- Updated to new upstream release.

455 files changed, 9432 insertions, 5403 deletions

diff --git a/Makefile.in b/Makefile.in
index 3b2ba98c1..8788825bb 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -129,6 +129,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/NEWS b/NEWS
index 9c64e6001..8ed4fbda4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,55 @@
+strongswan-4.1.4
+----------------
+
+- The pluto IKEv1 daemon now exhibits the same behaviour as its
+  IKEv2 companion charon by inserting an explicit route via the
+  _updown script only if a sourceip exists. This is admissible
+  since routing through the IPsec tunnel is handled automatically
+  by NETKEY's IPsec policies. As a consequence the left|rightnexthop
+  parameter is not required any more.
+
+- The new IKEv1 parameter right|leftallowany parameters helps to handle
+  the case where both peers possess dynamic IP addresses that are
+  usually resolved using DynDNS or a similar service. The configuration
+
+    right=peer.foo.bar
+    rightallowany=yes
+
+  can be used by the initiator to start up a connection to a peer
+  by resolving peer.foo.bar into the currently allocated IP address.
+  Thanks to the rightallowany flag the connection behaves later on
+  as
+
+   right=%any
+
+  so that the peer can rekey the connection as an initiator when his
+  IP address changes. An alternative notation is
+
+    right=%peer.foo.bar
+
+  which will implicitly set rightallowany=yes.
+
+- ipsec starter now fails more gracefully in the presence of parsing
+  errors. Flawed ca and conn section are discarded and pluto is started
+  if non-fatal errors only were encountered. If right=%peer.foo.bar
+  cannot be resolved by DNS then right=%any will be used so that passive
+  connections as a responder are still possible.
+
+- The new pkcs11initargs parameter that can be placed in the
+  setup config section of /etc/ipsec.conf allows the definition
+  of an argument string that is used with the PKCS#11 C_Initialize()
+  function. This non-standard feature is required by the NSS softoken
+  library. This patch was contributed by Robert Varga.
+	
+- Fixed a bug in ipsec starter introduced by strongswan-2.8.5
+  which caused a segmentation fault in the presence of unknown
+  or misspelt keywords in ipsec.conf. This bug fix was contributed
+  by Robert Varga.
+
+- Partial support for MOBIKE in IKEv2. The initiator acts on interface/
+  address configuration changes and updates IKE and IPsec SAs dynamically.
+
+
 strongswan-4.1.3
 ----------------
 
diff --git a/TODO b/TODO
index 03b4827e6..efdd125f5 100644
--- a/TODO
+++ b/TODO
@@ -10,20 +10,14 @@ gain hassle-free configuration, version negotiation and maintainability.
 Roadmap 2007
 ============
 
- Apr  !   - credentials backend redesign
-      !   - interface in charon for the XML based SMP management interface
-      !
- May  !   - SMP configuration client
+ Jul  !   - reimplement IKEv2 p2p NATT support
       !   - release IKEv2 p2p NATT draft 00
-      !   - reimplement IKEv2 p2p NATT support
-      !
- Jun  !   - start with IKEv1 migration strategy
-      !
- Jul  !
+      !   - interface in charon for the XML based SMP management interface
+      !   - SMP configuration client
       !
- Aug  !
+ Aug  !   - modular cerendtial backends
       !
- Sep  !
+ Sep  !   - Start IKEv1 implementation in charon
       !
  Oct  !
       !
@@ -39,6 +33,10 @@ TODO-List
 A set of TODOs. This is only a list of things I write down to not forget them.
 Watch out for TODOs in the code.
 
+Build options
+-------------
+- Allow static build using libtool dlopen wrapper
+
 Certificate support
 -------------------
 - New trustchain mechanism?
@@ -51,9 +49,9 @@ Stroke interface
 ----------------
 - add a Rekey-Counter for SAs in "statusall"
 - ipsec statusall bytecount
-- proper handling of CTRL+C console detach (SIG_PIPE)
 
 Misc
 ----
 - Address pool/backend for virtual IP assignement
 - fix iterator->insert_before/after
+- split up kernel interface into:  ipsec, routing, interfaces
diff --git a/aclocal.m4 b/aclocal.m4
index de1bcc519..51169d42c 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -13,7 +13,7 @@
 
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
 
-# serial 48 AC_PROG_LIBTOOL
+# serial 50 AC_PROG_LIBTOOL
 
 
 # AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
@@ -246,7 +246,7 @@ if test "x$ltmain" = "x" ; then
 *** \$ltmain is not defined, please check the patch for consistency! ***
 ])
 fi
-gentoo_lt_version="1.5.22"
+gentoo_lt_version="1.5.23b"
 gentoo_ltmain_version=`sed -n '/^[[ 	]]*VERSION=/{s/^[[ 	]]*VERSION=//;p;q;}' "$ltmain"`
 if test "x$gentoo_lt_version" != "x$gentoo_ltmain_version" ; then
   AC_MSG_RESULT(no)
@@ -306,8 +306,9 @@ cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 # Check for compiler boilerplate output or warnings with
 # the simple compiler test code.
 AC_DEFUN([_LT_COMPILER_BOILERPLATE],
-[ac_outfile=conftest.$ac_objext
-printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
 eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_compiler_boilerplate=`cat conftest.err`
 $rm conftest*
@@ -319,8 +320,9 @@ $rm conftest*
 # Check for linker boilerplate output or warnings with
 # the simple link test code.
 AC_DEFUN([_LT_LINKER_BOILERPLATE],
-[ac_outfile=conftest.$ac_objext
-printf "$lt_simple_link_test_code" >conftest.$ac_ext
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
 eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_linker_boilerplate=`cat conftest.err`
 $rm conftest*
@@ -336,12 +338,20 @@ $rm conftest*
 # If we don't find anything, use the default library path according
 # to the aix ld manual.
 AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX],
-[AC_LINK_IFELSE(AC_LANG_PROGRAM,[
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_LINK_IFELSE(AC_LANG_PROGRAM,[
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 # Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`; fi],[])
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi],[])
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 ])# _LT_AC_SYS_LIBPATH_AIX
 
@@ -572,13 +582,17 @@ ia64-*-hpux*)
   rm -rf conftest*
   ;;
 
-x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
+x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
+s390*-*linux*|sparc*-*linux*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
     case `/usr/bin/file conftest.o` in
     *32-bit*)
       case $host in
+        x86_64-*kfreebsd*-gnu)
+          LD="${LD-ld} -m elf_i386_fbsd"
+          ;;
         x86_64-*linux*)
           LD="${LD-ld} -m elf_i386"
           ;;
@@ -595,6 +609,9 @@ x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
       ;;
     *64-bit*)
       case $host in
+        x86_64-*kfreebsd*-gnu)
+          LD="${LD-ld} -m elf_x86_64_fbsd"
+          ;;
         x86_64-*linux*)
           LD="${LD-ld} -m elf_x86_64"
           ;;
@@ -666,7 +683,7 @@ AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION],
 AC_CACHE_CHECK([$1], [$2],
   [$2=no
   ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
    lt_compiler_flag="$3"
    # Insert the option either (1) after the last *FLAGS variable, or
    # (2) before a word containing "conftest.", or (3) at the end.
@@ -707,11 +724,12 @@ fi
 # ------------------------------------------------------------
 # Check whether the given compiler option works
 AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
-[AC_CACHE_CHECK([$1], [$2],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_CACHE_CHECK([$1], [$2],
   [$2=no
    save_LDFLAGS="$LDFLAGS"
    LDFLAGS="$LDFLAGS $3"
-   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
    if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
      # The linker can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -1069,7 +1087,8 @@ fi
 # ---------------------------------
 # Check to see if options -c and -o are simultaneously supported by compiler
 AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O],
-[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
 AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
   [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
   [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
@@ -1077,7 +1096,7 @@ AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
    mkdir conftest
    cd conftest
    mkdir out
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
    lt_compiler_flag="-o out/conftest2.$ac_objext"
    # Insert the option either (1) after the last *FLAGS variable, or
@@ -1217,6 +1236,7 @@ else
    darwin*)
        if test -n "$STRIP" ; then
          striplib="$STRIP -x"
+         old_striplib="$STRIP -S"
          AC_MSG_RESULT([yes])
        else
   AC_MSG_RESULT([no])
@@ -1234,7 +1254,8 @@ fi
 # -----------------------------
 # PORTME Fill in your ld.so characteristics
 AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
-[AC_MSG_CHECKING([dynamic linker characteristics])
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_MSG_CHECKING([dynamic linker characteristics])
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
@@ -1248,20 +1269,58 @@ shlibpath_overrides_runpath=unknown
 version_type=none
 dynamic_linker="$host_os ld.so"
 sys_lib_dlsearch_path_spec="/lib /usr/lib"
+m4_if($1,[],[
 if test "$GCC" = yes; then
-  sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+  case $host_os in
+    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
+    *) lt_awk_arg="/^libraries:/" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+  if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then
     # if the path contains ";" then we assume it to be the separator
     # otherwise default to the standard path separator (i.e. ":") - it is
     # assumed that no part of a normal pathname contains ";" but that should
     # okay in the real world where ";" in dirpaths is itself problematic.
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'`
   else
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
   fi
+  # Ok, now we have the path, separated by spaces, we can step through it
+  # and add multilib dir if necessary.
+  lt_tmp_lt_search_path_spec=
+  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
+  for lt_sys_path in $lt_search_path_spec; do
+    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
+      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
+    else
+      test -d "$lt_sys_path" && \
+	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
+    fi
+  done
+  lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk '
+BEGIN {RS=" "; FS="/|\n";} {
+  lt_foo="";
+  lt_count=0;
+  for (lt_i = NF; lt_i > 0; lt_i--) {
+    if ($lt_i != "" && $lt_i != ".") {
+      if ($lt_i == "..") {
+        lt_count++;
+      } else {
+        if (lt_count == 0) {
+          lt_foo="/" $lt_i lt_foo;
+        } else {
+          lt_count--;
+        }
+      }
+    }
+  }
+  if (lt_foo != "") { lt_freq[[lt_foo]]++; }
+  if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
+}'`
+  sys_lib_search_path_spec=`echo $lt_search_path_spec`
 else
   sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
+fi])
 need_lib_prefix=unknown
 hardcode_into_libs=no
 
@@ -1399,30 +1458,6 @@ cygwin* | mingw* | pw32*)
     esac
     ;;
 
-  linux*)
-    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
-      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      supports_anon_versioning=no
-      case `$LD -v 2>/dev/null` in
-        *\ [01].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
-        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-        *\ 2.11.*) ;; # other 2.11 versions
-        *) supports_anon_versioning=yes ;;
-      esac
-      if test $supports_anon_versioning = yes; then
-        archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
-        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-      else
-        $archive_expsym_cmds="$archive_cmds"
-      fi
-    else
-      ld_shlibs=no
-    fi
-    ;;
-
   *)
     library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
     ;;
@@ -1442,12 +1477,8 @@ darwin* | rhapsody*)
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
   shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-  # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
-  if test "$GCC" = yes; then
-    sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
-  else
-    sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
-  fi
+  m4_if([$1], [],[
+  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) 
   sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
   ;;
 
@@ -1464,18 +1495,6 @@ freebsd1*)
   dynamic_linker=no
   ;;
 
-kfreebsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -1526,7 +1545,7 @@ freebsd* | dragonfly*)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
-  freebsd*) # from 4.6 on
+  *) # from 4.6 on, and DragonFly
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
@@ -1644,7 +1663,7 @@ linux*oldld* | linux*aout* | linux*coff*)
   ;;
 
 # This must be Linux ELF.
-linux*)
+linux* | k*bsd*-gnu)
   version_type=linux
   need_lib_prefix=no
   need_version=no
@@ -1660,7 +1679,7 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -1673,18 +1692,6 @@ linux*)
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
-knetbsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -1766,6 +1773,10 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
+rdos*)
+  dynamic_linker=no
+  ;;
+
 solaris*)
   version_type=linux
   need_lib_prefix=no
@@ -1871,7 +1882,8 @@ fi
 # _LT_AC_TAGCONFIG
 # ----------------
 AC_DEFUN([_LT_AC_TAGCONFIG],
-[AC_ARG_WITH([tags],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_ARG_WITH([tags],
     [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@],
         [include additional configurations @<:@automatic@:>@])],
     [tagnames="$withval"])
@@ -2132,7 +2144,7 @@ m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP],
 
 # AC_PATH_TOOL_PREFIX
 # -------------------
-# find a file program which can recognise shared library
+# find a file program which can recognize shared library
 AC_DEFUN([AC_PATH_TOOL_PREFIX],
 [AC_REQUIRE([AC_PROG_EGREP])dnl
 AC_MSG_CHECKING([for $1])
@@ -2195,7 +2207,7 @@ fi
 
 # AC_PATH_MAGIC
 # -------------
-# find a file program which can recognise a shared library
+# find a file program which can recognize a shared library
 AC_DEFUN([AC_PATH_MAGIC],
 [AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
 if test -z "$lt_cv_path_MAGIC_CMD"; then
@@ -2342,7 +2354,7 @@ esac
 # how to check for library dependencies
 #  -- PORTME fill in with the dynamic library characteristics
 AC_DEFUN([AC_DEPLIBS_CHECK_METHOD],
-[AC_CACHE_CHECK([how to recognise dependent libraries],
+[AC_CACHE_CHECK([how to recognize dependent libraries],
 lt_cv_deplibs_check_method,
 [lt_cv_file_magic_cmd='$MAGIC_CMD'
 lt_cv_file_magic_test_file=
@@ -2381,16 +2393,22 @@ cygwin*)
 
 mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump'.
-  lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
-  lt_cv_file_magic_cmd='$OBJDUMP -f'
+  # func_win32_libid shell function, so use a weaker test based on 'objdump',
+  # unless we find 'file', for example because we are cross-compiling.
+  if ( file / ) >/dev/null 2>&1; then
+    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+    lt_cv_file_magic_cmd='func_win32_libid'
+  else
+    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    lt_cv_file_magic_cmd='$OBJDUMP -f'
+  fi
   ;;
 
 darwin* | rhapsody*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-freebsd* | kfreebsd*-gnu | dragonfly*)
+freebsd* | dragonfly*)
   if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
     case $host_cpu in
     i*86 )
@@ -2444,7 +2462,7 @@ irix5* | irix6* | nonstopux*)
   ;;
 
 # This must be Linux ELF.
-linux*)
+linux* | k*bsd*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -2478,6 +2496,10 @@ osf3* | osf4* | osf5*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
+rdos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
 solaris*)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -2530,7 +2552,7 @@ AC_DEFUN([AC_PROG_NM],
   lt_cv_path_NM="$NM"
 else
   lt_nm_to_check="${ac_tool_prefix}nm"
-  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then 
+  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
     lt_nm_to_check="$lt_nm_to_check nm"
   fi
   for lt_tmp_nm in $lt_nm_to_check; do
@@ -2746,10 +2768,10 @@ objext=o
 _LT_AC_TAGVAR(objext, $1)=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;\n"
+lt_simple_compile_test_code="int some_variable = 0;"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}\n'
+lt_simple_link_test_code='int main(){return(0);}'
 
 _LT_AC_SYS_COMPILER
 
@@ -2851,10 +2873,10 @@ objext=o
 _LT_AC_TAGVAR(objext, $1)=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;\n"
+lt_simple_compile_test_code="int some_variable = 0;"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }\n'
+lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }'
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
@@ -3000,7 +3022,7 @@ case $host_os in
 	   strings "$collect2name" | grep resolve_lib_name >/dev/null
 	then
 	  # We have reworked collect2
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	  :
 	else
 	  # We have old collect2
 	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
@@ -3196,7 +3218,7 @@ case $host_os in
   freebsd-elf*)
     _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
     ;;
-  freebsd* | kfreebsd*-gnu | dragonfly*)
+  freebsd* | dragonfly*)
     # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
     # conventions
     _LT_AC_TAGVAR(ld_shlibs, $1)=yes
@@ -3245,9 +3267,7 @@ case $host_os in
       _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
 
       case $host_cpu in
-      hppa*64*|ia64*)
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
-        ;;
+      hppa*64*|ia64*) ;;
       *)
 	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
         ;;
@@ -3355,7 +3375,7 @@ case $host_os in
     _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
     _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
     ;;
-  linux*)
+  linux* | k*bsd*-gnu)
     case $cc_basename in
       KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
@@ -3435,6 +3455,29 @@ case $host_os in
 	# dependencies.
 	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
 	;;
+      *)
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C++ 5.9
+	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+
+	  # Not sure whether something based on
+	  # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
+	  # would be better.
+	  output_verbose_link_cmd='echo'
+
+	  # Archives containing C++ object files must be created using
+	  # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	  # necessary to make sure instantiated templates are included
+	  # in the archive.
+	  _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	  ;;
+	esac
+	;;
     esac
     ;;
   lynxos*)
@@ -3644,15 +3687,10 @@ case $host_os in
 	case $host_os in
 	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
 	  *)
-	    # The C++ compiler is used as linker so we must use $wl
-	    # flag to pass the commands to the underlying system
-	    # linker. We must also pass each convience library through
-	    # to the system linker between allextract/defaultextract.
-	    # The C++ compiler will combine linker options so we
-	    # cannot just pass the convience library names through
-	    # without $wl.
+	    # The compiler driver will combine and reorder linker options,
+	    # but understands `-z linker_flag'.
 	    # Supported since Solaris 2.6 (maybe 2.5.1?)
-	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract'
+	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
 	    ;;
 	esac
 	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
@@ -3699,6 +3737,12 @@ case $host_os in
 	  fi
 
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
+	  case $host_os in
+	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+	  *)
+	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	    ;;
+	  esac
 	fi
 	;;
     esac
@@ -3950,13 +3994,46 @@ interix3*)
   _LT_AC_TAGVAR(postdeps,$1)=
   ;;
 
+linux*)
+  case `$CC -V 2>&1 | sed 5q` in
+  *Sun\ C*)
+    # Sun C++ 5.9
+    #
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+    if test "$solaris_use_stlport4" != yes; then
+      _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+
 solaris*)
   case $cc_basename in
   CC*)
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+
     # Adding this requires a known-good setup of shared libraries for
     # Sun compiler versions before 5.6, else PIC objects from an old
     # archive will be linked into the output, leading to subtle bugs.
-    _LT_AC_TAGVAR(postdeps,$1)='-lCstd -lCrun'
+    if test "$solaris_use_stlport4" != yes; then
+      _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
+    fi
     ;;
   esac
   ;;
@@ -4005,10 +4082,17 @@ objext=o
 _LT_AC_TAGVAR(objext, $1)=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="      subroutine t\n      return\n      end\n"
+lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code="      program t\n      end\n"
+lt_simple_link_test_code="\
+      program t
+      end
+"
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
@@ -4087,10 +4171,10 @@ objext=o
 _LT_AC_TAGVAR(objext, $1)=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}\n"
+lt_simple_compile_test_code="class foo {}"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }\n'
+lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }'
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
@@ -4143,7 +4227,7 @@ objext=o
 _LT_AC_TAGVAR(objext, $1)=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
 
 # Code to be used in simple link tests
 lt_simple_link_test_code="$lt_simple_compile_test_code"
@@ -4278,7 +4362,7 @@ ifelse([$1], [],
 # Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 #
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
 # Free Software Foundation, Inc.
 #
 # This file is part of GNU Libtool:
@@ -4686,6 +4770,7 @@ fi
 # ---------------------------------
 AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE],
 [AC_REQUIRE([AC_CANONICAL_HOST])
+AC_REQUIRE([LT_AC_PROG_SED])
 AC_REQUIRE([AC_PROG_NM])
 AC_REQUIRE([AC_OBJEXT])
 # Check for command to grab the raw symbol name followed by C symbol from nm.
@@ -4722,7 +4807,7 @@ hpux*) # Its linker distinguishes data from code symbols
   lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
   lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
   ;;
-linux*)
+linux* | k*bsd*-gnu)
   if test "$host_cpu" = ia64; then
     symcode='[[ABCDGIRSTW]]'
     lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
@@ -4912,12 +4997,14 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       # like `-m68040'.
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
       ;;
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
-    mingw* | os2* | pw32*)
+    mingw* | cygwin* | os2* | pw32*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
       ;;
     darwin* | rhapsody*)
@@ -4995,7 +5082,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    ;;
 	esac
 	;;
-      freebsd* | kfreebsd*-gnu | dragonfly*)
+      freebsd* | dragonfly*)
 	# FreeBSD uses GNU C++
 	;;
       hpux9* | hpux10* | hpux11*)
@@ -5038,7 +5125,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    ;;
 	esac
 	;;
-      linux*)
+      linux* | k*bsd*-gnu)
 	case $cc_basename in
 	  KCC*)
 	    # KAI C++ Compiler
@@ -5065,6 +5152,14 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
 	    ;;
 	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	      ;;
+	    esac
 	    ;;
 	esac
 	;;
@@ -5185,13 +5280,15 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
       ;;
 
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
 
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
       ;;
 
@@ -5259,7 +5356,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
        esac
        ;;
 
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
@@ -5292,7 +5389,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
       ;;
 
-    linux*)
+    linux* | k*bsd*-gnu)
       case $cc_basename in
       icc* | ecc*)
 	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
@@ -5311,6 +5408,22 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
         # All Alpha code is PIC.
         _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
         ;;
+      *)
+        case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=''
+	  ;;
+	esac
+	;;
       esac
       ;;
 
@@ -5320,6 +5433,10 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
       ;;
 
+    rdos*)
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+      ;;
+
     solaris*)
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
@@ -5414,7 +5531,8 @@ AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
 # ------------------------------------
 # See if the linker supports building shared libraries.
 AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS],
-[AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
 ifelse([$1],[CXX],[
   _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
   case $host_os in
@@ -5431,7 +5549,7 @@ ifelse([$1],[CXX],[
     _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
   ;;
   cygwin* | mingw*)
-    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]] /s/.* \([[^ ]]*\)/\1 DATA/;/^.* __nm__/s/^.* __nm__\([[^ ]]*\) [[^ ]]*/\1 DATA/;/^I /d;/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
   ;;
   *)
     _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
@@ -5570,7 +5688,7 @@ EOF
       _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
       _LT_AC_TAGVAR(always_export_symbols, $1)=no
       _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
         _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
@@ -5603,7 +5721,7 @@ EOF
       _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
       ;;
 
-    linux*)
+    gnu* | linux* | k*bsd*-gnu)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
 	tmp_addflag=
 	case $cc_basename,$host_cpu in
@@ -5621,13 +5739,22 @@ EOF
 	ifc* | ifort*)			# Intel Fortran compiler
 	  tmp_addflag=' -nofor_main' ;;
 	esac
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	*)
+	  tmp_sharedflag='-shared' ;;
+	esac
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 
 	if test $supports_anon_versioning = yes; then
 	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
   cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
   $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
 	fi
       else
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
@@ -5667,7 +5794,7 @@ EOF
 
     sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
       case `$LD -v 2>&1` in
-        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) 
+        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	cat <<_LT_EOF 1>&2
 
@@ -5786,7 +5913,7 @@ _LT_EOF
   	   strings "$collect2name" | grep resolve_lib_name >/dev/null
 	  then
   	  # We have reworked collect2
-  	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+  	  :
 	  else
   	  # We have old collect2
   	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
@@ -5879,7 +6006,7 @@ _LT_EOF
       # The linker will automatically build a .lib file if we build a DLL.
       _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
       # FIXME: Should let the user specify the lib program.
-      _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs'
+      _LT_AC_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
       _LT_AC_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
       _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
       ;;
@@ -5964,7 +6091,7 @@ _LT_EOF
       ;;
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | kfreebsd*-gnu | dragonfly*)
+    freebsd* | dragonfly*)
       _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
       _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
       _LT_AC_TAGVAR(hardcode_direct, $1)=yes
@@ -6162,17 +6289,16 @@ _LT_EOF
       case $host_os in
       solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
       *)
- 	# The compiler driver will combine linker options so we
- 	# cannot just pass the convience library names through
- 	# without $wl, iff we do not link with $LD.
- 	# Luckily, gcc supports the same syntax we need for Sun Studio.
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
  	# Supported since Solaris 2.6 (maybe 2.5.1?)
- 	case $wlarc in
- 	'')
- 	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;;
- 	*)
- 	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
- 	esac ;;
+	if test "$GCC" = yes; then
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+	fi
+	;;
       esac
       _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
       ;;
@@ -6229,7 +6355,7 @@ _LT_EOF
       fi
       ;;
 
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7*)
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
       _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
       _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
@@ -6304,7 +6430,7 @@ x|xyes)
       # to ld, don't add -lc before -lgcc.
       AC_MSG_CHECKING([whether -lc should be explicitly linked in])
       $rm conftest*
-      printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
         soname=conftest
@@ -6407,6 +6533,30 @@ AC_DEFUN([LT_AC_PROG_RC],
 [AC_CHECK_TOOL(RC, windres, no)
 ])
 
+
+# Cheap backport of AS_EXECUTABLE_P and required macros
+# from Autoconf 2.59; we should not use $as_executable_p directly.
+
+# _AS_TEST_PREPARE
+# ----------------
+m4_ifndef([_AS_TEST_PREPARE],
+[m4_defun([_AS_TEST_PREPARE],
+[if test -x / >/dev/null 2>&1; then
+  as_executable_p='test -x'
+else
+  as_executable_p='test -f'
+fi
+])])# _AS_TEST_PREPARE
+
+# AS_EXECUTABLE_P
+# ---------------
+# Check whether a file is executable.
+m4_ifndef([AS_EXECUTABLE_P],
+[m4_defun([AS_EXECUTABLE_P],
+[AS_REQUIRE([_AS_TEST_PREPARE])dnl
+$as_executable_p $1[]dnl
+])])# AS_EXECUTABLE_P
+
 # NOTE: This macro has been submitted for inclusion into   #
 #  GNU Autoconf as AC_PROG_SED.  When it is available in   #
 #  a released version of Autoconf we should remove this    #
@@ -6427,12 +6577,13 @@ do
   test -z "$as_dir" && as_dir=.
   for lt_ac_prog in sed gsed; do
     for ac_exec_ext in '' $ac_executable_extensions; do
-      if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+      if AS_EXECUTABLE_P(["$as_dir/$lt_ac_prog$ac_exec_ext"]); then
         lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
       fi
     done
   done
 done
+IFS=$as_save_IFS
 lt_ac_max=0
 lt_ac_count=0
 # Add /usr/xpg4/bin/sed as it is typically found on Solaris
@@ -6465,6 +6616,7 @@ for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
 done
 ])
 SED=$lt_cv_path_SED
+AC_SUBST([SED])
 AC_MSG_RESULT([$SED])
 ])
 
@@ -6606,7 +6758,8 @@ installed software in a non-standard prefix.
 
 _PKG_TEXT
 ])],
-		[$4])
+		[AC_MSG_RESULT([no])
+                $4])
 elif test $pkg_failed = untried; then
 	ifelse([$4], , [AC_MSG_FAILURE(dnl
 [The pkg-config script could not be found or is too old.  Make sure it
diff --git a/config.guess b/config.guess
index af7f02dc7..6960a397a 100755
--- a/config.guess
+++ b/config.guess
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
 #   Inc.
 
-timestamp='2006-07-02'
+timestamp='2007-01-15'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -178,6 +178,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	    arm*) machine=arm-unknown ;;
 	    sh3el) machine=shl-unknown ;;
 	    sh3eb) machine=sh-unknown ;;
+	    sh5el) machine=sh5le-unknown ;;
 	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
 	esac
 	# The Operating System including object format, if it has switched
@@ -797,7 +798,7 @@ EOF
     i*:CYGWIN*:*)
 	echo ${UNAME_MACHINE}-pc-cygwin
 	exit ;;
-    i*:MINGW*:*)
+    *:MINGW*:*)
 	echo ${UNAME_MACHINE}-pc-mingw32
 	exit ;;
     i*:windows32*:*)
@@ -810,7 +811,7 @@ EOF
     x86:Interix*:[3456]*)
 	echo i586-pc-interix${UNAME_RELEASE}
 	exit ;;
-    EM64T:Interix*:[3456]*)
+    EM64T:Interix*:[3456]* | authenticamd:Interix*:[3456]*)
 	echo x86_64-unknown-interix${UNAME_RELEASE}
 	exit ;;
     [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
@@ -967,6 +968,9 @@ EOF
     x86_64:Linux:*:*)
 	echo x86_64-unknown-linux-${LIBC}
 	exit ;;
+    xtensa:Linux:*:*)
+    	echo xtensa-unknown-linux-${LIBC}
+	exit ;;
     i*86:Linux:*:*)
 	# The BFD linker knows what the default object file format is, so
 	# first see if it will tell us. cd to the root directory to prevent
@@ -1227,6 +1231,15 @@ EOF
     SX-6:SUPER-UX:*:*)
 	echo sx6-nec-superux${UNAME_RELEASE}
 	exit ;;
+    SX-7:SUPER-UX:*:*)
+	echo sx7-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-8:SUPER-UX:*:*)
+	echo sx8-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-8R:SUPER-UX:*:*)
+	echo sx8r-nec-superux${UNAME_RELEASE}
+	exit ;;
     Power*:Rhapsody:*:*)
 	echo powerpc-apple-rhapsody${UNAME_RELEASE}
 	exit ;;
diff --git a/config.sub b/config.sub
index ae0b3ddff..2a4932e7f 100755
--- a/config.sub
+++ b/config.sub
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
 #   Inc.
 
-timestamp='2006-07-02'
+timestamp='2007-01-18'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -245,12 +245,12 @@ case $basic_machine in
 	| bfin \
 	| c4x | clipper \
 	| d10v | d30v | dlx | dsp16xx | dvp \
-	| fr30 | frv \
+	| fido | fr30 | frv \
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
 	| i370 | i860 | i960 | ia64 \
 	| ip2k | iq2000 \
 	| m32c | m32r | m32rle | m68000 | m68k | m88k \
-	| maxq | mb | microblaze | mcore \
+	| maxq | mb | microblaze | mcore | mep \
 	| mips | mipsbe | mipseb | mipsel | mipsle \
 	| mips16 \
 	| mips64 | mips64el \
@@ -276,6 +276,7 @@ case $basic_machine in
 	| pdp10 | pdp11 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
 	| pyramid \
+	| score \
 	| sh | sh[1234] | sh[24]a | sh[24]a*eb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
 	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
@@ -284,7 +285,7 @@ case $basic_machine in
 	| tahoe | thumb | tic4x | tic80 | tron \
 	| v850 | v850e \
 	| we32k \
-	| x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
 	| z8k)
 		basic_machine=$basic_machine-unknown
 		;;
@@ -323,7 +324,7 @@ case $basic_machine in
 	| clipper-* | craynv-* | cydra-* \
 	| d10v-* | d30v-* | dlx-* \
 	| elxsi-* \
-	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+	| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
 	| h8300-* | h8500-* \
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
 	| i*86-* | i860-* | i960-* | ia64-* \
@@ -367,7 +368,7 @@ case $basic_machine in
 	| tron-* \
 	| v850-* | v850e-* | vax-* \
 	| we32k-* \
-	| x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
 	| xstormy16-* | xtensa-* \
 	| ymp-* \
 	| z8k-*)
@@ -927,6 +928,10 @@ case $basic_machine in
 	sb1el)
 		basic_machine=mipsisa64sb1el-unknown
 		;;
+	sde)
+		basic_machine=mipsisa32-sde
+		os=-elf
+		;;
 	sei)
 		basic_machine=mips-sei
 		os=-seiux
@@ -938,6 +943,9 @@ case $basic_machine in
 		basic_machine=sh-hitachi
 		os=-hms
 		;;
+	sh5el)
+		basic_machine=sh5le-unknown
+		;;
 	sh64)
 		basic_machine=sh64-unknown
 		;;
@@ -1232,7 +1240,7 @@ case $os in
 	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
 	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
 	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
-	      | -skyos* | -haiku* | -rdos* | -toppers* | -irx*)
+	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -irx*)
 	# Remember, each alternative MUST END IN *, to match a version number.
 		;;
 	-qnx*)
@@ -1384,6 +1392,9 @@ else
 # system, and we'll never get to this point.
 
 case $basic_machine in
+        score-*)
+		os=-elf
+		;;
         spu-*)
 		os=-elf
 		;;
@@ -1424,6 +1435,9 @@ case $basic_machine in
 	m68*-cisco)
 		os=-aout
 		;;
+        mep-*)
+		os=-elf
+		;;
 	mips*-cisco)
 		os=-elf
 		;;
diff --git a/configure b/configure
index 867338ff0..c79322bc3 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for strongSwan 4.1.3.
+# Generated by GNU Autoconf 2.61 for strongSwan 4.1.4.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
 # 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
@@ -726,8 +726,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.1.3'
-PACKAGE_STRING='strongSwan 4.1.3'
+PACKAGE_VERSION='4.1.4'
+PACKAGE_STRING='strongSwan 4.1.4'
 PACKAGE_BUGREPORT=''
 
 # Factoring default headers for most tests.
@@ -881,6 +881,7 @@ host
 host_cpu
 host_vendor
 host_os
+SED
 LN_S
 ECHO
 AR
@@ -1435,7 +1436,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.1.3 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.1.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1505,7 +1506,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.1.3:";;
+     short | recursive ) echo "Configuration of strongSwan 4.1.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1666,7 +1667,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.1.3
+strongSwan configure 4.1.4
 generated by GNU Autoconf 2.61
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1680,7 +1681,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.1.3, which was
+It was created by strongSwan $as_me 4.1.4, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
@@ -2350,7 +2351,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.1.3'
+ VERSION='4.1.4'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -5205,12 +5206,13 @@ do
   test -z "$as_dir" && as_dir=.
   for lt_ac_prog in sed gsed; do
     for ac_exec_ext in '' $ac_executable_extensions; do
-      if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+      if { test -f "$as_dir/$lt_ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$lt_ac_prog$ac_exec_ext"; }; then
         lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
       fi
     done
   done
 done
+IFS=$as_save_IFS
 lt_ac_max=0
 lt_ac_count=0
 # Add /usr/xpg4/bin/sed as it is typically found on Solaris
@@ -5245,6 +5247,7 @@ done
 fi
 
 SED=$lt_cv_path_SED
+
 { echo "$as_me:$LINENO: result: $SED" >&5
 echo "${ECHO_T}$SED" >&6; }
 
@@ -5444,8 +5447,8 @@ else
 echo "${ECHO_T}no, using $LN_S" >&6; }
 fi
 
-{ echo "$as_me:$LINENO: checking how to recognise dependent libraries" >&5
-echo $ECHO_N "checking how to recognise dependent libraries... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5
+echo $ECHO_N "checking how to recognize dependent libraries... $ECHO_C" >&6; }
 if test "${lt_cv_deplibs_check_method+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -5486,16 +5489,22 @@ cygwin*)
 
 mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump'.
-  lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
-  lt_cv_file_magic_cmd='$OBJDUMP -f'
+  # func_win32_libid shell function, so use a weaker test based on 'objdump',
+  # unless we find 'file', for example because we are cross-compiling.
+  if ( file / ) >/dev/null 2>&1; then
+    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+    lt_cv_file_magic_cmd='func_win32_libid'
+  else
+    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    lt_cv_file_magic_cmd='$OBJDUMP -f'
+  fi
   ;;
 
 darwin* | rhapsody*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-freebsd* | kfreebsd*-gnu | dragonfly*)
+freebsd* | dragonfly*)
   if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
     case $host_cpu in
     i*86 )
@@ -5549,7 +5558,7 @@ irix5* | irix6* | nonstopux*)
   ;;
 
 # This must be Linux ELF.
-linux*)
+linux* | k*bsd*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -5583,6 +5592,10 @@ osf3* | osf4* | osf5*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
+rdos*)
+  lt_cv_deplibs_check_method=pass_all
+  ;;
+
 solaris*)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -5669,7 +5682,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 5672 "configure"' > conftest.$ac_ext
+  echo '#line 5685 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -5704,7 +5717,8 @@ ia64-*-hpux*)
   rm -rf conftest*
   ;;
 
-x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
+x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
+s390*-*linux*|sparc*-*linux*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
@@ -5715,6 +5729,9 @@ x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
     case `/usr/bin/file conftest.o` in
     *32-bit*)
       case $host in
+        x86_64-*kfreebsd*-gnu)
+          LD="${LD-ld} -m elf_i386_fbsd"
+          ;;
         x86_64-*linux*)
           LD="${LD-ld} -m elf_i386"
           ;;
@@ -5731,6 +5748,9 @@ x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
       ;;
     *64-bit*)
       case $host in
+        x86_64-*kfreebsd*-gnu)
+          LD="${LD-ld} -m elf_x86_64_fbsd"
+          ;;
         x86_64-*linux*)
           LD="${LD-ld} -m elf_x86_64"
           ;;
@@ -7079,6 +7099,7 @@ fi
 
 
 
+
 # Check for command to grab the raw symbol name followed by C symbol from nm.
 { echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
 echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6; }
@@ -7116,7 +7137,7 @@ hpux*) # Its linker distinguishes data from code symbols
   lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
   lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
   ;;
-linux*)
+linux* | k*bsd*-gnu)
   if test "$host_cpu" = ia64; then
     symcode='[ABCDGIRSTW]'
     lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
@@ -7872,7 +7893,7 @@ echo "$as_me: error:
 " >&2;}
    { (exit 1); exit 1; }; }
 fi
-gentoo_lt_version="1.5.22"
+gentoo_lt_version="1.5.23b"
 gentoo_ltmain_version=`sed -n '/^[ 	]*VERSION=/{s/^[ 	]*VERSION=//;p;q;}' "$ltmain"`
 if test "x$gentoo_lt_version" != "x$gentoo_ltmain_version" ; then
   { echo "$as_me:$LINENO: result: no" >&5
@@ -7928,10 +7949,10 @@ objext=o
 objext=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;\n"
+lt_simple_compile_test_code="int some_variable = 0;"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}\n'
+lt_simple_link_test_code='int main(){return(0);}'
 
 
 # If no C compiler was specified, use CC.
@@ -7946,13 +7967,13 @@ compiler=$CC
 
 # save warnings/boilerplate of simple test code
 ac_outfile=conftest.$ac_objext
-printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
 eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_compiler_boilerplate=`cat conftest.err`
 $rm conftest*
 
 ac_outfile=conftest.$ac_objext
-printf "$lt_simple_link_test_code" >conftest.$ac_ext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
 eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_linker_boilerplate=`cat conftest.err`
 $rm conftest*
@@ -7972,7 +7993,7 @@ if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
 else
   lt_cv_prog_compiler_rtti_exceptions=no
   ac_outfile=conftest.$ac_objext
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
    lt_compiler_flag="-fno-rtti -fno-exceptions"
    # Insert the option either (1) after the last *FLAGS variable, or
    # (2) before a word containing "conftest.", or (3) at the end.
@@ -7983,11 +8004,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7986: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8007: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7990: \$? = $ac_status" >&5
+   echo "$as_me:8011: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -8038,13 +8059,15 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4'
       ;;
 
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
 
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
       lt_prog_compiler_pic='-DDLL_EXPORT'
       ;;
 
@@ -8112,7 +8135,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
        esac
        ;;
 
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       lt_prog_compiler_pic='-DDLL_EXPORT'
@@ -8145,7 +8168,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       lt_prog_compiler_static='-Bstatic'
       ;;
 
-    linux*)
+    linux* | k*bsd*-gnu)
       case $cc_basename in
       icc* | ecc*)
 	lt_prog_compiler_wl='-Wl,'
@@ -8164,6 +8187,22 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
         # All Alpha code is PIC.
         lt_prog_compiler_static='-non_shared'
         ;;
+      *)
+        case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl=''
+	  ;;
+	esac
+	;;
       esac
       ;;
 
@@ -8173,6 +8212,10 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       lt_prog_compiler_static='-non_shared'
       ;;
 
+    rdos*)
+      lt_prog_compiler_static='-non_shared'
+      ;;
+
     solaris*)
       lt_prog_compiler_pic='-KPIC'
       lt_prog_compiler_static='-Bstatic'
@@ -8240,7 +8283,7 @@ if test "${lt_prog_compiler_pic_works+set}" = set; then
 else
   lt_prog_compiler_pic_works=no
   ac_outfile=conftest.$ac_objext
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
    lt_compiler_flag="$lt_prog_compiler_pic -DPIC"
    # Insert the option either (1) after the last *FLAGS variable, or
    # (2) before a word containing "conftest.", or (3) at the end.
@@ -8251,11 +8294,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8254: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8297: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8258: \$? = $ac_status" >&5
+   echo "$as_me:8301: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -8304,7 +8347,7 @@ else
   lt_prog_compiler_static_works=no
    save_LDFLAGS="$LDFLAGS"
    LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
    if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
      # The linker can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -8344,7 +8387,7 @@ else
    mkdir conftest
    cd conftest
    mkdir out
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
    lt_compiler_flag="-o out/conftest2.$ac_objext"
    # Insert the option either (1) after the last *FLAGS variable, or
@@ -8355,11 +8398,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8358: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8401: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:8362: \$? = $ac_status" >&5
+   echo "$as_me:8405: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -8551,7 +8594,7 @@ EOF
       allow_undefined_flag=unsupported
       always_export_symbols=no
       enable_shared_with_static_runtimes=yes
-      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+      export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
         archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
@@ -8584,7 +8627,7 @@ EOF
       archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
       ;;
 
-    linux*)
+    gnu* | linux* | k*bsd*-gnu)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
 	tmp_addflag=
 	case $cc_basename,$host_cpu in
@@ -8602,13 +8645,22 @@ EOF
 	ifc* | ifort*)			# Intel Fortran compiler
 	  tmp_addflag=' -nofor_main' ;;
 	esac
-	archive_cmds='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	*)
+	  tmp_sharedflag='-shared' ;;
+	esac
+	archive_cmds='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 
 	if test $supports_anon_versioning = yes; then
 	  archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
   cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
   $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
 	fi
       else
 	ld_shlibs=no
@@ -8767,7 +8819,7 @@ _LT_EOF
   	   strings "$collect2name" | grep resolve_lib_name >/dev/null
 	  then
   	  # We have reworked collect2
-  	  hardcode_direct=yes
+  	  :
 	  else
   	  # We have old collect2
   	  hardcode_direct=unsupported
@@ -8841,11 +8893,18 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
 
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 # Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`; fi
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -8900,11 +8959,18 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
 
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 # Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`; fi
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -8958,7 +9024,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # The linker will automatically build a .lib file if we build a DLL.
       old_archive_From_new_cmds='true'
       # FIXME: Should let the user specify the lib program.
-      old_archive_cmds='lib /OUT:$oldlib$oldobjs$old_deplibs'
+      old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs'
       fix_srcfile_path='`cygpath -w "$srcfile"`'
       enable_shared_with_static_runtimes=yes
       ;;
@@ -9043,7 +9109,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | kfreebsd*-gnu | dragonfly*)
+    freebsd* | dragonfly*)
       archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
       hardcode_libdir_flag_spec='-R$libdir'
       hardcode_direct=yes
@@ -9241,17 +9307,16 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       case $host_os in
       solaris2.[0-5] | solaris2.[0-5].*) ;;
       *)
- 	# The compiler driver will combine linker options so we
- 	# cannot just pass the convience library names through
- 	# without $wl, iff we do not link with $LD.
- 	# Luckily, gcc supports the same syntax we need for Sun Studio.
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
  	# Supported since Solaris 2.6 (maybe 2.5.1?)
- 	case $wlarc in
- 	'')
- 	  whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;;
- 	*)
- 	  whole_archive_flag_spec='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
- 	esac ;;
+	if test "$GCC" = yes; then
+	  whole_archive_flag_spec='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  whole_archive_flag_spec='-z allextract$convenience -z defaultextract'
+	fi
+	;;
       esac
       link_all_deplibs=yes
       ;;
@@ -9308,7 +9373,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       fi
       ;;
 
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
       no_undefined_flag='${wl}-z,text'
       archive_cmds_need_lc=no
       hardcode_shlibpath_var=no
@@ -9385,7 +9450,7 @@ x|xyes)
       { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
 echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
-      printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
@@ -9443,17 +9508,55 @@ shlibpath_overrides_runpath=unknown
 version_type=none
 dynamic_linker="$host_os ld.so"
 sys_lib_dlsearch_path_spec="/lib /usr/lib"
+
 if test "$GCC" = yes; then
-  sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+  case $host_os in
+    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
+    *) lt_awk_arg="/^libraries:/" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+  if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then
     # if the path contains ";" then we assume it to be the separator
     # otherwise default to the standard path separator (i.e. ":") - it is
     # assumed that no part of a normal pathname contains ";" but that should
     # okay in the real world where ";" in dirpaths is itself problematic.
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'`
   else
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
   fi
+  # Ok, now we have the path, separated by spaces, we can step through it
+  # and add multilib dir if necessary.
+  lt_tmp_lt_search_path_spec=
+  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
+  for lt_sys_path in $lt_search_path_spec; do
+    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
+      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
+    else
+      test -d "$lt_sys_path" && \
+	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
+    fi
+  done
+  lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk '
+BEGIN {RS=" "; FS="/|\n";} {
+  lt_foo="";
+  lt_count=0;
+  for (lt_i = NF; lt_i > 0; lt_i--) {
+    if ($lt_i != "" && $lt_i != ".") {
+      if ($lt_i == "..") {
+        lt_count++;
+      } else {
+        if (lt_count == 0) {
+          lt_foo="/" $lt_i lt_foo;
+        } else {
+          lt_count--;
+        }
+      }
+    }
+  }
+  if (lt_foo != "") { lt_freq[lt_foo]++; }
+  if (lt_freq[lt_foo] == 1) { print lt_foo; }
+}'`
+  sys_lib_search_path_spec=`echo $lt_search_path_spec`
 else
   sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
 fi
@@ -9594,30 +9697,6 @@ cygwin* | mingw* | pw32*)
     esac
     ;;
 
-  linux*)
-    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
-      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      supports_anon_versioning=no
-      case `$LD -v 2>/dev/null` in
-        *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-        *\ 2.11.*) ;; # other 2.11 versions
-        *) supports_anon_versioning=yes ;;
-      esac
-      if test $supports_anon_versioning = yes; then
-        archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
-        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-      else
-        $archive_expsym_cmds="$archive_cmds"
-      fi
-    else
-      ld_shlibs=no
-    fi
-    ;;
-
   *)
     library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
     ;;
@@ -9637,12 +9716,8 @@ darwin* | rhapsody*)
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
   shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-  # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
-  if test "$GCC" = yes; then
-    sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
-  else
-    sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
-  fi
+
+  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"
   sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
   ;;
 
@@ -9659,18 +9734,6 @@ freebsd1*)
   dynamic_linker=no
   ;;
 
-kfreebsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -9721,7 +9784,7 @@ freebsd* | dragonfly*)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
-  freebsd*) # from 4.6 on
+  *) # from 4.6 on, and DragonFly
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
@@ -9839,7 +9902,7 @@ linux*oldld* | linux*aout* | linux*coff*)
   ;;
 
 # This must be Linux ELF.
-linux*)
+linux* | k*bsd*-gnu)
   version_type=linux
   need_lib_prefix=no
   need_version=no
@@ -9855,7 +9918,7 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -9868,18 +9931,6 @@ linux*)
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
-knetbsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -9961,6 +10012,10 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
+rdos*)
+  dynamic_linker=no
+  ;;
+
 solaris*)
   version_type=linux
   need_lib_prefix=no
@@ -10114,6 +10169,7 @@ else
    darwin*)
        if test -n "$STRIP" ; then
          striplib="$STRIP -x"
+         old_striplib="$STRIP -S"
          { echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6; }
        else
@@ -10700,7 +10756,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 10703 "configure"
+#line 10759 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -10800,7 +10856,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 10803 "configure"
+#line 10859 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -11042,7 +11098,7 @@ echo "$as_me: creating $ofile" >&6;}
 # Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 #
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
 # Free Software Foundation, Inc.
 #
 # This file is part of GNU Libtool:
@@ -11535,10 +11591,10 @@ objext=o
 objext_CXX=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;\n"
+lt_simple_compile_test_code="int some_variable = 0;"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n'
+lt_simple_link_test_code='int main(int, char *[]) { return(0); }'
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 
@@ -11554,13 +11610,13 @@ compiler=$CC
 
 # save warnings/boilerplate of simple test code
 ac_outfile=conftest.$ac_objext
-printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
 eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_compiler_boilerplate=`cat conftest.err`
 $rm conftest*
 
 ac_outfile=conftest.$ac_objext
-printf "$lt_simple_link_test_code" >conftest.$ac_ext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
 eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_linker_boilerplate=`cat conftest.err`
 $rm conftest*
@@ -11819,7 +11875,7 @@ case $host_os in
 	   strings "$collect2name" | grep resolve_lib_name >/dev/null
 	then
 	  # We have reworked collect2
-	  hardcode_direct_CXX=yes
+	  :
 	else
 	  # We have old collect2
 	  hardcode_direct_CXX=unsupported
@@ -11893,11 +11949,18 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
 
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 # Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`; fi
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -11953,11 +12016,18 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
 
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 # Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`; fi
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -12113,7 +12183,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
   freebsd-elf*)
     archive_cmds_need_lc_CXX=no
     ;;
-  freebsd* | kfreebsd*-gnu | dragonfly*)
+  freebsd* | dragonfly*)
     # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
     # conventions
     ld_shlibs_CXX=yes
@@ -12162,9 +12232,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       hardcode_libdir_separator_CXX=:
 
       case $host_cpu in
-      hppa*64*|ia64*)
-	hardcode_libdir_flag_spec_ld_CXX='+b $libdir'
-        ;;
+      hppa*64*|ia64*) ;;
       *)
 	export_dynamic_flag_spec_CXX='${wl}-E'
         ;;
@@ -12272,7 +12340,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
     hardcode_libdir_separator_CXX=:
     ;;
-  linux*)
+  linux* | k*bsd*-gnu)
     case $cc_basename in
       KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
@@ -12352,6 +12420,29 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	# dependencies.
 	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
 	;;
+      *)
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C++ 5.9
+	  no_undefined_flag_CXX=' -zdefs'
+	  archive_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  archive_expsym_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
+	  hardcode_libdir_flag_spec_CXX='-R$libdir'
+	  whole_archive_flag_spec_CXX='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+
+	  # Not sure whether something based on
+	  # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
+	  # would be better.
+	  output_verbose_link_cmd='echo'
+
+	  # Archives containing C++ object files must be created using
+	  # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	  # necessary to make sure instantiated templates are included
+	  # in the archive.
+	  old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
+	  ;;
+	esac
+	;;
     esac
     ;;
   lynxos*)
@@ -12561,15 +12652,10 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	case $host_os in
 	  solaris2.[0-5] | solaris2.[0-5].*) ;;
 	  *)
-	    # The C++ compiler is used as linker so we must use $wl
-	    # flag to pass the commands to the underlying system
-	    # linker. We must also pass each convience library through
-	    # to the system linker between allextract/defaultextract.
-	    # The C++ compiler will combine linker options so we
-	    # cannot just pass the convience library names through
-	    # without $wl.
+	    # The compiler driver will combine and reorder linker options,
+	    # but understands `-z linker_flag'.
 	    # Supported since Solaris 2.6 (maybe 2.5.1?)
-	    whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract'
+	    whole_archive_flag_spec_CXX='-z allextract$convenience -z defaultextract'
 	    ;;
 	esac
 	link_all_deplibs_CXX=yes
@@ -12616,6 +12702,12 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 	  fi
 
 	  hardcode_libdir_flag_spec_CXX='${wl}-R $wl$libdir'
+	  case $host_os in
+	  solaris2.[0-5] | solaris2.[0-5].*) ;;
+	  *)
+	    whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	    ;;
+	  esac
 	fi
 	;;
     esac
@@ -12815,13 +12907,46 @@ interix3*)
   postdeps_CXX=
   ;;
 
+linux*)
+  case `$CC -V 2>&1 | sed 5q` in
+  *Sun\ C*)
+    # Sun C++ 5.9
+    #
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+    if test "$solaris_use_stlport4" != yes; then
+      postdeps_CXX='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+
 solaris*)
   case $cc_basename in
   CC*)
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+
     # Adding this requires a known-good setup of shared libraries for
     # Sun compiler versions before 5.6, else PIC objects from an old
     # archive will be linked into the output, leading to subtle bugs.
-    postdeps_CXX='-lCstd -lCrun'
+    if test "$solaris_use_stlport4" != yes; then
+      postdeps_CXX='-library=Cstd -library=Crun'
+    fi
     ;;
   esac
   ;;
@@ -12858,12 +12983,14 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       # like `-m68040'.
       lt_prog_compiler_pic_CXX='-m68020 -resident32 -malways-restore-a4'
       ;;
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
-    mingw* | os2* | pw32*)
+    mingw* | cygwin* | os2* | pw32*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
       lt_prog_compiler_pic_CXX='-DDLL_EXPORT'
       ;;
     darwin* | rhapsody*)
@@ -12941,7 +13068,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 	    ;;
 	esac
 	;;
-      freebsd* | kfreebsd*-gnu | dragonfly*)
+      freebsd* | dragonfly*)
 	# FreeBSD uses GNU C++
 	;;
       hpux9* | hpux10* | hpux11*)
@@ -12984,7 +13111,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 	    ;;
 	esac
 	;;
-      linux*)
+      linux* | k*bsd*-gnu)
 	case $cc_basename in
 	  KCC*)
 	    # KAI C++ Compiler
@@ -13011,6 +13138,14 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 	    lt_prog_compiler_static_CXX='-non_shared'
 	    ;;
 	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      lt_prog_compiler_pic_CXX='-KPIC'
+	      lt_prog_compiler_static_CXX='-Bstatic'
+	      lt_prog_compiler_wl_CXX='-Qoption ld '
+	      ;;
+	    esac
 	    ;;
 	esac
 	;;
@@ -13125,7 +13260,7 @@ if test "${lt_prog_compiler_pic_works_CXX+set}" = set; then
 else
   lt_prog_compiler_pic_works_CXX=no
   ac_outfile=conftest.$ac_objext
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
    lt_compiler_flag="$lt_prog_compiler_pic_CXX -DPIC"
    # Insert the option either (1) after the last *FLAGS variable, or
    # (2) before a word containing "conftest.", or (3) at the end.
@@ -13136,11 +13271,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13139: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13274: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:13143: \$? = $ac_status" >&5
+   echo "$as_me:13278: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -13189,7 +13324,7 @@ else
   lt_prog_compiler_static_works_CXX=no
    save_LDFLAGS="$LDFLAGS"
    LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
    if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
      # The linker can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -13229,7 +13364,7 @@ else
    mkdir conftest
    cd conftest
    mkdir out
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
    lt_compiler_flag="-o out/conftest2.$ac_objext"
    # Insert the option either (1) after the last *FLAGS variable, or
@@ -13240,11 +13375,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13243: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13378: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:13247: \$? = $ac_status" >&5
+   echo "$as_me:13382: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -13310,7 +13445,7 @@ echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared librar
     export_symbols_cmds_CXX="$ltdll_cmds"
   ;;
   cygwin* | mingw*)
-    export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/;/^.* __nm__/s/^.* __nm__\([^ ]*\) [^ ]*/\1 DATA/;/^I /d;/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+    export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;/^.*[ ]__nm__/s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
   ;;
   *)
     export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
@@ -13341,7 +13476,7 @@ x|xyes)
       { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
 echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
-      printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
@@ -13399,20 +13534,7 @@ shlibpath_overrides_runpath=unknown
 version_type=none
 dynamic_linker="$host_os ld.so"
 sys_lib_dlsearch_path_spec="/lib /usr/lib"
-if test "$GCC" = yes; then
-  sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
-    # if the path contains ";" then we assume it to be the separator
-    # otherwise default to the standard path separator (i.e. ":") - it is
-    # assumed that no part of a normal pathname contains ";" but that should
-    # okay in the real world where ";" in dirpaths is itself problematic.
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
-else
-  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
+
 need_lib_prefix=unknown
 hardcode_into_libs=no
 
@@ -13550,30 +13672,6 @@ cygwin* | mingw* | pw32*)
     esac
     ;;
 
-  linux*)
-    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
-      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      supports_anon_versioning=no
-      case `$LD -v 2>/dev/null` in
-        *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-        *\ 2.11.*) ;; # other 2.11 versions
-        *) supports_anon_versioning=yes ;;
-      esac
-      if test $supports_anon_versioning = yes; then
-        archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
-        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-      else
-        $archive_expsym_cmds="$archive_cmds"
-      fi
-    else
-      ld_shlibs=no
-    fi
-    ;;
-
   *)
     library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
     ;;
@@ -13593,12 +13691,7 @@ darwin* | rhapsody*)
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
   shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-  # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
-  if test "$GCC" = yes; then
-    sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
-  else
-    sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
-  fi
+
   sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
   ;;
 
@@ -13615,18 +13708,6 @@ freebsd1*)
   dynamic_linker=no
   ;;
 
-kfreebsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -13677,7 +13758,7 @@ freebsd* | dragonfly*)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
-  freebsd*) # from 4.6 on
+  *) # from 4.6 on, and DragonFly
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
@@ -13795,7 +13876,7 @@ linux*oldld* | linux*aout* | linux*coff*)
   ;;
 
 # This must be Linux ELF.
-linux*)
+linux* | k*bsd*-gnu)
   version_type=linux
   need_lib_prefix=no
   need_version=no
@@ -13811,7 +13892,7 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -13824,18 +13905,6 @@ linux*)
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
-knetbsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -13917,6 +13986,10 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
+rdos*)
+  dynamic_linker=no
+  ;;
+
 solaris*)
   version_type=linux
   need_lib_prefix=no
@@ -14522,10 +14595,17 @@ objext=o
 objext_F77=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="      subroutine t\n      return\n      end\n"
+lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code="      program t\n      end\n"
+lt_simple_link_test_code="\
+      program t
+      end
+"
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 
@@ -14541,13 +14621,13 @@ compiler=$CC
 
 # save warnings/boilerplate of simple test code
 ac_outfile=conftest.$ac_objext
-printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
 eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_compiler_boilerplate=`cat conftest.err`
 $rm conftest*
 
 ac_outfile=conftest.$ac_objext
-printf "$lt_simple_link_test_code" >conftest.$ac_ext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
 eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_linker_boilerplate=`cat conftest.err`
 $rm conftest*
@@ -14634,13 +14714,15 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       lt_prog_compiler_pic_F77='-m68020 -resident32 -malways-restore-a4'
       ;;
 
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
 
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
       lt_prog_compiler_pic_F77='-DDLL_EXPORT'
       ;;
 
@@ -14708,7 +14790,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
        esac
        ;;
 
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       lt_prog_compiler_pic_F77='-DDLL_EXPORT'
@@ -14741,7 +14823,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       lt_prog_compiler_static_F77='-Bstatic'
       ;;
 
-    linux*)
+    linux* | k*bsd*-gnu)
       case $cc_basename in
       icc* | ecc*)
 	lt_prog_compiler_wl_F77='-Wl,'
@@ -14760,6 +14842,22 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
         # All Alpha code is PIC.
         lt_prog_compiler_static_F77='-non_shared'
         ;;
+      *)
+        case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  lt_prog_compiler_pic_F77='-KPIC'
+	  lt_prog_compiler_static_F77='-Bstatic'
+	  lt_prog_compiler_wl_F77='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  lt_prog_compiler_pic_F77='-KPIC'
+	  lt_prog_compiler_static_F77='-Bstatic'
+	  lt_prog_compiler_wl_F77=''
+	  ;;
+	esac
+	;;
       esac
       ;;
 
@@ -14769,6 +14867,10 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       lt_prog_compiler_static_F77='-non_shared'
       ;;
 
+    rdos*)
+      lt_prog_compiler_static_F77='-non_shared'
+      ;;
+
     solaris*)
       lt_prog_compiler_pic_F77='-KPIC'
       lt_prog_compiler_static_F77='-Bstatic'
@@ -14836,7 +14938,7 @@ if test "${lt_prog_compiler_pic_works_F77+set}" = set; then
 else
   lt_prog_compiler_pic_works_F77=no
   ac_outfile=conftest.$ac_objext
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
    lt_compiler_flag="$lt_prog_compiler_pic_F77"
    # Insert the option either (1) after the last *FLAGS variable, or
    # (2) before a word containing "conftest.", or (3) at the end.
@@ -14847,11 +14949,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14850: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14952: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:14854: \$? = $ac_status" >&5
+   echo "$as_me:14956: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -14900,7 +15002,7 @@ else
   lt_prog_compiler_static_works_F77=no
    save_LDFLAGS="$LDFLAGS"
    LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
    if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
      # The linker can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -14940,7 +15042,7 @@ else
    mkdir conftest
    cd conftest
    mkdir out
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
    lt_compiler_flag="-o out/conftest2.$ac_objext"
    # Insert the option either (1) after the last *FLAGS variable, or
@@ -14951,11 +15053,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14954: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:15056: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:14958: \$? = $ac_status" >&5
+   echo "$as_me:15060: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -15147,7 +15249,7 @@ EOF
       allow_undefined_flag_F77=unsupported
       always_export_symbols_F77=no
       enable_shared_with_static_runtimes_F77=yes
-      export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+      export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
         archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
@@ -15180,7 +15282,7 @@ EOF
       archive_expsym_cmds_F77='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
       ;;
 
-    linux*)
+    gnu* | linux* | k*bsd*-gnu)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
 	tmp_addflag=
 	case $cc_basename,$host_cpu in
@@ -15198,13 +15300,22 @@ EOF
 	ifc* | ifort*)			# Intel Fortran compiler
 	  tmp_addflag=' -nofor_main' ;;
 	esac
-	archive_cmds_F77='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  whole_archive_flag_spec_F77='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	*)
+	  tmp_sharedflag='-shared' ;;
+	esac
+	archive_cmds_F77='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 
 	if test $supports_anon_versioning = yes; then
 	  archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~
   cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
   $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
 	fi
       else
 	ld_shlibs_F77=no
@@ -15363,7 +15474,7 @@ _LT_EOF
   	   strings "$collect2name" | grep resolve_lib_name >/dev/null
 	  then
   	  # We have reworked collect2
-  	  hardcode_direct_F77=yes
+  	  :
 	  else
   	  # We have old collect2
   	  hardcode_direct_F77=unsupported
@@ -15427,11 +15538,18 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
 
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 # Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`; fi
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -15476,11 +15594,18 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
 
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 # Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`; fi
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -15534,7 +15659,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # The linker will automatically build a .lib file if we build a DLL.
       old_archive_From_new_cmds_F77='true'
       # FIXME: Should let the user specify the lib program.
-      old_archive_cmds_F77='lib /OUT:$oldlib$oldobjs$old_deplibs'
+      old_archive_cmds_F77='lib -OUT:$oldlib$oldobjs$old_deplibs'
       fix_srcfile_path_F77='`cygpath -w "$srcfile"`'
       enable_shared_with_static_runtimes_F77=yes
       ;;
@@ -15619,7 +15744,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | kfreebsd*-gnu | dragonfly*)
+    freebsd* | dragonfly*)
       archive_cmds_F77='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
       hardcode_libdir_flag_spec_F77='-R$libdir'
       hardcode_direct_F77=yes
@@ -15817,17 +15942,16 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       case $host_os in
       solaris2.[0-5] | solaris2.[0-5].*) ;;
       *)
- 	# The compiler driver will combine linker options so we
- 	# cannot just pass the convience library names through
- 	# without $wl, iff we do not link with $LD.
- 	# Luckily, gcc supports the same syntax we need for Sun Studio.
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
  	# Supported since Solaris 2.6 (maybe 2.5.1?)
- 	case $wlarc in
- 	'')
- 	  whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract' ;;
- 	*)
- 	  whole_archive_flag_spec_F77='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
- 	esac ;;
+	if test "$GCC" = yes; then
+	  whole_archive_flag_spec_F77='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract'
+	fi
+	;;
       esac
       link_all_deplibs_F77=yes
       ;;
@@ -15884,7 +16008,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       fi
       ;;
 
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
       no_undefined_flag_F77='${wl}-z,text'
       archive_cmds_need_lc_F77=no
       hardcode_shlibpath_var_F77=no
@@ -15961,7 +16085,7 @@ x|xyes)
       { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
 echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
-      printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
@@ -16019,20 +16143,7 @@ shlibpath_overrides_runpath=unknown
 version_type=none
 dynamic_linker="$host_os ld.so"
 sys_lib_dlsearch_path_spec="/lib /usr/lib"
-if test "$GCC" = yes; then
-  sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
-    # if the path contains ";" then we assume it to be the separator
-    # otherwise default to the standard path separator (i.e. ":") - it is
-    # assumed that no part of a normal pathname contains ";" but that should
-    # okay in the real world where ";" in dirpaths is itself problematic.
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
-else
-  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
+
 need_lib_prefix=unknown
 hardcode_into_libs=no
 
@@ -16170,30 +16281,6 @@ cygwin* | mingw* | pw32*)
     esac
     ;;
 
-  linux*)
-    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
-      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      supports_anon_versioning=no
-      case `$LD -v 2>/dev/null` in
-        *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-        *\ 2.11.*) ;; # other 2.11 versions
-        *) supports_anon_versioning=yes ;;
-      esac
-      if test $supports_anon_versioning = yes; then
-        archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
-        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-      else
-        $archive_expsym_cmds="$archive_cmds"
-      fi
-    else
-      ld_shlibs=no
-    fi
-    ;;
-
   *)
     library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
     ;;
@@ -16213,12 +16300,7 @@ darwin* | rhapsody*)
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
   shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-  # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
-  if test "$GCC" = yes; then
-    sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
-  else
-    sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
-  fi
+
   sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
   ;;
 
@@ -16235,18 +16317,6 @@ freebsd1*)
   dynamic_linker=no
   ;;
 
-kfreebsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -16297,7 +16367,7 @@ freebsd* | dragonfly*)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
-  freebsd*) # from 4.6 on
+  *) # from 4.6 on, and DragonFly
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
@@ -16415,7 +16485,7 @@ linux*oldld* | linux*aout* | linux*coff*)
   ;;
 
 # This must be Linux ELF.
-linux*)
+linux* | k*bsd*-gnu)
   version_type=linux
   need_lib_prefix=no
   need_version=no
@@ -16431,7 +16501,7 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -16444,18 +16514,6 @@ linux*)
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
-knetbsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -16537,6 +16595,10 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
+rdos*)
+  dynamic_linker=no
+  ;;
+
 solaris*)
   version_type=linux
   need_lib_prefix=no
@@ -17109,10 +17171,10 @@ objext=o
 objext_GCJ=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}\n"
+lt_simple_compile_test_code="class foo {}"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n'
+lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }'
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 
@@ -17128,13 +17190,13 @@ compiler=$CC
 
 # save warnings/boilerplate of simple test code
 ac_outfile=conftest.$ac_objext
-printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
 eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_compiler_boilerplate=`cat conftest.err`
 $rm conftest*
 
 ac_outfile=conftest.$ac_objext
-printf "$lt_simple_link_test_code" >conftest.$ac_ext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
 eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_linker_boilerplate=`cat conftest.err`
 $rm conftest*
@@ -17175,7 +17237,7 @@ if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
 else
   lt_cv_prog_compiler_rtti_exceptions=no
   ac_outfile=conftest.$ac_objext
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
    lt_compiler_flag="-fno-rtti -fno-exceptions"
    # Insert the option either (1) after the last *FLAGS variable, or
    # (2) before a word containing "conftest.", or (3) at the end.
@@ -17186,11 +17248,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17189: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17251: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:17193: \$? = $ac_status" >&5
+   echo "$as_me:17255: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -17241,13 +17303,15 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       lt_prog_compiler_pic_GCJ='-m68020 -resident32 -malways-restore-a4'
       ;;
 
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
 
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
       lt_prog_compiler_pic_GCJ='-DDLL_EXPORT'
       ;;
 
@@ -17315,7 +17379,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
        esac
        ;;
 
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       lt_prog_compiler_pic_GCJ='-DDLL_EXPORT'
@@ -17348,7 +17412,7 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       lt_prog_compiler_static_GCJ='-Bstatic'
       ;;
 
-    linux*)
+    linux* | k*bsd*-gnu)
       case $cc_basename in
       icc* | ecc*)
 	lt_prog_compiler_wl_GCJ='-Wl,'
@@ -17367,6 +17431,22 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
         # All Alpha code is PIC.
         lt_prog_compiler_static_GCJ='-non_shared'
         ;;
+      *)
+        case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  lt_prog_compiler_pic_GCJ='-KPIC'
+	  lt_prog_compiler_static_GCJ='-Bstatic'
+	  lt_prog_compiler_wl_GCJ='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  lt_prog_compiler_pic_GCJ='-KPIC'
+	  lt_prog_compiler_static_GCJ='-Bstatic'
+	  lt_prog_compiler_wl_GCJ=''
+	  ;;
+	esac
+	;;
       esac
       ;;
 
@@ -17376,6 +17456,10 @@ echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
       lt_prog_compiler_static_GCJ='-non_shared'
       ;;
 
+    rdos*)
+      lt_prog_compiler_static_GCJ='-non_shared'
+      ;;
+
     solaris*)
       lt_prog_compiler_pic_GCJ='-KPIC'
       lt_prog_compiler_static_GCJ='-Bstatic'
@@ -17443,7 +17527,7 @@ if test "${lt_prog_compiler_pic_works_GCJ+set}" = set; then
 else
   lt_prog_compiler_pic_works_GCJ=no
   ac_outfile=conftest.$ac_objext
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
    lt_compiler_flag="$lt_prog_compiler_pic_GCJ"
    # Insert the option either (1) after the last *FLAGS variable, or
    # (2) before a word containing "conftest.", or (3) at the end.
@@ -17454,11 +17538,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17457: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17541: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:17461: \$? = $ac_status" >&5
+   echo "$as_me:17545: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -17507,7 +17591,7 @@ else
   lt_prog_compiler_static_works_GCJ=no
    save_LDFLAGS="$LDFLAGS"
    LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
-   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
    if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
      # The linker can only warn and ignore the option if not recognized
      # So say no if there are warnings
@@ -17547,7 +17631,7 @@ else
    mkdir conftest
    cd conftest
    mkdir out
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
    lt_compiler_flag="-o out/conftest2.$ac_objext"
    # Insert the option either (1) after the last *FLAGS variable, or
@@ -17558,11 +17642,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:17561: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:17645: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:17565: \$? = $ac_status" >&5
+   echo "$as_me:17649: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -17754,7 +17838,7 @@ EOF
       allow_undefined_flag_GCJ=unsupported
       always_export_symbols_GCJ=no
       enable_shared_with_static_runtimes_GCJ=yes
-      export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+      export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
         archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
@@ -17787,7 +17871,7 @@ EOF
       archive_expsym_cmds_GCJ='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
       ;;
 
-    linux*)
+    gnu* | linux* | k*bsd*-gnu)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
 	tmp_addflag=
 	case $cc_basename,$host_cpu in
@@ -17805,13 +17889,22 @@ EOF
 	ifc* | ifort*)			# Intel Fortran compiler
 	  tmp_addflag=' -nofor_main' ;;
 	esac
-	archive_cmds_GCJ='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  whole_archive_flag_spec_GCJ='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	*)
+	  tmp_sharedflag='-shared' ;;
+	esac
+	archive_cmds_GCJ='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
 
 	if test $supports_anon_versioning = yes; then
 	  archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~
   cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
   $echo "local: *; };" >> $output_objdir/$libname.ver~
-	  $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
 	fi
       else
 	ld_shlibs_GCJ=no
@@ -17970,7 +18063,7 @@ _LT_EOF
   	   strings "$collect2name" | grep resolve_lib_name >/dev/null
 	  then
   	  # We have reworked collect2
-  	  hardcode_direct_GCJ=yes
+  	  :
 	  else
   	  # We have old collect2
   	  hardcode_direct_GCJ=unsupported
@@ -18044,11 +18137,18 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
 
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 # Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`; fi
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -18103,11 +18203,18 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
        } && test -s conftest$ac_exeext &&
        $as_test_x conftest$ac_exeext; then
 
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 # Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`; fi
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
@@ -18161,7 +18268,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       # The linker will automatically build a .lib file if we build a DLL.
       old_archive_From_new_cmds_GCJ='true'
       # FIXME: Should let the user specify the lib program.
-      old_archive_cmds_GCJ='lib /OUT:$oldlib$oldobjs$old_deplibs'
+      old_archive_cmds_GCJ='lib -OUT:$oldlib$oldobjs$old_deplibs'
       fix_srcfile_path_GCJ='`cygpath -w "$srcfile"`'
       enable_shared_with_static_runtimes_GCJ=yes
       ;;
@@ -18246,7 +18353,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       ;;
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | kfreebsd*-gnu | dragonfly*)
+    freebsd* | dragonfly*)
       archive_cmds_GCJ='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
       hardcode_libdir_flag_spec_GCJ='-R$libdir'
       hardcode_direct_GCJ=yes
@@ -18444,17 +18551,16 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       case $host_os in
       solaris2.[0-5] | solaris2.[0-5].*) ;;
       *)
- 	# The compiler driver will combine linker options so we
- 	# cannot just pass the convience library names through
- 	# without $wl, iff we do not link with $LD.
- 	# Luckily, gcc supports the same syntax we need for Sun Studio.
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
  	# Supported since Solaris 2.6 (maybe 2.5.1?)
- 	case $wlarc in
- 	'')
- 	  whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract' ;;
- 	*)
- 	  whole_archive_flag_spec_GCJ='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
- 	esac ;;
+	if test "$GCC" = yes; then
+	  whole_archive_flag_spec_GCJ='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract'
+	fi
+	;;
       esac
       link_all_deplibs_GCJ=yes
       ;;
@@ -18511,7 +18617,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
       fi
       ;;
 
-    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
       no_undefined_flag_GCJ='${wl}-z,text'
       archive_cmds_need_lc_GCJ=no
       hardcode_shlibpath_var_GCJ=no
@@ -18588,7 +18694,7 @@ x|xyes)
       { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
 echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
-      printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
@@ -18646,20 +18752,7 @@ shlibpath_overrides_runpath=unknown
 version_type=none
 dynamic_linker="$host_os ld.so"
 sys_lib_dlsearch_path_spec="/lib /usr/lib"
-if test "$GCC" = yes; then
-  sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
-    # if the path contains ";" then we assume it to be the separator
-    # otherwise default to the standard path separator (i.e. ":") - it is
-    # assumed that no part of a normal pathname contains ";" but that should
-    # okay in the real world where ";" in dirpaths is itself problematic.
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
-  else
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
-  fi
-else
-  sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
+
 need_lib_prefix=unknown
 hardcode_into_libs=no
 
@@ -18797,30 +18890,6 @@ cygwin* | mingw* | pw32*)
     esac
     ;;
 
-  linux*)
-    if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
-      archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-      supports_anon_versioning=no
-      case `$LD -v 2>/dev/null` in
-        *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
-        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-        *\ 2.11.*) ;; # other 2.11 versions
-        *) supports_anon_versioning=yes ;;
-      esac
-      if test $supports_anon_versioning = yes; then
-        archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
-        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-      else
-        $archive_expsym_cmds="$archive_cmds"
-      fi
-    else
-      ld_shlibs=no
-    fi
-    ;;
-
   *)
     library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
     ;;
@@ -18840,12 +18909,7 @@ darwin* | rhapsody*)
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
   shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
-  # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
-  if test "$GCC" = yes; then
-    sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
-  else
-    sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
-  fi
+
   sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
   ;;
 
@@ -18862,18 +18926,6 @@ freebsd1*)
   dynamic_linker=no
   ;;
 
-kfreebsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 freebsd* | dragonfly*)
   # DragonFly does not have aout.  When/if they implement a new
   # versioning mechanism, adjust this.
@@ -18924,7 +18976,7 @@ freebsd* | dragonfly*)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
-  freebsd*) # from 4.6 on
+  *) # from 4.6 on, and DragonFly
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
@@ -19042,7 +19094,7 @@ linux*oldld* | linux*aout* | linux*coff*)
   ;;
 
 # This must be Linux ELF.
-linux*)
+linux* | k*bsd*-gnu)
   version_type=linux
   need_lib_prefix=no
   need_version=no
@@ -19058,7 +19110,7 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -19071,18 +19123,6 @@ linux*)
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
-knetbsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -19164,6 +19204,10 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
+rdos*)
+  dynamic_linker=no
+  ;;
+
 solaris*)
   version_type=linux
   need_lib_prefix=no
@@ -19735,7 +19779,7 @@ objext=o
 objext_RC=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
 
 # Code to be used in simple link tests
 lt_simple_link_test_code="$lt_simple_compile_test_code"
@@ -19754,13 +19798,13 @@ compiler=$CC
 
 # save warnings/boilerplate of simple test code
 ac_outfile=conftest.$ac_objext
-printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
 eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_compiler_boilerplate=`cat conftest.err`
 $rm conftest*
 
 ac_outfile=conftest.$ac_objext
-printf "$lt_simple_link_test_code" >conftest.$ac_ext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
 eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
 _lt_linker_boilerplate=`cat conftest.err`
 $rm conftest*
@@ -22003,7 +22047,9 @@ fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$dbus_PKG_ERRORS" >&5
 
-	{ { echo "$as_me:$LINENO: error: No libdbus package information found" >&5
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+                { { echo "$as_me:$LINENO: error: No libdbus package information found" >&5
 echo "$as_me: error: No libdbus package information found" >&2;}
    { (exit 1); exit 1; }; }
 elif test $pkg_failed = untried; then
@@ -22081,7 +22127,9 @@ fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$xml_PKG_ERRORS" >&5
 
-	{ { echo "$as_me:$LINENO: error: No libxml2 package information found" >&5
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+                { { echo "$as_me:$LINENO: error: No libxml2 package information found" >&5
 echo "$as_me: error: No libxml2 package information found" >&2;}
    { (exit 1); exit 1; }; }
 elif test $pkg_failed = untried; then
@@ -23004,7 +23052,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.1.3, which was
+This file was extended by strongSwan $as_me 4.1.4, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -23051,7 +23099,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-strongSwan config.status 4.1.3
+strongSwan config.status 4.1.4
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
@@ -23390,6 +23438,7 @@ host!$host$ac_delim
 host_cpu!$host_cpu$ac_delim
 host_vendor!$host_vendor$ac_delim
 host_os!$host_os$ac_delim
+SED!$SED$ac_delim
 LN_S!$LN_S$ac_delim
 ECHO!$ECHO$ac_delim
 AR!$AR$ac_delim
@@ -23421,7 +23470,7 @@ LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 47; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 48; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
diff --git a/configure.in b/configure.in
index e661487e3..13f0ae71d 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.1.3)
+AC_INIT(strongSwan,4.1.4)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_C_BIGENDIAN
 AC_SUBST(confdir, '${sysconfdir}')
diff --git a/debian/changelog b/debian/changelog
index 9ac7a4348..4e3c60ae2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,16 @@
-strongswan (4.1.3-1) unstable; urgency=low
+strongswan (4.1.4-1) unstable; urgency=low
+
+  * New upstream release.
+
+ -- Rene Mayrhofer <rmayr@debian.org>  Thu, 05 Jul 2007 00:53:01 +0100
+
+strongswan (4.1.3-1) unreleased; urgency=low
 
   * New upstream release.
 
  -- Rene Mayrhofer <rmayr@debian.org>  Sun, 03 Jun 2007 18:39:11 +0100
 
-strongswan (4.1.1-1) unstable; urgency=low
+strongswan (4.1.1-1) unreleased; urgency=low
 
   Major new upstream release:
   * IKEv2 support with the new "charon" daemon in addition to the old "pluto"
diff --git a/ltmain.sh b/ltmain.sh
index 8f7a6ac10..1e7283d59 100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,8 +1,8 @@
 # ltmain.sh - Provide generalized library-building support services.
 # NOTE: Changing this file will not affect anything until you rerun configure.
 #
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005
-# Free Software Foundation, Inc.
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
+# 2007  Free Software Foundation, Inc.
 # Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 #
 # This program is free software; you can redistribute it and/or modify
@@ -33,9 +33,6 @@ basename="s,^.*/,,g"
 # function.
 progpath="$0"
 
-# define SED for historic ltconfig's generated by Libtool 1.3
-test -z "$SED" && SED=sed
-
 # The name of this program:
 progname=`echo "$progpath" | $SED $basename`
 modename="$progname"
@@ -46,21 +43,22 @@ EXIT_FAILURE=1
 
 PROGRAM=ltmain.sh
 PACKAGE=libtool
-VERSION=1.5.22
-TIMESTAMP=" (1.1220.2.365 2005/12/18 22:14:06)"
-
-# See if we are running on zsh, and set the options which allow our
-# commands through without removal of \ escapes.
-if test -n "${ZSH_VERSION+set}" ; then
+VERSION=1.5.23b
+TIMESTAMP=" (1.1220.2.437 2007/02/17 09:08:45)"
+
+# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac
 fi
-# Same for EGREP, and just to be sure, do LTCC as well
-if test "X$EGREP" = X ; then
-    EGREP=egrep
-fi
-if test "X$LTCC" = X ; then
-    LTCC=${CC-gcc}
-fi
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
 
 # Check that we have a working $echo.
 if test "X$1" = X--no-reexec; then
@@ -115,12 +113,14 @@ esac
 # These must not be set unconditionally because not all systems understand
 # e.g. LANG=C (notably SCO).
 # We save the old values to restore during execute mode.
-if test "${LC_ALL+set}" = set; then
-  save_LC_ALL="$LC_ALL"; LC_ALL=C; export LC_ALL
-fi
-if test "${LANG+set}" = set; then
-  save_LANG="$LANG"; LANG=C; export LANG
-fi
+for lt_var in LANG LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
+do
+  eval "if test \"\${$lt_var+set}\" = set; then
+	  save_$lt_var=\$$lt_var
+	  $lt_var=C
+	  export $lt_var
+	fi"
+done
 
 # Make sure IFS has a sensible default
 lt_nl='
@@ -146,30 +146,8 @@ duplicate_deps=no
 preserve_args=
 lo2o="s/\\.lo\$/.${objext}/"
 o2lo="s/\\.${objext}\$/.lo/"
-
-if test -z "$max_cmd_len"; then
-  i=0
-  testring="ABCD"
-  new_result=
-  
-  # If test is not a shell built-in, we'll probably end up computing a
-  # maximum length that is only half of the actual maximum length, but
-  # we can't tell.
-  while (test "X"`$SHELL $0 --fallback-echo "X$testring" 2>/dev/null` \
-             = "XX$testring") >/dev/null 2>&1 &&
-          new_result=`expr "X$testring" : ".*" 2>&1` &&
-          max_cmd_len="$new_result" &&
-          test "$i" != 17 # 1/2 MB should be enough
-  do
-    i=`expr $i + 1`
-    testring="$testring$testring"
-  done
-  testring=
-  # Add a significant safety factor because C++ compilers can tack on massive
-  # amounts of additional arguments before passing them to the linker.
-  # It appears as though 1/2 is a usable value.
-  max_cmd_len=`expr $max_cmd_len \/ 2`
-fi
+extracted_archives=
+extracted_serial=0
 
 #####################################
 # Shell function definitions:
@@ -230,7 +208,13 @@ func_win32_libid ()
     if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \
       $EGREP -e 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
       win32_nmres=`eval $NM -f posix -A $1 | \
-	$SED -n -e '1,100{/ I /{s,.*,import,;p;q;};}'`
+	$SED -n -e '1,100{
+		/ I /{
+			s,.*,import,
+			p
+			q
+			}
+		}'`
       case $win32_nmres in
       import*)  win32_libid_type="x86 archive import";;
       *)        win32_libid_type="x86 archive static";;
@@ -375,7 +359,17 @@ func_extract_archives ()
 	*) my_xabs=`pwd`"/$my_xlib" ;;
       esac
       my_xlib=`$echo "X$my_xlib" | $Xsed -e 's%^.*/%%'`
-      my_xdir="$my_gentop/$my_xlib"
+      my_xlib_u=$my_xlib
+      while :; do
+        case " $extracted_archives " in
+	*" $my_xlib_u "*)
+	  extracted_serial=`expr $extracted_serial + 1`
+	  my_xlib_u=lt$extracted_serial-$my_xlib ;;
+	*) break ;;
+	esac
+      done
+      extracted_archives="$extracted_archives $my_xlib_u"
+      my_xdir="$my_gentop/$my_xlib_u"
 
       $show "${rm}r $my_xdir"
       $run ${rm}r "$my_xdir"
@@ -502,11 +496,12 @@ do
     ;;
 
   --version)
-    $echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"
-    $echo
-    $echo "Copyright (C) 2005  Free Software Foundation, Inc."
-    $echo "This is free software; see the source for copying conditions.  There is NO"
-    $echo "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+    echo "\
+$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP
+
+Copyright (C) 2007  Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
     exit $?
     ;;
 
@@ -803,9 +798,10 @@ if test -z "$show_help"; then
     *.class) xform=class ;;
     *.cpp) xform=cpp ;;
     *.cxx) xform=cxx ;;
-    *.f90) xform=f90 ;;
+    *.[fF][09]?) xform=[fF][09]. ;;
     *.for) xform=for ;;
     *.java) xform=java ;;
+    *.obj) xform=obj ;;
     esac
 
     libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
@@ -1186,8 +1182,9 @@ EOF
     for arg
     do
       case $arg in
-      -all-static | -static)
-	if test "X$arg" = "X-all-static"; then
+      -all-static | -static | -static-libtool-libs)
+	case $arg in
+	-all-static)
 	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
 	    $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
 	  fi
@@ -1195,12 +1192,20 @@ EOF
 	    dlopen_self=$dlopen_self_static
 	  fi
 	  prefer_static_libs=yes
-	else
+	  ;;
+	-static)
 	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
 	    dlopen_self=$dlopen_self_static
 	  fi
 	  prefer_static_libs=built
-	fi
+	  ;;
+	-static-libtool-libs)
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	  prefer_static_libs=yes
+	  ;;
+	esac
 	build_libtool_libs=no
 	build_old_libs=yes
 	break
@@ -1648,7 +1653,7 @@ EOF
 	continue
 	;;
 
-     -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
+     -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
 	compiler_flags="$compiler_flags $arg"
 	compile_command="$compile_command $arg"
 	finalize_command="$finalize_command $arg"
@@ -1668,10 +1673,11 @@ EOF
       # -m* pass through architecture-specific compiler args for GCC
       # -m*, -t[45]*, -txscale* pass through architecture-specific
       # compiler args for GCC
-      # -pg pass through profiling flag for GCC
+      # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC
+      # -F/path gives path to uninstalled frameworks, gcc on darwin
       # @file GCC response files
-      -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*|-pg| \
-      -t[45]*|-txscale*|@*)
+      -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
+      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*)
 
 	# Unknown arguments in both finalize_command and compile_command need
 	# to be aesthetically quoted because they are evaled later.
@@ -1760,7 +1766,7 @@ EOF
 	continue
 	;;
 
-      -static)
+      -static | -static-libtool-libs)
 	# The effects of -static are defined in a previous loop.
 	# We used to do the same as -all-static on platforms that
 	# didn't have a PIC flag, but the assumption that the effects
@@ -2142,7 +2148,7 @@ EOF
 	lib=
 	found=no
 	case $deplib in
-	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
+	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
 	  if test "$linkmode,$pass" = "prog,link"; then
 	    compile_deplibs="$deplib $compile_deplibs"
 	    finalize_deplibs="$deplib $finalize_deplibs"
@@ -2538,7 +2544,9 @@ EOF
 
 	if test "$linkmode,$pass" = "prog,link"; then
 	  if test -n "$library_names" &&
-	     { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+	     { { test "$prefer_static_libs" = no ||
+		 test "$prefer_static_libs,$installed" = "built,yes"; } ||
+	       test -z "$old_library"; }; then
 	    # We need to hardcode the library path
 	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then
 	      # Make sure the rpath contains only unique directories.
@@ -3234,7 +3242,7 @@ EOF
 	  # which has an extra 1 added just for fun
 	  #
 	  case $version_type in
-	  darwin|linux|osf|windows)
+	  darwin|linux|osf|windows|none)
 	    current=`expr $number_major + $number_minor`
 	    age="$number_minor"
 	    revision="$number_revision"
@@ -3458,11 +3466,11 @@ EOF
       fi
 
       # Eliminate all temporary directories.
-      for path in $notinst_path; do
-	lib_search_path=`$echo "$lib_search_path " | ${SED} -e "s% $path % %g"`
-	deplibs=`$echo "$deplibs " | ${SED} -e "s% -L$path % %g"`
-	dependency_libs=`$echo "$dependency_libs " | ${SED} -e "s% -L$path % %g"`
-      done
+      #for path in $notinst_path; do
+      #	lib_search_path=`$echo "$lib_search_path " | ${SED} -e "s% $path % %g"`
+      #	deplibs=`$echo "$deplibs " | ${SED} -e "s% -L$path % %g"`
+      #	dependency_libs=`$echo "$dependency_libs " | ${SED} -e "s% -L$path % %g"`
+      #done
 
       if test -n "$xrpath"; then
 	# If the user specified any rpath flags, then add them.
@@ -3563,13 +3571,12 @@ EOF
 	  int main() { return 0; }
 EOF
 	  $rm conftest
-	  $LTCC $LTCFLAGS -o conftest conftest.c $deplibs
-	  if test "$?" -eq 0 ; then
+	  if $LTCC $LTCFLAGS -o conftest conftest.c $deplibs; then
 	    ldd_output=`ldd conftest`
 	    for i in $deplibs; do
 	      name=`expr $i : '-l\(.*\)'`
 	      # If $name is empty we are operating on a -L argument.
-              if test "$name" != "" && test "$name" -ne "0"; then
+              if test "$name" != "" && test "$name" != "0"; then
 		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		  case " $predeps $postdeps " in
 		  *" $i "*)
@@ -3608,9 +3615,7 @@ EOF
 	      # If $name is empty we are operating on a -L argument.
               if test "$name" != "" && test "$name" != "0"; then
 		$rm conftest
-		$LTCC $LTCFLAGS -o conftest conftest.c $i
-		# Did it work?
-		if test "$?" -eq 0 ; then
+		if $LTCC $LTCFLAGS -o conftest conftest.c $i; then
 		  ldd_output=`ldd conftest`
 		  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		    case " $predeps $postdeps " in
@@ -3642,7 +3647,7 @@ EOF
 		  droppeddeps=yes
 		  $echo
 		  $echo "*** Warning!  Library $i is needed by this library but I was not able to"
-		  $echo "***  make it link in!  You will probably need to install it or some"
+		  $echo "*** make it link in!  You will probably need to install it or some"
 		  $echo "*** library that it depends on before this library will be fully"
 		  $echo "*** functional.  Installing it before continuing would be even better."
 		fi
@@ -3690,13 +3695,6 @@ EOF
 			*) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
 			esac
 		      done
-		      # It is ok to link against an archive when
-		      # building a shared library.
-		      if $AR -t $potlib > /dev/null 2>&1; then
-		        newdeplibs="$newdeplibs $a_deplib"
-		        a_deplib=""
-		        break 2
-		      fi
 		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
 			 | ${SED} 10q \
 			 | $EGREP "$file_magic_regex" > /dev/null; then
@@ -3935,7 +3933,10 @@ EOF
 	     test -n "$hardcode_libdirs"; then
 	    libdir="$hardcode_libdirs"
 	    if test -n "$hardcode_libdir_flag_spec_ld"; then
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
+	      case $archive_cmds in
+	      *\$LD*) eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\" ;;
+	      *)      eval dep_rpath=\"$hardcode_libdir_flag_spec\" ;;
+	      esac
 	    else
 	      eval dep_rpath=\"$hardcode_libdir_flag_spec\"
 	    fi
@@ -4294,12 +4295,14 @@ EOF
       reload_conv_objs=
       gentop=
       # reload_cmds runs $LD directly, so let us get rid of
-      # -Wl from whole_archive_flag_spec
+      # -Wl from whole_archive_flag_spec and hope we can get by with
+      # turning comma into space..
       wl=
 
       if test -n "$convenience"; then
 	if test -n "$whole_archive_flag_spec"; then
-	  eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
+	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
+	  reload_conv_objs=$reload_objs\ `$echo "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'`
 	else
 	  gentop="$output_objdir/${obj}x"
 	  generated="$generated $gentop"
@@ -4747,16 +4750,16 @@ static const void *lt_preloaded_setup() {
           case $host in
           *cygwin* | *mingw* )
             if test -f "$output_objdir/${outputname}.def" ; then
-              compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%"`
-              finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%"`
+              compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP`
+              finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP`
             else
-              compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
-              finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+              compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
+              finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
              fi
             ;;
           * )
-            compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
-            finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+            compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
+            finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
             ;;
           esac
 	  ;;
@@ -4771,13 +4774,13 @@ static const void *lt_preloaded_setup() {
 	# really was required.
 
 	# Nullify the symbol file.
-	compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
-	finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP`
+	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP`
       fi
 
       if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
 	# Replace the output file specification.
-	compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$output"'%g' | $NL2SP`
 	link_command="$compile_command$compile_rpath"
 
 	# We have no uninstalled library dependencies, so finalize right now.
@@ -4864,7 +4867,7 @@ static const void *lt_preloaded_setup() {
 	if test "$fast_install" != no; then
 	  link_command="$finalize_var$compile_command$finalize_rpath"
 	  if test "$fast_install" = yes; then
-	    relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+	    relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $SP2NL | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g' | $NL2SP`
 	  else
 	    # fast_install is set to needless
 	    relink_command=
@@ -4901,7 +4904,7 @@ static const void *lt_preloaded_setup() {
 	  fi
 	done
 	relink_command="(cd `pwd`; $relink_command)"
-	relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+	relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP`
       fi
 
       # Quote $echo for shipping.
@@ -5308,6 +5311,20 @@ EOF
 Xsed='${SED} -e 1s/^X//'
 sed_quote_subst='$sed_quote_subst'
 
+# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
+if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '\${1+\"\$@\"}'='\"\$@\"'
+  setopt NO_GLOB_SUBST
+else
+  case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac
+fi
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
+
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
@@ -5455,7 +5472,7 @@ else
 	  ;;
 	esac
 	$echo >> $output "\
-      \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
+      \$echo \"\$0: cannot exec \$program \$*\"
       exit $EXIT_FAILURE
     fi
   else
@@ -5641,7 +5658,7 @@ fi\
       done
       # Quote the link command for shipping.
       relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
-      relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+      relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP`
       if test "$hardcode_automatic" = yes ; then
 	relink_command=
       fi
@@ -6034,9 +6051,9 @@ relink_command=\"$relink_command\""
 
 	  if test -n "$inst_prefix_dir"; then
 	    # Stick the inst_prefix_dir data into the link command.
-	    relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
+	    relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%" | $NL2SP`
 	  else
-	    relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
+	    relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%%" | $NL2SP`
 	  fi
 
 	  $echo "$modename: warning: relinking \`$file'" 1>&2
@@ -6245,7 +6262,7 @@ relink_command=\"$relink_command\""
 	      file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
 	      outputname="$tmpdir/$file"
 	      # Replace the output file specification.
-	      relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+	      relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g' | $NL2SP`
 
 	      $show "$relink_command"
 	      if $run eval "$relink_command"; then :
@@ -6456,8 +6473,10 @@ relink_command=\"$relink_command\""
 	if test -f "$dir/$objdir/$dlname"; then
 	  dir="$dir/$objdir"
 	else
-	  $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
-	  exit $EXIT_FAILURE
+	  if test ! -f "$dir/$dlname"; then
+	    $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
 	fi
 	;;
 
@@ -6521,12 +6540,14 @@ relink_command=\"$relink_command\""
       fi
 
       # Restore saved environment variables
-      if test "${save_LC_ALL+set}" = set; then
-	LC_ALL="$save_LC_ALL"; export LC_ALL
-      fi
-      if test "${save_LANG+set}" = set; then
-	LANG="$save_LANG"; export LANG
-      fi
+      for lt_var in LANG LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
+      do
+	eval "if test \"\${save_$lt_var+set}\" = set; then
+		$lt_var=\$save_$lt_var; export $lt_var
+	      else
+		$lt_unset $lt_var
+	      fi"
+      done
 
       # Now prepare to actually exec the command.
       exec_cmd="\$cmd$args"
@@ -6883,9 +6904,9 @@ The following components of LINK-COMMAND are treated specially:
   -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
   -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
   -export-symbols SYMFILE
-		    try to export only the symbols listed in SYMFILE
+                    try to export only the symbols listed in SYMFILE
   -export-symbols-regex REGEX
-		    try to export only the symbols matching REGEX
+                    try to export only the symbols matching REGEX
   -LLIBDIR          search LIBDIR for required installed libraries
   -lNAME            OUTPUT-FILE requires the installed library libNAME
   -module           build a library that can dlopened
@@ -6899,9 +6920,11 @@ The following components of LINK-COMMAND are treated specially:
   -release RELEASE  specify package release information
   -rpath LIBDIR     the created library will eventually be installed in LIBDIR
   -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
-  -static           do not do any dynamic linking of libtool libraries
+  -static           do not do any dynamic linking of uninstalled libtool libraries
+  -static-libtool-libs
+                    do not do any dynamic linking of libtool libraries
   -version-info CURRENT[:REVISION[:AGE]]
-		    specify library version info [each variable defaults to 0]
+                    specify library version info [each variable defaults to 0]
 
 All other options (arguments beginning with \`-') are ignored.
 
diff --git a/src/Makefile.in b/src/Makefile.in
index 9fb649725..d9d363ab4 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -114,6 +114,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 68d2f0484..3b49498a3 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -130,6 +130,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 9118eef49..ff4651d05 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -113,6 +113,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/_updown/_updown b/src/_updown/_updown
index 8db74f737..795b6f388 100755
--- a/src/_updown/_updown
+++ b/src/_updown/_updown
@@ -4,7 +4,7 @@
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
 # Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
 # 
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
@@ -191,14 +191,6 @@ addsource() {
 
 doroute() {
 	st=0
-	parms="$PLUTO_PEER_CLIENT"
-
-	parms2=
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	   parms2="via $PLUTO_NEXT_HOP"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
 
 	if [ -z "$PLUTO_MY_SOURCEIP" ]
 	then
@@ -218,6 +210,26 @@ doroute() {
 	    fi
         fi
 
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	parms2=
+	if [ -n "$KLIPS" ]
+	then
+	    if [ -n "$PLUTO_NEXT_HOP" ]
+	    then
+		parms2="via $PLUTO_NEXT_HOP"
+	    fi
+	else
+	    parms2="via $PLUTO_ME"
+	fi	
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
 	parms3=
 	if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
 	then
@@ -233,7 +245,7 @@ doroute() {
 		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
 			ip route $1 128.0.0.0/1 $parms2 $parms3"
 		;;
-	*)	it="ip route $1 $parms $parms2 $parms3"
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
 		;;
 	esac
 	oops="`eval $it 2>&1`"
@@ -252,9 +264,11 @@ doroute() {
 # in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
 if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
 then
+	KLIPS=1
 	IPSEC_POLICY_IN=""
 	IPSEC_POLICY_OUT=""
 else
+	KLIPS=
 	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
 	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
 	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
@@ -275,6 +289,13 @@ fi
 # the big choice
 case "$PLUTO_VERB:$1" in
 prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
 	# delete possibly-existing route (preliminary to adding a route)
 	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
 	"0.0.0.0/0.0.0.0")
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index da105b469..f2d3eadd6 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -113,6 +113,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index a64d9fa70..9812a32ae 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -48,20 +48,20 @@ network/packet.c network/packet.h \
 network/receiver.c network/receiver.h \
 network/sender.c network/sender.h \
 network/socket.c network/socket.h \
-processing/event_queue.c processing/event_queue.h \
-processing/job_queue.c processing/job_queue.h \
+processing/jobs/job.h \
 processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
+processing/jobs/callback_job.c processing/jobs/callback_job.h \
 processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
-processing/jobs/job.c processing/jobs/job.h \
 processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
 processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
 processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
 processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
 processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
+processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/scheduler.c processing/scheduler.h \
-processing/thread_pool.c processing/thread_pool.h  \
+processing/processor.c processing/processor.h  \
 sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
 sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
 sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
@@ -82,7 +82,9 @@ sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
 sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
 sa/tasks/ike_init.c sa/tasks/ike_init.h \
 sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
+sa/tasks/ike_mobike.c sa/tasks/ike_mobike.h \
 sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/task.c sa/tasks/task.h
 
 
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 9f4177f60..1646eec6c 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -114,13 +114,12 @@ am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
 	ts_payload.$(OBJEXT) unknown_payload.$(OBJEXT) \
 	vendor_id_payload.$(OBJEXT) kernel_interface.$(OBJEXT) \
 	packet.$(OBJEXT) receiver.$(OBJEXT) sender.$(OBJEXT) \
-	socket.$(OBJEXT) event_queue.$(OBJEXT) job_queue.$(OBJEXT) \
-	acquire_job.$(OBJEXT) delete_child_sa_job.$(OBJEXT) \
-	delete_ike_sa_job.$(OBJEXT) job.$(OBJEXT) \
+	socket.$(OBJEXT) acquire_job.$(OBJEXT) callback_job.$(OBJEXT) \
+	delete_child_sa_job.$(OBJEXT) delete_ike_sa_job.$(OBJEXT) \
 	process_message_job.$(OBJEXT) rekey_child_sa_job.$(OBJEXT) \
 	rekey_ike_sa_job.$(OBJEXT) retransmit_job.$(OBJEXT) \
 	send_dpd_job.$(OBJEXT) send_keepalive_job.$(OBJEXT) \
-	scheduler.$(OBJEXT) thread_pool.$(OBJEXT) \
+	roam_job.$(OBJEXT) scheduler.$(OBJEXT) processor.$(OBJEXT) \
 	authenticator.$(OBJEXT) eap_authenticator.$(OBJEXT) \
 	eap_method.$(OBJEXT) psk_authenticator.$(OBJEXT) \
 	rsa_authenticator.$(OBJEXT) child_sa.$(OBJEXT) \
@@ -129,7 +128,8 @@ am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
 	child_delete.$(OBJEXT) child_rekey.$(OBJEXT) \
 	ike_auth.$(OBJEXT) ike_cert.$(OBJEXT) ike_config.$(OBJEXT) \
 	ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) ike_init.$(OBJEXT) \
-	ike_natd.$(OBJEXT) ike_rekey.$(OBJEXT) task.$(OBJEXT)
+	ike_natd.$(OBJEXT) ike_mobike.$(OBJEXT) ike_rekey.$(OBJEXT) \
+	ike_reauth.$(OBJEXT) task.$(OBJEXT)
 charon_OBJECTS = $(am_charon_OBJECTS)
 charon_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
@@ -214,6 +214,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
@@ -344,20 +345,20 @@ network/packet.c network/packet.h \
 network/receiver.c network/receiver.h \
 network/sender.c network/sender.h \
 network/socket.c network/socket.h \
-processing/event_queue.c processing/event_queue.h \
-processing/job_queue.c processing/job_queue.h \
+processing/jobs/job.h \
 processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
+processing/jobs/callback_job.c processing/jobs/callback_job.h \
 processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
-processing/jobs/job.c processing/jobs/job.h \
 processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
 processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
 processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
 processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
 processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
 processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
+processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/scheduler.c processing/scheduler.h \
-processing/thread_pool.c processing/thread_pool.h  \
+processing/processor.c processing/processor.h  \
 sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
 sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
 sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
@@ -378,7 +379,9 @@ sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
 sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
 sa/tasks/ike_init.c sa/tasks/ike_init.h \
 sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
+sa/tasks/ike_mobike.c sa/tasks/ike_mobike.h \
 sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/task.c sa/tasks/task.h
 
 INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan \
@@ -584,6 +587,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Po@am__quote@
@@ -605,7 +609,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encodings.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encryption_payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/event_queue.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file_logger.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/generator.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id_payload.Po@am__quote@
@@ -617,14 +620,14 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_dpd.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_header.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_init.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_mobike.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_natd.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_reauth.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_rekey.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/interface_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/job_queue.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_backend.Plo@am__quote@
@@ -637,6 +640,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer_cfg.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_message_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/processor.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_substructure.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk_authenticator.Po@am__quote@
@@ -644,6 +648,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_child_sa_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_ike_sa_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retransmit_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/roam_job.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsa_authenticator.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa_payload.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Po@am__quote@
@@ -655,7 +660,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_pool.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Po@am__quote@
@@ -1316,34 +1320,6 @@ socket.obj: network/socket.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`
 
-event_queue.o: processing/event_queue.c
-@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.o -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.o `test -f 'processing/event_queue.c' || echo '$(srcdir)/'`processing/event_queue.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/event_queue.c' object='event_queue.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.o `test -f 'processing/event_queue.c' || echo '$(srcdir)/'`processing/event_queue.c
-
-event_queue.obj: processing/event_queue.c
-@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.obj -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.obj `if test -f 'processing/event_queue.c'; then $(CYGPATH_W) 'processing/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/event_queue.c'; fi`; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/event_queue.c' object='event_queue.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.obj `if test -f 'processing/event_queue.c'; then $(CYGPATH_W) 'processing/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/event_queue.c'; fi`
-
-job_queue.o: processing/job_queue.c
-@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.o -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.o `test -f 'processing/job_queue.c' || echo '$(srcdir)/'`processing/job_queue.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/job_queue.c' object='job_queue.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.o `test -f 'processing/job_queue.c' || echo '$(srcdir)/'`processing/job_queue.c
-
-job_queue.obj: processing/job_queue.c
-@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.obj -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.obj `if test -f 'processing/job_queue.c'; then $(CYGPATH_W) 'processing/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/job_queue.c'; fi`; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/job_queue.c' object='job_queue.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.obj `if test -f 'processing/job_queue.c'; then $(CYGPATH_W) 'processing/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/job_queue.c'; fi`
-
 acquire_job.o: processing/jobs/acquire_job.c
 @am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.o -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o acquire_job.o `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c; \
 @am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; exit 1; fi
@@ -1358,6 +1334,20 @@ acquire_job.obj: processing/jobs/acquire_job.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.obj `if test -f 'processing/jobs/acquire_job.c'; then $(CYGPATH_W) 'processing/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/acquire_job.c'; fi`
 
+callback_job.o: processing/jobs/callback_job.c
+@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.o -MD -MP -MF "$(DEPDIR)/callback_job.Tpo" -c -o callback_job.o `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/callback_job.Tpo" "$(DEPDIR)/callback_job.Po"; else rm -f "$(DEPDIR)/callback_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.o `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+
+callback_job.obj: processing/jobs/callback_job.c
+@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.obj -MD -MP -MF "$(DEPDIR)/callback_job.Tpo" -c -o callback_job.obj `if test -f 'processing/jobs/callback_job.c'; then $(CYGPATH_W) 'processing/jobs/callback_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/callback_job.c'; fi`; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/callback_job.Tpo" "$(DEPDIR)/callback_job.Po"; else rm -f "$(DEPDIR)/callback_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.obj `if test -f 'processing/jobs/callback_job.c'; then $(CYGPATH_W) 'processing/jobs/callback_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/callback_job.c'; fi`
+
 delete_child_sa_job.o: processing/jobs/delete_child_sa_job.c
 @am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.o `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c; \
 @am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi
@@ -1386,20 +1376,6 @@ delete_ike_sa_job.obj: processing/jobs/delete_ike_sa_job.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.obj `if test -f 'processing/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_ike_sa_job.c'; fi`
 
-job.o: processing/jobs/job.c
-@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.o -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.o `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/job.c' object='job.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.o `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c
-
-job.obj: processing/jobs/job.c
-@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.obj -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.obj `if test -f 'processing/jobs/job.c'; then $(CYGPATH_W) 'processing/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/job.c'; fi`; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/job.c' object='job.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.obj `if test -f 'processing/jobs/job.c'; then $(CYGPATH_W) 'processing/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/job.c'; fi`
-
 process_message_job.o: processing/jobs/process_message_job.c
 @am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.o -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.o `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c; \
 @am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi
@@ -1484,6 +1460,20 @@ send_keepalive_job.obj: processing/jobs/send_keepalive_job.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.obj `if test -f 'processing/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'processing/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_keepalive_job.c'; fi`
 
+roam_job.o: processing/jobs/roam_job.c
+@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.o -MD -MP -MF "$(DEPDIR)/roam_job.Tpo" -c -o roam_job.o `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/roam_job.Tpo" "$(DEPDIR)/roam_job.Po"; else rm -f "$(DEPDIR)/roam_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/roam_job.c' object='roam_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.o `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c
+
+roam_job.obj: processing/jobs/roam_job.c
+@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.obj -MD -MP -MF "$(DEPDIR)/roam_job.Tpo" -c -o roam_job.obj `if test -f 'processing/jobs/roam_job.c'; then $(CYGPATH_W) 'processing/jobs/roam_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/roam_job.c'; fi`; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/roam_job.Tpo" "$(DEPDIR)/roam_job.Po"; else rm -f "$(DEPDIR)/roam_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/roam_job.c' object='roam_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o roam_job.obj `if test -f 'processing/jobs/roam_job.c'; then $(CYGPATH_W) 'processing/jobs/roam_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/roam_job.c'; fi`
+
 scheduler.o: processing/scheduler.c
 @am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.o -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.o `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c; \
 @am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi
@@ -1498,19 +1488,19 @@ scheduler.obj: processing/scheduler.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.obj `if test -f 'processing/scheduler.c'; then $(CYGPATH_W) 'processing/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/processing/scheduler.c'; fi`
 
-thread_pool.o: processing/thread_pool.c
-@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.o -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.o `test -f 'processing/thread_pool.c' || echo '$(srcdir)/'`processing/thread_pool.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/thread_pool.c' object='thread_pool.o' libtool=no @AMDEPBACKSLASH@
+processor.o: processing/processor.c
+@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.o -MD -MP -MF "$(DEPDIR)/processor.Tpo" -c -o processor.o `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/processor.Tpo" "$(DEPDIR)/processor.Po"; else rm -f "$(DEPDIR)/processor.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.o' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.o `test -f 'processing/thread_pool.c' || echo '$(srcdir)/'`processing/thread_pool.c
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.o `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
 
-thread_pool.obj: processing/thread_pool.c
-@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.obj -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.obj `if test -f 'processing/thread_pool.c'; then $(CYGPATH_W) 'processing/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/processing/thread_pool.c'; fi`; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/thread_pool.c' object='thread_pool.obj' libtool=no @AMDEPBACKSLASH@
+processor.obj: processing/processor.c
+@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.obj -MD -MP -MF "$(DEPDIR)/processor.Tpo" -c -o processor.obj `if test -f 'processing/processor.c'; then $(CYGPATH_W) 'processing/processor.c'; else $(CYGPATH_W) '$(srcdir)/processing/processor.c'; fi`; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/processor.Tpo" "$(DEPDIR)/processor.Po"; else rm -f "$(DEPDIR)/processor.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.obj' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.obj `if test -f 'processing/thread_pool.c'; then $(CYGPATH_W) 'processing/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/processing/thread_pool.c'; fi`
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.obj `if test -f 'processing/processor.c'; then $(CYGPATH_W) 'processing/processor.c'; else $(CYGPATH_W) '$(srcdir)/processing/processor.c'; fi`
 
 authenticator.o: sa/authenticators/authenticator.c
 @am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.o -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c; \
@@ -1792,6 +1782,20 @@ ike_natd.obj: sa/tasks/ike_natd.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`
 
+ike_mobike.o: sa/tasks/ike_mobike.c
+@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.o -MD -MP -MF "$(DEPDIR)/ike_mobike.Tpo" -c -o ike_mobike.o `test -f 'sa/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/tasks/ike_mobike.c; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/ike_mobike.Tpo" "$(DEPDIR)/ike_mobike.Po"; else rm -f "$(DEPDIR)/ike_mobike.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_mobike.c' object='ike_mobike.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.o `test -f 'sa/tasks/ike_mobike.c' || echo '$(srcdir)/'`sa/tasks/ike_mobike.c
+
+ike_mobike.obj: sa/tasks/ike_mobike.c
+@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_mobike.obj -MD -MP -MF "$(DEPDIR)/ike_mobike.Tpo" -c -o ike_mobike.obj `if test -f 'sa/tasks/ike_mobike.c'; then $(CYGPATH_W) 'sa/tasks/ike_mobike.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_mobike.c'; fi`; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/ike_mobike.Tpo" "$(DEPDIR)/ike_mobike.Po"; else rm -f "$(DEPDIR)/ike_mobike.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_mobike.c' object='ike_mobike.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_mobike.obj `if test -f 'sa/tasks/ike_mobike.c'; then $(CYGPATH_W) 'sa/tasks/ike_mobike.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_mobike.c'; fi`
+
 ike_rekey.o: sa/tasks/ike_rekey.c
 @am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.o -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c; \
 @am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi
@@ -1806,6 +1810,20 @@ ike_rekey.obj: sa/tasks/ike_rekey.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`
 
+ike_reauth.o: sa/tasks/ike_reauth.c
+@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.o -MD -MP -MF "$(DEPDIR)/ike_reauth.Tpo" -c -o ike_reauth.o `test -f 'sa/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/tasks/ike_reauth.c; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/ike_reauth.Tpo" "$(DEPDIR)/ike_reauth.Po"; else rm -f "$(DEPDIR)/ike_reauth.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_reauth.c' object='ike_reauth.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.o `test -f 'sa/tasks/ike_reauth.c' || echo '$(srcdir)/'`sa/tasks/ike_reauth.c
+
+ike_reauth.obj: sa/tasks/ike_reauth.c
+@am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_reauth.obj -MD -MP -MF "$(DEPDIR)/ike_reauth.Tpo" -c -o ike_reauth.obj `if test -f 'sa/tasks/ike_reauth.c'; then $(CYGPATH_W) 'sa/tasks/ike_reauth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_reauth.c'; fi`; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/ike_reauth.Tpo" "$(DEPDIR)/ike_reauth.Po"; else rm -f "$(DEPDIR)/ike_reauth.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sa/tasks/ike_reauth.c' object='ike_reauth.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_reauth.obj `if test -f 'sa/tasks/ike_reauth.c'; then $(CYGPATH_W) 'sa/tasks/ike_reauth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_reauth.c'; fi`
+
 task.o: sa/tasks/task.c
 @am__fastdepCC_TRUE@	if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.o -MD -MP -MF "$(DEPDIR)/task.Tpo" -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c; \
 @am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index 5f46cd29e..5fda36925 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -238,30 +238,13 @@ static active_listener_t *get_active_listener(private_bus_t *this)
 	return found;
 }
 
-typedef struct cancel_info_t cancel_info_t;
-
-/**
- * cancellation info to cancel a listening operation cleanly
- */
-struct cancel_info_t {
-	/**
-	 * mutex to unlock on cancellation
-	 */
-	pthread_mutex_t *mutex;
-	
-	/**
-	 * listener to unregister
-	 */
-	active_listener_t *listener;
-};
-
 /**
  * disable a listener to cleanly clean up
  */
-static void unregister(cancel_info_t *info)
+static void unregister(active_listener_t *listener)
 {
-	info->listener->state = UNREGISTERED;
-	pthread_mutex_unlock(info->mutex);
+	listener->state = UNREGISTERED;
+	pthread_cond_broadcast(&listener->cond);
 }
 
 /**
@@ -272,7 +255,6 @@ static signal_t listen_(private_bus_t *this, level_t *level, int *thread,
 {
 	active_listener_t *listener;
 	int oldstate;
-	cancel_info_t info;
 	
 	pthread_mutex_lock(&this->mutex);
 	listener = get_active_listener(this);
@@ -281,13 +263,13 @@ static signal_t listen_(private_bus_t *this, level_t *level, int *thread,
 	pthread_cond_broadcast(&listener->cond);
 	/* wait until it has us delivered a signal, and go back to "registered".
 	 * we allow cancellation here, but must cleanly disable the listener. */
-	info.mutex = &this->mutex;
-	info.listener = listener;
-	pthread_cleanup_push((void*)unregister, &info);
+	pthread_cleanup_push((void*)pthread_mutex_unlock, &this->mutex);
+	pthread_cleanup_push((void*)unregister, listener);
 	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
 	pthread_cond_wait(&listener->cond, &this->mutex);
 	pthread_setcancelstate(oldstate, NULL);
 	pthread_cleanup_pop(0);
+	pthread_cleanup_pop(0);
 	
 	pthread_mutex_unlock(&this->mutex);
 	
@@ -320,7 +302,7 @@ static void set_listen_state(private_bus_t *this, bool active)
 	{
 		listener->state = UNREGISTERED;
 		/* say hello to signal emitter; we are finished processing the signal */
-		pthread_cond_signal(&listener->cond);
+		pthread_cond_broadcast(&listener->cond);
 	}
 	
 	pthread_mutex_unlock(&this->mutex);
@@ -390,7 +372,7 @@ static void vsignal(private_bus_t *this, signal_t signal, level_t level,
 			active_listener->format = format;
 			va_copy(active_listener->args, args);
 			active_listener->state = REGISTERED;
-			pthread_cond_signal(&active_listener->cond);
+			pthread_cond_broadcast(&active_listener->cond);
 		}
 	}
 	
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index 4b46c7e82..e54fb1b1b 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -39,14 +39,18 @@ typedef struct bus_t bus_t;
  *
  * Signaling is for different purporses. First, it allows debugging via
  * "debugging signal messages", sencondly, it allows to follow certain
- * mechanisms currently going on in the daemon. As we are multithreaded, 
- * and of multiple transactions are involved, it's not possible to follow
+ * mechanisms currently going on in the daemon. As we are multithreaded,
+ * and multiple transactions are involved, it's not possible to follow
  * one connection setup without further infrastructure. These infrastructure
  * is provided by the bus and the signals the daemon emits to the bus.
  *
  * There are different scenarios to follow these signals, but all have
  * the same scheme. First, a START signal is emitted to indicate the daemon
- * has started to 
+ * has started to do something. After a start signal, a SUCCESS or a FAILED
+ * signal of the same type follows. This allows to track the operation. Any
+ * Debug signal betwee a START and a SUCCESS/FAILED belongs to that operation
+ * if the IKE_SA is the same. The thread may change, as multiple threads
+ * may be involved in a complex scenario.
  *
  * @ingroup bus
  */
@@ -247,7 +251,9 @@ struct bus_listener_t {
  * in receiving event signals registers at the bus. Any signals sent to
  * are delivered to all registered listeners.
  * To deliver signals to threads, the blocking listen() call may be used
- * to wait for a signal.
+ * to wait for a signal. However, passive listeners should be preferred,
+ * as listening actively requires some synchronization overhead as data
+ * must be passed from the raising thread to the listening thread.
  *
  * @ingroup bus
  */
@@ -283,7 +289,7 @@ struct bus_t {
 	 * it processes a signal, registration is required. This is done through
 	 * the set_listen_state() method, see below.
 	 *
-	 * The listen() function is (has) a thread cancellation point, so might
+	 * The listen() function is (has) a thread cancellation point, so you might
 	 * want to register cleanup handlers.
 	 *
 	 * @param this		bus
diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c
index 6964345b3..649fcbcfb 100644
--- a/src/charon/config/credentials/local_credential_store.c
+++ b/src/charon/config/credentials/local_credential_store.c
@@ -456,7 +456,10 @@ static void add_uris(ca_info_t *issuer, x509_t *cert)
 	
 	while (iterator->iterate(iterator, (void**)&uri))
 	{
-		issuer->add_crluri(issuer, uri->get_encoding(uri));
+		if (uri->get_type(uri) == ID_DER_ASN1_GN_URI)
+		{
+			issuer->add_crluri(issuer, uri->get_encoding(uri));
+		}
 	}
 	iterator->destroy(iterator);
 
@@ -465,7 +468,10 @@ static void add_uris(ca_info_t *issuer, x509_t *cert)
 	
 	while (iterator->iterate(iterator, (void**)&uri))
 	{
-		issuer->add_ocspuri(issuer, uri->get_encoding(uri));
+		if (uri->get_type(uri) == ID_DER_ASN1_GN_URI)
+		{
+			issuer->add_ocspuri(issuer, uri->get_encoding(uri));
+		}
 	}
 	iterator->destroy(iterator);
 }
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index b399074d1..da39c434d 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -175,6 +175,7 @@ static int print(FILE *stream, const struct printf_info *info,
 	bool has_proto;
 	bool has_ports;
 	size_t written = 0;
+	u_int32_t from[4], to[4];
 	
 	if (this == NULL)
 	{
@@ -193,7 +194,11 @@ static int print(FILE *stream, const struct printf_info *info,
 		return written;
 	}
 	
-	if (this->dynamic)
+	memset(from, 0, sizeof(from));
+	memset(to, 0xFF, sizeof(to));
+	if (this->dynamic &&
+		memeq(this->from, from, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16) && 
+		memeq(this->to, to, this->type == TS_IPV4_ADDR_RANGE ? 4 : 16))
 	{
 		return fprintf(stream, "dynamic/%d",
 					   this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
@@ -341,6 +346,7 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
 		/* we have a match in protocol, port, and address: return it... */
 		new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
 		new_ts->type = this->type;
+		new_ts->dynamic = this->dynamic || other->dynamic;
 		memcpy(new_ts->from, from, size);
 		memcpy(new_ts->to, to, size);
 		
@@ -475,11 +481,6 @@ static u_int8_t get_protocol(private_traffic_selector_t *this)
  */
 static bool is_host(private_traffic_selector_t *this, host_t *host)
 {
-	if (this->dynamic)
-	{
-		return TRUE;
-	}
-
 	if (host)
 	{
 		chunk_t addr;
@@ -498,7 +499,12 @@ static bool is_host(private_traffic_selector_t *this, host_t *host)
 	}
 	else
 	{
-		size_t length =  (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+		size_t length = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+		
+		if (this->dynamic)
+		{
+			return TRUE;
+		}
 		
 		if (memeq(this->from, this->to, length))
 		{
diff --git a/src/charon/control/interfaces/dbus_interface.c b/src/charon/control/interfaces/dbus_interface.c
index 443df635c..d93a5d048 100644
--- a/src/charon/control/interfaces/dbus_interface.c
+++ b/src/charon/control/interfaces/dbus_interface.c
@@ -30,6 +30,7 @@
 
 #include <library.h>
 #include <daemon.h>
+#include <processing/jobs/callback_job.h>
 
 
 #define NM_DBUS_SERVICE_STRONG "org.freedesktop.NetworkManager.strongswan"
@@ -64,9 +65,9 @@ struct private_dbus_interface_t {
 	NMVPNState state;
 	
 	/**
-	 * dispatcher thread for DBUS messages
+	 * job accepting stroke messages
 	 */
-	pthread_t thread;
+	callback_job_t *job;
 	
 	/**
 	 * name of the currently active connection
@@ -392,14 +393,13 @@ static DBusHandlerResult signal_handler(DBusConnection *con, DBusMessage *msg,
 /**
  * dispatcher function processed by a seperate thread
  */
-static void dispatch(private_dbus_interface_t *this)
+static job_requeue_t dispatch(private_dbus_interface_t *this)
 {
-	charon->drop_capabilities(charon, TRUE);
-
-	while (dbus_connection_read_write_dispatch(this->conn, -1))
+	if (dbus_connection_read_write_dispatch(this->conn, -1))
 	{
-		/* nothing */
+		return JOB_REQUEUE_DIRECT;
 	}
+	return JOB_REQUEUE_NONE;
 }
 
 /**
@@ -407,8 +407,7 @@ static void dispatch(private_dbus_interface_t *this)
  */
 static void destroy(private_dbus_interface_t *this)
 {
-	pthread_cancel(this->thread);
-	pthread_join(this->thread, NULL);
+	this->job->cancel(this->job);
 	dbus_connection_close(this->conn);
 	dbus_error_free(&this->err);
 	dbus_shutdown();
@@ -469,10 +468,8 @@ interface_t *interface_create()
 	this->state = NM_VPN_STATE_INIT;
 	set_state(this, NM_VPN_STATE_STOPPED);
 
-	if (pthread_create(&this->thread, NULL, (void*(*)(void*))dispatch, this) != 0)
-	{
-		charon->kill(charon, "unable to create stroke thread");
-	}
+	this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
 
 	return &this->public.interface;
 }
diff --git a/src/charon/control/interfaces/stroke_interface.c b/src/charon/control/interfaces/stroke_interface.c
index 6e3427e8e..7885fc2e6 100755
--- a/src/charon/control/interfaces/stroke_interface.c
+++ b/src/charon/control/interfaces/stroke_interface.c
@@ -43,6 +43,7 @@
 #include <control/interface_manager.h>
 #include <control/interfaces/interface.h>
 #include <utils/leak_detective.h>
+#include <processing/jobs/callback_job.h>
 
 #define IKE_PORT	500
 #define PATH_BUF	256
@@ -69,9 +70,9 @@ struct private_stroke_interface_t {
 	int socket;
 	
 	/**
-	 * Thread which reads from the Socket
+	 * job accepting stroke messages
 	 */
-	pthread_t threads[STROKE_THREADS];
+	callback_job_t *job;
 };
 
 typedef struct stroke_log_info_t stroke_log_info_t;
@@ -224,8 +225,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
 /**
  * Add a connection to the configuration list
  */
-static void stroke_add_conn(private_stroke_interface_t *this,
-							stroke_msg_t *msg, FILE *out)
+static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
 {
 	ike_cfg_t *ike_cfg;
 	peer_cfg_t *peer_cfg;
@@ -288,16 +288,18 @@ static void stroke_add_conn(private_stroke_interface_t *this,
 		msg->add_conn.other = tmp_end;
 		free(interface);
 	}
-	if (!interface)
+	else
 	{
 		interface = charon->kernel_interface->get_interface(
 											charon->kernel_interface, my_host);
 		if (!interface)
 		{
-			DBG1(DBG_CFG, "left nor right host is our side, aborting\n");
-			goto destroy_hosts;
+			DBG1(DBG_CFG, "left nor right host is our side, assuming left=local");
+		}
+		else
+		{
+			free(interface);
 		}
-		free(interface);
 	}
 
 	my_id = identification_create_from_string(msg->add_conn.me.id ?
@@ -628,8 +630,7 @@ destroy_hosts:
 /**
  * Delete a connection from the list
  */
-static void stroke_del_conn(private_stroke_interface_t *this,
-							stroke_msg_t *msg, FILE *out)
+static void stroke_del_conn(stroke_msg_t *msg, FILE *out)
 {
 	iterator_t *peer_iter, *child_iter;
 	peer_cfg_t *peer, *child;
@@ -747,8 +748,7 @@ static peer_cfg_t *get_peer_cfg_by_name(char *name)
 /**
  * initiate a connection by name
  */
-static void stroke_initiate(private_stroke_interface_t *this,
-							stroke_msg_t *msg, FILE *out)
+static void stroke_initiate(stroke_msg_t *msg, FILE *out)
 {
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
@@ -781,7 +781,6 @@ static void stroke_initiate(private_stroke_interface_t *this,
 	
 	info.out = out;
 	info.level = msg->output_verbosity;
-	
 	charon->interfaces->initiate(charon->interfaces, peer_cfg, child_cfg,
 								 (interface_manager_cb_t)stroke_log, &info);
 }
@@ -789,8 +788,7 @@ static void stroke_initiate(private_stroke_interface_t *this,
 /**
  * route a policy (install SPD entries)
  */
-static void stroke_route(private_stroke_interface_t *this,
-						 stroke_msg_t *msg, FILE *out)
+static void stroke_route(stroke_msg_t *msg, FILE *out)
 {
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
@@ -830,8 +828,7 @@ static void stroke_route(private_stroke_interface_t *this,
 /**
  * unroute a policy
  */
-static void stroke_unroute(private_stroke_interface_t *this,
-						   stroke_msg_t *msg, FILE *out)
+static void stroke_unroute(stroke_msg_t *msg, FILE *out)
 {
 	char *name;
 	ike_sa_t *ike_sa;
@@ -874,8 +871,7 @@ static void stroke_unroute(private_stroke_interface_t *this,
 /**
  * terminate a connection by name
  */
-static void stroke_terminate(private_stroke_interface_t *this,
-							 stroke_msg_t *msg, FILE *out)
+static void stroke_terminate(stroke_msg_t *msg, FILE *out)
 {
 	char *string, *pos = NULL, *name = NULL;
 	u_int32_t id = 0;
@@ -979,8 +975,7 @@ static void stroke_terminate(private_stroke_interface_t *this,
 /**
  * Add a ca information record to the cainfo list
  */
-static void stroke_add_ca(private_stroke_interface_t *this,
-						  stroke_msg_t *msg, FILE *out)
+static void stroke_add_ca(stroke_msg_t *msg, FILE *out)
 {
 	x509_t *cacert;
 	ca_info_t *ca_info;
@@ -1047,8 +1042,7 @@ static void stroke_add_ca(private_stroke_interface_t *this,
 /**
  * Delete a ca information record from the cainfo list
  */
-static void stroke_del_ca(private_stroke_interface_t *this,
-						  stroke_msg_t *msg, FILE *out)
+static void stroke_del_ca(stroke_msg_t *msg, FILE *out)
 {
 	status_t status;
 	
@@ -1194,11 +1188,9 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
 /**
  * show status of daemon
  */
-static void stroke_status(private_stroke_interface_t *this,
-						  stroke_msg_t *msg, FILE *out, bool all)
+static void stroke_status(stroke_msg_t *msg, FILE *out, bool all)
 {
 	iterator_t *iterator, *children;
-	linked_list_t *list;
 	host_t *host;
 	peer_cfg_t *peer_cfg;
 	ike_cfg_t *ike_cfg;
@@ -1218,21 +1210,20 @@ static void stroke_status(private_stroke_interface_t *this,
 	
 		fprintf(out, "Performance:\n");
 		fprintf(out, "  worker threads: %d idle of %d,",
-				charon->thread_pool->get_idle_threads(charon->thread_pool),
-				charon->thread_pool->get_pool_size(charon->thread_pool));
+				charon->processor->get_idle_threads(charon->processor),
+				charon->processor->get_total_threads(charon->processor));
 		fprintf(out, " job queue load: %d,",
-				charon->job_queue->get_count(charon->job_queue));
+				charon->processor->get_job_load(charon->processor));
 		fprintf(out, " scheduled events: %d\n",
-				charon->event_queue->get_count(charon->event_queue));
-		list = charon->kernel_interface->create_address_list(charon->kernel_interface);
-
-		fprintf(out, "Listening on %d IP addresses:\n", list->get_count(list));
-		while (list->remove_first(list, (void**)&host) == SUCCESS)
+				charon->scheduler->get_job_load(charon->scheduler));
+		iterator = charon->kernel_interface->create_address_iterator(
+													charon->kernel_interface);
+		fprintf(out, "Listening IP addresses:\n");
+		while (iterator->iterate(iterator, (void**)&host))
 		{
 			fprintf(out, "  %H\n", host);
-			host->destroy(host);
 		}
-		list->destroy(list);
+		iterator->destroy(iterator);
 	
 		fprintf(out, "Connections:\n");
 		iterator = charon->backends->create_iterator(charon->backends);
@@ -1312,8 +1303,8 @@ static void stroke_status(private_stroke_interface_t *this,
 /**
  * list all authority certificates matching a specified flag 
  */
-static void list_auth_certificates(private_stroke_interface_t *this,  u_int flag,
-								   const char *label, bool utc, FILE *out)
+static void list_auth_certificates(u_int flag, const char *label,
+								   bool utc, FILE *out)
 {
 	bool first = TRUE;
 	x509_t *cert;
@@ -1341,8 +1332,7 @@ static void list_auth_certificates(private_stroke_interface_t *this,  u_int flag
 /**
  * list various information
  */
-static void stroke_list(private_stroke_interface_t *this, 
-						stroke_msg_t *msg, FILE *out)
+static void stroke_list(stroke_msg_t *msg, FILE *out)
 {
 	iterator_t *iterator;
 	
@@ -1372,15 +1362,15 @@ static void stroke_list(private_stroke_interface_t *this,
 	}
 	if (msg->list.flags & LIST_CACERTS)
 	{
-		list_auth_certificates(this, AUTH_CA, "CA", msg->list.utc, out);
+		list_auth_certificates(AUTH_CA, "CA", msg->list.utc, out);
 	}
 	if (msg->list.flags & LIST_OCSPCERTS)
 	{
-		list_auth_certificates(this, AUTH_OCSP, "OCSP", msg->list.utc, out);
+		list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out);
 	}
 	if (msg->list.flags & LIST_AACERTS)
 	{
-		list_auth_certificates(this, AUTH_AA, "AA", msg->list.utc, out);
+		list_auth_certificates(AUTH_AA, "AA", msg->list.utc, out);
 	}
 	if (msg->list.flags & LIST_CAINFOS)
 	{
@@ -1453,8 +1443,7 @@ static void stroke_list(private_stroke_interface_t *this,
 /**
  * reread various information
  */
-static void stroke_reread(private_stroke_interface_t *this,
-						  stroke_msg_t *msg, FILE *out)
+static void stroke_reread(stroke_msg_t *msg, FILE *out)
 {
 	if (msg->reread.flags & REREAD_CACERTS)
 	{
@@ -1473,8 +1462,7 @@ static void stroke_reread(private_stroke_interface_t *this,
 /**
  * purge various information
  */
-static void stroke_purge(private_stroke_interface_t *this,
-						 stroke_msg_t *msg, FILE *out)
+static void stroke_purge(stroke_msg_t *msg, FILE *out)
 {
 	if (msg->purge.flags & PURGE_OCSP)
 	{
@@ -1510,8 +1498,7 @@ signal_t get_signal_from_logtype(char *type)
 /**
  * set the verbosity debug output
  */
-static void stroke_loglevel(private_stroke_interface_t *this,
-							stroke_msg_t *msg, FILE *out)
+static void stroke_loglevel(stroke_msg_t *msg, FILE *out)
 {
 	signal_t signal;
 	
@@ -1533,20 +1520,22 @@ static void stroke_loglevel(private_stroke_interface_t *this,
 /**
  * process a stroke request from the socket pointed by "fd"
  */
-static void stroke_process(private_stroke_interface_t *this, int strokefd)
+static job_requeue_t stroke_process(int *fdp)
 {
 	stroke_msg_t *msg;
 	u_int16_t msg_length;
 	ssize_t bytes_read;
 	FILE *out;
+	int strokefd = *fdp;
 	
 	/* peek the length */
 	bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
 	if (bytes_read != sizeof(msg_length))
 	{
-		DBG1(DBG_CFG, "reading length of stroke message failed");
+		DBG1(DBG_CFG, "reading length of stroke message failed: %s",
+			 strerror(errno));
 		close(strokefd);
-		return;
+		return JOB_REQUEUE_NONE;
 	}
 	
 	/* read message */
@@ -1556,105 +1545,107 @@ static void stroke_process(private_stroke_interface_t *this, int strokefd)
 	{
 		DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
 		close(strokefd);
-		return;
+		return JOB_REQUEUE_NONE;
 	}
 	
-	out = fdopen(dup(strokefd), "w");
+	out = fdopen(strokefd, "w");
 	if (out == NULL)
 	{
 		DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno));
 		close(strokefd);
 		free(msg);
-		return;
+		return JOB_REQUEUE_NONE;
 	}
 	
 	DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
 	
+	/* the stroke_* functions are blocking, as they listen on the bus. Add
+	 * cancellation handlers. */
+	pthread_cleanup_push((void*)fclose, out);
+	pthread_cleanup_push(free, msg);
+	
 	switch (msg->type)
 	{
 		case STR_INITIATE:
-			stroke_initiate(this, msg, out);
+			stroke_initiate(msg, out);
 			break;
 		case STR_ROUTE:
-			stroke_route(this, msg, out);
+			stroke_route(msg, out);
 			break;
 		case STR_UNROUTE:
-			stroke_unroute(this, msg, out);
+			stroke_unroute(msg, out);
 			break;
 		case STR_TERMINATE:
-			stroke_terminate(this, msg, out);
+			stroke_terminate(msg, out);
 			break;
 		case STR_STATUS:
-			stroke_status(this, msg, out, FALSE);
+			stroke_status(msg, out, FALSE);
 			break;
 		case STR_STATUS_ALL:
-			stroke_status(this, msg, out, TRUE);
+			stroke_status(msg, out, TRUE);
 			break;
 		case STR_ADD_CONN:
-			stroke_add_conn(this, msg, out);
+			stroke_add_conn(msg, out);
 			break;
 		case STR_DEL_CONN:
-			stroke_del_conn(this, msg, out);
+			stroke_del_conn(msg, out);
 			break;
 		case STR_ADD_CA:
-			stroke_add_ca(this, msg, out);
+			stroke_add_ca(msg, out);
 			break;
 		case STR_DEL_CA:
-			stroke_del_ca(this, msg, out);
+			stroke_del_ca(msg, out);
 			break;
 		case STR_LOGLEVEL:
-			stroke_loglevel(this, msg, out);
+			stroke_loglevel(msg, out);
 			break;
 		case STR_LIST:
-			stroke_list(this, msg, out);
+			stroke_list(msg, out);
 			break;
 		case STR_REREAD:
-			stroke_reread(this, msg, out);
+			stroke_reread(msg, out);
 			break;
 		case STR_PURGE:
-			stroke_purge(this, msg, out);
+			stroke_purge(msg, out);
 			break;
 		default:
 			DBG1(DBG_CFG, "received unknown stroke");
 	}
-	fclose(out);
-	close(strokefd);
-	free(msg);
+	/* remove and execute cancellation handlers */
+	pthread_cleanup_pop(1);
+	pthread_cleanup_pop(1);
+	
+	return JOB_REQUEUE_NONE;
 }
 
+
 /**
  * Implementation of private_stroke_interface_t.stroke_receive.
  */
-static void stroke_receive(private_stroke_interface_t *this)
+static job_requeue_t stroke_receive(private_stroke_interface_t *this)
 {
 	struct sockaddr_un strokeaddr;
 	int strokeaddrlen = sizeof(strokeaddr);
+	int strokefd, *fdp;
 	int oldstate;
-	int strokefd;
-	
-	charon->drop_capabilities(charon, TRUE);
+	callback_job_t *job;
 	
-	/* ignore sigpipe. writing over the pipe back to the console
-	 * only fails if SIGPIPE is ignored. */
-	signal(SIGPIPE, SIG_IGN);
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
+	pthread_setcancelstate(oldstate, NULL);
 	
-	/* disable cancellation by default */
-	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
-	
-	while (TRUE)
+	if (strokefd < 0)
 	{
-		/* wait for connections, but allow thread to terminate */
-		pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-		strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
-		pthread_setcancelstate(oldstate, NULL);
-		
-		if (strokefd < 0)
-		{
-			DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
-			continue;
-		}
-		stroke_process(this, strokefd);
+		DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
+		return JOB_REQUEUE_FAIR;
 	}
+	
+	fdp = malloc_thing(int);
+	*fdp = strokefd;
+	job = callback_job_create((callback_job_cb_t)stroke_process, fdp, free, this->job);
+	charon->processor->queue_job(charon->processor, (job_t*)job);
+	
+	return JOB_REQUEUE_FAIR;
 }
 
 /**
@@ -1662,17 +1653,9 @@ static void stroke_receive(private_stroke_interface_t *this)
  */
 static void destroy(private_stroke_interface_t *this)
 {
-	int i;
-	
-	for (i = 0; i < STROKE_THREADS; i++)
-	{
-		pthread_cancel(this->threads[i]);
-		pthread_join(this->threads[i], NULL);
-	}
-
-	close(this->socket);
-	unlink(socket_addr.sun_path);
+	this->job->cancel(this->job);
 	free(this);
+	unlink(socket_addr.sun_path);
 }
 
 /*
@@ -1682,7 +1665,6 @@ interface_t *interface_create()
 {
 	private_stroke_interface_t *this = malloc_thing(private_stroke_interface_t);
 	mode_t old;
-	int i;
 
 	/* public functions */
 	this->public.interface.destroy = (void (*)(interface_t*))destroy;
@@ -1715,14 +1697,10 @@ interface_t *interface_create()
 		return NULL;
 	}
 	
-	/* start threads reading from the socket */
-	for (i = 0; i < STROKE_THREADS; i++)
-	{
-		if (pthread_create(&this->threads[i], NULL, (void*(*)(void*))stroke_receive, this) != 0)
-		{
-			charon->kill(charon, "unable to create stroke thread");
-		}
-	}
+	this->job = callback_job_create((callback_job_cb_t)stroke_receive,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
 	
 	return &this->public.interface;
 }
+
diff --git a/src/charon/control/interfaces/xml_interface.c b/src/charon/control/interfaces/xml_interface.c
index e570f2543..992377436 100644
--- a/src/charon/control/interfaces/xml_interface.c
+++ b/src/charon/control/interfaces/xml_interface.c
@@ -24,8 +24,22 @@
 
 #include "xml_interface.h"
 
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include <errno.h>
+#include <pthread.h>
+#include <signal.h>
+#include <libxml/xmlreader.h>
+#include <libxml/xmlwriter.h>
+
 #include <library.h>
 #include <daemon.h>
+#include <processing/jobs/callback_job.h>
+
+static struct sockaddr_un socket_addr = { AF_UNIX, "/var/run/charon.xml"};
 
 
 typedef struct private_xml_interface_t private_xml_interface_t;
@@ -39,14 +53,166 @@ struct private_xml_interface_t {
 	 * Public part of xml_t object.
 	 */
 	xml_interface_t public;
+	
+	/**
+	 * XML unix socket fd
+	 */
+	int socket;
+	
+	/**
+	 * job accepting stroke messages
+	 */
+	callback_job_t *job;
 };
 
+/**
+ * process a getRequest message
+ */
+static void process_get(xmlTextReaderPtr reader, xmlTextWriterPtr writer)
+{
+	if (/* <GetResponse> */
+		xmlTextWriterStartElement(writer, "GetResponse") < 0 ||
+		/*   <Status Code="200"><Message/></Status> */
+		xmlTextWriterStartElement(writer, "Status") < 0 ||
+		xmlTextWriterWriteAttribute(writer, "Code", "200") < 0  ||
+		xmlTextWriterStartElement(writer, "Message") < 0 ||
+		xmlTextWriterEndElement(writer) < 0 ||
+		xmlTextWriterEndElement(writer) < 0 ||
+		/*   <ConnectionList/> */
+		xmlTextWriterStartElement(writer, "ConnectionList") < 0 ||
+		xmlTextWriterEndElement(writer) < 0 ||
+		/* </GetResponse> */
+		xmlTextWriterEndElement(writer) < 0)
+	{
+		DBG1(DBG_CFG, "error writing XML document (GetResponse)");
+	}
+}
+
+/**
+ * read from a opened connection and process it
+ */
+static job_requeue_t process(int *fdp)
+{
+	int oldstate, fd = *fdp;
+	char buffer[4096];
+	size_t len;
+	xmlTextReaderPtr reader;
+	xmlTextWriterPtr writer;
+	
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	len = read(fd, buffer, sizeof(buffer));
+	pthread_setcancelstate(oldstate, NULL);
+	if (len <= 0)
+	{
+		close(fd);
+		DBG2(DBG_CFG, "SMP XML connection closed");
+		return JOB_REQUEUE_NONE;
+	}
+	
+	reader = xmlReaderForMemory(buffer, len, NULL, NULL, 0);
+	if (reader == NULL)
+	{
+		DBG1(DBG_CFG, "opening SMP XML reader failed");
+		return JOB_REQUEUE_FAIR;;
+	}
+	
+	writer = xmlNewTextWriter(xmlOutputBufferCreateFd(fd, NULL));
+	if (writer == NULL)
+	{
+		xmlFreeTextReader(reader);
+		DBG1(DBG_CFG, "opening SMP XML writer failed");
+		return JOB_REQUEUE_FAIR;;
+	}
+	
+	/* create the standard message parts */
+	if (xmlTextWriterStartDocument(writer, NULL, NULL, NULL) < 0 ||
+		/* <SMPMessage xmlns="http://www.strongswan.org/smp/1.0"> */
+		xmlTextWriterStartElement(writer, "SMPMessage") < 0 ||
+		xmlTextWriterWriteAttribute(writer, "xmlns",
+						"http://www.strongswan.org/smp/1.0") < 0 ||
+		/* <Body> */
+		xmlTextWriterStartElement(writer, "Body") < 0)
+	{
+		xmlFreeTextReader(reader);
+		xmlFreeTextWriter(writer);
+		DBG1(DBG_CFG, "creating SMP XML message failed");
+		return JOB_REQUEUE_FAIR;;
+	}
+	
+    while (TRUE)
+    {
+    	switch (xmlTextReaderRead(reader))
+    	{
+    		case 1:
+    		{
+				if (xmlTextReaderNodeType(reader) == XML_READER_TYPE_ELEMENT)
+				{
+					if (streq(xmlTextReaderConstName(reader), "GetRequest"))
+					{
+						process_get(reader, writer);
+						break;
+					}
+				}
+				continue;
+			}
+			case 0:
+			    /* end of XML */
+			    break;
+			default:
+			    DBG1(DBG_CFG, "parsing SMP XML message failed");
+			    break;
+		}
+        xmlFreeTextReader(reader);
+        break;
+    }
+    /* write </Body></SMPMessage> and close document */
+    if (xmlTextWriterEndDocument(writer) < 0)
+    {
+		DBG1(DBG_CFG, "completing SMP XML message failed");
+    }
+    xmlFreeTextWriter(writer);
+    
+    /* write a newline to indicate end of xml */
+    write(fd, "\n", 1);
+    return JOB_REQUEUE_FAIR;;
+}
+
+/**
+ * accept from XML socket and create jobs to process connections
+ */
+static job_requeue_t dispatch(private_xml_interface_t *this)
+{
+	struct sockaddr_un strokeaddr;
+	int oldstate, fd, *fdp, strokeaddrlen = sizeof(strokeaddr);
+	callback_job_t *job;
+	
+	/* wait for connections, but allow thread to terminate */
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	fd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
+	pthread_setcancelstate(oldstate, NULL);
+	
+	if (fd < 0)
+	{
+		DBG1(DBG_CFG, "accepting SMP XML socket failed: %s", strerror(errno));
+		sleep(1);
+		return JOB_REQUEUE_FAIR;;
+	}
+	
+	fdp = malloc_thing(int);
+	*fdp = fd;
+	job = callback_job_create((callback_job_cb_t)process, fdp, free, this->job);
+	charon->processor->queue_job(charon->processor, (job_t*)job);
+	
+	return JOB_REQUEUE_DIRECT;
+}
 
 /**
  * Implementation of itnerface_t.destroy.
  */
 static void destroy(private_xml_interface_t *this)
 {
+	this->job->cancel(this->job);
+	unlink(socket_addr.sun_path);
 	free(this);
 }
 
@@ -56,8 +222,40 @@ static void destroy(private_xml_interface_t *this)
 interface_t *interface_create()
 {
 	private_xml_interface_t *this = malloc_thing(private_xml_interface_t);
+	mode_t old;
 
-	this->public.interface.destroy = (void (*)(xml_interface_t*))destroy;
+	this->public.interface.destroy = (void (*)(interface_t*))destroy;
+	
+	/* set up unix socket */
+	this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (this->socket == -1)
+	{
+		DBG1(DBG_CFG, "could not create XML socket");
+		free(this);
+		return NULL;
+	}
+	
+	old = umask(~S_IRWXU);
+	if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
+	{
+		DBG1(DBG_CFG, "could not bind XML socket: %s", strerror(errno));
+		close(this->socket);
+		free(this);
+		return NULL;
+	}
+	umask(old);
+	
+	if (listen(this->socket, 0) < 0)
+	{
+		DBG1(DBG_CFG, "could not listen on XML socket: %s", strerror(errno));
+		close(this->socket);
+		free(this);
+		return NULL;
+	}
+
+	this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
 	
 	return &this->public.interface;
 }
+
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 62e29b365..37699f83f 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -115,25 +115,26 @@ static void dbg_stderr(int level, char *fmt, ...)
  */
 static void run(private_daemon_t *this)
 {
-	/* reselect signals for this thread */
-	sigemptyset(&(this->signal_set));
-	sigaddset(&(this->signal_set), SIGINT); 
-	sigaddset(&(this->signal_set), SIGHUP); 
-	sigaddset(&(this->signal_set), SIGTERM); 
-	pthread_sigmask(SIG_BLOCK, &(this->signal_set), 0);
-	
-	while(TRUE)
+	sigset_t set;
+	
+	/* handle SIGINT, SIGHUP ans SIGTERM in this handler */
+	sigemptyset(&set);
+	sigaddset(&set, SIGINT); 
+	sigaddset(&set, SIGHUP); 
+	sigaddset(&set, SIGTERM);
+	
+	while (TRUE)
 	{
-		int signal_number;
+		int sig;
 		int error;
 		
-		error = sigwait(&(this->signal_set), &signal_number);
-		if(error)
+		error = sigwait(&set, &sig);
+		if (error)
 		{
 			DBG1(DBG_DMN, "error %d while waiting for a signal", error);
 			return;
 		}
-		switch (signal_number)
+		switch (sig)
 		{
 			case SIGHUP:
 			{
@@ -146,11 +147,13 @@ static void run(private_daemon_t *this)
 				return;
 			}
 			case SIGTERM:
+			{
 				DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
 				return;
+			}
 			default:
 			{
-				DBG1(DBG_DMN, "unknown signal %d received. Ignored", signal_number);
+				DBG1(DBG_DMN, "unknown signal %d received. Ignored", sig);
 				break;
 			}
 		}
@@ -162,33 +165,22 @@ static void run(private_daemon_t *this)
  */
 static void destroy(private_daemon_t *this)
 {
-	/* destruction is a non trivial task, we need to follow 
-	* a strict order to prevent threading issues! 
-	* Kill active threads first, except the sender, as
-	* the killed IKE_SA want to send delete messages.
-	*/
-	/* we don't want to receive anything anymore... */
-	DESTROY_IF(this->public.receiver);
-	/* ignore all incoming user requests */
-	DESTROY_IF(this->public.interfaces);
-	/* stop scheduing jobs */
-	DESTROY_IF(this->public.scheduler);
-	/* stop processing jobs */
-	DESTROY_IF(this->public.thread_pool);
-	/* shut down manager with all IKE SAs */
+	/* terminate all idle threads */
+	this->public.processor->set_threads(this->public.processor, 0);
+	/* close all IKE_SAs */
 	DESTROY_IF(this->public.ike_sa_manager);
-	/* all child SAs should be down now, so kill kernel interface */
-	DESTROY_IF(this->public.kernel_interface);
-	/* destroy other infrastructure */
-	DESTROY_IF(this->public.job_queue);
-	DESTROY_IF(this->public.event_queue);
-	DESTROY_IF(this->public.credentials);
+	DESTROY_IF(this->public.scheduler);
+	DESTROY_IF(this->public.interfaces);
 	DESTROY_IF(this->public.backends);
-	/* we hope the sender could send the outstanding deletes, but 
-	 * we shut down here at any cost */
+	DESTROY_IF(this->public.credentials);
+	DESTROY_IF(this->public.kernel_interface);
 	DESTROY_IF(this->public.sender);
+	DESTROY_IF(this->public.receiver);
 	DESTROY_IF(this->public.socket);
-	/* before destroying bus with its listeners, rehook library logs */
+	/* wait until all threads are gone */
+	DESTROY_IF(this->public.processor);
+	
+	/* rehook library logging, shutdown logging */
 	dbg = dbg_stderr;
 	DESTROY_IF(this->public.bus);
 	DESTROY_IF(this->public.outlog);
@@ -197,7 +189,6 @@ static void destroy(private_daemon_t *this)
 	free(this);
 }
 
-
 /**
  * Enforce daemon shutdown, with a given reason to do so.
  */
@@ -228,6 +219,7 @@ static void drop_capabilities(private_daemon_t *this, bool full)
 {
 	struct __user_cap_header_struct hdr;
 	struct __user_cap_data_struct data;
+	
 	/* CAP_NET_ADMIN is needed to use netlink */
 	u_int32_t keep = (1<<CAP_NET_ADMIN);
 	
@@ -242,11 +234,11 @@ static void drop_capabilities(private_daemon_t *this, bool full)
 	}
 	else
 	{
-		/* CAP_NET_BIND_SERVICE to bind services below port 1024, 
-		 * CAP_NET_RAW to create RAW sockets.
-		 * CAP_DAC_READ_SEARCH is needed to read ipsec.secrets */
+		/* CAP_NET_BIND_SERVICE to bind services below port 1024 */
 		keep |= (1<<CAP_NET_BIND_SERVICE);
+		/* CAP_NET_RAW to create RAW sockets */
 		keep |= (1<<CAP_NET_RAW);
+		/* CAP_DAC_READ_SEARCH to read ipsec.secrets */
 		keep |= (1<<CAP_DAC_READ_SEARCH);
 	}
 
@@ -257,7 +249,7 @@ static void drop_capabilities(private_daemon_t *this, bool full)
 	
 	if (capset(&hdr, &data))
 	{
-		kill_daemon(this, "unable to drop threads capabilities");
+		kill_daemon(this, "unable to drop daemon capabilities");
 	}
 }
 
@@ -266,7 +258,6 @@ static void drop_capabilities(private_daemon_t *this, bool full)
  */
 static void initialize(private_daemon_t *this, bool syslog, level_t levels[])
 {
-	credential_store_t* credentials;
 	signal_t signal;
 	
 	/* for uncritical pseudo random numbers */
@@ -298,38 +289,32 @@ static void initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	
 	DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION);
 	
-	this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT);
 	this->public.ike_sa_manager = ike_sa_manager_create();
-	this->public.job_queue = job_queue_create();
-	this->public.event_queue = event_queue_create();
-	this->public.credentials = (credential_store_t*)local_credential_store_create();
-	this->public.backends = backend_manager_create();
-
-	/* initialize fetcher_t class */
-	fetcher_initialize();
+	this->public.processor = processor_create();
+	this->public.scheduler = scheduler_create();
 
 	/* load secrets, ca certificates and crls */
-	credentials = this->public.credentials;
-	credentials->load_ca_certificates(credentials);
-	credentials->load_aa_certificates(credentials);
-	credentials->load_attr_certificates(credentials);
-	credentials->load_ocsp_certificates(credentials);
-	credentials->load_crls(credentials);
-	credentials->load_secrets(credentials);
-	
-	/* start building threads, we are multi-threaded NOW */
+	this->public.credentials = (credential_store_t*)local_credential_store_create();
+	this->public.credentials->load_ca_certificates(this->public.credentials);
+	this->public.credentials->load_aa_certificates(this->public.credentials);
+	this->public.credentials->load_attr_certificates(this->public.credentials);
+	this->public.credentials->load_ocsp_certificates(this->public.credentials);
+	this->public.credentials->load_crls(this->public.credentials);
+	this->public.credentials->load_secrets(this->public.credentials);
+	
 	this->public.interfaces = interface_manager_create();
+	this->public.backends = backend_manager_create();
+	this->public.kernel_interface = kernel_interface_create();
+	this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT);
 	this->public.sender = sender_create();
 	this->public.receiver = receiver_create();
-	this->public.scheduler = scheduler_create();
-	this->public.kernel_interface = kernel_interface_create();
-	this->public.thread_pool = thread_pool_create(NUMBER_OF_WORKING_THREADS);
+	
 }
 
 /**
  * Handle SIGSEGV/SIGILL signals raised by threads
  */
-void signal_handler(int signal)
+static void segv_handler(int signal)
 {
 #ifdef HAVE_BACKTRACE
 	void *array[20];
@@ -340,7 +325,7 @@ void signal_handler(int signal)
 	size = backtrace(array, 20);
 	strings = backtrace_symbols(array, size);
 
-	DBG1(DBG_DMN, "thread %u received %s. Dumping %d frames from stack:",
+	DBG1(DBG_JOB, "thread %u received %s. Dumping %d frames from stack:",
 		 pthread_self(), signal == SIGSEGV ? "SIGSEGV" : "SIGILL", size);
 
 	for (i = 0; i < size; i++)
@@ -352,7 +337,7 @@ void signal_handler(int signal)
 	DBG1(DBG_DMN, "thread %u received %s",
 		 pthread_self(), signal == SIGSEGV ? "SIGSEGV" : "SIGILL");
 #endif /* HAVE_BACKTRACE */
-	DBG1(DBG_DMN, "killing ourself hard after SIGSEGV");
+	DBG1(DBG_DMN, "killing ourself, received critical signal");
 	raise(SIGKILL);
 }
 
@@ -361,25 +346,22 @@ void signal_handler(int signal)
  */
 private_daemon_t *daemon_create(void)
 {	
-	private_daemon_t *this = malloc_thing(private_daemon_t);
 	struct sigaction action;
+	private_daemon_t *this = malloc_thing(private_daemon_t);
 		
 	/* assign methods */
 	this->public.kill = (void (*) (daemon_t*,char*))kill_daemon;
-	this->public.drop_capabilities = (void(*)(daemon_t*,bool))drop_capabilities;
 	
 	/* NULL members for clean destruction */
 	this->public.socket = NULL;
 	this->public.ike_sa_manager = NULL;
-	this->public.job_queue = NULL;
-	this->public.event_queue = NULL;
 	this->public.credentials = NULL;
 	this->public.backends = NULL;
 	this->public.sender= NULL;
 	this->public.receiver = NULL;
 	this->public.scheduler = NULL;
 	this->public.kernel_interface = NULL;
-	this->public.thread_pool = NULL;
+	this->public.processor = NULL;
 	this->public.interfaces = NULL;
 	this->public.bus = NULL;
 	this->public.outlog = NULL;
@@ -388,20 +370,22 @@ private_daemon_t *daemon_create(void)
 	
 	this->main_thread_id = pthread_self();
 	
-	/* setup signal handling for all threads */
-	sigemptyset(&(this->signal_set));
-	sigaddset(&(this->signal_set), SIGSEGV);
-	sigaddset(&(this->signal_set), SIGINT); 
-	sigaddset(&(this->signal_set), SIGHUP); 
-	sigaddset(&(this->signal_set), SIGTERM); 
-	pthread_sigmask(SIG_BLOCK, &(this->signal_set), 0);
-	
-	/* setup SIGSEGV handler for all threads */
-	action.sa_handler = signal_handler;
-	action.sa_mask = this->signal_set;
+	/* add handler for SEGV and ILL,
+	 * add handler for USR1 (cancellation).
+	 * INT, TERM and HUP are handled by sigwait() in run() */
+	action.sa_handler = segv_handler;
 	action.sa_flags = 0;
+	sigemptyset(&action.sa_mask);
+	sigaddset(&action.sa_mask, SIGINT);
+	sigaddset(&action.sa_mask, SIGTERM);
+	sigaddset(&action.sa_mask, SIGHUP);
 	sigaction(SIGSEGV, &action, NULL);
 	sigaction(SIGILL, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	sigaction(SIGPIPE, &action, NULL);
+	
+	pthread_sigmask(SIG_SETMASK, &action.sa_mask, 0);
+	
 	return this;
 }
 
@@ -445,15 +429,15 @@ int main(int argc, char *argv[])
 	private_daemon_t *private_charon;
 	FILE *pid_file;
 	struct stat stb;
-	linked_list_t *list;
-	host_t *host;
 	level_t levels[DBG_MAX];
 	int signal;
 	
-	prctl(PR_SET_KEEPCAPS, 1);
+	private_charon = daemon_create();
+	charon = (daemon_t*)private_charon;
 	
-	/* drop the capabilities we won't need at all */
-	drop_capabilities(NULL, FALSE);
+	/* drop the capabilities we won't need for initialization */
+	prctl(PR_SET_KEEPCAPS, 1);
+	drop_capabilities(private_charon, FALSE);
 	
 	/* use CTRL loglevel for default */
 	for (signal = 0; signal < DBG_MAX; signal++)
@@ -522,13 +506,11 @@ int main(int argc, char *argv[])
 		}
 		break;
 	}
-
-	private_charon = daemon_create();
-	charon = (daemon_t*)private_charon;
 	
 	/* initialize daemon */
 	initialize(private_charon, use_syslog, levels);
-
+	/* initialize fetcher_t class */
+	fetcher_initialize();
 	/* load pluggable EAP modules */
 	eap_method_load(eapdir);
 	
@@ -549,19 +531,12 @@ int main(int argc, char *argv[])
 		fclose(pid_file);
 	}
 	
-	/* log socket info */
-	list = charon->kernel_interface->create_address_list(charon->kernel_interface);
-	DBG1(DBG_NET, "listening on %d addresses:", list->get_count(list));
-	while (list->remove_first(list, (void**)&host) == SUCCESS)
-	{
-		DBG1(DBG_NET, "  %H", host);
-		host->destroy(host);
-	}
-	list->destroy(list);
-	
 	/* drop additional capabilites (bind & root) */
 	drop_capabilities(private_charon, TRUE);
 	
+	/* start the engine, go multithreaded */
+	charon->processor->set_threads(charon->processor, WORKER_THREADS);
+	
 	/* run daemon */
 	run(private_charon);
 	
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 640bc6a09..0b5205ce7 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -33,9 +33,7 @@ typedef struct daemon_t daemon_t;
 #include <network/receiver.h>
 #include <network/socket.h>
 #include <processing/scheduler.h>
-#include <processing/thread_pool.h>
-#include <processing/job_queue.h>
-#include <processing/event_queue.h>
+#include <processing/processor.h>
 #include <kernel/kernel_interface.h>
 #include <control/interface_manager.h>
 #include <bus/bus.h>
@@ -49,50 +47,73 @@ typedef struct daemon_t daemon_t;
  *
  * @brief IKEv2 keying daemon.
  *
- * @section Architecture
- *
  * All IKEv2 stuff is handled in charon. It uses a newer and more flexible
- * architecture than pluto. Charon uses a thread-pool, which allows parallel
- * execution SA-management. Beside the thread-pool, there are some special purpose
- * threads which do their job for the common health of the daemon.
-   @verbatim 
-                         +------+
-                         | E  Q |
-                         | v  u |---+                   +------+  +------+
-                         | e  e |   |                   |      |  | IKE- |
-                         | n  u |  +-----------+        |      |--| SA   |
-                         | t  e |  |           |        | I  M |  +------+
-       +------------+    | -    |  | Scheduler |        | K  a |
-       |  receiver  |    +------+  |           |        | E  n |  +------+
-       +----+-------+              +-----------+        | -  a |  | IKE- |
-            |      |     +------+   |                   | S  g |--| SA   |
-    +-------+--+   +-----| J  Q |---+  +------------+   | A  e |  +------+
-   -|  socket  |         | o  u |      |            |   | -  r |
-    +-------+--+         | b  e |      |   Thread-  |   |      |
-            |            | -  u |      |   Pool     |   |      |
-       +----+-------+    |    e |------|            |---|      |
-       |   sender   |    +------+      +------------+   +------+
-       +------------+
+ * architecture than pluto. Charon uses a thread-pool (called processor),
+ * which allows parallel execution SA-management. All threads originate
+ * from the processor. Work is delegated to the processor by queueing jobs
+ * to it.
+   @verbatim                                             
+                          
+      +--------+   +-------+   +--------+       +-----------+    +-----------+
+      | Stroke |   |  XML  |   |  DBUS  |       |   Local   |    |   SQLite  |
+      +--------+   +-------+   +--------+       +-----------+    +-----------+
+          |            |           |                  |                |
+      +---------------------------------+       +----------------------------+
+      |             Interfaces          |       |          Backends          |
+      +---------------------------------+       +----------------------------+  
+                                                                              
+                                                                                
+       +------------+    +-----------+        +------+            +----------+
+       |  receiver  |    |           |        |      |  +------+  | CHILD_SA |
+       +----+-------+    | Scheduler |        | IKE- |  | IKE- |--+----------+
+            |            |           |        | SA   |--| SA   |  | CHILD_SA |
+    +-------+--+         +-----------+        |      |  +------+  +----------+
+ <->|  socket  |               |              | Man- |
+    +-------+--+         +-----------+        | ager |  +------+  +----------+
+            |            |           |        |      |  | IKE- |--| CHILD_SA |
+       +----+-------+    | Processor |--------|      |--| SA   |  +----------+
+       |   sender   |    |           |        |      |  +------+                  
+       +------------+    +-----------+        +------+                   
+                                                                                 
+                                                                                
+      +---------------------------------+       +----------------------------+
+      |               Bus               |       |      Kernel Interface      |
+      +---------------------------------+       +----------------------------+                                                                 
+             |                    |                           |
+      +-------------+     +-------------+                     V
+      | File-Logger |     |  Sys-Logger |                  //////
+      +-------------+     +-------------+                       
+
 
    @endverbatim
- * The thread-pool is the heart of the architecture. It processes jobs from a
- * (fully synchronized) job-queue. Mostly, a job is associated with a specific
- * IKE SA. These IKE SAs are synchronized, only one thread can work one an IKE SA.
- * This makes it unnecesary to use further synchronisation methods once a IKE SA
- * is checked out. The (rather complex) synchronization of IKE SAs is completely
- * done in the IKE SA manager.
- * The sceduler is responsible for event firing. It waits until a event in the
- * (fully synchronized) event-queue is ready for processing and pushes the event
- * down to the job-queue. A thread form the pool will pick it up as quick as
- * possible. Every thread can queue events or jobs. Furter, an event can place a
- * packet in the sender. The sender thread waits for those packets and sends
- * them over the wire, via the socket. The receiver does exactly the opposite of
- * the sender. It waits on the socket, reads in packets an places them on the
- * job-queue for further processing by a thread from the pool.
- * There are even more threads, not drawn in the upper scheme. The stroke thread
- * is responsible for reading and processessing commands from another process. The
- * kernel interface thread handles communication from and to the kernel via a
- * netlink socket. It waits for kernel events and processes them appropriately.
+ * The scheduler is responsible to execute timed events. Jobs may be queued to 
+ * the scheduler to get executed at a defined time (e.g. rekeying). The scheduler
+ * does not execute the jobs itself, it queues them to the processor.
+ * 
+ * The IKE_SA manager managers all IKE_SA. It further handles the synchronization:
+ * Each IKE_SA must be checked out strictly and checked in again after use. The 
+ * manager guarantees that only one thread may check out a single IKE_SA. This allows
+ * us to write the (complex) IKE_SAs routines non-threadsave.
+ * The IKE_SA contain the state and the logic of each IKE_SA and handle the messages.
+ * 
+ * The CHILD_SA contains state about a IPsec security association and manages them. 
+ * An IKE_SA may have multiple CHILD_SAs. Communication to the kernel takes place
+ * here through the kernel interface.
+ * 
+ * The kernel interface installs IPsec security associations, policies routes and 
+ * virtual addresses. It further provides methods to enumerate interfaces and may notify
+ * the daemon about state changes at lower layers.
+ * 
+ * The bus receives signals from the different threads and relais them to interested 
+ * listeners. Debugging signals, but also important state changes or error messages are
+ * sent over the bus. 
+ * It's listeners are not only for logging, but also to track the state of an IKE_SA.
+ * 
+ * The interface manager loads pluggable controlling interfaces. These are written to control
+ * the daemon from external inputs (e.g. initiate IKE_SA, close IKE_SA, ...). The interface
+ * manager further provides a simple API to establish these tasks.
+ * Backends are pluggable modules which provide configuration. They have to implement an API
+ * which the daemon core uses to get configuration.
  */
 
 /**
@@ -234,12 +255,9 @@ typedef struct daemon_t daemon_t;
 /**
  * @brief Number of threads in the thread pool.
  * 
- * There are several other threads, this defines
- * only the number of threads in thread_pool_t.
- * 
  * @ingroup charon
  */
-#define NUMBER_OF_WORKING_THREADS 4
+#define WORKER_THREADS 16
 
 /**
  * UDP Port on which the daemon will listen for incoming traffic.
@@ -338,20 +356,11 @@ typedef struct daemon_t daemon_t;
  * @ingroup charon
  */
 struct daemon_t {
+	
 	/**
 	 * A socket_t instance.
 	 */
 	socket_t *socket;
-	
-	/**
-	 * A job_queue_t instance.
-	 */
-	job_queue_t *job_queue;
-	
-	/**
-	 * A event_queue_t instance.
-	 */
-	event_queue_t *event_queue;
 
 	/**
 	 * A ike_sa_manager_t instance.
@@ -384,9 +393,9 @@ struct daemon_t {
 	scheduler_t *scheduler;
 	
 	/**
-	 * The Thread pool managing the worker threads.
+	 * Job processing using a thread pool.
 	 */
-	thread_pool_t *thread_pool;
+	processor_t *processor;
 	
 	/**
 	 * The signaling bus.
@@ -419,14 +428,6 @@ struct daemon_t {
 	interface_manager_t *interfaces;
 	
 	/**
-	 * @brief Let the calling thread drop its capabilities.
-	 * 
-	 * @param this			calling daemon
-	 * @param full			TRUE to drop as many as possible
-	 */
-	void (*drop_capabilities) (daemon_t *this, bool full);
-	
-	/**
 	 * @brief Shut down the daemon.
 	 * 
 	 * @param this			the daemon to kill
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
index b31b21afa..980ff12b5 100644
--- a/src/charon/encoding/message.c
+++ b/src/charon/encoding/message.c
@@ -611,9 +611,13 @@ static char* get_string(private_message_t *this, char *buf, int len)
 	int written;
 	char *pos = buf;
 	
-	written = snprintf(pos, len, "%N %s [", 
-					   exchange_type_names, this->exchange_type,
-					   this->is_request ? "request" : "response");
+	memset(buf, 0, len);
+	len--;
+	
+	written = snprintf(pos, len, "%N %s %d [",
+					   exchange_type_names, this->exchange_type, 
+					   this->is_request ? "request" : "response",
+					   this->message_id);
 	if (written >= len || written < 0)
 	{
 		return "";
@@ -621,16 +625,10 @@ static char* get_string(private_message_t *this, char *buf, int len)
 	pos += written;
 	len -= written;
 	
-	if (this->payloads->get_count(this->payloads) == 0)
-	{
-		snprintf(pos, len, "]");
-		return buf;
-	}
-	
 	iterator = this->payloads->create_iterator(this->payloads, TRUE);
 	while (iterator->iterate(iterator, (void**)&payload))
 	{
-		written = snprintf(pos, len, "%N ", payload_type_short_names,
+		written = snprintf(pos, len, " %N", payload_type_short_names,
 				  		   payload->get_type(payload));
 		if (written >= len || written < 0)
 		{
@@ -638,13 +636,23 @@ static char* get_string(private_message_t *this, char *buf, int len)
 		}
 		pos += written;
 		len -= written;
+		if (payload->get_type(payload) == NOTIFY)
+		{
+			notify_payload_t *notify = (notify_payload_t*)payload;
+			written = snprintf(pos, len, "(%N)", notify_type_short_names,
+					  		   notify->get_notify_type(notify));
+			if (written >= len || written < 0)
+			{
+				return buf;
+			}
+			pos += written;
+			len -= written;
+		}
 	}
 	iterator->destroy(iterator);
 	
 	/* remove last space */
-	pos--;
-	len++;
-	snprintf(pos, len, "]");
+	snprintf(pos, len, " ]");
 	return buf;
 }
 
@@ -734,7 +742,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
 	iterator_t *iterator;
 	status_t status;
 	chunk_t packet_data;
-	char str[128];
+	char str[256];
 	
 	if (is_encoded(this))
 	{
@@ -1140,7 +1148,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
 {
 	status_t status = SUCCESS;
 	payload_type_t current_payload_type;
-	char str[128];
+	char str[256];
 		
 	current_payload_type = this->first_payload;	
 		
diff --git a/src/charon/encoding/payloads/notify_payload.c b/src/charon/encoding/payloads/notify_payload.c
index a04901a90..e27d3c68f 100644
--- a/src/charon/encoding/payloads/notify_payload.c
+++ b/src/charon/encoding/payloads/notify_payload.c
@@ -47,14 +47,16 @@ ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL
 	"INVALID_KE_PAYLOAD");
 ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
 	"AUTHENTICATION_FAILED");
-ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, INVALID_SELECTORS, AUTHENTICATION_FAILED,
+ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED,
 	"SINGLE_PAIR_REQUIRED",
 	"NO_ADDITIONAL_SAS",
 	"INTERNAL_ADDRESS_FAILURE",
 	"FAILED_CP_REQUIRED",
 	"TS_UNACCEPTABLE",
-	"INVALID_SELECTORS");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, AUTH_LIFETIME, INVALID_SELECTORS,
+	"INVALID_SELECTORS",
+	"UNACCEPTABLE_ADDRESSES",
+	"UNEXPECTED_NAT_DETECTED");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, AUTH_LIFETIME, UNEXPECTED_NAT_DETECTED,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -79,6 +81,59 @@ ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, A
 	"EAP_ONLY_AUTHENTICATION");
 ENUM_END(notify_type_names, EAP_ONLY_AUTHENTICATION);
 
+
+ENUM_BEGIN(notify_type_short_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
+	"CRIT");
+ENUM_NEXT(notify_type_short_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
+	"INVAL_IKE_SPI",
+	"INVAL_MAJOR");
+ENUM_NEXT(notify_type_short_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION,
+	"INVAL_SYN");
+ENUM_NEXT(notify_type_short_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX,
+	"INVAL_MID");
+ENUM_NEXT(notify_type_short_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
+	"INVAL_SPI");
+ENUM_NEXT(notify_type_short_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
+	"NO_PROP");
+ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
+	"INVAL_KE");
+ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
+	"AUTH_FAILED");
+ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED,
+	"SINGLE_PAIR",
+	"NO_ADD_SAS",
+	"INT_ADDR_FAIL",
+	"FAIL_CP_REQ",
+	"TS_UNACCEPT",
+	"INVAL_SEL",
+	"UNACCEPT_ADDR",
+	"UNEXPECT_NAT");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, AUTH_LIFETIME, UNEXPECTED_NAT_DETECTED,
+	"INIT_CONTACT",
+	"SET_WINSIZE",
+	"ADD_TS_POSS",
+	"IPCOMP_SUPP",
+	"NATD_S_IP",
+	"NATD_D_IP",
+	"COOKIE",
+	"USE_TRANSP",
+	"HTTP_CERT_LOOK",
+	"REKEY_SA",
+	"ESP_TFC_PAD_N",
+	"NON_FIRST_FRAG",
+	"MOBIKE_SUP",
+	"ADD_4_ADDR",
+	"ADD_6_ADDR",
+	"NO_ADD_ADDR",
+	"UPD_SA_ADDR",
+	"COOKIE2",
+	"NO_NATS",
+	"AUTH_LFT");
+ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, AUTH_LIFETIME,
+	"EAP_ONLY");
+ENUM_END(notify_type_short_names, EAP_ONLY_AUTHENTICATION);
+
+
 typedef struct private_notify_payload_t private_notify_payload_t;
 
 /**
@@ -189,6 +244,8 @@ encoding_rule_t notify_payload_encodings[] = {
  */
 static status_t verify(private_notify_payload_t *this)
 {
+	bool bad_length = FALSE;
+
 	switch (this->protocol_id)
 	{
 		case PROTO_NONE:
@@ -205,30 +262,9 @@ static status_t verify(private_notify_payload_t *this)
 	{
 		case INVALID_KE_PAYLOAD:
 		{
-			/* check notification data */
-			diffie_hellman_group_t dh_group;
 			if (this->notification_data.len != 2)
 			{
-				DBG1(DBG_ENC, "invalid notify data length for %N (%d)",
-					 notify_type_names, this->notify_type,
-					 this->notification_data.len);
-				return FAILED;
-			}
-			dh_group = ntohs(*((u_int16_t*)this->notification_data.ptr));
-			switch (dh_group)
-			{
-				case MODP_768_BIT:
-				case MODP_1024_BIT:
-				case MODP_1536_BIT:
-				case MODP_2048_BIT:
-				case MODP_3072_BIT:
-				case MODP_4096_BIT:
-				case MODP_6144_BIT:
-				case MODP_8192_BIT:
-					break;
-				default:
-					DBG1(DBG_ENC, "Bad DH group (%d)", dh_group);
-					return FAILED;
+				bad_length = TRUE;
 			}
 			break;
 		}
@@ -237,9 +273,7 @@ static status_t verify(private_notify_payload_t *this)
 		{
 			if (this->notification_data.len != HASH_SIZE_SHA1)
 			{
-				DBG1(DBG_ENC, "invalid %N notify length",
-					 notify_type_names, this->notify_type);
-				return FAILED;
+				bad_length = TRUE;
 			}
 			break;
 		}
@@ -249,9 +283,23 @@ static status_t verify(private_notify_payload_t *this)
 		{
 			if (this->notification_data.len != 0)
 			{
-				DBG1(DBG_ENC, "invalid %N notify",
-					 notify_type_names, this->notify_type);
-				return FAILED;
+				bad_length = TRUE;
+			}
+			break;
+		}
+		case ADDITIONAL_IP4_ADDRESS:
+		{
+			if (this->notification_data.len != 4)
+			{
+				bad_length = TRUE;
+			}
+			break;
+		}
+		case ADDITIONAL_IP6_ADDRESS:
+		{
+			if (this->notification_data.len != 16)
+			{
+				bad_length = TRUE;
 			}
 			break;
 		}
@@ -259,6 +307,13 @@ static status_t verify(private_notify_payload_t *this)
 			/* TODO: verify */
 			break;
 	}
+	if (bad_length)
+	{
+		DBG1(DBG_ENC, "invalid notify data length for %N (%d)",
+			 notify_type_names, this->notify_type,
+			 this->notification_data.len);
+		return FAILED;
+	}
 	return SUCCESS;
 }
 
diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h
index 431932631..231d0408d 100644
--- a/src/charon/encoding/payloads/notify_payload.h
+++ b/src/charon/encoding/payloads/notify_payload.h
@@ -65,6 +65,8 @@ enum notify_type_t {
 	FAILED_CP_REQUIRED = 37,
 	TS_UNACCEPTABLE = 38,
 	INVALID_SELECTORS = 39,
+	UNACCEPTABLE_ADDRESSES = 40,
+	UNEXPECTED_NAT_DETECTED = 41,
 	/* notify status messages */
 	INITIAL_CONTACT = 16384,
 	SET_WINDOW_SIZE = 16385,
@@ -102,6 +104,13 @@ enum notify_type_t {
 extern enum_name_t *notify_type_names;
 
 /**
+ * enum name for notify_type_t (shorter strings).
+ *
+ * @ingroup payloads
+ */
+extern enum_name_t *notify_type_short_names;
+
+/**
  * @brief Class representing an IKEv2-Notify Payload.
  * 
  * The Notify Payload format is described in Draft section 3.10.
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index d82783b03..4770c7538 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -48,6 +48,8 @@
 #include <processing/jobs/delete_child_sa_job.h>
 #include <processing/jobs/rekey_child_sa_job.h>
 #include <processing/jobs/acquire_job.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/roam_job.h>
 
 /** kernel level protocol identifiers */
 #define KERNEL_ESP 50
@@ -156,7 +158,7 @@ char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
 		}
 		kernel_algo++;
 	}
-	return NULL;	
+	return NULL;
 }
 
 typedef struct route_entry_t route_entry_t;
@@ -216,54 +218,61 @@ struct policy_entry_t {
 	u_int refcount;
 };
 
-typedef struct vip_entry_t vip_entry_t;
+typedef struct addr_entry_t addr_entry_t;
 
 /**
- * Installed virtual ip
+ * IP address in an inface_entry_t
  */
-struct vip_entry_t {
-	/** Index of the interface the ip is bound to */
-	u_int8_t if_index;
+struct addr_entry_t {
 	
 	/** The ip address */
 	host_t *ip;
 	
-	/** Number of times this IP is used */
+	/** virtual IP managed by us */
+	bool virtual;
+	
+	/** scope of the address */
+	u_char scope;
+	
+	/** Number of times this IP is used, if virtual */
 	u_int refcount;
 };
 
 /**
- * destroy a vip_entry_t object
+ * destroy a addr_entry_t object
  */
-static void vip_entry_destroy(vip_entry_t *this)
+static void addr_entry_destroy(addr_entry_t *this)
 {
 	this->ip->destroy(this->ip);
 	free(this);
 }
 
-typedef struct address_entry_t address_entry_t;
+typedef struct iface_entry_t iface_entry_t;
 
 /**
- * an address found on the system, containg address and interface info 
+ * A network interface on this system, containing addr_entry_t's
  */
-struct address_entry_t {
-
-	/** address of this entry */
-	host_t *host;
+struct iface_entry_t {
 	
 	/** interface index */
 	int ifindex;
 	
-	/** name of the index */
+	/** name of the interface */
 	char ifname[IFNAMSIZ];
+	
+	/** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+	u_int flags;
+	
+	/** list of addresses as host_t */
+	linked_list_t *addrs;
 };
 
 /**
- * destroy an address entry
+ * destroy an interface entry
  */
-static void address_entry_destroy(address_entry_t *this)
+static void iface_entry_destroy(iface_entry_t *this)
 {
-	this->host->destroy(this->host);
+	this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
 	free(this);
 }
 
@@ -279,29 +288,34 @@ struct private_kernel_interface_t {
 	kernel_interface_t public;
 	
 	/**
-	 * List of installed policies (kernel_entry_t)
+	 * mutex to lock access to the various lists
 	 */
-	linked_list_t *policies;
+	pthread_mutex_t mutex;
 	
 	/**
-	 * Mutex locks access to policies
+	 * List of installed policies (policy_entry_t)
 	 */
-	pthread_mutex_t policies_mutex;
+	linked_list_t *policies;
 	
 	/**
-	 * List of installed virtual IPs. (vip_entry_t)
+	 * Cached list of interfaces and its adresses (iface_entry_t)
 	 */
-	linked_list_t *vips;
+	linked_list_t *ifaces;
 	
 	/**
-	 * Mutex to lock access to vips.
+	 * iterator used in hook()
+	 */
+	iterator_t *hiter;
+	 
+	/**
+	 * job receiving netlink events
 	 */
-	pthread_mutex_t vips_mutex;
+	callback_job_t *job;
 	
 	/**
-	 * netlink xfrm socket to receive acquire and expire events
+	 * current sequence number for netlink request
 	 */
-	int socket_xfrm_events;
+	int seq;
 	
 	/**
 	 * Netlink xfrm socket (IPsec)
@@ -309,14 +323,19 @@ struct private_kernel_interface_t {
 	int socket_xfrm;
 	
 	/**
+	 * netlink xfrm socket to receive acquire and expire events
+	 */
+	int socket_xfrm_events;
+	
+	/**
 	 * Netlink rt socket (routing)
 	 */
 	int socket_rt;
 	
 	/**
-	 * Thread receiving events from kernel
+	 * Netlink rt socket to receive address change events
 	 */
-	pthread_t event_thread;
+	int socket_rt_events;
 };
 
 /**
@@ -442,107 +461,382 @@ static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
 }
 
 /**
- * Receives events from kernel
+ * process a XFRM_MSG_ACQUIRE from kernel
  */
-static void receive_events(private_kernel_interface_t *this)
+static void process_acquire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
 {
-	charon->drop_capabilities(charon, TRUE);
+	u_int32_t reqid = 0;
+	job_t *job;
+	struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
+	size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
+	
+	if (RTA_OK(rtattr, rtsize))
+	{
+		if (rtattr->rta_type == XFRMA_TMPL)
+		{
+			struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
+			reqid = tmpl->reqid;
+		}
+	}
+	if (reqid == 0)
+	{
+		DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
+		return;
+	}
+	DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
+	DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid);
+	job = (job_t*)acquire_job_create(reqid);
+	charon->processor->queue_job(charon->processor, job);
+}
 
-	while(TRUE) 
+/**
+ * process a XFRM_MSG_EXPIRE from kernel
+ */
+static void process_expire(private_kernel_interface_t *this, struct nlmsghdr *hdr)
+{
+	job_t *job;
+	protocol_id_t protocol;
+	u_int32_t spi, reqid;
+	struct xfrm_user_expire *expire;
+	
+	expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
+	protocol = expire->state.id.proto == KERNEL_ESP ? PROTO_ESP : PROTO_AH;
+	spi = expire->state.id.spi;
+	reqid = expire->state.reqid;
+	
+	DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
+	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
+		 expire->hard ? "delete" : "rekey",  protocol_id_names,
+		 protocol, ntohl(spi), reqid);
+	if (expire->hard)
 	{
-		unsigned char response[512];
-		struct nlmsghdr *hdr;
-		struct sockaddr_nl addr;
-		socklen_t addr_len = sizeof(addr);
-		int len;
-		
-		hdr = (struct nlmsghdr*)response;
-		len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
-					   0, (struct sockaddr*)&addr, &addr_len);
-		if (len < 0)
+		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+	}
+	else
+	{
+		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+	}
+	charon->processor->queue_job(charon->processor, job);
+}
+
+/**
+ * process RTM_NEWLINK/RTM_DELLINK from kernel
+ */
+static void process_link(private_kernel_interface_t *this,
+						 struct nlmsghdr *hdr, bool event)
+{
+	struct ifinfomsg* msg = (struct ifinfomsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = IFLA_RTA(msg);
+	size_t rtasize = IFLA_PAYLOAD (hdr);
+	iterator_t *iterator;
+	iface_entry_t *current, *entry = NULL;
+	char *name = NULL;
+	bool update = FALSE;
+	
+	while(RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
 		{
-			if (errno == EINTR)
+			case IFLA_IFNAME:
+				name = RTA_DATA(rta);
+				break;
+		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	if (!name)
+	{
+		name = "(unknown)";
+	}
+	
+	switch (hdr->nlmsg_type)
+	{
+		case RTM_NEWLINK:
+		{
+			if (msg->ifi_flags & IFF_LOOPBACK)
+			{	/* ignore loopback interfaces */
+				break;
+			}
+			iterator = this->ifaces->create_iterator_locked(this->ifaces,
+															&this->mutex);
+			while (iterator->iterate(iterator, (void**)&current))
 			{
-				/* interrupted, try again */
-				continue;
+				if (current->ifindex == msg->ifi_index)
+				{
+					entry = current;
+					break;
+				}
+			}
+			if (!entry)
+			{
+				entry = malloc_thing(iface_entry_t);
+				entry->ifindex = msg->ifi_index;
+				entry->flags = 0;
+				entry->addrs = linked_list_create();
+				this->ifaces->insert_last(this->ifaces, entry);
+			}
+			memcpy(entry->ifname, name, IFNAMSIZ);
+			entry->ifname[IFNAMSIZ-1] = '\0';
+			if (event)
+			{
+				if (!(entry->flags & IFF_UP) && (msg->ifi_flags & IFF_UP))
+				{
+					update = TRUE;
+					DBG1(DBG_KNL, "interface %s activated", name);
+				}
+				if ((entry->flags & IFF_UP) && !(msg->ifi_flags & IFF_UP))
+				{
+					update = TRUE;
+					DBG1(DBG_KNL, "interface %s deactivated", name);
+				}
 			}
-			charon->kill(charon, "unable to receive netlink events");
+			entry->flags = msg->ifi_flags;
+			iterator->destroy(iterator);
+			break;
 		}
-		
-		if (!NLMSG_OK(hdr, len))
+		case RTM_DELLINK:
 		{
-			/* bad netlink message */
-			continue;
+			iterator = this->ifaces->create_iterator_locked(this->ifaces,
+															&this->mutex);
+			while (iterator->iterate(iterator, (void**)&current))
+			{
+				if (current->ifindex == msg->ifi_index)
+				{
+					/* we do not remove it, as an address may be added to a 
+					 * "down" interface and we wan't to know that. */
+					current->flags = msg->ifi_flags;
+					break;
+				}
+			}
+			iterator->destroy(iterator);
+			break;
 		}
+	}
+	
+	/* send an update to all IKE_SAs */
+	if (update && event)
+	{
+		charon->processor->queue_job(charon->processor,
+									 (job_t*)roam_job_create(TRUE));
+	}
+}
 
-		if (addr.nl_pid != 0)
+/**
+ * process RTM_NEWADDR/RTM_DELADDR from kernel
+ */
+static void process_addr(private_kernel_interface_t *this,
+						 struct nlmsghdr *hdr, bool event)
+{
+	struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
+	struct rtattr *rta = IFA_RTA(msg);
+	size_t rtasize = IFA_PAYLOAD (hdr);
+	host_t *host = NULL;
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	chunk_t local = chunk_empty, address = chunk_empty;
+	bool update = FALSE, found = FALSE, changed = FALSE;
+	
+	while(RTA_OK(rta, rtasize))
+	{
+		switch (rta->rta_type)
 		{
-			/* not from kernel. not interested, try another one */
-			continue;
+			case IFA_LOCAL:
+				local.ptr = RTA_DATA(rta);
+				local.len = RTA_PAYLOAD(rta);
+				break;
+			case IFA_ADDRESS:
+				address.ptr = RTA_DATA(rta);
+				address.len = RTA_PAYLOAD(rta);
+				break;
 		}
-		
-		/* we handle ACQUIRE and EXPIRE messages directly */
-		if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE)
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	
+	/* For PPP interfaces, we need the IFA_LOCAL address,
+	 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
+	 * not included in all cases (IPv6?), so fallback to IFA_ADDRESS. */
+	if (local.ptr)
+	{
+		host = host_create_from_chunk(msg->ifa_family, local, 0);
+	}
+	else if (address.ptr)
+	{
+		host = host_create_from_chunk(msg->ifa_family, address, 0);
+	}
+	
+	if (host == NULL)
+	{	/* bad family? */
+		return;
+	}
+	
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		if (iface->ifindex == msg->ifa_index)
 		{
-			u_int32_t reqid = 0;
-			job_t *job;
-			struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
-			size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
-			if (RTA_OK(rtattr, rtsize))
+			addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+			while (addrs->iterate(addrs, (void**)&addr))
 			{
-				if (rtattr->rta_type == XFRMA_TMPL)
+				if (host->ip_equals(host, addr->ip))
 				{
-					struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
-					reqid = tmpl->reqid;
+					found = TRUE;
+					if (hdr->nlmsg_type == RTM_DELADDR)
+					{
+						changed = TRUE;
+						addrs->remove(addrs);
+						addr_entry_destroy(addr);
+						DBG1(DBG_KNL, "%H disappeared from %s", host, iface->ifname);
+					}
 				}
 			}
-			if (reqid == 0)
+			addrs->destroy(addrs);
+		
+			if (hdr->nlmsg_type == RTM_NEWADDR)
 			{
-				DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
+				if (!found)
+				{
+					found = TRUE;
+					changed = TRUE;
+					addr = malloc_thing(addr_entry_t);
+					addr->ip = host->clone(host);
+					addr->virtual = FALSE;
+					addr->refcount = 1;
+					addr->scope = msg->ifa_scope;
+					
+					iface->addrs->insert_last(iface->addrs, addr);
+					if (event)
+					{
+						DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+					}
+				}
 			}
-			else
+			if (found && (iface->flags & IFF_UP))
 			{
-				DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
-				DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d",
-					 reqid);
-				job = (job_t*)acquire_job_create(reqid);
-				charon->job_queue->add(charon->job_queue, job);
+				update = TRUE;
 			}
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	host->destroy(host);
+	
+	/* send an update to all IKE_SAs */
+	if (update && event && changed)
+	{
+		charon->processor->queue_job(charon->processor,
+									 (job_t*)roam_job_create(TRUE));
+	}
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_interface_t *this)
+{
+	char response[1024];
+	struct nlmsghdr *hdr = (struct nlmsghdr*)response;
+	struct sockaddr_nl addr;
+	socklen_t addr_len = sizeof(addr);
+	int len, oldstate, maxfd, selected;
+	fd_set rfds;
+
+	FD_ZERO(&rfds);
+	FD_SET(this->socket_xfrm_events, &rfds);
+	FD_SET(this->socket_rt_events, &rfds);
+	maxfd = max(this->socket_xfrm_events, this->socket_rt_events);
+	
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	selected = select(maxfd + 1, &rfds, NULL, NULL, NULL);
+	pthread_setcancelstate(oldstate, NULL);
+	if (selected <= 0)
+	{
+		DBG1(DBG_KNL, "selecting on sockets failed: %s", strerror(errno));
+		return JOB_REQUEUE_FAIR;
+	}
+	if (FD_ISSET(this->socket_xfrm_events, &rfds))
+	{
+		selected = this->socket_xfrm_events;
+	}
+	else if (FD_ISSET(this->socket_rt_events, &rfds))
+	{
+		selected = this->socket_rt_events;
+	}
+	else
+	{
+		return JOB_REQUEUE_DIRECT;
+	}
+	
+	len = recvfrom(selected, response, sizeof(response), MSG_DONTWAIT,
+				   (struct sockaddr*)&addr, &addr_len);
+	if (len < 0)
+	{
+		switch (errno)
+		{
+			case EINTR:
+				/* interrupted, try again */
+				return JOB_REQUEUE_DIRECT;
+			case EAGAIN:
+				/* no data ready, select again */
+				return JOB_REQUEUE_DIRECT;
+			default:
+				DBG1(DBG_KNL, "unable to receive from xfrm event socket");
+				sleep(1);
+				return JOB_REQUEUE_FAIR;
 		}
-		else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE)
+	}
+	if (addr.nl_pid != 0)
+	{	/* not from kernel. not interested, try another one */
+		return JOB_REQUEUE_DIRECT;
+	}
+	
+	while (NLMSG_OK(hdr, len))
+	{
+		/* looks good so far, dispatch netlink message */
+		if (selected == this->socket_xfrm_events)
 		{
-			job_t *job;
-			protocol_id_t protocol;
-			u_int32_t spi, reqid;
-			struct xfrm_user_expire *expire;
-			
-			expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
-			protocol = expire->state.id.proto == KERNEL_ESP ?
-														PROTO_ESP : PROTO_AH;
-			spi = expire->state.id.spi;
-			reqid = expire->state.reqid;
-			
-			DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
-			DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
-				 expire->hard ? "delete" : "rekey",  protocol_id_names,
-				 protocol, ntohl(spi), reqid);
-			if (expire->hard)
+			switch (hdr->nlmsg_type)
 			{
-				job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+				case XFRM_MSG_ACQUIRE:
+					process_acquire(this, hdr);
+					break;
+				case XFRM_MSG_EXPIRE:
+					process_expire(this, hdr);
+					break;
+				default:
+					break;
 			}
-			else
+		}
+		else if (selected == this->socket_rt_events)
+		{
+			switch (hdr->nlmsg_type)
 			{
-				job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+				case RTM_NEWADDR:
+				case RTM_DELADDR:
+					process_addr(this, hdr, TRUE);
+					break;
+				case RTM_NEWLINK:
+				case RTM_DELLINK:
+					process_link(this, hdr, TRUE);
+					break;
+				case RTM_NEWROUTE:
+				case RTM_DELROUTE:
+					charon->processor->queue_job(charon->processor,
+												 (job_t*)roam_job_create(FALSE));
+					break;
+				default:
+					break;
 			}
-			charon->job_queue->add(charon->job_queue, job);
 		}
+		hdr = NLMSG_NEXT(hdr, len);
 	}
+	return JOB_REQUEUE_DIRECT;
 }
 
 /**
  * send a netlink message and wait for a reply
  */
-static status_t netlink_send(int socket, struct nlmsghdr *in,
+static status_t netlink_send(private_kernel_interface_t *this,
+							 int socket, struct nlmsghdr *in,
 							 struct nlmsghdr **out, size_t *out_len)
 {
 	int len, addr_len;
@@ -550,13 +844,9 @@ static status_t netlink_send(int socket, struct nlmsghdr *in,
 	chunk_t result = chunk_empty, tmp;
 	struct nlmsghdr *msg, peek;
 	
-	static int seq = 200;
-	static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
-	
+	pthread_mutex_lock(&this->mutex);
 	
-	pthread_mutex_lock(&mutex);
-	
-	in->nlmsg_seq = ++seq;
+	in->nlmsg_seq = ++this->seq;
 	in->nlmsg_pid = getpid();
 	
 	memset(&addr, 0, sizeof(addr));
@@ -576,7 +866,7 @@ static status_t netlink_send(int socket, struct nlmsghdr *in,
 				/* interrupted, try again */
 				continue;
 			}
-			pthread_mutex_unlock(&mutex);
+			pthread_mutex_unlock(&this->mutex);
 			DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
 			return FAILED;
 		}
@@ -585,7 +875,7 @@ static status_t netlink_send(int socket, struct nlmsghdr *in,
 	
 	while (TRUE)
 	{	
-		char buf[1024];
+		char buf[4096];
 		tmp.len = sizeof(buf);
 		tmp.ptr = buf;
 		msg = (struct nlmsghdr*)tmp.ptr;
@@ -603,28 +893,28 @@ static status_t netlink_send(int socket, struct nlmsghdr *in,
 		{
 			if (errno == EINTR)
 			{
-				DBG1(DBG_IKE, "got interrupted");
+				DBG1(DBG_KNL, "got interrupted");
 				/* interrupted, try again */
 				continue;
 			}
-			DBG1(DBG_IKE, "error reading from netlink socket: %s", strerror(errno));
-			pthread_mutex_unlock(&mutex);
+			DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
+			pthread_mutex_unlock(&this->mutex);
 			return FAILED;
 		}
 		if (!NLMSG_OK(msg, len))
 		{
-			DBG1(DBG_IKE, "received corrupted netlink message");
-			pthread_mutex_unlock(&mutex);
+			DBG1(DBG_KNL, "received corrupted netlink message");
+			pthread_mutex_unlock(&this->mutex);
 			return FAILED;
 		}
-		if (msg->nlmsg_seq != seq)
+		if (msg->nlmsg_seq != this->seq)
 		{
-			DBG1(DBG_IKE, "received invalid netlink sequence number");
-			if (msg->nlmsg_seq < seq)
+			DBG1(DBG_KNL, "received invalid netlink sequence number");
+			if (msg->nlmsg_seq < this->seq)
 			{
 				continue;
 			}
-			pthread_mutex_unlock(&mutex);
+			pthread_mutex_unlock(&this->mutex);
 			return FAILED;
 		}
 		
@@ -636,7 +926,7 @@ static status_t netlink_send(int socket, struct nlmsghdr *in,
 		len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
 					   (struct sockaddr*)&addr, &addr_len);
 		
-		if (len == sizeof(peek) && peek.nlmsg_seq == seq)
+		if (len == sizeof(peek) && peek.nlmsg_seq == this->seq)
 		{
 			/* seems to be multipart */
 			continue;
@@ -647,7 +937,7 @@ static status_t netlink_send(int socket, struct nlmsghdr *in,
 	*out_len = result.len;
 	*out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
 	
-	pthread_mutex_unlock(&mutex);
+	pthread_mutex_unlock(&this->mutex);
 	
 	return SUCCESS;
 }
@@ -655,12 +945,13 @@ static status_t netlink_send(int socket, struct nlmsghdr *in,
 /**
  * send a netlink message and wait for its acknowlegde
  */
-static status_t netlink_send_ack(int socket, struct nlmsghdr *in)
+static status_t netlink_send_ack(private_kernel_interface_t *this,
+								 int socket, struct nlmsghdr *in)
 {
 	struct nlmsghdr *out, *hdr;
 	size_t len;
 
-	if (netlink_send(socket, in, &out, &len) != SUCCESS)
+	if (netlink_send(this, socket, in, &out, &len) != SUCCESS)
 	{
 		return FAILED;
 	}
@@ -697,132 +988,153 @@ static status_t netlink_send_ack(int socket, struct nlmsghdr *in)
 }
 	
 /**
- * Create a list of local addresses.
+ * Initialize a list of local addresses.
  */
-static linked_list_t *create_address_list(private_kernel_interface_t *this)
+static status_t init_address_list(private_kernel_interface_t *this)
 {
 	char request[BUFFER_SIZE];
-	struct nlmsghdr *out, *hdr;
+	struct nlmsghdr *out, *current, *in;
 	struct rtgenmsg *msg;
 	size_t len;
-	linked_list_t *list;
-	
-	DBG2(DBG_IKE, "getting local address list");
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
 	
-	list = linked_list_create();
+	DBG1(DBG_KNL, "listening on interfaces:");
 	
 	memset(&request, 0, sizeof(request));
 
-	hdr = (struct nlmsghdr*)&request;
-	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
-	hdr->nlmsg_type = RTM_GETADDR;
-	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
-	msg = (struct rtgenmsg*)NLMSG_DATA(hdr);
+	in = (struct nlmsghdr*)&request;
+	in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
+	in->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
+	msg = (struct rtgenmsg*)NLMSG_DATA(in);
 	msg->rtgen_family = AF_UNSPEC;
-		
-	if (netlink_send(this->socket_rt, hdr, &out, &len) == SUCCESS)
+	
+	/* get all links */
+	in->nlmsg_type = RTM_GETLINK;
+	if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
 	{
-		hdr = out;
-		while (NLMSG_OK(hdr, len))
+		return FAILED;
+	}
+	current = out;
+	while (NLMSG_OK(current, len))
+	{
+		switch (current->nlmsg_type)
 		{
-			switch (hdr->nlmsg_type)
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWLINK:
+				process_link(this, current, FALSE);
+				/* fall through */
+			default:
+				current = NLMSG_NEXT(current, len);
+				continue;
+		}
+		break;
+	}
+	free(out);
+	
+	/* get all interface addresses */
+	in->nlmsg_type = RTM_GETADDR;
+	if (netlink_send(this, this->socket_rt, in, &out, &len) != SUCCESS)
+	{
+		return FAILED;
+	}
+	current = out;
+	while (NLMSG_OK(current, len))
+	{
+		switch (current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWADDR:
+				process_addr(this, current, FALSE);
+				/* fall through */
+			default:
+				current = NLMSG_NEXT(current, len);
+				continue;
+		}
+		break;
+	}
+	free(out);
+	
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
+	{
+		if (iface->flags & IFF_UP)
+		{
+			DBG1(DBG_KNL, "  %s", iface->ifname);
+			addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+			while (addrs->iterate(addrs, (void**)&addr))
 			{
-				case RTM_NEWADDR:
-				{
-					struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
-	      			struct rtattr *rta = IFA_RTA(msg);
-	     			size_t rtasize = IFA_PAYLOAD (hdr);
-					host_t *host = NULL;
-					char *name = NULL;
-					chunk_t local = chunk_empty, address = chunk_empty;
-	     			
-					while(RTA_OK(rta, rtasize))
-					{
-						switch (rta->rta_type)
-						{
-							case IFA_LOCAL:
-								local.ptr = RTA_DATA(rta);
-								local.len = RTA_PAYLOAD(rta);
-								break;
-							case IFA_ADDRESS:
-								address.ptr = RTA_DATA(rta);
-								address.len = RTA_PAYLOAD(rta);
-								break;
-							case IFA_LABEL:
-								name = RTA_DATA(rta);
-								break;
-						}
-						rta = RTA_NEXT(rta, rtasize);
-					}
-					
-					/* For PPP interfaces, we need the IFA_LOCAL address,
-					 * IFA_ADDRESS is the peers address. But IFA_LOCAL is
-					 * not included in all cases, so fallback to IFA_ADDRESS. */
-					if (local.ptr)
-					{
-						host = host_create_from_chunk(msg->ifa_family, local, 0);
-					}
-					else if (address.ptr)
-					{
-						host = host_create_from_chunk(msg->ifa_family, address, 0);
-					}
-					
-					if (host)
-					{
-						address_entry_t *entry;
-						
-						entry = malloc_thing(address_entry_t);
-						entry->host = host;
-						entry->ifindex = msg->ifa_index;
-						if (name)
-						{
-							memcpy(entry->ifname, name, IFNAMSIZ);
-						}
-						else
-						{
-							strcpy(entry->ifname, "(unknown)");
-						}
-						list->insert_last(list, entry);
-					}
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				}
-				default:
-					hdr = NLMSG_NEXT(hdr, len);
-					continue;
-				case NLMSG_DONE:
-					break;
+				DBG1(DBG_KNL, "    %H", addr->ip);
 			}
-			break;
+			addrs->destroy(addrs);
 		}
-		free(out);
 	}
-	else
-	{
-		DBG1(DBG_IKE, "unable to get local address list");
+	ifaces->destroy(ifaces);
+	return SUCCESS;
+}
+
+/**
+ * iterator hook to iterate over addrs
+ */
+static hook_result_t addr_hook(private_kernel_interface_t *this,
+							   addr_entry_t *in, host_t **out)
+{
+	if (in->virtual)
+	{	/* skip virtual interfaces added by us */
+		return HOOK_SKIP;
+	}
+	if (in->scope >= RT_SCOPE_LINK)
+	{	/* skip addresses with a unusable scope */
+		return HOOK_SKIP;
+	}
+	*out = in->ip;
+	return HOOK_NEXT;
+}
+								
+/**
+ * iterator hook to iterate over ifaces
+ */
+static hook_result_t iface_hook(private_kernel_interface_t *this,
+								iface_entry_t *in, host_t **out)
+{
+	if (!(in->flags & IFF_UP))
+	{	/* skip interfaces not up */
+		return HOOK_SKIP;
 	}
 
-	return list;
+	if (this->hiter == NULL)
+	{
+		this->hiter = in->addrs->create_iterator(in->addrs, TRUE);
+		this->hiter->set_iterator_hook(this->hiter,
+									   (iterator_hook_t*)addr_hook, this);
+	}
+	while (this->hiter->iterate(this->hiter, (void**)out))
+	{
+		return HOOK_AGAIN;
+	}
+	this->hiter->destroy(this->hiter);
+	this->hiter = NULL;
+	return HOOK_SKIP;
 }
 
 /**
- * Implements kernel_interface_t.create_address_list.
+ * Implements kernel_interface_t.create_address_iterator.
  */
-static linked_list_t *create_address_list_public(private_kernel_interface_t *this)
+static iterator_t *create_address_iterator(private_kernel_interface_t *this)
 {
-	linked_list_t *result, *list;
-	address_entry_t *entry;
+	iterator_t *iterator;
 	
-	result = linked_list_create();
-	list = create_address_list(this);
-	while (list->remove_last(list, (void**)&entry) == SUCCESS)
-	{
-		result->insert_last(result, entry->host);
-		free(entry);
-	}
-	list->destroy(list);
+	/* This iterator is not only hooked, is is double-hooked. As we have stored
+	 * our addresses in iface_entry->addr_entry->ip, we need to iterate the
+	 * entries in each interface we iterate. This does the iface_hook. The
+	 * addr_hook returns the ip instead of the addr_entry. */
 	
-	return result;
+	iterator = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	iterator->set_iterator_hook(iterator, (iterator_hook_t*)iface_hook, this);
+	return iterator;
 }
 
 /**
@@ -830,30 +1142,40 @@ static linked_list_t *create_address_list_public(private_kernel_interface_t *thi
  */
 static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
 {
-	linked_list_t *list;
-	address_entry_t *entry;
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
 	char *name = NULL;
 	
-	DBG2(DBG_IKE, "getting interface name for %H", ip);
+	DBG2(DBG_KNL, "getting interface name for %H", ip);
 	
-	list = create_address_list(this);
-	while (!name && list->remove_last(list, (void**)&entry) == SUCCESS)
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
 	{
-		if (ip->ip_equals(ip, entry->host))
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
+		{
+			if (ip->ip_equals(ip, addr->ip))
+			{
+				name = strdup(iface->ifname);
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (name)
 		{
-			name = strdup(entry->ifname);
+			break;
 		}
-		address_entry_destroy(entry);
 	}
-	list->destroy_function(list, (void*)address_entry_destroy);
+	ifaces->destroy(ifaces);
 	
 	if (name)
 	{
-		DBG2(DBG_IKE, "%H is on interface %s", ip, name);
+		DBG2(DBG_KNL, "%H is on interface %s", ip, name);
 	}
 	else
 	{
-		DBG2(DBG_IKE, "%H is not a local address", ip);
+		DBG2(DBG_KNL, "%H is not a local address", ip);
 	}
 	return name;
 }
@@ -865,13 +1187,14 @@ static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
 static status_t get_address_by_ts(private_kernel_interface_t *this,
 								  traffic_selector_t *ts, host_t **ip)
 {
-	address_entry_t *entry;
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
 	host_t *host;
 	int family;
-	linked_list_t *list;
 	bool found = FALSE;
 	
-	DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts);
+	DBG2(DBG_KNL, "getting a local address in traffic selector %R", ts);
 	
 	/* if we have a family which includes localhost, we do not
 	 * search for an IP, we use the default */
@@ -890,29 +1213,38 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
 	{
 		*ip = host_create_any(family);
 		host->destroy(host);
-		DBG2(DBG_IKE, "using host %H", *ip);
+		DBG2(DBG_KNL, "using host %H", *ip);
 		return SUCCESS;
 	}
 	host->destroy(host);
 	
-	list = create_address_list(this);
-	while (!found && list->remove_last(list, (void**)&entry) == SUCCESS)
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces,	&this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
 	{
-		if (ts->includes(ts, entry->host))
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
 		{
-			found = TRUE;
-			*ip = entry->host->clone(entry->host);
+			if (ts->includes(ts, addr->ip))
+			{
+				found = TRUE;
+				*ip = addr->ip->clone(addr->ip);
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (found)
+		{
+			break;
 		}
-		address_entry_destroy(entry);
 	}
-	list->destroy_function(list, (void*)address_entry_destroy);
+	ifaces->destroy(ifaces);
 	
 	if (!found)
 	{
-		DBG1(DBG_IKE, "no local address found in traffic selector %R", ts);
+		DBG1(DBG_KNL, "no local address found in traffic selector %R", ts);
 		return FAILED;
 	}
-	DBG2(DBG_IKE, "using host %H", *ip);
+	DBG2(DBG_KNL, "using host %H", *ip);
 	return SUCCESS;
 }
 
@@ -921,26 +1253,36 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
  */
 static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
 {
-	linked_list_t *list;
-	address_entry_t *entry;
+	iterator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
 	int ifindex = 0;
 	
-	DBG2(DBG_IKE, "getting iface for %H", ip);
+	DBG2(DBG_KNL, "getting iface for %H", ip);
 	
-	list = create_address_list(this);
-	while (!ifindex && list->remove_last(list, (void**)&entry) == SUCCESS)
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces,	&this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
 	{
-		if (ip->ip_equals(ip, entry->host))
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
+		{
+			if (ip->ip_equals(ip, addr->ip))
+			{
+				ifindex = iface->ifindex;
+				break;
+			}
+		}
+		addrs->destroy(addrs);
+		if (ifindex)
 		{
-			ifindex = entry->ifindex;
+			break;
 		}
-		address_entry_destroy(entry);
 	}
-	list->destroy_function(list, (void*)address_entry_destroy);
-	
+	ifaces->destroy(ifaces);
+
 	if (ifindex == 0)
 	{
-		DBG1(DBG_IKE, "unable to get interface for %H", ip);
+		DBG1(DBG_KNL, "unable to get interface for %H", ip);
 	}
 	return ifindex;
 }
@@ -975,7 +1317,7 @@ static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
 	
 	add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
 
-	return netlink_send_ack(this->socket_rt, hdr);
+	return netlink_send_ack(this, this->socket_rt, hdr);
 }
 
 /**
@@ -1036,107 +1378,206 @@ static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type
 	chunk.len = sizeof(route->if_index);
 	add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
 
-	return netlink_send_ack(this->socket_rt, hdr);
+	return netlink_send_ack(this, this->socket_rt, hdr);
 }
 
-
 /**
- * Implementation of kernel_interface_t.add_ip.
+ * Get the nexthop gateway for dest; or the source addr if gateway = FALSE
  */
-static status_t add_ip(private_kernel_interface_t *this, 
-						host_t *virtual_ip, host_t *iface_ip)
+static host_t* get_addr(private_kernel_interface_t *this,
+						host_t *dest, bool gateway)
 {
-	int targetif;
-	vip_entry_t *listed;
-	iterator_t *iterator;
+	unsigned char request[BUFFER_SIZE];
+	struct nlmsghdr *hdr, *out, *current;
+	struct rtmsg *msg;
+	chunk_t chunk;
+	size_t len;
+	host_t *addr = NULL;
+	
+	DBG2(DBG_KNL, "getting address to reach %H", dest);
+	
+	memset(&request, 0, sizeof(request));
 
-	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
+	hdr = (struct nlmsghdr*)request;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = RTM_GETROUTE;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
 
-	targetif = get_interface_index(this, iface_ip);
-	if (targetif == 0)
+	msg = (struct rtmsg*)NLMSG_DATA(hdr);
+	msg->rtm_family = dest->get_family(dest);
+	msg->rtm_dst_len = msg->rtm_family == AF_INET ? 32 : 128;
+	msg->rtm_table = RT_TABLE_MAIN;
+	msg->rtm_protocol = RTPROT_STATIC;
+	msg->rtm_type = RTN_UNICAST;
+	msg->rtm_scope = RT_SCOPE_UNIVERSE;
+	
+	chunk = dest->get_address(dest);
+	add_attribute(hdr, RTA_DST, chunk, sizeof(request));
+			
+	if (netlink_send(this, this->socket_rt, hdr, &out, &len) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H",
-			 virtual_ip, iface_ip);
-		return FAILED;
+		DBG1(DBG_KNL, "getting address to %H failed", dest);
+		return NULL;
 	}
-
-	/* beware of deadlocks (e.g. send/receive packets while holding the lock) */
-	iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
-	while (iterator->iterate(iterator, (void**)&listed))
+	current = out;
+	while (NLMSG_OK(current, len))
 	{
-		if (listed->if_index == targetif &&
-			virtual_ip->ip_equals(virtual_ip, listed->ip))
+		switch (current->nlmsg_type)
 		{
-			listed->refcount++;
-			iterator->destroy(iterator);
-			DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it",
-				 virtual_ip, targetif);
-			return SUCCESS;
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWROUTE:
+			{
+				struct rtattr *rta;
+				size_t rtasize;
+				
+				msg = (struct rtmsg*)(NLMSG_DATA(current));
+				rta = RTM_RTA(msg);
+				rtasize = RTM_PAYLOAD(current);
+				while(RTA_OK(rta, rtasize))
+				{
+					if ((rta->rta_type == RTA_PREFSRC && !gateway) ||
+						(rta->rta_type == RTA_GATEWAY && gateway))
+					{
+						chunk.ptr = RTA_DATA(rta);
+						chunk.len = RTA_PAYLOAD(rta);
+						addr = host_create_from_chunk(msg->rtm_family, 
+													  chunk, 0);
+						break;
+					}
+					rta = RTA_NEXT(rta, rtasize);
+				}
+				break;
+			}
+			default:
+				current = NLMSG_NEXT(current, len);
+				continue;
 		}
+		break;
 	}
-	iterator->destroy(iterator);
+	free(out);
+	if (addr == NULL)
+	{
+		DBG2(DBG_KNL, "no route found to %H", dest);
+	}
+	return addr;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_interface_t *this, host_t *dest)
+{
+	return get_addr(this, dest, FALSE);
+}
 
-	if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
-					  targetif, virtual_ip) == SUCCESS)
+/**
+ * Implementation of kernel_interface_t.add_ip.
+ */
+static status_t add_ip(private_kernel_interface_t *this, 
+						host_t *virtual_ip, host_t *iface_ip)
+{
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	iterator_t *addrs, *ifaces;
+
+	DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
+	
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
 	{
-		listed = malloc_thing(vip_entry_t);
-		listed->ip = virtual_ip->clone(virtual_ip);
-		listed->if_index = targetif;
-		listed->refcount = 1;
-		this->vips->insert_last(this->vips, listed);
-		DBG2(DBG_KNL, "virtual IP %H added to iface %d",
-				 virtual_ip, targetif);
-		return SUCCESS;
+		bool iface_found = FALSE;
+	
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
+		{
+			if (iface_ip->ip_equals(iface_ip, addr->ip))
+			{
+				iface_found = TRUE;
+			}
+			else if (virtual_ip->ip_equals(virtual_ip, addr->ip))
+			{
+				addr->refcount++;
+				DBG2(DBG_KNL, "virtual IP %H already installed on %s",
+					 virtual_ip, iface->ifname);
+				addrs->destroy(addrs);
+				ifaces->destroy(ifaces);
+				return SUCCESS;
+			}
+		}
+		addrs->destroy(addrs);
+		
+		if (iface_found)
+		{
+			int ifindex = iface->ifindex;
+			ifaces->destroy(ifaces);
+			if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
+							  ifindex, virtual_ip) == SUCCESS)
+			{
+				addr = malloc_thing(addr_entry_t);
+				addr->ip = virtual_ip->clone(virtual_ip);
+				addr->refcount = 1;
+				addr->virtual = TRUE;
+				addr->scope = RT_SCOPE_UNIVERSE;
+				pthread_mutex_lock(&this->mutex);
+				iface->addrs->insert_last(iface->addrs, addr);
+				pthread_mutex_unlock(&this->mutex);
+				return SUCCESS;
+			}
+			DBG2(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
+			return FAILED;
+			
+		}
+		
 	}
+	ifaces->destroy(ifaces);
 	
-	DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d",
-		 virtual_ip, targetif);
+	DBG2(DBG_KNL, "interface address %H not found, unable to install"
+		 "virtual IP %H", iface_ip, virtual_ip);
 	return FAILED;
 }
 
 /**
  * Implementation of kernel_interface_t.del_ip.
  */
-static status_t del_ip(private_kernel_interface_t *this,
-						host_t *virtual_ip, host_t *iface_ip)
+static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
 {
-	int targetif;
-	vip_entry_t *listed;
-	iterator_t *iterator;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	iterator_t *addrs, *ifaces;
 
 	DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
-
-	targetif = get_interface_index(this, iface_ip);
-	if (targetif == 0)
-	{
-		DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H",
-			 virtual_ip, iface_ip);
-		return FAILED;
-	}
-
-	/* beware of deadlocks (e.g. send/receive packets while holding the lock) */
-	iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
-	while (iterator->iterate(iterator, (void**)&listed))
+	
+	ifaces = this->ifaces->create_iterator_locked(this->ifaces, &this->mutex);
+	while (ifaces->iterate(ifaces, (void**)&iface))
 	{
-		if (listed->if_index == targetif &&
-			virtual_ip->ip_equals(virtual_ip, listed->ip))
+		addrs = iface->addrs->create_iterator(iface->addrs, TRUE);
+		while (addrs->iterate(addrs, (void**)&addr))
 		{
-			listed->refcount--;
-			if (listed->refcount == 0)
+			if (virtual_ip->ip_equals(virtual_ip, addr->ip))
 			{
-				iterator->remove(iterator);
-				vip_entry_destroy(listed);
-				iterator->destroy(iterator);
-				return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip);
+				int ifindex = iface->ifindex;
+				addr->refcount--;
+				if (addr->refcount == 0)
+				{
+					addrs->remove(addrs);
+					addrs->destroy(addrs);
+					ifaces->destroy(ifaces);
+					addr_entry_destroy(addr);
+					return manage_ipaddr(this, RTM_DELADDR, 0,
+										 ifindex, virtual_ip);
+				}
+				DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
+					 virtual_ip);
+				addrs->destroy(addrs);
+				ifaces->destroy(ifaces);
+				return SUCCESS;
 			}
-			iterator->destroy(iterator);
-			DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
-		 		 virtual_ip);
-			return SUCCESS;
 		}
+		addrs->destroy(addrs);
 	}
-	iterator->destroy(iterator);
- 
+	ifaces->destroy(ifaces);
+	
 	DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
 	return FAILED;
 }
@@ -1174,7 +1615,7 @@ static status_t get_spi(private_kernel_interface_t *this,
 	userspi->min = 0xc0000000;
 	userspi->max = 0xcFFFFFFF;
 	
-	if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
 		while (NLMSG_OK(hdr, len))
@@ -1226,7 +1667,7 @@ static status_t add_sa(private_kernel_interface_t *this,
 					   protocol_id_t protocol, u_int32_t reqid,
 					   u_int64_t expire_soft, u_int64_t expire_hard,
 					   algorithm_t *enc_alg, algorithm_t *int_alg,
-					   prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
+					   prf_plus_t *prf_plus, mode_t mode, bool encap,
 					   bool replace)
 {
 	unsigned char request[BUFFER_SIZE];
@@ -1324,7 +1765,7 @@ static status_t add_sa(private_kernel_interface_t *this,
 	
 	/* TODO: add IPComp here */
 	
-	if (natt)
+	if (encap)
 	{
 		rthdr->rta_type = XFRMA_ENCAP;
 		rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
@@ -1335,11 +1776,11 @@ static status_t add_sa(private_kernel_interface_t *this,
 			return FAILED;
 		}
 
-		struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
-		encap->encap_type = UDP_ENCAP_ESPINUDP;
-		encap->encap_sport = htons(natt->sport);
-		encap->encap_dport = htons(natt->dport);
-		memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
+		struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
+		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
+		tmpl->encap_sport = htons(src->get_port(src));
+		tmpl->encap_dport = htons(dst->get_port(dst));
+		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
 		/* encap_oa could probably be derived from the 
 		 * traffic selectors [rfc4306, p39]. In the netlink kernel implementation 
 		 * pluto does the same as we do here but it uses encap_oa in the 
@@ -1352,9 +1793,9 @@ static status_t add_sa(private_kernel_interface_t *this,
 		rthdr = XFRM_RTA_NEXT(rthdr);
 	}
 	
-	if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi);
+		DBG1(DBG_KNL, "unable to add SAD entry with SPI 0x%x", spi);
 		return FAILED;
 	}
 	return SUCCESS;
@@ -1364,21 +1805,24 @@ static status_t add_sa(private_kernel_interface_t *this,
  * Implementation of kernel_interface_t.update_sa.
  */
 static status_t update_sa(private_kernel_interface_t *this,
-						  host_t *src, host_t *dst, 
-						  host_t *new_src, host_t *new_dst, 
-						  host_diff_t src_changes, host_diff_t dst_changes,
-						  u_int32_t spi, protocol_id_t protocol)
+						  u_int32_t spi, protocol_id_t protocol,
+						  host_t *src, host_t *dst,
+						  host_t *new_src, host_t *new_dst, bool encap)
 {
-	unsigned char request[BUFFER_SIZE];
+	unsigned char request[BUFFER_SIZE], *pos;
 	struct nlmsghdr *hdr, *out = NULL;
 	struct xfrm_usersa_id *sa_id;
-	struct xfrm_usersa_info *sa = NULL;
+	struct xfrm_usersa_info *out_sa = NULL, *sa;
 	size_t len;
+	struct rtattr *rta;
+	size_t rtasize;
+	struct xfrm_encap_tmpl* tmpl = NULL;
 	
 	memset(&request, 0, sizeof(request));
 	
-	DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
+	DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x for update", spi);
 
+	/* query the exisiting SA first */
 	hdr = (struct nlmsghdr*)request;
 	hdr->nlmsg_flags = NLM_F_REQUEST;
 	hdr->nlmsg_type = XFRM_MSG_GETSA;
@@ -1390,7 +1834,7 @@ static status_t update_sa(private_kernel_interface_t *this,
 	sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
 	sa_id->family = dst->get_family(dst);
 	
-	if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
 		while (NLMSG_OK(hdr, len))
@@ -1399,7 +1843,7 @@ static status_t update_sa(private_kernel_interface_t *this,
 			{
 				case XFRM_MSG_NEWSA:
 				{
-					sa = NLMSG_DATA(hdr);
+					out_sa = NLMSG_DATA(hdr);
 					break;
 				}
 				case NLMSG_ERROR:
@@ -1418,59 +1862,76 @@ static status_t update_sa(private_kernel_interface_t *this,
 			break;
 		}
 	}
-	if (sa == NULL)
+	if (out_sa == NULL ||
+		this->public.del_sa(&this->public, dst, spi, protocol) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
 		free(out);
 		return FAILED;
 	}
 	
-	DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi);
+	DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x from %#H..%#H to %#H..%#H",
+		 spi, src, dst, new_src, new_dst);
 	
-	hdr = out;
+	/* copy over the SA from out to request */
+	hdr = (struct nlmsghdr*)request;
+	memcpy(hdr, out, min(out->nlmsg_len, sizeof(request)));
 	hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;	
-	hdr->nlmsg_type = XFRM_MSG_UPDSA;
+	hdr->nlmsg_type = XFRM_MSG_NEWSA;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
+	sa = NLMSG_DATA(hdr);
+	sa->family = new_dst->get_family(new_dst);
 	
-	if (src_changes & HOST_DIFF_ADDR)
+	if (!src->ip_equals(src, new_src))
 	{
 		host2xfrm(new_src, &sa->saddr);
 	}
-
-	if (dst_changes & HOST_DIFF_ADDR)
+	if (!dst->ip_equals(dst, new_dst))
 	{
-		hdr->nlmsg_type = XFRM_MSG_NEWSA;
 		host2xfrm(new_dst, &sa->id.daddr);
 	}
 	
-	if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
+	rta = XFRM_RTA(out, struct xfrm_usersa_info);
+	rtasize = XFRM_PAYLOAD(out, struct xfrm_usersa_info);
+	pos = (u_char*)XFRM_RTA(hdr, struct xfrm_usersa_info);
+	while(RTA_OK(rta, rtasize))
 	{
-		struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
-		size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
-		while (RTA_OK(rtattr, rtsize))
+		/* copy all attributes, but not XFRMA_ENCAP if we are disabling it */
+		if (rta->rta_type != XFRMA_ENCAP || encap)
 		{
-			if (rtattr->rta_type == XFRMA_ENCAP)
-			{
-				struct xfrm_encap_tmpl* encap;
-				encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
-				encap->encap_sport = ntohs(new_src->get_port(new_src));
-				encap->encap_dport = ntohs(new_dst->get_port(new_dst));
-				break;
-			}
-			rtattr = RTA_NEXT(rtattr, rtsize);
+			if (rta->rta_type == XFRMA_ENCAP)
+			{	/* update encap tmpl */
+				tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
+				tmpl->encap_sport = ntohs(new_src->get_port(new_src));
+				tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
+			}	
+			memcpy(pos, rta, rta->rta_len);
+			pos += rta->rta_len;
+			hdr->nlmsg_len += rta->rta_len;
 		}
+		rta = RTA_NEXT(rta, rtasize);
+	}
+	if (tmpl == NULL && encap)
+	{	/* add tmpl if we are enabling it */
+		rta = (struct rtattr*)pos;
+		rta->rta_type = XFRMA_ENCAP;
+		rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
+		hdr->nlmsg_len += rta->rta_len;
+		tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta);
+		tmpl->encap_type = UDP_ENCAP_ESPINUDP;
+		tmpl->encap_sport = ntohs(new_src->get_port(new_src));
+		tmpl->encap_dport = ntohs(new_dst->get_port(new_dst));
+		memset(&tmpl->encap_oa, 0, sizeof (xfrm_address_t));
 	}
-	if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	
+	if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
+		DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
 		free(out);
 		return FAILED;
 	}
 	free(out);
 	
-	if (dst_changes & HOST_DIFF_ADDR)
-	{
-		return this->public.del_sa(&this->public, dst, spi, protocol);
-	}
 	return SUCCESS;
 }
 
@@ -1501,7 +1962,7 @@ static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
 	sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
 	sa_id->family = dst->get_family(dst);
 	
-	if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
 		while (NLMSG_OK(hdr, len))
@@ -1567,9 +2028,9 @@ static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
 	sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
 	sa_id->family = dst->get_family(dst);
 	
-	if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
 	{
-		DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
+		DBG1(DBG_KNL, "unable to delete SAD entry with SPI 0x%x", spi);
 		return FAILED;
 	}
 	DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
@@ -1584,8 +2045,7 @@ static status_t add_policy(private_kernel_interface_t *this,
 						   traffic_selector_t *src_ts,
 						   traffic_selector_t *dst_ts,
 						   policy_dir_t direction, protocol_id_t protocol,
-						   u_int32_t reqid, bool high_prio, mode_t mode,
-						   bool update)
+						   u_int32_t reqid, bool high_prio, mode_t mode)
 {
 	iterator_t *iterator;
 	policy_entry_t *current, *policy;
@@ -1601,7 +2061,7 @@ static status_t add_policy(private_kernel_interface_t *this,
 	policy->direction = direction;
 	
 	/* find the policy, which matches EXACTLY */
-	pthread_mutex_lock(&this->policies_mutex);
+	pthread_mutex_lock(&this->mutex);
 	iterator = this->policies->create_iterator(this->policies, TRUE);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
@@ -1609,12 +2069,9 @@ static status_t add_policy(private_kernel_interface_t *this,
 			policy->direction == current->direction)
 		{
 			/* use existing policy */
-			if (!update)
-			{
-				current->refcount++;
-				DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
-					 "refcount", src_ts, dst_ts);
-			}
+			current->refcount++;
+			DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
+				 "refcount", src_ts, dst_ts);
 			free(policy);
 			policy = current;
 			found = TRUE;
@@ -1646,7 +2103,7 @@ static status_t add_policy(private_kernel_interface_t *this,
 	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
 	policy_info->action = XFRM_POLICY_ALLOW;
 	policy_info->share = XFRM_SHARE_ANY;
-	pthread_mutex_unlock(&this->policies_mutex);
+	pthread_mutex_unlock(&this->mutex);
 	
 	/* policies don't expire */
 	policy_info->lft.soft_byte_limit = XFRM_INF;
@@ -1680,7 +2137,7 @@ static status_t add_policy(private_kernel_interface_t *this,
 	host2xfrm(src, &tmpl->saddr);
 	host2xfrm(dst, &tmpl->id.daddr);
 	
-	if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
 		return FAILED;
@@ -1698,7 +2155,13 @@ static status_t add_policy(private_kernel_interface_t *this,
 		policy->route = malloc_thing(route_entry_t);
 		if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
 		{
-			policy->route->gateway = dst->clone(dst);
+			/* if we have a gateway (via), we use it. If it's direct, we 
+			 * use the peers address (which is src, as we are in POLICY_FWD).*/
+			policy->route->gateway = get_addr(this, src, TRUE);
+			if (policy->route->gateway == NULL)
+			{
+				policy->route->gateway = src->clone(src);
+			}
 			policy->route->if_index = get_interface_index(this, dst);
 			policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
 			memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
@@ -1750,7 +2213,7 @@ static status_t query_policy(private_kernel_interface_t *this,
 	policy_id->sel = ts2selector(src_ts, dst_ts);
 	policy_id->dir = direction;
 	
-	if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+	if (netlink_send(this, this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 	{
 		hdr = out;
 		while (NLMSG_OK(hdr, len))
@@ -1814,8 +2277,7 @@ static status_t del_policy(private_kernel_interface_t *this,
 	policy.direction = direction;
 	
 	/* find the policy */
-	pthread_mutex_lock(&this->policies_mutex);
-	iterator = this->policies->create_iterator(this->policies, TRUE);
+	iterator = this->policies->create_iterator_locked(this->policies, &this->mutex);
 	while (iterator->iterate(iterator, (void**)&current))
 	{
 		if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
@@ -1827,7 +2289,6 @@ static status_t del_policy(private_kernel_interface_t *this,
 				/* is used by more SAs, keep in kernel */
 				DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
 				iterator->destroy(iterator);
-				pthread_mutex_unlock(&this->policies_mutex);
 				return SUCCESS;
 			}
 			/* remove if last reference */
@@ -1836,7 +2297,6 @@ static status_t del_policy(private_kernel_interface_t *this,
 		}
 	}
 	iterator->destroy(iterator);
-	pthread_mutex_unlock(&this->policies_mutex);
 	if (!to_delete)
 	{
 		DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
@@ -1857,7 +2317,7 @@ static status_t del_policy(private_kernel_interface_t *this,
 	route = to_delete->route;
 	free(to_delete);
 	
-	if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
+	if (netlink_send_ack(this, this->socket_xfrm, hdr) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
 		return FAILED;
@@ -1880,13 +2340,13 @@ static status_t del_policy(private_kernel_interface_t *this,
  */
 static void destroy(private_kernel_interface_t *this)
 {
-	pthread_cancel(this->event_thread);
-	pthread_join(this->event_thread, NULL);
+	this->job->cancel(this->job);
 	close(this->socket_xfrm_events);
 	close(this->socket_xfrm);
+	close(this->socket_rt_events);
 	close(this->socket_rt);
-	this->vips->destroy(this->vips);
 	this->policies->destroy(this->policies);
+	this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
 	free(this);
 }
 
@@ -1900,41 +2360,29 @@ kernel_interface_t *kernel_interface_create()
 	
 	/* public functions */
 	this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
-	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
-	this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
+	this->public.add_sa  = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,mode_t,bool,bool))add_sa;
+	this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_t*,host_t*,bool))update_sa;
 	this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
 	this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
-	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
+	this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t))add_policy;
 	this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
 	this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
-
 	this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
-	this->public.create_address_list = (linked_list_t*(*)(kernel_interface_t*))create_address_list_public;
+	this->public.create_address_iterator = (iterator_t*(*)(kernel_interface_t*))create_address_iterator;
+	this->public.get_source_addr = (host_t*(*)(kernel_interface_t*, host_t *dest))get_source_addr;
 	this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
-	this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
+	this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*)) del_ip;
 	this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
 
 	/* private members */
-	this->vips = linked_list_create();
 	this->policies = linked_list_create();
-	pthread_mutex_init(&this->policies_mutex,NULL);
-	pthread_mutex_init(&this->vips_mutex,NULL);
+	this->ifaces = linked_list_create();
+	this->hiter = NULL;
+	this->seq = 200;
+	pthread_mutex_init(&this->mutex,NULL);
 	
+	memset(&addr, 0, sizeof(addr));
 	addr.nl_family = AF_NETLINK;
-	addr.nl_pid = 0;
-	addr.nl_groups = 0;
-	
-	/* create and bind XFRM socket */
-	this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
-	if (this->socket_xfrm <= 0)
-	{
-		charon->kill(charon, "unable to create XFRM netlink socket");
-	}
-	
-	if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
-	{
-		charon->kill(charon, "unable to bind XFRM netlink socket");
-	}
 	
 	/* create and bind RT socket */
 	this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
@@ -1942,33 +2390,58 @@ kernel_interface_t *kernel_interface_create()
 	{
 		charon->kill(charon, "unable to create RT netlink socket");
 	}
-	
+	addr.nl_groups = 0;
 	if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
 	{
 		charon->kill(charon, "unable to bind RT netlink socket");
 	}
 	
+	/* create and bind RT socket for events (address/interface/route changes) */
+	this->socket_rt_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+	if (this->socket_rt_events <= 0)
+	{
+		charon->kill(charon, "unable to create RT event socket");
+	}
+	addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | 
+					 RTMGRP_IPV4_ROUTE | RTMGRP_IPV4_ROUTE | RTMGRP_LINK;
+	if (bind(this->socket_rt_events, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		charon->kill(charon, "unable to bind RT event socket");
+	}
+	
+	/* create and bind XFRM socket */ 
+	this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+	if (this->socket_xfrm <= 0)
+	{
+		charon->kill(charon, "unable to create XFRM netlink socket");
+	}
+	addr.nl_groups = 0;
+	if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
+	{
+		charon->kill(charon, "unable to bind XFRM netlink socket");
+	}
+	
 	/* create and bind XFRM socket for ACQUIRE & EXPIRE */
-	addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
 	this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
 	if (this->socket_xfrm_events <= 0)
 	{
 		charon->kill(charon, "unable to create XFRM event socket");
 	}
-	
+	addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
 	if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
 	{
 		charon->kill(charon, "unable to bind XFRM event socket");
 	}
 	
-	/* create a thread receiving ACQUIRE & EXPIRE events */
-	if (pthread_create(&this->event_thread, NULL,
-					   (void*(*)(void*))receive_events, this))
+	this->job = callback_job_create((callback_job_cb_t)receive_events,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	
+	if (init_address_list(this) != SUCCESS)
 	{
-		charon->kill(charon, "unable to create xfrm event dispatcher thread");
+		charon->kill(charon, "unable to get interface list");
 	}
 	
 	return &this->public;
 }
 
-/* vim: set ts=4 sw=4 noet: */
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index 2a3eaff7a..256c20797 100644
--- a/src/charon/kernel/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -25,7 +25,6 @@
 #ifndef KERNEL_INTERFACE_H_
 #define KERNEL_INTERFACE_H_
 
-typedef struct natt_conf_t natt_conf_t;
 typedef enum policy_dir_t policy_dir_t;
 typedef struct kernel_interface_t kernel_interface_t;
 
@@ -33,17 +32,6 @@ typedef struct kernel_interface_t kernel_interface_t;
 #include <crypto/prf_plus.h>
 #include <encoding/payloads/proposal_substructure.h>
 
-/**
- * Configuration for NAT-T
- *
- * @ingroup kernel
- */
-struct natt_conf_t {
-	/** source port to use for UDP-encapsulated packets */
-	u_int16_t sport;
-	/** dest port to use for UDP-encapsulated packets */
-	u_int16_t dport;
-};
 
 /**
  * Direction of a policy. These are equal to those
@@ -121,8 +109,8 @@ struct kernel_interface_t {
 	 * @param enc_alg		Algorithm to use for encryption (ESP only)
 	 * @param int_alg		Algorithm to use for integrity protection
 	 * @param prf_plus		PRF to derive keys from
-	 * @param natt			NAT-T Configuration, or NULL of no NAT-T used
 	 * @param mode			mode of the SA (tunnel, transport)
+	 * @param encap			enable UDP encapsulation for NAT traversal
 	 * @param replace		Should an already installed SA be updated?
 	 * @return
 	 * 						- SUCCESS
@@ -133,8 +121,8 @@ struct kernel_interface_t {
 						protocol_id_t protocol, u_int32_t reqid,
 						u_int64_t expire_soft, u_int64_t expire_hard,
 						algorithm_t *enc_alg, algorithm_t *int_alg,
-						prf_plus_t *prf_plus, natt_conf_t *natt,
-						mode_t mode, bool update);
+						prf_plus_t *prf_plus, mode_t mode, bool encap,
+						bool update);
 	
 	/**
 	 * @brief Update the hosts on an installed SA.
@@ -145,21 +133,21 @@ struct kernel_interface_t {
 	 * create a new SA and delete the old one.
 	 *
 	 * @param this			calling object
-	 * @param dst			destination address for this SA
 	 * @param spi			SPI of the SA
 	 * @param protocol		protocol for this SA (ESP/AH)
-	 * @param new_src		new source address for this SA
-	 * @param new_dst		new destination address for this SA
-	 * @param src_changes	changes in src
-	 * @param dst_changes	changes in dst
+	 * @param src			current source address
+	 * @param dst			current destination address
+	 * @param new_src		new source address
+	 * @param new_dst		new destination address
+	 * @param encap			use UDP encapsulation
 	 * @return
 	 * 						- SUCCESS
 	 * 						- FAILED if kernel comm failed
 	 */
-	status_t (*update_sa)(kernel_interface_t *this, host_t *dst, u_int32_t spi,
-						  protocol_id_t protocol,
-						  host_t *new_src, host_t *new_dst,
-						  host_diff_t src_changes, host_diff_t dst_changes);
+	status_t (*update_sa)(kernel_interface_t *this,
+						  u_int32_t spi, protocol_id_t protocol,
+						  host_t *src, host_t *dst, 
+						  host_t *new_src, host_t *new_dst, bool encap);
 	
 	/**
 	 * @brief Query the use time of an SA.
@@ -198,10 +186,6 @@ struct kernel_interface_t {
 	 * 
 	 * A policy is always associated to an SA. Traffic which matches a
 	 * policy is handled by the SA with the same reqid.
-	 * If the update flag is set, the policy is updated with the new
-	 * src/dst addresses.
-	 * If the update flag is not set, but a such policy is already in the
-	 * kernel, the reference count to this policy is increased.
 	 * 
 	 * @param this			calling object
 	 * @param src			source address of SA
@@ -213,7 +197,6 @@ struct kernel_interface_t {
 	 * @param reqid			uniqe ID of an SA to use to enforce policy
 	 * @param high_prio		if TRUE, uses a higher priority than any with FALSE
 	 * @param mode			mode of SA (tunnel, transport)
-	 * @param update		update an existing policy, if TRUE
 	 * @return
 	 * 						- SUCCESS
 	 * 						- FAILED if kernel comm failed
@@ -223,8 +206,7 @@ struct kernel_interface_t {
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
 							policy_dir_t direction, protocol_id_t protocol,
-							u_int32_t reqid, bool high_prio, 
-							mode_t mode, bool update);
+							u_int32_t reqid, bool high_prio, mode_t mode);
 	
 	/**
 	 * @brief Query the use time of a policy.
@@ -268,6 +250,18 @@ struct kernel_interface_t {
 							policy_dir_t direction);
 	
 	/**
+	 * @brief Get our outgoing source address for a destination.
+	 *
+	 * Does a route lookup to get the source address used to reach dest.
+	 * The returned host is allocated and must be destroyed.
+	 *
+	 * @param this			calling object
+	 * @param dest			target destination address
+	 * @return				outgoing source address, NULL if unreachable
+	 */
+	host_t* (*get_source_addr)(kernel_interface_t *this, host_t *dest);
+	
+	/**
 	 * @brief Get the interface name of a local address.
 	 *
 	 * @param this			calling object
@@ -277,12 +271,16 @@ struct kernel_interface_t {
 	char* (*get_interface) (kernel_interface_t *this, host_t *host);
 	
 	/**
-	 * @brief Creates a list of all local addresses.
+	 * @brief Creates an iterator over all local addresses.
+	 *
+	 * This function blocks an internal cached address list until the
+	 * iterator gets destroyed.
+	 * These hosts are read-only, do not modify or free.
 	 *
 	 * @param this			calling object
-	 * @return 				allocated list with host_t objects
+	 * @return 				iterator over host_t's
 	 */
-	linked_list_t *(*create_address_list) (kernel_interface_t *this);
+	iterator_t *(*create_address_iterator) (kernel_interface_t *this);
 	
 	/**
 	 * @brief Add a virtual IP to an interface.
@@ -309,13 +307,11 @@ struct kernel_interface_t {
 	 *
 	 * @param this			calling object
 	 * @param virtual_ip	virtual ip address to assign
-	 * @param iface_ip		IP of an interface to remove virtual IP from
 	 * @return
 	 * 						- SUCCESS
 	 * 						- FAILED if kernel comm failed
 	 */
-	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip,
-						host_t *iface_ip);
+	status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip);
 	
 	/**
 	 * @brief Destroys a kernel_interface object.
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
index 9b4bf71ac..1de1dd3d2 100644
--- a/src/charon/network/receiver.c
+++ b/src/charon/network/receiver.c
@@ -30,9 +30,9 @@
 #include <daemon.h>
 #include <network/socket.h>
 #include <network/packet.h>
-#include <processing/job_queue.h>
 #include <processing/jobs/job.h>
 #include <processing/jobs/process_message_job.h>
+#include <processing/jobs/callback_job.h>
 
 /** length of the full cookie, including time (u_int32_t + SHA1()) */
 #define COOKIE_LENGTH 24
@@ -56,12 +56,17 @@ struct private_receiver_t {
 	/**
 	 * Public part of a receiver_t object.
 	 */
-	 receiver_t public;
+	receiver_t public;
+	 
+	/**
+	 * Threads job receiving packets
+	 */
+	callback_job_t *job;
 
-	 /**
-	  * Assigned thread.
-	  */
-	 pthread_t assigned_thread;
+	/**
+	 * Assigned thread.
+	 */
+	pthread_t assigned_thread;
 	 
  	/**
  	 * current secret to use for cookie calculation
@@ -245,94 +250,84 @@ static bool peer_to_aggressive(private_receiver_t *this, message_t *message)
 /**
  * Implementation of receiver_t.receive_packets.
  */
-static void receive_packets(private_receiver_t *this)
+static job_requeue_t receive_packets(private_receiver_t *this)
 {
 	packet_t *packet;
 	message_t *message;
 	job_t *job;
 	
-	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
-	DBG1(DBG_NET, "receiver thread running, thread_ID: %06u", 
-		 (int)pthread_self());
+	/* read in a packet */
+	if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
+	{
+		DBG2(DBG_NET, "receiving from socket failed!");
+		return JOB_REQUEUE_FAIR;
+	}
 	
-	charon->drop_capabilities(charon, TRUE);
+	/* parse message header */
+	message = message_create_from_packet(packet);
+	if (message->parse_header(message) != SUCCESS)
+	{
+		DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
+			 packet->get_source(packet));
+		message->destroy(message);
+		return JOB_REQUEUE_DIRECT;
+	}
 	
-	while (TRUE)
+	/* check IKE major version */
+	if (message->get_major_version(message) != IKE_MAJOR_VERSION)
 	{
-		/* read in a packet */
-		if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
-		{
-			DBG2(DBG_NET, "receiving from socket failed!");
-			/* try again after a delay */
-			sleep(1);
-			continue;
-		}
-		
-		/* parse message header */
-		message = message_create_from_packet(packet);
-		if (message->parse_header(message) != SUCCESS)
+		DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
+			 "sending INVALID_MAJOR_VERSION", message->get_major_version(message), 
+			 message->get_minor_version(message), packet->get_source(packet));
+		send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
+		message->destroy(message);
+		return JOB_REQUEUE_DIRECT;
+	}
+	
+	if (message->get_request(message) &&
+		message->get_exchange_type(message) == IKE_SA_INIT)
+	{
+		/* check for cookies */
+		if (cookie_required(this, message))
 		{
-			DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
-				 packet->get_source(packet));
+			u_int32_t now = time(NULL);
+			chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
+										  chunk_from_thing(this->secret));	
+			
+			DBG2(DBG_NET, "received packet from: %#H to %#H",
+				 message->get_source(message),
+				 message->get_destination(message));
+			DBG2(DBG_NET, "sending COOKIE notify to %H",
+				 message->get_source(message));
+			send_notify(message, COOKIE, cookie);
+			chunk_free(&cookie);
+			if (++this->secret_used > COOKIE_REUSE)
+			{
+				/* create new cookie */
+				DBG1(DBG_NET, "generating new cookie secret after %d uses",
+					 this->secret_used);
+				memcpy(this->secret_old, this->secret, SECRET_LENGTH);	
+				this->randomizer->get_pseudo_random_bytes(this->randomizer,
+												SECRET_LENGTH, this->secret);
+				this->secret_switch = now;
+				this->secret_used = 0;
+			}
 			message->destroy(message);
-			continue;
+			return JOB_REQUEUE_DIRECT;
 		}
 		
-		/* check IKE major version */
-		if (message->get_major_version(message) != IKE_MAJOR_VERSION)
+		/* check if peer has not too many IKE_SAs half open */
+		if (peer_to_aggressive(this, message))
 		{
-			DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
-				 "sending INVALID_MAJOR_VERSION", message->get_major_version(message), 
-				 message->get_minor_version(message), packet->get_source(packet));
-			send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
+			DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
+				 "peer to aggressive", message->get_source(message));
 			message->destroy(message);
-			continue;
-		}
-		
-		if (message->get_request(message) &&
-			message->get_exchange_type(message) == IKE_SA_INIT)
-		{
-			/* check for cookies */
-			if (cookie_required(this, message))
-			{
-				u_int32_t now = time(NULL);
-				chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
-											  chunk_from_thing(this->secret));	
-				
-				DBG2(DBG_NET, "received packet from: %#H to %#H",
-					 message->get_source(message),
-					 message->get_destination(message));
-				DBG2(DBG_NET, "sending COOKIE notify to %H",
-					 message->get_source(message));
-				send_notify(message, COOKIE, cookie);
-				chunk_free(&cookie);
-				if (++this->secret_used > COOKIE_REUSE)
-				{
-					/* create new cookie */
-					DBG1(DBG_NET, "generating new cookie secret after %d uses",
-						 this->secret_used);
-					memcpy(this->secret_old, this->secret, SECRET_LENGTH);	
-					this->randomizer->get_pseudo_random_bytes(this->randomizer,
-													SECRET_LENGTH, this->secret);
-					this->secret_switch = now;
-					this->secret_used = 0;
-				}
-				message->destroy(message);
-				continue;
-			}
-			
-			/* check if peer has not too many IKE_SAs half open */
-			if (peer_to_aggressive(this, message))
-			{
-				DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
-					 "peer to aggressive", message->get_source(message));
-				message->destroy(message);
-				continue;
-			}
+			return JOB_REQUEUE_DIRECT;
 		}
-		job = (job_t *)process_message_job_create(message);
-		charon->job_queue->add(charon->job_queue, job);
 	}
+	job = (job_t*)process_message_job_create(message);
+	charon->processor->queue_job(charon->processor, job);
+	return JOB_REQUEUE_DIRECT;
 }
 
 /**
@@ -340,8 +335,7 @@ static void receive_packets(private_receiver_t *this)
  */
 static void destroy(private_receiver_t *this)
 {
-	pthread_cancel(this->assigned_thread);
-	pthread_join(this->assigned_thread, NULL);
+	this->job->cancel(this->job);
 	this->randomizer->destroy(this->randomizer);
 	this->hasher->destroy(this->hasher);
 	free(this);
@@ -366,12 +360,10 @@ receiver_t *receiver_create()
 											  this->secret);
 	memcpy(this->secret_old, this->secret, SECRET_LENGTH);
 
-	if (pthread_create(&this->assigned_thread, NULL,
-					   (void*)receive_packets, this) != 0)
-	{
-		free(this);
-		charon->kill(charon, "unable to create receiver thread");
-	}
+	this->job = callback_job_create((callback_job_cb_t)receive_packets,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
 	
 	return &this->public;
 }
+
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
index 933b8c192..f934dc509 100644
--- a/src/charon/network/sender.c
+++ b/src/charon/network/sender.c
@@ -28,6 +28,7 @@
 
 #include <daemon.h>
 #include <network/socket.h>
+#include <processing/jobs/callback_job.h>
 
 
 typedef struct private_sender_t private_sender_t;
@@ -39,12 +40,12 @@ struct private_sender_t {
 	/**
 	 * Public part of a sender_t object.
 	 */
-	 sender_t public;
+	sender_t public;
 
-	 /**
-	  * Assigned thread.
-	  */
-	 pthread_t assigned_thread;
+	/**
+	 * Sender threads job.
+	 */
+	callback_job_t *job;
 	 
 	/**
 	 * The packets are stored in a linked list
@@ -82,37 +83,29 @@ static void send_(private_sender_t *this, packet_t *packet)
 /**
  * Implementation of private_sender_t.send_packets.
  */
-static void send_packets(private_sender_t * this)
+static job_requeue_t send_packets(private_sender_t * this)
 {
-	/* cancellation disabled by default */
-	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
-	DBG1(DBG_NET, "sender thread running, thread_ID: %06u", (int)pthread_self());
+	packet_t *packet;
+	int oldstate;
 	
-	charon->drop_capabilities(charon, TRUE);
-
-	while (TRUE)
+	pthread_mutex_lock(&this->mutex);
+	while (this->list->get_count(this->list) == 0)
 	{
-		packet_t *packet;
-		int oldstate;
-	
-		pthread_mutex_lock(&this->mutex);
-		/* go to wait while no packets available */
-		while (this->list->get_count(this->list) == 0)
-		{
-			/* add cleanup handler, wait for packet, remove cleanup handler */
-			pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&this->mutex);
-			pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-			pthread_cond_wait(&this->condvar, &this->mutex);
-			
-			pthread_setcancelstate(oldstate, NULL);
-			pthread_cleanup_pop(0);
-		}
-		this->list->remove_first(this->list, (void**)&packet);
-		pthread_mutex_unlock(&this->mutex);
+		/* add cleanup handler, wait for packet, remove cleanup handler */
+		pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&this->mutex);
+		pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+		
+		pthread_cond_wait(&this->condvar, &this->mutex);
 		
-		charon->socket->send(charon->socket, packet);
-		packet->destroy(packet);
+		pthread_setcancelstate(oldstate, NULL);
+		pthread_cleanup_pop(0);
 	}
+	this->list->remove_first(this->list, (void**)&packet);
+	pthread_mutex_unlock(&this->mutex);
+	
+	charon->socket->send(charon->socket, packet);
+	packet->destroy(packet);
+	return JOB_REQUEUE_DIRECT;
 }
 
 /**
@@ -125,8 +118,7 @@ static void destroy(private_sender_t *this)
 	{
 		sched_yield();
 	}
-	pthread_cancel(this->assigned_thread);
-	pthread_join(this->assigned_thread, NULL);
+	this->job->cancel(this->job);
 	this->list->destroy(this->list);
 	free(this);
 }
@@ -145,11 +137,10 @@ sender_t * sender_create()
 	pthread_mutex_init(&this->mutex, NULL);
 	pthread_cond_init(&this->condvar, NULL);
 
-	if (pthread_create(&this->assigned_thread, NULL,
-					   (void*)send_packets, this) != 0)
-	{
-		charon->kill(charon, "unable to create sender thread");
-	}
+	this->job = callback_job_create((callback_job_cb_t)send_packets,
+									this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
 
-	return &(this->public);
+	return &this->public;
 }
+
diff --git a/src/charon/processing/event_queue.c b/src/charon/processing/event_queue.c
deleted file mode 100644
index 40bcb1ed8..000000000
--- a/src/charon/processing/event_queue.c
+++ /dev/null
@@ -1,290 +0,0 @@
-/**
- * @file event_queue.c
- *
- * @brief Implementation of event_queue_t
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <pthread.h>
-#include <stdlib.h>
-
-#include "event_queue.h"
-
-#include <library.h>
-#include <utils/linked_list.h>
-
-
-
-typedef struct event_t event_t;
-
-/**
- * Event containing a job and a schedule time
- */
-struct event_t {
-	/**
-	 * Time to fire the event.
-	 */
-	timeval_t time;
-
-	/**
-	 * Every event has its assigned job.
-	 */
-	job_t * job;
-};
-
-/**
- * destroy an event and its job
- */
-static void event_destroy(event_t *event)
-{
-	event->job->destroy(event->job);
-	free(event);
-}
-
-typedef struct private_event_queue_t private_event_queue_t;
-
-/**
- * Private Variables and Functions of event_queue_t class.
- */
-struct private_event_queue_t {
-	/**
-	 * Public part.
-	 */
- 	event_queue_t public;
-
-	/**
-	 * The events are stored in a linked list of type linked_list_t.
-	 */
-	linked_list_t *list;
-
-	/**
-	 * Access to linked_list is locked through this mutex.
-	 */
-	pthread_mutex_t mutex;
-
-	/**
-	 * If the queue is empty or an event has not to be fired
-	 * a thread has to wait.
-	 * 
-	 * This condvar is used to wake up such a thread.
-	 */
-	pthread_cond_t condvar;
-};
-
-/**
- * Returns the difference of to timeval structs in milliseconds
- */
-static long time_difference(struct timeval *end_time, struct timeval *start_time)
-{
-	time_t s;
-	suseconds_t us;
-	
-	s = (end_time->tv_sec - start_time->tv_sec);
-	us = (end_time->tv_usec - start_time->tv_usec);
-	return ((s * 1000) + us/1000);
-}
-
-/**
- * Implements event_queue_t.get_count
- */
-static int get_count(private_event_queue_t *this)
-{
-	int count;
-	pthread_mutex_lock(&(this->mutex));
-	count = this->list->get_count(this->list);
-	pthread_mutex_unlock(&(this->mutex));
-	return count;
-}
-
-/**
- * Implements event_queue_t.get
- */
-static job_t *get(private_event_queue_t *this)
-{
-	timespec_t timeout;
-	timeval_t current_time;
-	event_t * next_event;
-	job_t *job;
-	int oldstate;
-	
-	pthread_mutex_lock(&(this->mutex));
-	
-	while (TRUE)
-	{
-		while(this->list->get_count(this->list) == 0)
-		{
-			/* add mutex unlock handler for cancellation, enable cancellation */
-			pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&(this->mutex));
-			pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-			
-			pthread_cond_wait( &(this->condvar), &(this->mutex));
-			
-			/* reset cancellation, remove mutex-unlock handler (without executing) */
-			pthread_setcancelstate(oldstate, NULL);
-			pthread_cleanup_pop(0);
-		}
-		
-		this->list->get_first(this->list, (void **)&next_event);
-		
-		gettimeofday(&current_time, NULL);
-		long difference = time_difference(&current_time,&(next_event->time));
-		if (difference <= 0)
-		{
-			timeout.tv_sec = next_event->time.tv_sec;
-			timeout.tv_nsec = next_event->time.tv_usec * 1000;
-			
-			/* add mutex unlock handler for cancellation, enable cancellation */
-			pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&(this->mutex));
-			pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-			
-			pthread_cond_timedwait(&(this->condvar), &(this->mutex), &timeout);
-			
-			/* reset cancellation, remove mutex-unlock handler (without executing) */
-			pthread_setcancelstate(oldstate, NULL);
-			pthread_cleanup_pop(0);
-		}
-		else
-		{
-			/* event available */
-			this->list->remove_first(this->list, (void **)&next_event);
-			job = next_event->job;
-			free(next_event);
-			break;
-		}
-	}
-	pthread_cond_signal( &(this->condvar));
-	pthread_mutex_unlock(&(this->mutex));
-	
-	return job;
-}
-
-/**
- * Implements function add_absolute of event_queue_t.
- * See #event_queue_s.add_absolute for description.
- */
-static void add_absolute(private_event_queue_t *this, job_t *job, timeval_t time)
-{
-	event_t *event;
-	event_t *current_event;
-	iterator_t *iterator;
-	
-	/* create event */
-	event = malloc_thing(event_t);
-	event->time = time;
-	event->job = job;
-
-	pthread_mutex_lock(&(this->mutex));
-
-	/* while just used to break out */
-	while(TRUE)
-	{
-		if (this->list->get_count(this->list) == 0)
-		{
-			this->list->insert_first(this->list,event);
-			break;
-		}
-
-		/* check last entry */
-		this->list->get_last(this->list,(void **) &current_event);
-
-		if (time_difference(&(event->time), &(current_event->time)) >= 0)
-		{
-			/* my event has to be fired after the last event in list */
-			this->list->insert_last(this->list,event);
-			break;
-		}
-
-		/* check first entry */
-		this->list->get_first(this->list,(void **) &current_event);
-
-		if (time_difference(&(event->time), &(current_event->time)) < 0)
-		{
-			/* my event has to be fired before the first event in list */
-			this->list->insert_first(this->list,event);
-			break;
-		}
-		
-		iterator = this->list->create_iterator(this->list,TRUE);
-		iterator->iterate(iterator, (void**)&current_event);
-		/* first element has not to be checked (already done) */
-		while(iterator->iterate(iterator, (void**)&current_event))
-		{
-			if (time_difference(&(event->time), &(current_event->time)) <= 0)
-			{
-				/* my event has to be fired before the current event in list */
-				iterator->insert_before(iterator,event);
-				break;
-			}
-		}
-		iterator->destroy(iterator);
-		break;
-	}
-
-	pthread_cond_signal( &(this->condvar));
-	pthread_mutex_unlock(&(this->mutex));
-}
-
-/**
- * Implements  event_queue_t.add_relative.
- */
-static void add_relative(event_queue_t *this, job_t *job, u_int32_t ms)
-{
-	timeval_t current_time;
-	timeval_t time;
-	
-	time_t s = ms / 1000;
-	suseconds_t us = (ms - s * 1000) * 1000;
-	
-	gettimeofday(&current_time, NULL);
-	
-	time.tv_usec = (current_time.tv_usec + us) % 1000000;
-	time.tv_sec = current_time.tv_sec + (current_time.tv_usec + us)/1000000 + s;
-	
-	this->add_absolute(this, job, time);
-}
-
-
-/**
- * Implements event_queue_t.destroy.
- */
-static void event_queue_destroy(private_event_queue_t *this)
-{
-	this->list->destroy_function(this->list, (void*)event_destroy);
-	free(this);
-}
-
-/*
- * Documented in header
- */
-event_queue_t *event_queue_create()
-{
-	private_event_queue_t *this = malloc_thing(private_event_queue_t);
-
-	this->public.get_count = (int (*) (event_queue_t *event_queue)) get_count;
-	this->public.get = (job_t *(*) (event_queue_t *event_queue)) get;
-	this->public.add_absolute = (void (*) (event_queue_t *event_queue, job_t *job, timeval_t time)) add_absolute;
-	this->public.add_relative = (void (*) (event_queue_t *event_queue, job_t *job, u_int32_t ms)) add_relative;
-	this->public.destroy = (void (*) (event_queue_t *event_queue)) event_queue_destroy;
-
-	this->list = linked_list_create();
-	pthread_mutex_init(&(this->mutex), NULL);
-	pthread_cond_init(&(this->condvar), NULL);
-
-	return (&this->public);
-}
diff --git a/src/charon/processing/event_queue.h b/src/charon/processing/event_queue.h
deleted file mode 100644
index c85286bf2..000000000
--- a/src/charon/processing/event_queue.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/**
- * @file event_queue.h
- *
- * @brief Interface of job_queue_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef EVENT_QUEUE_H_
-#define EVENT_QUEUE_H_
-
-typedef struct event_queue_t event_queue_t;
-
-#include <sys/time.h>
-
-#include <library.h>
-#include <processing/jobs/job.h>
-
-/**
- * @brief Event-Queue used to store timed events.
- * 
- * Added events are sorted. The get method blocks until
- * the time is elapsed to process the next event. The get 
- * method is called from the scheduler_t thread, which
- * will add the jobs to to job_queue_t for further processing.
- *
- * Although the event-queue is based on a linked_list_t
- * all access functions are thread-save implemented.
- * 
- * @b Constructors:
- * - event_queue_create()
- * 
- * @ingroup processing
- */
-struct event_queue_t {
-
-	/**
-	 * @brief Returns number of events in queue.
-	 *
-	 * @param event_queue 	calling object
-	 * @return 				number of events in queue
-	 */
-	int (*get_count) (event_queue_t *event_queue);
-
-	/**
-	 * @brief Get the next job from the event-queue.
-	 *
-	 * If no event is pending, this function blocks until a job can be returned.
-	 *
-	 * @param event_queue 	calling object
- 	 * @param[out] job 		pointer to a job pointer where to job is returned to
-	 * @return 				next job
-	 */
-	job_t *(*get) (event_queue_t *event_queue);
-
-	/**
-	 * @brief Adds a event to the queue, using a relative time.
-	 *
-	 * This function is non blocking and adds a job_t at a specific time to the list.
-	 * The specific job object has to get destroyed by the thread which
-	 * removes the job.
-	 *
-	 * @param event_queue 	calling object
- 	 * @param[in] job 		job to add to the queue (job is not copied)
-  	 * @param[in] time 		relative time, when the event has to get fired
-	 */
-	void (*add_relative) (event_queue_t *event_queue, job_t *job, u_int32_t ms);
-
-	/**
-	 * @brief Adds a event to the queue, using an absolute time.
-	 *
-	 * This function is non blocking and adds a job_t at a specific time to the list.
-	 * The specific job object has to get destroyed by the thread which
-	 * removes the job.
-	 *
-	 * @param event_queue 	calling object
- 	 * @param[in] job		job to add to the queue (job is not copied)
-  	 * @param[in] time		absolute time, when the event has to get fired
-	 */
-	void (*add_absolute) (event_queue_t *event_queue, job_t *job, timeval_t time);
-
-	/**
-	 * @brief Destroys a event_queue object.
-	 *
-	 * @warning The caller of this function has to make sure
-	 * that no thread is going to add or get an event from the event_queue
-	 * after calling this function.
-	 *
-	 * @param event_queue 	calling object
-	 */
-	void (*destroy) (event_queue_t *event_queue);
-};
-
-/**
- * @brief Creates an empty event_queue.
- *
- * @returns event_queue_t object
- * 
- * @ingroup processing
- */
-event_queue_t *event_queue_create(void);
-		  
-#endif /*EVENT_QUEUE_H_*/
diff --git a/src/charon/processing/job_queue.c b/src/charon/processing/job_queue.c
deleted file mode 100644
index 2310ca6ff..000000000
--- a/src/charon/processing/job_queue.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/**
- * @file job_queue.c
- *
- * @brief Implementation of job_queue_t
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <pthread.h>
-
-#include "job_queue.h"
-
-#include <utils/linked_list.h>
-
-
-typedef struct private_job_queue_t private_job_queue_t;
-
-/**
- * @brief Private Variables and Functions of job_queue class
- *
- */
-struct private_job_queue_t {
-	
-	/**
-	 * public members
-	 */
- 	job_queue_t public;
-
-	/**
-	 * The jobs are stored in a linked list
-	 */
-	linked_list_t *list;
-	
-	/**
-	 * access to linked_list is locked through this mutex
-	 */
-	pthread_mutex_t mutex;
-
-	/**
-	 * If the queue is empty a thread has to wait
-	 * This condvar is used to wake up such a thread
-	 */
-	pthread_cond_t condvar;
-};
-
-
-/**
- * implements job_queue_t.get_count
- */
-static int get_count(private_job_queue_t *this)
-{
-	int count;
-	pthread_mutex_lock(&(this->mutex));
-	count = this->list->get_count(this->list);
-	pthread_mutex_unlock(&(this->mutex));
-	return count;
-}
-
-/**
- * implements job_queue_t.get
- */
-static job_t *get(private_job_queue_t *this)
-{
-	int oldstate;
-	job_t *job;
-	pthread_mutex_lock(&(this->mutex));
-	/* go to wait while no jobs available */
-	while(this->list->get_count(this->list) == 0)
-	{
-		/* add mutex unlock handler for cancellation, enable cancellation */
-		pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&(this->mutex));
-		pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-		
-		pthread_cond_wait( &(this->condvar), &(this->mutex));
-		
-		/* reset cancellation, remove mutex-unlock handler (without executing) */
-		pthread_setcancelstate(oldstate, NULL);
-		pthread_cleanup_pop(0);
-	}
-	this->list->remove_first(this->list, (void **)&job);
-	pthread_mutex_unlock(&(this->mutex));
-	return job;
-}
-
-/**
- * implements function job_queue_t.add
- */
-static void add(private_job_queue_t *this, job_t *job)
-{
-	pthread_mutex_lock(&(this->mutex));
-	this->list->insert_last(this->list,job);
-	pthread_cond_signal( &(this->condvar));
-	pthread_mutex_unlock(&(this->mutex));
-}
-
-/**
- * implements job_queue_t.destroy
- */
-static void job_queue_destroy (private_job_queue_t *this)
-{
-	this->list->destroy_offset(this->list, offsetof(job_t, destroy));
-	free(this);
-}
-
-/*
- *
- * Documented in header
- */
-job_queue_t *job_queue_create(void)
-{
-	private_job_queue_t *this = malloc_thing(private_job_queue_t);
-
-	this->public.get_count = (int(*)(job_queue_t*))get_count;
-	this->public.get = (job_t*(*)(job_queue_t*))get;
-	this->public.add = (void(*)(job_queue_t*, job_t*))add;
-	this->public.destroy = (void(*)(job_queue_t*))job_queue_destroy;
-
-	this->list = linked_list_create();
-	pthread_mutex_init(&(this->mutex), NULL);
-	pthread_cond_init(&(this->condvar), NULL);
-
-	return (&this->public);
-}
diff --git a/src/charon/processing/job_queue.h b/src/charon/processing/job_queue.h
deleted file mode 100644
index 9b58588ae..000000000
--- a/src/charon/processing/job_queue.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/**
- * @file job_queue.h
- *
- * @brief Interface of job_queue_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef JOB_QUEUE_H_
-#define JOB_QUEUE_H_
-
-typedef struct job_queue_t job_queue_t;
-
-#include <library.h>
-#include <processing/jobs/job.h>
-
-/**
- * @brief The job queue stores jobs, which will be processed by the thread_pool_t.
- *
- * Jobs are added from various sources, from the threads and 
- * from the event_queue_t.
- * Although the job-queue is based on a linked_list_t
- * all access functions are thread-save implemented.
- * 
- * @b Constructors:
- * - job_queue_create()
- * 
- * @ingroup processing
- */
-struct job_queue_t {
-
-	/**
-	 * @brief Returns number of jobs in queue.
-	 *
-	 * @param job_queue_t 	calling object
-	 * @returns 			number of items in queue
-	 */
-	int (*get_count) (job_queue_t *job_queue);
-
-	/**
-	 * @brief Get the next job from the queue.
-	 *
-	 * If the queue is empty, this function blocks until a job can be returned.
-	 * After using, the returned job has to get destroyed by the caller.
-	 *
-	 * @param job_queue_t 	calling object
- 	 * @param[out] job 		pointer to a job pointer where to job is returned to
-	 * @return				next job
-	 */
-	job_t *(*get) (job_queue_t *job_queue);
-
-	/**
-	 * @brief Adds a job to the queue.
-	 *
-	 * This function is non blocking and adds a job_t to the list.
-	 * The specific job object has to get destroyed by the thread which
-	 * removes the job.
-	 *
-	 * @param job_queue_t 	calling object
- 	 * @param job 			job to add to the queue (job is not copied)
-	 */
-	void (*add) (job_queue_t *job_queue, job_t *job);
-
-	/**
-	 * @brief Destroys a job_queue object.
-	 *
-	 * @warning The caller of this function has to make sure
-	 * that no thread is going to add or get a job from the job_queue
-	 * after calling this function.
-	 *
-	 * @param job_queue_t 	calling object
-	 */
-	void (*destroy) (job_queue_t *job_queue);
-};
-
-/**
- * @brief Creates an empty job_queue.
- *
- * @return job_queue_t object
- * 
- * @ingroup processing
- */
-job_queue_t *job_queue_create(void);
-
-#endif /*JOB_QUEUE_H_*/
diff --git a/src/charon/processing/jobs/acquire_job.c b/src/charon/processing/jobs/acquire_job.c
index b4ffb258d..48a77f558 100644
--- a/src/charon/processing/jobs/acquire_job.c
+++ b/src/charon/processing/jobs/acquire_job.c
@@ -43,17 +43,17 @@ struct private_acquire_job_t {
 };
 
 /**
- * Implementation of job_t.get_type.
+ * Implementation of job_t.destroy.
  */
-static job_type_t get_type(private_acquire_job_t *this)
+static void destroy(private_acquire_job_t *this)
 {
-	return ACQUIRE;
+	free(this);
 }
 
 /**
  * Implementation of job_t.execute.
  */
-static status_t execute(private_acquire_job_t *this)
+static void execute(private_acquire_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	
@@ -63,20 +63,14 @@ static status_t execute(private_acquire_job_t *this)
 	{
 		DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for acquiring",
 			 this->reqid);
-		return DESTROY_ME;
 	}
-	ike_sa->acquire(ike_sa, this->reqid);
-	
-	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	return DESTROY_ME;
-}
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_acquire_job_t *this)
-{
-	free(this);
+	else
+	{
+		ike_sa->acquire(ike_sa, this->reqid);
+		
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	destroy(this);
 }
 
 /*
@@ -87,12 +81,11 @@ acquire_job_t *acquire_job_create(u_int32_t reqid)
 	private_acquire_job_t *this = malloc_thing(private_acquire_job_t);
 	
 	/* interface functions */
-	this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
-	this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
 	
 	/* private variables */
 	this->reqid = reqid;
 	
-	return &(this->public);
+	return &this->public;
 }
diff --git a/src/charon/processing/jobs/callback_job.c b/src/charon/processing/jobs/callback_job.c
new file mode 100644
index 000000000..53e7caa95
--- /dev/null
+++ b/src/charon/processing/jobs/callback_job.c
@@ -0,0 +1,213 @@
+/**
+ * @file callback_job.c
+ * 
+ * @brief Implementation of callback_job_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+ 
+#include "callback_job.h"
+
+#include <daemon.h>
+
+typedef struct private_callback_job_t private_callback_job_t;
+
+/**
+ * Private data of an callback_job_t Object.
+ */
+struct private_callback_job_t {
+	/**
+	 * Public callback_job_t interface.
+	 */
+	callback_job_t public;
+	
+	/**
+	 * Callback to call on execution
+	 */
+	callback_job_cb_t callback;
+
+	/**
+	 * parameter to supply to callback
+	 */
+	void *data;
+	
+	/**
+	 * cleanup function for data
+	 */
+	callback_job_cleanup_t cleanup;
+	
+	/**
+	 * thread ID of the job, if running
+	 */
+	pthread_t thread;
+
+	/**
+	 * mutex to access jobs interna
+	 */
+	pthread_mutex_t mutex;
+
+	/**
+	 * condvar to synchronize thread startup/cancellation
+	 */
+	pthread_cond_t condvar;
+	
+	/**
+	 * list of asociated child jobs
+	 */
+	linked_list_t *children;
+	
+	/**
+	 * parent of this job, or NULL
+	 */
+	private_callback_job_t *parent;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_callback_job_t *this)
+{
+	if (this->cleanup)
+	{
+		this->cleanup(this->data);
+	}
+	this->children->destroy(this->children);
+	free(this);
+}
+
+/**
+ * unregister a child from its parent, if any.
+ */
+static void unregister(private_callback_job_t *this)
+{
+	if (this->parent)
+	{
+		iterator_t *iterator;
+		private_callback_job_t *child;
+		
+		pthread_mutex_lock(&this->parent->mutex);
+		iterator = this->parent->children->create_iterator(this->parent->children, TRUE);
+		while (iterator->iterate(iterator, (void**)&child))
+		{
+			if (child == this)
+			{
+				iterator->remove(iterator);
+				break;
+			}
+		}
+		iterator->destroy(iterator);
+		pthread_mutex_unlock(&this->parent->mutex);
+	}
+}
+
+/**
+ * Implementation of callback_job_t.cancel.
+ */
+static void cancel(private_callback_job_t *this)
+{
+	pthread_t thread;
+	
+	/* wait until thread has started */
+	pthread_mutex_lock(&this->mutex);
+	while (this->thread == 0)
+	{
+		pthread_cond_wait(&this->condvar, &this->mutex);
+	}
+	thread = this->thread;
+	
+	/* terminate its children */
+	this->children->invoke(this->children, offsetof(callback_job_t, cancel));
+	pthread_mutex_unlock(&this->mutex);
+	
+	/* terminate thread */
+	pthread_cancel(thread);
+	pthread_join(thread, NULL);
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static void execute(private_callback_job_t *this)
+{
+	bool cleanup = FALSE;
+
+	pthread_mutex_lock(&this->mutex);
+	this->thread = pthread_self();
+	pthread_cond_signal(&this->condvar);
+	pthread_mutex_unlock(&this->mutex);
+	
+	pthread_cleanup_push((void*)destroy, this);
+	while (TRUE)
+	{
+		switch (this->callback(this->data))
+		{
+			case JOB_REQUEUE_DIRECT:
+				continue;
+			case JOB_REQUEUE_FAIR:
+			{
+				charon->processor->queue_job(charon->processor,
+											 &this->public.job_interface);
+				break;
+			}
+			case JOB_REQUEUE_NONE:
+			default:
+			{
+				cleanup = TRUE;
+				break;
+			}
+		}
+		break;
+	}
+	unregister(this);
+	pthread_cleanup_pop(cleanup);
+}
+
+/*
+ * Described in header.
+ */
+callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
+									callback_job_cleanup_t cleanup,
+									callback_job_t *parent)
+{
+	private_callback_job_t *this = malloc_thing(private_callback_job_t);
+	
+	/* interface functions */
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+	this->public.cancel = (void(*)(callback_job_t*))cancel;
+
+	/* private variables */
+	pthread_mutex_init(&this->mutex, NULL);
+	pthread_cond_init(&this->condvar, NULL);
+	this->callback = cb;
+	this->data = data;
+	this->cleanup = cleanup;
+	this->thread = 0;
+	this->children = linked_list_create();
+	this->parent = (private_callback_job_t*)parent;
+	
+	/* register us at parent */
+	if (parent)
+	{
+		pthread_mutex_lock(&this->parent->mutex);
+		this->parent->children->insert_last(this->parent->children, this);
+		pthread_mutex_unlock(&this->parent->mutex);
+	}
+	
+	return &this->public;
+}
+
diff --git a/src/charon/processing/jobs/callback_job.h b/src/charon/processing/jobs/callback_job.h
new file mode 100644
index 000000000..169f2d207
--- /dev/null
+++ b/src/charon/processing/jobs/callback_job.h
@@ -0,0 +1,135 @@
+/**
+ * @file callback_job.h
+ * 
+ * @brief Interface of callback_job_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CALLBACK_JOB_H_
+#define CALLBACK_JOB_H_
+
+typedef struct callback_job_t callback_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+
+typedef enum job_requeue_t job_requeue_t;
+
+/**
+ * @brief Job requeueing policy
+ *
+ * The job requeueing policy defines how a job is handled when the callback
+ * function returns.
+ *
+ * @ingroup jobs
+ */
+enum job_requeue_t {
+
+	/**
+	 * Do not requeue job, destroy it
+	 */
+	JOB_REQUEUE_NONE,
+	
+	/**
+	 * Reque the job fairly, meaning it has to requeue as any other job
+	 */
+	JOB_REQUEUE_FAIR,
+	
+	/**
+	 * Reexecute the job directly, without the need of requeueing it
+	 */
+	JOB_REQUEUE_DIRECT,
+};
+
+/**
+ * @brief The callback function to use for the callback job.
+ *
+ * This is the function to use as callback for a callback job. It receives
+ * a parameter supplied to the callback jobs constructor.
+ *
+ * @param data			param supplied to job
+ * @return				requeing policy how to requeue the job
+ *
+ * @ingroup jobs
+ */
+typedef job_requeue_t (*callback_job_cb_t)(void *data);
+
+/**
+ * @brief Cleanup function to use for data cleanup.
+ *
+ * The callback has an optional user argument which receives data. However,
+ * this data may be cleaned up if it is allocated. This is the function
+ * to supply to the constructor.
+ *
+ * @param data			param supplied to job
+ * @return				requeing policy how to requeue the job
+ *
+ * @ingroup jobs
+ */
+typedef void (*callback_job_cleanup_t)(void *data);
+
+/**
+ * @brief Class representing an callback Job.
+ *
+ * This is a special job which allows a simple callback function to
+ * be executed by a thread of the thread pool. This allows simple execution
+ * of asynchronous methods, without to manage threads.
+ *
+ * @b Constructors:
+ * - callback_job_create()
+ *
+ * @ingroup jobs
+ */
+struct callback_job_t {
+	/**
+	 * The job_t interface.
+	 */
+	job_t job_interface;
+	
+	/**
+	 * @brief Cancel the jobs thread and wait for its termination.
+	 *
+	 * @param this		calling object
+	 */
+	void (*cancel)(callback_job_t *this);
+};
+
+/**
+ * @brief Creates a callback job.
+ *
+ * The cleanup function is called when the job gets destroyed to destroy
+ * the associated data.
+ * If parent is not NULL, the specified job gets an association. Whenever
+ * the parent gets cancelled (or runs out), all of its children are cancelled,
+ * too.
+ * 
+ * @param cb				callback to call from the processor
+ * @param data				user data to supply to callback
+ * @param cleanup			destructor for data on destruction, or NULL
+ * @param parent			parent of this job
+ * @return					callback_job_t object
+ * 
+ * @ingroup jobs
+ */
+callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
+									callback_job_cleanup_t cleanup,
+									callback_job_t *parent);
+
+#endif /* CALLBACK_JOB_H_ */
+
diff --git a/src/charon/processing/jobs/delete_child_sa_job.c b/src/charon/processing/jobs/delete_child_sa_job.c
index f694696b0..23f330293 100644
--- a/src/charon/processing/jobs/delete_child_sa_job.c
+++ b/src/charon/processing/jobs/delete_child_sa_job.c
@@ -54,17 +54,17 @@ struct private_delete_child_sa_job_t {
 };
 
 /**
- * Implementation of job_t.get_type.
+ * Implementation of job_t.destroy.
  */
-static job_type_t get_type(private_delete_child_sa_job_t *this)
+static void destroy(private_delete_child_sa_job_t *this)
 {
-	return DELETE_CHILD_SA;
+	free(this);
 }
 
 /**
  * Implementation of job_t.execute.
  */
-static status_t execute(private_delete_child_sa_job_t *this)
+static void execute(private_delete_child_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	
@@ -74,20 +74,14 @@ static status_t execute(private_delete_child_sa_job_t *this)
 	{
 		DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete",
 			 this->reqid);
-		return DESTROY_ME;
 	}
-	ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi);
-	
-	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	return DESTROY_ME;
-}
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_delete_child_sa_job_t *this)
-{
-	free(this);
+	else
+	{
+		ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi);
+		
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	destroy(this);
 }
 
 /*
@@ -100,8 +94,7 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
 	private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t);
 	
 	/* interface functions */
-	this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
-	this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
 	
 	/* private variables */
@@ -109,5 +102,6 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
 	this->protocol = protocol;
 	this->spi = spi;
 	
-	return &(this->public);
+	return &this->public;
 }
+
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.c b/src/charon/processing/jobs/delete_ike_sa_job.c
index 706155aa6..8d8c0cf36 100644
--- a/src/charon/processing/jobs/delete_ike_sa_job.c
+++ b/src/charon/processing/jobs/delete_ike_sa_job.c
@@ -47,18 +47,20 @@ struct private_delete_ike_sa_job_t {
 	bool delete_if_established;
 };
 
+
 /**
- * Implements job_t.get_type.
+ * Implements job_t.destroy.
  */
-static job_type_t get_type(private_delete_ike_sa_job_t *this)
+static void destroy(private_delete_ike_sa_job_t *this)
 {
-	return DELETE_IKE_SA;
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
 }
 
 /**
  * Implementation of job_t.execute.
  */
-static status_t execute(private_delete_ike_sa_job_t *this)
+static void execute(private_delete_ike_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	
@@ -93,16 +95,7 @@ static status_t execute(private_delete_ike_sa_job_t *this)
 			}
 		}
 	}
-	return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_delete_ike_sa_job_t *this)
-{
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
+	destroy(this);
 }
 
 /*
@@ -114,8 +107,7 @@ delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
 	private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t);
 	
 	/* interface functions */
-	this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
-	this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t *)) destroy;;
 	
 	/* private variables */
diff --git a/src/charon/processing/jobs/job.c b/src/charon/processing/jobs/job.c
deleted file mode 100644
index d32d1bc61..000000000
--- a/src/charon/processing/jobs/job.c
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * @file job.c
- * 
- * @brief Interface additions to job_t.
- * 
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-
-#include "job.h"
-
-ENUM(job_type_names, PROCESS_MESSAGE, SEND_DPD,
-	"PROCESS_MESSAGE",
-	"RETRANSMIT",
-	"INITIATE",
-	"ROUTE",
-	"ACQUIRE",
-	"DELETE_IKE_SA",
-	"DELETE_CHILD_SA",
-	"REKEY_CHILD_SA",
-	"REKEY_IKE_SA",
-	"SEND_KEEPALIVE",
-	"SEND_DPD",
-);
diff --git a/src/charon/processing/jobs/job.h b/src/charon/processing/jobs/job.h
index 28632672d..1826c53b4 100644
--- a/src/charon/processing/jobs/job.h
+++ b/src/charon/processing/jobs/job.h
@@ -24,108 +24,14 @@
 #ifndef JOB_H_
 #define JOB_H_
 
-typedef enum job_type_t job_type_t;
 typedef struct job_t job_t;
 
 #include <library.h>
 
-/**
- * @brief Definition of the various job types.
- *
- * @ingroup jobs
- */
-enum job_type_t {
-	/** 
-	 * Process an incoming IKEv2-Message.
-	 * 
- 	 * Job is implemented in class process_message_job_t
-	 */
-	PROCESS_MESSAGE,
-	
-	/** 
-	 * Retransmit an IKEv2-Message.
-	 * 
-	 * Job is implemented in class retransmit_job_t
-	 */
-	RETRANSMIT,
-	
-	/** 
-	 * Set up a CHILD_SA, optional with an IKE_SA.
-	 * 
-	 * Job is implemented in class initiate_job_t
-	 */
-	INITIATE,
-	
-	/** 
-	 * Install SPD entries.
-	 * 
-	 * Job is implemented in class route_job_t
-	 */
-	ROUTE,
-	
-	/** 
-	 * React on a acquire message from the kernel (e.g. setup CHILD_SA)
-	 * 
-	 * Job is implemented in class acquire_job_t
-	 */
-	ACQUIRE,
-	
-	/** 
-	 * Delete an IKE_SA.
-	 * 
-	 * Job is implemented in class delete_ike_sa_job_t
-	 */
-	DELETE_IKE_SA,
-	
-	/**
-	 * Delete a CHILD_SA.
-	 * 
-	 * Job is implemented in class delete_child_sa_job_t
-	 */
-	DELETE_CHILD_SA,
-	
-	/**
-	 * Rekey a CHILD_SA.
-	 * 
-	 * Job is implemented in class rekey_child_sa_job_t
-	 */
-	REKEY_CHILD_SA,
-	
-	/**
-	 * Rekey an IKE_SA.
-	 * 
-	 * Job is implemented in class rekey_ike_sa_job_t
-	 */
-	REKEY_IKE_SA,
-	
-	/**
-	 * Send a keepalive packet.
-	 * 
-	 * Job is implemented in class type send_keepalive_job_t
-	 */
-	SEND_KEEPALIVE,
-	
-	/**
-	 * Send a DPD packet.
-	 * 
-	 * Job is implemented in class type send_dpd_job_t
-	 */
-	SEND_DPD
-};
-
-/**
- * enum name  for job_type_t
- * 
- * @ingroup jobs
- */
-extern enum_name_t *job_type_names;
-
 
 /**
  * @brief Job-Interface as it is stored in the job queue.
  * 
- * A job consists of a job-type and one or more assigned values.
- * 
  * @b Constructors:
  * - None, use specific implementation of the interface.
  * 
@@ -134,32 +40,26 @@ extern enum_name_t *job_type_names;
 struct job_t {
 
 	/**
-	 * @brief get type of job.
-	 *
-	 * @param this 				calling object
-	 * @return 					type of this job
-	 */
-	job_type_t (*get_type) (job_t *this);
-
-	/**
 	 * @brief Execute a job.
 	 * 
-	 * Call the internall job routine to process the
-	 * job. If this method returns DESTROY_ME, the job
-	 * must be destroyed by the caller.
+	 * The processing facility executes a job using this method. Jobs are
+	 * one-shot, they destroy themself after execution, so don't use a job
+	 * once it has been executed.
 	 *
 	 * @param this 				calling object
-	 * @return 					status of job execution
 	 */
-	status_t (*execute) (job_t *this);
+	void (*execute) (job_t *this);
 
 	/**
-	 * @brief Destroys a job_t object
+	 * @brief Destroy a job.
+	 *
+	 * Is only called whenever a job was not executed (e.g. due daemon shutdown).
+	 * After execution, jobs destroy themself.
 	 * 
 	 * @param job_t calling object
 	 */
 	void (*destroy) (job_t *job);
 };
 
-
 #endif /* JOB_H_ */
+
diff --git a/src/charon/processing/jobs/process_message_job.c b/src/charon/processing/jobs/process_message_job.c
index ee7484bbd..6a0921248 100644
--- a/src/charon/processing/jobs/process_message_job.c
+++ b/src/charon/processing/jobs/process_message_job.c
@@ -44,17 +44,18 @@ struct private_process_message_job_t {
 };
 
 /**
- * Implements job_t.get_type.
+ * Implements job_t.destroy.
  */
-static job_type_t get_type(private_process_message_job_t *this)
+static void destroy(private_process_message_job_t *this)
 {
-	return PROCESS_MESSAGE;
+	this->message->destroy(this->message);
+	free(this);
 }
 
 /**
  * Implementation of job_t.execute.
  */
-static status_t execute(private_process_message_job_t *this)
+static void execute(private_process_message_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	
@@ -75,16 +76,7 @@ static status_t execute(private_process_message_job_t *this)
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		}
 	}
-	return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_process_message_job_t *this)
-{
-	this->message->destroy(this->message);
-	free(this);
+	destroy(this);
 }
 
 /*
@@ -95,8 +87,7 @@ process_message_job_t *process_message_job_create(message_t *message)
 	private_process_message_job_t *this = malloc_thing(private_process_message_job_t);
 
 	/* interface functions */
-	this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
-	this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void(*)(job_t*))destroy;
 	
 	/* private variables */
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.c b/src/charon/processing/jobs/rekey_child_sa_job.c
index 3422b614d..f754e5a1f 100644
--- a/src/charon/processing/jobs/rekey_child_sa_job.c
+++ b/src/charon/processing/jobs/rekey_child_sa_job.c
@@ -53,17 +53,17 @@ struct private_rekey_child_sa_job_t {
 };
 
 /**
- * Implementation of job_t.get_type.
+ * Implementation of job_t.destroy.
  */
-static job_type_t get_type(private_rekey_child_sa_job_t *this)
+static void destroy(private_rekey_child_sa_job_t *this)
 {
-	return REKEY_CHILD_SA;
+	free(this);
 }
 
 /**
  * Implementation of job_t.execute.
  */
-static status_t execute(private_rekey_child_sa_job_t *this)
+static void execute(private_rekey_child_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	
@@ -73,20 +73,13 @@ static status_t execute(private_rekey_child_sa_job_t *this)
 	{
 		DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying",
 			 this->reqid);
-		return DESTROY_ME;
 	}
-	ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);
-	
-	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	return DESTROY_ME;
-}
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_rekey_child_sa_job_t *this)
-{
-	free(this);
+	else
+	{
+		ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);	
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	}
+	destroy(this);
 }
 
 /*
@@ -99,8 +92,7 @@ rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
 	private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t);
 	
 	/* interface functions */
-	this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
-	this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
 		
 	/* private variables */
@@ -108,5 +100,5 @@ rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
 	this->protocol = protocol;
 	this->spi = spi;
 	
-	return &(this->public);
+	return &this->public;
 }
diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.c b/src/charon/processing/jobs/rekey_ike_sa_job.c
index f6c058634..020c3cce8 100644
--- a/src/charon/processing/jobs/rekey_ike_sa_job.c
+++ b/src/charon/processing/jobs/rekey_ike_sa_job.c
@@ -48,17 +48,18 @@ struct private_rekey_ike_sa_job_t {
 };
 
 /**
- * Implementation of job_t.get_type.
+ * Implementation of job_t.destroy.
  */
-static job_type_t get_type(private_rekey_ike_sa_job_t *this)
+static void destroy(private_rekey_ike_sa_job_t *this)
 {
-	return REKEY_IKE_SA;
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
 }
 
 /**
  * Implementation of job_t.execute.
  */
-static status_t execute(private_rekey_ike_sa_job_t *this)
+static void execute(private_rekey_ike_sa_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	status_t status = SUCCESS;
@@ -68,36 +69,28 @@ static status_t execute(private_rekey_ike_sa_job_t *this)
 	if (ike_sa == NULL)
 	{
 		DBG2(DBG_JOB, "IKE_SA to rekey not found");
-		return DESTROY_ME;
-	}
-	
-	if (this->reauth)
-	{
-		ike_sa->reestablish(ike_sa);
 	}
 	else
 	{
-		status = ike_sa->rekey(ike_sa);
-	}
-	
-	if (status == DESTROY_ME)
-	{
-		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
-	}
-	else
-	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		if (this->reauth)
+		{
+			status = ike_sa->reestablish(ike_sa);
+		}
+		else
+		{
+			status = ike_sa->rekey(ike_sa);
+		}
+		
+		if (status == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
 	}
-	return DESTROY_ME;
-}
-
-/**
- * Implementation of job_t.destroy.
- */
-static void destroy(private_rekey_ike_sa_job_t *this)
-{
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
+	destroy(this);
 }
 
 /*
@@ -108,8 +101,7 @@ rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth)
 	private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t);
 	
 	/* interface functions */
-	this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
-	this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
 		
 	/* private variables */
diff --git a/src/charon/processing/jobs/retransmit_job.c b/src/charon/processing/jobs/retransmit_job.c
index 5bfa20dfd..8c15aa651 100644
--- a/src/charon/processing/jobs/retransmit_job.c
+++ b/src/charon/processing/jobs/retransmit_job.c
@@ -48,17 +48,18 @@ struct private_retransmit_job_t {
 };
 
 /**
- * Implements job_t.get_type.
+ * Implements job_t.destroy.
  */
-static job_type_t get_type(private_retransmit_job_t *this)
+static void destroy(private_retransmit_job_t *this)
 {
-	return RETRANSMIT;
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
 }
 
 /**
  * Implementation of job_t.execute.
  */
-static status_t execute(private_retransmit_job_t *this)
+static void execute(private_retransmit_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	
@@ -77,16 +78,7 @@ static status_t execute(private_retransmit_job_t *this)
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 		}
 	}
-	return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_retransmit_job_t *this)
-{
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
+	destroy(this);
 }
 
 /*
@@ -97,8 +89,7 @@ retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa
 	private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t);
 	
 	/* interface functions */
-	this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
-	this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
 
 	/* private variables */
diff --git a/src/charon/processing/jobs/roam_job.c b/src/charon/processing/jobs/roam_job.c
new file mode 100644
index 000000000..3b5cd0ed2
--- /dev/null
+++ b/src/charon/processing/jobs/roam_job.c
@@ -0,0 +1,115 @@
+/**
+ * @file roam_job.c
+ * 
+ * @brief Implementation of roam_job_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#include <stdlib.h>
+
+#include "roam_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_roam_job_t private_roam_job_t;
+
+/**
+ * Private data of an roam_job_t Object
+ */
+struct private_roam_job_t {
+	/**
+	 * public roam_job_t interface
+	 */
+	roam_job_t public;
+	
+	/**
+	 * has the address list changed, or the routing only?
+	 */
+	bool address;
+};
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_roam_job_t *this)
+{
+	free(this);
+}
+
+/**
+ * Implementation of job_t.execute. 
+ */ 
+static void execute(private_roam_job_t *this)
+{
+	ike_sa_t *ike_sa;
+	linked_list_t *list;
+	ike_sa_id_t *id;
+	iterator_t *iterator;
+	
+	/* iterating over all IKE_SAs gives us no way to checkin_and_destroy 
+	 * after a DESTROY_ME, so we check out each available IKE_SA by hand. */
+	list = linked_list_create();
+	iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
+	while (iterator->iterate(iterator, (void**)&ike_sa))
+	{
+		id = ike_sa->get_id(ike_sa);
+		list->insert_last(list, id->clone(id));
+	}
+	iterator->destroy(iterator);
+	
+	while (list->remove_last(list, (void**)&id) == SUCCESS)
+	{
+		ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
+		if (ike_sa)
+		{
+			if (ike_sa->roam(ike_sa, this->address) == DESTROY_ME)
+			{
+				charon->ike_sa_manager->checkin_and_destroy(
+											charon->ike_sa_manager, ike_sa);
+			}
+			else
+			{
+				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			}
+		}
+		id->destroy(id);
+	}
+	list->destroy(list);
+
+	destroy(this);
+}
+
+/*
+ * Described in header
+ */
+roam_job_t *roam_job_create(bool address)
+{
+	private_roam_job_t *this = malloc_thing(private_roam_job_t);
+	
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+	
+	this->address = address;
+
+	return &this->public;
+}
+
diff --git a/src/charon/processing/jobs/roam_job.h b/src/charon/processing/jobs/roam_job.h
new file mode 100644
index 000000000..293b09f08
--- /dev/null
+++ b/src/charon/processing/jobs/roam_job.h
@@ -0,0 +1,61 @@
+/**
+ * @file roam_job.h
+ * 
+ * @brief Interface of roam_job_t.
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef ROAM_JOB_H_
+#define ROAM_JOB_H_
+
+typedef struct roam_job_t roam_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <processing/jobs/job.h>
+
+/**
+ * @brief A job to inform IKE_SAs about changed local address setup.
+ * 
+ * If a local address appears or disappears, the kernel fires this job to
+ * update all IKE_SAs.
+ * 
+ * @b Constructors:
+ * - roam_job_create()
+ * 
+ * @ingroup jobs
+ */
+struct roam_job_t {
+
+	/**
+	 * implements job_t interface
+	 */
+	job_t job_interface;
+};
+
+/**
+ * @brief Creates a job to inform IKE_SAs about an updated address list.
+ * 
+ * @param address		TRUE if address list changed, FALSE if routing changed
+ * @return				initiate_ike_sa_job_t object
+ * 
+ * @ingroup jobs
+ */
+roam_job_t *roam_job_create(bool address);
+
+#endif /*ROAM_JOB_H_*/
+
diff --git a/src/charon/processing/jobs/send_dpd_job.c b/src/charon/processing/jobs/send_dpd_job.c
index 7294d78d5..f6786bfb4 100644
--- a/src/charon/processing/jobs/send_dpd_job.c
+++ b/src/charon/processing/jobs/send_dpd_job.c
@@ -47,45 +47,35 @@ struct private_send_dpd_job_t {
 };
 
 /**
- * Implements send_dpd_job_t.get_type.
+ * Implements job_t.destroy.
  */
-static job_type_t get_type(private_send_dpd_job_t *this)
+static void destroy(private_send_dpd_job_t *this)
 {
-	return SEND_DPD;
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
 }
 
 /**
  * Implementation of job_t.execute. 
  */ 
-static status_t execute(private_send_dpd_job_t *this)
+static void execute(private_send_dpd_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	
 	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 											  this->ike_sa_id);
-	if (ike_sa == NULL)
-	{
-		return DESTROY_ME;
-	}
-	
-	if (ike_sa->send_dpd(ike_sa) == DESTROY_ME)
+	if (ike_sa)
 	{
-		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+		if (ike_sa->send_dpd(ike_sa) == DESTROY_ME)
+		{
+			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+		}
+		else
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		}
 	}
-	else
-	{
-		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	}
-	return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_send_dpd_job_t *this)
-{
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
+	destroy(this);
 }
 
 /*
@@ -96,15 +86,12 @@ send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id)
 	private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t);
 	
 	/* interface functions */
-	this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-	this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
-	
-	/* public functions */
-	this->public.destroy = (void (*)(send_dpd_job_t *)) destroy;
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
 	
 	/* private variables */
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 
-	return &(this->public);
+	return &this->public;
 }
diff --git a/src/charon/processing/jobs/send_dpd_job.h b/src/charon/processing/jobs/send_dpd_job.h
index 26c9e2e81..0e4059131 100644
--- a/src/charon/processing/jobs/send_dpd_job.h
+++ b/src/charon/processing/jobs/send_dpd_job.h
@@ -45,13 +45,6 @@ struct send_dpd_job_t {
 	 * implements job_t interface
 	 */
 	job_t job_interface;
-	
-	/**
-	 * @brief Destroys an send_dpd_job_t object.
-	 *
-	 * @param this 	send_dpd_job_t object to destroy
-	 */
-	void (*destroy) (send_dpd_job_t *this);
 };
 
 /**
diff --git a/src/charon/processing/jobs/send_keepalive_job.c b/src/charon/processing/jobs/send_keepalive_job.c
index 1c1cb288e..8cb51e5dd 100644
--- a/src/charon/processing/jobs/send_keepalive_job.c
+++ b/src/charon/processing/jobs/send_keepalive_job.c
@@ -47,38 +47,29 @@ struct private_send_keepalive_job_t {
 };
 
 /**
- * Implements send_keepalive_job_t.get_type.
+ * Implements job_t.destroy.
  */
-static job_type_t get_type(private_send_keepalive_job_t *this)
+static void destroy(private_send_keepalive_job_t *this)
 {
-	return SEND_KEEPALIVE;
+	this->ike_sa_id->destroy(this->ike_sa_id);
+	free(this);
 }
 
 /**
  * Implementation of job_t.execute.
  */ 
-static status_t execute(private_send_keepalive_job_t *this)
+static void execute(private_send_keepalive_job_t *this)
 {
 	ike_sa_t *ike_sa;
 	
 	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
 											  this->ike_sa_id);
-	if (ike_sa == NULL)
+	if (ike_sa)
 	{
-		return DESTROY_ME;
+		ike_sa->send_keepalive(ike_sa);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 	}
-	ike_sa->send_keepalive(ike_sa);
-	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-	return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_send_keepalive_job_t *this)
-{
-	this->ike_sa_id->destroy(this->ike_sa_id);
-	free(this);
+	destroy(this);
 }
 
 /*
@@ -89,15 +80,12 @@ send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id)
 	private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t);
 	
 	/* interface functions */
-	this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
 	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-	this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
-	
-	/* public functions */
-	this->public.destroy = (void (*)(send_keepalive_job_t *)) destroy;
+	this->public.job_interface.execute = (void (*) (job_t *)) execute;
+	this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
 	
 	/* private variables */
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 
-	return &(this->public);
+	return &this->public;
 }
diff --git a/src/charon/processing/jobs/send_keepalive_job.h b/src/charon/processing/jobs/send_keepalive_job.h
index f7b38337e..e8d214aed 100644
--- a/src/charon/processing/jobs/send_keepalive_job.h
+++ b/src/charon/processing/jobs/send_keepalive_job.h
@@ -44,13 +44,6 @@ struct send_keepalive_job_t {
 	 * implements job_t interface
 	 */
 	job_t job_interface;
-	
-	/**
-	 * @brief Destroys an send_keepalive_job_t object.
-	 *
-	 * @param this 	send_keepalive_job_t object to destroy
-	 */
-	void (*destroy) (send_keepalive_job_t *this);
 };
 
 /**
diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c
new file mode 100644
index 000000000..b3815eeb1
--- /dev/null
+++ b/src/charon/processing/processor.c
@@ -0,0 +1,233 @@
+/**
+ * @file processor.c
+ *
+ * @brief Implementation of processor_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+ 
+#include <stdlib.h>
+#include <pthread.h>
+#include <string.h>
+#include <errno.h>
+
+#include "processor.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_processor_t private_processor_t;
+
+/**
+ * @brief Private data of processor_t class.
+ */
+struct private_processor_t {
+	/**
+	 * Public processor_t interface.
+	 */
+	processor_t public;
+
+	/**
+	 * Number of running threads
+	 */
+	u_int total_threads;
+	
+	/**
+	 * Desired number of threads
+	 */
+	u_int desired_threads;
+	
+	/**
+	 * Number of threads waiting for work
+	 */
+	u_int idle_threads;
+
+	/**
+	 * The jobs are stored in a linked list
+	 */
+	linked_list_t *list;
+	
+	/**
+	 * access to linked_list is locked through this mutex
+	 */
+	pthread_mutex_t mutex;
+
+	/**
+	 * Condvar to wait for new jobs
+	 */
+	pthread_cond_t condvar;
+};
+
+static void process_jobs(private_processor_t *this);
+
+/**
+ * restart a terminated thread
+ */
+static void restart(private_processor_t *this)
+{
+	pthread_t thread;
+	
+	if (pthread_create(&thread, NULL, (void*)process_jobs, this) != 0)
+	{
+		this->total_threads--;
+	}
+}
+
+/**
+ * Process queued jobs, called by the worker threads
+ */
+static void process_jobs(private_processor_t *this)
+{
+	int oldstate;
+	
+	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate);
+	
+	DBG2(DBG_JOB, "started worker thread, thread_ID: %06u", (int)pthread_self());
+	
+	pthread_mutex_lock(&this->mutex);
+	while (this->desired_threads >= this->total_threads)
+	{
+		job_t *job;
+		
+		if (this->list->get_count(this->list) == 0)
+		{
+			this->idle_threads++;
+			pthread_cond_wait(&this->condvar, &this->mutex);
+			this->idle_threads--;
+			continue;
+		}
+		this->list->remove_first(this->list, (void**)&job);
+		pthread_mutex_unlock(&this->mutex);
+		/* terminated threads are restarted, so we have a constant pool */
+		pthread_cleanup_push((void*)restart, this);
+		job->execute(job);
+		pthread_cleanup_pop(0);
+		pthread_mutex_lock(&this->mutex);
+	}
+	this->total_threads--;
+	pthread_cond_broadcast(&this->condvar);
+	pthread_mutex_unlock(&this->mutex);
+}
+
+/**
+ * Implementation of processor_t.get_total_threads.
+ */
+static u_int get_total_threads(private_processor_t *this)
+{
+	return this->total_threads;
+}
+
+/**
+ * Implementation of processor_t.get_idle_threads.
+ */
+static u_int get_idle_threads(private_processor_t *this)
+{
+	return this->idle_threads;
+}
+
+/**
+ * implements processor_t.get_job_load
+ */
+static u_int get_job_load(private_processor_t *this)
+{
+	u_int load;
+	pthread_mutex_lock(&this->mutex);
+	load = this->list->get_count(this->list);
+	pthread_mutex_unlock(&this->mutex);
+	return load;
+}
+
+/**
+ * implements function processor_t.queue_job
+ */
+static void queue_job(private_processor_t *this, job_t *job)
+{
+	pthread_mutex_lock(&this->mutex);
+	this->list->insert_last(this->list, job);
+	pthread_mutex_unlock(&this->mutex);
+	pthread_cond_signal(&this->condvar);
+}
+	
+/**
+ * Implementation of processor_t.set_threads.
+ */
+static void set_threads(private_processor_t *this, u_int count)
+{
+	pthread_mutex_lock(&this->mutex);
+	if (count > this->total_threads)
+	{	/* increase thread count */
+		int i;
+		pthread_t current;
+		
+		this->desired_threads = count;
+		DBG1(DBG_JOB, "spawning %d worker threads", count - this->total_threads);
+		for (i = this->total_threads; i < count; i++)
+		{
+			if (pthread_create(&current, NULL, (void*)process_jobs, this) == 0)
+			{
+				this->total_threads++;
+			}
+		}
+	}
+	else if (count < this->total_threads)
+	{	/* decrease thread count */
+		this->desired_threads = count;
+	}
+	pthread_mutex_unlock(&this->mutex);
+}
+
+/**
+ * Implementation of processor_t.destroy.
+ */
+static void destroy(private_processor_t *this)
+{
+	set_threads(this, 0);
+	while (this->total_threads > 0)
+	{
+		pthread_cond_broadcast(&this->condvar);
+		pthread_cond_wait(&this->condvar, &this->mutex);
+	}
+	this->list->destroy_offset(this->list, offsetof(job_t, destroy));
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+processor_t *processor_create(size_t pool_size)
+{
+	private_processor_t *this = malloc_thing(private_processor_t);
+	
+	this->public.get_total_threads = (u_int(*)(processor_t*))get_total_threads;
+	this->public.get_idle_threads = (u_int(*)(processor_t*))get_idle_threads;
+	this->public.get_job_load = (u_int(*)(processor_t*))get_job_load;
+	this->public.queue_job = (void(*)(processor_t*, job_t*))queue_job;
+	this->public.set_threads = (void(*)(processor_t*, u_int))set_threads;
+	this->public.destroy = (void(*)(processor_t*))destroy;
+	
+	this->list = linked_list_create();
+	pthread_mutex_init(&this->mutex, NULL);
+	pthread_cond_init(&this->condvar, NULL);
+	this->total_threads = 0;
+	this->desired_threads = 0;
+	this->idle_threads = 0;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/processing/processor.h b/src/charon/processing/processor.h
new file mode 100644
index 000000000..f12c7f10e
--- /dev/null
+++ b/src/charon/processing/processor.h
@@ -0,0 +1,111 @@
+/**
+ * @file processor.h
+ * 
+ * @brief Interface of processor_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PROCESSOR_H_
+#define PROCESSOR_H_
+
+typedef struct processor_t processor_t;
+
+#include <stdlib.h>
+
+#include <library.h>
+#include <processing/jobs/job.h>
+
+/**
+ * @brief The processor uses threads to process queued jobs.
+ *
+ * @b Constructors:
+ *  - processor_create()
+ * 
+ * @ingroup processing
+ */
+struct processor_t {
+	
+	/**
+	 * @brief Get the total number of threads used by the processor.
+	 *
+	 * @param this			calling object		
+	 * @return				size of thread pool
+	 */
+	u_int (*get_total_threads) (processor_t *this);
+	
+	/**
+	 * @brief Get the number of threads currently waiting.
+	 *
+	 * @param this			calling object		
+	 * @return				number of idle threads
+	 */
+	u_int (*get_idle_threads) (processor_t *this);
+	
+	/**
+	 * @brief Get the number of queued jobs.
+	 *
+	 * @param this			calling object
+	 * @returns 			number of items in queue
+	 */
+	u_int (*get_job_load) (processor_t *this);
+
+	/**
+	 * @brief Adds a job to the queue.
+	 *
+	 * This function is non blocking and adds a job_t to the queue.
+	 *
+	 * @param this		 	calling object
+ 	 * @param job 			job to add to the queue
+	 */
+	void (*queue_job) (processor_t *this, job_t *job);
+	
+	/**
+	 * @brief Set the number of threads to use in the processor.
+	 *
+	 * If the number of threads is smaller than number of currently running
+	 * threads, thread count is decreased. Use 0 to disable the processor.
+	 * This call blocks if it decreases thread count until threads have
+	 * terminated, so make sure there are not too many blocking jobs.
+	 *
+	 * @param this			calling object
+	 * @param count			number of threads to allocate
+	 */
+	void (*set_threads)(processor_t *this, u_int count);
+	
+	/**
+	 * @brief Destroy a processor object.
+	 * 
+	 * @param processor	calling object
+	 */
+	void (*destroy) (processor_t *processor);
+};
+
+/**
+ * @brief Create the thread pool without any threads.
+ *
+ * Use the set_threads method to start processing jobs.
+ *
+ * @return					processor_t object
+ *
+ * @ingroup processing
+ */
+processor_t *processor_create();
+
+#endif /*PROCESSOR_H_*/
+
diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c
index 7249e43e6..2706585b0 100644
--- a/src/charon/processing/scheduler.c
+++ b/src/charon/processing/scheduler.c
@@ -23,12 +23,39 @@
 
 #include <stdlib.h>
 #include <pthread.h>
+#include <sys/time.h>
 
 #include "scheduler.h"
 
 #include <daemon.h>
-#include <processing/job_queue.h>
+#include <processing/processor.h>
+#include <processing/jobs/callback_job.h>
 
+typedef struct event_t event_t;
+
+/**
+ * Event containing a job and a schedule time
+ */
+struct event_t {
+	/**
+	 * Time to fire the event.
+	 */
+	timeval_t time;
+
+	/**
+	 * Every event has its assigned job.
+	 */
+	job_t *job;
+};
+
+/**
+ * destroy an event and its job
+ */
+static void event_destroy(event_t *event)
+{
+	event->job->destroy(event->job);
+	free(event);
+}
 
 typedef struct private_scheduler_t private_scheduler_t;
 
@@ -42,36 +69,164 @@ struct private_scheduler_t {
 	 scheduler_t public;
 
 	/**
-	 * Assigned thread.
+	 * Job wich schedules
 	 */
-	pthread_t assigned_thread;
+	callback_job_t *job;
+	
+	/**
+	 * The jobs are scheduled in a list.
+	 */
+	linked_list_t *list;
+
+	/**
+	 * Exclusive access to list
+	 */
+	pthread_mutex_t mutex;
+
+	/**
+	 * Condvar to wait for next job.
+	 */
+	pthread_cond_t condvar;
 };
 
 /**
- * Implementation of private_scheduler_t.get_events.
+ * Returns the difference of two timeval structs in milliseconds
+ */
+static long time_difference(timeval_t *end, timeval_t *start)
+{
+	time_t s;
+	suseconds_t us;
+	
+	s = end->tv_sec - start->tv_sec;
+	us = end->tv_usec - start->tv_usec;
+	return (s * 1000 + us/1000);
+}
+
+/**
+ * Get events from the queue and pass it to the processor
  */
-static void get_events(private_scheduler_t * this)
+static job_requeue_t schedule(private_scheduler_t * this)
 {
-	job_t *current_job;
+	timespec_t timeout;
+	timeval_t now;
+	event_t *event;
+	long difference;
+	int oldstate;
+	bool timed = FALSE;
 	
-	/* cancellation disabled by default */
-	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+	DBG2(DBG_JOB, "waiting for next event...");
+	pthread_mutex_lock(&this->mutex);
 	
-	DBG1(DBG_JOB, "scheduler thread running, thread_ID: %06u", 
-		 (int)pthread_self());
+	gettimeofday(&now, NULL);
+	
+	if (this->list->get_count(this->list) > 0)
+	{
+		this->list->get_first(this->list, (void **)&event);
+		difference = time_difference(&now, &event->time);
+		if (difference > 0)
+		{
+			DBG2(DBG_JOB, "got event, queueing job for execution");
+			this->list->remove_first(this->list, (void **)&event);	
+			pthread_mutex_unlock(&this->mutex);
+			charon->processor->queue_job(charon->processor, event->job);
+			free(event);
+			return JOB_REQUEUE_DIRECT;
+		}
+		timeout.tv_sec = event->time.tv_sec;
+		timeout.tv_nsec = event->time.tv_usec * 1000;
+		timed = TRUE;
+	}
+	pthread_cleanup_push((void*)pthread_mutex_unlock, &this->mutex);
+	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+	
+	if (timed)
+	{
+		pthread_cond_timedwait(&this->condvar, &this->mutex, &timeout);
+	}
+	else
+	{
+		pthread_cond_wait(&this->condvar, &this->mutex);
+	}
+	pthread_setcancelstate(oldstate, NULL);
+	pthread_cleanup_pop(0);
+		
+	pthread_mutex_unlock(&this->mutex);
+	return JOB_REQUEUE_DIRECT;
+}
 
-	charon->drop_capabilities(charon, TRUE);
+/**
+ * Implements scheduler_t.get_job_load
+ */
+static u_int get_job_load(private_scheduler_t *this)
+{
+	int count;
+	pthread_mutex_lock(&this->mutex);
+	count = this->list->get_count(this->list);
+	pthread_mutex_unlock(&this->mutex);
+	return count;
+}
 
-	while (TRUE)
+/**
+ * Implements scheduler_t.schedule_job.
+ */
+static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t time)
+{
+	timeval_t now;
+	event_t *event, *current;
+	iterator_t *iterator;
+	time_t s;
+	suseconds_t us;
+	
+	event = malloc_thing(event_t);
+	event->job = job;
+	
+	/* calculate absolute time */
+	s = time / 1000;
+	us = (time - s * 1000) * 1000;
+	gettimeofday(&now, NULL);
+	event->time.tv_usec = (now.tv_usec + us) % 1000000;
+	event->time.tv_sec = now.tv_sec + (now.tv_usec + us)/1000000 + s;
+	
+	pthread_mutex_lock(&this->mutex);
+	while(TRUE)
 	{
-		DBG2(DBG_JOB, "waiting for next event...");
-		/* get a job, this block until one is available */
-		current_job = charon->event_queue->get(charon->event_queue);
-		/* queue the job in the job queue, workers will eat them */
-		DBG2(DBG_JOB, "got event, adding job %N to job-queue",
-			 job_type_names, current_job->get_type(current_job));
-		charon->job_queue->add(charon->job_queue, current_job);
+		if (this->list->get_count(this->list) == 0)
+		{
+			this->list->insert_first(this->list,event);
+			break;
+		}
+
+		this->list->get_last(this->list, (void**)&current);
+		if (time_difference(&event->time, &current->time) >= 0)
+		{	/* new event has to be fired after the last event in list */
+			this->list->insert_last(this->list, event);
+			break;
+		}
+
+		this->list->get_first(this->list, (void**)&current);
+		if (time_difference(&event->time, &current->time) < 0)
+		{	/* new event has to be fired before the first event in list */
+			this->list->insert_first(this->list, event);
+			break;
+		}
+		
+		iterator = this->list->create_iterator(this->list, TRUE);
+		/* first element has not to be checked (already done) */
+		iterator->iterate(iterator, (void**)&current);
+		while(iterator->iterate(iterator, (void**)&current))
+		{
+			if (time_difference(&event->time, &current->time) <= 0)
+			{
+				/* new event has to be fired before the current event in list */
+				iterator->insert_before(iterator, event);
+				break;
+			}
+		}
+		iterator->destroy(iterator);
+		break;
 	}
+	pthread_cond_signal(&this->condvar);
+	pthread_mutex_unlock(&this->mutex);
 }
 
 /**
@@ -79,8 +234,8 @@ static void get_events(private_scheduler_t * this)
  */
 static void destroy(private_scheduler_t *this)
 {
-	pthread_cancel(this->assigned_thread);
-	pthread_join(this->assigned_thread, NULL);
+	this->job->cancel(this->job);
+	this->list->destroy_function(this->list, (void*)event_destroy);
 	free(this);
 }
 
@@ -91,14 +246,17 @@ scheduler_t * scheduler_create()
 {
 	private_scheduler_t *this = malloc_thing(private_scheduler_t);
 	
+	this->public.get_job_load = (u_int (*) (scheduler_t *this)) get_job_load;
+	this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job;
 	this->public.destroy = (void(*)(scheduler_t*)) destroy;
 	
-	if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))get_events, this) != 0)
-	{
-		/* thread could not be created  */
-		free(this);
-		charon->kill(charon, "unable to create scheduler thread");
-	}
+	this->list = linked_list_create();
+	pthread_mutex_init(&this->mutex, NULL);
+	pthread_cond_init(&this->condvar, NULL);
+	
+	this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
+	charon->processor->queue_job(charon->processor, (job_t*)this->job);
 	
-	return &(this->public);
+	return &this->public;
 }
+
diff --git a/src/charon/processing/scheduler.h b/src/charon/processing/scheduler.h
index bea93e7c9..7bde6e638 100644
--- a/src/charon/processing/scheduler.h
+++ b/src/charon/processing/scheduler.h
@@ -6,7 +6,7 @@
  */
 
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -27,14 +27,12 @@
 typedef struct scheduler_t scheduler_t;
 
 #include <library.h>
+#include <processing/jobs/job.h>
 
 /**
- * @brief The scheduler thread is responsible for timed events.
+ * @brief The scheduler queues and executes timed events.
  *
- * The scheduler thread takes out jobs from the event-queue and adds them
- * to the job-queue.
- *
- * Starts a thread which does the work, since event-queue is blocking.
+ * The scheduler stores timed events and passes them to the processor.
  *
  * @b Constructors:
  *  - scheduler_create()
@@ -44,25 +42,40 @@ typedef struct scheduler_t scheduler_t;
 struct scheduler_t { 	
 
 	/**
+	 * @brief Adds a event to the queue, using a relative time offset.
+	 *
+	 * Schedules a job for execution using a relative time offset.
+	 *
+	 * @param this			calling object
+ 	 * @param job 			job to schedule
+  	 * @param time 			relative to to schedule job (in ms)
+	 */
+	void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t time);
+	
+	/**
+	 * @brief Returns number of jobs scheduled.
+	 *
+	 * @param this			calling object
+	 * @return 				number of scheduled jobs
+	 */
+	u_int (*get_job_load) (scheduler_t *this);
+	
+	/**
 	 * @brief Destroys a scheduler object.
 	 * 
-	 * @param scheduler 	calling object
+	 * @param this		 	calling object
 	 */
-	void (*destroy) (scheduler_t *scheduler);
+	void (*destroy) (scheduler_t *this);
 };
 
 /**
- * @brief Create a scheduler with its associated thread.
- * 
- * The thread will start to get jobs form the event queue 
- * and adds them to the job queue.
+ * @brief Create a scheduler.
  * 
- * @return 
- * 				- scheduler_t object
- * 				- NULL if thread could not be started
+ * @return 		scheduler_t object
  * 
  * @ingroup processing
  */
-scheduler_t * scheduler_create(void);
+scheduler_t *scheduler_create(void);
 
 #endif /*SCHEDULER_H_*/
+
diff --git a/src/charon/processing/thread_pool.c b/src/charon/processing/thread_pool.c
deleted file mode 100644
index a9891da15..000000000
--- a/src/charon/processing/thread_pool.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/**
- * @file thread_pool.c
- *
- * @brief Implementation of thread_pool_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
- 
-#include <stdlib.h>
-#include <pthread.h>
-#include <string.h>
-#include <errno.h>
-
-#include "thread_pool.h"
-
-#include <daemon.h>
-#include <processing/job_queue.h>
-
-
-typedef struct private_thread_pool_t private_thread_pool_t;
-
-/**
- * @brief Private data of thread_pool_t class.
- */
-struct private_thread_pool_t {
-	/**
-	 * Public thread_pool_t interface.
-	 */
-	thread_pool_t public;
-
-	/**
-	 * Number of running threads.
-	 */
-	u_int pool_size;
-	
-	/**
-	 * Number of threads waiting for work
-	 */
-	u_int idle_threads;
-	
-	/**
-	 * Array of thread ids.
-	 */
-	pthread_t *threads;
-};
-
-/**
- * Implementation of private_thread_pool_t.process_jobs.
- */
-static void process_jobs(private_thread_pool_t *this)
-{
-	job_t *job;
-	status_t status;
-	
-	/* cancellation disabled by default */
-	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
-	
-	DBG1(DBG_JOB, "worker thread running, thread_ID: %06u",
-		 (int)pthread_self());
-	
-	charon->drop_capabilities(charon, TRUE);
-	
-	while (TRUE)
-	{
-		/* TODO: should be atomic, but is not mission critical */
-		this->idle_threads++;
-		job = charon->job_queue->get(charon->job_queue);
-		this->idle_threads--;
-		
-		status = job->execute(job);
-		
-		if (status == DESTROY_ME)
-		{
-			job->destroy(job);
-		}
-	}
-}
-
-/**
- * Implementation of thread_pool_t.get_pool_size.
- */
-static u_int get_pool_size(private_thread_pool_t *this)
-{
-	return this->pool_size;
-}
-
-/**
- * Implementation of thread_pool_t.get_idle_threads.
- */
-static u_int get_idle_threads(private_thread_pool_t *this)
-{
-	return this->idle_threads;
-}
-
-/**
- * Implementation of thread_pool_t.destroy.
- */
-static void destroy(private_thread_pool_t *this)
-{	
-	int current;
-	/* flag thread for termination */
-	for (current = 0; current < this->pool_size; current++)
-	{
-		DBG1(DBG_JOB, "cancelling worker thread #%d", current+1);
-		pthread_cancel(this->threads[current]);
-	}
-	
-	/* wait for all threads */
-	for (current = 0; current < this->pool_size; current++) {
-		if (pthread_join(this->threads[current], NULL) == 0)
-		{
-			DBG1(DBG_JOB, "worker thread #%d terminated", current+1);
-		}
-		else
-		{
-			DBG1(DBG_JOB, "could not terminate worker thread #%d", current+1);
-		}
-	}
-	
-	/* free mem */
-	free(this->threads);
-	free(this);
-}
-
-/*
- * Described in header.
- */
-thread_pool_t *thread_pool_create(size_t pool_size)
-{
-	int current;
-	private_thread_pool_t *this = malloc_thing(private_thread_pool_t);
-	
-	/* fill in public fields */
-	this->public.destroy = (void(*)(thread_pool_t*))destroy;
-	this->public.get_pool_size = (u_int(*)(thread_pool_t*))get_pool_size;
-	this->public.get_idle_threads = (u_int(*)(thread_pool_t*))get_idle_threads;
-	
-	/* initialize member */
-	this->pool_size = pool_size;
-	this->idle_threads = 0;
-	this->threads = malloc(sizeof(pthread_t) * pool_size);
-	
-	/* try to create as many threads as possible, up to pool_size */
-	for (current = 0; current < pool_size; current++)
-	{
-		if (pthread_create(&(this->threads[current]), NULL,
-						   (void*(*)(void*))process_jobs, this) == 0)
-		{
-			DBG1(DBG_JOB, "created worker thread #%d", current+1);
-		}
-		else
-		{
-			/* creation failed, is it the first one? */	
-			if (current == 0)
-			{
-				free(this->threads);
-				free(this);
-				charon->kill(charon, "could not create any worker threads");
-			}
-			/* not all threads could be created, but at least one :-/ */
-			DBG1(DBG_JOB, "could only create %d from requested %d threads!",
-				 current, pool_size);
-			this->pool_size = current;
-			break;
-		}
-	}
-	return (thread_pool_t*)this;
-}
diff --git a/src/charon/processing/thread_pool.h b/src/charon/processing/thread_pool.h
deleted file mode 100644
index 09a6312a8..000000000
--- a/src/charon/processing/thread_pool.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/**
- * @file thread_pool.h
- * 
- * @brief Interface of thread_pool_t.
- * 
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#ifndef THREAD_POOL_H_
-#define THREAD_POOL_H_
-
-typedef struct thread_pool_t thread_pool_t;
-
-#include <stdlib.h>
-
-#include <library.h>
-
-/**
- * @brief A thread_pool consists of a pool of threads processing jobs from the job queue.
- *
- * Current implementation uses as many threads as specified in constructor.
- * A more improved version would dynamically increase thread count if necessary.
- *
- * @b Constructors:
- *  - thread_pool_create()
- *
- * @todo Add support for dynamic thread handling
- * 
- * @ingroup processing
- */
-struct thread_pool_t {
-	
-	/**
-	 * @brief Return currently instanciated thread count.
-	 *
-	 * @param thread_pool	calling object		
-	 * @return				size of thread pool
-	 */
-	u_int (*get_pool_size) (thread_pool_t *thread_pool);
-	
-	/**
-	 * @brief Get the number of threads currently waiting for work.
-	 *
-	 * @param thread_pool	calling object		
-	 * @return				number of idle threads
-	 */
-	u_int (*get_idle_threads) (thread_pool_t *thread_pool);
-	
-	/**
-	 * @brief Destroy a thread_pool_t object.
-	 * 
-	 * Sends cancellation request to all threads and AWAITS their termination.
-	 * 
-	 * @param thread_pool	calling object
-	 */
-	void (*destroy) (thread_pool_t *thread_pool);
-};
-
-/**
- * @brief Create the thread pool using using pool_size of threads.
- * 
- * @param pool_size			desired pool size
- * @return
- *							- thread_pool_t object if one ore more threads could be started, or
- *							- NULL if no threads could be created
- *
- * @ingroup processing
- */
-thread_pool_t *thread_pool_create(size_t pool_size);
-
-
-#endif /*THREAD_POOL_H_*/
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 1e7b6cb2c..118af3b30 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -60,7 +60,7 @@ struct sa_policy_t {
 typedef struct private_child_sa_t private_child_sa_t;
 
 /**
- * Private data of a child_sa_t 
bject.
+ * Private data of a child_sa_t object.
  */
 struct private_child_sa_t {
 	/**
@@ -138,9 +138,9 @@ struct private_child_sa_t {
 	child_sa_state_t state;
 
 	/**
-	 * Specifies if NAT traversal is used
+	 * Specifies if UDP encapsulation is enabled (NAT traversal)
 	 */
-	bool use_natt;
+	bool encap;
 	
 	/**
 	 * mode this SA uses, tunnel/transport
@@ -156,6 +156,11 @@ struct private_child_sa_t {
 	 * config used to create this child
 	 */
 	child_cfg_t *config;
+	
+	/**
+	 * cached interface name for iptables
+	 */
+	char *iface;
 };
 
 /**
@@ -276,11 +281,10 @@ static void updown(private_child_sa_t *this, bool up)
 	while (iterator->iterate(iterator, (void**)&policy))
 	{
 		char command[1024];
-		char *ifname = NULL;
 		char *my_client, *other_client, *my_client_mask, *other_client_mask;
 		char *pos, *virtual_ip;
 		FILE *shell;
-		
+
 		/* get subnet/bits from string */
 		asprintf(&my_client, "%R", policy->my_ts);
 		pos = strchr(my_client, '/');
@@ -301,18 +305,24 @@ static void updown(private_child_sa_t *this, bool up)
 			*pos = '\0';
 		}
 
-        if (this->virtual_ip)
-        {
-                asprintf(&virtual_ip, "PLUTO_MY_SOURCEIP='%H' ",
-                		 this->virtual_ip);
-        }
-        else
-        {
-                asprintf(&virtual_ip, "");
-        }
+		if (this->virtual_ip)
+		{
+			asprintf(&virtual_ip, "PLUTO_MY_SOURCEIP='%H' ",
+		        		 this->virtual_ip);
+		}
+		else
+		{
+			asprintf(&virtual_ip, "");
+		}
 
-		ifname = charon->kernel_interface->get_interface(charon->kernel_interface, 
-														 this->me.addr);
+		/* we cache the iface name, as it may not be available when
+		 * the SA gets deleted */
+		if (up)
+		{
+			free(this->iface); 
+			this->iface = charon->kernel_interface->get_interface(
+								charon->kernel_interface, this->me.addr);
+		}
 		
 		/* build the command with all env variables.
 		 * TODO: PLUTO_PEER_CA and PLUTO_NEXT_HOP are currently missing
@@ -346,7 +356,7 @@ static void updown(private_child_sa_t *this, bool up)
 							this->me.addr) ? "-host" : "-client",
 				 this->me.addr->get_family(this->me.addr) == AF_INET ? "" : "-ipv6",
 				 this->config->get_name(this->config),
-				 ifname ? ifname : "(unknown)",
+				 this->iface ? this->iface : "unknown",
 				 this->reqid,
 				 this->me.addr,
 				 this->me.id,
@@ -364,11 +374,11 @@ static void updown(private_child_sa_t *this, bool up)
 				 this->config->get_hostaccess(this->config) ?
 				 	"PLUTO_HOST_ACCESS='1' " : "",
 				 script);
-		free(ifname);
 		free(my_client);
 		free(other_client);
 		free(virtual_ip);
 		
+		DBG3(DBG_CHD, "running updown script: %s", command);
 		shell = popen(command, "r");
 
 		if (shell == NULL)
@@ -494,7 +504,6 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal,
 	algorithm_t int_algo_none = {AUTH_UNDEFINED, 0};
 	host_t *src;
 	host_t *dst;
-	natt_conf_t *natt;
 	status_t status;
 	
 	this->protocol = proposal->get_protocol(proposal);
@@ -561,18 +570,6 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal,
 		int_algo = &int_algo_none;
 	}
 	
-	/* setup nat-t */
-	if (this->use_natt)
-	{
-		natt = alloca(sizeof(natt_conf_t));
-		natt->sport = src->get_port(src);
-		natt->dport = dst->get_port(dst);
-	}
-	else
-	{
-		natt = NULL;
-	}
-	
 	soft = this->config->get_lifetime(this->config, TRUE);
 	hard = this->config->get_lifetime(this->config, FALSE);
 	
@@ -582,7 +579,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal,
 											  src, dst, spi, this->protocol,
 											  this->reqid, mine ? soft : 0,
 											  hard, enc_algo, int_algo,
-											  prf_plus, natt, mode, mine);
+											  prf_plus, mode, this->encap, mine);
 	
 	this->encryption = *enc_algo;
 	this->integrity = *int_algo;
@@ -689,15 +686,15 @@ static status_t add_policies(private_child_sa_t *this,
 			/* install 3 policies: out, in and forward */
 			status = charon->kernel_interface->add_policy(charon->kernel_interface,
 					this->me.addr, this->other.addr, my_ts, other_ts, POLICY_OUT,
-					this->protocol, this->reqid, high_prio, mode, FALSE);
+					this->protocol, this->reqid, high_prio, mode);
 			
 			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
 					this->other.addr, this->me.addr, other_ts, my_ts, POLICY_IN,
-					this->protocol, this->reqid, high_prio, mode, FALSE);
+					this->protocol, this->reqid, high_prio, mode);
 			
 			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
 					this->other.addr, this->me.addr, other_ts, my_ts, POLICY_FWD,
-					this->protocol, this->reqid, high_prio, mode, FALSE);
+					this->protocol, this->reqid, high_prio, mode);
 			
 			if (status != SUCCESS)
 			{
@@ -782,139 +779,89 @@ static status_t get_use_time(private_child_sa_t *this, bool inbound, time_t *use
 }
 
 /**
- * Update the host adress/port of a SA
- */
-static status_t update_sa_hosts(private_child_sa_t *this, host_t *new_me, host_t *new_other, 
-								int my_changes, int other_changes, bool mine)
-{
-	host_t *src, *dst, *new_src, *new_dst;
-	int src_changes, dst_changes;
-	status_t status;
-	u_int32_t spi;
-	
-	if (mine)
-	{
-		src = this->other.addr;
-		dst = this->me.addr;
-		new_src = new_other;
-		new_dst = new_me;
-		src_changes = other_changes;
-		dst_changes = my_changes;
-		spi = this->other.spi;
-	}
-	else
-	{
-		src = this->me.addr;
-		dst = this->other.addr;
-		new_src = new_me;
-		new_dst = new_other;
-		src_changes = my_changes;
-		dst_changes = other_changes;
-		spi = this->me.spi;
-	}
-	
-	DBG2(DBG_CHD, "updating %N SA 0x%x, from %#H..#H to %#H..%#H",
-		 protocol_id_names, this->protocol, ntohl(spi), src, dst, new_src, new_dst);
-	
-	status = charon->kernel_interface->update_sa(charon->kernel_interface,
-												 dst, spi, this->protocol, 
-												 new_src, new_dst, 
-												 src_changes, dst_changes);
-	
-	if (status != SUCCESS)
-	{
-		return FAILED;
-	}
-	return SUCCESS;
-}
-
-/**
- * Update the host adress/port of a policy
- */
-static status_t update_policy_hosts(private_child_sa_t *this, host_t *new_me, host_t *new_other)
-{
-	iterator_t *iterator;
-	sa_policy_t *policy;
-	status_t status;
-	/* we always use high priorities, as hosts getting updated are INSTALLED */
-	
-	iterator = this->policies->create_iterator(this->policies, TRUE);
-	while (iterator->iterate(iterator, (void**)&policy))
-	{
-		status = charon->kernel_interface->add_policy(
-				charon->kernel_interface,
-				new_me, new_other,
-				policy->my_ts, policy->other_ts,
-				POLICY_OUT, this->protocol, this->reqid, TRUE, this->mode, TRUE);
-		
-		status |= charon->kernel_interface->add_policy(
-				charon->kernel_interface,
-				new_other, new_me,
-				policy->other_ts, policy->my_ts,
-				POLICY_IN, this->protocol, this->reqid, TRUE, this->mode, TRUE);
-		
-		status |= charon->kernel_interface->add_policy(
-				charon->kernel_interface,
-				new_other, new_me,
-				policy->other_ts, policy->my_ts,
-				POLICY_FWD, this->protocol, this->reqid, TRUE, this->mode, TRUE);
-		
-		if (status != SUCCESS)
-		{
-			iterator->destroy(iterator);
-			return FAILED;
-		}
-	}
-	iterator->destroy(iterator);
-	
-	return SUCCESS;
-}
-
-/**
  * Implementation of child_sa_t.update_hosts.
  */
-static status_t update_hosts(private_child_sa_t *this, host_t *new_me, host_t *new_other, 
-							 host_diff_t my_changes, host_diff_t other_changes) 
+static status_t update_hosts(private_child_sa_t *this, 
+							 host_t *me, host_t *other, bool encap) 
 {
-	if (!my_changes && !other_changes)
+	/* anything changed at all? */
+	if (me->equals(me, this->me.addr) && 
+		other->equals(other, this->other.addr) && this->encap == encap)
 	{
 		return SUCCESS;
 	}
-
+	/* run updown script to remove iptables rules */
+	updown(this, FALSE);
+	
+	this->encap = encap;
+	
 	/* update our (initator) SAs */
-	if (update_sa_hosts(this, new_me, new_other, my_changes, other_changes, TRUE) != SUCCESS)
-	{
-		return FAILED;
-	}
-
+	charon->kernel_interface->update_sa(charon->kernel_interface, this->me.spi,
+			this->protocol, this->other.addr, this->me.addr, other, me, encap);
 	/* update his (responder) SAs */
-	if (update_sa_hosts(this, new_me, new_other, my_changes, other_changes, FALSE) != SUCCESS)
-	{
-		return FAILED;
-	}
+	charon->kernel_interface->update_sa(charon->kernel_interface, this->other.spi, 
+			this->protocol, this->me.addr, this->other.addr, me, other, encap);
 	
 	/* update policies */
-	if (my_changes & HOST_DIFF_ADDR || other_changes & HOST_DIFF_ADDR)
+	if (!me->ip_equals(me, this->me.addr) ||
+		!other->ip_equals(other, this->other.addr))
 	{
-		if (update_policy_hosts(this, new_me, new_other) != SUCCESS)
+		iterator_t *iterator;
+		sa_policy_t *policy;
+		
+		/* always use high priorities, as hosts getting updated are INSTALLED */
+		iterator = this->policies->create_iterator(this->policies, TRUE);
+		while (iterator->iterate(iterator, (void**)&policy))
 		{
-			return FAILED;
+			/* remove old policies first */
+			charon->kernel_interface->del_policy(charon->kernel_interface,
+								policy->my_ts, policy->other_ts, POLICY_OUT);
+			charon->kernel_interface->del_policy(charon->kernel_interface,
+								policy->other_ts, policy->my_ts,  POLICY_IN);
+			charon->kernel_interface->del_policy(charon->kernel_interface,
+								policy->other_ts, policy->my_ts, POLICY_FWD);
+		
+			/* check wether we have to update a "dynamic" traffic selector */
+			if (!me->ip_equals(me, this->me.addr) &&
+				policy->my_ts->is_host(policy->my_ts, this->me.addr))
+			{
+				policy->my_ts->set_address(policy->my_ts, me);
+			}
+			if (!other->ip_equals(other, this->other.addr) &&
+				policy->other_ts->is_host(policy->other_ts, this->other.addr))
+			{
+				policy->other_ts->set_address(policy->other_ts, other);
+			}
+		
+			/* reinstall updated policies */
+			charon->kernel_interface->add_policy(charon->kernel_interface,
+					me, other, policy->my_ts, policy->other_ts, POLICY_OUT,
+					this->protocol,	this->reqid, TRUE, this->mode);
+			charon->kernel_interface->add_policy(charon->kernel_interface, 
+					other, me, policy->other_ts, policy->my_ts, POLICY_IN,
+					this->protocol, this->reqid, TRUE, this->mode);
+			charon->kernel_interface->add_policy(charon->kernel_interface,
+					other, me, policy->other_ts, policy->my_ts, POLICY_FWD,
+					this->protocol, this->reqid, TRUE, this->mode);
 		}
+		iterator->destroy(iterator);
 	}
 
-	/* update hosts */
-	if (my_changes)
+	/* apply hosts */
+	if (!me->equals(me, this->me.addr))
 	{
 		this->me.addr->destroy(this->me.addr);
-		this->me.addr = new_me->clone(new_me);
+		this->me.addr = me->clone(me);
 	}
-
-	if (other_changes)
+	if (!other->equals(other, this->other.addr))
 	{
 		this->other.addr->destroy(this->other.addr);
-		this->other.addr = new_other->clone(new_other);
-	}	
-
+		this->other.addr = other->clone(other);
+	}
+	
+	/* install new iptables rules */
+	updown(this, TRUE);
+	
 	return SUCCESS;
 }
 
@@ -988,6 +935,7 @@ static void destroy(private_child_sa_t *this)
 	this->me.id->destroy(this->me.id);
 	this->other.id->destroy(this->other.id);
 	this->config->destroy(this->config);
+	free(this->iface);
 	DESTROY_IF(this->virtual_ip);
 	free(this);
 }
@@ -997,7 +945,7 @@ static void destroy(private_child_sa_t *this)
  */
 child_sa_t * child_sa_create(host_t *me, host_t* other,
 							 identification_t *my_id, identification_t *other_id,
-							 child_cfg_t *config, u_int32_t rekey, bool use_natt)
+							 child_cfg_t *config, u_int32_t rekey, bool encap)
 {
 	static u_int32_t reqid = 0;
 	private_child_sa_t *this = malloc_thing(private_child_sa_t);
@@ -1011,7 +959,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
 	this->public.add = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))add;
 	this->public.update = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))update;
-	this->public.update_hosts = (status_t (*)(child_sa_t*,host_t*,host_t*,host_diff_t,host_diff_t))update_hosts;
+	this->public.update_hosts = (status_t (*)(child_sa_t*,host_t*,host_t*,bool))update_hosts;
 	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,mode_t))add_policies;
 	this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
 	this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
@@ -1030,7 +978,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->other.spi = 0;
 	this->alloc_ah_spi = 0;
 	this->alloc_esp_spi = 0;
-	this->use_natt = use_natt;
+	this->encap = encap;
 	this->state = CHILD_CREATED;
 	/* reuse old reqid if we are rekeying an existing CHILD_SA */
 	this->reqid = rekey ? rekey : ++reqid;
@@ -1044,6 +992,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
 	this->protocol = PROTO_NONE;
 	this->mode = MODE_TUNNEL;
 	this->virtual_ip = NULL;
+	this->iface = NULL;
 	this->config = config;
 	config->get_ref(config);
 	
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index cf5f3e7d7..b801dd012 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -35,11 +35,6 @@ typedef struct child_sa_t child_sa_t;
 #include <config/child_cfg.h>
 
 /**
- * Where we should start with reqid enumeration
- */
-#define REQID_START 2000000000
-
-/**
  * @brief States of a CHILD_SA
  */
 enum child_sa_state_t {
@@ -200,19 +195,18 @@ struct child_sa_t {
 					   prf_plus_t *prf_plus);
 
 	/**
-	 * @brief Update the hosts in the kernel SAs and policies
+	 * @brief Update the hosts in the kernel SAs and policies.
 	 *
-	 * @warning only call this after update() has been called.
+	 * The CHILD must be INSTALLED to do this update.
 	 *
-	 * @param this			calling object
-	 * @param new_me		the new local host
-	 * @param new_other		the new remote host
-	 * @param my_diff		differences to apply for me
-	 * @param other_diff	differences to apply for other
-	 * @return				SUCCESS or FAILED
+	 * @param this		calling object
+	 * @param me		the new local host
+	 * @param other		the new remote host
+	 * @param			TRUE to use UDP encapsulation for NAT traversal
+	 * @return			SUCCESS or FAILED
 	 */
-	status_t (*update_hosts)(child_sa_t *this, host_t *new_me, host_t *new_other,
-							 host_diff_t my_diff, host_diff_t other_diff);
+	status_t (*update_hosts)(child_sa_t *this, host_t *me, host_t *other,
+							 bool encap);
 	
 	/**
 	 * @brief Install the policies using some traffic selectors.
@@ -298,13 +292,13 @@ struct child_sa_t {
  * @param other_id		id of remote peer
  * @param config		config to use for this CHILD_SA
  * @param reqid			reqid of old CHILD_SA when rekeying, 0 otherwise
- * @param use_natt		TRUE if NAT traversal is used
+ * @param encap			TRUE to enable UDP encapsulation (NAT traversal)
  * @return				child_sa_t object
  * 
  * @ingroup sa
  */
 child_sa_t * child_sa_create(host_t *me, host_t *other,
 							 identification_t *my_id, identification_t* other_id,
-							 child_cfg_t *config, u_int32_t reqid, bool use_natt);
+							 child_cfg_t *config, u_int32_t reqid, bool encap);
 
 #endif /*CHILD_SA_H_*/
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 8b4b53e10..0a996329d 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -48,10 +48,12 @@
 #include <sa/task_manager.h>
 #include <sa/tasks/ike_init.h>
 #include <sa/tasks/ike_natd.h>
+#include <sa/tasks/ike_mobike.h>
 #include <sa/tasks/ike_auth.h>
 #include <sa/tasks/ike_config.h>
 #include <sa/tasks/ike_cert.h>
 #include <sa/tasks/ike_rekey.h>
+#include <sa/tasks/ike_reauth.h>
 #include <sa/tasks/ike_delete.h>
 #include <sa/tasks/ike_dpd.h>
 #include <sa/tasks/child_create.h>
@@ -142,6 +144,16 @@ struct private_ike_sa_t {
 	 * CA that issued the certificate of other
 	 */
 	ca_info_t *other_ca;
+	
+	/**
+	 * set of extensions the peer supports
+	 */
+	ike_extension_t extensions;
+	
+	/**
+	 * set of condition flags currently enabled for this IKE_SA
+	 */
+	ike_condition_t conditions;
 
 	/**
 	 * Linked List containing the child sa's of the current IKE_SA.
@@ -189,16 +201,6 @@ struct private_ike_sa_t {
 	chunk_t skp_verify;
 	
 	/**
-	 * NAT status of local host.
-	 */
-	bool nat_here;
-	
-	/**
-	 * NAT status of remote host.
-	 */
-	bool nat_there;
-	
-	/**
 	 * Virtual IP on local host, if any
 	 */
 	host_t *my_virtual_ip;
@@ -212,6 +214,16 @@ struct private_ike_sa_t {
 	 * List of DNS servers installed by us
 	 */
 	linked_list_t *dns_servers;
+	
+	/**
+	 * list of peers additional addresses, transmitted via MOBIKE
+	 */
+	linked_list_t *additional_addresses;
+	
+	/**
+	 * number pending UPDATE_SA_ADDRESS (MOBIKE)
+	 */
+	u_int32_t pending_updates;
 
 	/**
 	 * Timestamps for this IKE_SA
@@ -356,33 +368,68 @@ static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
 	if (this->my_host->is_anyaddr(this->my_host))
 	{
 		host_t *me = this->ike_cfg->get_my_host(this->ike_cfg);
-
 		set_my_host(this, me->clone(me));
 	}
 	if (this->other_host->is_anyaddr(this->other_host))
 	{
 		host_t *other = this->ike_cfg->get_other_host(this->ike_cfg);
-
 		set_other_host(this, other->clone(other));
 	}
 	/* apply IDs if they are not already set */
 	if (this->my_id->contains_wildcards(this->my_id))
 	{
-		identification_t *my_id = this->peer_cfg->get_my_id(this->peer_cfg);
-		
 		DESTROY_IF(this->my_id);
-		this->my_id = my_id->clone(my_id);
+		this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
+		this->my_id = this->my_id->clone(this->my_id);
 	}
 	if (this->other_id->contains_wildcards(this->other_id))
 	{
-		identification_t *other_id = this->peer_cfg->get_other_id(this->peer_cfg);
-
 		DESTROY_IF(this->other_id);
-		this->other_id = other_id->clone(other_id);
+		this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
+		this->other_id = this->other_id->clone(this->other_id);
 	}
 }
 
 /**
+ * Implementation of ike_sa_t.send_keepalive
+ */
+static void send_keepalive(private_ike_sa_t *this)
+{
+	send_keepalive_job_t *job;
+	time_t last_out, now, diff;
+	
+	if (!(this->conditions & COND_NAT_HERE))
+	{	/* disable keep alives if we are not NATed anymore */
+		return;
+	}
+	
+	last_out = get_use_time(this, FALSE);
+	now = time(NULL);
+	
+	diff = now - last_out;
+	
+	if (diff >= KEEPALIVE_INTERVAL)
+	{
+		packet_t *packet;
+		chunk_t data;
+		
+		packet = packet_create();
+		packet->set_source(packet, this->my_host->clone(this->my_host));
+		packet->set_destination(packet, this->other_host->clone(this->other_host));
+		data.ptr = malloc(1);
+		data.ptr[0] = 0xFF;
+		data.len = 1;
+		packet->set_data(packet, data);
+		DBG1(DBG_IKE, "sending keep alive");
+		charon->sender->send(charon->sender, packet);
+		diff = 0;
+	}
+	job = send_keepalive_job_create(this->ike_sa_id);
+	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
+									(KEEPALIVE_INTERVAL - diff) * 1000);
+}
+
+/**
  * Implementation of ike_sa_t.get_ike_cfg
  */
 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
@@ -398,6 +445,80 @@ static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
 	ike_cfg->get_ref(ike_cfg);
 	this->ike_cfg = ike_cfg;
 }
+/**
+ * Implementation of ike_sa_t.enable_extension.
+ */
+static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
+{
+	this->extensions |= extension;
+}
+
+/**
+ * Implementation of ike_sa_t.has_extension.
+ */
+static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
+{
+	return (this->extensions & extension) != FALSE;
+}
+
+/**
+ * Implementation of ike_sa_t.has_condition.
+ */
+static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
+{
+	return (this->conditions & condition) != FALSE;
+}
+
+/**
+ * Implementation of ike_sa_t.enable_condition.
+ */
+static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
+						  bool enable)
+{
+	if (has_condition(this, condition) != enable)
+	{
+		if (enable)
+		{
+			this->conditions |= condition;
+			switch (condition)
+			{
+				case COND_STALE:
+					DBG1(DBG_IKE, "no route to %H, setting IKE_SA to stale",
+						 this->other_host);
+					break;
+				case COND_NAT_HERE:
+					DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
+					this->conditions |= COND_NAT_ANY;
+					send_keepalive(this);
+					break;
+				case COND_NAT_THERE:
+					DBG1(DBG_IKE, "remote host is behind NAT");
+					this->conditions |= COND_NAT_ANY;
+					break;
+				default:
+					break;
+			}
+		}
+		else
+		{
+			this->conditions &= ~condition;
+			switch (condition)
+			{
+				case COND_STALE:
+					DBG1(DBG_IKE, "new route to %H found", this->other_host);
+					break;
+				case COND_NAT_HERE:
+				case COND_NAT_THERE:
+					set_condition(this, COND_NAT_ANY,
+								  has_condition(this, COND_NAT_HERE) ||
+								  has_condition(this, COND_NAT_THERE));
+					break;
+				default:
+					break;
+			}
+		}
+	}
+}
 
 /**
  * Implementation of ike_sa_t.send_dpd
@@ -442,46 +563,12 @@ static status_t send_dpd(private_ike_sa_t *this)
 	}
 	/* recheck in "interval" seconds */
 	job = send_dpd_job_create(this->ike_sa_id);
-	charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
-									  (delay - diff) * 1000);
+	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
+									(delay - diff) * 1000);
 	return SUCCESS;
 }
 
 /**
- * Implementation of ike_sa_t.send_keepalive
- */
-static void send_keepalive(private_ike_sa_t *this)
-{
-	send_keepalive_job_t *job;
-	time_t last_out, now, diff;
-	
-	last_out = get_use_time(this, FALSE);
-	now = time(NULL);
-	
-	diff = now - last_out;
-	
-	if (diff >= KEEPALIVE_INTERVAL)
-	{
-		packet_t *packet;
-		chunk_t data;
-		
-		packet = packet_create();
-		packet->set_source(packet, this->my_host->clone(this->my_host));
-		packet->set_destination(packet, this->other_host->clone(this->other_host));
-		data.ptr = malloc(1);
-		data.ptr[0] = 0xFF;
-		data.len = 1;
-		packet->set_data(packet, data);
-		charon->sender->send(charon->sender, packet);
-		DBG1(DBG_IKE, "sending keep alive");
-		diff = 0;
-	}
-	job = send_keepalive_job_create(this->ike_sa_id);
-	charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
-									  (KEEPALIVE_INTERVAL - diff) * 1000);
-}
-
-/**
  * Implementation of ike_sa_t.get_state.
  */
 static ike_sa_state_t get_state(private_ike_sa_t *this)
@@ -524,16 +611,16 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 				{
 					this->time.rekey = now + soft;
 					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, reauth);
-					charon->event_queue->add_relative(charon->event_queue, job,
-													  soft * 1000);
+					charon->scheduler->schedule_job(charon->scheduler, job,
+													soft * 1000);
 				}
 				
 				if (hard)
 				{
 					this->time.delete = now + hard;
 					job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-					charon->event_queue->add_relative(charon->event_queue, job,
-													  hard * 1000);
+					charon->scheduler->schedule_job(charon->scheduler, job,
+													hard * 1000);
 				}
 			}
 			break;
@@ -542,8 +629,8 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
 		{
 			/* delete may fail if a packet gets lost, so set a timeout */
 			job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-			charon->event_queue->add_relative(charon->event_queue, job, 
-											  HALF_OPEN_IKE_SA_TIMEOUT);
+			charon->scheduler->schedule_job(charon->scheduler, job, 
+											HALF_OPEN_IKE_SA_TIMEOUT);
 			break;
 		}
 		default:
@@ -570,67 +657,151 @@ static void reset(private_ike_sa_t *this)
 }
 
 /**
+ * Implementation of ike_sa_t.set_virtual_ip
+ */
+static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
+{
+	if (local)
+	{
+		DBG1(DBG_IKE, "installing new virtual IP %H", ip);
+		if (this->my_virtual_ip)
+		{
+			DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
+			charon->kernel_interface->del_ip(charon->kernel_interface,
+											 this->my_virtual_ip);
+			this->my_virtual_ip->destroy(this->my_virtual_ip);
+		}
+		if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
+											 this->my_host) == SUCCESS)
+		{
+			this->my_virtual_ip = ip->clone(ip);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
+			this->my_virtual_ip = NULL;
+		}
+	}
+	else
+	{
+		DESTROY_IF(this->other_virtual_ip);
+		this->other_virtual_ip = ip->clone(ip);
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.get_virtual_ip
+ */
+static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
+{
+	if (local)
+	{
+		return this->my_virtual_ip;
+	}
+	else
+	{
+		return this->other_virtual_ip;
+	}
+}
+
+/**
+ * Implementation of ike_sa_t.add_additional_address.
+ */
+static void add_additional_address(private_ike_sa_t *this, host_t *host)
+{
+	this->additional_addresses->insert_last(this->additional_addresses, host);
+}
+	
+/**
+ * Implementation of ike_sa_t.create_additional_address_iterator.
+ */
+static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
+{
+	return this->additional_addresses->create_iterator(
+											this->additional_addresses, TRUE);
+}
+	
+/**
+ * Implementation of ike_sa_t.set_pending_updates.
+ */
+static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
+{
+	this->pending_updates = updates;
+}
+
+/**
+ * Implementation of ike_sa_t.get_pending_updates.
+ */
+static u_int32_t get_pending_updates(private_ike_sa_t *this)
+{
+	return this->pending_updates;
+}
+
+/**
  * Update hosts, as addresses may change (NAT)
  */
 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
 {
-	iterator_t *iterator = NULL;
-	child_sa_t *child_sa = NULL;
-	host_diff_t my_diff, other_diff;
+	bool update = FALSE;
 	
-	if (this->my_host->is_anyaddr(this->my_host) ||
-		this->other_host->is_anyaddr(this->other_host))
-	{
-		/* on first received message */
-		this->my_host->destroy(this->my_host);
-		this->my_host = me->clone(me);
-		this->other_host->destroy(this->other_host);
-		this->other_host = other->clone(other);
+	if (supports_extension(this, EXT_MOBIKE))
+	{	/* if peer speaks mobike, address updates are explicit only */
 		return;
 	}
 	
-	my_diff = me->get_differences(me, this->my_host);
-	other_diff = other->get_differences(other, this->other_host);
-	
-	if (!my_diff && !other_diff)
+	if (me == NULL)
 	{
-		return;
+		me = this->my_host;
 	}
-	
-	if (my_diff)
+	if (other == NULL)
 	{
-		this->my_host->destroy(this->my_host);
-		this->my_host = me->clone(me);
+		other = this->other_host;
 	}
 	
-	if (!this->nat_here)
+	/* apply hosts on first received message */
+	if (this->my_host->is_anyaddr(this->my_host) ||
+		this->other_host->is_anyaddr(this->other_host))
 	{
-		/* update without restrictions if we are not NATted */
-		if (other_diff)
-		{
-			this->other_host->destroy(this->other_host);
-			this->other_host = other->clone(other);
-		}
+		set_my_host(this, me->clone(me));
+		set_other_host(this, other->clone(other));
+		update = TRUE;
 	}
 	else
 	{
-		/* if we are natted, only port may change */
-		if (other_diff & HOST_DIFF_ADDR)
+		/* update our address in any case */
+		if (!me->equals(me, this->my_host))
 		{
-			return;
+			set_my_host(this, me->clone(me));
+			update = TRUE;
 		}
-		else if (other_diff & HOST_DIFF_PORT)
+		
+		if (!other->equals(other, this->other_host))
 		{
-			this->other_host->set_port(this->other_host, other->get_port(other));
+			/* update others adress if we are NOT NATed,
+			 * and allow port changes if we are NATed */
+			if (!has_condition(this, COND_NAT_HERE) ||
+				other->ip_equals(other, this->other_host))
+			{
+				set_other_host(this, other->clone(other));
+				update = TRUE;
+			}
 		}
 	}
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while (iterator->iterate(iterator, (void**)&child_sa))
+	
+	/* update all associated CHILD_SAs, if required */
+	if (update)
 	{
-		child_sa->update_hosts(child_sa, this->my_host, this->other_host, 
-							   my_diff, other_diff);
+		iterator_t *iterator;
+		child_sa_t *child_sa;
+	
+		iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+		while (iterator->iterate(iterator, (void**)&child_sa))
+		{
+			child_sa->update_hosts(child_sa, this->my_host, this->other_host,
+								   has_condition(this, COND_NAT_ANY));
+		}
+		iterator->destroy(iterator);
 	}
-	iterator->destroy(iterator);
 }
 
 /**
@@ -761,12 +932,12 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
 			}
 			/* add a timeout if peer does not establish it completely */
 			job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
-			charon->event_queue->add_relative(charon->event_queue, job,
-											  HALF_OPEN_IKE_SA_TIMEOUT);
+			charon->scheduler->schedule_job(charon->scheduler, job,
+											HALF_OPEN_IKE_SA_TIMEOUT);
 		}
 		
 		/* check if message is trustworthy, and update host information */
-		if (this->state == IKE_CREATED ||
+		if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
 			message->get_exchange_type(message) != IKE_SA_INIT)
 		{
 			update_hosts(this, me, other);
@@ -788,6 +959,7 @@ static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
 		
 		if (this->other_host->is_anyaddr(this->other_host))
 		{
+			child_cfg->destroy(child_cfg);
 			SIG(IKE_UP_START, "initiating IKE_SA");
 			SIG(IKE_UP_FAILED, "unable to initiate to %%any");
 			return DESTROY_ME;
@@ -803,6 +975,8 @@ static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
 		this->task_manager->queue_task(this->task_manager, task);
 		task = (task_t*)ike_config_create(&this->public, TRUE);
 		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_mobike_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
 	}
 	
 	task = (task_t*)child_create_create(&this->public, child_cfg);
@@ -863,6 +1037,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
 		this->task_manager->queue_task(this->task_manager, task);
 		task = (task_t*)ike_config_create(&this->public, TRUE);
 		this->task_manager->queue_task(this->task_manager, task);
+		task = (task_t*)ike_mobike_create(&this->public, TRUE);
+		this->task_manager->queue_task(this->task_manager, task);
 	}
 	
 	child_cfg = child_sa->get_config(child_sa);
@@ -881,6 +1057,7 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 	child_sa_t *child_sa;
 	iterator_t *iterator;
 	linked_list_t *my_ts, *other_ts;
+	host_t *me, *other;
 	status_t status;
 	
 	SIG(CHILD_ROUTE_START, "routing CHILD_SA");
@@ -916,11 +1093,19 @@ static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
 	/* install kernel policies */
 	child_sa = child_sa_create(this->my_host, this->other_host, this->my_id,
 							   this->other_id, child_cfg, FALSE, 0);
+	me = this->my_host;
+	if (this->my_virtual_ip)
+	{
+		me = this->my_virtual_ip;
+	}
+	other = this->other_host;
+	if (this->other_virtual_ip)
+	{
+		other = this->other_virtual_ip;
+	}
 	
-	my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL,
-											 this->my_host);
-	other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL,
-												this->other_host);
+	my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
+	other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
 	status = child_sa->add_policies(child_sa, my_ts, other_ts,
 									child_cfg->get_mode(child_cfg));
 	my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
@@ -1063,6 +1248,16 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
 			/* use actual used host, not the wildcarded one in config */
 			new->other_host->destroy(new->other_host);
 			new->other_host = this->other_host->clone(this->other_host);
+			/* reset port to 500, but only if peer is not NATed */
+			if (!has_condition(this, COND_NAT_THERE))
+			{
+				new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
+			}
+			/* take over virtual ip, as we need it for a proper route */
+			if (this->my_virtual_ip)
+			{
+				set_virtual_ip(new, TRUE, this->my_virtual_ip);
+			}
 			
 			/* install routes */
 			while (to_route->remove_last(to_route, (void**)&child_cfg) == SUCCESS)
@@ -1089,6 +1284,8 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
 					task = (task_t*)child_create_create(&new->public, child_cfg);
 					new->task_manager->queue_task(new->task_manager, task);
 				}
+				task = (task_t*)ike_mobike_create(&new->public, TRUE);
+				new->task_manager->queue_task(new->task_manager, task);
 				new->task_manager->initiate(new->task_manager);
 			}
 			charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
@@ -1191,55 +1388,6 @@ static void set_other_ca(private_ike_sa_t *this, ca_info_t *other_ca)
 }
 
 /**
- * Implementation of ike_sa_t.set_virtual_ip
- */
-static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
-{
-	if (local)
-	{
-		DBG1(DBG_IKE, "installing new virtual IP %H", ip);
-		if (this->my_virtual_ip)
-		{
-			DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
-			charon->kernel_interface->del_ip(charon->kernel_interface,
-											 this->my_virtual_ip,
-											 this->my_host);
-			this->my_virtual_ip->destroy(this->my_virtual_ip);
-		}
-		if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
-											 this->my_host) == SUCCESS)
-		{
-			this->my_virtual_ip = ip->clone(ip);
-		}
-		else
-		{
-			DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
-			this->my_virtual_ip = NULL;
-		}
-	}
-	else
-	{
-		DESTROY_IF(this->other_virtual_ip);
-		this->other_virtual_ip = ip->clone(ip);
-	}
-}
-
-/**
- * Implementation of ike_sa_t.get_virtual_ip
- */
-static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
-{
-	if (local)
-	{
-		return this->my_virtual_ip;
-	}
-	else
-	{
-		return this->other_virtual_ip;
-	}
-}
-
-/**
  * Implementation of ike_sa_t.derive_keys.
  */
 static status_t derive_keys(private_ike_sa_t *this,
@@ -1560,72 +1708,78 @@ static status_t rekey(private_ike_sa_t *this)
 /**
  * Implementation of ike_sa_t.reestablish
  */
-static void reestablish(private_ike_sa_t *this)
+static status_t reestablish(private_ike_sa_t *this)
 {
-	private_ike_sa_t *other;
-	iterator_t *iterator;
-	child_sa_t *child_sa;
-	child_cfg_t *child_cfg;
 	task_t *task;
-	job_t *job;
-	
-	other = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
-											charon->ike_sa_manager, TRUE);
 	
-	set_peer_cfg(other, this->peer_cfg);
-	other->other_host->destroy(other->other_host);
-	other->other_host = this->other_host->clone(this->other_host);
-	if (this->my_virtual_ip)
-	{
-		/* if we already have a virtual IP, we reuse it */
-		set_virtual_ip(other, TRUE, this->my_virtual_ip);
-	}
-		
-	if (this->state == IKE_ESTABLISHED)
-	{
-		task = (task_t*)ike_init_create(&other->public, TRUE, NULL);
-		other->task_manager->queue_task(other->task_manager, task);
-		task = (task_t*)ike_natd_create(&other->public, TRUE);
-		other->task_manager->queue_task(other->task_manager, task);
-		task = (task_t*)ike_cert_create(&other->public, TRUE);
-		other->task_manager->queue_task(other->task_manager, task);
-		task = (task_t*)ike_config_create(&other->public, TRUE);
-		other->task_manager->queue_task(other->task_manager, task);
-		task = (task_t*)ike_auth_create(&other->public, TRUE);
-		other->task_manager->queue_task(other->task_manager, task);
-	}
+	task = (task_t*)ike_reauth_create(&this->public);
+	this->task_manager->queue_task(this->task_manager, task);
 	
-	other->task_manager->adopt_tasks(other->task_manager, this->task_manager);
+	return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.roam.
+ */
+static status_t roam(private_ike_sa_t *this, bool address)
+{
+	host_t *me, *other;
+	ike_mobike_t *mobike;
 	
-	/* Create task for established children, adopt routed children directly */
-	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
-	while(iterator->iterate(iterator, (void**)&child_sa))
+	/* responder just updates the peer about changed address config */
+	if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
 	{
-		switch (child_sa->get_state(child_sa))
+		if (supports_extension(this, EXT_MOBIKE) && address)
 		{
-			case CHILD_ROUTED:
-			{
-				iterator->remove(iterator);
-				other->child_sas->insert_first(other->child_sas, child_sa);
-				break;
-			}
-			default:
-			{
-				child_cfg = child_sa->get_config(child_sa);
-				task = (task_t*)child_create_create(&other->public, child_cfg);
-				other->task_manager->queue_task(other->task_manager, task);
-				break;
-			}
+			DBG1(DBG_IKE, "sending address list update using MOBIKE");
+			mobike = ike_mobike_create(&this->public, TRUE);
+			this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
+			return this->task_manager->initiate(this->task_manager);
 		}
+		return SUCCESS;
 	}
-	iterator->destroy(iterator);
 	
-	other->task_manager->initiate(other->task_manager);
+	/* get best address pair to use */
+	other = this->other_host;
+	me = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+												   other);
+												   
+	/* TODO: find a better path using additional addresses of peer */
 	
-	charon->ike_sa_manager->checkin(charon->ike_sa_manager, &other->public);
+	if (!me)
+	{
+		/* no route found to host, set to stale, wait for a new route */
+		set_condition(this, COND_STALE, TRUE);
+		return FAILED;
+	}
+	
+	set_condition(this, COND_STALE, FALSE);
+	if (me->ip_equals(me, this->my_host) &&
+		other->ip_equals(other, this->other_host))
+	{
+		DBG2(DBG_IKE, "%H still reached through %H, no update needed",
+			 this->other_host, me);
+		me->destroy(me);
+		return SUCCESS;
+	}
+	me->set_port(me, this->my_host->get_port(this->my_host));
+	other = other->clone(other);
+	other->set_port(other, this->other_host->get_port(this->other_host));
+	set_my_host(this, me);
+	set_other_host(this, other);
 	
-	job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-	charon->job_queue->add(charon->job_queue, job);
+	/* update addresses with mobike, if supported ... */
+	if (supports_extension(this, EXT_MOBIKE))
+	{
+		DBG1(DBG_IKE, "requesting address change using MOBIKE");
+		mobike = ike_mobike_create(&this->public, TRUE);
+		mobike->roam(mobike, address);
+		this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
+		return this->task_manager->initiate(this->task_manager);
+	}
+	DBG1(DBG_IKE, "reestablishing IKE_SA due address change");
+	/* ... reestablish if not */
+	return reestablish(this);
 }
 
 /**
@@ -1680,32 +1834,6 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
 }
 
 /**
- * Implementation of ike_sa_t.is_natt_enabled.
- */
-static bool is_natt_enabled(private_ike_sa_t *this)
-{
-	return this->nat_here || this->nat_there;
-}
-
-/**
- * Implementation of ike_sa_t.enable_natt.
- */
-static void enable_natt(private_ike_sa_t *this, bool local)
-{
-	if (local)
-	{
-		DBG1(DBG_IKE, "local host is behind NAT, scheduling keep alives");
-		this->nat_here = TRUE;
-		send_keepalive(this);
-	}
-	else
-	{
-		DBG1(DBG_IKE, "remote host is behind NAT");
-		this->nat_there = TRUE;
-	}
-}
-
-/**
  * Implementation of ike_sa_t.remove_dns_server
  */
 static void remove_dns_servers(private_ike_sa_t *this)
@@ -1857,13 +1985,16 @@ static void destroy(private_ike_sa_t *this)
 	if (this->my_virtual_ip)
 	{
 		charon->kernel_interface->del_ip(charon->kernel_interface,
-										 this->my_virtual_ip, this->my_host);
+										 this->my_virtual_ip);
 		this->my_virtual_ip->destroy(this->my_virtual_ip);
 	}
 	DESTROY_IF(this->other_virtual_ip);
 	
 	remove_dns_servers(this);
-	this->dns_servers->destroy_offset(this->dns_servers, offsetof(host_t, destroy));
+	this->dns_servers->destroy_offset(this->dns_servers,
+													offsetof(host_t, destroy));
+	this->additional_addresses->destroy_offset(this->additional_addresses,
+													offsetof(host_t, destroy));
 	
 	DESTROY_IF(this->my_host);
 	DESTROY_IF(this->other_host);
@@ -1905,12 +2036,21 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
 	this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
 	this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
+	this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
 	this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
 	this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
 	this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
 	this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
 	this->public.get_other_ca = (ca_info_t* (*)(ike_sa_t*)) get_other_ca;
 	this->public.set_other_ca = (void (*)(ike_sa_t*,ca_info_t*)) set_other_ca;
+	this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
+	this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
+	this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
+	this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
+	this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
+	this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
+	this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
+	this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
 	this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
 	this->public.delete = (status_t (*)(ike_sa_t*))delete_;
 	this->public.destroy = (void (*)(ike_sa_t*))destroy;
@@ -1927,10 +2067,9 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
 	this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
 	this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
-	this->public.enable_natt = (void (*)(ike_sa_t*, bool)) enable_natt;
-	this->public.is_natt_enabled = (bool (*)(ike_sa_t*)) is_natt_enabled;
 	this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
-	this->public.reestablish = (void (*)(ike_sa_t*))reestablish;
+	this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
+	this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
 	this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
 	this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
 	this->public.reset = (void (*)(ike_sa_t*))reset;
@@ -1947,6 +2086,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
 	this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
 	this->other_ca = NULL;
+	this->extensions = 0;
+	this->conditions = 0;
 	this->crypter_in = NULL;
 	this->crypter_out = NULL;
 	this->signer_in = NULL;
@@ -1955,8 +2096,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->skp_verify = chunk_empty;
 	this->skp_build = chunk_empty;
  	this->child_prf = NULL;
-	this->nat_here = FALSE;
-	this->nat_there = FALSE;
 	this->state = IKE_CREATED;
 	this->time.inbound = this->time.outbound = time(NULL);
 	this->time.established = 0;
@@ -1969,6 +2108,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 	this->my_virtual_ip = NULL;
 	this->other_virtual_ip = NULL;
 	this->dns_servers = linked_list_create();
+	this->additional_addresses = linked_list_create();
+	this->pending_updates = 0;
 	this->keyingtry = 0;
 	
 	return &this->public;
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 76942b208..ba189577c 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -25,6 +25,8 @@
 #ifndef IKE_SA_H_
 #define IKE_SA_H_
 
+typedef enum ike_extension_t ike_extension_t;
+typedef enum ike_condition_t ike_condition_t;
 typedef enum ike_sa_state_t ike_sa_state_t;
 typedef struct ike_sa_t ike_sa_t;
 
@@ -70,6 +72,47 @@ typedef struct ike_sa_t ike_sa_t;
  */
 #define RETRY_JITTER 20
 
+/**
+ * @brief Extensions (or optional features) the peer supports
+ */
+enum ike_extension_t {
+	
+	/**
+	 * peer supports NAT traversal as specified in RFC4306
+	 */
+	EXT_NATT = (1<<0),
+
+	/**
+	 * peer supports MOBIKE (RFC4555)
+	 */
+	EXT_MOBIKE = (1<<1),
+};
+
+/**
+ * @brief Conditions of an IKE_SA, change during its lifetime
+ */
+enum ike_condition_t {
+	
+	/**
+	 * Connection is natted somewhere
+	 */
+	COND_NAT_ANY = (1<<0),
+	
+	/**
+	 * we are behind NAT
+	 */
+	COND_NAT_HERE = (1<<1),
+	
+	/**
+	 * other is behind NAT
+	 */
+	COND_NAT_THERE = (1<<2),
+
+	/**
+	 * peer is currently not reachable (due missing route, ...)
+	 */
+	COND_STALE = (1<<3),
+};
 
 /**
  * @brief State of an IKE_SA.
@@ -240,6 +283,17 @@ struct ike_sa_t {
 	void (*set_other_host) (ike_sa_t *this, host_t *other);
 	
 	/**
+	 * @brief Update the IKE_SAs host.
+	 *
+	 * Hosts may be NULL to use current host.
+	 *
+	 * @param this			calling object
+	 * @param me			new local host address, or NULL
+	 * @param other			new remote host address, or NULL
+	 */
+	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other);
+	
+	/**
 	 * @brief Get the own identification.
 	 * 
 	 * @param this 			calling object
@@ -318,8 +372,83 @@ struct ike_sa_t {
 	 * @param config		peer_config to use
 	 */
 	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
+	
+	/**
+	 * @brief Add an additional address for the peer.
+	 *
+	 * In MOBIKE, a peer may transmit additional addresses where it is
+	 * reachable. These are stored in the IKE_SA.
+	 * The own list of addresses is not stored, they are queried from
+	 * the kernel when required.
+	 *
+	 * @param this			calling object
+	 * @param host			host to add to list
+	 */
+	void (*add_additional_address)(ike_sa_t *this, host_t *host);
+	
+	/**
+	 * @brief Create an iterator over all additional addresses of the peer.
+	 *
+	 * @param this			calling object
+	 * @return 				iterator over addresses
+	 */
+	iterator_t* (*create_additional_address_iterator)(ike_sa_t *this);
+	
+	/**
+	 * @brief Enable an extension the peer supports.
+	 *
+	 * If support for an IKE extension is detected, this method is called
+	 * to enable that extension and behave accordingly.
+	 *
+	 * @param this			calling object
+	 * @param extension		extension to enable
+	 */
+	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
+	
+	/**
+	 * @brief Check if the peer supports an extension.
+	 *
+	 * @param this			calling object
+	 * @param extension		extension to check for support
+	 * @return				TRUE if peer supports it, FALSE otherwise
+	 */
+	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
+	
+	/**
+	 * @brief Enable/disable a condition flag for this IKE_SA.
+	 *
+	 * @param this 			calling object
+	 * @param condition		condition to enable/disable
+	 * @param enable		TRUE to enable condition, FALSE to disable
+	 */
+	void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
 
 	/**
+	 * @brief Check if a condition flag is set.
+	 *
+	 * @param this 			calling object
+	 * @param condition		condition to check
+	 * @return				TRUE if condition flag set, FALSE otherwise
+	 */
+	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
+	
+	/**
+	 * @brief Get the number of queued MOBIKE address updates.
+	 *
+	 * @param this			calling object
+	 * @return				number of pending updates
+	 */
+	u_int32_t (*get_pending_updates)(ike_sa_t *this);
+	
+	/**
+	 * @brief Set the number of queued MOBIKE address updates.
+	 *
+	 * @param this			calling object
+	 * @param updates		number of pending updates
+	 */
+	void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates);
+	
+	/**
 	 * @brief Initiate a new connection.
 	 *
 	 * The configs are owned by the IKE_SA after the call.
@@ -389,6 +518,21 @@ struct ike_sa_t {
 	status_t (*delete) (ike_sa_t *this);
 	
 	/**
+	 * @brief Update IKE_SAs after network interfaces have changed.
+	 *
+	 * Whenever the network interface configuration changes, the kernel
+	 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
+	 * the new network config requires changes, and handles appropriate.
+	 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
+	 * restarted.
+	 *
+	 * @param this			calling object
+	 * @param address		TRUE if address list changed, FALSE otherwise
+	 * @return				SUCCESS, FAILED, DESTROY_ME
+	 */
+	status_t (*roam)(ike_sa_t *this, bool address);
+	
+	/**
 	 * @brief Processes a incoming IKEv2-Message.
 	 *
 	 * Message processing may fail. If a critical failure occurs, 
@@ -457,29 +601,6 @@ struct ike_sa_t {
 	 * @param this			calling object
 	 */
 	void (*send_keepalive) (ike_sa_t *this);
-	
-	/**
-	 * @brief Check if NAT traversal is enabled for this IKE_SA.
-	 *
-	 * @param this 			calling object
-	 * @return 				TRUE if NAT traversal enabled
-	 */
-	bool (*is_natt_enabled) (ike_sa_t *this);
-
-	/**
-	 * @brief Enable NAT detection for this IKE_SA.
-	 *
-	 * If a Network address translation is detected with
-	 * NAT_DETECTION notifys, a SA must switch to ports
-	 * 4500. To enable this behavior, call enable_natt().
-	 * It is relevant which peer is NATted, this is specified
-	 * with the "local" parameter. Call it twice when both
-	 * are NATted.
-	 *
-	 * @param this 			calling object
-	 * @param local			TRUE, if we are NATted, FALSE if other
-	 */
-	void (*enable_natt) (ike_sa_t *this, bool local);
 
 	/**
 	 * @brief Derive all keys and create the transforms for IKE communication.
@@ -621,11 +742,12 @@ struct ike_sa_t {
 	 * @brief Restablish the IKE_SA.
 	 *
 	 * Create a completely new IKE_SA with authentication, recreates all children
-	 * within the IKE_SA, but lets the old IKE_SA untouched.
+	 * within the IKE_SA, closes this IKE_SA.
 	 *
 	 * @param this 			calling object
+	 * @return				DESTROY_ME to destroy the IKE_SA
 	 */
-	void (*reestablish) (ike_sa_t *this);
+	status_t (*reestablish) (ike_sa_t *this);
 	
 	/**
 	 * @brief Set the virtual IP to use for this IKE_SA and its children.
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index a62ec5e3c..56b865891 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -525,19 +525,21 @@ static ike_sa_t* checkout_by_peer(private_ike_sa_manager_t *this,
 			/* IKE_SA has no IDs yet, so we can't use it */
 			continue;
 		}
-		
+		DBG2(DBG_MGR, "candidate IKE_SA for \n\t%H[%D]...%H[%D]\n\t%H[%D]...%H[%D]",
+			 my_host, my_id, other_host, other_id,
+			 found_my_host, found_my_id, found_other_host, found_other_id);
 		/* compare ID and hosts. Supplied ID may contain wildcards, and IP
 		 * may be %any. */
-		if ((found_my_host->is_anyaddr(found_my_host) ||
+		if ((my_host->is_anyaddr(my_host) ||
 			 my_host->ip_equals(my_host, found_my_host)) &&
-			(found_other_host->is_anyaddr(found_other_host) ||
+			(other_host->is_anyaddr(other_host) ||
 			 other_host->ip_equals(other_host, found_other_host)) &&
 			found_my_id->matches(found_my_id, my_id, &wc) &&
 			found_other_id->matches(found_other_id, other_id, &wc))
 		{
 			/* looks good, we take this one */
 			DBG2(DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]",
-				 my_host, other_host, my_id, other_id);
+				 my_host, my_id, other_host, other_id);
 			entry->checked_out = TRUE;
 			ike_sa = entry->ike_sa;
 		}
@@ -682,16 +684,16 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
 /**
  * Iterator hook for iterate, gets ike_sas instead of entries
  */
-static bool iterator_hook(private_ike_sa_manager_t* this, entry_t *in,
-						  ike_sa_t **out)
+static hook_result_t iterator_hook(private_ike_sa_manager_t* this, entry_t *in,
+								   ike_sa_t **out)
 {
 	/* check out entry */
 	if (wait_for_entry(this, in))
 	{
 		*out = in->ike_sa;
-		return TRUE;
+		return HOOK_NEXT;
 	}
-	return FALSE;
+	return HOOK_SKIP;
 }
 
 /**
@@ -701,6 +703,7 @@ static iterator_t *create_iterator(private_ike_sa_manager_t* this)
 {
 	iterator_t *iterator = this->ike_sa_list->create_iterator_locked(
 											this->ike_sa_list, &this->mutex);
+	
 	/* register hook to iterator over ike_sas, not entries */
 	iterator->set_iterator_hook(iterator, (iterator_hook_t*)iterator_hook, this);
 	return iterator;
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
index e67508ed1..55592f437 100644
--- a/src/charon/sa/task_manager.c
+++ b/src/charon/sa/task_manager.c
@@ -27,6 +27,7 @@
 #include <daemon.h>
 #include <sa/tasks/ike_init.h>
 #include <sa/tasks/ike_natd.h>
+#include <sa/tasks/ike_mobike.h>
 #include <sa/tasks/ike_auth.h>
 #include <sa/tasks/ike_cert.h>
 #include <sa/tasks/ike_rekey.h>
@@ -130,6 +131,11 @@ struct private_task_manager_t {
 	 * List of tasks initiated by peer
 	 */
 	linked_list_t *passive_tasks;
+	
+	/**
+	 * the task manager has been reset 
+	 */
+	bool reset;
 };
 
 /**
@@ -140,7 +146,7 @@ static void flush(private_task_manager_t *this)
 	task_t *task;
 	
 	this->queued_tasks->destroy_offset(this->queued_tasks, 
-									   offsetof(task_t, destroy));
+										offsetof(task_t, destroy));
 	this->passive_tasks->destroy_offset(this->passive_tasks,
 										offsetof(task_t, destroy));
 	
@@ -235,7 +241,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
 					this->initiating.packet->clone(this->initiating.packet));
 		job = (job_t*)retransmit_job_create(this->initiating.mid,
 											this->ike_sa->get_id(this->ike_sa));
-		charon->event_queue->add_relative(charon->event_queue, job, timeout);
+		charon->scheduler->schedule_job(charon->scheduler, job, timeout);
 	}
 	return SUCCESS;
 }
@@ -274,6 +280,7 @@ static status_t build_request(private_task_manager_t *this)
 					activate_task(this, IKE_AUTHENTICATE);
 					activate_task(this, IKE_CONFIG);
 					activate_task(this, CHILD_CREATE);
+					activate_task(this, IKE_MOBIKE);
 				}
 				break;
 			case IKE_ESTABLISHED:
@@ -302,7 +309,17 @@ static status_t build_request(private_task_manager_t *this)
 					exchange = CREATE_CHILD_SA;
 					break;
 				}
-				if (activate_task(this, IKE_DEADPEER))
+				if (activate_task(this, IKE_REAUTH))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, IKE_MOBIKE))
+				{
+					exchange = INFORMATIONAL;
+					break;
+				}
+				if (activate_task(this, IKE_DPD))
 				{
 					exchange = INFORMATIONAL;
 					break;
@@ -338,6 +355,8 @@ static status_t build_request(private_task_manager_t *this)
 				case IKE_REKEY:
 					exchange = CREATE_CHILD_SA;
 					break;
+				case IKE_MOBIKE:
+					exchange = INFORMATIONAL;
 				default:
 					continue;
 			}
@@ -415,6 +434,8 @@ static status_t process_response(private_task_manager_t *this,
 		return DESTROY_ME;
 	}
 
+	/* catch if we get resetted while processing */
+	this->reset = FALSE;
 	iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
 	while (iterator->iterate(iterator, (void*)&task))
 	{
@@ -434,6 +455,12 @@ static status_t process_response(private_task_manager_t *this,
 	            iterator->destroy(iterator);
 	            return DESTROY_ME;
 	    }
+	    if (this->reset)
+	    {	/* start all over again if we were reset */
+	    	this->reset = FALSE;
+	    	iterator->destroy(iterator);
+			return build_request(this);
+		}	
 	}
 	iterator->destroy(iterator);
 	
@@ -456,7 +483,7 @@ static void handle_collisions(private_task_manager_t *this, task_t *task)
 	
 	/* do we have to check  */
 	if (type == IKE_REKEY || type == CHILD_REKEY ||
-		type == CHILD_DELETE || type == IKE_DELETE)
+		type == CHILD_DELETE || type == IKE_DELETE || type == IKE_REAUTH)
 	{
 	    /* find an exchange collision, and notify these tasks */
 	    iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
@@ -465,7 +492,8 @@ static void handle_collisions(private_task_manager_t *this, task_t *task)
 	    	switch (active->get_type(active))
 	    	{
 	    		case IKE_REKEY:
-	    			if (type == IKE_REKEY || type == IKE_DELETE)
+	    			if (type == IKE_REKEY || type == IKE_DELETE ||
+	    				type == IKE_REAUTH)
 	    			{
 	    				ike_rekey_t *rekey = (ike_rekey_t*)active;
 	    				rekey->collide(rekey, task);
@@ -571,6 +599,7 @@ static status_t process_request(private_task_manager_t *this,
 	exchange_type_t exchange;
 	payload_t *payload;
 	notify_payload_t *notify;
+	delete_payload_t *delete;
 
 	exchange = message->get_exchange_type(message);
 
@@ -591,6 +620,8 @@ static status_t process_request(private_task_manager_t *this,
 			this->passive_tasks->insert_last(this->passive_tasks, task);
 			task = (task_t*)child_create_create(this->ike_sa, NULL);
 			this->passive_tasks->insert_last(this->passive_tasks, task);
+			task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
+			this->passive_tasks->insert_last(this->passive_tasks, task);
 			break;
 		}
 		case CREATE_CHILD_SA:
@@ -646,27 +677,60 @@ static status_t process_request(private_task_manager_t *this,
 		}
 		case INFORMATIONAL:
 		{
-			delete_payload_t *delete;
-			
-			delete = (delete_payload_t*)message->get_payload(message, DELETE);
-			if (delete)
+			iterator = message->get_payload_iterator(message);
+			while (iterator->iterate(iterator, (void**)&payload))
 			{
-				if (delete->get_protocol_id(delete) == PROTO_IKE)
+				switch (payload->get_type(payload))
 				{
-					task = (task_t*)ike_delete_create(this->ike_sa, FALSE);
-					this->passive_tasks->insert_last(this->passive_tasks, task);
+					case NOTIFY:
+					{
+						notify = (notify_payload_t*)payload;
+						switch (notify->get_notify_type(notify))
+						{
+							case ADDITIONAL_IP4_ADDRESS:
+							case ADDITIONAL_IP6_ADDRESS:
+							case NO_ADDITIONAL_ADDRESSES:
+							case UPDATE_SA_ADDRESSES:
+							case NO_NATS_ALLOWED:
+							case UNACCEPTABLE_ADDRESSES:
+							case UNEXPECTED_NAT_DETECTED:
+							case COOKIE2:
+								task = (task_t*)ike_mobike_create(this->ike_sa,
+																  FALSE);
+								break;
+							default:
+								break;
+						}
+						break;
+					}
+					case DELETE:
+					{
+						delete = (delete_payload_t*)payload;
+						if (delete->get_protocol_id(delete) == PROTO_IKE)
+						{
+							task = (task_t*)ike_delete_create(this->ike_sa, FALSE);
+						}
+						else
+						{
+							task = (task_t*)child_delete_create(this->ike_sa, NULL);
+						}
+						break;
+					}
+					default:
+						break;
 				}
-				else
+				if (task)
 				{
-					task = (task_t*)child_delete_create(this->ike_sa, NULL);
-					this->passive_tasks->insert_last(this->passive_tasks, task);
+					break;
 				}
 			}
-			else
+			iterator->destroy(iterator);
+			
+			if (task == NULL)
 			{
 				task = (task_t*)ike_dpd_create(FALSE);
-				this->passive_tasks->insert_last(this->passive_tasks, task);
 			}
+			this->passive_tasks->insert_last(this->passive_tasks, task);
 			break;
 		}
 		default:
@@ -806,7 +870,7 @@ static void reset(private_task_manager_t *this)
 	this->responding.packet = NULL;
 	this->initiating.packet = NULL;
 	this->responding.mid = 0;
-	this->initiating.mid = -1;
+	this->initiating.mid = 0;
 	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
 	
 	/* reset active tasks */
@@ -816,6 +880,8 @@ static void reset(private_task_manager_t *this)
 		task->migrate(task, this->ike_sa);
 		this->queued_tasks->insert_first(this->queued_tasks, task);
 	}
+	
+	this->reset = TRUE;
 }
 
 /**
@@ -859,6 +925,7 @@ task_manager_t *task_manager_create(ike_sa_t *ike_sa)
 	this->queued_tasks = linked_list_create();
 	this->active_tasks = linked_list_create();
 	this->passive_tasks = linked_list_create();
+	this->reset = FALSE;
 
 	return &this->public;
 }
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index f70730b05..42f34a94b 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -297,7 +297,7 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 					this->mode = MODE_TUNNEL;
 					DBG1(DBG_IKE, "not using tranport mode, not host-to-host");
 				}
-				else if (this->ike_sa->is_natt_enabled(this->ike_sa))
+				else if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
 				{
 					this->mode = MODE_TUNNEL;
 					DBG1(DBG_IKE, "not using tranport mode, connection NATed");
@@ -493,6 +493,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
 static status_t build_i(private_child_create_t *this, message_t *message)
 {
 	host_t *me, *other, *vip;
+	bool propose_all = FALSE;
 	peer_cfg_t *peer_cfg;
 
 	switch (message->get_exchange_type(message))
@@ -523,33 +524,53 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 	
 	SIG(CHILD_UP_START, "establishing CHILD_SA");
 	
-	me = this->ike_sa->get_my_host(this->ike_sa);
-	other = this->ike_sa->get_other_host(this->ike_sa);
-	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-	vip = peer_cfg->get_my_virtual_ip(peer_cfg);
+	/* reuse virtual IP if we already have one */
+	me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+	if (me == NULL)
+	{
+		me = this->ike_sa->get_my_host(this->ike_sa);
+	}
+	other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
+	if (other == NULL)
+	{
+		other = this->ike_sa->get_other_host(this->ike_sa);
+	}
 	
-	if (vip)
+	/* check if we want a virtual IP, but don't have one */
+	if (!this->reqid)
+	{
+		peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+		vip = peer_cfg->get_my_virtual_ip(peer_cfg);
+		if (vip)
+		{
+			propose_all = TRUE;
+			vip->destroy(vip);
+		}
+	}
+	
+	if (propose_all)
 	{	/* propose a 0.0.0.0/0 subnet when we use virtual ip */
 		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
 														NULL, NULL);
-		vip->destroy(vip);
 	}
 	else
-	{	/* but shorten a 0.0.0.0/0 subnet to the actual address if host2host */
+	{	/* but shorten a 0.0.0.0/0 subnet for host2host/we already have a vip */
 		this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
 														NULL, me);
 	}
 	this->tsr = this->config->get_traffic_selectors(this->config, FALSE, 
 													NULL, other);
+
 	this->proposals = this->config->get_proposals(this->config,
 												  this->dh_group == MODP_NONE);
 	this->mode = this->config->get_mode(this->config);
 	
-	this->child_sa = child_sa_create(me, other,
-									 this->ike_sa->get_my_id(this->ike_sa),
-									 this->ike_sa->get_other_id(this->ike_sa),
-									 this->config, this->reqid,
-									 this->ike_sa->is_natt_enabled(this->ike_sa));
+	this->child_sa = child_sa_create(
+			this->ike_sa->get_my_host(this->ike_sa),
+			this->ike_sa->get_other_host(this->ike_sa),
+			this->ike_sa->get_my_id(this->ike_sa), 
+			this->ike_sa->get_other_id(this->ike_sa), this->config, this->reqid,
+			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
 	
 	if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS)
 	{
@@ -609,9 +630,21 @@ static status_t process_r(private_child_create_t *this, message_t *message)
 	peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
 	if (peer_cfg)
 	{
-		this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr, this->tsi,
-									this->ike_sa->get_my_host(this->ike_sa),
-									this->ike_sa->get_other_host(this->ike_sa));
+		host_t *me, *other;
+		
+		me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+		if (me == NULL)
+		{
+			me = this->ike_sa->get_my_host(this->ike_sa);
+		}
+		other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
+		if (other == NULL)
+		{
+			other = this->ike_sa->get_other_host(this->ike_sa);
+		}
+		
+		this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
+												  this->tsi, me, other);
 	}
 	return NEED_MORE;
 }
@@ -660,12 +693,12 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		return SUCCESS;
 	}
 	
-	this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
-									 this->ike_sa->get_other_host(this->ike_sa),
-									 this->ike_sa->get_my_id(this->ike_sa),
-									 this->ike_sa->get_other_id(this->ike_sa),
-									 this->config, this->reqid,
-									 this->ike_sa->is_natt_enabled(this->ike_sa));
+	this->child_sa = child_sa_create(
+			this->ike_sa->get_my_host(this->ike_sa),
+			this->ike_sa->get_other_host(this->ike_sa),
+			this->ike_sa->get_my_id(this->ike_sa),
+			this->ike_sa->get_other_id(this->ike_sa), this->config, this->reqid,
+			this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
 	
 	switch (select_and_install(this, no_dh))
 	{
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
index 4f3c69034..3667d8fad 100644
--- a/src/charon/sa/tasks/child_rekey.c
+++ b/src/charon/sa/tasks/child_rekey.c
@@ -206,7 +206,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 			DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
 				 				"trying again in %d seconds", retry);
 			this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-			charon->event_queue->add_relative(charon->event_queue, job, retry * 1000);
+			charon->scheduler->schedule_job(charon->scheduler, job, retry * 1000);
 		}
 		return SUCCESS;
 	}
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index d0dd49aee..c1c0cd5a2 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -636,7 +636,12 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 				case INVALID_SELECTORS:
 					/* these are errors, but are not critical as only the
 					 * CHILD_SA won't get build, but IKE_SA establishes anyway */
-					 break;
+					break;
+				case MOBIKE_SUPPORTED:
+				case ADDITIONAL_IP4_ADDRESS:
+				case ADDITIONAL_IP6_ADDRESS:
+					/* handled in ike_mobike task */
+					break;
 				default:
 				{
 					if (type < 16383)
diff --git a/src/charon/sa/tasks/ike_dpd.c b/src/charon/sa/tasks/ike_dpd.c
index 1cb05c45c..be751766e 100644
--- a/src/charon/sa/tasks/ike_dpd.c
+++ b/src/charon/sa/tasks/ike_dpd.c
@@ -61,7 +61,7 @@ static status_t return_success(private_ike_dpd_t *this, message_t *message)
  */
 static task_type_t get_type(private_ike_dpd_t *this)
 {
-	return IKE_DEADPEER;
+	return IKE_DPD;
 }
 
 /**
diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c
new file mode 100644
index 000000000..8d4dce36c
--- /dev/null
+++ b/src/charon/sa/tasks/ike_mobike.c
@@ -0,0 +1,431 @@
+/**
+ * @file ike_mobike.c
+ *
+ * @brief Implementation of the ike_mobike task.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_mobike.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <sa/tasks/ike_natd.h>
+#include <encoding/payloads/notify_payload.h>
+
+
+typedef struct private_ike_mobike_t private_ike_mobike_t;
+
+/**
+ * Private members of a ike_mobike_t task.
+ */
+struct private_ike_mobike_t {
+	
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_mobike_t public;
+	
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+	
+	/**
+	 * Are we the initiator?
+	 */
+	bool initiator;
+	
+	/**
+	 * cookie2 value to verify new addresses
+	 */
+	chunk_t cookie2;
+	
+	/**
+	 * NAT discovery reusing the IKE_NATD task
+	 */
+	ike_natd_t *natd;
+	
+	/**
+	 * use task to update addresses
+	 */
+	bool roam;
+	
+	/**
+	 * include address list update
+	 */
+	bool address;
+};
+
+/**
+ * flush the IKE_SAs list of additional addresses
+ */
+static void flush_additional_addresses(private_ike_mobike_t *this)
+{
+	iterator_t *iterator;
+	host_t *host;
+	
+	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
+	while (iterator->iterate(iterator, (void**)&host))
+	{
+		iterator->remove(iterator);
+		host->destroy(host);
+	}
+	iterator->destroy(iterator);
+}
+
+
+/**
+ * read notifys from message and evaluate them
+ */
+static void process_payloads(private_ike_mobike_t *this, message_t *message)
+{
+	iterator_t *iterator;
+	payload_t *payload;
+	bool first = TRUE;
+	
+	iterator = message->get_payload_iterator(message);
+	while (iterator->iterate(iterator, (void**)&payload))
+	{
+		int family = AF_INET;
+		notify_payload_t *notify;
+		chunk_t data;
+		host_t *host;
+		
+		if (payload->get_type(payload) != NOTIFY)
+		{
+			continue;
+		}
+		notify = (notify_payload_t*)payload;
+		switch (notify->get_notify_type(notify))
+		{
+			case MOBIKE_SUPPORTED:
+			{
+				DBG1(DBG_IKE, "peer supports MOBIKE");
+				this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
+				break;
+			}
+			case ADDITIONAL_IP6_ADDRESS:
+			{
+				family = AF_INET6;
+				/* fall through */
+			}
+			case ADDITIONAL_IP4_ADDRESS:
+			{
+				if (first)
+				{	/* an ADDITIONAL_*_ADDRESS means replace, so flush once */
+					flush_additional_addresses(this);
+					first = FALSE;
+				}
+				data = notify->get_notification_data(notify);
+				host = host_create_from_chunk(family, data, 0);
+				DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
+				this->ike_sa->add_additional_address(this->ike_sa, host);
+				break;
+			}
+			case UPDATE_SA_ADDRESSES:
+			{
+				this->roam = TRUE;
+				break;
+			}
+			case NO_ADDITIONAL_ADDRESSES:
+			{
+				flush_additional_addresses(this);
+				break;
+			}
+			case NAT_DETECTION_SOURCE_IP:
+			case NAT_DETECTION_DESTINATION_IP:
+			{
+				/* NAT check in this MOBIKE exchange, create subtask for it */
+				if (this->natd == NULL)
+				{
+					this->natd = ike_natd_create(this->ike_sa, this->initiator);
+				}
+				break;
+			}
+			default:
+				break;
+		}
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
+ */
+static void build_address_list(private_ike_mobike_t *this, message_t *message)
+{
+	iterator_t *iterator;
+	host_t *host, *me;
+	notify_type_t type;
+	bool additional = FALSE;
+
+	me = this->ike_sa->get_my_host(this->ike_sa);
+	iterator = charon->kernel_interface->create_address_iterator(
+												charon->kernel_interface);
+	while (iterator->iterate(iterator, (void**)&host))
+	{
+		if (me->ip_equals(me, host))
+		{	/* "ADDITIONAL" means do not include IKE_SAs host */
+			continue;
+		}
+		switch (host->get_family(host))
+		{
+			case AF_INET:
+				type = ADDITIONAL_IP4_ADDRESS;
+				break;
+			case AF_INET6:
+				type = ADDITIONAL_IP6_ADDRESS;
+				break;
+			default:
+				continue;
+		}
+		message->add_notify(message, FALSE, type, host->get_address(host));
+		additional = TRUE;
+	}
+	if (!additional)
+	{
+		message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * update addresses of associated CHILD_SAs
+ */
+static void update_children(private_ike_mobike_t *this)
+{
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+	
+	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		child_sa->update_hosts(child_sa,
+						this->ike_sa->get_my_host(this->ike_sa), 
+						this->ike_sa->get_other_host(this->ike_sa),
+						this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+	}
+	iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_mobike_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		message->get_payload(message, SECURITY_ASSOCIATION))
+	{
+		message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
+		build_address_list(this, message);
+	}
+	else 
+	{
+		if (this->roam)
+		{
+			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
+		}
+		if (this->address)
+		{
+			build_address_list(this, message);
+		}
+		
+		this->natd = ike_natd_create(this->ike_sa, this->initiator);
+		this->natd->task.build(&this->natd->task, message);
+		update_children(this);
+	}
+	
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_mobike_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		message->get_payload(message, SECURITY_ASSOCIATION))
+	{
+		process_payloads(this, message);
+	}
+	else if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		process_payloads(this, message);
+		if (this->roam)
+		{
+			host_t *me, *other;
+			
+			me = message->get_destination(message);
+			other = message->get_source(message);
+			this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
+			this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
+		}
+		
+		if (this->natd)
+		{
+			this->natd->task.process(&this->natd->task, message);
+		}
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_mobike_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		message->get_payload(message, SECURITY_ASSOCIATION))
+	{
+		if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+		{
+			message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
+			build_address_list(this, message);
+		}
+		return SUCCESS;
+	}
+	else if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		if (this->natd)
+		{
+			this->natd->task.build(&this->natd->task, message);
+		}
+		if (this->roam)
+		{
+			update_children(this);
+		}
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_mobike_t *this, message_t *message)
+{
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		message->get_payload(message, SECURITY_ASSOCIATION))
+	{
+		process_payloads(this, message);
+
+		return SUCCESS;
+	}
+	else if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
+		this->ike_sa->set_pending_updates(this->ike_sa, updates);
+		if (updates > 0)
+		{
+			/* newer update queued, ignore this one */
+			return SUCCESS;
+		}
+		process_payloads(this, message);
+		if (this->natd)
+		{
+			this->natd->task.process(&this->natd->task, message);
+		}
+		if (this->roam)
+		{
+			/* update again, as NAT state may have changed */
+			update_children(this);
+		}
+		return SUCCESS;
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Implementation of ike_mobike_t.roam.
+ */
+static void roam(private_ike_mobike_t *this, bool address)
+{
+	this->roam = TRUE;
+	this->address = address;
+	this->ike_sa->set_pending_updates(this->ike_sa, 
+							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_mobike_t *this)
+{
+	return IKE_MOBIKE;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa)
+{
+	chunk_free(&this->cookie2);
+	this->ike_sa = ike_sa;
+	if (this->natd)
+	{
+		this->natd->task.migrate(&this->natd->task, ike_sa);
+	}
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_mobike_t *this)
+{
+	chunk_free(&this->cookie2);
+	if (this->natd)
+	{
+		this->natd->task.destroy(&this->natd->task);
+	}
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
+{
+	private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t);
+
+	this->public.roam = (void(*)(ike_mobike_t*,bool))roam;
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+	
+	if (initiator)
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	}
+	else
+	{
+		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+	}
+	
+	this->ike_sa = ike_sa;
+	this->initiator = initiator;
+	this->roam = FALSE;
+	this->address = TRUE;
+	this->cookie2 = chunk_empty;
+	this->natd = NULL;
+	
+	return &this->public;
+}
+
diff --git a/src/charon/sa/tasks/ike_mobike.h b/src/charon/sa/tasks/ike_mobike.h
new file mode 100644
index 000000000..db493c459
--- /dev/null
+++ b/src/charon/sa/tasks/ike_mobike.h
@@ -0,0 +1,73 @@
+/**
+ * @file ike_mobike.h
+ * 
+ * @brief Interface ike_mobike_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_MOBIKE_H_
+#define IKE_MOBIKE_H_
+
+typedef struct ike_mobike_t ike_mobike_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief Task of type ike_mobike, detects and handles MOBIKE extension.
+ *
+ * The MOBIKE extension is defined in RFC4555. It allows to update IKE
+ * and IPsec tunnel addresses.
+ * This tasks handles the MOBIKE_SUPPORTED notify exchange to detect MOBIKE
+ * support, allows the exchange of ADDITIONAL_*_ADDRESS to exchange additional
+ * endpoints and handles the UPDATE_SA_ADDRESS notify to finally update 
+ * endpoints.
+ *
+ * @b Constructors:
+ *  - ike_mobike_create()
+ * 
+ * @ingroup tasks
+ */
+struct ike_mobike_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+	
+	/**
+	 * @brief Use the task to roam to other addresses.
+	 *
+	 * @param this			calling object
+	 * @param address		TRUE to include address list update
+	 */
+	void (*roam)(ike_mobike_t *this, bool address);
+};
+
+/**
+ * @brief Create a new ike_mobike task.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @param initiator		TRUE if taks is initiated by us
+ * @return			  	ike_mobike task to handle by the task_manager
+ */
+ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /* IKE_MOBIKE_H_ */
+
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
index 50b5d652b..84a28d024 100644
--- a/src/charon/sa/tasks/ike_natd.c
+++ b/src/charon/sa/tasks/ike_natd.c
@@ -203,14 +203,12 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 	
 	if (this->src_seen && this->dst_seen)
 	{
-		if (!this->dst_matched)
-		{
-			this->ike_sa->enable_natt(this->ike_sa, TRUE);
-		}
-		if (!this->src_matched)
-		{
-			this->ike_sa->enable_natt(this->ike_sa, FALSE);
-		}
+		this->ike_sa->enable_extension(this->ike_sa, EXT_NATT);
+
+		this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
+									!this->dst_matched);
+		this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
+									!this->src_matched);
 	}
 }
 
@@ -220,8 +218,11 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 static status_t process_i(private_ike_natd_t *this, message_t *message)
 {
 	process_payloads(this, message);
-
-	if (this->ike_sa->is_natt_enabled(this->ike_sa))
+			
+	/* if peer supports NAT-T, we switch to port 4500 even
+	 * if no NAT is detected. MOBIKE requires this. */
+	if (message->get_exchange_type(message) == IKE_SA_INIT &&
+		this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))
 	{
 		host_t *me, *other;
 	
@@ -240,33 +241,49 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 static status_t build_i(private_ike_natd_t *this, message_t *message)
 {
 	notify_payload_t *notify;
-	linked_list_t *list;
+	iterator_t *iterator;
 	host_t *host;
 	
-	/* include one notify if our address is defined, all addresses otherwise */
+	/* destination is always set */
+	host = this->ike_sa->get_other_host(this->ike_sa);
+	notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
+	message->add_payload(message, (payload_t*)notify);
+	
+	/* source may be any, we have 3 possibilities to get our source address:
+	 * 1. It is defined in the config => use the one of the IKE_SA
+	 * 2. We do a routing lookup in the kernel interface
+	 * 3. Include all possbile addresses
+	 */
 	host = this->ike_sa->get_my_host(this->ike_sa);
-	if (host->is_anyaddr(host))
+	if (!host->is_anyaddr(host))
+	{	/* 1. */
+		notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+		message->add_payload(message, (payload_t*)notify);
+	}
+	else
 	{
-		/* TODO: we could get the src address from netlink!? */
-		list = charon->kernel_interface->create_address_list(charon->kernel_interface);
-		while (list->remove_first(list, (void**)&host) == SUCCESS)
-		{
+		host = charon->kernel_interface->get_source_addr(
+									charon->kernel_interface,
+									this->ike_sa->get_other_host(this->ike_sa));
+		if (host)
+		{	/* 2. */
+			host->set_port(host, IKEV2_UDP_PORT);
 			notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
-			host->destroy(host);
 			message->add_payload(message, (payload_t*)notify);
+			host->destroy(host);
+		}
+		else
+		{	/* 3. */
+			iterator = charon->kernel_interface->create_address_iterator(
+													charon->kernel_interface);
+			while (iterator->iterate(iterator, (void**)&host))
+			{
+				notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+				message->add_payload(message, (payload_t*)notify);
+			}
+			iterator->destroy(iterator);
 		}
-		list->destroy(list);
-	}
-	else
-	{
-		notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
-		message->add_payload(message, (payload_t*)notify);
 	}
-	
-	host = this->ike_sa->get_other_host(this->ike_sa);
-	notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
-	message->add_payload(message, (payload_t*)notify);
-	
 	return NEED_MORE;
 }
 
@@ -279,7 +296,8 @@ static status_t build_r(private_ike_natd_t *this, message_t *message)
 	host_t *me, *other;
 	
 	/* only add notifies on successfull responses. */
-	if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+	if (message->get_exchange_type(message) == IKE_SA_INIT &&
+		message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
 	{
 		return SUCCESS;
 	}
diff --git a/src/charon/sa/tasks/ike_reauth.c b/src/charon/sa/tasks/ike_reauth.c
new file mode 100644
index 000000000..0e98382a8
--- /dev/null
+++ b/src/charon/sa/tasks/ike_reauth.c
@@ -0,0 +1,175 @@
+/**
+ * @file ike_reauth.c
+ *
+ * @brief Implementation of the ike_reauth task.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_reauth.h"
+
+#include <daemon.h>
+#include <sa/tasks/ike_delete.h>
+
+
+typedef struct private_ike_reauth_t private_ike_reauth_t;
+
+/**
+ * Private members of a ike_reauth_t task.
+ */
+struct private_ike_reauth_t {
+	
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_reauth_t public;
+	
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+	
+	/**
+	 * reused ike_delete task
+	 */
+	ike_delete_t *ike_delete;
+};
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_ike_reauth_t *this, message_t *message)
+{
+	return this->ike_delete->task.build(&this->ike_delete->task, message);
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_reauth_t *this, message_t *message)
+{
+	ike_sa_t *new;
+	host_t *host;
+	iterator_t *iterator;
+	child_sa_t *child_sa;
+	
+	/* process delete response first */
+	this->ike_delete->task.process(&this->ike_delete->task, message);
+	
+	/* reestablish only if we have children */
+	iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
+	if (iterator->get_count(iterator) == 0)
+	{
+		DBG1(DBG_IKE, "unable to reestablish IKE_SA, no CHILD_SA to recreate");
+		iterator->destroy(iterator);
+		return FAILED;
+	}
+	
+	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
+	
+	new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
+	host = this->ike_sa->get_other_host(this->ike_sa);
+	new->set_other_host(new, host->clone(host));
+	host = this->ike_sa->get_my_host(this->ike_sa);
+	new->set_my_host(new, host->clone(host));
+	/* if we already have a virtual IP, we reuse it */
+	host = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+	if (host)
+	{
+		new->set_virtual_ip(new, TRUE, host);
+	}
+	
+	while (iterator->iterate(iterator, (void**)&child_sa))
+	{
+		switch (child_sa->get_state(child_sa))
+		{
+			case CHILD_ROUTED:
+			{
+				/* move routed child directly */
+				iterator->remove(iterator);
+				new->add_child_sa(new, child_sa);
+				break;
+			}
+			default:
+			{
+				/* initiate/queue all child SAs */
+				child_cfg_t *child_cfg = child_sa->get_config(child_sa);
+				child_cfg->get_ref(child_cfg);
+				if (new->initiate(new, child_cfg) == DESTROY_ME)
+				{
+					iterator->destroy(iterator);
+					charon->ike_sa_manager->checkin_and_destroy(
+										charon->ike_sa_manager, new);
+					DBG1(DBG_IKE, "reestablishing IKE_SA failed");
+					return FAILED;
+				}
+				break;
+			}
+		}
+	}
+	iterator->destroy(iterator);
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
+	
+	/* we always return failed to delete the obsolete IKE_SA */
+	return FAILED;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_reauth_t *this)
+{
+	return IKE_REAUTH;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_reauth_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_delete->task.migrate(&this->ike_delete->task, ike_sa);
+	this->ike_sa = ike_sa;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_reauth_t *this)
+{
+	this->ike_delete->task.destroy(&this->ike_delete->task);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa)
+{
+	private_ike_reauth_t *this = malloc_thing(private_ike_reauth_t);
+
+	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+	this->public.task.destroy = (void(*)(task_t*))destroy;
+	this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+	this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+	
+	this->ike_sa = ike_sa;
+	this->ike_delete = ike_delete_create(ike_sa, TRUE);
+	
+	return &this->public;
+}
+
diff --git a/src/charon/sa/tasks/ike_reauth.h b/src/charon/sa/tasks/ike_reauth.h
new file mode 100644
index 000000000..3c872e1e1
--- /dev/null
+++ b/src/charon/sa/tasks/ike_reauth.h
@@ -0,0 +1,59 @@
+/**
+ * @file ike_reauth.h
+ * 
+ * @brief Interface ike_reauth_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_REAUTH_H_
+#define IKE_REAUTH_H_
+
+typedef struct ike_reauth_t ike_reauth_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief Task of type ike_reauth, reestablishes an IKE_SA.
+ *
+ * @b Constructors:
+ *  - ike_reauth_create()
+ * 
+ * @ingroup tasks
+ */
+struct ike_reauth_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * @brief Create a new ike_reauth task.
+ *
+ * This task is initiator only.
+ *
+ * @param ike_sa		IKE_SA this task works for
+ * @return				ike_reauth task to handle by the task_manager
+ */
+ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa);
+
+#endif /* IKE_REAUTH_H_ */
+
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index d54fc3524..827f95156 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -170,8 +170,9 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 	{
 		case FAILED:
 			/* rekeying failed, fallback to old SA */
-			if (!(this->collision &&
-				this->collision->get_type(this->collision) == IKE_DELETE))
+			if (!(this->collision && (
+				this->collision->get_type(this->collision) == IKE_DELETE ||
+				this->collision->get_type(this->collision) == IKE_REAUTH)))
 			{
 				job_t *job;
 				u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
@@ -180,7 +181,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 				DBG1(DBG_IKE, "IKE_SA rekeying failed, "
 					 					"trying again in %d seconds", retry);
 				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-				charon->event_queue->add_relative(charon->event_queue, job, retry * 1000);
+				charon->scheduler->schedule_job(charon->scheduler, job, retry * 1000);
 			}
 			return SUCCESS;
 		case NEED_MORE:
@@ -231,7 +232,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 	}
 	
 	job = (job_t*)delete_ike_sa_job_create(to_delete, TRUE);
-	charon->job_queue->add(charon->job_queue, job);	
+	charon->processor->queue_job(charon->processor, job);	
 	
 	return SUCCESS;
 }
diff --git a/src/charon/sa/tasks/task.c b/src/charon/sa/tasks/task.c
index 68d8ebf0c..713403d47 100644
--- a/src/charon/sa/tasks/task.c
+++ b/src/charon/sa/tasks/task.c
@@ -25,14 +25,16 @@
 ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
 	"IKE_INIT",
 	"IKE_NATD",
+	"IKE_MOBIKE",
 	"IKE_AUTHENTICATE",
 	"IKE_CERT",
 	"IKE_CONFIG",
-	"IKE_DPD",
 	"IKE_REKEY",
+	"IKE_REAUTH",
 	"IKE_DELETE",
-	"IKE_DEADPEER",
+	"IKE_DPD",
 	"CHILD_CREATE",
 	"CHILD_DELETE",
 	"CHILD_REKEY",
 );
+
diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h
index 128d7db4a..ff60ea816 100644
--- a/src/charon/sa/tasks/task.h
+++ b/src/charon/sa/tasks/task.h
@@ -40,16 +40,18 @@ enum task_type_t {
 	IKE_INIT,
 	/** detect NAT situation */
 	IKE_NATD,
+	/** handle MOBIKE stuff */
+	IKE_MOBIKE,
 	/** authenticate the initiated IKE_SA */
 	IKE_AUTHENTICATE,
 	/** exchange certificates and requests */
 	IKE_CERT,
 	/** Configuration payloads, virtual IP and such */
 	IKE_CONFIG,
-	/** DPD detection */
-	IKE_DEADPEER,
 	/** rekey an IKE_SA */
 	IKE_REKEY,
+	/** reestablish a complete IKE_SA */
+	IKE_REAUTH,
 	/** delete an IKE_SA */
 	IKE_DELETE,
 	/** liveness check */
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 68477343f..7fb9ccb22 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -105,6 +105,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 3a12ba5b9..decd32b88 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -113,6 +113,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in
index 067d24784..e4cedd09a 100755
--- a/src/ipsec/ipsec.in
+++ b/src/ipsec/ipsec.in
@@ -36,8 +36,7 @@ IPSEC_STARTER="${IPSEC_DIR}/starter"
 
 export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_PLUTO_PID IPSEC_CHARON_PID
 
-IPSEC_DISTRO="Institute for Internet Technologies and Applications\n
-              University of Applied Sciences Rapperswil, Switzerland"
+IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
 
 case "$1" in
 '')
@@ -82,10 +81,6 @@ case "$1" in
 	echo "$IPSEC_VERSION"
 	exit 0
 	;;
---copyright)
-	set _copyright
-	# and fall through, invoking "ipsec _copyright"
-	;;
 --directory)
 	echo "$IPSEC_DIR"
 	exit 0
@@ -94,6 +89,10 @@ case "$1" in
 	echo "$IPSEC_CONFDIR"
 	exit 0
 	;;
+copyright|--copyright)
+	set _copyright
+	# and fall through, invoking "ipsec _copyright"
+	;;
 down)
 	shift
 	if [ "$#" -ne 1 ]
@@ -266,8 +265,8 @@ update)
 	;;
 version|--version)
 	echo "Linux $IPSEC_NAME $IPSEC_VERSION"
+	echo -e $IPSEC_DISTRO
 	echo "See \`ipsec --copyright' for copyright information."
-	echo $IPSEC_DISTRO
 	exit 0
 	;;
 --*)
diff --git a/src/libcrypto/Makefile.in b/src/libcrypto/Makefile.in
index dca1b18e7..f46022521 100644
--- a/src/libcrypto/Makefile.in
+++ b/src/libcrypto/Makefile.in
@@ -131,6 +131,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index fa57d5aab..9cb648d9d 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -144,6 +144,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/libfreeswan/copyright.c b/src/libfreeswan/copyright.c
index 0e836f6c2..8796751fe 100644
--- a/src/libfreeswan/copyright.c
+++ b/src/libfreeswan/copyright.c
@@ -18,12 +18,12 @@
 #include "freeswan.h"
 
 static const char *co[] = {
- "Copyright (C) 1999-2005  Henry Spencer, Richard Guy Briggs,",
+ "Copyright (C) 1999-2007  Henry Spencer, Richard Guy Briggs,",
  "    D. Hugh Redelmeier, Sandy Harris, Claudia Schmeing,",
  "    Michael Richardson, Angelos D. Keromytis, John Ioannidis,",
  "",
  "    Ken Bantoft, Stephen J. Bevan, JuanJo Ciarlante, Mathieu Lafon,",
- "    Stephane Laroche, Kai Martius, Tuomo Soini, Herbert Xu,",
+ "    Stephane Laroche, Kai Martius, Stephan Scholz, Tuomo Soini, Herbert Xu,",
  "",
  "    Andreas Steffen, Martin Berner, Marco Bertossa, David Buechi,",
  "    Ueli Galizzi, Christoph Gysin, Andreas Hess, Patric Lichtsteiner,",
@@ -31,7 +31,8 @@ static const char *co[] = {
  "    Mario Strasser, Lukas Suter, Roger Wegmann, Simon Zwahlen,",
  "    Zuercher Hochschule Winterthur (Switzerland).",
  "",
- "    Jan Hutter, Martin Willi, Andreas Steffen,",
+ "    Tobias Brunner, Fabian Hartmann, Noah Heusser, Jan Hutter,",
+ "    Daniel Röthlisberger, Martin Willi, Andreas Steffen,",
  "    Hochschule fuer Technik Rapperswil (Switzerland).",
  "",
  "This program is free software; you can redistribute it and/or modify it",
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 015308449..f1144144e 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -144,6 +144,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 48df1b7c4..6b16d5a64 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -62,137 +62,142 @@ const oid_t oid_names[] = {
   {    0x25,                  50, 0, "extendedKeyUsage"       },  /*  49 */
   {    0x37,                  51, 0, "targetInformation"      },  /*  50 */
   {    0x38,                   0, 0, "noRevAvail"             },  /*  51 */
-  {0x2A,                      89, 1, ""                       },  /*  52 */
+  {0x2A,                      94, 1, ""                       },  /*  52 */
   {  0x86,                     0, 1, ""                       },  /*  53 */
   {    0x48,                   0, 1, ""                       },  /*  54 */
   {      0x86,                 0, 1, ""                       },  /*  55 */
-  {        0xF7,               0, 1, ""                       },  /*  56 */
-  {          0x0D,             0, 1, "RSADSI"                 },  /*  57 */
-  {            0x01,          84, 1, "PKCS"                   },  /*  58 */
-  {              0x01,        67, 1, "PKCS-1"                 },  /*  59 */
-  {                0x01,      61, 0, "rsaEncryption"          },  /*  60 */
-  {                0x02,      62, 0, "md2WithRSAEncryption"   },  /*  61 */
-  {                0x04,      63, 0, "md5WithRSAEncryption"   },  /*  62 */
-  {                0x05,      64, 0, "sha-1WithRSAEncryption" },  /*  63 */
-  {                0x0B,      65, 0, "sha256WithRSAEncryption"},  /*  64 */
-  {                0x0C,      66, 0, "sha384WithRSAEncryption"},  /*  65 */
-  {                0x0D,       0, 0, "sha512WithRSAEncryption"},  /*  66 */
-  {              0x07,        74, 1, "PKCS-7"                 },  /*  67 */
-  {                0x01,      69, 0, "data"                   },  /*  68 */
-  {                0x02,      70, 0, "signedData"             },  /*  69 */
-  {                0x03,      71, 0, "envelopedData"          },  /*  70 */
-  {                0x04,      72, 0, "signedAndEnvelopedData" },  /*  71 */
-  {                0x05,      73, 0, "digestedData"           },  /*  72 */
-  {                0x06,       0, 0, "encryptedData"          },  /*  73 */
-  {              0x09,         0, 1, "PKCS-9"                 },  /*  74 */
-  {                0x01,      76, 0, "E"                      },  /*  75 */
-  {                0x02,      77, 0, "unstructuredName"       },  /*  76 */
-  {                0x03,      78, 0, "contentType"            },  /*  77 */
-  {                0x04,      79, 0, "messageDigest"          },  /*  78 */
-  {                0x05,      80, 0, "signingTime"            },  /*  79 */
-  {                0x06,      81, 0, "counterSignature"       },  /*  80 */
-  {                0x07,      82, 0, "challengePassword"      },  /*  81 */
-  {                0x08,      83, 0, "unstructuredAddress"    },  /*  82 */
-  {                0x0E,       0, 0, "extensionRequest"       },  /*  83 */
-  {            0x02,          87, 1, "digestAlgorithm"        },  /*  84 */
-  {              0x02,        86, 0, "md2"                    },  /*  85 */
-  {              0x05,         0, 0, "md5"                    },  /*  86 */
-  {            0x03,           0, 1, "encryptionAlgorithm"    },  /*  87 */
-  {              0x07,         0, 0, "3des-ede-cbc"           },  /*  88 */
-  {0x2B,                     150, 1, ""                       },  /*  89 */
-  {  0x06,                   137, 1, "dod"                    },  /*  90 */
-  {    0x01,                   0, 1, "internet"               },  /*  91 */
-  {      0x04,               106, 1, "private"                },  /*  92 */
-  {        0x01,               0, 1, "enterprise"             },  /*  93 */
-  {          0x82,            99, 1, ""                       },  /*  94 */
-  {            0x37,           0, 1, "Microsoft"              },  /*  95 */
-  {              0x0A,         0, 1, ""                       },  /*  96 */
-  {                0x03,       0, 1, ""                       },  /*  97 */
-  {                  0x03,     0, 0, "msSGC"                  },  /*  98 */
-  {          0x89,             0, 1, ""                       },  /*  99 */
-  {            0x31,           0, 1, ""                       },  /* 100 */
-  {              0x01,         0, 1, ""                       },  /* 101 */
-  {                0x01,       0, 1, ""                       },  /* 102 */
-  {                  0x02,     0, 1, ""                       },  /* 103 */
-  {                    0x02, 105, 0, ""                       },  /* 104 */
-  {                    0x4B,   0, 0, "TCGID"                  },  /* 105 */
-  {      0x05,                 0, 1, "security"               },  /* 106 */
-  {        0x05,               0, 1, "mechanisms"             },  /* 107 */
-  {          0x07,             0, 1, "id-pkix"                },  /* 108 */
-  {            0x01,         111, 1, "id-pe"                  },  /* 109 */
-  {              0x01,         0, 0, "authorityInfoAccess"    },  /* 110 */
-  {            0x03,         121, 1, "id-kp"                  },  /* 111 */
-  {              0x01,       113, 0, "serverAuth"             },  /* 112 */
-  {              0x02,       114, 0, "clientAuth"             },  /* 113 */
-  {              0x03,       115, 0, "codeSigning"            },  /* 114 */
-  {              0x04,       116, 0, "emailProtection"        },  /* 115 */
-  {              0x05,       117, 0, "ipsecEndSystem"         },  /* 116 */
-  {              0x06,       118, 0, "ipsecTunnel"            },  /* 117 */
-  {              0x07,       119, 0, "ipsecUser"              },  /* 118 */
-  {              0x08,       120, 0, "timeStamping"           },  /* 119 */
-  {              0x09,         0, 0, "ocspSigning"            },  /* 120 */
-  {            0x08,         123, 1, "id-otherNames"          },  /* 121 */
-  {              0x05,         0, 0, "xmppAddr"               },  /* 122 */
-  {            0x0A,         128, 1, "id-aca"                 },  /* 123 */
-  {              0x01,       125, 0, "authenticationInfo"     },  /* 124 */
-  {              0x02,       126, 0, "accessIdentity"         },  /* 125 */
-  {              0x03,       127, 0, "chargingIdentity"       },  /* 126 */
-  {              0x04,         0, 0, "group"                  },  /* 127 */
-  {            0x30,           0, 1, "id-ad"                  },  /* 128 */
-  {              0x01,         0, 1, "ocsp"                   },  /* 129 */
-  {                0x01,     131, 0, "basic"                  },  /* 130 */
-  {                0x02,     132, 0, "nonce"                  },  /* 131 */
-  {                0x03,     133, 0, "crl"                    },  /* 132 */
-  {                0x04,     134, 0, "response"               },  /* 133 */
-  {                0x05,     135, 0, "noCheck"                },  /* 134 */
-  {                0x06,     136, 0, "archiveCutoff"          },  /* 135 */
-  {                0x07,       0, 0, "serviceLocator"         },  /* 136 */
-  {  0x0E,                   143, 1, "oiw"                    },  /* 137 */
-  {    0x03,                   0, 1, "secsig"                 },  /* 138 */
-  {      0x02,                 0, 1, "algorithms"             },  /* 139 */
-  {        0x07,             141, 0, "des-cbc"                },  /* 140 */
-  {        0x1A,             142, 0, "sha-1"                  },  /* 141 */
-  {        0x1D,               0, 0, "sha-1WithRSASignature"  },  /* 142 */
-  {  0x24,                     0, 1, "TeleTrusT"              },  /* 143 */
-  {    0x03,                   0, 1, "algorithm"              },  /* 144 */
-  {      0x03,                 0, 1, "signatureAlgorithm"     },  /* 145 */
-  {        0x01,               0, 1, "rsaSignature"           },  /* 146 */
-  {          0x02,           148, 0, "rsaSigWithripemd160"    },  /* 147 */
-  {          0x03,           149, 0, "rsaSigWithripemd128"    },  /* 148 */
-  {          0x04,             0, 0, "rsaSigWithripemd256"    },  /* 149 */
-  {0x60,                       0, 1, ""                       },  /* 150 */
-  {  0x86,                     0, 1, ""                       },  /* 151 */
-  {    0x48,                   0, 1, ""                       },  /* 152 */
-  {      0x01,                 0, 1, "organization"           },  /* 153 */
-  {        0x65,             161, 1, "gov"                    },  /* 154 */
-  {          0x03,             0, 1, "csor"                   },  /* 155 */
-  {            0x04,           0, 1, "nistalgorithm"          },  /* 156 */
-  {              0x02,         0, 1, "hashalgs"               },  /* 157 */
-  {                0x01,     159, 0, "id-SHA-256"             },  /* 158 */
-  {                0x02,     160, 0, "id-SHA-384"             },  /* 159 */
-  {                0x03,       0, 0, "id-SHA-512"             },  /* 160 */
-  {        0x86,               0, 1, ""                       },  /* 161 */
-  {          0xf8,             0, 1, ""                       },  /* 162 */
-  {            0x42,         175, 1, "netscape"               },  /* 163 */
-  {              0x01,       170, 1, ""                       },  /* 164 */
-  {                0x01,     166, 0, "nsCertType"             },  /* 165 */
-  {                0x03,     167, 0, "nsRevocationUrl"        },  /* 166 */
-  {                0x04,     168, 0, "nsCaRevocationUrl"      },  /* 167 */
-  {                0x08,     169, 0, "nsCaPolicyUrl"          },  /* 168 */
-  {                0x0d,       0, 0, "nsComment"              },  /* 169 */
-  {              0x03,       173, 1, "directory"              },  /* 170 */
-  {                0x01,       0, 1, ""                       },  /* 171 */
-  {                  0x03,     0, 0, "employeeNumber"         },  /* 172 */
-  {              0x04,         0, 1, "policy"                 },  /* 173 */
-  {                0x01,       0, 0, "nsSGC"                  },  /* 174 */
-  {            0x45,           0, 1, "verisign"               },  /* 175 */
-  {              0x01,         0, 1, "pki"                    },  /* 176 */
-  {                0x09,       0, 1, "attributes"             },  /* 177 */
-  {                  0x02,   179, 0, "messageType"            },  /* 178 */
-  {                  0x03,   180, 0, "pkiStatus"              },  /* 179 */
-  {                  0x04,   181, 0, "failInfo"               },  /* 180 */
-  {                  0x05,   182, 0, "senderNonce"            },  /* 181 */
-  {                  0x06,   183, 0, "recipientNonce"         },  /* 182 */
-  {                  0x07,   184, 0, "transID"                },  /* 183 */
-  {                  0x08,     0, 0, "extensionReq"           }   /* 184 */
+  {        0xF6,              61, 1, ""                       },  /*  56 */
+  {          0x7D,             0, 1, "NortelNetworks"         },  /*  57 */
+  {            0x07,           0, 1, "Entrust"                },  /*  58 */
+  {              0x41,         0, 1, "nsn-ce"                 },  /*  59 */
+  {                0x00,       0, 0, "entrustVersInfo"        },  /*  60 */
+  {        0xF7,               0, 1, ""                       },  /*  61 */
+  {          0x0D,             0, 1, "RSADSI"                 },  /*  62 */
+  {            0x01,          89, 1, "PKCS"                   },  /*  63 */
+  {              0x01,        72, 1, "PKCS-1"                 },  /*  64 */
+  {                0x01,      66, 0, "rsaEncryption"          },  /*  65 */
+  {                0x02,      67, 0, "md2WithRSAEncryption"   },  /*  66 */
+  {                0x04,      68, 0, "md5WithRSAEncryption"   },  /*  67 */
+  {                0x05,      69, 0, "sha-1WithRSAEncryption" },  /*  68 */
+  {                0x0B,      70, 0, "sha256WithRSAEncryption"},  /*  69 */
+  {                0x0C,      71, 0, "sha384WithRSAEncryption"},  /*  70 */
+  {                0x0D,       0, 0, "sha512WithRSAEncryption"},  /*  71 */
+  {              0x07,        79, 1, "PKCS-7"                 },  /*  72 */
+  {                0x01,      74, 0, "data"                   },  /*  73 */
+  {                0x02,      75, 0, "signedData"             },  /*  74 */
+  {                0x03,      76, 0, "envelopedData"          },  /*  75 */
+  {                0x04,      77, 0, "signedAndEnvelopedData" },  /*  76 */
+  {                0x05,      78, 0, "digestedData"           },  /*  77 */
+  {                0x06,       0, 0, "encryptedData"          },  /*  78 */
+  {              0x09,         0, 1, "PKCS-9"                 },  /*  79 */
+  {                0x01,      81, 0, "E"                      },  /*  80 */
+  {                0x02,      82, 0, "unstructuredName"       },  /*  81 */
+  {                0x03,      83, 0, "contentType"            },  /*  82 */
+  {                0x04,      84, 0, "messageDigest"          },  /*  83 */
+  {                0x05,      85, 0, "signingTime"            },  /*  84 */
+  {                0x06,      86, 0, "counterSignature"       },  /*  85 */
+  {                0x07,      87, 0, "challengePassword"      },  /*  86 */
+  {                0x08,      88, 0, "unstructuredAddress"    },  /*  87 */
+  {                0x0E,       0, 0, "extensionRequest"       },  /*  88 */
+  {            0x02,          92, 1, "digestAlgorithm"        },  /*  89 */
+  {              0x02,        91, 0, "md2"                    },  /*  90 */
+  {              0x05,         0, 0, "md5"                    },  /*  91 */
+  {            0x03,           0, 1, "encryptionAlgorithm"    },  /*  92 */
+  {              0x07,         0, 0, "3des-ede-cbc"           },  /*  93 */
+  {0x2B,                     155, 1, ""                       },  /*  94 */
+  {  0x06,                   142, 1, "dod"                    },  /*  95 */
+  {    0x01,                   0, 1, "internet"               },  /*  96 */
+  {      0x04,               111, 1, "private"                },  /*  97 */
+  {        0x01,               0, 1, "enterprise"             },  /*  98 */
+  {          0x82,           104, 1, ""                       },  /*  99 */
+  {            0x37,           0, 1, "Microsoft"              },  /* 100 */
+  {              0x0A,         0, 1, ""                       },  /* 101 */
+  {                0x03,       0, 1, ""                       },  /* 102 */
+  {                  0x03,     0, 0, "msSGC"                  },  /* 103 */
+  {          0x89,             0, 1, ""                       },  /* 104 */
+  {            0x31,           0, 1, ""                       },  /* 105 */
+  {              0x01,         0, 1, ""                       },  /* 106 */
+  {                0x01,       0, 1, ""                       },  /* 107 */
+  {                  0x02,     0, 1, ""                       },  /* 108 */
+  {                    0x02, 110, 0, ""                       },  /* 109 */
+  {                    0x4B,   0, 0, "TCGID"                  },  /* 110 */
+  {      0x05,                 0, 1, "security"               },  /* 111 */
+  {        0x05,               0, 1, "mechanisms"             },  /* 112 */
+  {          0x07,             0, 1, "id-pkix"                },  /* 113 */
+  {            0x01,         116, 1, "id-pe"                  },  /* 114 */
+  {              0x01,         0, 0, "authorityInfoAccess"    },  /* 115 */
+  {            0x03,         126, 1, "id-kp"                  },  /* 116 */
+  {              0x01,       118, 0, "serverAuth"             },  /* 117 */
+  {              0x02,       119, 0, "clientAuth"             },  /* 118 */
+  {              0x03,       120, 0, "codeSigning"            },  /* 119 */
+  {              0x04,       121, 0, "emailProtection"        },  /* 120 */
+  {              0x05,       122, 0, "ipsecEndSystem"         },  /* 121 */
+  {              0x06,       123, 0, "ipsecTunnel"            },  /* 122 */
+  {              0x07,       124, 0, "ipsecUser"              },  /* 123 */
+  {              0x08,       125, 0, "timeStamping"           },  /* 124 */
+  {              0x09,         0, 0, "ocspSigning"            },  /* 125 */
+  {            0x08,         128, 1, "id-otherNames"          },  /* 126 */
+  {              0x05,         0, 0, "xmppAddr"               },  /* 127 */
+  {            0x0A,         133, 1, "id-aca"                 },  /* 128 */
+  {              0x01,       130, 0, "authenticationInfo"     },  /* 129 */
+  {              0x02,       131, 0, "accessIdentity"         },  /* 130 */
+  {              0x03,       132, 0, "chargingIdentity"       },  /* 131 */
+  {              0x04,         0, 0, "group"                  },  /* 132 */
+  {            0x30,           0, 1, "id-ad"                  },  /* 133 */
+  {              0x01,         0, 1, "ocsp"                   },  /* 134 */
+  {                0x01,     136, 0, "basic"                  },  /* 135 */
+  {                0x02,     137, 0, "nonce"                  },  /* 136 */
+  {                0x03,     138, 0, "crl"                    },  /* 137 */
+  {                0x04,     139, 0, "response"               },  /* 138 */
+  {                0x05,     140, 0, "noCheck"                },  /* 139 */
+  {                0x06,     141, 0, "archiveCutoff"          },  /* 140 */
+  {                0x07,       0, 0, "serviceLocator"         },  /* 141 */
+  {  0x0E,                   148, 1, "oiw"                    },  /* 142 */
+  {    0x03,                   0, 1, "secsig"                 },  /* 143 */
+  {      0x02,                 0, 1, "algorithms"             },  /* 144 */
+  {        0x07,             146, 0, "des-cbc"                },  /* 145 */
+  {        0x1A,             147, 0, "sha-1"                  },  /* 146 */
+  {        0x1D,               0, 0, "sha-1WithRSASignature"  },  /* 147 */
+  {  0x24,                     0, 1, "TeleTrusT"              },  /* 148 */
+  {    0x03,                   0, 1, "algorithm"              },  /* 149 */
+  {      0x03,                 0, 1, "signatureAlgorithm"     },  /* 150 */
+  {        0x01,               0, 1, "rsaSignature"           },  /* 151 */
+  {          0x02,           153, 0, "rsaSigWithripemd160"    },  /* 152 */
+  {          0x03,           154, 0, "rsaSigWithripemd128"    },  /* 153 */
+  {          0x04,             0, 0, "rsaSigWithripemd256"    },  /* 154 */
+  {0x60,                       0, 1, ""                       },  /* 155 */
+  {  0x86,                     0, 1, ""                       },  /* 156 */
+  {    0x48,                   0, 1, ""                       },  /* 157 */
+  {      0x01,                 0, 1, "organization"           },  /* 158 */
+  {        0x65,             166, 1, "gov"                    },  /* 159 */
+  {          0x03,             0, 1, "csor"                   },  /* 160 */
+  {            0x04,           0, 1, "nistalgorithm"          },  /* 161 */
+  {              0x02,         0, 1, "hashalgs"               },  /* 162 */
+  {                0x01,     164, 0, "id-SHA-256"             },  /* 163 */
+  {                0x02,     165, 0, "id-SHA-384"             },  /* 164 */
+  {                0x03,       0, 0, "id-SHA-512"             },  /* 165 */
+  {        0x86,               0, 1, ""                       },  /* 166 */
+  {          0xf8,             0, 1, ""                       },  /* 167 */
+  {            0x42,         180, 1, "netscape"               },  /* 168 */
+  {              0x01,       175, 1, ""                       },  /* 169 */
+  {                0x01,     171, 0, "nsCertType"             },  /* 170 */
+  {                0x03,     172, 0, "nsRevocationUrl"        },  /* 171 */
+  {                0x04,     173, 0, "nsCaRevocationUrl"      },  /* 172 */
+  {                0x08,     174, 0, "nsCaPolicyUrl"          },  /* 173 */
+  {                0x0d,       0, 0, "nsComment"              },  /* 174 */
+  {              0x03,       178, 1, "directory"              },  /* 175 */
+  {                0x01,       0, 1, ""                       },  /* 176 */
+  {                  0x03,     0, 0, "employeeNumber"         },  /* 177 */
+  {              0x04,         0, 1, "policy"                 },  /* 178 */
+  {                0x01,       0, 0, "nsSGC"                  },  /* 179 */
+  {            0x45,           0, 1, "verisign"               },  /* 180 */
+  {              0x01,         0, 1, "pki"                    },  /* 181 */
+  {                0x09,       0, 1, "attributes"             },  /* 182 */
+  {                  0x02,   184, 0, "messageType"            },  /* 183 */
+  {                  0x03,   185, 0, "pkiStatus"              },  /* 184 */
+  {                  0x04,   186, 0, "failInfo"               },  /* 185 */
+  {                  0x05,   187, 0, "senderNonce"            },  /* 186 */
+  {                  0x06,   188, 0, "recipientNonce"         },  /* 187 */
+  {                  0x07,   189, 0, "transID"                },  /* 188 */
+  {                  0x08,     0, 0, "extensionReq"           }   /* 189 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 49260c9f4..a29b1f0a1 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -29,56 +29,56 @@ extern const oid_t oid_names[];
 #define OID_EXTENDED_KEY_USAGE				49
 #define OID_TARGET_INFORMATION				50
 #define OID_NO_REV_AVAIL					51
-#define OID_RSA_ENCRYPTION					60
-#define OID_MD2_WITH_RSA					61
-#define OID_MD5_WITH_RSA					62
-#define OID_SHA1_WITH_RSA					63
-#define OID_SHA256_WITH_RSA					64
-#define OID_SHA384_WITH_RSA					65
-#define OID_SHA512_WITH_RSA					66
-#define OID_PKCS7_DATA						68
-#define OID_PKCS7_SIGNED_DATA				69
-#define OID_PKCS7_ENVELOPED_DATA			70
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA		71
-#define OID_PKCS7_DIGESTED_DATA				72
-#define OID_PKCS7_ENCRYPTED_DATA			73
-#define OID_PKCS9_EMAIL						75
-#define OID_PKCS9_CONTENT_TYPE				77
-#define OID_PKCS9_MESSAGE_DIGEST			78
-#define OID_PKCS9_SIGNING_TIME				79
-#define OID_MD2								85
-#define OID_MD5								86
-#define OID_3DES_EDE_CBC					88
-#define OID_AUTHORITY_INFO_ACCESS			110
-#define OID_OCSP_SIGNING					120
-#define OID_XMPP_ADDR						122
-#define OID_AUTHENTICATION_INFO				124
-#define OID_ACCESS_IDENTITY					125
-#define OID_CHARGING_IDENTITY				126
-#define OID_GROUP							127
-#define OID_OCSP							129
-#define OID_BASIC							130
-#define OID_NONCE							131
-#define OID_CRL								132
-#define OID_RESPONSE						133
-#define OID_NO_CHECK						134
-#define OID_ARCHIVE_CUTOFF					135
-#define OID_SERVICE_LOCATOR					136
-#define OID_DES_CBC							140
-#define OID_SHA1							141
-#define OID_SHA1_WITH_RSA_OIW				142
-#define OID_SHA256							158
-#define OID_SHA384							159
-#define OID_SHA512							160
-#define OID_NS_REVOCATION_URL				166
-#define OID_NS_CA_REVOCATION_URL			167
-#define OID_NS_CA_POLICY_URL				168
-#define OID_NS_COMMENT						169
-#define OID_PKI_MESSAGE_TYPE				178
-#define OID_PKI_STATUS						179
-#define OID_PKI_FAIL_INFO					180
-#define OID_PKI_SENDER_NONCE				181
-#define OID_PKI_RECIPIENT_NONCE				182
-#define OID_PKI_TRANS_ID					183
+#define OID_RSA_ENCRYPTION					65
+#define OID_MD2_WITH_RSA					66
+#define OID_MD5_WITH_RSA					67
+#define OID_SHA1_WITH_RSA					68
+#define OID_SHA256_WITH_RSA					69
+#define OID_SHA384_WITH_RSA					70
+#define OID_SHA512_WITH_RSA					71
+#define OID_PKCS7_DATA						73
+#define OID_PKCS7_SIGNED_DATA				74
+#define OID_PKCS7_ENVELOPED_DATA			75
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA		76
+#define OID_PKCS7_DIGESTED_DATA				77
+#define OID_PKCS7_ENCRYPTED_DATA			78
+#define OID_PKCS9_EMAIL						80
+#define OID_PKCS9_CONTENT_TYPE				82
+#define OID_PKCS9_MESSAGE_DIGEST			83
+#define OID_PKCS9_SIGNING_TIME				84
+#define OID_MD2								90
+#define OID_MD5								91
+#define OID_3DES_EDE_CBC					93
+#define OID_AUTHORITY_INFO_ACCESS			115
+#define OID_OCSP_SIGNING					125
+#define OID_XMPP_ADDR						127
+#define OID_AUTHENTICATION_INFO				129
+#define OID_ACCESS_IDENTITY					130
+#define OID_CHARGING_IDENTITY				131
+#define OID_GROUP							132
+#define OID_OCSP							134
+#define OID_BASIC							135
+#define OID_NONCE							136
+#define OID_CRL								137
+#define OID_RESPONSE						138
+#define OID_NO_CHECK						139
+#define OID_ARCHIVE_CUTOFF					140
+#define OID_SERVICE_LOCATOR					141
+#define OID_DES_CBC							145
+#define OID_SHA1							146
+#define OID_SHA1_WITH_RSA_OIW				147
+#define OID_SHA256							163
+#define OID_SHA384							164
+#define OID_SHA512							165
+#define OID_NS_REVOCATION_URL				171
+#define OID_NS_CA_REVOCATION_URL			172
+#define OID_NS_CA_POLICY_URL				173
+#define OID_NS_COMMENT						174
+#define OID_PKI_MESSAGE_TYPE				183
+#define OID_PKI_STATUS						184
+#define OID_PKI_FAIL_INFO					185
+#define OID_PKI_SENDER_NONCE				186
+#define OID_PKI_RECIPIENT_NONCE				187
+#define OID_PKI_TRANS_ID					188
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 2b3c96ae3..bd5a26e43 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -54,6 +54,11 @@
   0x86                       ""
     0x48                     ""
       0x86                   ""
+        0xF6                 ""
+          0x7D               "NortelNetworks"
+            0x07             "Entrust"
+              0x41           "nsn-ce"
+                0x00         "entrustVersInfo"
         0xF7                 ""
           0x0D               "RSADSI"
             0x01             "PKCS"
diff --git a/src/libstrongswan/asn1/pem.c b/src/libstrongswan/asn1/pem.c
index e88db249d..641805869 100755
--- a/src/libstrongswan/asn1/pem.c
+++ b/src/libstrongswan/asn1/pem.c
@@ -117,8 +117,10 @@ static err_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_s
 	crypter->set_key(crypter, key);
 	if (crypter->decrypt(crypter, *blob, *iv, &decrypted) != SUCCESS)
 	{
+		crypter->destroy(crypter);
 		return "data size is not multiple of block size";
 	}
+	crypter->destroy(crypter);
 	memcpy(blob->ptr, decrypted.ptr, blob->len);
 	chunk_free(&decrypted);
 	
diff --git a/src/libstrongswan/crypto/ca.c b/src/libstrongswan/crypto/ca.c
index 07413e805..a78590954 100644
--- a/src/libstrongswan/crypto/ca.c
+++ b/src/libstrongswan/crypto/ca.c
@@ -345,7 +345,7 @@ static void add_crluri(private_ca_info_t *this, chunk_t uri)
 		strncasecmp(uri.ptr, "file", 4) != 0  &&
 		strncasecmp(uri.ptr, "ftp",  3) != 0))
 	{
-		DBG1("  invalid crl uri '%#B'", uri);
+		DBG1("  invalid crl uri '%.*s'", uri.len, uri.ptr);
 		return;
 	}
 	else
@@ -399,7 +399,10 @@ void add_info (private_ca_info_t *this, const private_ca_info_t *that)
 
 		while (iterator->iterate(iterator, (void**)&uri))
 		{
-			add_crluri(this, uri->get_encoding(uri));
+			if (uri->get_type(uri) == ID_DER_ASN1_GN_URI)
+			{
+				add_crluri(this, uri->get_encoding(uri));
+			}
 		}
 		iterator->destroy(iterator);
 	}
@@ -411,7 +414,10 @@ void add_info (private_ca_info_t *this, const private_ca_info_t *that)
 
 		while (iterator->iterate(iterator, (void**)&uri))
 		{
-			add_ocspuri(this, uri->get_encoding(uri));
+			if (uri->get_type(uri) == ID_DER_ASN1_GN_URI)
+			{
+				add_ocspuri(this, uri->get_encoding(uri));
+			}
 		}
 		iterator->destroy(iterator);
 	}
diff --git a/src/libstrongswan/crypto/crypters/des_crypter.c b/src/libstrongswan/crypto/crypters/des_crypter.c
index dc5a8ff55..655cc03ce 100644
--- a/src/libstrongswan/crypto/crypters/des_crypter.c
+++ b/src/libstrongswan/crypto/crypters/des_crypter.c
@@ -871,14 +871,15 @@ static int des_set_key(des_cblock *key, des_key_schedule *schedule)
 	register unsigned char *in;
 	register DES_LONG *k;
 	register int i;
+	des_cblock odd;
 
 	for (i = 0; i < sizeof(des_cblock); i++)
 	{
-		(*key)[i] = odd_parity[(*key)[i]];
+		odd[i] = odd_parity[(*key)[i]];
 	}
 
 	k=(DES_LONG *)schedule;
-	in=(unsigned char *)key;
+	in=(unsigned char *)&odd;
 
 	c2l(in,c);
 	c2l(in,d);
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 673cbb828..ba0a76893 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -759,6 +759,24 @@ static bool equals_dn(private_identification_t *this,
 }
 
 /**
+ * Special implementation of identification_t.equals for RFC822 and FQDN.
+ */
+static bool equals_strcasecmp(private_identification_t *this,
+							  private_identification_t *other)
+{
+	/* we do some extra sanity checks to check for invalid IDs with a 
+	 * terminating null in it. */
+	if (this->encoded.len == other->encoded.len &&
+		memchr(this->encoded.ptr, 0, this->encoded.len) == NULL &&
+		memchr(other->encoded.ptr, 0, other->encoded.len) == NULL &&
+		strncasecmp(this->encoded.ptr, other->encoded.ptr, this->encoded.len) == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
  * Default implementation of identification_t.matches.
  */
 static bool matches_binary(private_identification_t *this, 
@@ -1094,6 +1112,8 @@ identification_t *identification_create_from_string(char *string)
 				this->encoded.len = strlen(string + 1);
 				this->public.matches = (bool (*) 
 						(identification_t*,identification_t*,int*))matches_string;
+				this->public.equals = (bool (*)
+							(identification_t*,identification_t*))equals_strcasecmp;
 				return &(this->public);
 			}
 		}
@@ -1104,6 +1124,8 @@ identification_t *identification_create_from_string(char *string)
 			this->encoded.len = strlen(string);
 			this->public.matches = (bool (*) 
 					(identification_t*,identification_t*,int*))matches_string;
+			this->public.equals = (bool (*)
+						(identification_t*,identification_t*))equals_strcasecmp;
 			return &(this->public);
 		}
 	}
@@ -1123,12 +1145,11 @@ identification_t *identification_create_from_encoding(id_type_t type, chunk_t en
 					(identification_t*,identification_t*,int*))matches_any;
 			break;
 		case ID_FQDN:
-			this->public.matches = (bool (*)
-					(identification_t*,identification_t*,int*))matches_string;
-			break;
 		case ID_RFC822_ADDR:
 			this->public.matches = (bool (*)
 					(identification_t*,identification_t*,int*))matches_string;
+			this->public.equals = (bool (*)
+						(identification_t*,identification_t*))equals_strcasecmp;
 			break;
 		case ID_DER_ASN1_DN:
 			this->public.equals = (bool (*)
@@ -1152,3 +1173,4 @@ identification_t *identification_create_from_encoding(id_type_t type, chunk_t en
 	}
 	return &(this->public);
 }
+
diff --git a/src/libstrongswan/utils/iterator.h b/src/libstrongswan/utils/iterator.h
index 02a15c534..b4ff85bfb 100644
--- a/src/libstrongswan/utils/iterator.h
+++ b/src/libstrongswan/utils/iterator.h
@@ -26,15 +26,46 @@
 
 #include <library.h>
 
+typedef enum hook_result_t hook_result_t;
+
+/**
+ * @brief Return value of an iterator hook.
+ *
+ * Returning HOOK_AGAIN is useful to "inject" additional elements in an
+ * iteration, HOOK_NEXT is the normal iterator behavior, and HOOK_SKIP may
+ * be used to filter elements out.
+ *
+ * @ingroup utils
+ */
+enum hook_result_t {
+
+	/**
+	 * A value was placed in out, hook is called again with the same "in"
+	 */
+	HOOK_AGAIN,
+	
+	/**
+	 * A value was placed in out, hook is called again with next "in" (if any)
+	 */
+	HOOK_NEXT,
+	
+	/**
+	 * No value in out, call again with next "in" (if any)
+	 */
+	HOOK_SKIP,
+};
+
 /**
  * @brief Iterator hook function prototype.
  *
  * @param param		user supplied parameter
  * @param in		the value the hook receives from the iterator
  * @param out		the value supplied as a result to the iterator
- * @return			TRUE to return "out", FALSE to skip this value
+ * @return			a hook_result_t
+ *
+ * @ingroup utils
  */
-typedef bool (iterator_hook_t)(void *param, void *in, void **out);
+typedef hook_result_t (iterator_hook_t)(void *param, void *in, void **out);
 
 
 typedef struct iterator_t iterator_t;
@@ -45,8 +76,6 @@ typedef struct iterator_t iterator_t;
  * iterator_t defines an interface for iterating over collections.
  * It allows searching, deleting, updating and inserting.
  *
- * Thanks to JMP for iterator lessons :-)
- *
  * @b Constructors:
  * - via linked_list_t.create_iterator, or
  * - any other class which supports the iterator_t interface
@@ -84,8 +113,11 @@ struct iterator_t {
 	 * Sometimes it is useful to hook in an iterator. The hook function is
 	 * called before any successful return of iterate(). It takes the
 	 * iterator value, may manipulate it (or the references object), and returns
-	 * the value that the iterate() function returns.
+	 * the value that the iterate() function returns. Depending on the hook
+	 * return value, the hook is called again, called with next, or skipped.
 	 * A value of NULL deactivates the iterator hook.
+	 * If an iterator is hooked, only the iterate() method is valid,
+	 * all other methods behave undefined.
 	 * 
 	 * @param this 			calling object
 	 * @param hook			iterator hook which manipulates the iterated value
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index b8a023270..a28ebba51 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -410,7 +410,10 @@ void *realloc_hook(void *old, size_t bytes, const void *caller)
  */
 void __attribute__ ((constructor)) leak_detective_init()
 {
-	install_hooks();
+	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
+	{
+		install_hooks();
+	}
 }
 
 /**
@@ -418,8 +421,11 @@ void __attribute__ ((constructor)) leak_detective_init()
  */
 void __attribute__ ((destructor)) leak_detective_cleanup()
 {
-	uninstall_hooks();
-	report_leaks();
+	if (getenv("LEAK_DETECTIVE_DISABLE") == NULL)
+	{
+		uninstall_hooks();
+		report_leaks();
+	}
 }
 
 /**
@@ -431,6 +437,11 @@ void leak_detective_status(FILE *stream)
 	size_t bytes = 0;
 	memory_header_t *hdr = &first_header;
 	
+	if (getenv("LEAK_DETECTIVE_DISABLE"))
+	{
+		return;
+	}
+	
 	pthread_mutex_lock(&mutex);
 	while ((hdr = hdr->next))
 	{
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c
index de043a02e..de52ea46a 100644
--- a/src/libstrongswan/utils/linked_list.c
+++ b/src/libstrongswan/utils/linked_list.c
@@ -151,10 +151,10 @@ static int get_list_count(private_iterator_t *this)
 /**
  * default iterator hook which does nothing
  */
-static bool iterator_hook(void *param, void *in, void **out)
+static hook_result_t iterator_hook(void *param, void *in, void **out)
 {
 	*out = in;
-	return TRUE;
+	return HOOK_NEXT;
 }
 
 /**
@@ -180,40 +180,43 @@ static void set_iterator_hook(private_iterator_t *this, iterator_hook_t *hook,
  */
 static bool iterate(private_iterator_t *this, void** value)
 {
-	if (this->list->count == 0)
-	{
-		return FALSE;
-	}
-	if (this->current == NULL)
+	while (TRUE)
 	{
-		this->current = (this->forward) ? this->list->first : this->list->last;
-		if (!this->hook(this->hook_param, this->current->value, value))
+		if (this->forward)
 		{
-			return iterate(this, value);
+			this->current = this->current ? this->current->next : this->list->first;
 		}
-		return TRUE;
-	}
-	if (this->forward)
-	{
-		if (this->current->next == NULL)
+		else
+		{
+			this->current = this->current ? this->current->previous : this->list->last;
+		}
+
+		if (this->current == NULL)
 		{
 			return FALSE;
 		}
-		this->current = this->current->next;
-		if (!this->hook(this->hook_param, this->current->value, value))
+	
+		switch (this->hook(this->hook_param, this->current->value, value))
 		{
-			return iterate(this, value);
+			case HOOK_AGAIN:
+				/* rewind */
+				if (this->forward)
+				{
+					this->current = this->current->previous;
+				}
+				else
+				{
+					this->current = this->current->next;
+				}
+				break;
+			case HOOK_NEXT:
+				/* normal iteration */
+				break;
+			case HOOK_SKIP:
+				/* advance */
+				continue;
 		}
-		return TRUE;
-	}
-	if (this->current->previous == NULL)
-	{
-		return FALSE;
-	}
-	this->current = this->current->previous;
-	if (!this->hook(this->hook_param, this->current->value, value))
-	{
-		return iterate(this, value);
+		break;
 	}
 	return TRUE;
 }
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 67396085c..fb295075a 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -142,6 +142,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index e164717a9..4cefa58ca 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -179,6 +179,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
@@ -879,16 +880,16 @@ oid.h:	oid.txt oid.pl
 	$(PERL) oid.pl
 
 install-exec-local :
-	mkdir -p -m 755 $(confdir)/ipsec.d
-	mkdir -p -m 755 $(confdir)/ipsec.d/cacerts
-	mkdir -p -m 755 $(confdir)/ipsec.d/ocspcerts
-	mkdir -p -m 755 $(confdir)/ipsec.d/certs
-	mkdir -p -m 755 $(confdir)/ipsec.d/acerts
-	mkdir -p -m 755 $(confdir)/ipsec.d/aacerts
-	mkdir -p -m 755 $(confdir)/ipsec.d/crls
-	mkdir -p -m 755 $(confdir)/ipsec.d/reqs
-	mkdir -p -m 700 $(confdir)/ipsec.d/private
-	chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d
+	mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d
+	mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/cacerts
+	mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/ocspcerts
+	mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/certs
+	mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/acerts
+	mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/aacerts
+	mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/crls
+	mkdir -p -m 755 $(DESTDIR)$(confdir)/ipsec.d/reqs
+	mkdir -p -m 700 $(DESTDIR)$(confdir)/ipsec.d/private
+	chown -R $(ipsecuid):$(ipsecgid) $(DESTDIR)$(confdir)/ipsec.d
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 0d02b979c..c4d5dae4d 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -122,7 +122,7 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
     for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
     {
 	if (sameaddr(&p->me.addr, myaddr) && p->me.port == myport
-	&& sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
+	&&  sameaddr(&p->him.addr, hisaddr) && p->him.port == hisport)
 	{
 	    if (prev != NULL)
 	    {
@@ -162,15 +162,21 @@ connect_to_host_pair(struct connection *c)
 {
     if (oriented(*c))
     {
-	struct host_pair *hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
-	    , &c->spd.that.host_addr, c->spd.that.host_port);
+	struct host_pair *hp;
+
+	ip_address his_addr = (c->spd.that.allow_any)
+			      ? *aftoinfo(addrtypeof(&c->spd.that.host_addr))->any
+			      : c->spd.that.host_addr;
+
+	hp = find_host_pair(&c->spd.this.host_addr, c->spd.this.host_port
+	    , &his_addr, c->spd.that.host_port);
 
 	if (hp == NULL)
 	{
 	    /* no suitable host_pair -- build one */
 	    hp = alloc_thing(struct host_pair, "host_pair");
 	    hp->me.addr = c->spd.this.host_addr;
-	    hp->him.addr = c->spd.that.host_addr;
+	    hp->him.addr = his_addr;
 	    hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
 	    hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
 	    hp->initial_connection_sent = FALSE;
@@ -632,24 +638,15 @@ format_end(char *buf
 	strcpy(&host_id[len < 0? (ptrdiff_t)sizeof(host_id)-2 : 1 + len], "]");
     }
 
-    /* [---hop] */
-    hop[0] = '\0';
-    hop_sep = "";
-    if (that != NULL && !sameaddr(&this->host_nexthop, &that->host_addr))
-    {
-	addrtot(&this->host_nexthop, 0, hop, sizeof(hop));
-	hop_sep = "---";
-    }
-
     if (is_left)
-	snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s"
-	    , open_brackets, client, close_brackets
-	    , client_sep, host, host_port, host_id
-	    , protoport, hop_sep, hop);
+	snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
+	    , open_brackets, client, close_brackets, client_sep
+	    , this->allow_any? "%":""
+	    , host, host_port, host_id, protoport);
     else
-	snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s%s"
-	    , hop, hop_sep, host, host_port, host_id
-	    , protoport, client_sep
+	snprintf(buf, buf_len, "%s%s%s%s%s%s%s%s%s"
+	    , this->allow_any? "%":""
+	    , host, host_port, host_id, protoport, client_sep
 	    , open_brackets, client, close_brackets);
     return strlen(buf);
 }
@@ -855,6 +852,7 @@ extract_end(struct end *dst, const whack_end_t *src, const char *which)
     dst->has_client_wildcard = src->has_client_wildcard;
     dst->modecfg = src->modecfg;
     dst->hostaccess = src->hostaccess;
+    dst->allow_any = src->allow_any;
     dst->sendcert = src->sendcert;
     dst->updown = src->updown;
     dst->host_port = src->host_port;
@@ -1067,7 +1065,8 @@ add_connection(const whack_message_t *wm)
 	 * or any wildcard ID to that end
 	 */
 	if (isanyaddr(&c->spd.this.host_addr) || c->spd.this.has_client_wildcard
-	|| c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards)
+	|| c->spd.this.has_port_wildcard || c->spd.this.has_id_wildcards
+	|| c->spd.this.allow_any)
 	{
 	    struct end t = c->spd.this;
 
@@ -1095,7 +1094,7 @@ add_connection(const whack_message_t *wm)
 	}
 	else if ((isanyaddr(&c->spd.that.host_addr) && !NEVER_NEGOTIATE(c->policy))
 	|| c->spd.that.has_client_wildcard || c->spd.that.has_port_wildcard
-	|| c->spd.that.has_id_wildcards)
+	|| c->spd.that.has_id_wildcards || c->spd.that.allow_any)
 	{
 	    /* Opportunistic or Road Warrior or wildcard client subnet
 	     * or wildcard ID */
@@ -1263,6 +1262,8 @@ instantiate(struct connection *c, const ip_address *him
 
     c->instance_serial++;
     d = clone_thing(*c, "temporary connection");
+    d->spd.that.allow_any = FALSE;
+
     if (his_id != NULL)
     {
 	passert(match_id(his_id, &d->spd.that.id, &wildcards));
@@ -1306,6 +1307,10 @@ instantiate(struct connection *c, const ip_address *him
     connect_to_host_pair(d);
 
     return d;
+    if (sameaddr(&d->spd.that.host_addr, &d->spd.this.host_nexthop))
+    {
+	d->spd.this.host_nexthop = *him;
+    }
 }
 
 struct connection *
@@ -1803,7 +1808,7 @@ initiate_connection(const char *name, int whackfd)
 	    loglog(RC_INITSHUNT
 		, "cannot initiate an authby=never connection");
 	}
-	else if (c->kind != CK_PERMANENT)
+	else if (c->kind != CK_PERMANENT && !c->spd.that.allow_any)
 	{
 	    if (isanyaddr(&c->spd.that.host_addr))
 		loglog(RC_NOPEERIP, "cannot initiate connection without knowing peer IP address");
@@ -1812,22 +1817,30 @@ initiate_connection(const char *name, int whackfd)
 	}
 	else
 	{
-	    /* We will only request an IPsec SA if policy isn't empty
-	     * (ignoring Main Mode items).
-	     * This is a fudge, but not yet important.
-	     * If we are to proceed asynchronously, whackfd will be NULL_FD.
-	     */
-	    c->policy |= POLICY_UP;
 	    /* do we have to prompt for a PIN code? */
 	    if (c->spd.this.sc != NULL && !c->spd.this.sc->valid && whackfd != NULL_FD)
+	    {
 		scx_get_pin(c->spd.this.sc, whackfd);
-
+	    }
 	    if (c->spd.this.sc != NULL && !c->spd.this.sc->valid)
 	    {
 		loglog(RC_NOVALIDPIN, "cannot initiate connection without valid PIN");
 	    }
 	    else
 	    {
+
+		if (c->spd.that.allow_any)
+		{
+		    c = instantiate(c, &c->spd.that.host_addr, c->spd.that.host_port
+				  , &c->spd.that.id);
+		}
+
+		/* We will only request an IPsec SA if policy isn't empty
+		 * (ignoring Main Mode items).
+		 * This is a fudge, but not yet important.
+		 * If we are to proceed asynchronously, whackfd will be NULL_FD.
+		 */
+		c->policy |= POLICY_UP;
 		ipsecdoi_initiate(whackfd, c, c->policy, 1, SOS_NOBODY);
 		whackfd = NULL_FD;	/* protect from close */
 	    }
@@ -2975,51 +2988,6 @@ terminate_connection(const char *nm)
     } while (c != NULL);
 }
 
-/* check nexthop safety
- * Our nexthop must not be within a routed client subnet, and vice versa.
- * Note: we don't think this is true.  We think that KLIPS will
- * not process a packet output by an eroute.
- */
-#ifdef NEVER
-//bool
-//check_nexthop(const struct connection *c)
-//{
-//    struct connection *d;
-//
-//    if (addrinsubnet(&c->spd.this.host_nexthop, &c->spd.that.client))
-//    {
-//	loglog(RC_LOG_SERIOUS, "cannot perform routing for connection \"%s\""
-//	    " because nexthop is within peer's client network",
-//	    c->name);
-//	return FALSE;
-//    }
-//
-//    for (d = connections; d != NULL; d = d->next)
-//    {
-//	if (d->routing != RT_UNROUTED)
-//	{
-//	    if (addrinsubnet(&c->spd.this.host_nexthop, &d->spd.that.client))
-//	    {
-//		loglog(RC_LOG_SERIOUS, "cannot do routing for connection \"%s\"
-//		    " because nexthop is contained in"
-//		    " existing routing for connection \"%s\"",
-//		    c->name, d->name);
-//		return FALSE;
-//	    }
-//	    if (addrinsubnet(&d->spd.this.host_nexthop, &c->spd.that.client))
-//	    {
-//		loglog(RC_LOG_SERIOUS, "cannot do routing for connection \"%s\"
-//		    " because it contains nexthop of"
-//		    " existing routing for connection \"%s\"",
-//		    c->name, d->name);
-//		return FALSE;
-//	    }
-//	}
-//    }
-//    return TRUE;
-//}
-#endif /* NEVER */
-
 /* an ISAKMP SA has been established.
  * Note the serial number, and release any connections with
  * the same peer ID but different peer IP address.
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index df3af9dd4..40cbfc497 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -155,6 +155,7 @@ struct end {
 				/* that end: give local addresses to clients */
     bool hostaccess;		/* allow access to host via iptables INPUT/OUTPUT */
 				/* rules if client behind host is a subnet */
+    bool allow_any;		/* IP address is subject to change */
     certpolicy_t sendcert;	/* whether or not to send the certificate */
 };
 
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index d9b2167c8..a5bf82768 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -104,7 +104,8 @@ usage(const char *mess)
 	    " \\\n\t"
 	    "[--adns <pathname>]"
 	    "[--pkcs11module <path>]"
-	    "[--pkcs11keepstate"
+	    "[--pkcs11keepstate]"
+	    "[--pkcs11initargs <string>]"
 #ifdef DEBUG
 	    " \\\n\t"
 	    "[--debug-none]"
@@ -217,6 +218,11 @@ bool pkcs11_keep_state = FALSE;
 /* by default pluto does not allow pkcs11 proxy access via whack */
 bool pkcs11_proxy = FALSE;
 
+/* argument string to pass to PKCS#11 module.
+ * Not used for compliant modules, just for NSS softoken
+ */
+static const char *pkcs11_init_args = NULL;
+
 int
 main(int argc, char **argv)
 {
@@ -263,6 +269,7 @@ main(int argc, char **argv)
 #endif /* !USE_LWRES */
 	    { "pkcs11module", required_argument, NULL, 'm' },
 	    { "pkcs11keepstate", no_argument, NULL, 'k' },
+	    { "pkcs11initargs", required_argument, NULL, 'z' },
 	    { "pkcs11proxy", no_argument, NULL, 'y' },
 	    { "nat_traversal", no_argument, NULL, '1' },
 	    { "keep_alive", required_argument, NULL, '2' },
@@ -432,6 +439,10 @@ main(int argc, char **argv)
 	    pkcs11_proxy = TRUE;
 	    continue;
 
+	case 'z':	/* --pkcs11initargs */
+	    pkcs11_init_args = optarg;
+	    continue;
+
 #ifdef DEBUG
 	case 'N':	/* --debug-none */
 	    base_debugging = DBG_NONE;
@@ -593,7 +604,7 @@ main(int argc, char **argv)
 
     init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
     init_virtual_ip(virtual_private);
-    scx_init(pkcs11_module_path);   /* load and initialize PKCS #11 module */
+    scx_init(pkcs11_module_path, pkcs11_init_args);   /* load and initialize PKCS #11 module */
     xauth_init();		    /* load and initialize XAUTH module */
     init_rnd_pool();
     init_secret();
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index 744f8a6f3..067d0f046 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -690,12 +690,16 @@ scx_find_all_cert_objects(void)
 #endif
 
 /*
- * load and initialize PKCS#11 cryptoki module 
+ * load and initialize PKCS#11 cryptoki module
+ *
+ * init_args should be unused when we have a PKCS#11 compliant module,
+ * but NSS softoken breaks that API.
  */
 void
-scx_init(const char* module)
+scx_init(const char* module, const char *init_args)
 {
 #ifdef SMARTCARD
+    CK_C_INITIALIZE_ARGS args = { .pReserved = init_args, };
     CK_RV rv;
 
     if (scx_initialized)
@@ -726,8 +730,8 @@ scx_init(const char* module)
 
     DBG(DBG_CONTROL | DBG_CRYPT,
 	DBG_log("pkcs11 module initializing...")
-    )   
-    rv = pkcs11_functions->C_Initialize(NULL);
+    )
+    rv = pkcs11_functions->C_Initialize(init_args ? &args : NULL);
     if (rv != CKR_OK)
     {
 	plog("failed to initialize pkcs11 module: %s"
diff --git a/src/pluto/smartcard.h b/src/pluto/smartcard.h
index c004ca7dd..864f630a1 100644
--- a/src/pluto/smartcard.h
+++ b/src/pluto/smartcard.h
@@ -69,7 +69,7 @@ extern bool pkcs11_keep_state;
 extern bool pkcs11_proxy;
 
 extern smartcard_t* scx_parse_number_slot_id(const char *number_slot_id);
-extern void scx_init(const char *module);
+extern void scx_init(const char *module, const char *init_args);
 extern void scx_finalize(void);
 extern bool scx_establish_context(smartcard_t *sc);
 extern bool scx_login(smartcard_t *sc);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index c2ea2b5a0..086cb4dd7 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -205,7 +205,8 @@ static struct vid_struct _vid_tab[] = {
 	/*
 	 * strongSwan
 	 */
-	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.1.3")
+	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.1.4")
+	DEC_MD5_VID(STRONGSWAN_4_1_3, "strongSwan 4.1.3")
 	DEC_MD5_VID(STRONGSWAN_4_1_2, "strongSwan 4.1.2")
 	DEC_MD5_VID(STRONGSWAN_4_1_1, "strongSwan 4.1.1")
 	DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
@@ -218,6 +219,8 @@ static struct vid_struct _vid_tab[] = {
 	DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
 	DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
 
+	DEC_MD5_VID(STRONGSWAN_2_8_6, "strongSwan 2.8.6")
+	DEC_MD5_VID(STRONGSWAN_2_8_5, "strongSwan 2.8.5")
 	DEC_MD5_VID(STRONGSWAN_2_8_4, "strongSwan 2.8.4")
 	DEC_MD5_VID(STRONGSWAN_2_8_3, "strongSwan 2.8.3")
 	DEC_MD5_VID(STRONGSWAN_2_8_2, "strongSwan 2.8.2")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 5ba65ea37..6c7eeafb3 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -89,18 +89,21 @@ enum known_vendorid {
   VID_STRONGSWAN_2_8_2		= 67,
   VID_STRONGSWAN_2_8_3		= 68,
   VID_STRONGSWAN_2_8_4		= 69,
+  VID_STRONGSWAN_2_8_5		= 70,
+  VID_STRONGSWAN_2_8_6		= 71,
 
-  VID_STRONGSWAN_4_0_0		= 70,
-  VID_STRONGSWAN_4_0_1		= 71,
-  VID_STRONGSWAN_4_0_2		= 72,
-  VID_STRONGSWAN_4_0_3		= 73,
-  VID_STRONGSWAN_4_0_4		= 74,
-  VID_STRONGSWAN_4_0_5		= 75,
-  VID_STRONGSWAN_4_0_6		= 76,
-  VID_STRONGSWAN_4_0_7		= 77,
-  VID_STRONGSWAN_4_1_0		= 78,
-  VID_STRONGSWAN_4_1_1		= 79,
-  VID_STRONGSWAN_4_1_2		= 80,
+  VID_STRONGSWAN_4_0_0		= 80,
+  VID_STRONGSWAN_4_0_1		= 81,
+  VID_STRONGSWAN_4_0_2		= 82,
+  VID_STRONGSWAN_4_0_3		= 83,
+  VID_STRONGSWAN_4_0_4		= 84,
+  VID_STRONGSWAN_4_0_5		= 85,
+  VID_STRONGSWAN_4_0_6		= 86,
+  VID_STRONGSWAN_4_0_7		= 87,
+  VID_STRONGSWAN_4_1_0		= 88,
+  VID_STRONGSWAN_4_1_1		= 89,
+  VID_STRONGSWAN_4_1_2		= 90,
+  VID_STRONGSWAN_4_1_3		= 91,
 
   /* 101 - 200 : NAT-Traversal */
   VID_NATT_STENBERG_01		=101,
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 798f09de8..665bda786 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -143,6 +143,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 7d5a4b69a..e2be69c01 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -9,7 +9,7 @@ INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_src
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
 starter_LDADD = loglite.o defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
-dist_man_MANS = ipsec.conf.5
+dist_man_MANS = ipsec.conf.5 starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 
 PLUTODIR=$(top_srcdir)/src/pluto
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 432b3d6d5..a8ccfc626 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -46,7 +46,8 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
+	"$(DESTDIR)$(man8dir)"
 ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 PROGRAMS = $(ipsec_PROGRAMS)
 am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
@@ -72,6 +73,7 @@ LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 SOURCES = $(starter_SOURCES)
 DIST_SOURCES = $(starter_SOURCES)
 man5dir = $(mandir)/man5
+man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
 ETAGS = etags
@@ -136,6 +138,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
@@ -230,7 +233,7 @@ INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_src
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
 starter_LDADD = loglite.o defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a
 EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
-dist_man_MANS = ipsec.conf.5
+dist_man_MANS = ipsec.conf.5 starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 PLUTODIR = $(top_srcdir)/src/pluto
 OPENACDIR = $(top_srcdir)/src/openac
@@ -395,6 +398,51 @@ uninstall-man5:
 	  echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
 	  rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
 	done
+install-man8: $(man8_MANS) $(man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    8*) ;; \
+	    *) ext='8' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+	done
+uninstall-man8:
+	@$(NORMAL_UNINSTALL)
+	@list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+	for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  case "$$ext" in \
+	    8*) ;; \
+	    *) ext='8' ;; \
+	  esac; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+	  rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+	done
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
@@ -475,7 +523,7 @@ check-am: all-am
 check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS)
 installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)"; do \
+	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
 	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
 	done
 install: install-am
@@ -530,7 +578,7 @@ install-exec-am: install-exec-local
 
 install-info: install-info-am
 
-install-man: install-man5
+install-man: install-man5 install-man8
 
 installcheck-am:
 
@@ -554,7 +602,7 @@ ps-am:
 
 uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man
 
-uninstall-man: uninstall-man5
+uninstall-man: uninstall-man5 uninstall-man8
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
 	clean-ipsecPROGRAMS clean-libtool ctags distclean \
@@ -563,12 +611,12 @@ uninstall-man: uninstall-man5
 	install install-am install-data install-data-am install-exec \
 	install-exec-am install-exec-local install-info \
 	install-info-am install-ipsecPROGRAMS install-man install-man5 \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man \
-	uninstall-man5
+	install-man8 install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+	uninstall-am uninstall-info-am uninstall-ipsecPROGRAMS \
+	uninstall-man uninstall-man5 uninstall-man8
 
 
 lex.yy.c:	y.tab.c parser.l parser.y parser.h
diff --git a/src/starter/args.c b/src/starter/args.c
index fb8424841..605794281 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -173,6 +173,7 @@ static const token_info_t token_info[] =
     { ARG_STR,  offsetof(starter_config_t, setup.virtual_private), NULL            },
     { ARG_STR,  offsetof(starter_config_t, setup.eapdir), NULL                     },
     { ARG_STR,  offsetof(starter_config_t, setup.pkcs11module), NULL               },
+    { ARG_STR,  offsetof(starter_config_t, setup.pkcs11initargs), NULL             },
     { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool        },
     { ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool            },
 
@@ -195,7 +196,7 @@ static const token_info_t token_info[] =
     { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
     { ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL              },
     { ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL                    },
-    { ARG_ULNG, offsetof(starter_conn_t, sa_keying_tries), NULL                    },
+    { ARG_MISC, 0, NULL  /* KW_KEYINGTRIES */                                      },
     { ARG_PCNT, offsetof(starter_conn_t, sa_rekey_fuzz), NULL                      },
     { ARG_MISC, 0, NULL  /* KW_REKEY */                                            },
     { ARG_MISC, 0, NULL  /* KW_REAUTH */                                           },
@@ -229,6 +230,7 @@ static const token_info_t token_info[] =
     { ARG_MISC, 0, NULL  /* KW_NATIP */                                            },
     { ARG_ENUM, offsetof(starter_end_t, firewall), LST_bool                        },
     { ARG_ENUM, offsetof(starter_end_t, hostaccess), LST_bool                      },
+    { ARG_ENUM, offsetof(starter_end_t, allow_any), LST_bool                       },
     { ARG_STR,  offsetof(starter_end_t, updown), NULL                              },
     { ARG_STR,  offsetof(starter_end_t, id), NULL                                  },
     { ARG_STR,  offsetof(starter_end_t, rsakey), NULL                              },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index e7a4789a9..2fe5b8ca7 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -181,14 +181,42 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 			conn->addr_family = AF_INET6;
 			anyaddr(conn->addr_family, &end->addr);
 		}
+		else if (streq(value, "%group"))
+		{
+			ip_address any;
+
+			conn->policy |= POLICY_GROUP | POLICY_TUNNEL;
+			anyaddr(conn->addr_family, &end->addr);
+			anyaddr(conn->tunnel_addr_family, &any);
+			initsubnet(&any, 0, '0', &end->subnet);
+			end->has_client = TRUE;
+		}
 		else
 		{
+			bool fallback_to_any = FALSE;
+
+			if (value[0] == '%')
+			{
+				fallback_to_any = TRUE;
+				end->allow_any = TRUE;
+				value++;
+			}
 			conn->addr_family = ip_version(value);
 			ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
 			if (ugh != NULL)
 			{
 				plog("# bad addr: %s=%s [%s]", name, value, ugh);
-				goto err;
+				if (fallback_to_any)
+				{
+					plog("# fallback to %s=%%any due to '%%' prefix");
+					anyaddr(conn->addr_family, &end->addr);
+					end->allow_any = FALSE;
+					cfg->non_fatal_err++;
+				}
+				else
+				{
+					goto err;
+				}
 			}
 		}
 		break;
@@ -465,11 +493,12 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 		case KW_EAP:
 			/* TODO: a gperf function for all EAP types */
 			if (streq(kw->value, "aka"))
+			{
 				conn->eap = 23;
+			}
 			else if (streq(kw->value, "sim"))
 			{
 				conn->eap = 18;
-			
 			}
 			else
 			{
@@ -481,6 +510,23 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 				}
 			}
 			break;
+		case KW_KEYINGTRIES:
+			if (streq(kw->value, "%forever"))
+			{
+				conn->sa_keying_tries = 0;
+			}
+			else
+			{
+				char *endptr;
+
+				conn->sa_keying_tries = strtoul(kw->value, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
+		    		cfg->err++;
+				}
+			}
+			break;
 		case KW_REKEY:
 			KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
 			break;
@@ -695,7 +741,79 @@ find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg)
 	return NULL;
 }
 
+/*
+ * free the memory used by also_t objects
+ */
+static void
+free_also(also_t *head)
+{
+	while (head != NULL)
+	{
+		also_t *also = head;
+
+		head = also->next;
+		pfree(also->name);
+		pfree(also);
+	}
+}
+
+/*
+ * free the memory used by a starter_conn_t object
+ */
+static void
+confread_free_conn(starter_conn_t *conn)
+{
+	free_args(KW_END_FIRST, KW_END_LAST,  (char *)&conn->left);
+	free_args(KW_END_FIRST, KW_END_LAST,  (char *)&conn->right);
+	free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn);
+	free_also(conn->also);
+}
+
+/*
+ * free the memory used by a starter_ca_t object
+ */
+static void
+confread_free_ca(starter_ca_t *ca)
+{
+	free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca);
+	free_also(ca->also);
+}
+
+/*
+ * free the memory used by a starter_config_t object
+ */
+void 
+confread_free(starter_config_t *cfg)
+{
+	starter_conn_t *conn = cfg->conn_first;
+	starter_ca_t   *ca   = cfg->ca_first;
+
+	free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg);
+
+	confread_free_conn(&cfg->conn_default);
+
+	while (conn != NULL)
+	{
+		starter_conn_t *conn_aux = conn;
+
+		conn = conn->next;
+		confread_free_conn(conn_aux);
+		pfree(conn_aux);
+	}
+
+	confread_free_ca(&cfg->ca_default);
+
+	while (ca != NULL)
+	{
+		starter_ca_t *ca_aux = ca;
+
+		ca = ca->next;
+		confread_free_ca(ca_aux);
+		pfree(ca_aux);
+	}
 
+	pfree(cfg);
+}
 
 /*
  * load and parse an IPsec configuration file
@@ -709,6 +827,7 @@ confread_load(const char *file)
 	starter_conn_t   *conn;
 	starter_ca_t     *ca;
 
+	u_int total_err;
 	u_int visit	= 0;
 
 	/* load IPSec configuration file  */
@@ -748,6 +867,8 @@ confread_load(const char *file)
 	/* load other ca sections */
 	for (sca = cfgp->ca_first; sca; sca = sca->next)
 	{
+		u_int previous_err;
+
 		/* skip %default ca section */
 		if (streq(sca->name, "%default"))
 			continue;
@@ -761,13 +882,24 @@ confread_load(const char *file)
 		ca->kw =  sca->kw;
 		ca->next = NULL;
 
-		if (cfg->ca_last)
-			cfg->ca_last->next = ca;
-		cfg->ca_last = ca;
-		if (!cfg->ca_first)
-			cfg->ca_first = ca;
-
+		previous_err = cfg->err;
 		load_ca(ca, ca->kw, cfg);
+		if (cfg->err > previous_err)
+		{
+			/* errors occurred - free the ca */
+			confread_free_ca(ca);
+			cfg->non_fatal_err += cfg->err - previous_err;
+			cfg->err = previous_err;
+		}
+		else
+		{
+			/* success - insert the ca into the chained list */
+			if (cfg->ca_last)
+				cfg->ca_last->next = ca;
+			cfg->ca_last = ca;
+			if (!cfg->ca_first)
+				cfg->ca_first = ca;
+		}
 	}
 
 	for (ca = cfg->ca_first; ca; ca = ca->next)
@@ -806,6 +938,8 @@ confread_load(const char *file)
 	/* load other conn sections */
 	for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
 	{
+		u_int previous_err;
+		
 		/* skip %default conn section */
 		if (streq(sconn->name, "%default"))
 			continue;
@@ -818,14 +952,25 @@ confread_load(const char *file)
 		conn_default(sconn->name, conn, &cfg->conn_default);
 		conn->kw =  sconn->kw;
 		conn->next = NULL;
-
-		if (cfg->conn_last)
-			cfg->conn_last->next = conn;
-		cfg->conn_last = conn;
-		if (!cfg->conn_first)
-			cfg->conn_first = conn;
-
+		
+		previous_err = cfg->err;
 		load_conn(conn, conn->kw, cfg);
+		if (cfg->err > previous_err)
+		{
+			/* error occurred - free the conn */
+			confread_free_conn(conn);
+			cfg->non_fatal_err += cfg->err - previous_err;
+			cfg->err = previous_err;
+		}
+		else
+		{
+			/* success - insert the conn into the chained list */
+			if (cfg->conn_last)
+				cfg->conn_last->next = conn;
+			cfg->conn_last = conn;
+			if (!cfg->conn_first)
+				cfg->conn_first = conn;
+		}
 	}
 
 	/* in the second round do not parse also statements */
@@ -851,86 +996,12 @@ confread_load(const char *file)
 
 	parser_free_conf(cfgp);
 
-	if (cfg->err)
+	total_err = cfg->err + cfg->non_fatal_err;
+	if (total_err > 0)
 	{
-		plog("### %d parsing error%s ###", cfg->err, (cfg->err > 1)?"s":"");
-		confread_free(cfg);
-		cfg = NULL;
+		plog("### %d parsing error%s (%d fatal) ###"
+			, total_err, (total_err > 1)?"s":"", cfg->err);
 	}
 
 	return cfg;
 }
-
-/*
- * free the memory used by also_t objects
- */
-static void
-free_also(also_t *head)
-{
-	while (head != NULL)
-	{
-		also_t *also = head;
-
-		head = also->next;
-		pfree(also->name);
-		pfree(also);
-	}
-}
-
-/*
- * free the memory used by a starter_conn_t object
- */
-static void
-confread_free_conn(starter_conn_t *conn)
-{
-	free_args(KW_END_FIRST, KW_END_LAST,  (char *)&conn->left);
-	free_args(KW_END_FIRST, KW_END_LAST,  (char *)&conn->right);
-	free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn);
-	free_also(conn->also);
-}
-
-/*
- * free the memory used by a starter_ca_t object
- */
-static void
-confread_free_ca(starter_ca_t *ca)
-{
-	free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca);
-	free_also(ca->also);
-}
-
-/*
- * free the memory used by a starter_config_t object
- */
-void 
-confread_free(starter_config_t *cfg)
-{
-	starter_conn_t *conn = cfg->conn_first;
-	starter_ca_t   *ca   = cfg->ca_first;
-
-	free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg);
-
-	confread_free_conn(&cfg->conn_default);
-
-	while (conn != NULL)
-	{
-		starter_conn_t *conn_aux = conn;
-
-		conn = conn->next;
-		confread_free_conn(conn_aux);
-		pfree(conn_aux);
-	}
-
-	confread_free_ca(&cfg->ca_default);
-
-	while (ca != NULL)
-	{
-		starter_ca_t *ca_aux = ca;
-
-		ca = ca->next;
-		confread_free_ca(ca_aux);
-		pfree(ca_aux);
-	}
-
-	pfree(cfg);
-}
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 2fe75fcc6..970166c90 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -75,6 +75,7 @@ struct starter_end {
 	certpolicy_t	sendcert;
 	bool		firewall;
 	bool		hostaccess;
+	bool		allow_any;
 	char 		*updown;
 	u_int16_t	port;
 	u_int8_t	protocol;
@@ -177,6 +178,7 @@ struct starter_config {
 		char	 *virtual_private;
 		char	 *eapdir;
 		char	 *pkcs11module;
+		char	 *pkcs11initargs;
 		bool	 pkcs11keepstate;
 		bool	 pkcs11proxy;
 
@@ -191,7 +193,8 @@ struct starter_config {
 	defaultroute_t defaultroute;
 
 	/* number of encountered parsing errors */
-	u_int err;	
+	u_int err;
+	u_int non_fatal_err;
 
 	/* do we parse also statements */
 	bool parse_also;
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
index a7c8efd44..a4baaa83d 100644
--- a/src/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -33,449 +33,6 @@
 #include "exec.h"
 #include "files.h"
 
-#define MIN(a,b) ( ((a)>(b)) ? (b) : (a) )
-
-#define N_IPSEC_IF      4
-
-struct st_ipsec_if {
-	char name[IFNAMSIZ];
-	char phys[IFNAMSIZ];
-	int up;
-};
-
-static struct st_ipsec_if _ipsec_if[N_IPSEC_IF];
-
-static char *
-_find_physical_iface(int sock, char *iface)
-{
-    static char _if[IFNAMSIZ];
-    char *b;
-    struct ifreq req;
-    FILE *fd;
-    char line[BUF_LEN];
-
-    strncpy(req.ifr_name, iface, IFNAMSIZ);
-    if (ioctl(sock, SIOCGIFFLAGS, &req)==0)
-    {
-	if (req.ifr_flags & IFF_UP)
-	{
-	    strncpy(_if, iface, IFNAMSIZ);
-	    return _if;
-	}
-    }
-    else
-    {
-	/* If there is a file named /var/run/dynip/<iface>, look if we
-	 * can get interface name from there (IP_PHYS)
-	 */
-	b = (char *)alloc_bytes(strlen(DYNIP_DIR) + strlen(iface) + 10, "iface");
-	if (b)
-	{
-	    sprintf(b, "%s/%s", DYNIP_DIR, iface);
-	    fd = fopen(b, "r");
-	    pfree(b);
-	    if (fd)
-	    {
-		memset(_if, 0, sizeof(_if));
-		memset(line, 0, sizeof(line));
-		while (fgets(line, sizeof(line), fd) != 0)
-		{
-		    if ((strncmp(line,"IP_PHYS=\"", 9) == 0)
-		    && (line[strlen(line) - 2] == '"')
-		    && (line[strlen(line) - 1] == '\n'))
-		    {
-			strncpy(_if, line + 9, MIN(strlen(line) - 11, IFNAMSIZ));
-			break;
-		    }
-		    else if ((strncmp(line,"IP_PHYS=", 8) == 0)
-		    && (line[8] != '"')
-		    && (line[strlen(line) - 1] == '\n'))
-		    {
-			strncpy(_if, line + 8, MIN(strlen(line) - 9, IFNAMSIZ));
-			break;
-		    }
-		}
-		fclose(fd);
-
-		if (*_if)
-		{
-		    strncpy(req.ifr_name, _if, IFNAMSIZ);
-		    if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
-		    {
-			if (req.ifr_flags & IFF_UP)
-			    return _if;
-		    }
-		}
-	    }
-	}
-    }
-    return NULL;
-}
-
-int
-starter_iface_find(char *iface, int af, ip_address *dst, ip_address *nh)
-{
-    char *phys;
-    struct ifreq req;
-    struct sockaddr_in *sa = (struct sockaddr_in *)(&req.ifr_addr);
-    int sock;
-
-    if (!iface)
-	return -1;
-
-    sock = socket(af, SOCK_DGRAM, 0);
-    if (sock < 0)
-	return -1;
-
-    phys = _find_physical_iface(sock, iface);
-    if (!phys)
-	goto failed;
-
-    strncpy(req.ifr_name, phys, IFNAMSIZ);
-    if (ioctl(sock, SIOCGIFFLAGS, &req)!=0)
-	goto failed;
-    if (!(req.ifr_flags & IFF_UP))
-	 goto failed;
-
-    if ((req.ifr_flags & IFF_POINTOPOINT)
-    && nh
-    && ioctl(sock, SIOCGIFDSTADDR, &req) == 0)
-    {
-	if (sa->sin_family == af)
-	    initaddr((const void *)&sa->sin_addr, sizeof(struct in_addr), af, nh);
-    }
-    if ((dst) && (ioctl(sock, SIOCGIFADDR, &req) == 0))
-    {
-	if (sa->sin_family == af)
-	    initaddr((const void *)&sa->sin_addr, sizeof(struct in_addr), af, dst);
-    }
-    close(sock);
-    return 0;
-
-failed:
-    close(sock);
-    return -1;
-}
-
-static int
-valid_str(char *str, unsigned int *pn, char **pphys
-, defaultroute_t *defaultroute)
-{
-    if (streq(str, "%defaultroute"))
-    {
-	if (!defaultroute->defined)
-	{
-	    return 0;
-	}
-	*pn = 0;
-	*pphys = defaultroute->iface;
-    }
-    else
-    {
-	if (strlen(str) < 8 
-	|| str[0] != 'i' || str[1] != 'p' || str[2] !='s' || str[3] != 'e'
-	|| str[4] != 'c' || str[5] < '0'  || str[5] > '9' || str[6] != '=')
-	{
-	    return 0;
-	}
-	*pn = str[5] - '0';
-	*pphys = &(str[7]);
-    }
-    return 1;
-}
-
-static int
-_iface_up (int sock,  struct st_ipsec_if *iface, char *phys
-, unsigned int mtu, bool nat_t)
-{
-    struct ifreq req;
-    struct ipsectunnelconf *shc=(struct ipsectunnelconf *)&req.ifr_data;
-    short phys_flags;
-    int ret = 0;
-    /* sscholz@astaro.com: for network mask 32 bit
-    struct sockaddr_in *inp;
-    */
-
-    strncpy(req.ifr_name, phys, IFNAMSIZ);
-    if (ioctl(sock, SIOCGIFFLAGS, &req) !=0 )
-	return ret;
-    phys_flags = req.ifr_flags;
-
-    strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-    if (ioctl(sock, SIOCGIFFLAGS, &req) != 0)
-	return ret;
-
-    if ((!(req.ifr_flags & IFF_UP)) || (!iface->up))
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("attaching interface %s to %s", iface->name, phys)
-	)
-	ret = 1;
-    }
-
-    if ((*iface->phys) && (strcmp(iface->phys, phys) != 0 ))
-    {
-	/* tncfg --detach if phys has changed */
-	strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-	ioctl(sock, IPSEC_DEL_DEV, &req);
-	ret = 1;
-    }
-
-    /* tncfg --attach */
-    strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-    strncpy(shc->cf_name, phys, sizeof(shc->cf_name));
-    ioctl(sock, IPSEC_SET_DEV, &req);
-
-    /* set ipsec addr = phys addr */
-    strncpy(req.ifr_name, phys, IFNAMSIZ);
-    if (ioctl(sock, SIOCGIFADDR, &req) == 0)
-    {
-	strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-	ioctl(sock, SIOCSIFADDR, &req);
-    }
-
-    /* set ipsec mask = phys mask */
-    strncpy(req.ifr_name, phys, IFNAMSIZ);
-    if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
-    {
-	strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-	/* sscholz@astaro.com: changed netmask to 32 bit
-	 * in order to prevent network routes from being created
-
-	inp = (struct sockaddr_in *)&req.ifr_addr;
-	inp->sin_addr.s_addr = 0xFFFFFFFFL;
-
-         */
-	ioctl(sock, SIOCSIFNETMASK, &req);
-    }
-
-    /* set other flags & addr */
-    strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-    if (ioctl(sock, SIOCGIFFLAGS, &req)==0)
-    {
-/* removed by sscholz@astaro.com (caused trouble with DSL/ppp0) */
-/*	if (phys_flags & IFF_POINTOPOINT)
-	{
-	    req.ifr_flags |= IFF_POINTOPOINT;
-	    req.ifr_flags &= ~IFF_BROADCAST;
-	    ioctl(sock, SIOCSIFFLAGS, &req);
-	    strncpy(req.ifr_name, phys, IFNAMSIZ);
-	    if (ioctl(sock, SIOCGIFDSTADDR, &req) == 0)
-	    {
-		strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-		ioctl(sock, SIOCSIFDSTADDR, &req);
-	    }
-	}
-	else
- */
-	if (phys_flags & IFF_BROADCAST)
-	{
-	    req.ifr_flags &= ~IFF_POINTOPOINT;
-	    req.ifr_flags |= IFF_BROADCAST;
-	    ioctl(sock, SIOCSIFFLAGS, &req);
-	    strncpy(req.ifr_name, phys, IFNAMSIZ);
-	    if (ioctl(sock, SIOCGIFBRDADDR, &req) == 0)
-	    {
-		strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-		ioctl(sock, SIOCSIFBRDADDR, &req);
-	    }
-	}
-	else
-	{
-	    req.ifr_flags &= ~IFF_POINTOPOINT;
-	    req.ifr_flags &= ~IFF_BROADCAST;
-	    ioctl(sock, SIOCSIFFLAGS, &req);
-	}
-    }
-
-    /*
-     * guess MTU = phys interface MTU - ESP Overhead
-     *
-     * ESP overhead : 10+16+7+2+12=57 -> 60 by security
-     * NAT-T overhead : 20
-     */
-    if (mtu == 0)
-    {
-	strncpy(req.ifr_name, phys, IFNAMSIZ);
-	ioctl(sock, SIOCGIFMTU, &req);
-	mtu = req.ifr_mtu - 60;
-	if (nat_t)
-	    mtu -= 20;
-    }
-    /* set MTU */
-    if (mtu)
-    {
-	strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-	req.ifr_mtu = mtu;
-	ioctl(sock, SIOCSIFMTU, &req);
-    }
-
-    /* ipsec interface UP */
-    strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-    if (ioctl(sock, SIOCGIFFLAGS, &req) == 0)
-    {
-	req.ifr_flags |= IFF_UP;
-	ioctl(sock, SIOCSIFFLAGS, &req);
-    }
-
-    iface->up = 1;
-    strncpy(iface->phys, phys, IFNAMSIZ);
-    return ret;
-}
-
-static int
-_iface_down(int sock, struct st_ipsec_if *iface)
-{
-    struct ifreq req;
-    int ret = 0;
-
-    iface->up = 0;
-
-    strncpy(req.ifr_name, iface->name, IFNAMSIZ);
-    if (ioctl(sock, SIOCGIFFLAGS, &req)!=0)
-	return ret;
-
-    if (req.ifr_flags & IFF_UP)
-    {
-	DBG(DBG_CONTROL,
-	    DBG_log("shutting down interface %s/%s", iface->name, iface->phys)
-	)
-	req.ifr_flags &= ~IFF_UP;
-	ioctl(sock, SIOCSIFFLAGS, &req);
-	ret = 1;
-    }
-
-    /* unset addr */
-    memset(&req.ifr_addr, 0, sizeof(req.ifr_addr));
-    req.ifr_addr.sa_family = AF_INET;
-    ioctl(sock, SIOCSIFADDR, &req);
-
-    /* tncfg --detach */
-    ioctl(sock, IPSEC_DEL_DEV, &req);
-
-    memset(iface->phys, 0, sizeof(iface->phys));
-
-    return ret;
-}
-
-void
-starter_ifaces_init(void)
-{
-    int i;
-
-    memset(_ipsec_if, 0, sizeof(_ipsec_if));
-    for (i = 0; i < N_IPSEC_IF; i++)
-	snprintf(_ipsec_if[i].name, IFNAMSIZ, "ipsec%d", i);
-}
-
-void
-starter_ifaces_clear (void)
-{
-    int sock;
-    unsigned int i;
-
-    sock = socket(AF_INET, SOCK_DGRAM, 0);
-    if (sock < 0)
-	return;
-
-    for (i = 0; i < N_IPSEC_IF; i++)
-	_iface_down (sock, &(_ipsec_if[i]));
-}
-
-int
-starter_ifaces_load(char **ifaces, unsigned int omtu, bool nat_t
-, defaultroute_t *defaultroute)
-{
-    char *tmp_phys, *phys;
-    int n;
-    char **i;
-    int sock;
-    int j, found;
-    int ret = 0;
-    struct ifreq physreq, ipsecreq; // re-attach interface
-    struct sockaddr_in *inp1, *inp2; // re-attach interface
-
-    DBG(DBG_CONTROL,
-	DBG_log("starter_ifaces_load()")
-    )
-
-    sock = socket(AF_INET, SOCK_DGRAM, 0);
-    if (sock < 0)
-	return -1;
-
-    for (j = 0; j < N_IPSEC_IF; j++)
-    {
-	found = 0;
-
-	for (i = ifaces; i && *i; i++)
-	{
-	    if (valid_str(*i, &n, &tmp_phys, defaultroute)
-	    && tmp_phys
-	    && n >= 0
-	    && n < N_IPSEC_IF)
-	    {
-		if (n==j)
-		{
-		    if (found)
-		    {
-			plog( "ignoring duplicate entry for interface ipsec%d", j);
-		    }
-		    else
-		    {
-			found++;
-			phys = _find_physical_iface(sock, tmp_phys);
-
-			/* Re-attach ipsec interface if IP address changes
-			 * sscholz@astaro.com
-			 */
-			if (phys)
-			{
-			    memset ((void*)&physreq, 0, sizeof(physreq));
-			    memset ((void*)&ipsecreq, 0, sizeof(ipsecreq));
-			    strncpy(physreq.ifr_name, phys, IFNAMSIZ);
-			    sprintf(ipsecreq.ifr_name, "ipsec%d", j);
-			    ioctl(sock, SIOCGIFADDR, &physreq);
-			    ioctl(sock, SIOCGIFADDR, &ipsecreq);
-			    inp1 = (struct sockaddr_in *)&physreq.ifr_addr;
-			    inp2 = (struct sockaddr_in *)&ipsecreq.ifr_addr;
-			    if (inp1->sin_addr.s_addr != inp2->sin_addr.s_addr)
-			    {
-				plog("IP address of physical interface changed "
-				     "-> reinit of ipsec interface");
-				_iface_down (sock, &(_ipsec_if[n]));
-			    }
-			    ret += _iface_up (sock, &(_ipsec_if[n]), phys, omtu, nat_t);
-			}
-			else
-			{
-			    ret += _iface_down (sock, &(_ipsec_if[n]));
-			}
-		    }
-		}
-	    }
-	    else if (j == 0)
-	    {
-		/* Only log in the first loop */
-		plog("ignoring invalid interface '%s'", *i);
-	    }
-	}
-	if (!found)
-	    ret += _iface_down (sock, &(_ipsec_if[j]));
-    }
-
-    close(sock);
-    return ret; /* = number of changes - 'whack --listen' if > 0 */
-}
-
-/*
- * initialize a defaultroute_t struct
- */
-static void
-init_defaultroute(defaultroute_t *defaultroute)
-{
-    memset(defaultroute, 0, sizeof(defaultroute_t));
-}
-
 /*
  * discover the default route via /proc/net/route
  */
@@ -486,7 +43,7 @@ get_defaultroute(defaultroute_t *defaultroute)
     char line[BUF_LEN];
     bool first = TRUE;
 
-    init_defaultroute(defaultroute);
+    memset(defaultroute, 0, sizeof(defaultroute_t));
 
     fd = fopen("/proc/net/route", "r");
 
diff --git a/src/starter/interfaces.h b/src/starter/interfaces.h
index 9898c0516..ed6b0ef57 100644
--- a/src/starter/interfaces.h
+++ b/src/starter/interfaces.h
@@ -28,12 +28,6 @@ typedef struct {
     ip_address nexthop;
 } defaultroute_t;
 
-extern void starter_ifaces_init (void);
-extern int starter_iface_find(char *iface, int af, ip_address *dst
-    , ip_address *nh);
-extern int starter_ifaces_load (char **ifaces, unsigned int omtu, bool nat_t
-    , defaultroute_t *defaultroute);
-extern void starter_ifaces_clear (void);
 extern void get_defaultroute(defaultroute_t *defaultroute);
 
 
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index 240d98391..5ea47f69f 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -187,6 +187,11 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
 	arg[argc++] = "--pkcs11module";
 	arg[argc++] = cfg->setup.pkcs11module;
     }
+    if (cfg->setup.pkcs11initargs)
+    {
+	arg[argc++] = "--pkcs11initargs";
+	arg[argc++] = cfg->setup.pkcs11initargs;
+    }
     if (cfg->setup.pkcs11keepstate)
     {
 	arg[argc++] = "--pkcs11keepstate";
diff --git a/src/starter/ipsec.conf b/src/starter/ipsec.conf
index 76b85b23a..b1e5d5e0c 100644
--- a/src/starter/ipsec.conf
+++ b/src/starter/ipsec.conf
@@ -1,14 +1,8 @@
 # ipsec.conf - strongSwan IPsec configuration file
 
-# Manual:    man 5 ipsec.conf
-# Help:      http://www.strongswan.org/docs/readme.htm
-
-version	2.0	# conforms to second version of ipsec.conf specification
-
 # basic configuration
 
 config setup
-	# Debug-logging controls: "none" for (almost) none, "all" for lots.
 	# plutodebug=all
 	# crlcheckinterval=600
 	# strictcrlpolicy=yes
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index c80c5166b..2dbcfcfd7 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "20 Jan 2006"
+.TH IPSEC.CONF 5 "27 Jun 2007"
 .\" RCSID $Id: ipsec.conf.5,v 1.2 2006/01/22 15:33:46 as Exp $
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
@@ -143,7 +143,7 @@ section specifies general configuration information for IPsec, a
 .B conn
 section specifies an IPsec connection, while a
 .B ca
-section specifies special properties a certification authority.
+section specifies special properties of a certification authority.
 .SH "CONN SECTIONS"
 A
 .B conn
@@ -158,13 +158,12 @@ Here's a simple example:
 .ft B
 .ta 1c
 conn snt
-	left=10.11.11.1
-	leftsubnet=10.0.1.0/24
-	leftnexthop=172.16.55.66
-	right=192.168.22.1
-	rightsubnet=10.0.2.0/24
-	rightnexthop=172.16.88.99
+	left=192.168.0.1
+	leftsubnet=10.1.0.0/16
+	right=192.168.0.2
+	rightsubnet=10.1.0.0/16
 	keyingtries=%forever
+	auto=add
 .ft
 .fi
 .PP
@@ -172,7 +171,7 @@ A note on terminology: There are two kinds of communications going on:
 transmission of user IP packets, and gateway-to-gateway negotiations for
 keying, rekeying, and general control.
 The path to control the connection is called 'ISAKMP SA' in IKEv1 and
-'IKE SA' in the IKEv2 protocol. That what is beeing negotiated, the kernel
+'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
 level data path, is called 'IPsec SA'.
 strongSwan currently uses two separate keying daemons. Pluto handles
 all IKEv1 connections, Charon is the new daemon supporting the IKEv2 protocol.
@@ -220,151 +219,47 @@ Unless otherwise noted, for a connection to work,
 in general it is necessary for the two ends to agree exactly
 on the values of these parameters.
 .TP 14
-.B type
-the type of the connection; currently the accepted values
-are
-.B tunnel
-(the default)
-signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
-.BR transport ,
-signifying host-to-host transport mode;
-.BR passthrough ,
-signifying that no IPsec processing should be done at all;
-.BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
-Charon currently supports only 
-.BR tunnel
-and
-.BR transport
-connection types.
-.TP
-.B left
-(required)
-the IP address of the left participant's public-network interface,
-in any form accepted by
-.IR ipsec_ttoaddr (3)
-or one of several magic values.
-If it is
-.BR %defaultroute ,
-and
-the
-.B config
-.B setup
-section's,
-.B interfaces
-specification contains
-.BR %defaultroute,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time);
-this also overrides any value supplied for
-.BR leftnexthop .
-(Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.)
-The value
-.B %any
-signifies an address to be filled in (by automatic keying) during
-negotiation.
-.TP
-.B leftsubnet
-private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR
-(actually, any form acceptable to
-.IR ipsec_ttosubnet (3));
-if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant
-only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greates common subnet.
-.TP
-.B leftnexthop
-next-hop gateway IP address for the left participant's connection
-to the public network;
-defaults to
-.B %direct
-(meaning
-.IR right ).
-If the value is to be overridden by the
-.B left=%defaultroute
-method (see above),
-an explicit value must
-.I not
-be given.
-If that method is not being used,
-but
-.B leftnexthop
-is
-.BR %defaultroute ,
-and
-.B interfaces=%defaultroute
-is used in the
-.B config
-.B setup
-section,
-the next-hop gateway address of the default-route interface
-will be used.
-The magic value
-.B %direct
-signifies a value to be filled in (by automatic keying)
-with the peer's address.
-Relevant only locally, other end need not agree on it. Currently not supported
-in IKEv2.
+.B ah
+AH authentication algorithm to be used
+for the connection, e.g.
+.B hmac-md5.
 .TP
-.B leftupdown
-what ``updown'' script to run to adjust routing and/or firewalling
-when the status of the connection
-changes (default
-.BR "ipsec _updown" ).
-May include positional parameters separated by white space
-(although this requires enclosing the whole string in quotes);
-including shell metacharacters is unwise.
-See
-.IR ipsec_pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
-script to insert firewall rules only. Routing is not support and will be
-implemented directly into Charon.
+.B auth
+whether authentication should be done as part of
+ESP encryption, or separately using the AH protocol;
+acceptable values are
+.B esp
+(the default) and
+.BR ah .
+The IKEv2 daemon currently supports only ESP.
 .TP
-.B leftfirewall
-whether the left participant is doing forwarding-firewalling
-(including masquerading) for traffic from \fIleftsubnet\fR,
-which should be turned off (for traffic to the other subnet)
-once the connection is established;
+.B authby
+how the two security gateways should authenticate each other;
 acceptable values are
-.B yes
-and (the default)
-.BR no .
-May not be used in the same connection description with
-.BR leftupdown .
-Implemented as a parameter to the default
-.I updown
-script.
-See notes below.
-Relevant only locally, other end need not agree on it.
-
-If one or both security gateways are doing forwarding firewalling
-(possibly including masquerading),
-and this is specified using the firewall parameters,
-tunnels established with IPsec are exempted from it
-so that packets can flow unchanged through the tunnels.
-(This means that all subnets connected in this manner must have
-distinct, non-overlapping subnet address blocks.)
-This is done by the default
-.I updown
-script (see
-.IR ipsec_pluto (8)).
-
-In situations calling for more control,
-it may be preferable for the user to supply his own
-.I updown
-script,
-which makes the appropriate adjustments for his system.
+.B secret
+or
+.B psk
+for shared secrets,
+.B rsasig
+for RSA digital signatures (the default),
+.B secret|rsasig
+for either, and
+.B never
+if negotiation is never to be attempted or accepted (useful for shunt-only conns).
+Digital signatures are superior in every way to shared secrets. In IKEv2, the
+two ends must not agree on this parameter, it is relevant for the
+outbound authentication method only.
+IKEv1 additionally supports the values
+.B xauthpsk
+and
+.B xauthrsasig
+that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
+based on shared secrets  or digital RSA signatures, respectively.
+IKEv2 additionally supports the value
+.B eap,
+which indicates an initiator to request EAP authentication. The EAP method to 
+use is selected by the server (see
+.B eap).
 .TP
 .B auto
 what operation, if any, should be done automatically at IPsec startup;
@@ -375,8 +270,7 @@ currently-accepted values are
 ,
 .B start
 and
-.B ignore
-.
+.BR ignore .
 .B add
 loads a connection without starting it.
 .B route
@@ -396,34 +290,6 @@ both ends should use
 .B auto=start
 to ensure that any reboot causes immediate renegotiation).
 .TP
-.B auth
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-The IKEv2 daemon currently supports only ESP.
-.TP
-.B authby
-how the two security gateways should authenticate each other;
-acceptable values are
-.B secret
-for shared secrets,
-.B rsasig
-for RSA digital signatures (the default),
-.B secret|rsasig
-for either, and
-.B never
-if negotiation is never to be attempted or accepted (useful for shunt-only conns).
-Digital signatures are superior in every way to shared secrets. In IKEv2, the
-two ends must not agree on this parameter, it is relevant for the own
-authentication method only. IKEv2 additionally supports the value
-.B eap,
-which indicates an initiator to request EAP authentication. The EAP method to 
-use is selected by the server (see
-.B eap).
-.TP
 .B compress
 whether IPComp compression of content is proposed on the connection
 (link-level compression does not work on encrypted data,
@@ -447,24 +313,26 @@ controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
 R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
 are periodically sent in order to check the
 liveliness of the IPsec peer. The values
-.B clear
-and
-.B hold
-both activate DPD. If no activity is detected, all connections with a dead peer
+.BR clear ,
+.BR hold ,
+and 
+.B restart
+all activate DPD. If no activity is detected, all connections with a dead peer
 are stopped and unrouted (
 .B clear
-) or put in the hold state (
+), put in the hold state (
 .B hold
-). For
-.B IKEv1
-, the default is
+) or restarted (
+.B restart
+).
+For IKEv1, the default is
 .B none
 which disables the active sending of R_U_THERE notifications.
 Nevertheless pluto will always send the DPD Vendor ID during connection set up
 in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. For
-.B IKEv2, none
-does't make sense, as all messages are used to detect dead peers. If specified,
+wants to use DPD. For IKEv2,
+.B none
+does't make sense, since all messages are used to detect dead peers. If specified,
 it has the same meaning as the default (
 .B clear
 ).
@@ -481,16 +349,28 @@ defines the timeout interval, after which all connections to a peer are deleted
 in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
 .TP
-.B failureshunt
-what to do with packets when negotiation fails.
-The default is
-.BR none :
-no shunt;
-.BR passthrough ,
-.BR drop ,
-and
-.B reject
-have the obvious meanings. Has no effect in IKEv2 yet.
+.B eap
+defines the EAP type to be used if 
+.B authby=eap
+is selected. Acceptable values are
+.B aka
+for EAP-AKA and
+.B sim
+for EAP-SIM.
+.TP
+.B esp
+ESP encryption/authentication algorithm to be used
+for the connection, e.g.
+.B 3des-md5
+(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup
+and rekeying include a separate diffe hellman exchange (IKEv2 only).
+.TP
+.B ike
+IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g.
+.B aes128-sha1-modp2048
+(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals
+may be included, such as
+.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
 .TP
 .B ikelifetime
 how long the keying channel of a connection ('ISAKMP/IKE SA')
@@ -545,6 +425,52 @@ although if they do not,
 there will be some clutter of superseded connections on the end
 which thinks the lifetime is longer.
 .TP
+.B left
+(required)
+the IP address of the left participant's public-network interface,
+in any form accepted by
+.IR ttoaddr (3)
+or one of several magic values.
+If it is
+.BR %defaultroute ,
+.B left
+will be filled in automatically with the local address
+of the default-route interface (as determined at IPsec startup time).
+(Either
+.B left
+or
+.B right
+may be
+.BR %defaultroute ,
+but not both.)
+The value
+.B %any
+signifies an address to be filled in (by automatic keying) during
+negotiation. The prefix
+.B  %
+in front of a fully-qualified domain name or an IP address will implicitly set
+.B leftallowany=yes.
+If the domain name cannot be resolved into an IP address at IPsec startup or update time
+then
+.B left=%any
+and
+.B leftallowany=no
+will be assumed.
+.TP
+.B leftallowany
+a modifier for
+.B left
+, making it behave as
+.B %any
+although a concrete IP address has been assigned.
+Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or
+update time.
+Acceptable values are
+.B yes
+and
+.B no
+(the default).
+.TP
 .B leftca
 the distinguished name of a certificate authority which is required to
 lie in the trust path going from the left participant's certificate up
@@ -553,8 +479,7 @@ to the root certification authority.
 .B leftcert
 the path to the left participant's X.509 certificate. The file can be coded either in
 PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to
-.B /etc/ipsec.d/certs
+Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
 are accepted. By default
 .B leftcert
 sets 
@@ -566,14 +491,57 @@ The left participant's ID can be overriden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
 .TP
+.B leftfirewall
+whether the left participant is doing forwarding-firewalling
+(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
+which should be turned off (for traffic to the other subnet)
+once the connection is established;
+acceptable values are
+.B yes
+and
+.B no
+(the default).
+May not be used in the same connection description with
+.BR leftupdown .
+Implemented as a parameter to the default \fBipsec _updown\fR script.
+See notes below.
+Relevant only locally, other end need not agree on it.
+
+If one or both security gateways are doing forwarding firewalling
+(possibly including masquerading),
+and this is specified using the firewall parameters,
+tunnels established with IPsec are exempted from it
+so that packets can flow unchanged through the tunnels.
+(This means that all subnets connected in this manner must have
+distinct, non-overlapping subnet address blocks.)
+This is done by the default \fBipsec _updown\fR script (see
+.IR pluto (8)).
+
+In situations calling for more control,
+it may be preferable for the user to supply his own
+.I updown
+script,
+which makes the appropriate adjustments for his system.
+.TP
 .B leftgroups
 a comma separated list of group names. If the
 .B leftgroups
 parameter is present then the peer must be a member of at least one
 of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts\fP thas has been
+by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has been
 issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts\fP. Attribute certificates are not supported in IKEv2 yet.
+\fI/etc/ipsec.d/aacerts/\fP. Attribute certificates are not supported in IKEv2 yet.
+.TP
+.B lefthostaccess
+inserts a pair of INPUT and OUTPUT iptables rules using the default
+\fBipsec _updown\fR script, thus allowing access to the host itself
+in the case where the host's internal interface is part of the
+negotiated client subnet.
+Acceptable values are
+.B yes
+and
+.B no
+(the default).
 .TP
 .B leftid
 how
@@ -582,24 +550,67 @@ should be identified for authentication;
 defaults to
 .BR left .
 Can be an IP address (in any
-.IR ipsec_ttoaddr (3)
+.IR ttoaddr (3)
 syntax)
 or a fully-qualified domain name preceded by
 .B @
 (which is used as a literal string and not resolved).
+.TP
+.B leftnexthop
+this parameter is not needed any more because the NETKEY IPsec stack does
+not require explicit routing entries for the traffic to be tunneled.
+.TP
+.B leftprotoport
+restrict the traffic selector to a single protocol and/or port.
+Examples:
+.B leftprotoport=tcp/http
+or
+.B leftprotoport=6/80
+or
+.B leftprotoport=udp
+.TP
+.B leftrsasigkey
+the left participant's
+public key for RSA signature authentication,
+in RFC 2537 format using
+.IR ttodata (3)
+encoding.
 The magic value
-.B %myid
-stands for the current setting of \fImyid\fP.
-This is set in \fBconfig setup\fP or by \fIipsec_whack\fP(8)), or, if not set,
-it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
-it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
+.B %none
+means the same as not specifying a value (useful to override a default).
+The value
+.B %cert
+(the default)
+means that the key is extracted from a certificate.
+The identity used for the left participant
+must be a specific host, not
+.B %any
+or another magic value.
+.B Caution:
+if two connection descriptions
+specify different public keys for the same
+.BR leftid ,
+confusion and madness will ensue.
+.TP
+.B leftsendcert
+Accepted values are
+.B never
+or
+.BR no ,
+.B always
+or
+.BR yes ,
+and
+.BR ifasked .
 .TP
 .B leftsourceip
 The internal source IP to use in a tunnel, also known as virtual IP. If the
 value is
-.B %modeconfig
+.BR %modeconfig ,
+.BR %modecfg ,
+.BR %config ,
 or
-.B %config,
+.B %cfg,
 an address is requested from the peer. In IKEv2, a defined address is requested,
 but the server may change it. If the server does not support it, the address
 is enforced. 
@@ -611,9 +622,47 @@ value is
 on the responder side, the initiator must propose a address which is then echoed
 back.
 .TP
+.B leftsubnet
+private subnet behind the left participant, expressed as
+\fInetwork\fB/\fInetmask\fR
+(actually, any form acceptable to
+.IR ttosubnet (3));
+if omitted, essentially assumed to be \fIleft\fB/32\fR,
+signifying that the left end of the connection goes to the left participant
+only. When using IKEv2, the configured subnet of the peers may differ, the
+protocol narrows it to the greates common subnet.
+.TP
 .B leftsubnetwithin
+the peer can propose any subnet or single IP address that fits within the
+range defined by
+.BR leftsubnetwithin.
 Not relevant for IKEv2, as subnets are narrowed.
 .TP
+.B leftupdown
+what ``updown'' script to run to adjust routing and/or firewalling
+when the status of the connection
+changes (default
+.BR "ipsec _updown" ).
+May include positional parameters separated by white space
+(although this requires enclosing the whole string in quotes);
+including shell metacharacters is unwise.
+See
+.IR pluto (8)
+for details.
+Relevant only locally, other end need not agree on it. IKEv2 uses the updown
+script to insert firewall rules only. Routing is not support and will be
+implemented directly into Charon.
+.TP
+.B modeconfig
+defines which mode is used to assign a virtual IP.
+Accepted values are
+.B push
+and
+.B pull
+(the default).
+Currently relevant for IKEv1 only since IKEv2 always uses the configuration
+payload in pull mode.
+.TP
 .B pfs
 whether Perfect Forward Secrecy of keys is desired on the connection's
 keying channel
@@ -623,9 +672,20 @@ acceptable values are
 .B yes
 (the default)
 and
-.BR no
-. IKEv2 always uses PFS for IKE_SA rekeying. PFS for rekeying IPsec SAs is
-currently not supported.
+.BR no.
+IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
+PFS is enforced by defining a Diffie-Hellman modp group in the
+.B esp
+parameter.
+.TP
+.B reauth
+whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
+reauthentication is always done. In IKEv2, a value of
+.B no
+rekeys without uninstalling the IPsec SAs, a value of
+.B yes
+(the default) creates a new IKE_SA from scratch and tries to recreate
+all IPsec SAs.
 .TP
 .B rekey
 whether a connection should be renegotiated when it is about to expire;
@@ -634,8 +694,7 @@ acceptable values are
 (the default)
 and
 .BR no .
-The two ends need not agree,
-but while a value of
+The two ends need not agree, but while a value of
 .B no
 prevents Pluto/Charon from requesting renegotiation,
 it does not prevent responding to renegotiation requested from the other end,
@@ -643,15 +702,6 @@ so
 .B no
 will be largely ineffective unless both ends agree on it.
 .TP
-.B reauth
-whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
-reauthentication is always done. In IKEv2, a value of
-.B no
-rekeys without uninstalling the IPsec SAs, a value of
-.B yes
-(the default) creates a new IKE_SA from scratch and tries to recreate
-all IPsec SAs.
-.TP
 .B rekeyfuzz
 maximum percentage by which
 .B rekeymargin
@@ -661,7 +711,7 @@ acceptable values are an integer,
 which may exceed 100,
 followed by a `%'
 (default set by
-.IR ipsec_pluto (8),
+.IR pluto (8),
 currently
 .BR 100% ).
 The value of
@@ -684,24 +734,36 @@ begin; acceptable values as for
 .BR 9m ).
 Relevant only locally, other end need not agree on it.
 .TP
-.B ike
-IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g.
-.B aes128-sha1-modp2048
-(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals
-may be included, such as
-.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
-.TP
-.B esp
-ESP encryption/authentication algorithm to be used
-for the connection, e.g.
-.B 3des-md5
-(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup
-and rekeying include a separate diffe hellman exchange (IKEv2 only).
+.B type
+the type of the connection; currently the accepted values
+are
+.B tunnel
+(the default)
+signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
+.BR transport ,
+signifying host-to-host transport mode;
+.BR passthrough ,
+signifying that no IPsec processing should be done at all;
+.BR drop ,
+signifying that packets should be discarded; and
+.BR reject ,
+signifying that packets should be discarded and a diagnostic ICMP returned.
+Charon currently supports only 
+.BR tunnel
+and
+.BR transport
+connection types.
 .TP
-.B ah
-AH authentication algorithm to be used
-for the connection, e.g.
-.B hmac-md5.
+.B xauth
+specifies the role in the XAUTH protocol if activated by
+.B authby=xauthpsk
+or
+.B authby=xauthrsasig.
+Accepted values are
+.B server
+and
+.B client
+(the default).
 .SH "CA SECTIONS"
 This are optional sections that can be used to assign special
 parameters to a Certification Authority (CA). These parameters are not 
@@ -721,14 +783,25 @@ defines a path to the CA certificate either relative to
 .B crluri
 defines a CRL distribution point (ldap, http, or file URI)
 .TP
+.B crluri1
+synonym for
+.B crluri.
+.TP
 .B crluri2
 defines an alternative CRL distribution point (ldap, http, or file URI)
 .TP
 .B ldaphost
-defines an ldap host.
+defines an ldap host. Currently used by IKEv1 only.
 .TP
 .B ocspuri
 defines an OCSP URI.
+.TP
+.B ocspuri1
+synonym for
+.B ocspuri.
+.TP
+.B ocspuri2
+defines an alternative OCSP URI. Currently used by IKEv2 only.
 .SH "CONFIG SECTIONS"
 At present, the only
 .B config
@@ -736,7 +809,7 @@ section known to the IPsec software is the one named
 .BR setup ,
 which contains information used when the software is being started
 (see
-.IR ipsec_setup (8)).
+.IR starter (8)).
 Here's an example:
 .PP
 .ne 8
@@ -744,10 +817,9 @@ Here's an example:
 .ft B
 .ta 1c
 config setup
-	interfaces="ipsec0=eth1 ipsec1=ppp0"
-	klipsdebug=none
 	plutodebug=all
-	manualstart=
+	crlcheckinterval=10m
+	strictcrlpolicy=yes
 .ft
 .fi
 .PP
@@ -759,78 +831,107 @@ names in a
 .B setup
 section are:
 .TP 14
-.B myid
-the identity to be used for
-.BR %myid .
-.B %myid
-is used in the implicit policy group conns and can be used as
-an identity in explicit conns.
-If unspecified,
-.B %myid
-is set to the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
-the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
-An explicit value generally starts with ``\fB@\fP''.
-.TP
-.B interfaces
-virtual and physical interfaces for IPsec to use:
-a single
-\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
-by white space, or
-.BR %none .
-One of the pairs may be written as
-.BR %defaultroute ,
-which means: find the interface \fId\fR that the default route points to,
-and then act as if the value was ``\fBipsec0=\fId\fR''.
-.B %defaultroute
-is the default;
-.B %none
-must be used to denote no interfaces.
-If
-.B %defaultroute
-is used (implicitly or explicitly)
-information about the default route and its interface is noted for
-use by
-.IR ipsec_manual (8)
+.B cachecrls
+certificate revocation lists (CRLs) fetched via http or ldap will be cached in
+\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
+authority's public key.
+Accepted values are
+.B yes
 and
-.IR ipsec_auto (8).)
-.TP
-.B forwardcontrol
-whether
-.I setup
-should turn IP forwarding on
-(if it's not already on) as IPsec is started,
-and turn it off again (if it was off) as IPsec is stopped;
-acceptable values are
+.B no
+(the default).
+.TP
+.B charonstart
+whether to start the IKEv2 Charon daemon or not.
+Accepted values are
+.B yes
+(the default)
+or
+.BR no .
+.TP
+.B crlcheckinterval
+interval in seconds. CRL fetching is enabled if the value is greater than zero.
+Asynchronous, periodic checking for fresh CRLs is currently done by the
+IKEv1 Pluto daemon only.
+.TP
+.B dumpdir
+in what directory should things started by \fBipsec starter\fR
+(notably the Pluto and Charon daemons) be allowed to dump core?
+The empty value (the default) means they are not
+allowed to.
+This feature is currently not yet supported by \fBipsec starter\fR.
+.TP
+.B plutostart
+whether to start the IKEv1 Pluto daemon or not.
+Accepted values are
 .B yes
-and (the default)
+(the default)
+or
 .BR no .
-For this to have full effect, forwarding must be
-disabled before the hardware interfaces are brought
-up (e.g.,
-.B "net.ipv4.ip_forward\ =\ 0"
-in Red Hat 6.x
-.IR /etc/sysctl.conf ),
-because IPsec doesn't get control early enough to do that.
-.TP
-.B rp_filter
-whether and how
-.I setup
-should adjust the reverse path filtering mechanism for the
-physical devices to be used.
-Values are \fB%unchanged\fP (to leave it alone)
-or \fB0\fP, \fB1\fP, \fB2\fP (values to set it to).
-\fI/proc/sys/net/ipv4/conf/PHYS/rp_filter\fP
-is badly documented; it must be \fB0\fP in many cases
-for ipsec to function.
-The default value for the parameter is \fB0\fP.
-.TP
-.B syslog
-the
-.IR syslog (2)
-``facility'' name and priority to use for
-startup/shutdown log messages,
-default
-.BR daemon.error .
+.TP
+.B strictcrlpolicy
+defines if a fresh CRL must be available in order for the peer authentication based
+on RSA signatures to succeed.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+IKEv2 additionally recognizes
+.B ifuri
+which reverts to
+.B yes
+if at least one CRL URI is defined and to
+.B no
+if no URI is known.
+.PP
+The following
+.B config section
+parameters are used by the IKEv1 Pluto daemon only:
+.TP
+.B keep_alive
+interval in seconds between NAT keep alive packets, the default being 20 seconds.
+.TP
+.B nat_traversal
+activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
+being able of floating to udp/4500 if a NAT situation is detected.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+.B nocrsend
+no certificate request payloads will be sent.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+Used by IKEv1 only, NAT traversal always being active in IKEv2.
+.TP
+.B pkcs11initargs
+non-standard argument string for PKCS#11 C_Initialize() function;
+required by NSS softoken.
+.TP
+.B pkcs11module
+defines the path to a dynamically loadable PKCS #11 library.
+.TP
+.B pkcs11keepstate
+PKCS #11 login sessions will be kept during the whole lifetime of the keying
+daemon. Useful with pin-pad smart card readers.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.B pkcs11proxy
+Pluto will act as a PKCS #11 proxy accessible via the whack interface.
+Accepted values are
+.B yes
+and
+.B no
+(the default).
 .TP
 .B plutodebug
 how much Pluto debugging output should be logged.
@@ -847,57 +948,11 @@ Otherwise only the specified types of output
 prefix,
 separated by white space) are enabled;
 for details on available debugging types, see
-.IR ipsec_pluto (8).
-.TP
-.B charondebug
-how much Charon debugging output should be logged.
-A comma separated list containing type level/pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private)
+.IR pluto (8).
 .TP
-.B plutoopts
-additional options to pass to pluto upon startup. See
-.IR ipsec_pluto (8).
-.TP
-.B plutostderrlog
-do not use syslog, but rather log to stderr, and direct stderr to the
-argument file.
-.TP
-.B dumpdir
-in what directory should things started by
-.I setup
-(notably the Pluto daemon) be allowed to
-dump core?
-The empty value (the default) means they are not
-allowed to.
-.TP
-.B pluto
-whether to start Pluto or not;
-Values are
-.B yes
-(the default)
-or
-.B no
-(useful only in special circumstances).
-.TP
-.B plutowait
-should Pluto wait for each
-negotiation attempt that is part of startup to
-finish before proceeding with the next?
-Values are
-.B yes
-or
-.BR no
-(the default).
-.TP
-.B prepluto
-shell command to run before starting Pluto
-(e.g., to decrypt an encrypted copy of the
+.B postpluto
+shell command to run after starting Pluto
+(e.g., to remove a decrypted copy of the
 .I ipsec.secrets
 file).
 It's run in a very simple way;
@@ -908,9 +963,9 @@ so running interactive commands is difficult unless they use
 or equivalent for their interaction.
 Default is none.
 .TP
-.B postpluto
-shell command to run after starting Pluto
-(e.g., to remove a decrypted copy of the
+.B prepluto
+shell command to run before starting Pluto
+(e.g., to decrypt an encrypted copy of the
 .I ipsec.secrets
 file).
 It's run in a very simple way;
@@ -921,6 +976,43 @@ so running interactive commands is difficult unless they use
 or equivalent for their interaction.
 Default is none.
 .TP
+.B virtual_private
+defines private networks using a wildcard notation.
+.TP
+.B uniqueids
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+.PP
+The following
+.B config section
+parameters are used by the IKEv2 Charon daemon only:
+.TP
+.B charondebug
+how much Charon debugging output should be logged.
+A comma separated list containing type level/pairs may
+be specified, e.g:
+.B dmn 3, ike 1, net -1.
+Acceptable values for types are
+.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
+and the level is one of
+.B -1, 0, 1, 2, 3, 4
+(for silent, audit, control, controlmore, raw, private).
+.PP
+The following
+.B config section
+parameters only make sense if the KLIPS IPsec stack
+is used instead of the default NETKEY stack of the Linux 2.6 kernel:
+.TP
 .B fragicmp
 whether a tunnel's need to fragment a packet should be reported
 back with an ICMP message,
@@ -939,37 +1031,26 @@ acceptable values are
 .B yes
 (the default)
 and
-.BR no .
+.BR no
 .TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
+.B interfaces
+virtual and physical interfaces for IPsec to use:
+a single
+\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
+by white space, or
+.BR %none .
+One of the pairs may be written as
+.BR %defaultroute ,
+which means: find the interface \fId\fR that the default route points to,
+and then act as if the value was ``\fBipsec0=\fId\fR''.
+.B %defaultroute
+is the default;
+.B %none
+must be used to denote no interfaces.
 .TP
 .B overridemtu
 value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
 overriding IPsec's (large) default.
-This parameter is needed only in special situations.
-.TP
-.B nat_traversal
-.TP
-.B crlcheckinterval
-.TP
-.B strictcrlpolicy
-.TP
-.B pkcs11module
-.TP
-.B pkcs11keepstate
-
 .SH CHOOSING A CONNECTION
 .PP
 When choosing a connection to apply to an outbound packet caught with a 
@@ -988,87 +1069,20 @@ information about the client subnets to complete the instantiation.
 .SH FILES
 .nf
 /etc/ipsec.conf
+/etc/ipsec.d/aacerts
+/etc/ipsec.d/acerts
 /etc/ipsec.d/cacerts
 /etc/ipsec.d/certs
 /etc/ipsec.d/crls
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
 
 .SH SEE ALSO
-ipsec(8), ipsec_ttoaddr(8), ipsec_auto(8), ipsec_manual(8), ipsec_rsasigkey(8)
+ipsec(8), pluto(8), starter(8), ttoaddr(3), ttodata(3)
 .SH HISTORY
-Written  for  the  FreeS/WAN project
-<http://www.freeswan.org>
-by Henry Spencer.  Extended for the strongSwan project
+Written  for  the  FreeS/WAN project by Henry Spencer.
+Extended for the strongSwan project
 <http://www.strongswan.org>
-by Andreas Steffen. Updated to respect IKEv2 specific configuration
-by Martin Willi.
+by Andreas Steffen. IKEv2-specific features by Martin Willi.
 .SH BUGS
 .PP
-When
-.B type
-or 
-.B failureshunt
-is set to
-.B drop
-or
-.BR reject,
-strongSwan blocks outbound packets using eroutes, but assumes inbound
-blocking is handled by the firewall. strongSwan offers firewall hooks 
-via an ``updown'' script.  However, the default 
-.B ipsec _updown
-provides no help in controlling a modern firewall.
-.PP
-Including attributes of the keying channel
-(authentication methods,
-.BR ikelifetime ,
-etc.)
-as an attribute of a connection,
-rather than of a participant pair, is dubious and incurs limitations.
-.PP
-.IR Ipsec_manual
-is not nearly as generous about the syntax of subnets,
-addresses, etc. as the usual strongSwan user interfaces.
-Four-component dotted-decimal must be used for all addresses.
-It
-.I is
-smart enough to translate bit-count netmasks to dotted-decimal form.
-.PP
-It would be good to have a line-continuation syntax,
-especially for the very long lines involved in
-RSA signature keys.
-.PP
-The ability to specify different identities,
-.BR authby ,
-and public keys for different automatic-keyed connections
-between the same participants is misleading;
-this doesn't work dependably because the identity of the participants
-is not known early enough.
-This is especially awkward for the ``Road Warrior'' case,
-where the remote IP address is specified as
-.BR 0.0.0.0 ,
-and that is considered to be the ``participant'' for such connections.
-.PP
-In principle it might be necessary to control MTU on an
-interface-by-interface basis,
-rather than with the single global override that
-.B overridemtu
-provides.
-.PP
-A number of features which \fIcould\fR be implemented in
-both manual and automatic keying
-actually are not yet implemented for manual keying.
-This is unlikely to be fixed any time soon.
-.PP
-If conns are to be added before DNS is available,
-\fBleft=\fP\fIFQDN\fP,
-\fBleftnextop=\fP\fIFQDN\fP,
-and
-.B leftrsasigkey=%dnsonload
+If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
 will fail.
-.IR ipsec_pluto (8)
-does not actually use the public key for our side of a conn but it
-isn't generally known at a add-time which side is ours (Road Warrior
-and Opportunistic conns are currently exceptions).
-.PP
-The \fBmyid\fP option does not affect explicit \fB ipsec auto \-\-add\fP or \fBipsec auto \-\-replace\fP commands for implicit conns.
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 215b95ad6..f7f24eefb 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -56,12 +56,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 90
+#define TOTAL_KEYWORDS 93
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
 #define MIN_HASH_VALUE 15
-#define MAX_HASH_VALUE 188
-/* maximum key range = 174, duplicates = 0 */
+#define MAX_HASH_VALUE 209
+/* maximum key range = 195, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -77,32 +77,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189,  40,
-       10, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189,  80, 189,  20,
-       75,   5,  95,   0,  30,   0, 189,  55,   0,  45,
-        0,  35,  20, 189,  15,  70,  40,  15,  20, 189,
-        0,  25,   0, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
-      189, 189, 189, 189, 189, 189
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210,  40,
+        5, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210,  90, 210,  25,
+       75,   5,  85,   0,  95,   0, 210,  55,   0,  25,
+        0,  70,  20, 210,  15,  70,  40,  20,   5, 210,
+        5,  65,   0, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210
     };
   return len + asso_values[(unsigned char)str[1]] + asso_values[(unsigned char)str[0]] + asso_values[(unsigned char)str[len - 1]];
 }
@@ -116,7 +116,8 @@ static const struct kw_entry wordlist[] =
     {"leftfirewall",      KW_LEFTFIREWALL},
     {""}, {""}, {""},
     {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
-    {""}, {""}, {""}, {""},
+    {""}, {""}, {""},
+    {"virtual_private",   KW_VIRTUAL_PRIVATE},
     {"rightupdown",       KW_RIGHTUPDOWN},
     {""},
     {"rightfirewall",     KW_RIGHTFIREWALL},
@@ -129,30 +130,23 @@ static const struct kw_entry wordlist[] =
     {""},
     {"leftnexthop",       KW_LEFTNEXTHOP},
     {"leftsourceip",      KW_LEFTSOURCEIP},
-    {""}, {""},
-    {"virtual_private",   KW_VIRTUAL_PRIVATE},
-    {"crluri",            KW_CRLURI},
-    {""},
-    {"leftrsasigkey",     KW_LEFTRSASIGKEY},
-    {""},
+    {""}, {""}, {""}, {""}, {""}, {""}, {""},
     {"rightnatip",        KW_RIGHTNATIP},
-    {""},
+    {"crluri",            KW_CRLURI},
     {"rightnexthop",      KW_RIGHTNEXTHOP},
     {"rightsourceip",     KW_RIGHTSOURCEIP},
     {"left",              KW_LEFT},
-    {"rekey",             KW_REKEY},
-    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
+    {""}, {""},
     {"crluri2",           KW_CRLURI2},
     {"leftcert",          KW_LEFTCERT,},
-    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
+    {""},
     {"leftsubnet",        KW_LEFTSUBNET},
-    {"reauth",            KW_REAUTH},
+    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
     {"leftsendcert",      KW_LEFTSENDCERT},
     {"leftprotoport",     KW_LEFTPROTOPORT},
     {""},
     {"right",             KW_RIGHT},
-    {"charondebug",       KW_CHARONDEBUG},
-    {"ocspuri",           KW_OCSPURI},
+    {""}, {""},
     {"ike",               KW_IKE},
     {"rightcert",         KW_RIGHTCERT},
     {"klipsdebug",        KW_KLIPSDEBUG},
@@ -163,78 +157,95 @@ static const struct kw_entry wordlist[] =
     {"plutostart",        KW_PLUTOSTART},
     {"ikelifetime",       KW_IKELIFETIME},
     {"keylife",           KW_KEYLIFE},
-    {"ocspuri2",          KW_OCSPURI2},
-    {"type",              KW_TYPE},
+    {""}, {""},
     {"keep_alive",        KW_KEEP_ALIVE},
     {"keyexchange",       KW_KEYEXCHANGE},
+    {""}, {""}, {""},
+    {"interfaces",        KW_INTERFACES},
     {""},
-    {"prepluto",          KW_PREPLUTO},
+    {"leftallowany",      KW_LEFTALLOWANY},
+    {"leftrsasigkey",     KW_LEFTRSASIGKEY},
     {""},
-    {"interfaces",        KW_INTERFACES},
-    {"overridemtu",       KW_OVERRIDEMTU},
-    {"crluri1",           KW_CRLURI},
-    {""}, {""},
     {"leftgroups",        KW_LEFTGROUPS},
     {"leftid",            KW_LEFTID},
-    {""},
+    {"crluri1",           KW_CRLURI},
     {"ldapbase",          KW_LDAPBASE},
     {"lefthostaccess",    KW_LEFTHOSTACCESS},
-    {"modeconfig",        KW_MODECONFIG},
-    {"leftca",            KW_LEFTCA},
+    {"rekey",             KW_REKEY},
+    {""},
     {"pkcs11module",      KW_PKCS11MODULE},
-    {"nat_traversal",     KW_NAT_TRAVERSAL},
-    {"uniqueids",         KW_UNIQUEIDS},
+    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
     {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
     {"rightgroups",       KW_RIGHTGROUPS},
     {"rightid",           KW_RIGHTID},
     {"esp",               KW_ESP},
-    {"postpluto",         KW_POSTPLUTO},
+    {"uniqueids",         KW_UNIQUEIDS},
     {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {"charonstart",       KW_CHARONSTART},
-    {"rightca",           KW_RIGHTCA},
-    {"ocspuri1",          KW_OCSPURI},
+    {"leftca",            KW_LEFTCA},
+    {"ocspuri",           KW_OCSPURI},
+    {"nat_traversal",     KW_NAT_TRAVERSAL},
     {"dpdaction",         KW_DPDACTION},
+    {"modeconfig",        KW_MODECONFIG},
+    {"overridemtu",       KW_OVERRIDEMTU},
+    {""},
+    {"ocspuri2",          KW_OCSPURI2},
+    {""}, {""}, {""},
+    {"rightca",           KW_RIGHTCA},
+    {"prepluto",          KW_PREPLUTO},
+    {"type",              KW_TYPE},
     {""},
     {"eapdir",            KW_EAPDIR},
-    {"hidetos",           KW_HIDETOS},
-    {"eap",               KW_EAP},
-    {""}, {""},
-    {"pkcs11proxy",       KW_PKCS11PROXY},
     {"dumpdir",           KW_DUMPDIR},
+    {"eap",               KW_EAP},
     {""}, {""},
-    {"xauth",             KW_XAUTH},
-    {""}, {""},
-    {"nocrsend",          KW_NOCRSEND},
-    {"also",              KW_ALSO},
-    {""}, {""}, {""},
-    {"ldaphost",          KW_LDAPHOST},
-    {""}, {""},
-    {"authby",            KW_AUTHBY},
+    {"reauth",            KW_REAUTH},
     {""},
-    {"dpddelay",          KW_DPDDELAY},
-    {"auth",              KW_AUTH},
-    {""}, {""}, {""},
-    {"compress",          KW_COMPRESS},
-    {"auto",              KW_AUTO},
-    {""}, {""}, {""},
+    {"ldaphost",          KW_LDAPHOST},
+    {""}, {""}, {""}, {""},
     {"fragicmp",          KW_FRAGICMP},
     {""}, {""},
-    {"keyingtries",       KW_KEYINGTRIES},
+    {"charondebug",       KW_CHARONDEBUG},
     {""},
     {"pfsgroup",          KW_PFSGROUP},
+    {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {"keyingtries",       KW_KEYINGTRIES},
+    {""},
+    {"ocspuri1",          KW_OCSPURI},
     {""},
     {"dpdtimeout",        KW_DPDTIMEOUT},
+    {""}, {""}, {""}, {""}, {""},
+    {"pkcs11proxy",       KW_PKCS11PROXY},
+    {""},
+    {"nocrsend",          KW_NOCRSEND},
+    {""}, {""}, {""}, {""}, {""},
+    {"pkcs11initargs",    KW_PKCS11INITARGS},
+    {""},
     {"cacert",            KW_CACERT},
+    {""},
+    {"packetdefault",     KW_PACKETDEFAULT},
+    {"also",              KW_ALSO},
     {""}, {""}, {""},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
+    {"dpddelay",          KW_DPDDELAY},
+    {"postpluto",         KW_POSTPLUTO},
+    {""},
+    {"charonstart",       KW_CHARONSTART},
+    {"hidetos",           KW_HIDETOS},
+    {"compress",          KW_COMPRESS},
+    {""}, {""}, {""}, {""},
+    {"pfs",               KW_PFS},
     {""}, {""},
-    {"packetdefault",     KW_PACKETDEFAULT},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {"authby",            KW_AUTHBY},
+    {""}, {""},
+    {"auto",              KW_AUTO},
+    {""}, {""}, {""}, {""}, {""},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
+    {""}, {""}, {""},
     {"cachecrls",         KW_CACHECRLS},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {"pfs",               KW_PFS}
+    {"xauth",             KW_XAUTH},
+    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {""}, {""}, {""}, {""},
+    {"auth",              KW_AUTH}
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 08d50fea0..8f5108ad8 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -25,9 +25,9 @@ typedef enum {
     KW_CHARONSTART,
     KW_PLUTOSTART,
 
-	/* pluto/charon keywords */
+    /* pluto/charon keywords */
     KW_PLUTODEBUG,
-	KW_CHARONDEBUG,
+    KW_CHARONDEBUG,
     KW_PREPLUTO,
     KW_POSTPLUTO,
     KW_UNIQUEIDS,
@@ -41,6 +41,7 @@ typedef enum {
     KW_VIRTUAL_PRIVATE,
     KW_EAPDIR,
     KW_PKCS11MODULE,
+    KW_PKCS11INITARGS,
     KW_PKCS11KEEPSTATE,
     KW_PKCS11PROXY,
 
@@ -112,6 +113,7 @@ typedef enum {
     KW_NATIP,
     KW_FIREWALL,
     KW_HOSTACCESS,
+    KW_ALLOWANY,
     KW_UPDOWN,
     KW_ID,
     KW_RSASIGKEY,
@@ -134,6 +136,7 @@ typedef enum {
     KW_LEFTNATIP,
     KW_LEFTFIREWALL,
     KW_LEFTHOSTACCESS,
+    KW_LEFTALLOWANY,
     KW_LEFTUPDOWN,
     KW_LEFTID,
     KW_LEFTRSASIGKEY,
@@ -155,6 +158,7 @@ typedef enum {
     KW_RIGHTNATIP,
     KW_RIGHTFIREWALL,
     KW_RIGHTHOSTACCESS,
+    KW_RIGHTALLOWANY,
     KW_RIGHTUPDOWN,
     KW_RIGHTID,
     KW_RIGHTRSASIGKEY,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 0f943fc3c..573a2389a 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -50,6 +50,7 @@ virtual_private,   KW_VIRTUAL_PRIVATE
 eap,               KW_EAP
 eapdir,            KW_EAPDIR
 pkcs11module,      KW_PKCS11MODULE
+pkcs11initargs,    KW_PKCS11INITARGS
 pkcs11keepstate,   KW_PKCS11KEEPSTATE
 pkcs11proxy,       KW_PKCS11PROXY
 keyexchange,       KW_KEYEXCHANGE
@@ -91,6 +92,7 @@ leftsourceip,      KW_LEFTSOURCEIP
 leftnatip,         KW_LEFTNATIP
 leftfirewall,      KW_LEFTFIREWALL
 lefthostaccess,    KW_LEFTHOSTACCESS
+leftallowany,      KW_LEFTALLOWANY
 leftupdown,        KW_LEFTUPDOWN
 leftid,            KW_LEFTID
 leftrsasigkey,     KW_LEFTRSASIGKEY
@@ -107,6 +109,7 @@ rightsourceip,     KW_RIGHTSOURCEIP
 rightnatip,        KW_RIGHTNATIP
 rightfirewall,     KW_RIGHTFIREWALL
 righthostaccess,   KW_RIGHTHOSTACCESS
+rightallowany,     KW_RIGHTALLOWANY
 rightupdown,       KW_RIGHTUPDOWN
 rightid,           KW_RIGHTID
 rightrsasigkey,    KW_RIGHTRSASIGKEY
diff --git a/src/starter/starter.8 b/src/starter/starter.8
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/src/starter/starter.8
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 0bf1d7a71..3cf7017fd 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -237,9 +237,13 @@ int main (int argc, char **argv)
     }
 
     cfg = confread_load(CONFIG_FILE);
-    if (!cfg)
+    if (cfg == NULL || cfg->err > 0)
     {
-	plog("unable to start strongSwan -- errors in config");
+	plog("unable to start strongSwan -- fatal errors in config");
+	if (cfg)
+	{
+	    confread_free(cfg);
+	}
 	exit(1);
     }
 
@@ -276,6 +280,7 @@ int main (int argc, char **argv)
 		    dup2(fnull, STDERR_FILENO);
 		    close(fnull);
 		}
+		setsid(); 
 	    }
 	    break;
 	    case -1:
@@ -372,7 +377,7 @@ int main (int argc, char **argv)
 	       );
 	    new_cfg = confread_load(CONFIG_FILE);
 
-	    if (new_cfg)
+	    if (new_cfg->err + new_cfg->non_fatal_err == 0)
 	    {
 		/* Switch to new config. New conn will be loaded below */
 		if (!starter_cmp_defaultroute(&new_cfg->defaultroute
@@ -465,7 +470,8 @@ int main (int argc, char **argv)
 	    }
 	    else
 	    {
-		plog("can't reload config file: %s -- keeping old one");
+		plog("can't reload config file due to errors -- keeping old one");
+		confread_free(new_cfg);
 	    }
 	    _action_ &= ~FLAG_ACTION_UPDATE;
 	    last_reload = time(NULL);
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 42328849a..e920fc7ee 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -170,6 +170,7 @@ set_whack_end(whack_end_t *w, starter_end_t *end)
     w->has_natip           = end->has_natip;
     w->modecfg             = end->modecfg;
     w->hostaccess          = end->hostaccess;
+    w->allow_any           = end->allow_any;
     w->sendcert            = end->sendcert;
     w->updown              = end->updown;
     w->host_port           = IKE_UDP_PORT;
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index a32dc8b90..8ca5f0144 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -126,6 +126,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index e9a7af85d..136ebc521 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -126,6 +126,7 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
diff --git a/src/whack/whack.h b/src/whack/whack.h
index 49ef67995..91463b0dd 100644
--- a/src/whack/whack.h
+++ b/src/whack/whack.h
@@ -65,6 +65,7 @@ struct whack_end {
     bool has_natip;
     bool modecfg;
     bool hostaccess;
+    bool allow_any;
     certpolicy_t sendcert;
     char *updown;		/* string */
     u_int16_t host_port;	/* host order */
diff --git a/testing/INSTALL b/testing/INSTALL
index d19c7eafe..a48c5a253 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,7 +53,7 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.1.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.5.tar.bz2
 
     * Starting with Linux kernel 2.6.9 no patch must be applied any more in order
       to make the vanilla kernel UML-capable. For older kernels you'll find
@@ -67,11 +67,11 @@ are required for the strongSwan testing environment:
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
-      http://download.strongswan.org/uml/gentoo-fs-20061006.tar.bz2
+      http://download.strongswan.org/uml/gentoo-fs-20070702.tar.bz2
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.1.3.tar.gz
+      http://download.strongswan.org/strongswan-4.1.4.tar.gz
 
 
 3. Creating the environment
diff --git a/testing/do-tests b/testing/do-tests
index 8cb99410b..72379bda0 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -79,6 +79,8 @@ do
         eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
         ;;
     alice)
+        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
         ;;
     venus)
         ;;
@@ -191,7 +193,7 @@ do
 	echo "    <tr>" >> $INDEX
     echo "      <td>$FIRST</td>">> $INDEX
     echo "      <td><a href=\"$SUBDIR/index.html\">$SUBDIR</a></td>" >> $INDEX
-    echo "      <td align=\"right\"></td>" >> $INDEX
+    echo "      <td align=\"right\">x</td>" >> $INDEX
     echo "      <td>&nbsp;</td>" >> $INDEX
     echo "    </tr>" >> $INDEX
 	SUBTESTSINDEX=$TODAYDIR/$SUBDIR/index.html
@@ -278,8 +280,10 @@ do
 		searchandreplace PH_IP6_SUN      $ipv6_sun  $TESTDIR
 		;;
 	    alice)
-		searchandreplace PH_IP_ALICE     $ipv4_alice $TESTDIR
-		searchandreplace PH_IP6_ALICE    $ipv6_alice $TESTDIR
+		searchandreplace PH_IP_ALICE1    $ipv4_alice1 $TESTDIR
+		searchandreplace PH_IP_ALICE     $ipv4_alice  $TESTDIR
+		searchandreplace PH_IP6_ALICE1   $ipv6_alice1 $TESTDIR
+		searchandreplace PH_IP6_ALICE    $ipv6_alice  $TESTDIR
 		;;
 	    venus)
 		searchandreplace PH_IP_VENUS     $ipv4_venus $TESTDIR
diff --git a/testing/hosts/alice/etc/conf.d/net b/testing/hosts/alice/etc/conf.d/net
index 02494db97..41e8887c4 100644
--- a/testing/hosts/alice/etc/conf.d/net
+++ b/testing/hosts/alice/etc/conf.d/net
@@ -4,6 +4,8 @@
 #
 config_eth0=( "PH_IP_ALICE broadcast 10.1.255.255 netmask 255.255.0.0"
               "PH_IP6_ALICE/16" )
+config_eth1=( "PH_IP_ALICE1 broadcast 192.168.0.255 netmask 255.255.255.0"
+              "PH_IP6_ALICE1/16" )
 
 # For setting the default gateway
 #
diff --git a/testing/hosts/alice/etc/init.d/net.eth1 b/testing/hosts/alice/etc/init.d/net.eth1
new file mode 100755
index 000000000..92b3851cf
--- /dev/null
+++ b/testing/hosts/alice/etc/init.d/net.eth1
@@ -0,0 +1,1124 @@
+#!/sbin/runscript
+# Copyright (c) 2004-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Contributed by Roy Marples (uberlord@gentoo.org)
+# Many thanks to Aron Griffis (agriffis@gentoo.org)
+# for help, ideas and patches
+
+#NB: Config is in /etc/conf.d/net
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	need localmount
+	after bootmisc hostname
+	use isapnp isdn pcmcia usb wlan
+
+	# Load any custom depend functions for the given interface
+	# For example, br0 may need eth0 and eth1
+	local iface="${SVCNAME#*.}"
+	[[ $(type -t "depend_${iface}") == "function" ]] && depend_${iface}
+
+	if [[ ${iface} != "lo" && ${iface} != "lo0" ]] ; then
+		after net.lo net.lo0
+
+		# Support new style RC_NEED and RC_USE in one net file
+		local x="RC_NEED_${iface}"
+		[[ -n ${!x} ]] && need ${!x}
+		x="RC_USE_${iface}"
+		[[ -n ${!x} ]] && use ${!x}
+	fi
+
+	return 0
+}
+
+# Define where our modules are
+MODULES_DIR="${svclib}/net"
+
+# Make some wrappers to fudge after/before/need/use depend flags.
+# These are callbacks so MODULE will be set.
+after() {
+	eval "${MODULE}_after() { echo \"$*\"; }"
+}
+before() {
+	eval "${MODULE}_before() { echo \"$*\"; }"
+}
+need() {
+	eval "${MODULE}_need() { echo \"$*\"; }"
+}
+installed() {
+	# We deliberately misspell this as _installed will probably be used
+	# at some point
+	eval "${MODULE}_instlled() { echo \"$*\"; }"
+}
+provide() {
+	eval "${MODULE}_provide() { echo \"$*\"; }"
+}
+functions() {
+	eval "${MODULE}_functions() { echo \"$*\"; }"
+}
+variables() {
+	eval "${MODULE}_variables() { echo \"$*\"; }"
+}
+
+is_loopback() {
+	[[ $1 == "lo" || $1 == "lo0" ]]
+}
+
+# char* interface_device(char *iface)
+#
+# Gets the base device of the interface
+# Can handle eth0:1 and eth0.1
+# Which returns eth0 in this case
+interface_device() {
+	local dev="${1%%.*}"
+	[[ ${dev} == "$1" ]] && dev="${1%%:*}"
+	echo "${dev}"
+}
+
+# char* interface_type(char* iface)
+#
+# Returns the base type of the interface
+# eth, ippp, etc
+interface_type() {
+	echo "${1%%[0-9]*}"
+}
+
+# int calculate_metric(char *interface, int base)
+#
+# Calculates the best metric for the interface
+# We use this when we add routes so we can prefer interfaces over each other
+calculate_metric() {
+	local iface="$1" metric="$2"
+
+	# Have we already got a metric?
+	local m=$(awk '$1=="'${iface}'" && $2=="00000000" { print $7 }' \
+		/proc/net/route)
+	if [[ -n ${m} ]] ; then
+		echo "${m}"
+		return 0
+	fi
+
+	local i= dest= gw= flags= ref= u= m= mtu= metrics=
+	while read i dest gw flags ref u m mtu ; do
+		# Ignore lo
+		is_loopback "${i}" && continue
+		# We work out metrics from default routes only
+		[[ ${dest} != "00000000" || ${gw} == "00000000" ]] && continue
+		metrics="${metrics}\n${m}"
+	done < /proc/net/route
+
+	# Now, sort our metrics
+	metrics=$(echo -e "${metrics}" | sort -n)
+
+	# Now, find the lowest we can use
+	local gotbase=false
+	for m in ${metrics} ; do
+		[[ ${m} -lt ${metric} ]] && continue
+		[[ ${m} == ${metric} ]] && ((metric++))
+		[[ ${m} -gt ${metric} ]] && break
+	done
+	
+	echo "${metric}"
+}
+
+# int netmask2cidr(char *netmask)
+#
+# Returns the CIDR of a given netmask
+netmask2cidr() {
+	local binary= i= bin=
+
+	for i in ${1//./ }; do
+		bin=""
+		while [[ ${i} != "0" ]] ; do
+			bin=$[${i}%2]${bin}
+			(( i=i>>1 ))
+		done
+		binary="${binary}${bin}"
+	done
+	binary="${binary%%0*}"
+	echo "${#binary}"
+}
+
+
+# bool is_function(char* name)
+#
+# Returns 0 if the given name is a shell function, otherwise 1
+is_function() {
+	[[ -z $1 ]] && return 1
+	[[ $(type -t "$1") == "function" ]]
+}
+
+# void function_wrap(char* source, char* target)
+#
+# wraps function calls - for example function_wrap(this, that)
+# maps function names this_* to that_*
+function_wrap() {
+	local i=
+
+	is_function "${2}_depend" && return
+
+	for i in $(typeset -f | grep -o '^'"${1}"'_[^ ]*'); do
+		eval "${2}${i#${1}}() { ${i} \"\$@\"; }"
+	done
+}
+
+# char[] * expand_parameters(char *cmd)
+#
+# Returns an array after expanding parameters. For example
+# "192.168.{1..3}.{1..3}/24 brd +"
+# will return
+# "192.168.1.1/24 brd +"
+# "192.168.1.2/24 brd +"
+# "192.168.1.3/24 brd +"
+# "192.168.2.1/24 brd +"
+# "192.168.2.2/24 brd +"
+# "192.168.2.3/24 brd +"
+# "192.168.3.1/24 brd +"
+# "192.168.3.2/24 brd +"
+# "192.168.3.3/24 brd +"
+expand_parameters() {
+	local x=$(eval echo ${@// /_})
+	local -a a=( ${x} )
+
+	a=( "${a[@]/#/\"}" )
+	a=( "${a[@]/%/\"}" )
+	echo "${a[*]//_/ }"
+}
+
+# void configure_variables(char *interface, char *option1, [char *option2])
+#
+# Maps configuration options from <variable>_<option> to <variable>_<iface>
+# option2 takes precedence over option1
+configure_variables() {
+	local iface="$1" option1="$2" option2="$3"
+
+	local mod= func= x= i=
+	local -a ivars=() ovars1=() ovars2=()
+	local ifvar=$(bash_variable "${iface}")
+
+	for mod in ${MODULES[@]}; do
+		is_function ${mod}_variables || continue
+		for v in $(${mod}_variables) ; do
+			x=
+			[[ -n ${option2} ]] && x="${v}_${option2}[@]"
+			[[ -z ${!x} ]] && x="${v}_${option1}[@]"
+			[[ -n ${!x} ]] && eval "${v}_${ifvar}=( \"\${!x}\" )"
+		done
+	done
+
+	return 0
+}
+# bool module_load_minimum(char *module)
+#
+# Does the minimum checking on a module - even when forcing
+module_load_minimum() {
+	local f="$1.sh" MODULE="${1##*/}"
+
+	if [[ ! -f ${f} ]] ; then
+		eerror "${f} does not exist"
+		return 1
+	fi
+
+	if ! source "${f}" ; then
+		eerror "${MODULE} failed a sanity check"
+		return 1
+	fi
+
+	for f in depend; do
+		is_function "${MODULE}_${f}" && continue
+		eerror "${MODULE}.sh does not support the required function ${f}"
+		return 1
+	done
+
+	return 0
+}
+
+# bool modules_load_auto()
+#
+# Load and check each module for sanity
+# If the module is not installed, the functions are to be removed
+modules_load_auto() {
+	local i j inst
+
+	# Populate the MODULES array
+	# Basically we treat evey file in ${MODULES_DIR} as a module
+	MODULES=( $( cd "${MODULES_DIR}" ; ls *.sh ) )
+	j="${#MODULES[@]}"
+	for (( i=0; i<j; i++ )); do
+		MODULES[i]="${MODULES_DIR}/${MODULES[i]}"
+		[[ ! -f ${MODULES[i]} ]] && unset MODULES[i]
+	done
+	MODULES=( "${MODULES[@]}" )
+
+	# Each of these sources into the global namespace, so it's
+	# important that module functions and variables are prefixed with
+	# the module name, for example iproute2_
+
+	j="${#MODULES[@]}"
+	loaded_interface=false
+	for (( i=0; i<j; i++ )); do
+		MODULES[i]="${MODULES[i]%.sh*}"
+		if [[ ${MODULES[i]##*/} == "interface" ]] ; then
+			eerror "interface is a reserved name - cannot load a module called interface"
+			return 1
+		fi
+		
+		(
+		u=0;
+		module_load_minimum "${MODULES[i]}" || u=1;
+		if [[ ${u} == 0 ]] ; then
+			inst="${MODULES[i]##*/}_check_installed";
+			if is_function "${inst}" ; then
+				${inst} false || u=1;
+			fi
+		fi
+		exit "${u}";
+		)
+
+		if [[ $? == 0 ]] ; then
+			source "${MODULES[i]}.sh"
+			MODULES[i]="${MODULES[i]##*/}"
+		else
+			unset MODULES[i]
+		fi
+	done
+
+	MODULES=( "${MODULES[@]}" )
+	return 0
+}
+
+# bool modules_check_installed(void)
+#
+# Ensure that all modules have the required modules loaded
+# This enables us to remove modules from the MODULES array
+# Whilst other modules can still explicitly call them
+# One example of this is essidnet which configures network
+# settings for the specific ESSID connected to as the user
+# may be using a daemon to configure wireless instead of our
+# iwconfig module
+modules_check_installed() {
+	local i j missingdeps nmods="${#MODULES[@]}"
+
+	for (( i=0; i<nmods; i++ )); do
+		is_function "${MODULES[i]}_instlled" || continue
+		for j in $( ${MODULES[i]}_instlled ); do
+			missingdeps=true
+			if is_function "${j}_check_installed" ; then
+				${j}_check_installed && missingdeps=false
+			elif is_function "${j}_depend" ; then
+				missingdeps=false
+			fi
+			${missingdeps} && unset MODULES[i] && unset PROVIDES[i] && break
+		done
+	done
+
+	MODULES=( "${MODULES[@]}" )
+	PROVIDES=( "${PROVIDES[@]}" )
+}
+
+# bool modules_check_user(void)
+modules_check_user() {
+	local iface="$1" ifvar=$(bash_variable "${IFACE}")
+	local i= j= k= l= nmods="${#MODULES[@]}"
+	local -a umods=()
+
+	# Has the interface got any specific modules?
+	umods="modules_${ifvar}[@]"
+	umods=( "${!umods}" )
+
+	# Global setting follows interface-specific setting
+	umods=( "${umods[@]}" "${modules[@]}" )
+
+	# Add our preferred modules
+	local -a pmods=( "iproute2" "dhcpcd" "iwconfig" "netplugd" )
+	umods=( "${umods[@]}" "${pmods[@]}" )
+
+	# First we strip any modules that conflict from user settings
+	# So if the user specifies pump then we don't use dhcpcd
+	for (( i=0; i<${#umods[@]}; i++ )); do
+		# Some users will inevitably put "dhcp" in their modules
+		# list.  To keep users from screwing up their system this
+		# way, ignore this setting so that the default dhcp
+		# module will be used.
+		[[ ${umods[i]} == "dhcp" ]] && continue
+
+		# We remove any modules we explicitly don't want
+		if [[ ${umods[i]} == "!"* ]] ; then
+			for (( j=0; j<nmods; j++ )); do
+				[[ -z ${MODULES[j]} ]] && continue
+				if [[ ${umods[i]:1} == "${MODULES[j]}" \
+					|| ${umods[i]:1} == "${PROVIDES[j]}" ]] ; then
+					# We may need to setup a class wrapper for it even though
+					# we don't use it directly
+					# However, we put it into an array and wrap later as
+					# another module may provide the same thing
+					${MODULES[j]}_check_installed \
+						&& WRAP_MODULES=(
+							"${WRAP_MODULES[@]}"
+							"${MODULES[j]} ${PROVIDES[j]}"
+						)
+					unset MODULES[j]
+					unset PROVIDES[j]
+				fi
+			done
+			continue
+		fi
+
+		if ! is_function "${umods[i]}_depend" ; then
+			# If the module is one of our preferred modules, then
+			# ignore this error; whatever is available will be
+			# used instead.
+			(( i < ${#umods[@]} - ${#pmods[@]} )) || continue
+
+			# The function may not exist because the modules software is
+			# not installed. Load the module and report its error
+			if [[ -e "${MODULES_DIR}/${umods[i]}.sh" ]] ; then
+				source "${MODULES_DIR}/${umods[i]}.sh"
+				is_function "${umods[i]}_check_installed" \
+					&& ${umods[i]}_check_installed true
+			else
+				eerror "The module \"${umods[i]}\" does not exist"
+			fi
+			return 1
+		fi
+
+		if is_function "${umods[i]}_provide" ; then
+			mod=$(${umods[i]}_provide)
+		else
+			mod="${umods[i]}"
+		fi
+		for (( j=0; j<nmods; j++ )); do
+			[[ -z ${MODULES[j]} ]] && continue
+			if [[ ${PROVIDES[j]} == "${mod}" && ${umods[i]} != "${MODULES[j]}" ]] ; then
+				# We don't have a match - now ensure that we still provide an
+				# alternative. This is to handle our preferred modules.
+				for (( l=0; l<nmods; l++ )); do
+					[[ ${l} == "${j}" || -z ${MODULES[l]} ]] && continue
+					if [[ ${PROVIDES[l]} == "${mod}" ]] ; then
+						unset MODULES[j]
+						unset PROVIDES[j]
+						break
+					fi
+				done
+			fi
+		done
+	done
+
+	# Then we strip conflicting modules.
+	# We only need to do this for 3rd party modules that conflict with
+	# our own modules and the preferred list AND the user modules
+	# list doesn't specify a preference.
+	for (( i=0; i<nmods-1; i++ )); do
+		[[ -z ${MODULES[i]} ]] && continue			
+		for (( j=i+1; j<nmods; j++)); do
+			[[ -z ${MODULES[j]} ]] && continue
+			[[ ${PROVIDES[i]} == "${PROVIDES[j]}" ]] \
+			&& unset MODULES[j] && unset PROVIDES[j]
+		done
+	done
+
+	MODULES=( "${MODULES[@]}" )
+	PROVIDES=( "${PROVIDES[@]}" )
+	return 0
+}
+
+# void modules_sort(void)
+#
+# Sort our modules
+modules_sort() {
+	local i= j= nmods=${#MODULES[@]} m=
+	local -a provide=() provide_list=() after=() dead=() sorted=() sortedp=()
+
+	# Make our provide list
+	for ((i=0; i<nmods; i++)); do
+		dead[i]="false"
+		if [[ ${MODULES[i]} != "${PROVIDES[i]}" ]] ; then
+			local provided=false
+			for ((j=0; j<${#provide[@]}; j++)); do
+				if [[ ${provide[j]} == "${PROVIDES[i]}" ]] ; then
+					provide_list[j]="${provide_list[j]} ${MODULES[i]}"
+					provided=true
+				fi
+			done
+			if ! ${provided}; then
+				provide[j]="${PROVIDES[i]}"
+				provide_list[j]="${MODULES[i]}"
+			fi
+		fi
+	done
+
+	# Create an after array, which holds which modules the module at
+	# index i must be after
+	for ((i=0; i<nmods; i++)); do
+		if is_function "${MODULES[i]}_after" ; then
+			after[i]=" ${after[i]} $(${MODULES[i]}_after) "
+		fi
+		if is_function "${MODULES[i]}_before" ; then
+			for m in $(${MODULES[i]}_before); do
+				for ((j=0; j<nmods; j++)) ; do
+					if [[ ${PROVIDES[j]} == "${m}" ]] ; then
+						after[j]=" ${after[j]} ${MODULES[i]} "
+						break
+					fi
+				done
+			done
+		fi
+	done
+
+	# Replace the after list modules with real modules
+	for ((i=0; i<nmods; i++)); do
+		if [[ -n ${after[i]} ]] ; then
+			for ((j=0; j<${#provide[@]}; j++)); do
+				after[i]="${after[i]// ${provide[j]} / ${provide_list[j]} }"
+			done
+		fi
+	done
+	
+	# We then use the below code to provide a topologial sort
+    module_after_visit() {
+        local name="$1" i= x=
+
+		for ((i=0; i<nmods; i++)); do
+			[[ ${MODULES[i]} == "$1" ]] && break
+		done
+
+        ${dead[i]} && return
+        dead[i]="true"
+
+        for x in ${after[i]} ; do
+            module_after_visit "${x}"
+        done
+
+        sorted=( "${sorted[@]}" "${MODULES[i]}" )
+		sortedp=( "${sortedp[@]}" "${PROVIDES[i]}" )
+    }
+
+	for x in ${MODULES[@]}; do
+		module_after_visit "${x}"
+	done
+
+	MODULES=( "${sorted[@]}" )
+	PROVIDES=( "${sortedp[@]}" )
+}
+
+# bool modules_check_depends(bool showprovides)
+modules_check_depends() {
+	local showprovides="${1:-false}" nmods="${#MODULES[@]}" i= j= needmod=
+	local missingdeps= p= interface=false
+
+	for (( i=0; i<nmods; i++ )); do
+		if is_function "${MODULES[i]}_need" ; then
+			for needmod in $(${MODULES[i]}_need); do
+				missingdeps=true
+				for (( j=0; j<nmods; j++ )); do
+					if [[ ${needmod} == "${MODULES[j]}" \
+						|| ${needmod} == "${PROVIDES[j]}" ]] ; then
+						missingdeps=false
+						break
+					fi
+				done
+				if ${missingdeps} ; then
+					eerror "${MODULES[i]} needs ${needmod} (dependency failure)"
+					return 1
+				fi
+			done
+		fi
+
+		if is_function "${MODULES[i]}_functions" ; then
+			for f in $(${MODULES[i]}_functions); do
+				if ! is_function "${f}" ; then
+					eerror "${MODULES[i]}: missing required function \"${f}\""
+					return 1
+				fi
+			done
+		fi
+
+		[[ ${PROVIDES[i]} == "interface" ]] && interface=true
+
+		if ${showprovides} ; then
+			[[ ${PROVIDES[i]} != "${MODULES[i]}" ]] \
+			&& veinfo "${MODULES[i]} provides ${PROVIDES[i]}"
+		fi
+	done
+
+	if ! ${interface} ; then
+		eerror "no interface module has been loaded"
+		return 1
+	fi
+
+	return 0
+}
+
+# bool modules_load(char *iface, bool starting)
+#
+# Loads the defined handler and modules for the interface
+# Returns 0 on success, otherwise 1
+modules_load()  {
+	local iface="$1" starting="${2:-true}" MODULE= p=false i= j= k=
+	local -a x=()
+	local RC_INDENTATION="${RC_INDENTATION}"
+	local -a PROVIDES=() WRAP_MODULES=()
+
+	if ! is_loopback "${iface}" ; then
+		x="modules_force_${iface}[@]"
+		[[ -n ${!x} ]] && modules_force=( "${!x}" )
+		if [[ -n ${modules_force} ]] ; then
+			ewarn "WARNING: You are forcing modules!"
+			ewarn "Do not complain or file bugs if things start breaking"
+			report=true
+		fi
+	fi
+
+	veinfo "Loading networking modules for ${iface}"
+	eindent
+
+	if [[ -z ${modules_force} ]] ; then
+		modules_load_auto || return 1
+	else
+		j="${#modules_force[@]}"
+		for (( i=0; i<j; i++ )); do
+			module_load_minimum "${MODULES_DIR}/${modules_force[i]}" || return 1
+			if is_function "${modules_force[i]}_check_installed" ; then
+				${modules_force[i]}_check_installed || unset modules_force[i]
+			fi
+		done
+		MODULES=( "${modules_force[@]}" )
+	fi
+
+	j="${#MODULES[@]}"
+	for (( i=0; i<j; i++ )); do
+		# Now load our dependencies - we need to use the MODULE variable
+		# here as the after/before/need functions use it
+		MODULE="${MODULES[i]}"
+		${MODULE}_depend
+
+		# expose does exactly the same thing as depend
+		# However it is more "correct" as it exposes things to other modules
+		# instead of depending on them ;)
+		is_function "${MODULES[i]}_expose" && ${MODULES[i]}_expose
+
+		# If no provide is given, assume module name
+		if is_function "${MODULES[i]}_provide" ; then
+			PROVIDES[i]=$(${MODULES[i]}_provide)
+		else
+			PROVIDES[i]="${MODULES[i]}"
+		fi
+	done
+
+	if [[ -n ${modules_force[@]} ]] ; then
+		# Strip any duplicate modules providing the same thing
+		j="${#MODULES[@]}"
+		for (( i=0; i<j-1; i++ )); do
+			[[ -z ${MODULES[i]} ]] && continue
+			for (( k=i+1; k<j; k++ )); do
+				if [[ ${PROVIDES[i]} == ${PROVIDES[k]} ]] ; then
+					unset MODULES[k]
+					unset PROVIDES[k]
+				fi
+			done
+		done
+		MODULES=( "${MODULES[@]}" )
+		PROVIDES=( "${PROVIDES[@]}" )
+	else
+		if ${starting}; then
+			modules_check_user "${iface}" || return 1
+		else
+			# Always prefer iproute2 for taking down interfaces
+			if is_function iproute2_provide ; then
+				function_wrap iproute2 "$(iproute2_provide)"
+			fi
+		fi
+	fi
+	
+	# Wrap our modules
+	j="${#MODULES[@]}"
+	for (( i=0; i<j; i++ )); do
+		function_wrap "${MODULES[i]}" "${PROVIDES[i]}"
+	done
+	j="${#WRAP_MODULES[@]}"
+	for (( i=0; i<j; i++ )); do
+		function_wrap ${WRAP_MODULES[i]}
+	done
+	
+	if [[ -z ${modules_force[@]} ]] ; then
+		modules_check_installed || return 1
+		modules_sort || return 1
+	fi
+
+	veinfo "modules: ${MODULES[@]}"
+	eindent
+
+	${starting} && p=true
+	modules_check_depends "${p}" || return 1
+	return 0
+}
+
+# bool iface_start(char *interface)
+#
+# iface_start is called from start.  It's expected to start the base
+# interface (for example "eth0"), aliases (for example "eth0:1") and to start
+# VLAN interfaces (for example eth0.0, eth0.1).  VLAN setup is accomplished by
+# calling itself recursively.
+iface_start() {
+	local iface="$1" mod config_counter="-1" x config_worked=false
+	local RC_INDENTATION="${RC_INDENTATION}"
+	local -a config=() fallback=() fallback_route=() conf=() a=() b=()
+	local ifvar=$(bash_variable "$1") i= j= metric=0
+
+	# pre Start any modules with
+	for mod in ${MODULES[@]}; do
+		if is_function "${mod}_pre_start" ; then
+			${mod}_pre_start "${iface}" || { eend 1; return 1; }
+		fi
+	done
+
+	x="metric_${ifvar}"
+	# If we don't have a metric then calculate one
+	# Our modules will set the metric variable to a suitable base
+	# in their pre starts.
+	if [[ -z ${!x} ]] ; then
+		eval "metric_${ifvar}=\"$(calculate_metric "${iface}" "${metric}")\""
+	fi
+
+	# We now expand the configuration parameters and pray that the
+	# fallbacks expand to the same number as config or there will be
+	# trouble!
+	a="config_${ifvar}[@]"
+	a=( "${!a}" )
+	for (( i=0; i<${#a[@]}; i++ )); do 
+		eval b=( $(expand_parameters "${a[i]}") )
+		config=( "${config[@]}" "${b[@]}" )
+	done
+
+	a="fallback_${ifvar}[@]"
+	a=( "${!a}" )
+	for (( i=0; i<${#a[@]}; i++ )); do 
+		eval b=( $(expand_parameters "${a[i]}") )
+		fallback=( "${fallback[@]}" "${b[@]}" )
+	done
+
+	# We don't expand routes
+	fallback_route="fallback_route_${ifvar}[@]"
+	fallback_route=( "${!fallback_route}" )
+	
+	# We must support old configs
+	if [[ -z ${config} ]] ; then
+		interface_get_old_config "${iface}" || return 1
+		if [[ -n ${config} ]] ; then
+			ewarn "You are using a deprecated configuration syntax for ${iface}"
+			ewarn "You are advised to read /etc/conf.d/net.example and upgrade it accordingly"
+		fi
+	fi
+
+	# Handle "noop" correctly
+	if [[ ${config[0]} == "noop" ]] ; then
+		if interface_is_up "${iface}" true ; then
+			einfo "Keeping current configuration for ${iface}"
+			eend 0
+			return 0
+		fi
+
+		# Remove noop from the config var
+		config=( "${config[@]:1}" )
+	fi
+
+	# Provide a default of DHCP if no configuration is set and we're auto
+	# Otherwise a default of NULL
+	if [[ -z ${config} ]] ; then
+		ewarn "Configuration not set for ${iface} - assuming DHCP"
+		if is_function "dhcp_start" ; then
+			config=( "dhcp" )
+		else
+			eerror "No DHCP client installed"
+			return 1
+		fi
+	fi
+
+	einfo "Bringing up ${iface}"
+	eindent
+	for (( config_counter=0; config_counter<${#config[@]}; config_counter++ )); do
+		# Handle null and noop correctly
+		if [[ ${config[config_counter]} == "null" \
+			|| ${config[config_counter]} == "noop" ]] ; then
+			eend 0
+			config_worked=true
+			continue
+		fi
+
+		# We convert it to an array - this has the added
+		# bonus of trimming spaces!
+		conf=( ${config[config_counter]} )
+		einfo "${conf[0]}"
+
+		# Do we have a function for our config?
+		if is_function "${conf[0]}_start" ; then
+			eindent
+			${conf[0]}_start "${iface}" ; x=$?
+			eoutdent
+			[[ ${x} == 0 ]] && config_worked=true && continue
+			# We need to test to see if it's an IP address or a function
+			# We do this by testing if the 1st character is a digit
+		elif [[ ${conf[0]:0:1} == [[:digit:]] || ${conf[0]} == *:* ]] ; then
+			x="0"
+			if ! is_loopback "${iface}" ; then
+				if [[ " ${MODULES[@]} " == *" arping "* ]] ; then
+					if arping_address_exists "${iface}" "${conf[0]}" ; then
+						eerror "${conf[0]%%/*} already taken on ${iface}"
+						x="1"
+					fi
+				fi
+			fi
+			[[ ${x} == "0" ]] && interface_add_address "${iface}" ${conf[@]}; x="$?"
+			eend "${x}" && config_worked=true && continue
+		else
+			if [[ ${conf[0]} == "dhcp" ]] ; then
+				eerror "No DHCP client installed"
+			else
+				eerror "No loaded modules provide \"${conf[0]}\" (${conf[0]}_start)"
+			fi
+		fi
+
+		if [[ -n ${fallback[config_counter]} ]] ; then
+			einfo "Trying fallback configuration"
+			config[config_counter]="${fallback[config_counter]}"
+			fallback[config_counter]=""
+
+			# Do we have a fallback route?
+			if [[ -n ${fallback_route[config_counter]} ]] ; then
+				x="fallback_route[config_counter]"
+				eval "routes_${ifvar}=( \"\${!x}\" )"
+				fallback_route[config_counter]=""
+			fi
+
+			(( config_counter-- )) # since the loop will increment it
+			continue
+		fi
+	done
+	eoutdent
+
+	# We return failure if no configuration parameters worked
+	${config_worked} || return 1
+
+	# Start any modules with _post_start
+	for mod in ${MODULES[@]}; do
+		if is_function "${mod}_post_start" ; then
+			${mod}_post_start "${iface}" || return 1
+		fi
+	done
+
+	return 0
+}
+
+# bool iface_stop(char *interface)
+#
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local iface="$1" i= aliases= need_begin=false mod=
+	local RC_INDENTATION="${RC_INDENTATION}"
+
+	# pre Stop any modules
+	for mod in ${MODULES[@]}; do
+		if is_function "${mod}_pre_stop" ; then
+			${mod}_pre_stop "${iface}" || return 1
+		fi
+	done
+
+	einfo "Bringing down ${iface}"
+	eindent
+
+	# Collect list of aliases for this interface.
+	# List will be in reverse order.
+	if interface_exists "${iface}" ; then
+		aliases=$(interface_get_aliases_rev "${iface}")
+	fi
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${iface}; do
+		# Stop all our modules
+		for mod in ${MODULES[@]}; do
+			if is_function "${mod}_stop" ; then
+				${mod}_stop "${i}" || return 1
+			fi
+		done
+
+		# A module may have removed the interface
+		if ! interface_exists "${iface}" ; then
+			eend 0
+			continue
+		fi
+
+		# We don't delete ppp assigned addresses
+		if ! is_function pppd_exists || ! pppd_exists "${i}" ; then
+			# Delete all the addresses for this alias
+			interface_del_addresses "${i}"
+		fi
+
+		# Do final shut down of this alias
+		if [[ ${IN_BACKGROUND} != "true" \
+			&& ${RC_DOWN_INTERFACE} == "yes" ]] ; then
+			ebegin "Shutting down ${i}"
+			interface_iface_stop "${i}"
+			eend "$?"
+		fi
+	done
+
+	# post Stop any modules
+	for mod in ${MODULES[@]}; do
+		# We have already taken down the interface, so no need to error
+		is_function "${mod}_post_stop" && ${mod}_post_stop "${iface}"
+	done
+
+	return 0
+}
+
+# bool run_start(char *iface)
+#
+# Brings up ${IFACE}.  Calls preup, iface_start, then postup.
+# Returns 0 (success) unless preup or iface_start returns 1 (failure).
+# Ignores the return value from postup.
+# We cannot check that the device exists ourselves as modules like
+# tuntap make create it.
+run_start() {
+	local iface="$1" IFVAR=$(bash_variable "$1")
+
+	# We do this so users can specify additional addresses for lo if they
+	# need too - additional routes too
+	# However, no extra modules are loaded as they are just not needed
+	if [[ ${iface} == "lo" ]] ; then
+		metric_lo="0"
+		config_lo=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
+		routes_lo=( "127.0.0.0/8" "${routes_lo[@]}" )
+	elif [[ ${iface} == "lo0" ]] ; then
+		metric_lo0="0"
+		config_lo0=( "127.0.0.1/8 brd 127.255.255.255" "${config_lo[@]}" )
+		routes_lo0=( "127.0.0.0/8" "${routes_lo[@]}" )
+	fi
+
+	# We may not have a loaded module for ${iface}
+	# Some users may have "alias natsemi eth0" in /etc/modules.d/foo
+	# so we can work with this
+	# However, if they do the same with eth1 and try to start it
+	# but eth0 has not been loaded then the module gets loaded as
+	# eth0.
+	# Not much we can do about this :(
+	# Also, we cannot error here as some modules - such as bridge
+	# create interfaces
+	if ! interface_exists "${iface}" ; then
+		/sbin/modprobe "${iface}" &>/dev/null
+	fi
+
+	# Call user-defined preup function if it exists
+	if is_function preup ; then
+		einfo "Running preup function"
+		eindent
+		( preup "${iface}" )
+		eend "$?" "preup ${iface} failed" || return 1
+		eoutdent
+	fi
+
+	# If config is set to noop and the interface is up with an address
+	# then we don't start it
+	local config=
+	config="config_${IFVAR}[@]"
+	config=( "${!config}" )
+	if [[ ${config[0]} == "noop" ]] && interface_is_up "${iface}" true ; then
+		einfo "Keeping current configuration for ${iface}"
+		eend 0
+	else
+		# Remove noop from the config var
+		[[ ${config[0]} == "noop" ]] \
+			&& eval "config_${IFVAR}=( "\"\$\{config\[@\]:1\}\"" )"
+
+		# There may be existing ip address info - so we strip it
+		if [[ ${RC_INTERFACE_KEEP_CONFIG} != "yes" \
+			&& ${IN_BACKGROUND} != "true" ]] ; then
+			interface_del_addresses "${iface}"
+		fi
+
+		# Start the interface
+		if ! iface_start "${iface}" ; then
+			if [[ ${IN_BACKGROUND} != "true" ]] ; then
+				interface_exists "${iface}" && interface_down "${iface}"
+			fi
+			eend 1
+			return 1
+		fi
+	fi
+
+	# Call user-defined postup function if it exists
+	if is_function postup ; then
+		# We need to mark the service as started incase a
+		# postdown function wants to restart services that depend on us
+		mark_service_started "net.${iface}"
+		end_service "net.${iface}" 0
+		einfo "Running postup function"
+		eindent
+		( postup "${iface}" )
+		eoutdent
+	fi
+
+	return 0
+}
+
+# bool run_stop(char *iface) {
+#
+# Brings down ${iface}.  If predown call returns non-zero, then
+# stop returns non-zero to indicate failure bringing down device.
+# In all other cases stop returns 0 to indicate success.
+run_stop() {
+	local iface="$1" IFVAR=$(bash_variable "$1") x
+
+	# Load our ESSID variable so users can use it in predown() instead
+	# of having to write code.
+	local ESSID=$(get_options ESSID) ESSIDVAR=
+	[[ -n ${ESSID} ]] && ESSIDVAR=$(bash_variable "${ESSID}")
+
+	# Call user-defined predown function if it exists
+	if is_function predown ; then
+		einfo "Running predown function"
+		eindent
+		( predown "${iface}" )
+		eend $? "predown ${iface} failed" || return 1
+		eoutdent
+	elif is_net_fs / ; then
+		eerror "root filesystem is network mounted -- can't stop ${iface}"
+		return 1
+	elif is_union_fs / ; then
+		for x in $(unionctl "${dir}" --list \
+		| sed -e 's/^\(.*\) .*/\1/') ; do
+			if is_net_fs "${x}" ; then
+				eerror "Part of the root filesystem is network mounted - cannot stop ${iface}"
+				return 1
+			fi
+		done
+	fi
+
+	iface_stop "${iface}" || return 1  # always succeeds, btw
+
+	# Release resolv.conf information.
+	[[ -x /sbin/resolvconf ]] && resolvconf -d "${iface}"
+	
+	# Mark us as inactive if called from the background
+	[[ ${IN_BACKGROUND} == "true" ]] && mark_service_inactive "net.${iface}"
+
+	# Call user-defined postdown function if it exists
+	if is_function postdown ; then
+		# We need to mark the service as stopped incase a
+		# postdown function wants to restart services that depend on us
+		[[ ${IN_BACKGROUND} != "true" ]] && mark_service_stopped "net.${iface}"
+		end_service "net.${iface}" 0
+		einfo "Running postdown function"
+		eindent
+		( postdown "${iface}" )
+		eoutdent
+	fi
+
+
+	return 0
+}
+
+# bool run(char *iface, char *cmd)
+#
+# Main start/stop entry point
+# We load modules here and remove any functions that they
+# added as we may be called inside the same shell scope for another interface
+run() {
+	local iface="$1" cmd="$2" r=1 RC_INDENTATION="${RC_INDENTATION}"
+	local starting=true
+	local -a MODULES=() mods=()
+	local IN_BACKGROUND="${IN_BACKGROUND}"
+
+	if [[ ${IN_BACKGROUND} == "true" || ${IN_BACKGROUND} == "1" ]] ; then
+		IN_BACKGROUND=true
+	else
+		IN_BACKGROUND=false
+	fi
+
+	# We need to override the exit function as runscript.sh now checks
+	# for it. We need it so we can mark the service as inactive ourselves.
+	unset -f exit
+
+	eindent
+	[[ ${cmd} == "stop" ]] && starting=false
+
+	# We force lo to only use these modules for a major speed boost
+	if is_loopback "${iface}" ; then	
+		modules_force=( "iproute2" "ifconfig" "system" )
+	fi
+
+	if modules_load "${iface}" "${starting}" ; then
+		if [[ ${cmd} == "stop" ]] ; then
+			# Reverse the module list for stopping
+			mods=( "${MODULES[@]}" )
+			for ((i = 0; i < ${#mods[@]}; i++)); do
+				MODULES[i]=${mods[((${#mods[@]} - i - 1))]}
+			done
+
+			run_stop "${iface}" && r=0
+		else
+			# Only hotplug on ethernet interfaces
+			if [[ ${IN_HOTPLUG} == 1 ]] ; then
+				if ! interface_is_ethernet "${iface}" ; then
+					eerror "We only hotplug for ethernet interfaces"
+					return 1
+				fi
+			fi
+
+			run_start "${iface}" && r=0
+		fi
+	fi
+
+	if [[ ${r} != "0" ]] ; then
+		if [[ ${cmd} == "start" ]] ; then
+			# Call user-defined failup if it exists
+			if is_function failup ; then
+				einfo "Running failup function"
+				eindent
+				( failup "${iface}" )
+				eoutdent
+			fi
+		else
+			# Call user-defined faildown if it exists
+			if is_function faildown ; then
+				einfo "Running faildown function"
+				eindent
+				( faildown "${iface}" )
+				eoutdent
+			fi
+		fi
+		[[ ${IN_BACKGROUND} == "true" ]] \
+			&& mark_service_inactive "net.${iface}"
+	fi
+
+	return "${r}"
+}
+
+# bool start(void)
+#
+# Start entry point so that we only have one function
+# which localises variables and unsets functions
+start() {
+	declare -r IFACE="${SVCNAME#*.}"
+	einfo "Starting ${IFACE}"
+	run "${IFACE}" start
+}
+
+# bool stop(void)
+#
+# Stop entry point so that we only have one function
+# which localises variables and unsets functions
+stop() {
+	declare -r IFACE="${SVCNAME#*.}"
+	einfo "Stopping ${IFACE}"
+	run "${IFACE}" stop
+}
+
+# vim:ts=4
diff --git a/testing/hosts/carol/etc/init.d/iptables b/testing/hosts/carol/etc/init.d/iptables
index cd7ba23ff..6ff11a424 100755
--- a/testing/hosts/carol/etc/init.d/iptables
+++ b/testing/hosts/carol/etc/init.d/iptables
@@ -25,6 +25,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf
index 6f1097e9e..af5c71b32 100755
--- a/testing/hosts/carol/etc/ipsec.conf
+++ b/testing/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/hosts/dave/etc/init.d/iptables b/testing/hosts/dave/etc/init.d/iptables
index cd7ba23ff..6ff11a424 100755
--- a/testing/hosts/dave/etc/init.d/iptables
+++ b/testing/hosts/dave/etc/init.d/iptables
@@ -25,6 +25,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts
index 25c18ad5e..7d343d857 100644
--- a/testing/hosts/default/etc/hosts
+++ b/testing/hosts/default/etc/hosts
@@ -16,6 +16,7 @@
 10.1.0.20	venus.strongswan.org	venus
 10.1.0.1	moon1.strongswan.org	moon1
 192.168.0.1	moon.strongswan.org	moon
+192.168.0.50	alice1.strongswan.org	alice1
 192.168.0.100	carol.strongswan.org	carol
 10.3.0.1	carol1.strongswan.org	carol1
 192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
@@ -41,6 +42,7 @@ ff02::1:ff00:15	ip6-mcast-15
 ff02::1:ff00:20	ip6-mcast-20
 
 # IPv6 site-local addresses
+fec0::5		ip6-alice1.strongswan.org   ip6-alice1
 fec1::10	ip6-alice.strongswan.org    ip6-alice
 fec1::20	ip6-venus.strongswan.org    ip6-venus
 fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
diff --git a/testing/hosts/moon/etc/init.d/iptables b/testing/hosts/moon/etc/init.d/iptables
index 7f46267c2..f5fa80b26 100755
--- a/testing/hosts/moon/etc/init.d/iptables
+++ b/testing/hosts/moon/etc/init.d/iptables
@@ -28,6 +28,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf
index b26f81911..9512fb7e5 100755
--- a/testing/hosts/moon/etc/ipsec.conf
+++ b/testing/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/scripts/build-hostconfig b/testing/scripts/build-hostconfig
index 1dd268719..0c2afd2c2 100755
--- a/testing/scripts/build-hostconfig
+++ b/testing/scripts/build-hostconfig
@@ -83,8 +83,12 @@ do
         searchandreplace PH_IP6_SUN  $ipv6_sun  $HOSTCONFIGDIR
         ;;
     alice)
-        searchandreplace PH_IP_ALICE  $ipv4_alice $HOSTCONFIGDIR
-        searchandreplace PH_IP6_ALICE $ipv6_alice $HOSTCONFIGDIR
+        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        searchandreplace PH_IP_ALICE1 $ipv4_alice1 $HOSTCONFIGDIR
+        searchandreplace PH_IP_ALICE  $ipv4_alice  $HOSTCONFIGDIR
+        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        searchandreplace PH_IP6_ALICE1 $ipv6_alice1 $HOSTCONFIGDIR
+        searchandreplace PH_IP6_ALICE  $ipv6_alice  $HOSTCONFIGDIR
         ;;
     venus)
         searchandreplace PH_IP_VENUS  $ipv4_venus $HOSTCONFIGDIR
diff --git a/testing/scripts/start-switches b/testing/scripts/start-switches
index c9cafafc1..aab82b8ff 100755
--- a/testing/scripts/start-switches
+++ b/testing/scripts/start-switches
@@ -31,7 +31,7 @@ do
 	cecho " * Great, umlswitch$n is already running!"
     else
 	cecho-n " * Starting umlswitch$n.."
-	uml_switch -tap tap$n -unix /tmp/umlswitch$n >/dev/null </dev/null &
+	uml_switch -tap tap$n -unix /tmp/umlswitch$n >/dev/null 2>&1 </dev/null &
 	sleep 2
 	eval ifconfig "tap$n \$IFCONFIG_$n up"
 	cecho "\033[1;32mdone"
diff --git a/testing/testing.conf b/testing/testing.conf
index 85807d0a6..8c97cc3a4 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -17,11 +17,11 @@
 # RCSID $Id: testing.conf,v 1.52 2006/04/24 16:58:03 as Exp $
 
 # Root directory of testing
-UMLTESTDIR=/home/strongswan-testing
+UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.21.1.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.21.5.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
@@ -30,10 +30,11 @@ KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 KERNELCONFIG=$UMLTESTDIR/.config-2.6.21
 
 # Bzipped uml patch for kernel
-UMLPATCH=$UMLTESTDIR/uml_jmpbuf-2.6.18.patch.bz2
+# (not needed anymore for 2.6.9 kernel or higher)
+#UMLPATCH=$UMLTESTDIR/uml_jmpbuf-2.6.18.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.1.3.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.1.4.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -41,7 +42,7 @@ USE_LDAP="yes"
 USE_LEAK_DETECTIVE="no"
 
 # Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20061006.tar.bz2
+ROOTFS=$UMLTESTDIR/gentoo-fs-20070702.tar.bz2
 
 # Size of the finished root filesystem in MB
 ROOTFSSIZE=544
@@ -55,7 +56,7 @@ MEM=96
 BUILDDIR=$UMLTESTDIR/umlbuild
 
 # Filename of the built UML Kernel
-UMLKERNEL=$UMLTESTDIR/linux
+UMLKERNEL=$BUILDDIR/linux-uml-$KERNELVERSION
 
 # Directory where test results will be stored
 TESTRESULTSDIR=$UMLTESTDIR/testresults
@@ -72,22 +73,22 @@ TZUML="Europe/Zurich"
 # Enable particular steps in the make-testing and
 # start-testing scripts
 #
-ENABLE_BUILD_UMLKERNEL="no"
+ENABLE_BUILD_UMLKERNEL="yes"
 ENABLE_BUILD_SSHKEYS="yes"
 ENABLE_BUILD_HOSTCONFIG="yes"
 ENABLE_BUILD_UMLROOTFS="yes"
 ENABLE_BUILD_UMLHOSTFS="yes"
-ENABLE_START_TESTING="no"
-ENABLE_DO_TESTS="no"
+ENABLE_START_TESTING="yes"
+ENABLE_DO_TESTS="yes"
 ENABLE_STOP_TESTING="no"
 
 ##############################################################
 # How to start the UMLs?
 #
 # Start the UML instance in KDE konsole (requires KDE)
-#UMLSTARTMODE="gnome-terminal"
+UMLSTARTMODE="konsole"
 # Start the UML instance in an xterm (requires X11R6)
-UMLSTARTMODE="xterm"
+# UMLSTARTMODE="xterm"
 # Start the UML instance without a terminal window
 # but screen -r <host> can open a window anytime
 # UMLSTARTMODE="screen"
@@ -100,7 +101,7 @@ SELECTEDTESTSONLY="no"
 
 # Tests to do if $SELECTEDTESTSONLY is set "yes".
 #
-SELECTEDTESTS="ikev2-net2net ikev2-rw"
+SELECTEDTESTS="ikev2/rw-cert"
 
 ##############################################################
 # hostname and corresponding IPv4 and IPv6 addresses
@@ -109,7 +110,7 @@ SELECTEDTESTS="ikev2-net2net ikev2-rw"
 # Also don't use IPs ending with 254, they are reserved!
 #
 HOSTNAMEIPV4="\
-alice,10.1.0.10 \
+alice,10.1.0.10,192.168.0.50 \
 venus,10.1.0.20 \
 moon,192.168.0.1,10.1.0.1 \
 carol,192.168.0.100,10.3.0.1 \
@@ -119,7 +120,7 @@ sun,192.168.0.2,10.2.0.1 \
 bob,10.2.0.10"
 
 HOSTNAMEIPV6="\
-alice,fec1::10 \
+alice,fec1::10,fec0::5 \
 venus,fec1::20 \
 moon,fec0::1,fec1::1 \
 carol,fec0::10,fec3::1 \
@@ -153,7 +154,8 @@ IFCONFIG_2="10.2.0.254 netmask 255.255.0.0"
 ##############################################################
 # Network interfaces of the UML instances
 #
-SWITCH_alice="eth0=daemon,fe:fd:0a:01:00:0a,unix,/tmp/umlswitch1"
+SWITCH_alice="eth0=daemon,fe:fd:0a:01:00:0a,unix,/tmp/umlswitch1 \
+              eth1=daemon,fe:fd:c0:a8:00:32,unix,/tmp/umlswitch0"
 SWITCH_venus="eth0=daemon,fe:fd:0a:01:00:14,unix,/tmp/umlswitch1"
 SWITCH_moon="eth0=daemon,fe:fd:c0:a8:00:01,unix,/tmp/umlswitch0 \
              eth1=daemon,fe:fd:0a:01:00:01,unix,/tmp/umlswitch1"
@@ -163,7 +165,3 @@ SWITCH_dave="eth0=daemon,fe:fd:c0:a8:00:c8,unix,/tmp/umlswitch0"
 SWITCH_sun="eth0=daemon,fe:fd:c0:a8:00:02,unix,/tmp/umlswitch0 \
             eth1=daemon,fe:fd:0a:02:00:01,unix,/tmp/umlswitch2"
 SWITCH_bob="eth0=daemon,fe:fd:0a:02:00:0a,unix,/tmp/umlswitch2"
-
-
-
-
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
index 5d78605e9..a42c7a5bd 100755
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
index 841a67491..340b1a176 100755
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
index b72a3e939..57c41b521 100755
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
@@ -8,7 +8,6 @@ conn %default
 	ikelifetime=60m
 	keylife=20m
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
index 04d5b977b..175349c41 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=blowfish256-sha2_512-modp4096!
 	esp=blowfish256-sha2_256!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
index 80163ffcd..89dbee0af 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=blowfish256-sha2_512-modp4096!
 	esp=blowfish256-sha2_256!
 
diff --git a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
index 09cd583b4..b050f022a 100755
--- a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=serpent256-sha2_512-modp4096!
 	esp=serpent256-sha2_256!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
index ca1eb7b19..75830f043 100755
--- a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=serpent256-sha2_512-modp4096!
 	esp=serpent256-sha2_256!
 
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
index 7c1ee3bb5..40d31c0ac 100755
--- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
index 7d00b538f..1461f7933 100755
--- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha1-modp1536!
 	esp=aes128-sha!
 
diff --git a/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
index b10fb08b9..0c5980ed3 100755
--- a/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=aes128-sha2_256-modp1536!
 	esp=aes128-sha2_256!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
index de832729b..1770e5313 100755
--- a/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha2_256-modp1536!
 	esp=aes128-sha2_256!
 
diff --git a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
index 95ddeb2b8..71ed47519 100755
--- a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=twofish256-sha2_512-modp4096!
 	esp=twofish256-sha2_256!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
index 2d7904563..ba739f887 100755
--- a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=twofish256-sha2_512-modp4096!
 	esp=twofish256-sha2_256!
 
diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
index eae669641..cdd6929ff 100755
--- a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
index 989784124..285dc7234 100755
--- a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
index 6c16db587..a0250f597 100755
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
index abf3049d8..45118094b 100755
--- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
index 855718f5d..a370ca458 100755
--- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	compress=yes
 
 conn rw
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
index 59cbe67ba..98e7df65f 100755
--- a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
index 9a2efb73d..25906e890 100755
--- a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
index 40e32f14a..1bc6cf4fb 100755
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -20,7 +20,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
index eaaaa3f42..fdfff13f0 100755
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
index 6b4650fb8..e0c758e74 100755
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
index 143bace9a..d3603b7aa 100755
--- a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
index 93bd80758..d240302b6 100755
--- a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
index 143bace9a..d3603b7aa 100755
--- a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
index e64a8fb5a..6c2de2e1e 100755
--- a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
index 666fc0698..8d07e42ba 100755
--- a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
index 0ec9d47ed..307d0b6b4 100755
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
index ed1b40549..ce7afbaf3 100755
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn carol
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
index 281293545..a50275d98 100755
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	dpdaction=clear
 	dpddelay=10
 	dpdtimeout=30
diff --git a/testing/tests/ikev1/dynamic-initiator/description.txt b/testing/tests/ikev1/dynamic-initiator/description.txt
new file mode 100644
index 000000000..319ed631d
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/description.txt
@@ -0,0 +1,12 @@
+The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
+is defined symbolically by <b>right=&lt;hostname&gt;</b>. The ipsec starter resolves the
+fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
+/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
+<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
+IP address under the condition that the peer identity remains unchanged. When this happens
+the old tunnel is replaced by an IPsec connection to the new origin.
+<p>
+In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
+suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
+old tunnel first (simulated by iptables blocking IKE packets to and from
+<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). 
diff --git a/testing/tests/ikev1/dynamic-initiator/evaltest.dat b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
new file mode 100644
index 000000000..3105ae38c
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES
+moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES 
+moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..ba6f7bfe9
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightallowany=yes
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ba6f7bfe9
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightallowany=yes
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..8492fbd45
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
+T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
+vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
+S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
+LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
+YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
+j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
+U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
+2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
+HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
+hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
+C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
+omBYfxqp
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5a41744f6
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,1E1991A43D0778B7
+
+MAsd1YBlHz54KjvBvhpwDBewinBkxBo/NmdsMetLIcV8Ag87YcKtTXYju+fbW21y
+DI12iPDQeS9tk17tS8qE5ubWmx/8n0fa5VCdLZ06JK6eeASXNoomXZh5rGsd42It
+sj0irWAnbIA3nFFWQl+Uz5pGZMse7aDSNyk1zs3xtywFIaditYIBsRhrTVmJ/bCK
+waVr++S2pwUHJ/phKoZQ8pwgF5KtYOZxdNtYIzfOZNMoplESR3+WYBYSuW8BKuOc
+QAign/BL2JVJLD4OpHQ68D8Su2sbh6ZYA5jslZLDgG9O7eiMbkCE+N8DmKO6wNAr
+zB5ILb4u5dIyTqun32tOENEhpZqDdMQtZZ34fRBze4IoMx9LrEOAHdZAQyyERP80
+iJCnH8BNf6FerA+XeDs4LVd1yrCklXKFINatqSRP/tNY3kruKw2Q7cAi2AFf+Rv6
+1lrvwK4MiLSHFtzcgEJuxm2bxeceIwXLJ2AVlfLBJvK/yJlq0MPedFbl6E6UwKfw
+cMLokF3sa1XrfwpJ93enGLqdpJrkR3dTzrsshjIhjQqfc8lqLwRlbMGc9u+V0ZsK
+OJ8e26wc/4l5D7CQ1vmgT/R/tuydBtUskgH96anhNJj1M95odkoh4Zicmm5iLgy2
+kluVYiEk0Fs7hc5Qtv8ZLN7ZoBRvZfJZWhXHDXmh71g1aoVYacIkFwiTMX4NoDy5
+QVq9tFUZ1TW4VrNIzfq++rLoz4XlgVy0Yz8jNWKuB0KRuHPNSsQUY2NHkDX+wOjq
+MP1SfNDxqPoqrmCqbgMw/9DmeOj9gyiTyjZhPZTxFOp67FYEYzYtR6bLQKEhdgf6
+iOVROZyrFHMZdBiUgV8GECds1th6ZYWmNRGdvxYjSjExIYgkDrcWbowTqD0bFC9b
+zClaSqrxR6GHUzbUVOBuCP+RmUx4j6gPvMRLUcIn5RmpbGtPE0ixeB5sFB0IuRRW
+6u2YToCiuq3EG1iJRmxjnBa/zj1aBO6OlsE/aPc0Sx+Jhm+MUbDioxUAriX96bJ+
+DEB4zgDhC0vIvkkUVAzQMkWPX479nPDmiZLpMqUIfqUh75WDpHbCladyGMgSkEo0
+IKq96oAWHJC8WLH0UMxMNuf8Ut+TsSpIO6G0RPl/cx3+hQqSUC5oUB7R3ZAWYx+6
+mawjkNJEx72yeJmQtGiZYEfeMt0Svm10PypMXFu0+2JjiS2eRj2K1yqrUnuL6AnY
+GYYmTmR74dnVAd35bRYJjY1XHGC9MyqBn4jLqKZm1BKO3sFsctGDy6vybnvAgPD7
+LioGQHPiOZmQe9Q5mMLedE9NAUCzlR8BHRbWtlnajQWcC0JcVu/mBQsjOt/KHh/V
+CY4aFXE56lRH2OpqZQxFpBFOSFDcuVX+zcEBGmKfk65n2MFL4McAJUhVRZL561Zx
+r9BvILv1Ld6/hECbodq0sUqvbDYHzv25zxAVKSIk1xy85mP5aNbk8xuGHmm860wg
+YOqdePwBEcDHoio+ov/uFYB7+4gt40vV90EzSiyfdq8x9RFMViJU430IkIBcvByo
+tFFcbN8ucBozxtl4AX495GVSRI7V0XXBtEdOIwJIzPBylZOHxCuTnA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..6a2aea811
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2658293ac
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=%defaultroute
+	leftsubnet=10.1.0.0/16
+	leftsourceip=PH_IP_MOON1
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn carol
+	right=carol.strongswan.org
+	rightallowany=yes
+	rightid=carol@strongswan.org
+	rightsubnet=PH_IP_CAROL1/32
+	auto=add
diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat
new file mode 100644
index 000000000..c30a35edd
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat
@@ -0,0 +1,11 @@
+dave::ipsec stop
+carol::ipsec stop
+dave::sleep 1
+moon::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::rm /etc/ipsec.d/certs/*
+dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
new file mode 100644
index 000000000..acb432172
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -0,0 +1,13 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up moon
+carol::sleep 1
+carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::ipsec up moon
+dave::sleep 1
diff --git a/testing/tests/ikev1/dynamic-initiator/test.conf b/testing/tests/ikev1/dynamic-initiator/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-responder/description.txt b/testing/tests/ikev1/dynamic-responder/description.txt
new file mode 100644
index 000000000..76471a973
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/description.txt
@@ -0,0 +1,13 @@
+The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
+is defined symbolically by <b>right=&lt;hostname&gt;</b>. The ipsec starter resolves the
+fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
+/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
+<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
+IP address under the condition that the peer identity remains unchanged. When this happens
+the old tunnel is replaced by an IPsec connection to the new origin.
+<p>
+In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time
+the responder <b>carol</b> suddenly changes her IP address and restarts the connection to
+<b>moon</b> without deleting the old tunnel first (simulated by iptables blocking IKE packets
+to and from <b>carol</b> and starting the connection from host <b>dave</b> using
+<b>carol</b>'s identity). 
diff --git a/testing/tests/ikev1/dynamic-responder/evaltest.dat b/testing/tests/ikev1/dynamic-responder/evaltest.dat
new file mode 100644
index 000000000..391afaa42
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status::moon.*STATE_QUICK_R2.*IPsec SA established::YES
+dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES
+moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES 
+moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..ba6f7bfe9
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightallowany=yes
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ba6f7bfe9
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightallowany=yes
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..8492fbd45
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX
+T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl
+vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii
+S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW
+LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM
+YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD
+j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
+MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
+EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI
+U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM
+2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE
+HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd
+hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG
+C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK
+omBYfxqp
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5a41744f6
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,1E1991A43D0778B7
+
+MAsd1YBlHz54KjvBvhpwDBewinBkxBo/NmdsMetLIcV8Ag87YcKtTXYju+fbW21y
+DI12iPDQeS9tk17tS8qE5ubWmx/8n0fa5VCdLZ06JK6eeASXNoomXZh5rGsd42It
+sj0irWAnbIA3nFFWQl+Uz5pGZMse7aDSNyk1zs3xtywFIaditYIBsRhrTVmJ/bCK
+waVr++S2pwUHJ/phKoZQ8pwgF5KtYOZxdNtYIzfOZNMoplESR3+WYBYSuW8BKuOc
+QAign/BL2JVJLD4OpHQ68D8Su2sbh6ZYA5jslZLDgG9O7eiMbkCE+N8DmKO6wNAr
+zB5ILb4u5dIyTqun32tOENEhpZqDdMQtZZ34fRBze4IoMx9LrEOAHdZAQyyERP80
+iJCnH8BNf6FerA+XeDs4LVd1yrCklXKFINatqSRP/tNY3kruKw2Q7cAi2AFf+Rv6
+1lrvwK4MiLSHFtzcgEJuxm2bxeceIwXLJ2AVlfLBJvK/yJlq0MPedFbl6E6UwKfw
+cMLokF3sa1XrfwpJ93enGLqdpJrkR3dTzrsshjIhjQqfc8lqLwRlbMGc9u+V0ZsK
+OJ8e26wc/4l5D7CQ1vmgT/R/tuydBtUskgH96anhNJj1M95odkoh4Zicmm5iLgy2
+kluVYiEk0Fs7hc5Qtv8ZLN7ZoBRvZfJZWhXHDXmh71g1aoVYacIkFwiTMX4NoDy5
+QVq9tFUZ1TW4VrNIzfq++rLoz4XlgVy0Yz8jNWKuB0KRuHPNSsQUY2NHkDX+wOjq
+MP1SfNDxqPoqrmCqbgMw/9DmeOj9gyiTyjZhPZTxFOp67FYEYzYtR6bLQKEhdgf6
+iOVROZyrFHMZdBiUgV8GECds1th6ZYWmNRGdvxYjSjExIYgkDrcWbowTqD0bFC9b
+zClaSqrxR6GHUzbUVOBuCP+RmUx4j6gPvMRLUcIn5RmpbGtPE0ixeB5sFB0IuRRW
+6u2YToCiuq3EG1iJRmxjnBa/zj1aBO6OlsE/aPc0Sx+Jhm+MUbDioxUAriX96bJ+
+DEB4zgDhC0vIvkkUVAzQMkWPX479nPDmiZLpMqUIfqUh75WDpHbCladyGMgSkEo0
+IKq96oAWHJC8WLH0UMxMNuf8Ut+TsSpIO6G0RPl/cx3+hQqSUC5oUB7R3ZAWYx+6
+mawjkNJEx72yeJmQtGiZYEfeMt0Svm10PypMXFu0+2JjiS2eRj2K1yqrUnuL6AnY
+GYYmTmR74dnVAd35bRYJjY1XHGC9MyqBn4jLqKZm1BKO3sFsctGDy6vybnvAgPD7
+LioGQHPiOZmQe9Q5mMLedE9NAUCzlR8BHRbWtlnajQWcC0JcVu/mBQsjOt/KHh/V
+CY4aFXE56lRH2OpqZQxFpBFOSFDcuVX+zcEBGmKfk65n2MFL4McAJUhVRZL561Zx
+r9BvILv1Ld6/hECbodq0sUqvbDYHzv25zxAVKSIk1xy85mP5aNbk8xuGHmm860wg
+YOqdePwBEcDHoio+ov/uFYB7+4gt40vV90EzSiyfdq8x9RFMViJU430IkIBcvByo
+tFFcbN8ucBozxtl4AX495GVSRI7V0XXBtEdOIwJIzPBylZOHxCuTnA==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..6a2aea811
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2658293ac
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=%defaultroute
+	leftsubnet=10.1.0.0/16
+	leftsourceip=PH_IP_MOON1
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn carol
+	right=carol.strongswan.org
+	rightallowany=yes
+	rightid=carol@strongswan.org
+	rightsubnet=PH_IP_CAROL1/32
+	auto=add
diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat
new file mode 100644
index 000000000..c30a35edd
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/posttest.dat
@@ -0,0 +1,11 @@
+dave::ipsec stop
+carol::ipsec stop
+dave::sleep 1
+moon::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::rm /etc/ipsec.d/certs/*
+dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
new file mode 100644
index 000000000..a330b1074
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -0,0 +1,13 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+moon::sleep 2
+moon::ipsec up carol
+moon::sleep 1
+carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::ipsec up moon
+dave::sleep 1
diff --git a/testing/tests/ikev1/dynamic-responder/test.conf b/testing/tests/ikev1/dynamic-responder/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-two-peers/description.txt b/testing/tests/ikev1/dynamic-two-peers/description.txt
new file mode 100644
index 000000000..56a1c0754
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/description.txt
@@ -0,0 +1,15 @@
+The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
+so that the remote end is defined symbolically by <b>right=%&lt;hostname&gt;</b>.
+The ipsec starter resolves the fully-qualified hostname into the current IP address
+via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
+expected to change over time, the prefix '%' is used as an implicit alternative to the
+explicit <b>rightallowany=yes</b> option which will allow an IKE
+main mode rekeying to arrive from an arbitrary IP address under the condition that
+the peer identity remains unchanged. When this happens the old tunnel is replaced
+by an IPsec connection to the new origin.
+<p>
+In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
+<b>moon</b> which has a named connection definition for each peer. Although
+the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
+the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
+
diff --git a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
new file mode 100644
index 000000000..f46a6a20b
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..41123c9d6
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon 
+	left=%defaultroute
+	leftsourceip=PH_IP_CAROL1
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..2ba4db724
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn moon
+	left=%defaultroute
+	leftsourceip=PH_IP_DAVE1
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
+
+
+
+
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale
new file mode 100644
index 000000000..ebff4ec25
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/hosts.stale
@@ -0,0 +1,67 @@
+# /etc/hosts:  This file describes a number of hostname-to-address
+#              mappings for the TCP/IP subsystem.  It is mostly
+#              used at boot time, when no name servers are running.
+#              On small systems, this file can be used instead of a
+#              "named" name server.  Just add the names, addresses
+#              and any aliases to this file...
+#
+
+127.0.0.1	localhost
+
+192.168.0.254	uml0.strongswan.org	uml0
+10.1.0.254	uml1.strongswan.org	uml1
+10.2.0.254	uml1.strongswan.org	uml2
+
+10.1.0.10	alice.strongswan.org	alice
+10.1.0.20	venus.strongswan.org	venus
+10.1.0.1	moon1.strongswan.org	moon1
+192.168.0.1	moon.strongswan.org	moon
+192.168.0.110	carol.strongswan.org	carol
+10.3.0.1	carol1.strongswan.org	carol1
+192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.220	dave.strongswan.org	dave
+10.3.0.2	dave1.strongswan.org	dave1
+192.168.0.2	sun.strongswan.org	sun
+10.2.0.1	sun1.strongswan.org	sun1
+10.2.0.10	bob.strongswan.org	bob
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1	ip6-mcast-1
+ff02::1:ff00:2	ip6-mcast-2
+ff02::1:ff00:10	ip6-mcast-10
+ff02::1:ff00:15	ip6-mcast-15
+ff02::1:ff00:20	ip6-mcast-20
+
+# IPv6 site-local addresses
+fec1::10	ip6-alice.strongswan.org    ip6-alice
+fec1::20	ip6-venus.strongswan.org    ip6-venus
+fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
+fec0::1 	ip6-moon.strongswan.org     ip6-moon
+fec0::10	ip6-carol.strongswan.org    ip6-carol
+fec3::1 	ip6-carol1.strongswan.org   ip6-carol1
+fec0::15	ip6-winnetou.strongswan.org ip6-winnetou 
+fec0::20	ip6-dave.strongswan.org     ip6-dave
+fec3::2 	ip6-dave1.strongswan.org    ip6-dave1
+fec0::2 	ip6-sun.strongswan.org      ip6-sun
+fec2::1 	ip6-sun1.strongswan.org     ip6-sun1
+fec2::10	ip6-bob.strongswan.org      ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14	ip6-hw-venus.strongswan.org    ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a	ip6-hw-alice.strongswan.org    ip6-hw-alice
+fe80::fcfd:0aff:fe01:01	ip6-hw-moon1.strongswan.org    ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64	ip6-hw-carol.strongswan.org    ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8	ip6-hw-dave.strongswan.org     ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02	ip6-hw-sun.strongswan.org      ip6-hw-sun
+fe80::fcfd:0aff:fe02:01	ip6-hw-sun1.strongswan.org     ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50c3a6a69
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=%defaultroute
+	leftsubnet=10.1.0.0/16
+	leftsourceip=PH_IP_MOON1
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+
+conn carol
+	right=%carol.strongswan.org
+	rightid=carol@strongswan.org
+	rightsubnet=PH_IP_CAROL1/32
+	auto=add
+
+conn dave
+	right=%dave.strongswan.org
+	rightid=dave@strongswan.org
+	rightsubnet=PH_IP_DAVE1/32
+	auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
new file mode 100644
index 000000000..65292daae
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
@@ -0,0 +1,10 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::sleep 1
+moon::ipsec stop
+moon::mv /etc/hosts.ori /etc/hosts
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
new file mode 100644
index 000000000..6596a2527
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
@@ -0,0 +1,12 @@
+moon::mv /etc/hosts /etc/hosts.ori
+moon::mv /etc/hosts.stale /etc/hosts
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up moon
+dave::ipsec up moon
+carol::sleep 1
diff --git a/testing/tests/ikev1/dynamic-two-peers/test.conf b/testing/tests/ikev1/dynamic-two-peers/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
index 21f56705c..6af3a88ac 100755
--- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
index 274a1aa18..e1bc08ee4 100755
--- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
index 8c72a7b7f..8a9f033f1 100755
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
index ccf8e91fa..fb0e59d86 100755
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
index b8ef03cfe..feeef7901 100755
--- a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=3des-md5-modp1024!
 	esp=des-md5!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
index 3ac0bf4cf..be4c9aced 100755
--- a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=3des-md5-modp1024!
 	esp=des-md5!
 
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index 7a8ae37c9..b939e4fda 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=aes-128-sha
 	esp=null-sha1!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index 187a3fb17..9ca761cb5 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha!
 	esp=null-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
index 4ed2fb645..f61cfc6bb 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=3des-sha
 	esp=3des-sha1
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
index f8c27ad7c..5bf53b8bc 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha
 	esp=aes128-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
index da86d14df..0ae6b0693 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=3des-sha,aes-128-sha
 	esp=3des-sha1,aes-128-sha1
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
index f8c27ad7c..5bf53b8bc 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha
 	esp=aes128-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
index b8ef03cfe..feeef7901 100755
--- a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
@@ -13,9 +13,9 @@ conn %default
 	keyingtries=1
 	ike=3des-md5-modp1024!
 	esp=des-md5!
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
index 691b6b74f..147d8ffaa 100755
--- a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
index 10597bc58..b984b8d14 100755
--- a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	right=PH_IP_MOON
-	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
index 45121d967..bb409adcc 100755
--- a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn host-host
 	right=PH_IP_SUN
-	rightnexthop=%direct
 	rightcert=sunCert.pem
 	rightfirewall=yes
 	rightid=@sun.strongswan.org
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
index 44ac885ce..49c84d894 100755
--- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 
 conn host-host
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
index a89e799bd..e517b39cd 100755
--- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 
 conn host-host
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
index 2bf2f8740..52fc94b51 100755
--- a/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 	esp=aes192-sha2_256!
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
index 5baf8f1d9..97e552a6a 100755
--- a/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes192-sha2_384-modp4096!
 	esp=aes192-sha2_256!
 
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
index 8b1052f91..cf9309223 100755
--- a/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 	esp=aes256-sha2_256!
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
index 62b93c428..d47ad7696 100755
--- a/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes256-sha2_512-modp8192!
 	esp=aes256-sha2_256!
 
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
index 4ed2fb645..cbe5469f0 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -13,12 +13,12 @@ conn %default
 	keyingtries=1
 	ike=3des-sha
 	esp=3des-sha1
+
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 1a8b0b966..42e5f8404 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha!
 	esp=aes128-sha1
 
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
index da86d14df..b8e2257c4 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 	esp=3des-sha1,aes-128-sha1
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
index 1a8b0b966..42e5f8404 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	ike=aes128-sha!
 	esp=aes128-sha1
 
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
index db8cfd5c4..36a4e2fb1 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
index cc330b47f..469145fb8 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
index 3de856642..79be57226 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftsourceip=PH_IP_MOON1
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
index 3bcc0ff25..b019c5a33 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	right=PH_IP_CAROL
 	rightsourceip=%modeconfig
-	rightnexthop=%direct
 	rightcert=carolCert.pem
 	rightid=carol@strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
index 7933ef15a..5b38a2041 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	right=PH_IP_DAVE
 	rightsourceip=%modeconfig
-	rightnexthop=%direct
 	rightcert=daveCert.pem
 	rightid=dave@strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
index 53b81a534..911531edb 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightsourceip=PH_IP_MOON1
-	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
index 2fd734579..57ec7040e 100755
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
index 128c4aa29..3179faa05 100755
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
index 3367544eb..10ae2261b 100755
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftsourceip=PH_IP_MOON1
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index 2917edd8a..cfdc692d7 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index 3c8227f19..fecce5efa 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index 9b1d03320..994792f7d 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -27,7 +27,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
index 2c645ead6..04a512eb7 100755
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
index dcf3c94c7..a9e648f5e 100755
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
index 93bd80758..d240302b6 100755
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index ab336c3c8..fdca83e18 100755
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
index d6d32a39d..d4ce57333 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
index 6156fadba..ea445522e 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
index 6b4e37b35..cf952be47 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
index 316cdaecc..0adb2593d 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftsendcert=ifasked
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
index 5838f5f2f..0e8e413e6 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftsendcert=ifasked
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
index e47d453e4..1e00096c8 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftsendcert=ifasked
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
index 9637dcf06..82576bb2b 100755
--- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-net
 	left=192.168.0.1
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
index 573069f75..ebd735a11 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn nat-t
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
index eb72ed85f..a54482489 100755
--- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
index 205f235c8..419adc2f2 100755
--- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
index e095c0b7b..7302a423b 100755
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
index b21f863f5..7633f5c8b 100755
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
index a3536e2b2..5eedd9f28 100755
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
index 12e38962e..24bd66f53 100755
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
index 466235099..eabb76bf7 100755
--- a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
index e4c0614a1..18b18f3ea 100755
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -9,7 +9,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
index d0c8752a3..3f2bc48c0 100755
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -9,7 +9,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
index 95abd046a..e2e43cecd 100755
--- a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
index 5b32ef007..9a1f0934b 100755
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
index d9da3f78a..9b0c9b534 100755
--- a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
index fd950ecd5..5624f4fcf 100755
--- a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
index d9da3f78a..9b0c9b534 100755
--- a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/passthrough/description.txt b/testing/tests/ikev1/passthrough/description.txt
new file mode 100644
index 000000000..145c5b79c
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/description.txt
@@ -0,0 +1,6 @@
+All IP traffic from the subnet behind the gateway <b>moon</b> is tunneled
+to the gateway  <b>sun</b> using the 0.0.0.0/0 network mask. In order
+to prevent local subnet traffic from escaping through the tunnel, a
+passthrough policy for the 10.1.0.0/16 network is inserted on <b>moon</b>.
+A series of internal and external pings verifies the correct
+functioning of the setup.
diff --git a/testing/tests/ikev1/passthrough/evaltest.dat b/testing/tests/ikev1/passthrough/evaltest.dat
new file mode 100644
index 000000000..942222f08
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..557fb62eb
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	right=PH_IP_SUN
+
+conn net-net
+	rightsubnet=0.0.0.0/0
+	rightid=@sun.strongswan.org
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftsourceip=10.1.0.1
+	leftfirewall=yes
+	lefthostaccess=yes
+	auto=add
+        
+conn pass
+	rightsubnet=10.1.0.0/16
+	type=passthrough
+	authby=never
+	auto=route
diff --git a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..9276f1f90
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn net-net
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=0.0.0.0/0
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/passthrough/posttest.dat b/testing/tests/ikev1/passthrough/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/passthrough/pretest.dat b/testing/tests/ikev1/passthrough/pretest.dat
new file mode 100644
index 000000000..2606db192
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables -I INPUT  -i eth1 -s 10.1.0.0/16 -j ACCEPT
+moon::iptables -I OUTPUT -o eth1 -d 10.1.0.0/16 -j ACCEPT
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/passthrough/test.conf b/testing/tests/ikev1/passthrough/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/ikev1/passthrough/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
index 0dc25b7bb..3adfdc0b8 100755
--- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
index 3b01128c2..e1ce14973 100755
--- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
index 093f9b1fc..913e6d91a 100755
--- a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home-icmp
 	left=PH_IP_CAROL
-	leftnexthop=%direct
         leftid=carol@strongswan.org
 	leftcert=carolCert.pem
 	leftprotoport=icmp
diff --git a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
index e64b3be7a..d941e81ef 100755
--- a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn rw-icmp
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
 	leftprotoport=icmp
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/protoport-pass/posttest.dat b/testing/tests/ikev1/protoport-pass/posttest.dat
index 94a400606..d6f014882 100644
--- a/testing/tests/ikev1/protoport-pass/posttest.dat
+++ b/testing/tests/ikev1/protoport-pass/posttest.dat
@@ -1,4 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
+carol::ip route del 10.1.0.0/16 via PH_IP_MOON
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/protoport-pass/pretest.dat b/testing/tests/ikev1/protoport-pass/pretest.dat
index 13b4ad4a0..37f545062 100644
--- a/testing/tests/ikev1/protoport-pass/pretest.dat
+++ b/testing/tests/ikev1/protoport-pass/pretest.dat
@@ -4,6 +4,7 @@ moon::iptables -I FORWARD -o eth0 -p tcp -s 10.1.0.0/16 --sport ssh -jACCEPT
 carol::/etc/init.d/iptables start 2> /dev/null
 carol::iptables -I INPUT  -i eth0 -p tcp -s 10.1.0.0/16 --sport ssh -d PH_IP_CAROL -jACCEPT
 carol::iptables -I OUTPUT -o eth0 -p tcp -d 10.1.0.0/16 --dport ssh -s PH_IP_CAROL -jACCEPT
+carol::ip route add 10.1.0.0/16 via PH_IP_MOON
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
index 99b410c32..dfc0143ed 100755
--- a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
index 3b01128c2..e1ce14973 100755
--- a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
index e32aca0b9..6db69096b 100755
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=myCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
index 1e9a27129..f0e4036c0 100755
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
index 05d209c44..864d014de 100755
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn rw-carol 
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index 1e9a27129..f0e4036c0 100755
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index beda12b3c..f3a6db107 100755
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 8e27a9ecd..d76337996 100755
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index f8ce5569c..025f335b2 100755
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	authby=secret
-	leftnexthop=%direct
 	
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
index c62605bd0..980523a5e 100755
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 conn home
 	authby=secret
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
index 4584e1408..d57d790d1 100755
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
index b142c75bb..08a41e612 100755
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 conn home
 	authby=secret
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
index 5916d8fd8..b8900c082 100755
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
index 2abe3c147..dbfac50e2 100755
--- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 conn rw-psk
 	authby=secret
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
index 93ea3a80e..db281ef80 100755
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
index 98b0030d8..f3c2be9a1 100755
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn carol
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.der
 	leftid=@moon.strongswan.org
 	leftsendcert=never
diff --git a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
index b58d1deb7..cd751df3d 100755
--- a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
@@ -30,7 +30,6 @@ conn rw
 
 conn moon
 	left=PH_IP_MOON
-        leftnexthop=%direct
         leftcert=moonCert.pem
         leftid=@moon.strongswan.org
         leftfirewall=yes
diff --git a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
index 09f3bb94d..e78231f0c 100755
--- a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
@@ -30,7 +30,6 @@ conn rw
 
 conn moon
 	left=PH_IP_MOON
-        leftnexthop=%direct
         leftcert=moonCert.pem
         leftid=@moon.strongswan.org
         leftfirewall=yes
diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
index 2fd734579..57ec7040e 100755
--- a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
index 128c4aa29..3179faa05 100755
--- a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
index 81d1ae8b6..a2af4e9f8 100755
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-sha384.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
index 468be8afb..e48b1a78c 100755
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert-sha512.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
index 7aed142a4..b9710cb14 100755
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert-sha256.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
index f4f2dedd0..b4ad3c011 100755
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	right=PH_IP_CAROL
 	rightsourceip=PH_IP_CAROL1
-	rightnexthop=%direct
 	rightcert=carolCert.pem
 	rightid=carol@strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
index de7f07eb9..eafcf5e55 100755
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn rw
 	right=PH_IP_MOON
 	rightsourceip=PH_IP_MOON1
-	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
index a863df33e..71aa4decf 100755
--- a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=PH_IP_CAROL1
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
index c0310692a..471e9e833 100755
--- a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn rw
 	left=PH_IP_MOON
 	leftsourceip=PH_IP_MOON1
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
index d6d32a39d..d4ce57333 100755
--- a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
index 6156fadba..ea445522e 100755
--- a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
index 162e22c43..8952bc92f 100755
--- a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
index 665ce592f..30b657662 100755
--- a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 conn system
 	left=PH_IP_ALICE
 	leftprotoport=tcp/ssh
-	leftnexthop=%direct
 	authby=never
 	type=passthrough
 	right=10.1.0.254
@@ -25,7 +24,6 @@ conn system
 
 conn wlan 
 	left=PH_IP_ALICE
-	leftnexthop=%direct
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
index 44f980422..ab3287aee 100755
--- a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
@@ -27,7 +27,6 @@ conn venus
 
 conn wlan
         left=PH_IP_MOON1
-	leftnexthop=%direct
 	leftsubnet=0.0.0.0/0
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
index 5d861548d..bb9897c79 100755
--- a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 conn system
 	left=PH_IP_VENUS
 	leftprotoport=tcp/ssh
-	leftnexthop=%direct
 	authby=never
 	type=passthrough
 	right=10.1.0.254
@@ -25,7 +24,6 @@ conn system
 
 conn wlan 
 	left=PH_IP_VENUS
-	leftnexthop=%direct
 	leftcert=venusCert.pem
 	leftid=@venus.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
index 3fd0ebf85..747f4b6bf 100644
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn home
 	left=PH_IP_CAROL
 	leftid=carol@strongswan.org
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
index 8d20a5d20..0193c0512 100644
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn home
 	left=PH_IP_DAVE
 	leftid=dave@strongswan.org
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
index 66f705e79..98598b04c 100644
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 	xauth=server
 	left=PH_IP_MOON
 	leftid=@moon.strongswan.org
-	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
index 3e8ddf0fe..b5ec4c4af 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
index 9aee88cfe..a353e3f12 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
index dfaa44521..c92ad8748 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
index d49bc1490..47bf1dafc 100755
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
index 6a48cf6ee..f79a81a6f 100755
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
index 90539650f..47928181f 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
index 19618145d..8c8cb4a2d 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%modeconfig
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
index eccdc2b70..1c48e13e7 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 	authby=xauthrsasig
 	xauth=server
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
index d49bc1490..47bf1dafc 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
index 6a48cf6ee..f79a81a6f 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
index d49bc1490..47bf1dafc 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
index 5c1de3372..1fcf71d5c 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
index a997fb73f..ffbb13ec5 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
index 6e2cbd153..6894a952c 100755
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	right=PH_IP_CAROL
 	rightsourceip=%config
-	rightnexthop=%direct
 	rightcert=carolCert.pem
 	rightid=carol@strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
index f148757db..cefbc8270 100755
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	right=PH_IP_DAVE
 	rightsourceip=%config
-	rightnexthop=%direct
 	rightcert=daveCert.pem
 	rightid=dave@strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
index 5cb49cfc8..8458724c6 100755
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightsourceip=PH_IP_MOON1
-	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
index 4ea2b22f7..a19f6cfae 100755
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%config
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
index dad3f3440..1a89f4e5d 100755
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%config
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
index a4c4b3553..bafd1b155 100755
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftsourceip=PH_IP_MOON1
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
index cea581bc2..4d47c831c 100755
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
index fe2179885..9488a6822 100755
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
index 571459bae..999d0d183 100755
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
@@ -25,6 +25,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow ldap crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
index 8b37ec6b8..26d34de47 100755
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -20,7 +20,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
index 8de514a2e..4f4f3228b 100755
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
@@ -28,6 +28,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow ldap crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
index 47a52b60b..1d2a68528 100755
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -20,7 +20,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
index 29b3c2a65..cbab29414 100755
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
index a1a9587dd..dd50c335b 100755
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
index 52e5c291d..fbb9cd7e9 100755
--- a/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
index a9f6a4bb4..072c57c5b 100755
--- a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
index cea581bc2..4d47c831c 100755
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
index fe2179885..9488a6822 100755
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
index a4668d9ae..9574f18bb 100755
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
index 13ad3063f..5a262c084 100755
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
@@ -28,6 +28,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
index b6a0e4990..5b2c4e3f4 100755
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn carol
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=selfCert.der
 	leftsendcert=never
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
index e5d9ad476..bcdb8641b 100755
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
index 97b5411bd..cdb40d72d 100755
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	keyexchange=ikev2
 	dpdaction=clear
 	dpddelay=10
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
index dff90e563..bfc8ac34c 100755
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
index 97b5411bd..cdb40d72d 100755
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	keyexchange=ikev2
 	dpdaction=clear
 	dpddelay=10
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
index 7c5b88a2c..631eac9b6 100755
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
index 97b5411bd..cdb40d72d 100755
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	keyexchange=ikev2
 	dpdaction=clear
 	dpddelay=10
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
index d00d8762d..25f8ce8b2 100755
--- a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
index fca2cbdab..303a49152 100755
--- a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
index 2d41690cc..ec9ac5b80 100755
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
index 7ffbf64ac..484eb995f 100755
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	left=PH_IP_SUN
-	leftnexthop=%direct
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
index 0c3dd7abe..981c7f073 100755
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	right=PH_IP_MOON
-	rightnexthop=%direct
 	rightcert=moonCert.pem
 	rightid=@moon.strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
index bd510cc73..e3fc2b728 100755
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	right=PH_IP_SUN
-	rightnexthop=%direct
 	rightcert=sunCert.pem
 	rightid=@sun.strongswan.org
 	rightfirewall=yes
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
index f957e5fb3..b80aa80c4 100755
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
index 52b605024..dd1811083 100755
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn host-host
 	left=PH_IP_SUN
-	leftnexthop=%direct
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/mobike-nat/description.txt b/testing/tests/ikev2/mobike-nat/description.txt
new file mode 100644
index 000000000..dd8a3a11a
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>alice</b> is sitting behind the NAT router <b>moon</b> but
+at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network
+via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b>
+in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface
+goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change 
+via a MOBIKE ADDRESS_UPDATE notification to peer <b>sun</b>. <b>alice</b> sets
+a virtual IP of PH_IP_ALICE, so that the IPsec policies don't have to be changed.
diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2/mobike-nat/evaltest.dat
new file mode 100644
index 000000000..f6259cfb6
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/evaltest.dat
@@ -0,0 +1,16 @@
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
+alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::sleep 1::No output expected::NO
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
+alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::sun.strongswan.org.*moon.strongswan.org.*: UDP-encap: ESP::YES
+bob::tcpdump::alice.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org.*alice.strongswan.org.*ICMP echo reply::YES
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..db18182a3
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,83 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..e05356b39
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_ALICE1
+	leftsourceip=PH_IP_ALICE
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..6944749be
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.2.0.0/16
+	right=%any
+	rightsourceip=%config
+	rightid=alice@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2/mobike-nat/posttest.dat
new file mode 100644
index 000000000..cd0d4df25
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/posttest.dat
@@ -0,0 +1,6 @@
+alice::ipsec stop
+sun::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat
new file mode 100644
index 000000000..08c2be95c
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/pretest.dat
@@ -0,0 +1,12 @@
+alice::/etc/init.d/net.eth1 start
+alice::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::conntrack -F
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up mobike
+alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2/mobike-nat/test.conf
new file mode 100644
index 000000000..6467631e5
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="bob moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike-virtual-ip/description.txt b/testing/tests/ikev2/mobike-virtual-ip/description.txt
new file mode 100644
index 000000000..997c7f3e8
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>alice</b> is sitting behind the router <b>moon</b> but
+at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network
+via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b>
+in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface
+goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change 
+via a MOBIKE ADDRESS_UPDATE notification to peer <b>sun</b>. <b>alice</b> sets
+a virtual IP of PH_IP_ALICE, so that the IPsec policies don't have to be changed.
diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..482cef866
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
@@ -0,0 +1,16 @@
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
+alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::sleep 1::No output expected::NO
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
+alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP::YES
+moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP::YES
+bob::tcpdump::alice.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org.*alice.strongswan.org.*ICMP echo reply::YES
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..db18182a3
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,83 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..e05356b39
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_ALICE1
+	leftsourceip=PH_IP_ALICE
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..64a659f4f
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_ALICE1
+	rightsourceip=%config
+	rightid=alice@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
new file mode 100644
index 000000000..32fdf0053
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
@@ -0,0 +1,5 @@
+alice::ipsec stop
+sun::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
new file mode 100644
index 000000000..6666e7794
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
@@ -0,0 +1,10 @@
+alice::/etc/init.d/net.eth1 start
+alice::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+alice::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up mobike
+alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2/mobike-virtual-ip/test.conf
new file mode 100644
index 000000000..6467631e5
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="bob moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike/description.txt b/testing/tests/ikev2/mobike/description.txt
new file mode 100644
index 000000000..3c780be9e
--- /dev/null
+++ b/testing/tests/ikev2/mobike/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>alice</b> is sitting behind the router <b>moon</b> but
+at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network
+via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b>
+in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface
+goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change 
+via a MOBIKE ADDRESS_UPDATE notification to peer <b>sun</b>. Since <b>alice</b> has
+not configured a virtual IP address the IPsec policies must be updated.
diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2/mobike/evaltest.dat
new file mode 100644
index 000000000..10bb37e42
--- /dev/null
+++ b/testing/tests/ikev2/mobike/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
+alice::ipsec statusall::PH_IP_ALICE1/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE1/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::sleep 1::No output expected::NO
+alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
+alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP::YES
+moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP::YES
+bob::tcpdump::alice1.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org.*alice1.strongswan.org.*ICMP echo reply::YES
+bob::tcpdump::alice.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org.*alice.strongswan.org.*ICMP echo reply::YES
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..db18182a3
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,83 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..37e92cf5b
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_ALICE1
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..1367e784f
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn mobike
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_ALICE1
+	rightid=alice@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/mobike/posttest.dat b/testing/tests/ikev2/mobike/posttest.dat
new file mode 100644
index 000000000..32fdf0053
--- /dev/null
+++ b/testing/tests/ikev2/mobike/posttest.dat
@@ -0,0 +1,5 @@
+alice::ipsec stop
+sun::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2/mobike/pretest.dat
new file mode 100644
index 000000000..6666e7794
--- /dev/null
+++ b/testing/tests/ikev2/mobike/pretest.dat
@@ -0,0 +1,10 @@
+alice::/etc/init.d/net.eth1 start
+alice::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+alice::ipsec start
+sun::ipsec start
+alice::sleep 2 
+alice::ipsec up mobike
+alice::sleep 1
diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2/mobike/test.conf
new file mode 100644
index 000000000..6467631e5
--- /dev/null
+++ b/testing/tests/ikev2/mobike/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="bob moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index 466b08eae..39996cf42 100755
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index d4b20453d..e25636a7d 100755
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
index 8de514a2e..4f4f3228b 100755
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
@@ -28,6 +28,10 @@ start() {
 	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
 	# allow ldap crl fetch from winnetou
 	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
 	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index c342625af..46f1030cd 100755
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -27,7 +27,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
index 11dce322e..5c34528a4 100755
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
index 52e5cd8cd..96e493719 100755
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
index 9350d121e..a042da6d5 100755
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index 61574d1f0..9b331f0a9 100755
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
index 3f95ed506..174e248c2 100755
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftsendcert=ifasked
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
index 082ed2974..5c90dd4a2 100755
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftsendcert=ifasked
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
index 4561a52db..e1ee6e8d6 100755
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftsendcert=ifasked
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/nat-one-rw/pretest.dat b/testing/tests/ikev2/nat-one-rw/pretest.dat
index ebd0c19e2..a4f5ecd79 100644
--- a/testing/tests/ikev2/nat-one-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-one-rw/pretest.dat
@@ -1,5 +1,6 @@
 alice::/etc/init.d/iptables start 2> /dev/null
 sun::/etc/init.d/iptables start 2> /dev/null
+moon::conntrack -F
 moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
index c76e7ce92..d6b5d4d6f 100755
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn nat-t
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftfirewall=yes
-	leftnexthop=%direct
 	right=%any
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
index da51fa46a..55fe84bc3 100755
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
index bea0eeb08..063f23b29 100755
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -16,7 +16,6 @@ conn net-net
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
 	leftfirewall=yes
-	leftnexthop=%direct
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
index 8b8548815..fe75ede89 100755
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
@@ -10,7 +10,6 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	leftnexthop=%direct
 	keyexchange=ikev2
 
 conn net-net
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
index 091871e49..77abdcdd1 100755
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
index b2e41894c..ea55d2edb 100755
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn net-net
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
index 0209111ba..e2602f08a 100755
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
index 21b48ef0c..119d14a42 100755
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
index 86c9dca75..259997f5c 100755
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
index 1613e72cf..0763d1734 100755
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
index 98a0e9b81..b0e8336e6 100755
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
@@ -27,7 +27,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
index 3c685a839..ba9779cb5 100755
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
index e2fabe0f5..b79c056ab 100755
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
index be15f6ec5..0425d7cf4 100755
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-revoked.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
index 21b48ef0c..119d14a42 100755
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
index 0209111ba..e2602f08a 100755
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
index 21b48ef0c..119d14a42 100755
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
index f49fa9204..f8abd6b59 100755
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-ocsp.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
index a8a9f1e30..ce653cf08 100755
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
index cfde9714e..bce685c53 100755
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-ifuri.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
index 1cea9f47c..1ab63e84b 100755
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert-ifuri.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
index be96bd957..401e9b567 100755
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
index b53de16e4..d95a322bd 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
@@ -17,7 +17,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-ocsp.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
index f3b19d292..394d94160 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
@@ -19,7 +19,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
index cdc1560ae..ef24ea191 100755
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
index e759d1d79..fe657b4a6 100755
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
@@ -20,7 +20,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
index 3c685a839..ba9779cb5 100755
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
index e2fabe0f5..b79c056ab 100755
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
@@ -18,7 +18,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
index eda0ddf38..51971a13c 100755
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
index 0bc03380b..0d7e8db3f 100755
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
index 7f4e37bc2..d76a6ee17 100755
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
index 0bc03380b..0d7e8db3f 100755
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index e5d9ad476..bcdb8641b 100755
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index 3c0014965..ea8bc92a7 100755
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index b8bc990cd..274521386 100755
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index 9a5087fff..6c821010a 100755
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
index 7b6e448b3..1af9be7f7 100755
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index a6270a67e..97edc9047 100755
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 0e3fe6962..5990f6875 100755
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
index 368c3c6fb..bdd50899a 100755
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index c38a2a59b..b99f43ef4 100755
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
index b23046668..150687104 100755
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
index 66734b543..2397d6d6d 100755
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
index a6270a67e..97edc9047 100755
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
index 10eeee9c1..78c33df12 100755
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
index ac99ac66c..e533b4b4e 100755
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
index 7419be98a..004993d94 100755
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
         left=PH_IP_MOON
-	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
         right=%any
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
index 6a8253dc4..dc6f82923 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
index 3c9e9a009..b09427d4c 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
@@ -15,7 +15,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
index b62ab4156..a3bf042d4 100755
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
index 4ddd99280..a7b55db24 100755
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert-sha384.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
index 2b5407387..080073cd3 100755
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert-sha512.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
index 9c0a14c9b..64d160f12 100755
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,6 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert-sha256.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index e5d9ad476..bcdb8641b 100755
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
index 3c0014965..ea8bc92a7 100755
--- a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
@@ -13,7 +13,6 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
index 86be51824..eb6feb6e2 100755
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
index 59d41eb27..043160a0f 100755
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
index 81e86e823..a01676be3 100755
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_DAVE
-	leftnexthop=%direct
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
index 366e1fa9a..0523d56dd 100755
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
@@ -12,7 +12,6 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org