IpyBK387vGGSpfmtjDU1WPqoxvNzpMHlo1nnf3oALoMU
+Y08lnio60jX+g1qVwtKTYc42vko9J48+CqvFXM5BQf8mBJBSqXaRUB1720KOYe8J
+9Ytzpob6LucdK0X3XUaSxpe2f14PIJx7GTBxzetISKoi2XUUruUBduVjXMvbTufI
+M/B76OY7JPGA7unhmKJWsoEKN3Kscf6/Mls3oY7tBaFpuLCzq6vjk3oHgkGCPD7D
+gCwMC1oFnRnzDzE9J7avbQ/ewHFA9BIpb3F1XZsFFuOP4TPQWdCUuze1r+n4CAoQ
+u8YWY9cqOr2PhQ7JjTIc+73XrpSsdnakSZJ9FwIDAQABAoIBAQCe+TYMClamMUXV
++YYK2noIJAzY4qVA/DbLmi3S8GDnovNWwKAfCm+oCCUFJPQ1wZpVO4h5QPNEWjvK
+pFv0JV6nfyZzjdkAboYu+uf+9PB//oS6uiAr0AS5YnweYYl9qxXGw+gFtzEhsavO
+iX61bwIapsIApMrqPld1GE7f03vrTjyqYeJC+V5WEVZe1fkZtKFFJiHN1boPwoWt
+VRQ4UGlq9eto5pddmMcPl/uR9/TItdMC8AZ7fcRYP9RdYFEp8jS+tx3CDNs0XrlF
+qKlroDSdwBt475Ud5irtNwjGoohl3xCHvEne9l+fjlmQFynfRNeOb9rgVIsT3OoO
+MFSeW9HBAoGBAOiAjYCWoQHSlbi3Nkd5fsfTd4iZOkeeZi+2PJOhDByH1Hsq87CP
+KoYejjYUQ6QvJY2WDJCU8qXxPJkDuI6XZ6QbTDPad2xXDkA4pxuPi/c+Hb/eqLQ+
+24ebIzauC5iLdddp22oQXQOngKwUMihYggKs9cIpem8G99bcMfq1OeaDAoGBAMM6
+Z790eySPDIaKZZ/KVOu4hJe1s5vIJqN9xtV0o55PTR2wFCgwCogiXQchyhF8Qo6q
+BEpcKpY1bAivmL8T2PBsLUuKC4LAr8uzW8rVFbG3HfC62RoaVOZWmH+yBABi6eej
+Lh8KNhal+HzVOlMsw78FAkhq9aubWBywxfULFyrdAoGAPmnsEn3dIPkf+iMsrgk+
+cHQjHYdMrtclxV8daeAMuUf5UUsZeeck2jYvpPLRqayCXzzNiK6DaOqWgtkN3TFl
+wBcX4L+f2XSRPco3id2CDFAfeldSYHiTRBbwYAhe0od1jes73IAiCA4aK5eMU2pX
+FFLL8mBiHpX3SDV6MTwfG/MCgYEApgLXUC3LvVXLL+kl65ARUHUSgzNmrNSxTptY
+5hCORcNnbxRYv6fCfOrDspngC6hfrJMUnOrs59g7qtMvD2TgN+m1RqP3j9Msagp1
+xvAVx45QbnFkxdaYVVpTyVpmHrH99xSC1rBHOFEgEX78XtgVCC1JOK2DhM7PSW5k
+lzA8Hh0CgYBVXNnQsy4x+9D09zeFP2TKXsk7N154yUP6oxXu6OjZC+cfxHOGyi/g
+PVe8ukBIknZkFRz+ZXdfZzXXuJslENOVeFEInqVAu2W55KeCPc/3SU6hB2lj6MBl
+WIZ7yrUmtdalU3cPkFnHkQTL2glYAzjB2z22AxyXNzy37ZhtFpovtg==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.secrets
index e86d6aa5c..d65b96e34 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA moonKey.pem
+: RSA marsKey.pem
diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..33c22b909
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/iptables.rules
@@ -0,0 +1,34 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
+-A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow esp
+-A INPUT  -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..6f7f4c4cb
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown vici
+}
+
diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf
index 11dece402..a5c2cc5fc 100644
--- a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/ipsec.conf
@@ -1,22 +1,19 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-
+	charondebug="knl 2"
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
-	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha384!
 
 conn home
-	left=PH_IP_CAROL
-	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
-	right=PH_IP_MOON
+	leftfirewall=yes
+	right=192.168.0.5
+	rightid=mars.strongswan.org
 	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e58af9efd
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/dave/etc/ipsec.conf
index 7fa2966d2..642811d10 100644
--- a/testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/redirect-active/hosts/dave/etc/ipsec.conf
@@ -7,16 +7,13 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256!
 
 conn home
-	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
+	right=192.168.0.5
+	rightid=mars.strongswan.org
 	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ecbad665c
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.conf
index 98e2525ba..fa901cbdf 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.conf
@@ -7,17 +7,12 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
 
-conn rw-eap
-	left=PH_IP_MOON
+conn rw
+	leftcert=marsCert.pem
+	leftid=mars.strongswan.org
 	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=pubkey
 	leftfirewall=yes
-	rightauth=eap-radius
-	rightid=*@strongswan.org
-	rightsendcert=never
 	right=%any
+	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem
new file mode 100644
index 000000000..cf0977489
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQDCCAyigAwIBAgIBNDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE1MTEyNjA4MjQ1M1oXDTE5MDkwNjA4MjQ1M1owZDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1
+YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxTvcinIErfzu8YZKl+a2MNTVY
++qjG83OkweWjWed/egAugxRjTyWeKjrSNf6DWpXC0pNhzja+Sj0njz4Kq8VczkFB
+/yYEkFKpdpFQHXvbQo5h7wn1i3Omhvou5x0rRfddRpLGl7Z/Xg8gnHsZMHHN60hI
+qiLZdRSu5QF25WNcy9tO58gz8Hvo5jsk8YDu6eGYolaygQo3cqxx/r8yWzehju0F
+oWm4sLOrq+OTegeCQYI8PsOALAwLWgWdGfMPMT0ntq9tD97AcUD0EilvcXVdmwUW
+44/hM9BZ0JS7N7Wv6fgIChC7xhZj1yo6vY+FDsmNMhz7vdeulKx2dqRJkn0XAgMB
+AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUvo44
+06FQwLI8P6VqNehTNHa2LNMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou
+Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu
+MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy
+cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw
+MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js
+MA0GCSqGSIb3DQEBCwUAA4IBAQCWvHc0v5BhxsLRxPvcOu1bVoeexzA/5nftfRly
+PumU2hYFQ8p7soJiT/jYPmnfNvl6halnmS0FrqLdTMNfXj/6WCZ3w4Xnokc5PYW4
+oL1VqdEgR7jyQjifZuzRkuPw+yAFoT+HbMttLdRMVTq9NXlPXtGaJTWbx5Z/gGP3
+1Ry47WhvzJyRSysPh/+9WJFOwS6nf6DFbNuyVtNXQRzXjpsGefZgN9ysntNRFMMZ
+V0j+zFIkLBLh2WBkJsuLQM9EFAlZrpQZ7iwHuz7gU0jATxN6Qxnn9AemNPl4k8T3
+igPXeVhDbZFeTc+u/Z7X5i1HXhks2QGz/zGee6no54XOnBWB
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/private/marsKey.pem b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/private/marsKey.pem
new file mode 100644
index 000000000..14f9440ee
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.d/private/marsKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAsU73IpyBK387vGGSpfmtjDU1WPqoxvNzpMHlo1nnf3oALoMU
+Y08lnio60jX+g1qVwtKTYc42vko9J48+CqvFXM5BQf8mBJBSqXaRUB1720KOYe8J
+9Ytzpob6LucdK0X3XUaSxpe2f14PIJx7GTBxzetISKoi2XUUruUBduVjXMvbTufI
+M/B76OY7JPGA7unhmKJWsoEKN3Kscf6/Mls3oY7tBaFpuLCzq6vjk3oHgkGCPD7D
+gCwMC1oFnRnzDzE9J7avbQ/ewHFA9BIpb3F1XZsFFuOP4TPQWdCUuze1r+n4CAoQ
+u8YWY9cqOr2PhQ7JjTIc+73XrpSsdnakSZJ9FwIDAQABAoIBAQCe+TYMClamMUXV
++YYK2noIJAzY4qVA/DbLmi3S8GDnovNWwKAfCm+oCCUFJPQ1wZpVO4h5QPNEWjvK
+pFv0JV6nfyZzjdkAboYu+uf+9PB//oS6uiAr0AS5YnweYYl9qxXGw+gFtzEhsavO
+iX61bwIapsIApMrqPld1GE7f03vrTjyqYeJC+V5WEVZe1fkZtKFFJiHN1boPwoWt
+VRQ4UGlq9eto5pddmMcPl/uR9/TItdMC8AZ7fcRYP9RdYFEp8jS+tx3CDNs0XrlF
+qKlroDSdwBt475Ud5irtNwjGoohl3xCHvEne9l+fjlmQFynfRNeOb9rgVIsT3OoO
+MFSeW9HBAoGBAOiAjYCWoQHSlbi3Nkd5fsfTd4iZOkeeZi+2PJOhDByH1Hsq87CP
+KoYejjYUQ6QvJY2WDJCU8qXxPJkDuI6XZ6QbTDPad2xXDkA4pxuPi/c+Hb/eqLQ+
+24ebIzauC5iLdddp22oQXQOngKwUMihYggKs9cIpem8G99bcMfq1OeaDAoGBAMM6
+Z790eySPDIaKZZ/KVOu4hJe1s5vIJqN9xtV0o55PTR2wFCgwCogiXQchyhF8Qo6q
+BEpcKpY1bAivmL8T2PBsLUuKC4LAr8uzW8rVFbG3HfC62RoaVOZWmH+yBABi6eej
+Lh8KNhal+HzVOlMsw78FAkhq9aubWBywxfULFyrdAoGAPmnsEn3dIPkf+iMsrgk+
+cHQjHYdMrtclxV8daeAMuUf5UUsZeeck2jYvpPLRqayCXzzNiK6DaOqWgtkN3TFl
+wBcX4L+f2XSRPco3id2CDFAfeldSYHiTRBbwYAhe0od1jes73IAiCA4aK5eMU2pX
+FFLL8mBiHpX3SDV6MTwfG/MCgYEApgLXUC3LvVXLL+kl65ARUHUSgzNmrNSxTptY
+5hCORcNnbxRYv6fCfOrDspngC6hfrJMUnOrs59g7qtMvD2TgN+m1RqP3j9Msagp1
+xvAVx45QbnFkxdaYVVpTyVpmHrH99xSC1rBHOFEgEX78XtgVCC1JOK2DhM7PSW5k
+lzA8Hh0CgYBVXNnQsy4x+9D09zeFP2TKXsk7N154yUP6oxXu6OjZC+cfxHOGyi/g
+PVe8ukBIknZkFRz+ZXdfZzXXuJslENOVeFEInqVAu2W55KeCPc/3SU6hB2lj6MBl
+WIZ7yrUmtdalU3cPkFnHkQTL2glYAzjB2z22AxyXNzy37ZhtFpovtg==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.secrets
index e86d6aa5c..d65b96e34 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA moonKey.pem
+: RSA marsKey.pem
diff --git a/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7c415b1ee
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/ikev2/redirect-active/posttest.dat b/testing/tests/ikev2/redirect-active/posttest.dat
new file mode 100644
index 000000000..7e436a683
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/posttest.dat
@@ -0,0 +1,10 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+alice::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+alice::ip addr del 192.168.0.5/24 dev eth1
+alice::ifdown eth1
diff --git a/testing/tests/ikev2/redirect-active/pretest.dat b/testing/tests/ikev2/redirect-active/pretest.dat
new file mode 100644
index 000000000..3f7ac1dcf
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/pretest.dat
@@ -0,0 +1,13 @@
+alice::ifup eth1
+alice::ip addr add 192.168.0.5/24 dev eth1
+moon::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+alice::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/redirect-active/test.conf b/testing/tests/ikev2/redirect-active/test.conf
new file mode 100644
index 000000000..8056d9ce4
--- /dev/null
+++ b/testing/tests/ikev2/redirect-active/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="venus carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol dave"
diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat
index e827687f8..ab5e18da2 100644
--- a/testing/tests/ikev2/rw-dnssec/pretest.dat
+++ b/testing/tests/ikev2/rw-dnssec/pretest.dat
@@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-moon::ipsec start
 carol::expect-connection home
 carol::ipsec up home
 dave::expect-connection home
diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2/trap-any/evaltest.dat
index b62e890c0..27df31fbe 100644
--- a/testing/tests/ikev2/trap-any/evaltest.dat
+++ b/testing/tests/ikev2/trap-any/evaltest.dat
@@ -1,8 +1,8 @@
-moon::ping -c 2 -W 1 -i 0.2 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
-moon::ping -c 2 -W 1 -i 0.2 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
-sun::ping -c 2 -W 1 -i 0.2 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
-dave::ping -c 2 -W 1 -i 0.2 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
-dave::ping -c 2 -W 1 -i 0.2 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+moon::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+moon::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+sun::ping -c 2 -W 1 -i 0.4 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+dave::ping -c 2 -W 1 -i 0.4 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
+dave::ping -c 2 -W 1 -i 0.4 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
 dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES
 moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES
 moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES
diff --git a/testing/tests/libipsec/net2net-null/evaltest.dat b/testing/tests/libipsec/net2net-null/evaltest.dat
index e455a3650..0cafb4faf 100644
--- a/testing/tests/libipsec/net2net-null/evaltest.dat
+++ b/testing/tests/libipsec/net2net-null/evaltest.dat
@@ -2,8 +2,8 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
 sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf
index 4ecfb0e92..f206a16fb 100644
--- a/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=null-sha256-modp2048!
-	esp=null-sha256-modp2048!
+	ike=null-sha256-modp3072!
+	esp=null-sha256-modp3072!
 	mobike=no
 
 conn net-net
diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf
index 95ea20d3c..21b116595 100644
--- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=null-sha256-modp2048!
-	esp=null-sha256-modp2048!
+	ike=null-sha256-modp3072!
+	esp=null-sha256-modp3072!
 	mobike=no
 
 conn net-net
diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
index 4d614bf7e..3b6770389 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
@@ -1,11 +1,11 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
index 7a276806e..4628311d4 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
+	ike=camellia256-sha512-modp3072!
+	esp=camellia192-sha384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
index fb892a041..da1fbf06b 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
+	ike=camellia256-sha512-modp3072!
+	esp=camellia192-sha384!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
index 69c893f0c..941a2fecf 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
@@ -8,10 +8,10 @@ moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA successful::YES
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
-dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_NULL successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_NULL successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_NULL successful::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_NULL successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
index 4d614bf7e..3b6770389 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
@@ -1,11 +1,11 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
index 004295437..f0bbfc10f 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
+	ike=camellia256-sha512-modp3072!
+	esp=camellia192-sha384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
index 0f6a4f569..8481f8974 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
+	ike=camellia256-sha512-modp3072!
+	esp=camellia192-sha384!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
index 590b7fe9c..9c6b73ba0 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index 74668e7fb..c9e9e92e5 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
-	esp=aes128-aesxcbc-modp2048!
+	ike=aes128-aesxcbc-modp3072!
+	esp=aes128-aesxcbc-modp3072!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index 3cda72935..4e4a9324f 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
-	esp=aes128-aesxcbc-modp2048!
+	ike=aes128-aesxcbc-modp3072!
+	esp=aes128-aesxcbc-modp3072!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
index 5ff5edbf8..9b8456121 100644
--- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
@@ -1,25 +1,21 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES 
 moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES
 moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
index 4a5d34993..d5c4452e2 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
index 85e47522e..a44dc276c 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql
@@ -111,7 +111,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
index a584dd8c1..315749b00 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql
@@ -135,7 +135,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index 64e7cc722..2e9e6464d 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -1,16 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
+
   plugins {
     sql {
       database = sqlite:///etc/db.d/ipsec.db
     }
-  }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
-}
-
-libhydra {
-  plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
     }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat
index b757d8b15..d7107ccc6 100644
--- a/testing/tests/sql/ip-pool-db-expired/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat
@@ -1,6 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat
index 3e1b762d7..068d72917 100644
--- a/testing/tests/sql/ip-pool-db-expired/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -11,10 +8,11 @@ moon::ipsec pool --leases 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf
index 450100fbe..ae4f83447 100644
--- a/testing/tests/sql/ip-pool-db-expired/test.conf
+++ b/testing/tests/sql/ip-pool-db-expired/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
index f70e2d2de..ce7a8f5bf 100644
--- a/testing/tests/sql/ip-pool-db-restart/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
@@ -1,25 +1,21 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon:: cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES 
 moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
 moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
index 4a5d34993..d5c4452e2 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
index a832d0672..6f2d0fc53 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
index 6e33e05d1..399de69e5 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql
@@ -129,7 +129,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index 64e7cc722..2e9e6464d 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -1,16 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
+
   plugins {
     sql {
       database = sqlite:///etc/db.d/ipsec.db
     }
-  }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
-}
-
-libhydra {
-  plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
     }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index b757d8b15..d7107ccc6 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -1,6 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index 4976693ec..374693e36 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -11,10 +8,11 @@ moon::ipsec pool --leases 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf
index 450100fbe..ae4f83447 100644
--- a/testing/tests/sql/ip-pool-db-restart/test.conf
+++ b/testing/tests/sql/ip-pool-db-restart/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat
index cfa87ae3f..799692474 100644
--- a/testing/tests/sql/ip-pool-db/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db/evaltest.dat
@@ -5,9 +5,8 @@ carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 carol::cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
@@ -16,21 +15,18 @@ dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 dave:: cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES
 dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
 dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave:: ipsec status 2> /dev/null::.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
 moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
 moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES 
 moon:: ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
 moon:: ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
 moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
 moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
index 9ef560af7..ab343f2cc 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
index 4346eca40..310587ee2 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
index 39f05491a..ca6c5d9f2 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
index 4346eca40..310587ee2 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
index 837836416..e37653698 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index 64e7cc722..2e9e6464d 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,16 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
+
   plugins {
     sql {
       database = sqlite:///etc/db.d/ipsec.db
     }
-  }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
-}
-
-libhydra {
-  plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
     }
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index 47061432a..d7107ccc6 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -1,9 +1,8 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-moon::dbdir-remove
-carol::dbdir-remove
-dave::dbdir-remove
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
index 0cea9d816..4d89bed3e 100644
--- a/testing/tests/sql/ip-pool-db/pretest.dat
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf
index 450100fbe..ae4f83447 100644
--- a/testing/tests/sql/ip-pool-db/test.conf
+++ b/testing/tests/sql/ip-pool-db/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
index 5f7f5ec3d..b77707035 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
@@ -1,9 +1,7 @@
 dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
-dave::ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.1.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.1.1/32] remote-ts=\[10.1.0.0/16]::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
 moon:: cat /var/log/daemon.log::acquired existing lease for address 10.3.1.1 in pool.*pool1::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
 moon:: cat /var/log/daemon.log::acquired existing lease for address 10.3.0.1 in pool.*pool0::YES
@@ -12,7 +10,5 @@ moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.2.*static.*2 .*
 moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.2.*static.*2 .*1 .*1 ::YES
 moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.1.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.1.1/32]::YES 
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
index 4a5d34993..d5c4452e2 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
index 529574a62..ddd55026d 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql
@@ -116,7 +116,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
index 31d9e1c09..032b82bc9 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql
@@ -129,7 +129,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
index 64e7cc722..2e9e6464d 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
@@ -1,16 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
+
   plugins {
     sql {
       database = sqlite:///etc/db.d/ipsec.db
     }
-  }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
-}
-
-libhydra {
-  plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
     }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
index a851d0924..b257564dc 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
@@ -1,3 +1,5 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
index 706cb3205..d0c7b9c76 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -9,10 +6,11 @@ carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --status 2> /dev/null
 moon::ipsec pool --leases 2> /dev/null
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf
index 450100fbe..ae4f83447 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/test.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/ip-split-pools-db/evaltest.dat b/testing/tests/sql/ip-split-pools-db/evaltest.dat
index f186d8927..16ea2287b 100644
--- a/testing/tests/sql/ip-split-pools-db/evaltest.dat
+++ b/testing/tests/sql/ip-split-pools-db/evaltest.dat
@@ -1,9 +1,8 @@
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.1.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.1.1/32] remote-ts=\[10.1.0.0/16]::YES
 moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
 moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES
@@ -13,5 +12,5 @@ moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*static.*1 .*
 moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*static.*1 .*1 .*1 ::YES
 moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.1.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.1.1/32]::YES 
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
index 4a5d34993..d5c4452e2 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
index a832d0672..6f2d0fc53 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
index 1861e5ffb..991bcba6b 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index 64e7cc722..2e9e6464d 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,16 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
+
   plugins {
     sql {
       database = sqlite:///etc/db.d/ipsec.db
     }
-  }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
-}
-
-libhydra {
-  plugins {
     attr-sql {
       database = sqlite:///etc/db.d/ipsec.db
     }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat
index a851d0924..b257564dc 100644
--- a/testing/tests/sql/ip-split-pools-db/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db/posttest.dat
@@ -1,3 +1,5 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat
index e820c81a2..e1f0c22ae 100644
--- a/testing/tests/sql/ip-split-pools-db/pretest.dat
+++ b/testing/tests/sql/ip-split-pools-db/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -8,10 +5,11 @@ moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::ipsec pool --status 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf
index 450100fbe..5e41e93f1 100644
--- a/testing/tests/sql/ip-split-pools-db/test.conf
+++ b/testing/tests/sql/ip-split-pools-db/test.conf
@@ -23,3 +23,6 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat
index 72a555d4b..a0eaae1d5 100644
--- a/testing/tests/sql/multi-level-ca/evaltest.dat
+++ b/testing/tests/sql/multi-level-ca/evaltest.dat
@@ -1,21 +1,17 @@
 carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=[192.168.0.100/32 remote-ts=\[10.1.0.0/16]::YES
 dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
 moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
 moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
 moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
 moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
 moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
 moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES 
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql
index bd2f3b8ed..b6e9c813e 100644
--- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql
@@ -156,7 +156,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql
index eae9b598a..ff60dd012 100644
--- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql
@@ -159,7 +159,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql
index 9d9564b12..64c68e486 100644
--- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql
@@ -129,7 +129,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat
index 1865a1c60..d7107ccc6 100644
--- a/testing/tests/sql/multi-level-ca/posttest.dat
+++ b/testing/tests/sql/multi-level-ca/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat
index 0cea9d816..4d89bed3e 100644
--- a/testing/tests/sql/multi-level-ca/pretest.dat
+++ b/testing/tests/sql/multi-level-ca/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf
index f6fb44f5f..2b2019d3d 100644
--- a/testing/tests/sql/multi-level-ca/test.conf
+++ b/testing/tests/sql/multi-level-ca/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/net2net-cert/evaltest.dat b/testing/tests/sql/net2net-cert/evaltest.dat
index f003f822f..5180ab31d 100644
--- a/testing/tests/sql/net2net-cert/evaltest.dat
+++ b/testing/tests/sql/net2net-cert/evaltest.dat
@@ -1,7 +1,5 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_12.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_12.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
index d49fe4975..31641518d 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'net-net', 'ipsec _updown iptables'
+  'net-net', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
index 938e50753..47eabf2a8 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'net-net', 'ipsec _updown iptables'
+  'net-net', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat
index 1f7aa73a1..59badb867 100644
--- a/testing/tests/sql/net2net-cert/posttest.dat
+++ b/testing/tests/sql/net2net-cert/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat
index 05fe277ce..6580e7604 100644
--- a/testing/tests/sql/net2net-cert/pretest.dat
+++ b/testing/tests/sql/net2net-cert/pretest.dat
@@ -1,12 +1,11 @@
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::service charon start 2> /dev/null
+sun::service charon start 2> /dev/null
+moon::expect-connection net-net 
+sun::expect-connection net-net
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/sql/net2net-cert/test.conf
index 1b7e280e8..a553c6a7e 100644
--- a/testing/tests/sql/net2net-cert/test.conf
+++ b/testing/tests/sql/net2net-cert/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon sun"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/net2net-psk/evaltest.dat b/testing/tests/sql/net2net-psk/evaltest.dat
index f003f822f..5180ab31d 100644
--- a/testing/tests/sql/net2net-psk/evaltest.dat
+++ b/testing/tests/sql/net2net-psk/evaltest.dat
@@ -1,7 +1,5 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_12.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_12.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql
index aa6e84c48..42116e245 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql
@@ -55,7 +55,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'net-net', 'ipsec _updown iptables'
+  'net-net', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
index e20fecca5..6332df434 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql
index 7c2865fd8..0942572ae 100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql
@@ -49,7 +49,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'net-net', 'ipsec _updown iptables'
+  'net-net', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
index e20fecca5..6332df434 100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat
index 1f7aa73a1..59badb867 100644
--- a/testing/tests/sql/net2net-psk/posttest.dat
+++ b/testing/tests/sql/net2net-psk/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat
index 05fe277ce..6580e7604 100644
--- a/testing/tests/sql/net2net-psk/pretest.dat
+++ b/testing/tests/sql/net2net-psk/pretest.dat
@@ -1,12 +1,11 @@
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection net-net
-moon::ipsec up net-net
+moon::service charon start 2> /dev/null
+sun::service charon start 2> /dev/null
+moon::expect-connection net-net 
+sun::expect-connection net-net
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf
index 1b7e280e8..a553c6a7e 100644
--- a/testing/tests/sql/net2net-psk/test.conf
+++ b/testing/tests/sql/net2net-psk/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon sun"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat
index 2c85542e6..87af401b5 100644
--- a/testing/tests/sql/net2net-route-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-route-pem/evaltest.dat
@@ -1,15 +1,7 @@
-moon:: ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp/8\] with reqid {1}::YES
-moon:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-1.*INSTALLED. TUNNEL::YES
 sun::  cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp/8\] with reqid {2}::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
+moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/28] remote-ts=\[10.2.0.0/23].*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=MODP_3072.*local-ts=\[10.1.0.16/28] remote-ts=\[10.2.0.0/23]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.2.0.0/23] remote-ts=\[10.1.0.0/28].*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=MODP_3072.*local-ts=\[10.2.0.0/23] remote-ts=\[10.1.0.16/28]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql
index e161c6f9f..f0ae8c119 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql
@@ -131,19 +131,19 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-1', 'ipsec _updown iptables', 1, 1
+  'net-1', '/usr/local/libexec/ipsec/_updown iptables', 1, 1
 );
 
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-2', 'ipsec _updown iptables', 1, 1
+  'net-2', '/usr/local/libexec/ipsec/_updown iptables', 1, 1
 );
 
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-3', 'ipsec _updown iptables', 0, 0
+  'net-3', '/usr/local/libexec/ipsec/_updown iptables', 0, 0
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql
index 27a40ddfa..4268f8e48 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql
@@ -131,19 +131,19 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-1', 'ipsec _updown iptables', 1, 1
+  'net-1', '/usr/local/libexec/ipsec/_updown iptables', 1, 1
 );
 
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-2', 'ipsec _updown iptables', 1, 1
+  'net-2', '/usr/local/libexec/ipsec/_updown iptables', 1, 1
 );
 
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-3', 'ipsec _updown iptables', 0, 0
+  'net-3', '/usr/local/libexec/ipsec/_updown iptables', 0, 0
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat
index 1f7aa73a1..59badb867 100644
--- a/testing/tests/sql/net2net-route-pem/posttest.dat
+++ b/testing/tests/sql/net2net-route-pem/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat
index cef74e474..576bd6738 100644
--- a/testing/tests/sql/net2net-route-pem/pretest.dat
+++ b/testing/tests/sql/net2net-route-pem/pretest.dat
@@ -1,13 +1,11 @@
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
+moon::service charon start 2> /dev/null
+sun::service charon start 2> /dev/null
 moon::expect-connection net-net
-alice::ping -c 1 -W 1 PH_IP_BOB
-bob::ping -c 1 -W 1 PH_IP_VENUS
+alice::ping -c 1 -W 1 10.2.0.10
+bob::ping -c 1 -W 1 10.1.0.20
diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf
index ee97968ab..138083669 100644
--- a/testing/tests/sql/net2net-route-pem/test.conf
+++ b/testing/tests/sql/net2net-route-pem/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon sun"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/net2net-start-pem/evaltest.dat b/testing/tests/sql/net2net-start-pem/evaltest.dat
index 6534adc07..630c17e1a 100644
--- a/testing/tests/sql/net2net-start-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-start-pem/evaltest.dat
@@ -1,11 +1,5 @@
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[10.2.0.0/23].*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.1.0.16/28] remote-ts=\[10.2.0.0/23].*net-3.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.1.2.0/23] remote-ts=\[10.2.2.0/23]::YES
+sun::  swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/23] remote-ts=\[10.1.0.0/28].*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.2.0.0/23] remote-ts=\[10.1.0.16/28].*net-3.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.2.2.0/23] remote-ts=\[10.1.2.0/23]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql
index d178fe58a..7db84f21d 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql
@@ -105,25 +105,25 @@ INSERT INTO private_key_identity (
 INSERT INTO proposals (
   proposal
 ) VALUES (
-  'aes128-sha256-modp2048'
+  'aes128-sha256-modp3072'
 );
 
 INSERT INTO proposals (
   proposal
 ) VALUES (
-  'aes192-sha384-modp3072'
+  'aes192-sha384-modp8192'
 );
 
 INSERT INTO proposals (
   proposal
 ) VALUES (
-  'aes128gcm128'
+  'aes128gcm16-modp3072'
 );
 
 INSERT INTO proposals (
   proposal
 ) VALUES (
-  'aes192gcm128'
+  'aes192gcm16-modp8192'
 );
 
 /* Configurations */
@@ -155,19 +155,19 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-1', 'ipsec _updown iptables', 2, 2
+  'net-1', '/usr/local/libexec/ipsec/_updown iptables', 2, 2
 );
 
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-2', 'ipsec _updown iptables', 2, 2
+  'net-2', '/usr/local/libexec/ipsec/_updown iptables', 2, 2
 );
 
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-3', 'ipsec _updown iptables', 2, 2
+  'net-3', '/usr/local/libexec/ipsec/_updown iptables', 2, 2
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql
index dd437b9b8..8d9d95d4f 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql
@@ -105,25 +105,25 @@ INSERT INTO private_key_identity (
 INSERT INTO proposals (
   proposal
 ) VALUES (
-  'aes128-sha256-modp2048'
+  'aes128-sha256-modp3072'
 );
 
 INSERT INTO proposals (
   proposal
 ) VALUES (
-  'aes192-sha384-modp3072'
+  'aes192-sha384-modp8192'
 );
 
 INSERT INTO proposals (
   proposal
 ) VALUES (
-  'aes128gcm128'
+  'aes128gcm16-modp3072'
 );
 
 INSERT INTO proposals (
   proposal
 ) VALUES (
-  'aes192gcm128'
+  'aes192gcm16-modp8192'
 );
 
 /* Configurations */
@@ -155,19 +155,19 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-1', 'ipsec _updown iptables', 0, 0
+  'net-1', '/usr/local/libexec/ipsec/_updown iptables', 0, 0
 );
 
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-2', 'ipsec _updown iptables', 0, 0
+  'net-2', '/usr/local/libexec/ipsec/_updown iptables', 0, 0
 );
 
 INSERT INTO child_configs (
   name, updown, start_action, dpd_action
 ) VALUES (
-  'net-3', 'ipsec _updown iptables', 0, 0
+  'net-3', '/usr/local/libexec/ipsec/_updown iptables', 0, 0
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat
index 1f7aa73a1..59badb867 100644
--- a/testing/tests/sql/net2net-start-pem/posttest.dat
+++ b/testing/tests/sql/net2net-start-pem/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat
index f260b396c..8fc6d1a1c 100644
--- a/testing/tests/sql/net2net-start-pem/pretest.dat
+++ b/testing/tests/sql/net2net-start-pem/pretest.dat
@@ -1,11 +1,11 @@
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-sun::ipsec start
-moon::ipsec start
-moon::sleep 1
+sun::service charon start 2> /dev/null
+sun::expect-connection net-net
+moon::service charon start 2> /dev/null
+moon::sleep 4 
+
diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf
index ee97968ab..138083669 100644
--- a/testing/tests/sql/net2net-start-pem/test.conf
+++ b/testing/tests/sql/net2net-start-pem/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon sun"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/rw-cert/evaltest.dat b/testing/tests/sql/rw-cert/evaltest.dat
index 2342d024b..bddf2fe33 100644
--- a/testing/tests/sql/rw-cert/evaltest.dat
+++ b/testing/tests/sql/rw-cert/evaltest.dat
@@ -1,13 +1,9 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
index 90c9a49fa..75c82fddd 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index 4946b1520..22e6d1488 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
index 70afc34cb..88a326215 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index 4946b1520..22e6d1488 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
index 27e90dee0..94316472b 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index 7fed45bed..212dd3ada 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 
   integrity_test = yes
 }
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat
index 1865a1c60..d7107ccc6 100644
--- a/testing/tests/sql/rw-cert/posttest.dat
+++ b/testing/tests/sql/rw-cert/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat
index 0cea9d816..4d89bed3e 100644
--- a/testing/tests/sql/rw-cert/pretest.dat
+++ b/testing/tests/sql/rw-cert/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf
index f6fb44f5f..2b2019d3d 100644
--- a/testing/tests/sql/rw-cert/test.conf
+++ b/testing/tests/sql/rw-cert/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
index 73173f06b..4f3de0f30 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
@@ -1,12 +1,8 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw-eap-aka.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw-eap-aka.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
index 806a5b219..dfff0849d 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -93,7 +93,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index 2fba94535..25a3b427c 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
index 6b74f8bdb..02a9dfe3e 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -143,7 +143,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw-eap-aka', 'ipsec _updown iptables'
+  'rw-eap-aka', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index b06c611b7..34cc5892b 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 gmp x509 revocation hmac vici kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
index 046d4cfdc..2fc2bbb75 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
@@ -1,4 +1,5 @@
-moon::ipsec stop
-carol::ipsec stop
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
index a6cbee7a9..d964629a2 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
@@ -1,12 +1,11 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 moon::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 carol::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection rw-eap-aka
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/rw-eap-aka-rsa/test.conf b/testing/tests/sql/rw-eap-aka-rsa/test.conf
index 81b1d3bdb..5bd7b1495 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/rw-psk-ipv4/evaltest.dat b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
index eaf47395e..80fd718a7 100644
--- a/testing/tests/sql/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
@@ -1,15 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql
index a5ff52d65..4b5b183e5 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql
@@ -49,7 +49,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index e20fecca5..6332df434 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql
index ac39472f3..5aa53d6c8 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql
@@ -49,7 +49,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index e20fecca5..6332df434 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql
index 231b84cb9..3d2f5d80b 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql
@@ -79,7 +79,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index e20fecca5..6332df434 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat
index 1865a1c60..d7107ccc6 100644
--- a/testing/tests/sql/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat
index 0cea9d816..4d89bed3e 100644
--- a/testing/tests/sql/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf
index f6fb44f5f..2b2019d3d 100644
--- a/testing/tests/sql/rw-psk-ipv4/test.conf
+++ b/testing/tests/sql/rw-psk-ipv4/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
index 344dfa809..63c8b6414 100644
--- a/testing/tests/sql/rw-psk-ipv6/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
@@ -1,15 +1,10 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*10].*\[fec0.*1]::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*20].*\[fec0.*1]::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*1].*\[fec0.*10]::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*1].*\[fec0.*20]::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:10 local-port=4500 local-id=fec0:\:10 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=4500 local-id=fec0:\:20 remote-host=fec0:\:1 remote-port=4500 remote-id=fec0:\:1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
+moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:10 remote-port=4500 remote-id=fec0:\:10.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
+moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=4500 local-id=fec0:\:1 remote-host=fec0:\:20 remote-port=4500 remote-id=fec0:\:20.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql
index 8cbb82d71..031303d2a 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql
@@ -49,7 +49,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
index e20fecca5..6332df434 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql
index 87055a216..fd91771b1 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql
@@ -49,7 +49,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
index e20fecca5..6332df434 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql
index 2479bea12..0d94f3474 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql
@@ -79,7 +79,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
index e20fecca5..6332df434 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat
index 4e59395e3..3f82576b6 100644
--- a/testing/tests/sql/rw-psk-ipv6/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat
index 894689648..60a1055a2 100644
--- a/testing/tests/sql/rw-psk-ipv6/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -16,10 +13,11 @@ dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf
index 024105ebb..2b2019d3d 100644
--- a/testing/tests/sql/rw-psk-ipv6/test.conf
+++ b/testing/tests/sql/rw-psk-ipv6/test.conf
@@ -9,7 +9,7 @@ VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-d-ip6.png"
+DIAGRAM="a-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
index 1206ea4b7..d3ddd8cf6 100644
--- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
@@ -1,16 +1,12 @@
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
index c6c08a0c8..37e8b09c4 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql
@@ -93,7 +93,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
index 3620f201e..724ace333 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql
@@ -94,7 +94,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
index a3d480f96..d1349f9c3 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql
@@ -168,7 +168,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index 8b25be7aa..f5b531db9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
index 1865a1c60..d7107ccc6 100644
--- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
index 0cea9d816..4d89bed3e 100644
--- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf
index f6fb44f5f..2b2019d3d 100644
--- a/testing/tests/sql/rw-psk-rsa-split/test.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/rw-rsa-keyid/evaltest.dat b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
index 4f5cd724c..8d6c64a94 100644
--- a/testing/tests/sql/rw-rsa-keyid/evaltest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
@@ -1,13 +1,9 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*1f:a1:.*:6e:7c.*6a:9c:.*:29:2e::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*ee:7f:.*:8e:0e.*6a:9c:.*:29:2e::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*6a:9c:.*:29:2e.*1f:a1:.*:6e:7c::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*6a:9c:.*:29:2e.*ee:7f:.*:8e:0e::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=1f:a1:.*:6e:7c remote-host=192.168.0.1 remote-port=4500 remote-id=6a:9c:.*:29:2e initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=ee:7f:.*:8e:0e remote-host=192.168.0.1 remote-port=4500 remote-id=6a:9c:.*:29:2e initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=6a:9c:.*:29:2e remote-host=192.168.0.200 remote-port=4500 remote-id=ee:7f:.*:8e:0e.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=6a:9c:.*:29:2e remote-host=192.168.0.100 remote-port=4500 remote-id=1f:a1:.*:6e:7c.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
index 4f181b91b..ebec5c16f 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
@@ -99,7 +99,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index 75a2b0624..43ece9087 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
index 9a36c2c37..961dd65c0 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
@@ -99,7 +99,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index 75a2b0624..43ece9087 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
index 9718a75bf..dee634c50 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
@@ -135,7 +135,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index 75a2b0624..43ece9087 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat
index 1865a1c60..d7107ccc6 100644
--- a/testing/tests/sql/rw-rsa-keyid/posttest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat
index 0cea9d816..4d89bed3e 100644
--- a/testing/tests/sql/rw-rsa-keyid/pretest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/rw-rsa-keyid/test.conf b/testing/tests/sql/rw-rsa-keyid/test.conf
index f6fb44f5f..2b2019d3d 100644
--- a/testing/tests/sql/rw-rsa-keyid/test.conf
+++ b/testing/tests/sql/rw-rsa-keyid/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/rw-rsa/evaltest.dat b/testing/tests/sql/rw-rsa/evaltest.dat
index ba661975b..b28e4c4a9 100644
--- a/testing/tests/sql/rw-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-rsa/evaltest.dat
@@ -1,13 +1,9 @@
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
index 8219bdfad..987e4ad78 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -99,7 +99,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index 75a2b0624..43ece9087 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
index 7c9cd9fe4..fda055a06 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
@@ -98,7 +98,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'home', 'ipsec _updown iptables'
+  'home', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index 75a2b0624..43ece9087 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
index 8a4eb2d21..bc18a87df 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -135,7 +135,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'rw', 'ipsec _updown iptables'
+  'rw', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index 75a2b0624..43ece9087 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat
index 1865a1c60..d7107ccc6 100644
--- a/testing/tests/sql/rw-rsa/posttest.dat
+++ b/testing/tests/sql/rw-rsa/posttest.dat
@@ -1,6 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat
index 0cea9d816..4d89bed3e 100644
--- a/testing/tests/sql/rw-rsa/pretest.dat
+++ b/testing/tests/sql/rw-rsa/pretest.dat
@@ -1,6 +1,3 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-dave::rm /etc/ipsec.d/cacerts/*
 moon::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 carol::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 dave::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -10,10 +7,11 @@ dave::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/sql/rw-rsa/test.conf b/testing/tests/sql/rw-rsa/test.conf
index f6fb44f5f..2b2019d3d 100644
--- a/testing/tests/sql/rw-rsa/test.conf
+++ b/testing/tests/sql/rw-rsa/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="$IPSECHOSTS"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat
index 4d36673dc..8b1173776 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat
+++ b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat
@@ -1,12 +1,15 @@
-alice::ipsec status 2> /dev/null::local-net.*PASS::YES
-venus::ipsec status 2> /dev/null::local-net.*PASS::YES
-alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
-venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+alice::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+venus::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES
+sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2
+ local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES
+sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
 moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
-alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
-\ No newline at end of file
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 50eccad21..000000000
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets
deleted file mode 100644
index 76bb21bea..000000000
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
index f4dd8f199..209df5871 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 
   keep_alive = 5
 }
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index 50eccad21..000000000
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql
index 8489f10a1..abda7caff 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql
@@ -117,7 +117,7 @@ INSERT INTO peer_configs (
 INSERT INTO child_configs (
   name, updown
 ) VALUES (
-  'nat-t', 'ipsec _updown iptables'
+  'nat-t', '/usr/local/libexec/ipsec/_updown iptables'
 );
 
 INSERT INTO peer_config_child_config (
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index 76bb21bea..000000000
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
index 6210c21cc..4048545d5 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -9,5 +9,5 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
 }
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
deleted file mode 100644
index 50eccad21..000000000
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets
deleted file mode 100644
index 76bb21bea..000000000
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
index f4dd8f199..209df5871 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/db.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
 
   keep_alive = 5
 }
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6b5617317
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
index e772be6af..b02b19357 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
+++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
@@ -1,5 +1,5 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
+alice::service charon stop 2> /dev/null
+venus::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
 sun::iptables-restore < /etc/iptables.flush
-moon::iptables -t nat -F
-\ No newline at end of file
+moon::iptables -t nat -F
diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
index c23c09981..8d61e4c87 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
+++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
@@ -1,6 +1,3 @@
-alice::rm /etc/ipsec.d/cacerts/*
-venus::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
 alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
 sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql
@@ -10,11 +7,11 @@ sun::cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db
 sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
+sun::service charon start 2> /dev/null
+alice::service charon start 2> /dev/null
+venus::service charon start 2> /dev/null
+sun::expect-connection nat-t
 alice::expect-connection nat-t
+alice::swanctl --initiate --child nat-t 2> /dev/null
 venus::expect-connection nat-t
-sun::expect-connection nat-t
-alice::ipsec up nat-t
-venus::ipsec up nat-t
-\ No newline at end of file
+venus::swanctl --initiate --child nat-t 2> /dev/null
diff --git a/testing/tests/sql/shunt-policies-nat-rw/test.conf b/testing/tests/sql/shunt-policies-nat-rw/test.conf
index d797acb06..d22f20660 100644
--- a/testing/tests/sql/shunt-policies-nat-rw/test.conf
+++ b/testing/tests/sql/shunt-policies-nat-rw/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="alice venus sun"
 # Guest instances on which databases are used
 #
 DBHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/config-payload/description.txt b/testing/tests/swanctl/config-payload/description.txt
new file mode 100755
index 000000000..3e68a7798
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
+<b>moon</b> explicitly assigns a specific virtual IP to each of the two clients.
+<p/>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
+tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
+<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the
+virtual IPs <b>10.3.0.1</b> and <b>10.3.0.2</b>, respectively.
diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat
new file mode 100755
index 000000000..7d5584482
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/evaltest.dat
@@ -0,0 +1,16 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
+moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_req=1::YES
+alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..7d7e5f9f5
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f1a76db62
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+      vips = 0.0.0.0 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..7d7e5f9f5
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..184185bb3
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+      vips = 0.0.0.0 
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..cd161bed0
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds
+    pools = /usr/local/sbin/swanctl --load-pools 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..5b4f02142
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   rw-carol {
+      include swanctl_base.conf
+      pools = carol_vip
+
+      remote {
+         auth = pubkey
+         id = carol@strongswan.org
+      }
+   }
+
+   rw-dave {
+      include swanctl_base.conf
+      pools = dave_vip
+
+      remote {
+         auth = pubkey
+         id = dave@strongswan.org
+      }
+   }
+
+}
+
+pools {
+
+   carol_vip {
+      addrs = 10.3.0.1
+   }
+
+   dave_vip {
+      addrs = 10.3.0.2
+   }
+}
diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf
new file mode 100755
index 000000000..08fa7113c
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -0,0 +1,17 @@
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
diff --git a/testing/tests/swanctl/config-payload/posttest.dat b/testing/tests/swanctl/config-payload/posttest.dat
new file mode 100755
index 000000000..d7107ccc6
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/config-payload/pretest.dat b/testing/tests/swanctl/config-payload/pretest.dat
new file mode 100755
index 000000000..9c281d032
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw-carol
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/config-payload/test.conf b/testing/tests/swanctl/config-payload/test.conf
new file mode 100755
index 000000000..1227b9d1c
--- /dev/null
+++ b/testing/tests/swanctl/config-payload/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/dhcp-dynamic/description.txt b/testing/tests/swanctl/dhcp-dynamic/description.txt
new file mode 100644
index 000000000..bef542371
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+and request a <b>virtual IP</b> via the IKEv2 configuration payload by using the <b>vips=0.0.0.0</b>
+parameter. The <b>dhcp</b> plugin on gateway <b>moon</b> then requests an IP address and DNS server
+information from DHCP server <b>venus</b> using the DHCP protocol. The IP addresses are assigned dynamically
+by <b>venus</b> from the pool 10.1.0.50..10.1.0.60 so that <b>carol</b> and <b>dave</b> become full members
+of the subnet 10.1.0.0/16 hidden behind gateway <b>moon</b>. And this thanks to the <b>farp</b> plugin
+through which <b>moon</b> acts as a proxy for ARP requests e.g. from <b>alice</b> who wants to ping
+<b>carol</b> and <b>dave</b>. 
diff --git a/testing/tests/swanctl/dhcp-dynamic/evaltest.dat b/testing/tests/swanctl/dhcp-dynamic/evaltest.dat
new file mode 100644
index 000000000..74d6ca86b
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/evaltest.dat
@@ -0,0 +1,22 @@
+alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.50/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.51/32]
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::ARP, Reply carol3.strongswan.org is-at 52:54:00:43:e3:35::YES
+alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::ARP, Reply dave3.strongswan.org is-at 52:54:00:43:e3:35::YES
+alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..5b06b251f
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default resolve updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f1a76db62
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+      vips = 0.0.0.0 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..5b06b251f
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default resolve updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..184185bb3
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+      vips = 0.0.0.0 
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
new file mode 100644
index 000000000..0340d5669
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/dhcpd.conf
@@ -0,0 +1,9 @@
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option routers 10.1.0.1;
+  option broadcast-address 10.1.255.255;
+  option domain-name servers PH_IP_WINNETOU PH_IP_VENUS
+  option netbios-name-servers PH_IP_VENUS;
+
+  # dynamic address pool for visitors
+  range 10.1.0.30 10.1.0.50;
+}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..36e4e772a
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+
+  plugins {
+    dhcp {
+      server = 10.1.255.255
+    }
+  }
+}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e19568b4b
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+      pools = dhcp
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
new file mode 100644
index 000000000..7a178505f
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
@@ -0,0 +1,14 @@
+# dhcpd configuration file
+
+ddns-update-style none;
+
+subnet 10.1.0.0 netmask 255.255.0.0 {
+  option domain-name          "strongswan.org";
+  option domain-name-servers   PH_IP_VENUS;
+  option netbios-name-servers  PH_IP_ALICE;
+  option routers               PH_IP_MOON1;
+  option broadcast-address     10.1.255.255;
+  next-server                  PH_IP_VENUS;
+
+  range 10.1.0.50 10.1.0.60;
+}
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
new file mode 100644
index 000000000..ec8c945a7
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
@@ -0,0 +1,7 @@
+interface=eth0
+dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
+dhcp-option=option:domain-name,strongswan.org
+log-dhcp
diff --git a/testing/tests/swanctl/dhcp-dynamic/posttest.dat b/testing/tests/swanctl/dhcp-dynamic/posttest.dat
new file mode 100644
index 000000000..624a26b4b
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/posttest.dat
@@ -0,0 +1,12 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+venus::cat /var/state/dhcp/dhcpd.leases
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+alice::arp -d 10.1.0.50
+alice::arp -d 10.1.0.51
diff --git a/testing/tests/swanctl/dhcp-dynamic/pretest.dat b/testing/tests/swanctl/dhcp-dynamic/pretest.dat
new file mode 100644
index 000000000..6d935b63c
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/dhcp-dynamic/test.conf b/testing/tests/swanctl/dhcp-dynamic/test.conf
new file mode 100644
index 000000000..853093c96
--- /dev/null
+++ b/testing/tests/swanctl/dhcp-dynamic/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/frags-ipv4/description.txt b/testing/tests/swanctl/frags-ipv4/description.txt
index 51744cf7c..b5b871126 100755
--- a/testing/tests/swanctl/frags-ipv4/description.txt
+++ b/testing/tests/swanctl/frags-ipv4/description.txt
@@ -1,7 +1,7 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b> using the <b>IKEv2</b> key exchange protocol. The
-authentication is based on <b>X.509 certificates</b>. <b>dave</b> advertises 
-the support of the IKEv2 fragmentation protocol defined in <b>RFC 7383</b> 
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv4 connection each to
+gateway <b>moon</b> using the <b>IKEv1</b> and <b>IKEv2</b> key exchange protocol,
+respectively. The authentication is based on <b>X.509 certificates</b>. <b>dave</b>
+advertises the support of the IKEv2 fragmentation protocol defined in <b>RFC 7383</b> 
 which prevents the IP fragmentation of the IKEv2 messages carrying large X.509 
 certificates whereas <b>carol</b> announces support of non-standardized
 IKEv1 fragmentation.
diff --git a/testing/tests/swanctl/frags-ipv4/evaltest.dat b/testing/tests/swanctl/frags-ipv4/evaltest.dat
index a4aea93ba..af4c5a0f5 100755
--- a/testing/tests/swanctl/frags-ipv4/evaltest.dat
+++ b/testing/tests/swanctl/frags-ipv4/evaltest.dat
@@ -7,10 +7,10 @@ dave:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete
 dave:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
 moon:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
 moon:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf
index 9062e6571..6b01dfc02 100755
--- a/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf
@@ -17,17 +17,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 1 
       fragmentation = yes
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
diff --git a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf
index a4abc6ffc..e1d2487e9 100755
--- a/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf
@@ -17,18 +17,13 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       mobike = no 
       fragmentation = yes 
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
diff --git a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf
index a19f54254..2d219cdf0 100755
--- a/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf
@@ -15,17 +15,12 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       mobike = no
       fragmentation = yes
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
diff --git a/testing/tests/swanctl/frags-ipv4/pretest.dat b/testing/tests/swanctl/frags-ipv4/pretest.dat
index 706bd1edd..762c35418 100755
--- a/testing/tests/swanctl/frags-ipv4/pretest.dat
+++ b/testing/tests/swanctl/frags-ipv4/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::service charon start 2> /dev/null
 carol::service charon start 2> /dev/null
 dave::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
 dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/frags-ipv6/evaltest.dat b/testing/tests/swanctl/frags-ipv6/evaltest.dat
index 4ec34d71d..18814f65e 100755
--- a/testing/tests/swanctl/frags-ipv6/evaltest.dat
+++ b/testing/tests/swanctl/frags-ipv6/evaltest.dat
@@ -7,10 +7,10 @@ dave:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete
 dave:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
 moon:: cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
 moon:: cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=fec0:\:10 local-port=500 local-id=carol@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:10/128] remote-ts=\[fec1:\:/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=fec0:\:20 local-port=500 local-id=dave@strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:20/128] remote-ts=\[fec1:\:/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:10 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:10/128]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:20 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec0:\:20/128]::YES
 alice::ping6 -c 1 ip6-carol.strongswan.org::64 bytes from ip6-carol.strongswan.org: icmp_seq=1::YES
 alice::ping6 -c 1 ip6-dave.strongswan.org::64 bytes from ip6-dave.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf
index 9e857f69b..71fc4ea29 100755
--- a/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf
@@ -17,17 +17,12 @@ connections {
          home {
             remote_ts = fec1::/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 1 
       fragmentation = yes
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
diff --git a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf
index bc5e54198..f4e8a81b5 100755
--- a/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf
@@ -17,18 +17,13 @@ connections {
          home {
             remote_ts = fec1::/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       mobike = no 
       fragmentation = yes 
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
diff --git a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf
index a59d13790..a6241e9fa 100755
--- a/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf
@@ -15,17 +15,12 @@ connections {
          net {
             local_ts = fec1::/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       mobike = no
       fragmentation = yes
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
diff --git a/testing/tests/swanctl/frags-ipv6/pretest.dat b/testing/tests/swanctl/frags-ipv6/pretest.dat
index 868038678..9593ac9f8 100755
--- a/testing/tests/swanctl/frags-ipv6/pretest.dat
+++ b/testing/tests/swanctl/frags-ipv6/pretest.dat
@@ -10,6 +10,8 @@ dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::service charon start 2> /dev/null
 carol::service charon start 2> /dev/null
 dave::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
 dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat
index f76c35689..4af4f3083 100755
--- a/testing/tests/swanctl/ip-pool-db/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
 moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
index 0bb341486..f1a76db62 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -18,16 +18,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
index 24d2f8645..184185bb3 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -18,16 +18,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
index d05dea005..3975512d4 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -16,16 +16,11 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/ip-pool-db/pretest.dat b/testing/tests/swanctl/ip-pool-db/pretest.dat
index 91380e6f9..955a3c9be 100755
--- a/testing/tests/swanctl/ip-pool-db/pretest.dat
+++ b/testing/tests/swanctl/ip-pool-db/pretest.dat
@@ -7,9 +7,11 @@ moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::service charon start 2> /dev/null 
+moon::service charon start 2> /dev/null
 carol::service charon start 2> /dev/null
 dave::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
 dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat
index a0891c358..5ba0002b0 100755
--- a/testing/tests/swanctl/ip-pool/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
 moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
index 0bb341486..f1a76db62 100755
--- a/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
@@ -18,16 +18,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
index 24d2f8645..184185bb3 100755
--- a/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
@@ -18,16 +18,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
index aa31d0f26..8d4dd6bdd 100755
--- a/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
@@ -16,17 +16,12 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
diff --git a/testing/tests/swanctl/ip-pool/pretest.dat b/testing/tests/swanctl/ip-pool/pretest.dat
index 706bd1edd..762c35418 100755
--- a/testing/tests/swanctl/ip-pool/pretest.dat
+++ b/testing/tests/swanctl/ip-pool/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::service charon start 2> /dev/null
 carol::service charon start 2> /dev/null
 dave::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
 dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt
new file mode 100644
index 000000000..3641d09ff
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/description.txt
@@ -0,0 +1,17 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>
+using multiple authentication exchanges (RFC 4739). In a first round 
+both <b>carol</b> and <b>moon</b> authenticate themselves by sending 
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<p>
+In a second round <b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with a <i>GSM Subscriber Identity Module</i> (<b>EAP-SIM</b>) to
+authenticate herself against the remote RADIUS server <b>alice</b>. 
+In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b>
+are used instead of a physical SIM card on the client <b>carol</b>.
+The gateway forwards all EAP messages to the RADIUS server <b>alice</b>
+which also uses a static triplets file.
+<p>
+The roadwarrior <b>dave</b> also uses multiple authentication and succeeds
+in the first round but sends wrong EAP-SIM triplets in the second round.
+As a consequence the radius server <b>alice</b> returns an <b>Access-Reject</b>
+message and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. 	
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat
new file mode 100644
index 000000000..50128d519
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -0,0 +1,20 @@
+moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=228060123456001@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=228060123456001@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES
+dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
+moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+	simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..91425f812
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,61 @@
+authorize {
+  preprocess
+  chap
+  mschap
+  sim_files
+  suffix
+  eap {
+    ok = return
+  }
+  unix
+  files
+  expiration
+  logintime
+  pap
+}
+
+authenticate {
+  Auth-Type PAP {
+    pap
+  }
+  Auth-Type CHAP {
+    chap
+  }
+  Auth-Type MS-CHAP {
+    mschap
+  }
+  unix
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
new file mode 100644
index 000000000..aaabab89e
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
@@ -0,0 +1,6 @@
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
+228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
+228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
+228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..c167ba940
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
+228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
+228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bccbe5a51
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..944e78ee3
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      local-eap {
+         auth = eap
+         id = 228060123456001@strongswan.org
+         eap_id = 228060123456001 
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat
new file mode 100644
index 000000000..b8b86c875
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat
@@ -0,0 +1,3 @@
+228060123456002,33000000000000000000000000000000,33112244,335566778899AABB
+228060123456002,34000000000000000000000000000000,34112244,345566778899AABB
+228060123456002,35000000000000000000000000000000,35112244,355566778899AABB
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bccbe5a51
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bca5ad39a
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      local-eap {
+         auth = eap
+         id=228060123456002@strongswan.org
+         eap_id=228060123456002
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
index 1eb755354..1eb755354 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7f90207b2
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..396eff5af
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = *@strongswan.org
+      }
+      remote-eap {
+         auth = eap-radius
+         eap_id = %any
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
new file mode 100644
index 000000000..25354d363
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -0,0 +1,4 @@
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+alice::killall radiusd
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
new file mode 100644
index 000000000..a6909c89f
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -0,0 +1,15 @@
+alice::cat /etc/freeradius/clients.conf
+alice::cat /etc/freeradius/eap.conf
+alice::cat /etc/freeradius/proxy.conf
+alice::cat /etc/freeradius/triplets.dat
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
+alice::radiusd
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf
new file mode 100644
index 000000000..678115012
--- /dev/null
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/test.conf
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
+
diff --git a/testing/tests/swanctl/multi-level-ca/evaltest.dat b/testing/tests/swanctl/multi-level-ca/evaltest.dat
index 619f44b08..050a35db3 100644
--- a/testing/tests/swanctl/multi-level-ca/evaltest.dat
+++ b/testing/tests/swanctl/multi-level-ca/evaltest.dat
@@ -4,16 +4,16 @@ moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
 moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
 moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
 moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
-moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
-moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
 dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
 moon:: cat /var/log/daemon.log::selected peer config.*research.*inacceptable::YES
 moon:: cat /var/log/daemon.log::switching to peer config.*sales::YES
 dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
-moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
-moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf
index 89fccff92..e6c90c063 100755
--- a/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf
@@ -24,7 +24,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf
index 0a87ed3b8..5ca7bb541 100755
--- a/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf
@@ -24,7 +24,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
diff --git a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf
index 496c5fdfa..574887d7e 100755
--- a/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf
@@ -19,7 +19,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
@@ -43,7 +42,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
diff --git a/testing/tests/swanctl/multi-level-ca/pretest.dat b/testing/tests/swanctl/multi-level-ca/pretest.dat
index 61ac75d84..4c1be2e14 100644
--- a/testing/tests/swanctl/multi-level-ca/pretest.dat
+++ b/testing/tests/swanctl/multi-level-ca/pretest.dat
@@ -1,8 +1,10 @@
 moon::service charon start 2> /dev/null
 carol::service charon start 2> /dev/null
 dave::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection research
+carol::expect-connection alice
 carol::swanctl --initiate --child alice 2> /dev/null
 carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection alice
 dave::swanctl --initiate --child alice 2> /dev/null
 dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-cert/evaltest.dat b/testing/tests/swanctl/net2net-cert/evaltest.dat
index cdbecd553..48a8857f4 100755
--- a/testing/tests/swanctl/net2net-cert/evaltest.dat
+++ b/testing/tests/swanctl/net2net-cert/evaltest.dat
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
index 2f0fd9da1..b1c005b47 100755
--- a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -18,17 +18,12 @@ connections {
             local_ts  = 10.1.0.0/16 
             remote_ts = 10.2.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
index e4c855621..c3512132f 100755
--- a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -18,17 +18,12 @@ connections {
             local_ts  = 10.2.0.0/16 
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/net2net-cert/pretest.dat b/testing/tests/swanctl/net2net-cert/pretest.dat
index 81410ffc2..b128bef44 100755
--- a/testing/tests/swanctl/net2net-cert/pretest.dat
+++ b/testing/tests/swanctl/net2net-cert/pretest.dat
@@ -2,5 +2,6 @@ moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
 moon::service charon start 2> /dev/null
 sun::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
 moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-pubkey/description.txt b/testing/tests/swanctl/net2net-pubkey/description.txt
new file mode 100644
index 000000000..1cb90f13f
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>raw RSA keys</b> loaded in PKCS#1 format.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/net2net-pubkey/evaltest.dat b/testing/tests/swanctl/net2net-pubkey/evaltest.dat
new file mode 100644
index 000000000..849117652
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/evaltest.dat
@@ -0,0 +1,5 @@
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..531e286ce
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/moonPub.pem
new file mode 100644
index 000000000..94fadce57
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/moonPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz
+pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB
+r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x
+vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL
+0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy
+YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47
+nwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/sunPub.pem b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/sunPub.pem
new file mode 100644
index 000000000..5254ed164
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/pubkey/sunPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyIgBH1KWzMMmEYS1Gr1
+4IUBg120vdsLuNwQuzu22qIHnWIBSB2L0lkLOBY0AYd3wi9ENXnb0MOJTFfE5YJ1
+gpSZCnS3m9HqgTmmYeZ3mVxSC4TJWu2oVKvosxSo5fAVvjVVQ089HtjIsx2BR/0q
+LQ9lZ2dUtUSn9kohjU5qpktOfJ9XuTQj9dBfa5bpQMJoLUBAGWPMR+sPaBRwb34U
+ulvmoOyIZTKGEsH6czUY0+dm8iUKmkP7S3fEQjzv56Dk3zrJcFy7ij87uu9Wk/Xs
+auHAq5jHREcMFJwEOj9ZE0Q6ufz9D2NBSWvLTr7QKFVhj5HfbyUcAGRqgf+sHrkl
+IQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..08bc9380b
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2 
+
+      local {
+         auth = pubkey 
+         pubkeys = moonPub.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         pubkeys = sunPub.pem
+         id = sun.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16 
+            remote_ts = 10.2.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..531e286ce
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default vici updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/moonPub.pem
new file mode 100644
index 000000000..94fadce57
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/moonPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz
+pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB
+r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x
+vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL
+0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy
+YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47
+nwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/sunPub.pem b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/sunPub.pem
new file mode 100644
index 000000000..5254ed164
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/pubkey/sunPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyIgBH1KWzMMmEYS1Gr1
+4IUBg120vdsLuNwQuzu22qIHnWIBSB2L0lkLOBY0AYd3wi9ENXnb0MOJTFfE5YJ1
+gpSZCnS3m9HqgTmmYeZ3mVxSC4TJWu2oVKvosxSo5fAVvjVVQ089HtjIsx2BR/0q
+LQ9lZ2dUtUSn9kohjU5qpktOfJ9XuTQj9dBfa5bpQMJoLUBAGWPMR+sPaBRwb34U
+ulvmoOyIZTKGEsH6czUY0+dm8iUKmkP7S3fEQjzv56Dk3zrJcFy7ij87uu9Wk/Xs
+auHAq5jHREcMFJwEOj9ZE0Q6ufz9D2NBSWvLTr7QKFVhj5HfbyUcAGRqgf+sHrkl
+IQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..e61450928
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey 
+         pubkeys = sunPub.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         pubkeys = moonPub.pem
+         id = moon.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16 
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/net2net-pubkey/posttest.dat b/testing/tests/swanctl/net2net-pubkey/posttest.dat
new file mode 100644
index 000000000..c2227a5dd
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/posttest.dat
@@ -0,0 +1,7 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pubkey/*
+sun::rm /etc/swanctl/pubkey/*
diff --git a/testing/tests/swanctl/net2net-pubkey/pretest.dat b/testing/tests/swanctl/net2net-pubkey/pretest.dat
new file mode 100644
index 000000000..11e7d5092
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/pretest.dat
@@ -0,0 +1,8 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::cd /etc/swanctl; rm x509/* x509ca/*
+moon::cd /etc/swanctl; rm x509/* x509ca/*
+sun::service charon start 2> /dev/null
+moon::service charon start 2> /dev/null
+moon::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/swanctl/net2net-pubkey/test.conf b/testing/tests/swanctl/net2net-pubkey/test.conf
new file mode 100644
index 000000000..07a3b247a
--- /dev/null
+++ b/testing/tests/swanctl/net2net-pubkey/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-route/evaltest.dat b/testing/tests/swanctl/net2net-route/evaltest.dat
index 04df90bea..ae292c165 100755
--- a/testing/tests/swanctl/net2net-route/evaltest.dat
+++ b/testing/tests/swanctl/net2net-route/evaltest.dat
@@ -1,7 +1,7 @@
 moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
 moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8] === 10.2.0.10/32\[icmp/8]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
index 1dfcfd179..3de6edcb6 100755
--- a/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
@@ -20,15 +20,11 @@ connections {
 
             start_action = trap 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
index e4c855621..5a9cd1308 100755
--- a/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
@@ -20,15 +20,11 @@ connections {
 
             start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/net2net-route/pretest.dat b/testing/tests/swanctl/net2net-route/pretest.dat
index 065d38d76..459879bbc 100755
--- a/testing/tests/swanctl/net2net-route/pretest.dat
+++ b/testing/tests/swanctl/net2net-route/pretest.dat
@@ -2,5 +2,6 @@ sun::iptables-restore < /etc/iptables.rules
 moon::iptables-restore < /etc/iptables.rules
 sun::service charon start 2> /dev/null
 moon::service charon start 2> /dev/null
-moon::sleep 1
-alice::ping -c 3 10.2.0.10
+sun::expect-connection gw-gw
+moon::expect-connection gw-gw
+alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff --git a/testing/tests/swanctl/net2net-start/evaltest.dat b/testing/tests/swanctl/net2net-start/evaltest.dat
index cdbecd553..48a8857f4 100755
--- a/testing/tests/swanctl/net2net-start/evaltest.dat
+++ b/testing/tests/swanctl/net2net-start/evaltest.dat
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf
index 6770f6ab7..0713e7d25 100755
--- a/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf
@@ -20,15 +20,11 @@ connections {
 
             start_action = start 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf
index e4c855621..5a9cd1308 100755
--- a/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf
@@ -20,15 +20,11 @@ connections {
 
             start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/net2net-start/pretest.dat b/testing/tests/swanctl/net2net-start/pretest.dat
index e4198365f..6c1783b74 100755
--- a/testing/tests/swanctl/net2net-start/pretest.dat
+++ b/testing/tests/swanctl/net2net-start/pretest.dat
@@ -2,4 +2,4 @@ sun::iptables-restore < /etc/iptables.rules
 moon::iptables-restore < /etc/iptables.rules
 sun::service charon start 2> /dev/null
 moon::service charon start 2> /dev/null
-moon::sleep 1
+moon::sleep 0.5
diff --git a/testing/tests/swanctl/ocsp-multi-level/evaltest.dat b/testing/tests/swanctl/ocsp-multi-level/evaltest.dat
index 48776c47c..2f3c34622 100644
--- a/testing/tests/swanctl/ocsp-multi-level/evaltest.dat
+++ b/testing/tests/swanctl/ocsp-multi-level/evaltest.dat
@@ -1,8 +1,8 @@
-moon:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.research.strongswan.org::YES
-moon:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.sales.strongswan.org::YES
-moon:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.strongswan.org::YES
-carol::swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.strongswan.org::YES
-dave:: swanctl --list-certs --type X509_OCSP_RESPONSE 2> /dev/null::subject.*ocsp.strongswan.org::YES
+moon:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.research.strongswan.org::YES
+moon:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.sales.strongswan.org::YES
+moon:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.strongswan.org::YES
+carol::swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.strongswan.org::YES
+dave:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.strongswan.org::YES
 moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.research.strongswan.org::YES
 moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.sales.strongswan.org::YES
 moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
@@ -11,16 +11,16 @@ dave:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongsw
 moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
 dave:: cat /var/log/daemon.log::certificate status is good::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
-moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
-moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
 dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
 moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
 moon:: cat /var/log/daemon.log::selected peer config.*research.*inacceptable::YES
 moon:: cat /var/log/daemon.log::switching to peer config.*sales::YES
 dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
-moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
-moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf
index 26c3a898e..7867fde45 100755
--- a/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf
@@ -24,7 +24,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf
index 8752e9bc8..0c305210e 100755
--- a/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf
@@ -24,7 +24,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
diff --git a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf
index 2cb05013d..c5beb2cde 100755
--- a/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf
@@ -19,7 +19,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
@@ -43,7 +42,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
diff --git a/testing/tests/swanctl/ocsp-multi-level/pretest.dat b/testing/tests/swanctl/ocsp-multi-level/pretest.dat
index 61ac75d84..7b83e219d 100644
--- a/testing/tests/swanctl/ocsp-multi-level/pretest.dat
+++ b/testing/tests/swanctl/ocsp-multi-level/pretest.dat
@@ -1,8 +1,10 @@
 moon::service charon start 2> /dev/null
 carol::service charon start 2> /dev/null
 dave::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection research
+carol::expect-connection home
 carol::swanctl --initiate --child alice 2> /dev/null
 carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection home
 dave::swanctl --initiate --child alice 2> /dev/null
 dave::swanctl --initiate --child venus 2> /dev/null
diff --git a/testing/tests/swanctl/protoport-dual/description.txt b/testing/tests/swanctl/protoport-dual/description.txt
new file mode 100644
index 000000000..35c5b3967
--- /dev/null
+++ b/testing/tests/swanctl/protoport-dual/description.txt
@@ -0,0 +1,7 @@
+Using <b>[&lt;protocol&gt;/&lt;port&gt;]</b> selectors in the
+<b>local_ts</b> and <b>remote_ts</b> child parameters, two IPsec tunnels
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are defined.
+The first CHILD_SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections. The established tunnels are tested
+by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and
+then setting up an SSH session to the same client.
diff --git a/testing/tests/swanctl/protoport-dual/evaltest.dat b/testing/tests/swanctl/protoport-dual/evaltest.dat
new file mode 100644
index 000000000..a471d1db0
--- /dev/null
+++ b/testing/tests/swanctl/protoport-dual/evaltest.dat
@@ -0,0 +1,7 @@
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cf4d0cf1
--- /dev/null
+++ b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c33f05cba
--- /dev/null
+++ b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         icmp {
+            local_ts  = dynamic[icmp]
+            remote_ts = 10.1.0.0/16[icmp]
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+         ssh {
+            local_ts  = dynamic[tcp]
+            remote_ts = 10.1.0.0/16[tcp/ssh]
+            
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1065d9ab0
--- /dev/null
+++ b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..71d709958
--- /dev/null
+++ b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         icmp {
+            local_ts  = 10.1.0.0/16[icmp]
+            remote_ts = dynamic[icmp]
+
+            hostaccess = yes
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+         ssh {
+            local_ts  = 10.1.0.0/16[tcp/ssh]
+            remote_ts = dynamic[tcp]
+
+            hostaccess = yes
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/protoport-dual/posttest.dat b/testing/tests/swanctl/protoport-dual/posttest.dat
new file mode 100644
index 000000000..2fc2bbb75
--- /dev/null
+++ b/testing/tests/swanctl/protoport-dual/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/protoport-dual/pretest.dat b/testing/tests/swanctl/protoport-dual/pretest.dat
new file mode 100644
index 000000000..0e8e43390
--- /dev/null
+++ b/testing/tests/swanctl/protoport-dual/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+carol::expect-connection icmp
+carol::expect-connection ssh
+carol::swanctl --initiate --child icmp 2> /dev/null
+carol::swanctl --initiate --child ssh 2> /dev/null
diff --git a/testing/tests/swanctl/protoport-dual/test.conf b/testing/tests/swanctl/protoport-dual/test.conf
new file mode 100644
index 000000000..307c7e9cc
--- /dev/null
+++ b/testing/tests/swanctl/protoport-dual/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/protoport-range/description.txt b/testing/tests/swanctl/protoport-range/description.txt
new file mode 100644
index 000000000..b24382204
--- /dev/null
+++ b/testing/tests/swanctl/protoport-range/description.txt
@@ -0,0 +1,7 @@
+Using <b>[&lt;protocol&gt;/&lt;port&gt;]</b> selectors in the
+<b>local_ts</b> and <b>remote_ts</b> child parameters, three IPsec tunnels
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are defined.
+The first CHILD_SA is restricted to ICMP request packets, the second
+covers ICMP reply pachets and the third TCP-based FTP and SSH connections.
+The established tunnels are tested by <b>carol</b> by first pinging <b>alice</b>
+behind <b>moon</b> and then setting up an SSH session to the same client.
diff --git a/testing/tests/swanctl/protoport-range/evaltest.dat b/testing/tests/swanctl/protoport-range/evaltest.dat
new file mode 100644
index 000000000..89caa9bd1
--- /dev/null
+++ b/testing/tests/swanctl/protoport-range/evaltest.dat
@@ -0,0 +1,7 @@
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp/8]] remote-ts=\[10.1.0.0/16\[icmp/8]].*icmp-rep.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp/0]] remote-ts=\[10.1.0.0/16\[icmp/0]].*ftp-ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32\[tcp/32768-65535]] remote-ts=\[10.1.0.0/16\[tcp/21-22]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp/8]] remote-ts=\[192.168.0.100/32\[icmp/8]].*icmp-rep.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp/0]] remote-ts=\[192.168.0.100/32\[icmp/0]].*ftp-ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16\[tcp/21-22]] remote-ts=\[192.168.0.100/32\[tcp/32768-65535]]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cf4d0cf1
--- /dev/null
+++ b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..441417274
--- /dev/null
+++ b/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,42 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         icmp-req {
+            local_ts  = dynamic[icmp/2048]
+            remote_ts = 10.1.0.0/16[icmp/2048]
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+         icmp-rep {
+            local_ts  = dynamic[icmp/0]
+            remote_ts = 10.1.0.0/16[icmp/0]
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+         ftp-ssh {
+            local_ts  = dynamic[tcp/32768-65535]
+            remote_ts = 10.1.0.0/16[tcp/21-22]
+            
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1065d9ab0
--- /dev/null
+++ b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..c5a2a7150
--- /dev/null
+++ b/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,43 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         icmp-req {
+            local_ts  = 10.1.0.0/16[icmp/2048]
+            remote_ts = dynamic[icmp/2048]
+
+            hostaccess = yes
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+         icmp-rep {
+            local_ts  = 10.1.0.0/16[icmp/0]
+            remote_ts = dynamic[icmp/0]
+
+            hostaccess = yes
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+         ftp-ssh {
+            local_ts  = 10.1.0.0/16[tcp/21-22]
+            remote_ts = dynamic[tcp/32768-65535]
+
+            hostaccess = yes
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/protoport-range/posttest.dat b/testing/tests/swanctl/protoport-range/posttest.dat
new file mode 100644
index 000000000..2fc2bbb75
--- /dev/null
+++ b/testing/tests/swanctl/protoport-range/posttest.dat
@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/protoport-range/pretest.dat b/testing/tests/swanctl/protoport-range/pretest.dat
new file mode 100644
index 000000000..7e864f514
--- /dev/null
+++ b/testing/tests/swanctl/protoport-range/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+carol::expect-connection icmp-req
+carol::expect-connection icmp-rep
+carol::expect-connection ftp-ssh
+carol::swanctl --initiate --child icmp-req 2> /dev/null
+carol::swanctl --initiate --child icmp-rep 2> /dev/null
+carol::swanctl --initiate --child ftp-ssh 2> /dev/null
diff --git a/testing/tests/swanctl/protoport-range/test.conf b/testing/tests/swanctl/protoport-range/test.conf
new file mode 100644
index 000000000..307c7e9cc
--- /dev/null
+++ b/testing/tests/swanctl/protoport-range/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-cert/evaltest.dat b/testing/tests/swanctl/rw-cert/evaltest.dat
index ee3fb76b4..09bc82bf1 100755
--- a/testing/tests/swanctl/rw-cert/evaltest.dat
+++ b/testing/tests/swanctl/rw-cert/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem
new file mode 100644
index 000000000..1454ec54c
--- /dev/null
+++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
+
+1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
+/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
+/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
+Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
+f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
+LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
+06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
+e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
+3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
+sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
+c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
+UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
+XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
+iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
+Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
+v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
+t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
+8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
+jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
+p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
+7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
+GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
+4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
+yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
++85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
index 0ba243300..6cdc7bdf5 100755
--- a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -17,16 +17,19 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   rsa-carol {
+      file = carolKey.pem
+      secret = "nH5ZQEWtku0RJEZ6"
    }
 }
diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
index a3420a479..e65ec7a18 100755
--- a/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
@@ -17,16 +17,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
index 861d65ab6..a3c51c889 100755
--- a/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -15,16 +15,11 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
diff --git a/testing/tests/swanctl/rw-cert/pretest.dat b/testing/tests/swanctl/rw-cert/pretest.dat
index 706bd1edd..762c35418 100755
--- a/testing/tests/swanctl/rw-cert/pretest.dat
+++ b/testing/tests/swanctl/rw-cert/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::service charon start 2> /dev/null
 carol::service charon start 2> /dev/null
 dave::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
 dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-dnssec/description.txt b/testing/tests/swanctl/rw-dnssec/description.txt
new file mode 100644
index 000000000..0135f078c
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
+resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
+</p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
+and <b>dave1</b>, respectively.
diff --git a/testing/tests/swanctl/rw-dnssec/evaltest.dat b/testing/tests/swanctl/rw-dnssec/evaltest.dat
new file mode 100644
index 000000000..679233471
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7913dafc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+    unbound {
+      trust_anchors = /etc/swanctl/dnssec.keys
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/pubkey/carolPub.der b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/pubkey/carolPub.der
new file mode 100644
index 000000000..0c1140d3e
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/pubkey/carolPub.der
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2d14b32c5
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         id = carol.strongswan.org
+         pubkeys = carolPub.der
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..7913dafc1
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+    unbound {
+      trust_anchors = /etc/swanctl/dnssec.keys
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/pubkey/davePub.der b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/pubkey/davePub.der
new file mode 100644
index 000000000..fc36c6567
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/pubkey/davePub.der
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ba511a496
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         id = dave.strongswan.org
+         pubkeys = davePub.der
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9eafa0ded
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey gmp hmac vici kernel-netlink socket-default updown attr
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds
+    pools = /usr/local/sbin/swanctl --load-pools 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+    unbound {
+      trust_anchors = /etc/swanctl/dnssec.keys
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/pubkey/moonPub.der b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/pubkey/moonPub.der
new file mode 100644
index 000000000..672473596
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/pubkey/moonPub.der
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..33c417063
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+      pools = rw_pool
+
+      local {
+         auth = pubkey
+         id = moon.strongswan.org
+         pubkeys = moonPub.der
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+pools {
+   rw_pool {
+      addrs = 10.3.0.0/28
+   }
+}
diff --git a/testing/tests/swanctl/rw-dnssec/posttest.dat b/testing/tests/swanctl/rw-dnssec/posttest.dat
new file mode 100644
index 000000000..48a4abe78
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/posttest.dat
@@ -0,0 +1,11 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::rm /etc/swanctl/pubkey/*
+carol::rm /etc/swanctl/pubkey/*
+dave::rm /etc/swanctl/pubkey/*
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-dnssec/pretest.dat b/testing/tests/swanctl/rw-dnssec/pretest.dat
new file mode 100644
index 000000000..5faf602fc
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm x509/* x509ca/*
+carol::cd /etc/swanctl; rm x509/* x509ca/*
+dave::cd /etc/swanctl; rm x509/* x509ca/*
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-dnssec/test.conf b/testing/tests/swanctl/rw-dnssec/test.conf
new file mode 100644
index 000000000..a542d037e
--- /dev/null
+++ b/testing/tests/swanctl/rw-dnssec/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-hash-and-url/evaltest.dat b/testing/tests/swanctl/rw-hash-and-url/evaltest.dat
index 5242db17c..5286ffeb3 100755
--- a/testing/tests/swanctl/rw-hash-and-url/evaltest.dat
+++ b/testing/tests/swanctl/rw-hash-and-url/evaltest.dat
@@ -2,10 +2,10 @@ carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
 dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
 moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
index 7b0b2adba..401b9fa49 100755
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
@@ -17,17 +17,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
index b4d82096a..b1e734def 100755
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
@@ -17,17 +17,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
index 258d9e87c..f8931756d 100755
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
@@ -15,17 +15,12 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
diff --git a/testing/tests/swanctl/rw-hash-and-url/pretest.dat b/testing/tests/swanctl/rw-hash-and-url/pretest.dat
index 706bd1edd..762c35418 100755
--- a/testing/tests/swanctl/rw-hash-and-url/pretest.dat
+++ b/testing/tests/swanctl/rw-hash-and-url/pretest.dat
@@ -4,6 +4,8 @@ dave::iptables-restore < /etc/iptables.rules
 moon::service charon start 2> /dev/null
 carol::service charon start 2> /dev/null
 dave::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
 dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-ntru-bliss/description.txt b/testing/tests/swanctl/rw-ntru-bliss/description.txt
new file mode 100644
index 000000000..82ebd89ad
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/description.txt
@@ -0,0 +1,14 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
+192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on the BLISS
+algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
+<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
+<p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload.
+The gateway <b>moon</b> assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously
+increasing order. 
+<p>
+The updown script automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat b/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat
new file mode 100644
index 000000000..69149cdb4
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/evaltest.dat
@@ -0,0 +1,18 @@
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NTRU_128.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=NTRU_192.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1a8d3625e
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+
+  send_vendor_id = yes
+  fragment_size = 1500
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der
new file mode 100644
index 000000000..b2831a8ed
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..fbfe57d21
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = carolCert.der
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128-sha256-ntru128
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ntru128
+      fragmentation = yes
+   }
+}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509/carolCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509/carolCert.der
new file mode 100644
index 000000000..8a520c0b4
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509/carolCert.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der
new file mode 100644
index 000000000..fdfd39f13
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..1a8d3625e
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+
+  send_vendor_id = yes
+  fragment_size = 1500
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der
new file mode 100644
index 000000000..0ec528ddf
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..ec04538ef
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,30 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = daveCert.der
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes192-sha384-ntru192
+         }
+      }
+      version = 2
+      proposals = aes192-sha384-ntru192
+      fragmentation = yes
+   }
+}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509/daveCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509/daveCert.der
new file mode 100644
index 000000000..75a114339
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509/daveCert.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der
new file mode 100644
index 000000000..fdfd39f13
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ec18f448c
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+
+  send_vendor_id = yes
+  fragment_size = 1500
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds
+    pools = /usr/local/sbin/swanctl --load-pools 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der
new file mode 100644
index 000000000..c989f91e5
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2e1ae8dbc
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+      pools = rw_pool
+
+      local {
+         auth = bliss-sha512 
+         certs = moonCert.der
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128-sha256-ntru128,aes192-sha384-ntru192
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ntru128,aes192-sha384-ntru192
+      fragmentation = yes
+   }
+}
+
+pools {
+   rw_pool {
+      addrs = 10.3.0.0/28
+   }
+}
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509/moonCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509/moonCert.der
new file mode 100644
index 000000000..d0ea364b0
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509/moonCert.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der
new file mode 100644
index 000000000..fdfd39f13
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/posttest.dat b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat
new file mode 100644
index 000000000..58d5b8675
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/posttest.dat
@@ -0,0 +1,9 @@
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::cd /etc/swanctl;  rm bliss/* x509/moonCert.der  x509ca/strongswan_blissCert.der
+carol::cd /etc/swanctl; rm bliss/* x509/carolCert.der x509ca/strongswan_blissCert.der
+dave::cd /etc/swanctl;  rm bliss/* x509/daveCert.der  x509ca/strongswan_blissCert.der
diff --git a/testing/tests/swanctl/rw-ntru-bliss/pretest.dat b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat
new file mode 100644
index 000000000..a550a2f6d
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl;  rm rsa/* x509/moonCert.pem  x509ca/strongswanCert.pem
+carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem
+dave::cd /etc/swanctl;  rm rsa/* x509/daveCert.pem  x509ca/strongswanCert.pem
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-ntru-bliss/test.conf b/testing/tests/swanctl/rw-ntru-bliss/test.conf
new file mode 100644
index 000000000..a542d037e
--- /dev/null
+++ b/testing/tests/swanctl/rw-ntru-bliss/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
index bb5e08bf4..a184ee997 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
index c113620b3..9bf759ee3 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
@@ -16,17 +16,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
index 928fd04c0..1f2beefef 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
@@ -16,17 +16,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
index 8cae3e820..7138b5d4a 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
@@ -14,17 +14,12 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat
index d55df408c..519b168ae 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/swanctl/rw-psk-fqdn/pretest.dat
@@ -7,6 +7,8 @@ dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
 moon::service charon start 2> /dev/null
 carol::service charon start 2> /dev/null
 dave::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
 dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-ikev1/description.txt b/testing/tests/swanctl/rw-psk-ikev1/description.txt
new file mode 100755
index 000000000..73aac6fe6
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The IKEv1 main mode authentication is based on
+<b>pre-shared keys</b> and <b>IPv4 address</b> identities.
+On the gateway two connections with differing parameters are defined:
+One for peers from the <b>192.168.0.96/28</b> subnet and one for peers from
+the range <b>192.168.0.150-192.168.0.200</b>.
+<p/>
+On the gateway for different shared keys are defined for the following
+hierarchcal peer address ranges: <b>0.0.0.0/0 0::0/0</b>,
+<b>192.168.0.96/28</b>, <b>192.168.0.150-192.168.0.200</b> and
+<b>192.168.0.200</b>. Client <b>carol</b> uses the first and client <b>dave</b>
+the fourth PSK.
+<p/>
+Upon the successful establishment of the IPsec tunnels, <b>carol</b> pings the
+client <b>alice</b> and <b>dave</b> the client <b>venus</b> lying in two different
+subnets behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat
new file mode 100755
index 000000000..96d74c877
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat
@@ -0,0 +1,14 @@
+dave::cat /var/log/daemon.log::updown approximates remote TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
+moon::cat /var/log/daemon.log::updown approximates local TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
+venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
+alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::NO
+venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::NO
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32]
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..8c0f03f0a
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      cfg = 1 
+      ike = 1 
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..dcfcd0b4e
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = psk
+      }
+      remote {
+         auth = psk
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/28 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp2048
+         }
+      }
+      version = 1
+      proposals = aes128-sha256-modp2048
+   }
+}
+
+secrets {
+
+   ike-moon {
+      id = 192.168.0.1
+      # hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+      secret = 0x16964066a10de938bdb2ab7864fe4459cab1
+   }
+}
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..df1424dde
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      cfg = 1
+      ike = 1 
+    }
+  }
+}
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..8cd79ea20
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = psk 
+      }
+      remote {
+         auth = psk 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.17-10.1.0.20
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes192gcm128-modp3072
+         }
+      }
+      version = 1 
+      proposals = aes192-sha384-modp3072
+   }
+}
+
+secrets {
+
+   ike-moon {
+      id = 192.168.0.1
+      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+   }
+}
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..5f2190192
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      cfg = 1 
+      ike = 1 
+    }
+  }   
+}
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..be1bf8afe
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,67 @@
+connections {
+
+   rw-1 {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.96/28
+
+      local {
+         auth = psk 
+      }
+      remote {
+         auth = psk 
+      }
+      children {
+         net-1 {
+            local_ts  = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp2048
+         }
+      }
+      version = 1 
+      proposals = aes128-sha256-modp2048
+   }
+
+   rw-2 {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.150-192.168.0.200
+
+      local {
+         auth = psk
+      }
+      remote {
+         auth = psk
+      }
+      children {
+         net-2 {
+            local_ts  = 10.1.0.17-10.1.0.20
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes192gcm128-modp3072
+         }
+      }
+      version = 1
+      proposals = aes192-sha384-modp3072
+   }
+}
+
+
+secrets {
+
+   ike-any {
+      id = 0.0.0.0/0 0::0/0
+      secret = 0soBAJZLI7Bwwi61Rl113FqD/3
+   }
+   ike-rw-1 {
+      id = 192.168.0.96/28
+      secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+   }
+   ike-rw-2 {
+      id = 192.168.0.150-192.168.0.200
+      secret = 0s8qPdxyhDeGfk1l211cS8urXc
+   }
+   ike-dave {
+      id = 192.168.0.200
+      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
+   }
+}
diff --git a/testing/tests/swanctl/rw-psk-ikev1/posttest.dat b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat
new file mode 100755
index 000000000..d7107ccc6
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-psk-ikev1/pretest.dat b/testing/tests/swanctl/rw-psk-ikev1/pretest.dat
new file mode 100755
index 000000000..3393f516d
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+carol::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection net-1
+moon::expect-connection net-2 
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-psk-ikev1/test.conf b/testing/tests/swanctl/rw-psk-ikev1/test.conf
new file mode 100755
index 000000000..b8048b4a0
--- /dev/null
+++ b/testing/tests/swanctl/rw-psk-ikev1/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
index 142e88e61..7acb15a3a 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=192.168.0.100 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=192.168.0.200 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.100 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.200 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
index bd00fc32c..8b3863bb6 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
@@ -16,17 +16,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
index b30790b46..83f3c0a7a 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
@@ -16,17 +16,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
index 098b3c0ab..9b4f7cea2 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
@@ -13,17 +13,12 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat
index d55df408c..519b168ae 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/swanctl/rw-psk-ipv4/pretest.dat
@@ -7,6 +7,8 @@ dave::cd /etc/swanctl; rm rsa/* x509/* x509ca/*
 moon::service charon start 2> /dev/null
 carol::service charon start 2> /dev/null
 dave::service charon start 2> /dev/null
-moon::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
 dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-pubkey-anon/description.txt b/testing/tests/swanctl/rw-pubkey-anon/description.txt
new file mode 100755
index 000000000..4ccc06aaf
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>raw public keys</b>
+and IKEv2 key IDs. Gateway <b>moon</b> accepts all peers possessing a
+public key a copy of which is stored in the <b>/etc/swanctl/pubkey</b> directory.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat b/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat
new file mode 100755
index 000000000..f0cd34c86
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/evaltest.dat
@@ -0,0 +1,10 @@
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=0d:36:.*:cc:90 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=67:f6:.*:40:80 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.100 remote-port=4500 remote-id=0d:36:.*:cc:90.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.200 remote-port=4500 remote-id=67:f6:.*:40:80.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..dc166b588
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 pubkey openssl random 
+}
+
+charon {
+  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/carolPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/carolPub.pem
new file mode 100644
index 000000000..8fdc45a70
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/carolPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/PUNxfK3+w4AuLUhn9F
+y49rmb7h+JJJPbBVZauXDeFSN6LAt+Cguu0poZfiL4C3zZmiXaZ1sRcWk772rFeW
+I/a7R97Go/iYG5m6zcQsDzYQ4vSVDZqECLw7epp+QMwFKC+h4mkTA17TRSCHneDu
+FPt3Dy1KBw8apCRa60ggpP1Pp78dsc2NG1iXD1mUeynyBJiOD9Dq9Xqh+2254xQP
+01G/zDZjvqudFGZQZ/caU0UWaDFme0IlG5iW2fFXtVwIWimnJq5i398+aMDFs9G6
+EcppyfMjOrzcjF/l9KMxOWW4YJ9YVf80YQ1dqYGoKGREsea4Ic17HFGn2zYXVLXS
+EQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/moonPub.pem
new file mode 100644
index 000000000..94fadce57
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/pubkey/moonPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz
+pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB
+r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x
+vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL
+0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy
+YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47
+nwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem
new file mode 100644
index 000000000..1454ec54c
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/rsa/carolKey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
+
+1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
+/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
+/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
+Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
+f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
+LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
+06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
+e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
+3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
+sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
+c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
+UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
+XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
+iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
+Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
+v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
+t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
+8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
+jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
+p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
+7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
+GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
+4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
+yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
++85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f1a074fed
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         pubkeys = carolPub.pem
+      }
+      remote {
+         auth = pubkey
+         pubkeys = moonPub.pem 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   rsa-carol {
+      file = carolKey.pem
+      secret = "nH5ZQEWtku0RJEZ6"
+   }
+}
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..dc166b588
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 pubkey openssl random 
+}
+
+charon {
+  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/davePub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/davePub.pem
new file mode 100644
index 000000000..154ac5034
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/davePub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jzcTcWEzV+14gWt0dJC
+Ew8ZYpfWCD4lTz0grXvhf+T9gMHx9vx3SiZvAq+CBTuTkpsBydpUEbQC9GZv6qRd
+1FmIQCUk6pHZit+UH44w3tuc+YNB6QjT1PMMm31rULX14jGZQnaHYN4MASfGumnX
+CwqdYF3jwx5iGOQAStGHHwDxmUFuR3IZAkP7Lwa2nSJZLivPxqIZDS9hL4/0NWQw
+ltsaGXZqrBVj4Xffn/8tUbbjj7LNdN/WjxovA+XX48dyBq834zvrpjduojlgeCHY
+IQlMJoF/jOihMFJDpOvVxDkH/9XnX0nXH+6H//YKkRBdsVgWJTeQuZNM/P2lyZ5W
+QwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/moonPub.pem
new file mode 100644
index 000000000..94fadce57
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/pubkey/moonPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz
+pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB
+r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x
+vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL
+0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy
+YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47
+nwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4383ab850
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         pubkeys = davePub.pem
+      }
+      remote {
+         auth = pubkey
+         pubkeys = moonPub.pem
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..720e903c9
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/carolPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/carolPub.pem
new file mode 100644
index 000000000..8fdc45a70
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/carolPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/PUNxfK3+w4AuLUhn9F
+y49rmb7h+JJJPbBVZauXDeFSN6LAt+Cguu0poZfiL4C3zZmiXaZ1sRcWk772rFeW
+I/a7R97Go/iYG5m6zcQsDzYQ4vSVDZqECLw7epp+QMwFKC+h4mkTA17TRSCHneDu
+FPt3Dy1KBw8apCRa60ggpP1Pp78dsc2NG1iXD1mUeynyBJiOD9Dq9Xqh+2254xQP
+01G/zDZjvqudFGZQZ/caU0UWaDFme0IlG5iW2fFXtVwIWimnJq5i398+aMDFs9G6
+EcppyfMjOrzcjF/l9KMxOWW4YJ9YVf80YQ1dqYGoKGREsea4Ic17HFGn2zYXVLXS
+EQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/davePub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/davePub.pem
new file mode 100644
index 000000000..154ac5034
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/davePub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jzcTcWEzV+14gWt0dJC
+Ew8ZYpfWCD4lTz0grXvhf+T9gMHx9vx3SiZvAq+CBTuTkpsBydpUEbQC9GZv6qRd
+1FmIQCUk6pHZit+UH44w3tuc+YNB6QjT1PMMm31rULX14jGZQnaHYN4MASfGumnX
+CwqdYF3jwx5iGOQAStGHHwDxmUFuR3IZAkP7Lwa2nSJZLivPxqIZDS9hL4/0NWQw
+ltsaGXZqrBVj4Xffn/8tUbbjj7LNdN/WjxovA+XX48dyBq834zvrpjduojlgeCHY
+IQlMJoF/jOihMFJDpOvVxDkH/9XnX0nXH+6H//YKkRBdsVgWJTeQuZNM/P2lyZ5W
+QwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/moonPub.pem
new file mode 100644
index 000000000..94fadce57
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/moonPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz
+pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB
+r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x
+vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL
+0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy
+YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47
+nwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/sunPub.pem b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/sunPub.pem
new file mode 100644
index 000000000..5254ed164
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/pubkey/sunPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyIgBH1KWzMMmEYS1Gr1
+4IUBg120vdsLuNwQuzu22qIHnWIBSB2L0lkLOBY0AYd3wi9ENXnb0MOJTFfE5YJ1
+gpSZCnS3m9HqgTmmYeZ3mVxSC4TJWu2oVKvosxSo5fAVvjVVQ089HtjIsx2BR/0q
+LQ9lZ2dUtUSn9kohjU5qpktOfJ9XuTQj9dBfa5bpQMJoLUBAGWPMR+sPaBRwb34U
+ulvmoOyIZTKGEsH6czUY0+dm8iUKmkP7S3fEQjzv56Dk3zrJcFy7ij87uu9Wk/Xs
+auHAq5jHREcMFJwEOj9ZE0Q6ufz9D2NBSWvLTr7QKFVhj5HfbyUcAGRqgf+sHrkl
+IQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..a068c7f6c
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,24 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         pubkeys = moonPub.pem
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/rw-pubkey-anon/posttest.dat b/testing/tests/swanctl/rw-pubkey-anon/posttest.dat
new file mode 100755
index 000000000..48a4abe78
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/posttest.dat
@@ -0,0 +1,11 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::rm /etc/swanctl/pubkey/*
+carol::rm /etc/swanctl/pubkey/*
+dave::rm /etc/swanctl/pubkey/*
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-pubkey-anon/pretest.dat b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat
new file mode 100755
index 000000000..5faf602fc
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm x509/* x509ca/*
+carol::cd /etc/swanctl; rm x509/* x509ca/*
+dave::cd /etc/swanctl; rm x509/* x509ca/*
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-pubkey-anon/test.conf b/testing/tests/swanctl/rw-pubkey-anon/test.conf
new file mode 100755
index 000000000..1227b9d1c
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-anon/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/description.txt b/testing/tests/swanctl/rw-pubkey-keyid/description.txt
new file mode 100755
index 000000000..e813bbe49
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>raw public keys</b>
+and IKEv2 key IDs.
+<p/>
+Upon the successful establishment of the IPsec tunnels, the updown script
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat b/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat
new file mode 100755
index 000000000..70905de4d
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/evaltest.dat
@@ -0,0 +1,10 @@
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=0d:36:.*:cc:90 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=67:f6:.*:40:80 remote-host=192.168.0.1 remote-port=4500 remote-id=42:91:.*:f7:60 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-carol.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.100 remote-port=4500 remote-id=0d:36:.*:cc:90.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-dave.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=42:91:.*:f7:60 remote-host=192.168.0.200 remote-port=4500 remote-id=67:f6:.*:40:80.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf
new file mode 100755
index 000000000..dc166b588
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 pubkey openssl random 
+}
+
+charon {
+  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/carolPub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/carolPub.pem
new file mode 100644
index 000000000..8fdc45a70
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/carolPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/PUNxfK3+w4AuLUhn9F
+y49rmb7h+JJJPbBVZauXDeFSN6LAt+Cguu0poZfiL4C3zZmiXaZ1sRcWk772rFeW
+I/a7R97Go/iYG5m6zcQsDzYQ4vSVDZqECLw7epp+QMwFKC+h4mkTA17TRSCHneDu
+FPt3Dy1KBw8apCRa60ggpP1Pp78dsc2NG1iXD1mUeynyBJiOD9Dq9Xqh+2254xQP
+01G/zDZjvqudFGZQZ/caU0UWaDFme0IlG5iW2fFXtVwIWimnJq5i398+aMDFs9G6
+EcppyfMjOrzcjF/l9KMxOWW4YJ9YVf80YQ1dqYGoKGREsea4Ic17HFGn2zYXVLXS
+EQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/moonPub.pem
new file mode 100644
index 000000000..94fadce57
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/pubkey/moonPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz
+pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB
+r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x
+vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL
+0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy
+YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47
+nwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem
new file mode 100644
index 000000000..1454ec54c
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/rsa/carolKey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,7E1D40A7901772BA4D22AF58AA2DC76F
+
+1jt4EsxtHvgpSLN8PA/kSVKgoAsBEBQb8RK6VGnZywMCnpJdLKdPisGGYKNPg53b
+/0AFBmQVE60M8icbSAIUrAtyKxaBkoc9A7ibNCjobi0UzXTm3GcZZ1EC4/lE9PQZ
+/2FbcPgQWN3kZraZDkeP9XBXl6PorES8xvQUxJ9pd4hL7/c28fIApGhEimkIZO8o
+Qb7bR2cNCLYQAR6PeDoqhV39gvWoh77wp1WB3tQVbkS6MI/xl3wY2QVdq3Sbszh+
+f6lDU/SZS8BU0f44FRoInPp0GasgJ7MCiuEIshjuNPa50QkMcnNJsSgVEuw2hjN6
+LvAXx7vPt9pKpQfnu7YSJUsXDYN6PyXt7sZ8hDqraYIcI6eMpEBaTpItPSV2eckv
+06KC24Oa66E1yufNFAY49S2OY+pJA0W5zmcCqCjdrfJ+wNQYKZpbrfGz4VRzlFJC
+e3VkmAFwA5rcZdlp/mU2XREy+TaWsHMnpL0NcMHGmsfkTgaJIkRWalrdxlNTeitr
+3boNHWk0ESyMcBYRpM3eNXsGpiYy93u0bhrPbnqJsV6miKqpbs1aBNjlJ9s1Y2fC
+sko5/v7uMjb5tLF3lWQZfTu+bYtpGxFrqHJjhd8yd4gL1cFi30JcjczhwRY3Dily
+c0BFekMGmPc1djn6tfIFu13X9xTxyidCpVaT9UGnOaQs9OF1u8XAnZDaQgPwjLiy
+UlOE8xQ60LrhWLD582FsFnZz56bZ+QOQRWDMsB8nJeqnFXKfcRlnr0qlG6lTfA8h
+XkK/qGpdVvivS+CpbhVP6ixdEfa91Rx4NjLj53LGqOYwFEkM/OAIuMJetBfx3v9T
+iQfv594KE32nv9besnKlmJr2cGQWBYg1pUOtFj/aZ00yuXacv8qwzbrt4xGGDYGO
+Aj5Yf93UEcVkTySO1xJ1yiC6GJv1lLm0i5StwykHypxFijKe/zOpgtHVa5v5igjO
+v6cfhfJGGgIPTYrtt+EDKXcayvy2e2U/3HYVCHYiiMPX8AvP/R6m7MGrzYxm/WyO
+t68EWXSDLfuR3qcIlpP4aSBxuSpKhY/dIkS/beKZ7Njx1s4jSuYDMbKuuCRFSU2H
+8ISHS0kh3FetiS8IyIYzxab+KQZwnVtiGj4oaAhgFTIIoH26Fv5+xka74JdzOSUA
+jR9puKuxaegVWQVBx4cCyg6hAdewRm64PAcbApZWrPvMPBfTZFnXeifmaurcdK8p
+p/1eLrrPnNM6+Fh6lcKdX74yHPz3eWP3K1njZegzWnChhEWElPhJr6qYNQjd+lAS
+7650RJ3CJLUxBffnRR9nTArxFNI5jGWg/plLJTaRT5x5qg1dGNMqntpoeiY++Ttk
+GFDGVIOICBze6SOvzkZBbuXLJSWmWj5g9J2cYsLoOvlwsDT7FzKl8p6VY4V+SQb+
+4PN8qZWmOeczaLEhZ1QLmTKFpz9+wUZsXeBd1s78bWJR0zhraMPa0UJ9GBGq6uQ0
+yZ4Xm5KHKcgoewCUQMekU9ECsmR5NuC7VFDaa1OdPEVnEYR1xtaWUY0lYKOiixnd
++85fSq/yAXI/r0O4ISA55o9y1kDqVibTwJacb6xXGg8dHSH+TtigwD8fK9mekkDC
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f1a074fed
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         pubkeys = carolPub.pem
+      }
+      remote {
+         auth = pubkey
+         pubkeys = moonPub.pem 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   rsa-carol {
+      file = carolKey.pem
+      secret = "nH5ZQEWtku0RJEZ6"
+   }
+}
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf
new file mode 100755
index 000000000..dc166b588
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 pubkey openssl random 
+}
+
+charon {
+  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/davePub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/davePub.pem
new file mode 100644
index 000000000..154ac5034
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/davePub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jzcTcWEzV+14gWt0dJC
+Ew8ZYpfWCD4lTz0grXvhf+T9gMHx9vx3SiZvAq+CBTuTkpsBydpUEbQC9GZv6qRd
+1FmIQCUk6pHZit+UH44w3tuc+YNB6QjT1PMMm31rULX14jGZQnaHYN4MASfGumnX
+CwqdYF3jwx5iGOQAStGHHwDxmUFuR3IZAkP7Lwa2nSJZLivPxqIZDS9hL4/0NWQw
+ltsaGXZqrBVj4Xffn/8tUbbjj7LNdN/WjxovA+XX48dyBq834zvrpjduojlgeCHY
+IQlMJoF/jOihMFJDpOvVxDkH/9XnX0nXH+6H//YKkRBdsVgWJTeQuZNM/P2lyZ5W
+QwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/moonPub.pem
new file mode 100644
index 000000000..94fadce57
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/pubkey/moonPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz
+pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB
+r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x
+vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL
+0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy
+YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47
+nwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..4383ab850
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         pubkeys = davePub.pem
+      }
+      remote {
+         auth = pubkey
+         pubkeys = moonPub.pem
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf
new file mode 100755
index 000000000..720e903c9
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce openssl pem pkcs1 pubkey kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/carolPub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/carolPub.pem
new file mode 100644
index 000000000..8fdc45a70
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/carolPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/PUNxfK3+w4AuLUhn9F
+y49rmb7h+JJJPbBVZauXDeFSN6LAt+Cguu0poZfiL4C3zZmiXaZ1sRcWk772rFeW
+I/a7R97Go/iYG5m6zcQsDzYQ4vSVDZqECLw7epp+QMwFKC+h4mkTA17TRSCHneDu
+FPt3Dy1KBw8apCRa60ggpP1Pp78dsc2NG1iXD1mUeynyBJiOD9Dq9Xqh+2254xQP
+01G/zDZjvqudFGZQZ/caU0UWaDFme0IlG5iW2fFXtVwIWimnJq5i398+aMDFs9G6
+EcppyfMjOrzcjF/l9KMxOWW4YJ9YVf80YQ1dqYGoKGREsea4Ic17HFGn2zYXVLXS
+EQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/davePub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/davePub.pem
new file mode 100644
index 000000000..154ac5034
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/davePub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1jzcTcWEzV+14gWt0dJC
+Ew8ZYpfWCD4lTz0grXvhf+T9gMHx9vx3SiZvAq+CBTuTkpsBydpUEbQC9GZv6qRd
+1FmIQCUk6pHZit+UH44w3tuc+YNB6QjT1PMMm31rULX14jGZQnaHYN4MASfGumnX
+CwqdYF3jwx5iGOQAStGHHwDxmUFuR3IZAkP7Lwa2nSJZLivPxqIZDS9hL4/0NWQw
+ltsaGXZqrBVj4Xffn/8tUbbjj7LNdN/WjxovA+XX48dyBq834zvrpjduojlgeCHY
+IQlMJoF/jOihMFJDpOvVxDkH/9XnX0nXH+6H//YKkRBdsVgWJTeQuZNM/P2lyZ5W
+QwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/moonPub.pem b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/moonPub.pem
new file mode 100644
index 000000000..94fadce57
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/pubkey/moonPub.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApHwF+sUXQdH+WwYzdPMz
+pjuwhGGvHgsmBah1IQsPsddL9gZygerzpTM1vvQ4kbRuvE3SZWLf9uKEbiQV9IAB
+r87L9JAva56EHIAiUMuG8WizVbIKIhQlZc8S2mIwAW0Jc6EmnoJv9j6F/tVD9+6x
+vMJbwHLi0h7BUO9tBVLPy72YeGNBY6Cob4CrOuFOJyACezJ7i9vZ+XzOfnXpu7qL
+0DgYP/n2maPEJGEivTFunkJD/mJ8DecyLTQcchsCj2118BMuf2qjVn4UWPCBBuhy
+YK5wsATB1ANeAtlFfgH+wsuHjZwtTJru05lGHBZ3F2hZ9PO68hVHbIZZj6SB8X47
+nwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..eac4bc1aa
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,20 @@
+connections {
+
+   rw-carol {
+      include swanctl_base.conf
+
+      remote {
+         auth = pubkey
+         pubkeys = carolPub.pem
+      }
+   }
+
+   rw-dave {
+      include swanctl_base.conf
+
+      remote {
+         auth = pubkey
+         pubkeys = davePub.pem
+      }
+   }
+}
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf
new file mode 100755
index 000000000..61e71f873
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -0,0 +1,16 @@
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         pubkeys = moonPub.pem
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat
new file mode 100755
index 000000000..48a4abe78
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/posttest.dat
@@ -0,0 +1,11 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::rm /etc/swanctl/pubkey/*
+carol::rm /etc/swanctl/pubkey/*
+dave::rm /etc/swanctl/pubkey/*
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat b/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat
new file mode 100755
index 000000000..de43d510d
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cd /etc/swanctl; rm x509/* x509ca/*
+carol::cd /etc/swanctl; rm x509/* x509ca/*
+dave::cd /etc/swanctl; rm x509/* x509ca/*
+moon::cat /etc/swanctl/swanctl_base.conf
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw-carol
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/rw-pubkey-keyid/test.conf b/testing/tests/swanctl/rw-pubkey-keyid/test.conf
new file mode 100755
index 000000000..1227b9d1c
--- /dev/null
+++ b/testing/tests/swanctl/rw-pubkey-keyid/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/description.txt b/testing/tests/swanctl/shunt-policies-nat-rw/description.txt
new file mode 100644
index 000000000..b95669dad
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway.  In order to prevent
+local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
+shunt policy with <b>mode = pass</b>.
+<p/>
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat
new file mode 100644
index 000000000..d89eeb6ee
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat
@@ -0,0 +1,14 @@
+alice::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES
+venus::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES
+sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES
+sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..9622bb089
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+  keep_alive = 5
+}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..373f8a76a
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   nat-t {
+      remote_addrs = 192.168.0.2 
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = aliceCert.pem
+         id = alice@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org 
+      }
+      children {
+         nat-t {
+            remote_ts = 0.0.0.0/0 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+
+   local-net {
+
+      children {
+         local-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            mode = pass
+            start_action = trap
+         }
+      }
+   }
+}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..38794af25
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    pools = /usr/local/sbin/swanctl --load-pools
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2f21d4a9b
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,32 @@
+connections {
+
+   nat-t {
+      local_addrs  = 192.168.0.2
+      pools = rw_pool
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         nat-t {
+            local_ts  = 0.0.0.0/0
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+pools {
+   rw_pool {
+      addrs = 10.3.0.0/28
+   }
+}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..9622bb089
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+  keep_alive = 5
+}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..bb9ca080a
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   nat-t {
+      remote_addrs = 192.168.0.2 
+      vips = 0.0.0.0
+
+      local {
+         auth = pubkey
+         certs = venusCert.pem
+         id = venus.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org 
+      }
+      children {
+         nat-t {
+            remote_ts = 0.0.0.0/0 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+
+   local-net {
+
+      children {
+         local-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            mode = pass
+            start_action = trap
+         }
+      }
+   }
+}
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat
new file mode 100644
index 000000000..b02b19357
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/posttest.dat
@@ -0,0 +1,5 @@
+alice::service charon stop 2> /dev/null
+venus::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat
new file mode 100644
index 000000000..d6bc0709e
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/pretest.dat
@@ -0,0 +1,11 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::service charon start 2> /dev/null
+alice::service charon start 2> /dev/null
+venus::service charon start 2> /dev/null
+sun::expect-connection nat-t
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+alice::swanctl --initiate --child nat-t 2> /dev/null
+venus::swanctl --initiate --child nat-t 2> /dev/null
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/test.conf b/testing/tests/swanctl/shunt-policies-nat-rw/test.conf
new file mode 100644
index 000000000..34b0ba165
--- /dev/null
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/xauth-rsa/description.txt b/testing/tests/swanctl/xauth-rsa/description.txt
new file mode 100644
index 000000000..9e78e41b7
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on RSA public key signatures (<b>pubkey</b>) using X.509 certificates
+in the first round followed by extended authentication (<b>xauth</b>) of <b>carol</b> and <b>dave</b>
+based on user names equal to the <b>IKEv1 identity</b> (<b>carol@strongswan.org</b> and
+<b>dave@strongswan.org</b>, respectively) and corresponding <b>XAuth</b> user passwords.
+<p>
+Upon the successful establishment of the IPsec tunnel, automatically inserted iptables-based
+firewall rules let pass the tunneled traffic. In order to test both tunnel and firewall,
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/swanctl/xauth-rsa/evaltest.dat b/testing/tests/swanctl/xauth-rsa/evaltest.dat
new file mode 100644
index 000000000..c50c7fb05
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/evaltest.dat
@@ -0,0 +1,12 @@
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072 established=1.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..2976558fc
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..2d2639ea1
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 1 
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   xauth-carol {
+      id = carol@strongswan.org
+      secret = "4iChxLT3" 
+   }
+}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..2976558fc
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..f3758e387
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,38 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+         id = dave@strongswan.org
+      }
+      local-xauth {
+         auth = xauth
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 1 
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   xauth-dave {
+      id = dave@strongswan.org
+      secret = "ryftzG4A"
+   }
+}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..2976558fc
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation gmp curl xauth-generic kernel-netlink socket-default updown vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..27a880297
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,40 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      remote-xauth {
+         auth = xauth
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 1 
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   xauth-carol {
+      id = carol@strongswan.org
+      secret = "4iChxLT3" 
+   }
+   xauth-dave {
+      id = dave@strongswan.org
+      secret = "ryftzG4A"
+   }
+}
diff --git a/testing/tests/swanctl/xauth-rsa/posttest.dat b/testing/tests/swanctl/xauth-rsa/posttest.dat
new file mode 100644
index 000000000..d7107ccc6
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/posttest.dat
@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+dave::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/swanctl/xauth-rsa/pretest.dat b/testing/tests/swanctl/xauth-rsa/pretest.dat
new file mode 100644
index 000000000..762c35418
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+dave::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/swanctl/xauth-rsa/test.conf b/testing/tests/swanctl/xauth-rsa/test.conf
new file mode 100644
index 000000000..1227b9d1c
--- /dev/null
+++ b/testing/tests/swanctl/xauth-rsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
index 3478c07df..800fa3c4f 100644
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon
new file mode 100755
index 000000000..bf3a6891a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/init.d/charon
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+	# Return
+	#   0 if daemon has been started
+	#   1 if daemon was already running
+	#   2 if daemon could not be started
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+		|| return 1
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+		$DAEMON_ARGS \
+		|| return 2
+	# Add code here, if necessary, that waits for the process to be ready
+	# to handle requests from services started subsequently which depend
+	# on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+	# Return
+	#   0 if daemon has been stopped
+	#   1 if daemon was already stopped
+	#   2 if daemon could not be stopped
+	#   other if a failure occurred
+	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+	RETVAL="$?"
+	[ "$RETVAL" = 2 ] && return 2
+	# Wait for children to finish too if this is a daemon that forks
+	# and if the daemon is only ever run from this initscript.
+	# If the above conditions are not satisfied then add some other code
+	# that waits for the process to drop all resources that could be
+	# needed by services started subsequently.  A last resort is to
+	# sleep for some time.
+	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+	[ "$?" = 2 ] && return 2
+	# Many daemons don't delete their pidfiles when they exit.
+	rm -f $PIDFILE
+	return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+	#
+	# If the daemon can reload its configuration without
+	# restarting (for example, when it is sent a SIGHUP),
+	# then implement that here.
+	#
+	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+	return 0
+}
+
+case "$1" in
+  start)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+	do_start
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  stop)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+	do_stop
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  status)
+	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+	;;
+  #reload|force-reload)
+	#
+	# If do_reload() is not implemented then leave this commented out
+	# and leave 'force-reload' as an alias for 'restart'.
+	#
+	#log_daemon_msg "Reloading $DESC" "$NAME"
+	#do_reload
+	#log_end_msg $?
+	#;;
+  restart|force-reload)
+	#
+	# If the "reload" option is implemented then remove the
+	# 'force-reload' alias
+	#
+	log_daemon_msg "Restarting $DESC" "$NAME"
+	do_stop
+	case "$?" in
+	  0|1)
+		do_start
+		case "$?" in
+			0) log_end_msg 0 ;;
+			1) log_end_msg 1 ;; # Old process is still running
+			*) log_end_msg 1 ;; # Failed to start
+		esac
+		;;
+	  *)
+		# Failed to stop
+		log_end_msg 1
+		;;
+	esac
+	;;
+  *)
+	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+	exit 3
+	;;
+esac
+
+:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index caa5bc17a..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
index d891a2c5b..063bb6fc9 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
@@ -1,13 +1,29 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
     }
   }
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
new file mode 100755
index 000000000..bf3a6891a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/init.d/charon
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+	# Return
+	#   0 if daemon has been started
+	#   1 if daemon was already running
+	#   2 if daemon could not be started
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+		|| return 1
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+		$DAEMON_ARGS \
+		|| return 2
+	# Add code here, if necessary, that waits for the process to be ready
+	# to handle requests from services started subsequently which depend
+	# on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+	# Return
+	#   0 if daemon has been stopped
+	#   1 if daemon was already stopped
+	#   2 if daemon could not be stopped
+	#   other if a failure occurred
+	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+	RETVAL="$?"
+	[ "$RETVAL" = 2 ] && return 2
+	# Wait for children to finish too if this is a daemon that forks
+	# and if the daemon is only ever run from this initscript.
+	# If the above conditions are not satisfied then add some other code
+	# that waits for the process to drop all resources that could be
+	# needed by services started subsequently.  A last resort is to
+	# sleep for some time.
+	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+	[ "$?" = 2 ] && return 2
+	# Many daemons don't delete their pidfiles when they exit.
+	rm -f $PIDFILE
+	return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+	#
+	# If the daemon can reload its configuration without
+	# restarting (for example, when it is sent a SIGHUP),
+	# then implement that here.
+	#
+	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+	return 0
+}
+
+case "$1" in
+  start)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+	do_start
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  stop)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+	do_stop
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  status)
+	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+	;;
+  #reload|force-reload)
+	#
+	# If do_reload() is not implemented then leave this commented out
+	# and leave 'force-reload' as an alias for 'restart'.
+	#
+	#log_daemon_msg "Reloading $DESC" "$NAME"
+	#do_reload
+	#log_end_msg $?
+	#;;
+  restart|force-reload)
+	#
+	# If the "reload" option is implemented then remove the
+	# 'force-reload' alias
+	#
+	log_daemon_msg "Restarting $DESC" "$NAME"
+	do_stop
+	case "$?" in
+	  0|1)
+		do_start
+		case "$?" in
+			0) log_end_msg 0 ;;
+			1) log_end_msg 1 ;; # Old process is still running
+			*) log_end_msg 1 ;; # Failed to start
+		esac
+		;;
+	  *)
+		# Failed to stop
+		log_end_msg 1
+		;;
+	esac
+	;;
+  *)
+	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+	exit 3
+	;;
+esac
+
+:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index ba149c4ba..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
index d891a2c5b..063bb6fc9 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
@@ -1,13 +1,29 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
     }
   }
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
new file mode 100755
index 000000000..bf3a6891a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/init.d/charon
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+	# Return
+	#   0 if daemon has been started
+	#   1 if daemon was already running
+	#   2 if daemon could not be started
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+		|| return 1
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+		$DAEMON_ARGS \
+		|| return 2
+	# Add code here, if necessary, that waits for the process to be ready
+	# to handle requests from services started subsequently which depend
+	# on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+	# Return
+	#   0 if daemon has been stopped
+	#   1 if daemon was already stopped
+	#   2 if daemon could not be stopped
+	#   other if a failure occurred
+	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+	RETVAL="$?"
+	[ "$RETVAL" = 2 ] && return 2
+	# Wait for children to finish too if this is a daemon that forks
+	# and if the daemon is only ever run from this initscript.
+	# If the above conditions are not satisfied then add some other code
+	# that waits for the process to drop all resources that could be
+	# needed by services started subsequently.  A last resort is to
+	# sleep for some time.
+	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+	[ "$?" = 2 ] && return 2
+	# Many daemons don't delete their pidfiles when they exit.
+	rm -f $PIDFILE
+	return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+	#
+	# If the daemon can reload its configuration without
+	# restarting (for example, when it is sent a SIGHUP),
+	# then implement that here.
+	#
+	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+	return 0
+}
+
+case "$1" in
+  start)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+	do_start
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  stop)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+	do_stop
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  status)
+	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+	;;
+  #reload|force-reload)
+	#
+	# If do_reload() is not implemented then leave this commented out
+	# and leave 'force-reload' as an alias for 'restart'.
+	#
+	#log_daemon_msg "Reloading $DESC" "$NAME"
+	#do_reload
+	#log_end_msg $?
+	#;;
+  restart|force-reload)
+	#
+	# If the "reload" option is implemented then remove the
+	# 'force-reload' alias
+	#
+	log_daemon_msg "Restarting $DESC" "$NAME"
+	do_stop
+	case "$?" in
+	  0|1)
+		do_start
+		case "$?" in
+			0) log_end_msg 0 ;;
+			1) log_end_msg 1 ;; # Old process is still running
+			*) log_end_msg 1 ;; # Failed to start
+		esac
+		;;
+	  *)
+		# Failed to stop
+		log_end_msg 1
+		;;
+	esac
+	;;
+  *)
+	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+	exit 3
+	;;
+esac
+
+:
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0fdad8607..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
index 03f5519e2..a3d85b054 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,22 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -17,3 +29,7 @@ charon {
     }
   }
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
index 1865a1c60..770cf6ede 100644
--- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
index d181aab9f..f0f6446bf 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
@@ -6,11 +6,15 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
-moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 moon::expect-connection rw-allow
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/tnc/tnccs-11-fhh/test.conf
index a8a05af19..61f2312af 100644
--- a/testing/tests/tnc/tnccs-11-fhh/test.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/test.conf
@@ -23,4 +23,6 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
-
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index 3f3aa9f64..ef02166f0 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
@@ -1,14 +1,15 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
index 2d4961288..c5bde6a9e 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
@@ -15,6 +15,19 @@ session {
 }
 
 post-auth {
+	if (control:TNC-Status == "Access") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "allow"
+		}
+	}
+	elsif (control:TNC-Status == "Isolate") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "isolate"
+		}
+	}
+
 	Post-Auth-Type REJECT {
 		attr_filter.access_reject
 	}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
index 06c34ed9a..7622801ab 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
@@ -1,12 +1,12 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 libimcv {
-  debug_level = 3
+  load = random nonce sha1 sha2 md5 gmp pubkey x509
+  debug_level = 3 
   assessment_result = no
   plugins {
-    imv-scanner {
-      closed_port_policy = no
-      tcp_ports = 80 443
-     }
+    imv-test {
+      rounds = 1 
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e9152e0d8..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
index 927c459db..80c96b677 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..ff58c7c9a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 25589bcf1..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
index 566457da3..691cdbc2d 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
@@ -14,6 +27,9 @@ charon {
 
 libimcv {
   plugins {
+    imc-test {
+      command = none
+    }
     imc-scanner {
       push_info = no
     }
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..5af2098b6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
index fbf1617bc..71fc7dd0c 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,19 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
   multiple_authentication=no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
   plugins {
     eap-radius {
       secret = gv6URkSs 
-      server = PH_IP_ALICE
+      server = 10.1.0.10 
+      filter_id = yes
     }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..28b32b74c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+      }
+      children {
+         rw {
+            local_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
index 5e5a8514d..2989f347c 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
@@ -1,9 +1,8 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 alice::killall radiusd
 alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
index d2bb94583..baf8c972f 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
@@ -1,14 +1,20 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-dave::/etc/init.d/apache2 start 2> /dev/null
 alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/tnc/tnccs-11-radius-block/test.conf
index 29bfaa78c..8d7f51449 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/test.conf
@@ -5,11 +5,11 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-v-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS="alice"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
index 955584ba3..d57b5e73f 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e9152e0d8..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
index 3520fd5c8..978cc6659 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
@@ -1,21 +1,26 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
     }
   }
-}
-
-libimcv {
   plugins {
-    imc-test {
-      command = allow
+    eap-tnc {
+      protocol = tnccs-1.1
     }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1516ad726
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 25589bcf1..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
index e8706082e..0bc6e3525 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
@@ -1,26 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
-
   retransmit_tries = 5
 
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
     }
   }
-}
-
-libimcv {
   plugins {
-    imc-test {
-      command = allow
-    }
-    imc-scanner {
-      push_info = no
+    eap-tnc {
+      protocol = tnccs-1.1
     }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..07b35dcb9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 294964fe7..000000000
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=pubkey
-	leftfirewall=yes
-	rightauth=eap-radius
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
index 6e49677e4..387236ebc 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,18 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
   multiple_authentication=no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
   plugins {
     eap-radius {
       secret = gv6URkSs 
-      server = PH_IP_ALICE
+      server = 10.1.0.10 
       filter_id = yes
     }
   }
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..096eb7b5a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,53 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-ecp256
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
index 18e03746b..db806c3c9 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 alice::killall radiusd
 alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
 carol::echo 1 > /proc/sys/net/ipv4/ip_forward
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
index 31ee7d1c7..c96e0631f 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
@@ -11,12 +11,16 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
-dave::expect-connection home
-dave::ipsec up home
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
 alice::ipsec attest --sessions
 alice::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
index 318dfdfcb..05d40f98d 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
@@ -27,3 +27,7 @@ RADIUSHOSTS="alice"
 # Guest instances on which databases are used
 #
 DBHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
index 955584ba3..0415c3323 100644
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
index 45050f7e1..7622801ab 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 libimcv {
+  load = random nonce sha1 sha2 md5 gmp pubkey x509
   debug_level = 3 
   assessment_result = no
   plugins {
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e9152e0d8..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
index 927c459db..80c96b677 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..ff58c7c9a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 25589bcf1..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
index 1422c3cc6..9c6f28fe3 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..5af2098b6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 294964fe7..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=pubkey
-	leftfirewall=yes
-	rightauth=eap-radius
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
index 6e49677e4..71fc7dd0c 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,18 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
   multiple_authentication=no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
   plugins {
     eap-radius {
       secret = gv6URkSs 
-      server = PH_IP_ALICE
+      server = 10.1.0.10 
       filter_id = yes
     }
   }
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..3caad0c66
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,53 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat
index a64a9147c..2989f347c 100644
--- a/testing/tests/tnc/tnccs-11-radius/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 alice::killall radiusd
 alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
 moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
index fcfb1451c..baf8c972f 100644
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat
@@ -7,10 +7,14 @@ alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.propertie
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home
diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/tnc/tnccs-11-radius/test.conf
index f23a19329..8d7f51449 100644
--- a/testing/tests/tnc/tnccs-11-radius/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS="alice"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
index 45050f7e1..7622801ab 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 libimcv {
+  load = random nonce sha1 sha2 md5 gmp pubkey x509
   debug_level = 3 
   assessment_result = no
   plugins {
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index f24455975..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index ddd495699..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
index 71fbae695..965752b5e 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 libimcv {
+  load = random nonce sha1 sha2 md5 gmp pubkey x509
   debug_level = 3
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..00ef0f516
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index f24455975..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index ddd495699..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
index 4ce2769f2..ca1f7d9a5 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 libimcv {
+  load = random nonce sha1 sha2 md5 gmp pubkey x509
   debug_level = 3
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..00ef0f516
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# The strongSwan IMCs are loaded by the WPA supplicant
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 294964fe7..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=pubkey
-	leftfirewall=yes
-	rightauth=eap-radius
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 6e49677e4..000000000
--- a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
-  multiple_authentication=no
-  plugins {
-    eap-radius {
-      secret = gv6URkSs 
-      server = PH_IP_ALICE
-      filter_id = yes
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-11-supplicant/test.conf b/testing/tests/tnc/tnccs-11-supplicant/test.conf
index f23a19329..2069e4aa5 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/test.conf
+++ b/testing/tests/tnc/tnccs-11-supplicant/test.conf
@@ -13,14 +13,17 @@ DIAGRAM="a-v-m-c-w-d.png"
 
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS=
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="carol dave"
 
 # Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-11/evaltest.dat b/testing/tests/tnc/tnccs-11/evaltest.dat
index 3478c07df..800fa3c4f 100644
--- a/testing/tests/tnc/tnccs-11/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11/evaltest.dat
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e2bf349d9..000000000
--- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
index 927c459db..af30c204d 100644
--- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 77446cbae..000000000
--- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
index 1422c3cc6..524536228 100644
--- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e21ef0d14..000000000
--- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
index 2ce6fd3a1..bba631b1f 100644
--- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -18,6 +31,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imv-test {
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-11/posttest.dat b/testing/tests/tnc/tnccs-11/posttest.dat
index 1865a1c60..770cf6ede 100644
--- a/testing/tests/tnc/tnccs-11/posttest.dat
+++ b/testing/tests/tnc/tnccs-11/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat
index 85622034d..c8ab14343 100644
--- a/testing/tests/tnc/tnccs-11/pretest.dat
+++ b/testing/tests/tnc/tnccs-11/pretest.dat
@@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11/test.conf b/testing/tests/tnc/tnccs-11/test.conf
index a8a05af19..3a6669966 100644
--- a/testing/tests/tnc/tnccs-11/test.conf
+++ b/testing/tests/tnc/tnccs-11/test.conf
@@ -24,3 +24,7 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
+
diff --git a/testing/tests/tnc/tnccs-20-block/evaltest.dat b/testing/tests/tnc/tnccs-20-block/evaltest.dat
index e0f3d9357..b67affbf4 100644
--- a/testing/tests/tnc/tnccs-20-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat
@@ -1,12 +1,14 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw::NO
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e2bf349d9..000000000
--- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
index 201f6c7cb..fac3dc02d 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = de, en
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..760fca451
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 77446cbae..000000000
--- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
index a255b906d..168e4ec64 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication=no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = ru, fr, en
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-scanner {
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..53450038e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 9aeb02ac2..000000000
--- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
index ee510f1b5..bb15d3ffa 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -17,12 +30,6 @@ charon {
   }
 }
 
-libimcv {
-  plugins {
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
-  }
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..e396cd06e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,39 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls 
+         id = moon.strongswan.org
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+      }
+      children {
+         rw {
+            local_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-block/posttest.dat b/testing/tests/tnc/tnccs-20-block/posttest.dat
index 2258e03ff..770cf6ede 100644
--- a/testing/tests/tnc/tnccs-20-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-block/posttest.dat
@@ -1,7 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
-dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat
index c66a2e1ec..c8ab14343 100644
--- a/testing/tests/tnc/tnccs-20-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-block/pretest.dat
@@ -1,14 +1,17 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-dave::/etc/init.d/apache2 start 2> /dev/null
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-block/test.conf b/testing/tests/tnc/tnccs-20-block/test.conf
index a8a05af19..f6db73912 100644
--- a/testing/tests/tnc/tnccs-20-block/test.conf
+++ b/testing/tests/tnc/tnccs-20-block/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
index c69940c4b..1b70ac8ec 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
@@ -1,19 +1,17 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index a483d6df8..000000000
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
index ea8e62679..aceddc368 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 2 
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 11378131a..000000000
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
index 3a93fc30c..7ac1a5d70 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 2 
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = ru , de, en
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index b1093d46d..000000000
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
index 009e2ef13..a0b807755 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 2
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -14,6 +27,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imv-test {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
index 1865a1c60..770cf6ede 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
index 85622034d..c8ab14343 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
@@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-client-retry/test.conf b/testing/tests/tnc/tnccs-20-client-retry/test.conf
index a8a05af19..f6db73912 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/test.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e2bf349d9..000000000
--- a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
index fcd224651..073355713 100644
--- a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     tnccs-20 {
       tests {
@@ -14,6 +27,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 504408488..000000000
--- a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
index 76f413722..6c1b9917b 100644
--- a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = ru, pl  , de
@@ -17,6 +30,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e21ef0d14..000000000
--- a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
index 9c13fcb67..165c5ccb9 100644
--- a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -14,6 +27,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imv-test {
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
index b757d8b15..770cf6ede 100644
--- a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
@@ -1,6 +1,6 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
index 85622034d..c8ab14343 100644
--- a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
@@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-fail-init/test.conf b/testing/tests/tnc/tnccs-20-fail-init/test.conf
index 3c8e3996f..513114964 100644
--- a/testing/tests/tnc/tnccs-20-fail-init/test.conf
+++ b/testing/tests/tnc/tnccs-20-fail-init/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e2bf349d9..000000000
--- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
index ed6d6f718..56fa7a967 100644
--- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e21ef0d14..000000000
--- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
index 626731f58..cb6abf305 100644
--- a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -19,6 +32,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imv-test {
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
index 80ce1a125..9af5f39a2 100644
--- a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
@@ -1,4 +1,4 @@
-carol::ipsec stop
-moon::ipsec stop
+carol::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
index e5c202947..3dba1d75e 100644
--- a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
@@ -2,7 +2,9 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
+carol::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/test.conf b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
index e8430743e..9141c691e 100644
--- a/testing/tests/tnc/tnccs-20-fail-resp/test.conf
+++ b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
index c69940c4b..d406b5925 100644
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
@@ -1,19 +1,18 @@
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Quarantined::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
new file mode 100755
index 000000000..bf3a6891a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/init.d/charon
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+	# Return
+	#   0 if daemon has been started
+	#   1 if daemon was already running
+	#   2 if daemon could not be started
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+		|| return 1
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+		$DAEMON_ARGS \
+		|| return 2
+	# Add code here, if necessary, that waits for the process to be ready
+	# to handle requests from services started subsequently which depend
+	# on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+	# Return
+	#   0 if daemon has been stopped
+	#   1 if daemon was already stopped
+	#   2 if daemon could not be stopped
+	#   other if a failure occurred
+	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+	RETVAL="$?"
+	[ "$RETVAL" = 2 ] && return 2
+	# Wait for children to finish too if this is a daemon that forks
+	# and if the daemon is only ever run from this initscript.
+	# If the above conditions are not satisfied then add some other code
+	# that waits for the process to drop all resources that could be
+	# needed by services started subsequently.  A last resort is to
+	# sleep for some time.
+	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+	[ "$?" = 2 ] && return 2
+	# Many daemons don't delete their pidfiles when they exit.
+	rm -f $PIDFILE
+	return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+	#
+	# If the daemon can reload its configuration without
+	# restarting (for example, when it is sent a SIGHUP),
+	# then implement that here.
+	#
+	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+	return 0
+}
+
+case "$1" in
+  start)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+	do_start
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  stop)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+	do_stop
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  status)
+	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+	;;
+  #reload|force-reload)
+	#
+	# If do_reload() is not implemented then leave this commented out
+	# and leave 'force-reload' as an alias for 'restart'.
+	#
+	#log_daemon_msg "Reloading $DESC" "$NAME"
+	#do_reload
+	#log_end_msg $?
+	#;;
+  restart|force-reload)
+	#
+	# If the "reload" option is implemented then remove the
+	# 'force-reload' alias
+	#
+	log_daemon_msg "Restarting $DESC" "$NAME"
+	do_stop
+	case "$?" in
+	  0|1)
+		do_start
+		case "$?" in
+			0) log_end_msg 0 ;;
+			1) log_end_msg 1 ;; # Old process is still running
+			*) log_end_msg 1 ;; # Failed to start
+		esac
+		;;
+	  *)
+		# Failed to stop
+		log_end_msg 1
+		;;
+	esac
+	;;
+  *)
+	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+	exit 3
+	;;
+esac
+
+:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index a483d6df8..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
index 43af0fca1..c3338d43b 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,25 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 2 
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
new file mode 100755
index 000000000..bf3a6891a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/init.d/charon
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+	# Return
+	#   0 if daemon has been started
+	#   1 if daemon was already running
+	#   2 if daemon could not be started
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+		|| return 1
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+		$DAEMON_ARGS \
+		|| return 2
+	# Add code here, if necessary, that waits for the process to be ready
+	# to handle requests from services started subsequently which depend
+	# on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+	# Return
+	#   0 if daemon has been stopped
+	#   1 if daemon was already stopped
+	#   2 if daemon could not be stopped
+	#   other if a failure occurred
+	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+	RETVAL="$?"
+	[ "$RETVAL" = 2 ] && return 2
+	# Wait for children to finish too if this is a daemon that forks
+	# and if the daemon is only ever run from this initscript.
+	# If the above conditions are not satisfied then add some other code
+	# that waits for the process to drop all resources that could be
+	# needed by services started subsequently.  A last resort is to
+	# sleep for some time.
+	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+	[ "$?" = 2 ] && return 2
+	# Many daemons don't delete their pidfiles when they exit.
+	rm -f $PIDFILE
+	return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+	#
+	# If the daemon can reload its configuration without
+	# restarting (for example, when it is sent a SIGHUP),
+	# then implement that here.
+	#
+	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+	return 0
+}
+
+case "$1" in
+  start)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+	do_start
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  stop)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+	do_stop
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  status)
+	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+	;;
+  #reload|force-reload)
+	#
+	# If do_reload() is not implemented then leave this commented out
+	# and leave 'force-reload' as an alias for 'restart'.
+	#
+	#log_daemon_msg "Reloading $DESC" "$NAME"
+	#do_reload
+	#log_end_msg $?
+	#;;
+  restart|force-reload)
+	#
+	# If the "reload" option is implemented then remove the
+	# 'force-reload' alias
+	#
+	log_daemon_msg "Restarting $DESC" "$NAME"
+	do_stop
+	case "$?" in
+	  0|1)
+		do_start
+		case "$?" in
+			0) log_end_msg 0 ;;
+			1) log_end_msg 1 ;; # Old process is still running
+			*) log_end_msg 1 ;; # Failed to start
+		esac
+		;;
+	  *)
+		# Failed to stop
+		log_end_msg 1
+		;;
+	esac
+	;;
+  *)
+	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+	exit 3
+	;;
+esac
+
+:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 11378131a..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
index 43af0fca1..89d9e50bd 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 2 
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
new file mode 100755
index 000000000..bf3a6891a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/init.d/charon
@@ -0,0 +1,158 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          charon 
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: strongSwan charon IKE daemon 
+# Description:       with swanctl the strongSwan charon daemon must be
+#                    running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+	# Return
+	#   0 if daemon has been started
+	#   1 if daemon was already running
+	#   2 if daemon could not be started
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+		|| return 1
+	start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+		$DAEMON_ARGS \
+		|| return 2
+	# Add code here, if necessary, that waits for the process to be ready
+	# to handle requests from services started subsequently which depend
+	# on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+	# Return
+	#   0 if daemon has been stopped
+	#   1 if daemon was already stopped
+	#   2 if daemon could not be stopped
+	#   other if a failure occurred
+	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+	RETVAL="$?"
+	[ "$RETVAL" = 2 ] && return 2
+	# Wait for children to finish too if this is a daemon that forks
+	# and if the daemon is only ever run from this initscript.
+	# If the above conditions are not satisfied then add some other code
+	# that waits for the process to drop all resources that could be
+	# needed by services started subsequently.  A last resort is to
+	# sleep for some time.
+	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+	[ "$?" = 2 ] && return 2
+	# Many daemons don't delete their pidfiles when they exit.
+	rm -f $PIDFILE
+	return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+	#
+	# If the daemon can reload its configuration without
+	# restarting (for example, when it is sent a SIGHUP),
+	# then implement that here.
+	#
+	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+	return 0
+}
+
+case "$1" in
+  start)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+	do_start
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  stop)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+	do_stop
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  status)
+	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+	;;
+  #reload|force-reload)
+	#
+	# If do_reload() is not implemented then leave this commented out
+	# and leave 'force-reload' as an alias for 'restart'.
+	#
+	#log_daemon_msg "Reloading $DESC" "$NAME"
+	#do_reload
+	#log_end_msg $?
+	#;;
+  restart|force-reload)
+	#
+	# If the "reload" option is implemented then remove the
+	# 'force-reload' alias
+	#
+	log_daemon_msg "Restarting $DESC" "$NAME"
+	do_stop
+	case "$?" in
+	  0|1)
+		do_start
+		case "$?" in
+			0) log_end_msg 0 ;;
+			1) log_end_msg 1 ;; # Old process is still running
+			*) log_end_msg 1 ;; # Failed to start
+		esac
+		;;
+	  *)
+		# Failed to stop
+		log_end_msg 1
+		;;
+	esac
+	;;
+  *)
+	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+	exit 3
+	;;
+esac
+
+:
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index b1093d46d..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
index 9f3874b6c..0cd34865c 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 2
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
index 1865a1c60..770cf6ede 100644
--- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
index 39b0e03eb..f0f6446bf 100644
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
@@ -6,12 +6,15 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
-moon::cat /etc/tnc/dummyimv.policy
-moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 moon::expect-connection rw-allow
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/tnc/tnccs-20-fhh/test.conf
index a8a05af19..f6db73912 100644
--- a/testing/tests/tnc/tnccs-20-fhh/test.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat
index 1293e9883..90d1922fb 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat
@@ -16,4 +16,3 @@ alice::cat /var/log/daemon.log::policy enforced on peer.*carol@strongswan.org.*i
 alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
-
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index f2e611952..000000000
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imv 3"
-
-conn aaa
-	leftcert=aaaCert.pem
-	leftid=aaa.strongswan.org
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets
deleted file mode 100644
index 606e184bd..000000000
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA aaaKey.pem
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf
index 1ecf6f883..a0db6ae7b 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf
@@ -1,8 +1,20 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       request_peer_auth = yes
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem
index adc47dd33..adc47dd33 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/swanctl.conf
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem
index 42083c2a9..42083c2a9 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 2cca42cd7..000000000
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf
index 2694b75d8..f0a6c4bde 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf
@@ -1,8 +1,21 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 3
+    }
+  }
   plugins {
     eap-ttls {
       max_message_count = 0
@@ -17,6 +30,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   os_info {
     name = strongPrint OS
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..db9d4fad8
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 2707b2be9..000000000
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftauth=eap
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf
index dbc845de9..f5c3440c1 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf
@@ -1,8 +1,21 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 3
+    }
+  }
   plugins {
     eap-ttls {
       max_message_count = 0
@@ -17,6 +30,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   os_info {
     name = strongPrint OS
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989107a2a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         aaa_id = aaa.strongswan.org
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 02ada5665..000000000
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=pubkey
-	leftfirewall=yes
-	rightauth=eap-radius
-	rightsendcert=never
-	right=%any
-	eap_identity=%any
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf
index fc647a079..4dae69352 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,13 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown
   multiple_authentication=no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..3caad0c66
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,53 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat
index 369cfe86f..bcd655353 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat
@@ -1,7 +1,9 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-alice::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
+alice::service charon stop
+alice::rm /etc/swanctl/rsa/aaaKey.pem
+alice::rm /etc/swanctl/x509/aaaCert.pem
 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat
index 0978d1252..db8ce1061 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat
@@ -7,11 +7,13 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::echo 0 > /proc/sys/net/ipv4/ip_forward
 dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
-alice::ipsec start
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+alice::rm /etc/swanctl/rsa/aliceKey.pem
+alice::rm /etc/swanctl/x509/aliceCert.pem
+alice::service charon start
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/test.conf b/testing/tests/tnc/tnccs-20-hcd-eap/test.conf
index c4ca1a19f..14b7fc8bf 100644
--- a/testing/tests/tnc/tnccs-20-hcd-eap/test.conf
+++ b/testing/tests/tnc/tnccs-20-hcd-eap/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave alice"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/description.txt b/testing/tests/tnc/tnccs-20-mutual-eap-fail/description.txt
new file mode 100644
index 000000000..f910cb59f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/description.txt
@@ -0,0 +1,5 @@
+The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements over IKEv2-EAP
+using the PA-TNC, PB-TNC and PT-EAP protocols. The IKEv2 EAP-TTLS authentication
+is based on X.509 certificates. The TNC measurement on <b>moon</b> is successful
+and the measurement on <b>sun</b> fails, causing the IPsec connection to be
+aborted by <b>moon</b>.
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/evaltest.dat
new file mode 100644
index 000000000..93303221f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/evaltest.dat
@@ -0,0 +1,7 @@
+moon::cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+moon::cat /var/log/daemon.log::final recommendation is.*no access::YES
+sun:: cat /var/log/daemon.log::final recommendation is.*allow::YES
+moon::swanctl --list-sas --raw 2> /dev/null::mutual.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*mutual.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::NO
+sun::swanctl --list-sas --raw 2> /dev/null::mutual.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*mutual.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::NO
+moon::ping -c 1 -W 1 192.168.0.2::64 bytes from 192.168.0.2: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..a555970ec
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,45 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+
+  multiple_authentication = no
+
+ start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 2
+      imv = 2
+    }
+  }
+  plugins {
+    eap-ttls {
+      phase2_tnc = yes
+    }
+    tnccs-20 {
+      mutual = yes
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow 
+    }
+    imv-test {
+      rounds = 1
+    }   
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..329005907
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   mutual {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2 
+
+      local {
+         auth = eap-ttls
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = sun.strongswan.org
+         groups = allow
+      }
+      children {
+         mutual {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      mobike = no
+      send_certreq = no
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint 
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..b2280db18
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,47 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+
+   multiple_authentication = no
+ 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 2
+      imv = 2
+    }
+  }
+  plugins {
+    eap-ttls {
+      request_peer_auth = yes
+      phase2_piggyback = yes
+      phase2_tnc =yes
+    }
+    tnccs-20 {
+      mutual = yes
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = none 
+    }
+    imv-test {
+      rounds = 1 
+    }   
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6b559aa8c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   mutual {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls 
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org
+         groups = allow
+      }
+      children {
+          mutual {
+             updown = /usr/local/libexec/ipsec/_updown iptables
+             esp_proposals = aes128gcm16-ecp256
+          } 
+      }
+      version = 2
+      mobike = no
+      send_certreq = no 
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint 
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat
new file mode 100644
index 000000000..4677e46f0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat
@@ -0,0 +1,4 @@
+moon::service charon stop
+sun::service charon stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat
new file mode 100644
index 000000000..0a3563986
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::service charon start
+sun::service charon start
+moon::expect-connection mutual 
+moon::swanctl --initiate --child mutual 
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap-fail/test.conf b/testing/tests/tnc/tnccs-20-mutual-eap-fail/test.conf
new file mode 100644
index 000000000..5c095cefa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap-fail/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/description.txt b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt
index 6c79b8c49..6d5c67a03 100644
--- a/testing/tests/tnc/tnccs-20-mutual-eap/description.txt
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt
@@ -1,3 +1,4 @@
 The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements over IKEv2-EAP
-using the PA-TNC, PB-TNC and PT-EAP protocols. The authentication is based on
-X.509 certificates.
+using the PA-TNC, PB-TNC and PT-EAP protocols. The IKEv2 EAP-TTLS authentication
+is based on X.509 certificates. The TNC measurements of both <b>moon</b> and
+<b>sun</b> are successful and the IPsec connection gets established.
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
index 0ef7b5d7d..28f101cdc 100644
--- a/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
@@ -1,11 +1,9 @@
 moon::cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
 sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
-moon::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
-sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
-moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+moon::cat /var/log/daemon.log::final recommendation is.*allow::YES
+sun:: cat /var/log/daemon.log::final recommendation is.*allow::YES
+moon::swanctl --list-sas --raw 2> /dev/null::mutual.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*mutual.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun::swanctl --list-sas --raw 2> /dev/null::mutual.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*mutual.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+moon::ping -c 1 192.168.0.2::64 bytes from 192.168.0.2: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 47a0283dc..000000000
--- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imc 2, imv 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn host-host
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=moon.strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightid=sun.strongswan.org
-	rightsendcert=never
-	rightauth=any
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf
index 953e7fcea..1212e2356 100644
--- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+  load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
 
   multiple_authentication = no
+
+ start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 2
+      imv = 2
+    }
+  }
   plugins {
     eap-ttls {
-      phase2_tnc =yes
+      phase2_tnc = yes
     }
     tnccs-20 {
       mutual = yes
@@ -14,6 +29,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..329005907
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   mutual {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2 
+
+      local {
+         auth = eap-ttls
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = sun.strongswan.org
+         groups = allow
+      }
+      children {
+         mutual {
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      mobike = no
+      send_certreq = no
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index c20bce930..000000000
--- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imc 2, imv 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn host-host
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=sun.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=moon.strongswan.org
-	rightauth=eap-ttls
-	rightsendcert=never
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf
index 570126a0e..f29175d67 100644
--- a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf
@@ -1,9 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+  load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
 
-  multiple_authentication = no
+   multiple_authentication = no
+ 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 2
+      imv = 2
+    }
+  }
   plugins {
     eap-ttls {
       request_peer_auth = yes
@@ -16,6 +31,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..6b559aa8c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,28 @@
+connections {
+
+   mutual {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls 
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org
+         groups = allow
+      }
+      children {
+          mutual {
+             updown = /usr/local/libexec/ipsec/_updown iptables
+             esp_proposals = aes128gcm16-ecp256
+          } 
+      }
+      version = 2
+      mobike = no
+      send_certreq = no 
+      proposals = aes128-sha256-ecp256
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat
index 1f7aa73a1..4677e46f0 100644
--- a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat
@@ -1,4 +1,4 @@
-moon::ipsec stop
-sun::ipsec stop
+moon::service charon stop
+sun::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
index 997a48167..0a3563986 100644
--- a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::expect-connection host-host
-moon::ipsec up host-host
+moon::service charon start
+sun::service charon start
+moon::expect-connection mutual 
+moon::swanctl --initiate --child mutual 
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/test.conf b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf
index 55d6e9fd6..5c095cefa 100644
--- a/testing/tests/tnc/tnccs-20-mutual-eap/test.conf
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 98c415edb..000000000
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-/* configuration is read from /etc/pts/options  */
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options
index 79ae1e866..7eea85def 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options
@@ -1,8 +1,8 @@
 --connect sun.strongswan.org
 --client moon.strongswan.org
---key /etc/ipsec.d/private/moonKey.pem
---cert /etc/ipsec.d/certs/moonCert.pem
---cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--key /etc/swanctl/rsa/moonKey.pem
+--cert /etc/swanctl/x509/moonCert.pem
+--cert /etc/swanctl/x509ca/strongswanCert.pem
 --mutual
 --quiet
 --debug 2
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
index fafdac4aa..a476878ac 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pt-tls-client {
-  load = x509 openssl pem pkcs1 random nonce revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20 
+  load = random nonce x509 openssl pem pkcs1 revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20 
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..28da4d427
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# the PT-TLS client reads its configuration and secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index ba629a24f..000000000
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imc 2, imv 2"
-
-conn pdp 
-	leftcert=sunCert.pem
-	leftid=sun.strongswan.org
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
index 05ffdb178..9e694bc01 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
@@ -1,8 +1,21 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 
+  load = random nonce x509 openssl pem pkcs1 revocation curl vici kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 2
+      imv = 2
+    }
+  }
   plugins {
     tnc-pdp {
       server = sun.strongswan.org
@@ -16,6 +29,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/swantcl/swanctl.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/swantcl/swanctl.conf
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/swantcl/swanctl.conf
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat
index e6ccb14fe..d1f83a319 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat
@@ -1 +1 @@
-sun::ipsec stop
+sun::service charon stop
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
index 07b17600d..af53e6c9b 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
@@ -1,4 +1,4 @@
-sun::ipsec start
+sun::service charon start
 moon::cat /etc/pts/options
-sun::expect-connection pdp
+moon::sleep 1
 moon::ipsec pt-tls-client --optionsfrom /etc/pts/options
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf
index 55d6e9fd6..5c095cefa 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="sun"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
index 8c9e59a56..88b55c9f7 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index d17473db1..000000000
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf
index 0c934295f..d3941d811 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,28 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+      pts = 3
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index d459bfc6c..000000000
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
index 156a2e4c4..134cd991c 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
@@ -1,12 +1,25 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
-
   retransmit_tries = 5
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+      pts = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = de
@@ -14,6 +27,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-os {
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index bc8b2d8f9..000000000
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 3, pts 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
index c8992bdad..4b024e9a8 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+      pts = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -14,6 +28,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
index 74b902c69..ce72d2ca9 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
index 345f54816..81537cc62 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
@@ -8,12 +8,16 @@ moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
-dave::expect-connection home
-dave::ipsec up home
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
 moon::ipsec attest --sessions
 moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-os-pts/test.conf b/testing/tests/tnc/tnccs-20-os-pts/test.conf
index 4b1c410ff..005df9a0c 100644
--- a/testing/tests/tnc/tnccs-20-os-pts/test.conf
+++ b/testing/tests/tnc/tnccs-20-os-pts/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="moon carol dave"
 # Guest instances on which databases are used
 #
 DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat
index 292116309..202b408aa 100644
--- a/testing/tests/tnc/tnccs-20-os/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: ipsec attest --sessions 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: ipsec attest --sessions 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e2bf349d9..000000000
--- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
index 0b8e9235c..ef90078f2 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 77446cbae..000000000
--- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
index 4dcb5c32f..4af05ad31 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = de
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+ilibtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-os {
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e21ef0d14..000000000
--- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
index 43cf395d9..2fae3ba63 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -14,6 +27,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat
index 74b902c69..ce72d2ca9 100644
--- a/testing/tests/tnc/tnccs-20-os/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-os/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
index 3c5cd328e..fa8d089f2 100644
--- a/testing/tests/tnc/tnccs-20-os/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -9,13 +9,16 @@ moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
-moon::ipsec attest --packages --product 'Debian 7.4 x86_64'
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/nullmoon::ipsec attest --packages --product 'Debian 7.9 x86_64'
 moon::ipsec attest --sessions
 moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-os/test.conf b/testing/tests/tnc/tnccs-20-os/test.conf
index f4fd4dc16..005df9a0c 100644
--- a/testing/tests/tnc/tnccs-20-os/test.conf
+++ b/testing/tests/tnc/tnccs-20-os/test.conf
@@ -22,4 +22,8 @@ IPSECHOSTS="moon carol dave"
 
 # Guest instances on which databases are used
 #
-DBHOSTS="moon"
-\ No newline at end of file
+DBHOSTS="moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
index d373eb39b..2d3027c2c 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
@@ -3,14 +3,12 @@ dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on
 dave:: cat /var/log/daemon.log::collected ... SWID tags::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
 carol::cat /var/log/daemon.log::collected ... SWID tag IDs::YES
 carol::cat /var/log/daemon.log::collected 1 SWID tag::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES
 alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and ... SWID tags::YES
 alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
@@ -21,8 +19,10 @@ moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP succe
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
 moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
-moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100 remote-eap-id=carol.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200 remote-eap-id=dave.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index f2e611952..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imv 3"
-
-conn aaa
-	leftcert=aaaCert.pem
-	leftid=aaa.strongswan.org
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets
deleted file mode 100644
index 11d45cd14..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA aaaKey.pem
-
-carol : EAP "Ar3etTnp"
-dave  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
index 48d5d70f0..4328b06ea 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
@@ -1,8 +1,20 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem
index adc47dd33..adc47dd33 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/rsa/aaaKey.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..378b73a69
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,11 @@
+secrets {
+
+   eap-carol {
+      id = carol
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem
index 42083c2a9..42083c2a9 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/swanctl/x509/aaaCert.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 6e6430e4d..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	eap_identity=carol
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 23d79cf2e..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
index 8aa2ab97e..47b9affed 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
@@ -1,10 +1,21 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
-  retransmit_timeout =
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 3
+    }
+  }
   plugins {
     eap-ttls {
       max_message_count = 0
@@ -18,3 +29,7 @@ charon {
     }
   }
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6925f0f90
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         eap_id = carol
+         aaa_id = aaa.strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 4846af279..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightauth=pubkey
-	eap_identity=dave
-	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 02e0c9963..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
index aea7a71f9..d00808398 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,21 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
-  retransmit_timeout =
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 3
+    }
+  }
   plugins {
    eap-ttls {
       max_message_count = 0
@@ -19,6 +30,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
    imc-os {
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0870cf04b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap
+         eap_id = dave
+         aaa_id = aaa.strongswan.org
+      }
+      remote {
+         auth = pubkey 
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 02ada5665..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=pubkey
-	leftfirewall=yes
-	rightauth=eap-radius
-	rightsendcert=never
-	right=%any
-	eap_identity=%any
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
index fc647a079..8b931afc9 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,14 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown
+
   multiple_authentication=no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..6ec8d3428
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,53 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+         certs = moonCert.pem
+      }
+      remote {
+         auth = eap-radius
+         eap_id = %any
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey 
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-radius
+         eap_id = %any 
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
index fe9f59e44..e5ec2afc7 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
@@ -1,8 +1,10 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-alice::ipsec stop
+moon::service charon stop
+carol::service charon stop
+dave::service charon stop
+alice::service charon stop
 alice::service apache2 stop
+alice::rm /etc/swanctl/x509/aaaCert.pem
+alice::rm /etc/swanctl/rsa/aaaKey.pem
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
index 4b8d3f024..6292d6909 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
@@ -1,6 +1,12 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
+alice::rm /etc/swanctl/x509/aliceCert.pem
+alice::rm /etc/swanctl/rsa/aliceKey.pem
+carol::rm /etc/swanctl/x509/carolCert.pem
+carol::rm /etc/swanctl/rsa/carolKey.pem
+dave::rm /etc/swanctl/x509/daveCert.pem
+dave::rm /etc/swanctl/rsa/daveKey.pem
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
@@ -12,12 +18,12 @@ alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql dat
 alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
 alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan
 alice::service apache2 start
-alice::ipsec start
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
+alice::service charon start
+moon::service charon start
+dave::service charon start
+carol::service charon start
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 carol::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
index 345e91150..18522e76e 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave alice"
 #
 DBHOSTS="alice"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index 7b2118f7e..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tls 2, tnc 2, imv 3"
-
-conn aaa
-	leftcert=aaaCert.pem
-	leftid=aaa.strongswan.org
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets
deleted file mode 100644
index 11d45cd14..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA aaaKey.pem
-
-carol : EAP "Ar3etTnp"
-dave  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
index 5fa49e7a7..d1cb6c9e2 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
@@ -1,8 +1,21 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 nonce x509 openssl curl revocation constraints socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+  load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tls = 2
+      tnc = 2 
+      imv = 3
+    }
+  }
   plugins {
     tnc-pdp {
       server = aaa.strongswan.org
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem
index adc47dd33..adc47dd33 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..635620b7d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,7 @@
+secrets {
+
+   eap-carol {
+      id = carol
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem
index 42083c2a9..42083c2a9 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index 4a41e7ed9..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index d2f6378b8..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options
index d485e9bf7..52a3673b3 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options
@@ -1,6 +1,6 @@
 --connect aaa.strongswan.org
 --client carol
 --secret "Ar3etTnp"
---cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--cert /etc/swanctl/x509ca/strongswanCert.pem
 --quiet
 --debug 2
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..28da4d427
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# the PT-TLS client reads its configuration and secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 4a41e7ed9..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index d2f6378b8..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options
index ca3ca3aa1..08953142f 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options
@@ -1,7 +1,7 @@
 --connect aaa.strongswan.org
 --client dave@strongswan.org
---key  /etc/ipsec.d/private/daveKey.pem
---cert /etc/ipsec.d/certs/daveCert.pem
---cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--key  /etc/swanctl/rsa/daveKey.pem
+--cert /etc/swanctl/x509/daveCert.pem
+--cert /etc/swanctl/x509ca/strongswanCert.pem
 --quiet
 --debug 2
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..28da4d427
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# the PT-TLS client reads its configuration and secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index ecd9d47aa..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# this file is not used in this scenario 
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 41cf8f84b..000000000
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# this file is not used in this scenario 
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..27f96a620
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# this file is not used in this scenario 
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
index 2f45a149d..09c8a6cbc 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
@@ -1,8 +1,10 @@
 carol::ip route del 10.1.0.0/16 via 192.168.0.1
 dave::ip route del 10.1.0.0/16 via 192.168.0.1
 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
-alice::ipsec stop
+alice::service charon stop
 alice::service apache2 stop
+alice::rm /etc/swanctl/rsa/aaaKey.pem
+alice::rm /etc/swanctl/x509/aaaCert.pem
 alice::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
index e14ba8902..ea93b2d2b 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
@@ -11,8 +11,10 @@ alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
 alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
 alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
 alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan
+alice::rm /etc/swanctl/x509/aliceCert.pem
+alice::rm /etc/swanctl/rsa/aliceKey.pem
 alice::service apache2 start
-alice::ipsec start
+alice::service charon start
 alice::expect-connection aaa
 winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
 dave::ip route add 10.1.0.0/16 via 192.168.0.1
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
index baeceb92b..08ea543e2 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
@@ -23,3 +23,7 @@ IPSECHOSTS="carol moon dave alice"
 # Guest instances on which databases are used
 #
 DBHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
index 8c9e59a56..88b89c91c 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - isolate::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index d17473db1..000000000
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
index 9f410d1bc..f4fb7e2dc 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,28 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+      pts = 3
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index d459bfc6c..000000000
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
index c69f9454d..b7a772692 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
@@ -1,12 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
-  retransmit_timeout =
+  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+      pts = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = de
@@ -14,6 +26,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-os {
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index bc8b2d8f9..000000000
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 3, pts 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
index 38b2e2ec2..117ca715c 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+      pts = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -14,6 +28,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
index 74b902c69..ce72d2ca9 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
index 345f54816..4b1c45ef9 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
@@ -8,12 +8,16 @@ moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+dave::service charon start
+carol::service charon start
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 moon::ipsec attest --sessions
 moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
index 2fd3139f5..005df9a0c 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 DBHOSTS="moon"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
index d67756349..a531ddf08 100644
--- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/28::YES
 moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*carol@strongswan.org - allow::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: ipsec attest --session 2> /dev/null::Debian.*x86_64.*dave@strongswan.org - allow::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/28]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/.strongswan.conf.swp b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/.strongswan.conf.swp
new file mode 100644
index 000000000..f57c1e1ec
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/.strongswan.conf.swp
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index d17473db1..000000000
--- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
index 0c934295f..2eb34841d 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,28 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3 
+      imc = 3
+      pts = 3 
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..c35df4fbc
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index d459bfc6c..000000000
--- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3, pts 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
index b6c9ab661..e9fa8cb80 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-
-  retransmit_timeout =
+  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+      pts = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = de
@@ -13,6 +26,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-os {
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..dd349a087
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index bc8b2d8f9..000000000
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 3, pts 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
index d9d0624f5..4b024e9a8 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
@@ -1,12 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
-
-  retransmit_timeout =
+  load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+      pts = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -16,6 +28,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   database = sqlite:///etc/db.d/config.db
   policy_script = ipsec imv_policy_manager
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..c7e9b1ef2
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-ecp256
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-ecp256
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat
index 74b902c69..ce72d2ca9 100644
--- a/testing/tests/tnc/tnccs-20-pts/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat
index 345f54816..4b1c45ef9 100644
--- a/testing/tests/tnc/tnccs-20-pts/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat
@@ -8,12 +8,16 @@ moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+dave::service charon start
+carol::service charon start
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 moon::ipsec attest --sessions
 moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pts/test.conf b/testing/tests/tnc/tnccs-20-pts/test.conf
index 2fd3139f5..005df9a0c 100644
--- a/testing/tests/tnc/tnccs-20-pts/test.conf
+++ b/testing/tests/tnc/tnccs-20-pts/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 DBHOSTS="moon"
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
index c69940c4b..b94dc5e2c 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index a483d6df8..000000000
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
index 85287fb51..7e51900a1 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 2 
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 11378131a..000000000
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
index f068d121e..4aeda6674 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 2 
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = ru , de, en
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index b1093d46d..000000000
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
index 009e2ef13..902e837f5 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 2 
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -14,6 +27,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imv-test {
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
index 1865a1c60..770cf6ede 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
index 85622034d..c8ab14343 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
@@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-server-retry/test.conf b/testing/tests/tnc/tnccs-20-server-retry/test.conf
index a8a05af19..f6db73912 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/test.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
index fe1becb97..ff9ac28b8 100644
--- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index eece9f294..000000000
--- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imc 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
index 6c7ef551f..73f32424e 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..7898275dd
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         certs = carolCert.pem 
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 362042656..000000000
--- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imc 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
index 67c3007f4..07df4c086 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
@@ -1,9 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imc = 2
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..73c379cd2
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         certs =daveCert.pem
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 0ec930286..000000000
--- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 2, imv 2"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid="C=CH, O=Linux strongSwan, OU=*, CN=*"
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
index a408b734e..7aef92f39 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 2 
+      imv = 2
+    }
+  }
   plugins {
     eap-ttls {
       request_peer_auth = yes
@@ -13,3 +26,7 @@ charon {
     }
   }
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..99ef2c98c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,50 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat
index 1865a1c60..770cf6ede 100644
--- a/testing/tests/tnc/tnccs-20-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat
index 85622034d..709a7714b 100644
--- a/testing/tests/tnc/tnccs-20-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat
@@ -4,10 +4,10 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-tls/test.conf b/testing/tests/tnc/tnccs-20-tls/test.conf
index a8a05af19..f6db73912 100644
--- a/testing/tests/tnc/tnccs-20-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-tls/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20/evaltest.dat b/testing/tests/tnc/tnccs-20/evaltest.dat
index c69940c4b..b94dc5e2c 100644
--- a/testing/tests/tnc/tnccs-20/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20/evaltest.dat
@@ -1,19 +1,18 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e2bf349d9..000000000
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
index c1693c156..887806475 100644
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,27 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
 
   multiple_authentication = no
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
+}
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 77446cbae..000000000
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
index d8026b2dc..e78272b43 100644
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     tnc-imc {
       preferred_language = ru, pl  , de
@@ -12,6 +25,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e21ef0d14..000000000
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
index 9c13fcb67..165c5ccb9 100644
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,23 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
 
   multiple_authentication = no
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -14,6 +27,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imv-test {
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20/posttest.dat b/testing/tests/tnc/tnccs-20/posttest.dat
index 1865a1c60..770cf6ede 100644
--- a/testing/tests/tnc/tnccs-20/posttest.dat
+++ b/testing/tests/tnc/tnccs-20/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat
index 85622034d..c8ab14343 100644
--- a/testing/tests/tnc/tnccs-20/pretest.dat
+++ b/testing/tests/tnc/tnccs-20/pretest.dat
@@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20/test.conf b/testing/tests/tnc/tnccs-20/test.conf
index a8a05af19..f6db73912 100644
--- a/testing/tests/tnc/tnccs-20/test.conf
+++ b/testing/tests/tnc/tnccs-20/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-dynamic/evaltest.dat b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
index 3d0c55449..2bb125430 100644
--- a/testing/tests/tnc/tnccs-dynamic/evaltest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
@@ -1,11 +1,9 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
 moon:: cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
 moon:: cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
 moon:: cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES
@@ -18,10 +16,11 @@ moon:: cat /var/log/daemon.log::final recommendation is 'isolate' and evaluation
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw  2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw  2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index e2bf349d9..000000000
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
index a81460b95..609852bc7 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 
   multiple_authentication=no
   integrity_test = yes
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-1.1
@@ -13,6 +26,10 @@ charon {
   }
 }
 
+ilibtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..0f266dd93
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 77446cbae..000000000
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imc 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftauth=eap
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightauth=any
-	rightsendcert=never
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
index b64aeeb93..2c0deca5e 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 
   multiple_authentication=no
   integrity_test = yes
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imc = 3
+    }
+  }
   plugins {
     eap-tnc {
       protocol = tnccs-2.0
@@ -13,6 +26,10 @@ charon {
   }
 }
 
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
 libimcv {
   plugins {
     imc-test {
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..989ab88c7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.200
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = eap-ttls
+         id = dave@strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index e21ef0d14..000000000
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	charondebug="tnc 3, imv 3"
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-
-conn rw-allow
-	rightgroups=allow
-	leftsubnet=10.1.0.0/28
-	also=rw-eap
-	auto=add
-
-conn rw-isolate
-	rightgroups=isolate
-	leftsubnet=10.1.0.16/28
-	also=rw-eap
-	auto=add
-
-conn rw-eap
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftauth=eap-ttls
-	leftfirewall=yes
-	rightauth=eap-ttls
-	rightid=*@strongswan.org
-	rightsendcert=never
-	right=%any
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
index 45c132fe8..d61bcd111 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,24 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
 
   multiple_authentication=no
   integrity_test = yes
 
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tnc = 3
+      imv = 3
+    }
+  }
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -18,3 +31,8 @@ charon {
     }
   }
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..1238c1a91
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,64 @@
+connections {
+
+   rw-allow {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = allow
+      }
+      children {
+         rw-allow {
+            local_ts = 10.1.0.0/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+
+   rw-isolate {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = eap-ttls
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = eap-ttls
+         id = *@strongswan.org
+         groups = isolate
+      }
+      children {
+         rw-isolate {
+            local_ts = 10.1.0.16/28
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm16-modp3072
+         }
+      }
+      version = 2
+      send_certreq = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   eap-carol {
+      id = carol@strongswan.org
+      secret = "Ar3etTnp"
+   }
+   eap-dave {
+      id = dave@strongswan.org
+      secret = "W7R0g3do"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-dynamic/posttest.dat b/testing/tests/tnc/tnccs-dynamic/posttest.dat
index 1865a1c60..770cf6ede 100644
--- a/testing/tests/tnc/tnccs-dynamic/posttest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat
index 927b89d06..c8ab14343 100644
--- a/testing/tests/tnc/tnccs-dynamic/pretest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat
@@ -4,10 +4,14 @@ dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::LEAK_DETECTIVE_DISABLE=1 ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
 carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
 dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-dynamic/test.conf b/testing/tests/tnc/tnccs-dynamic/test.conf
index a8a05af19..f6db73912 100644
--- a/testing/tests/tnc/tnccs-dynamic/test.conf
+++ b/testing/tests/tnc/tnccs-dynamic/test.conf
@@ -24,3 +24,6 @@ IPSECHOSTS="moon carol dave"
 #
 RADIUSHOSTS=
 
+# charon controlled by swanctl
+#
+SWANCTL=1
author	Yves-Alexis Perez <corsac@debian.org>	2016-03-24 11:59:32 +0100
committer	Yves-Alexis Perez <corsac@debian.org>	2016-03-24 11:59:32 +0100
commit	518dd33c94e041db0444c7d1f33da363bb8e3faf (patch)
tree	e8d1665ffadff7ec40228dda47e81f8f4691cd07
parent	f42f239a632306ed082f6fde878977248eea85cf (diff)
download	vyos-strongswan-518dd33c94e041db0444c7d1f33da363bb8e3faf.tar.gz vyos-strongswan-518dd33c94e041db0444c7d1f33da363bb8e3faf.zip