[svn-upgrade] new version strongswan (4.5.0)

1373 files changed, 55131 insertions, 14820 deletions

diff --git a/Android.mk b/Android.mk
index 0a9fc5387..d6c83367f 100644
--- a/Android.mk
+++ b/Android.mk
@@ -53,7 +53,7 @@ strongswan_CFLAGS := \
 	-DUSE_VSTR \
 	-DROUTING_TABLE=0 \
 	-DROUTING_TABLE_PRIO=220 \
-	-DVERSION=\"4.4.1\" \
+	-DVERSION=\"4.5.0\" \
 	-DPLUGINS='"$(strongswan_PLUGINS)"' \
 	-DIPSEC_DIR=\"/system/bin\" \
 	-DIPSEC_PIDDIR=\"/data/misc/vpn\" \
diff --git a/ChangeLog b/ChangeLog
index 41f530506..5ddeff5f4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,3 @@
 A summary of changes is available in the NEWS file. For a more 
 detailed Changelog, use the repository (see HACKING) or the
-online interface available at http://trac.strongswan.org.
+online interface available at http://git.strongswan.org.
diff --git a/Doxyfile.in b/Doxyfile.in
index b79c9909d..e7f5b50a4 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -531,6 +531,7 @@ INPUT                  = @SRC_DIR@/src/libstrongswan \
                          @SRC_DIR@/src/libhydra \
                          @SRC_DIR@/src/libcharon \
                          @SRC_DIR@/src/libsimaka \
+                         @SRC_DIR@/src/libtls \
                          @SRC_DIR@/src/libfast \
                          @SRC_DIR@/src/manager
 
@@ -575,7 +576,7 @@ EXCLUDE_SYMLINKS       = NO
 # against the file with absolute path, so to exclude all test directories
 # for example use the pattern */test/*
 
-EXCLUDE_PATTERNS       = */.svn/*
+EXCLUDE_PATTERNS       = */.git/*
 
 # The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
 # (namespaces, classes, functions, etc.) that should be excluded from the
@@ -699,7 +700,7 @@ VERBATIM_HEADERS       = YES
 # of all compounds will be generated. Enable this if the project
 # contains a lot of classes, structs, unions or interfaces.
 
-ALPHABETICAL_INDEX     = NO
+ALPHABETICAL_INDEX     = YES
 
 # If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
 # the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
@@ -843,7 +844,7 @@ TOC_EXPAND             = NO
 # top of each HTML page. The value NO (the default) enables the index and
 # the value YES disables it.
 
-DISABLE_INDEX          = YES
+DISABLE_INDEX          = NO
 
 # This tag can be used to set the number of enum values (range [1..20])
 # that doxygen will group on one line in the generated HTML documentation.
diff --git a/Makefile.am b/Makefile.am
index af0465fee..cba5048b1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = src testing
+SUBDIRS = src man testing
 
 if USE_SCRIPTS
   SUBDIRS += scripts
diff --git a/Makefile.in b/Makefile.in
index 522683ab1..56c31b104 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -48,6 +48,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -72,7 +73,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir dist dist-all distcheck
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = src testing scripts
+DIST_SUBDIRS = src man testing scripts
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@@ -174,6 +175,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -205,14 +208,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -227,24 +233,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -252,7 +265,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -264,7 +280,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-SUBDIRS = src testing $(am__append_1)
+SUBDIRS = src man testing $(am__append_1)
 ACLOCAL_AMFLAGS = -I m4/config
 EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk
 CLEANFILES = Doxyfile
diff --git a/NEWS b/NEWS
index a5f4a16ff..ed0d18211 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,74 @@
+
+strongswan-4.5.0
+----------------
+
+- IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
+  from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
+  IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
+  come for IKEv1 to go into retirement and to cede its place to the much more
+  robust, powerful and versatile IKEv2 protocol!
+
+- Added new ctr, ccm and gcm plugins providing Counter, Counter with CBC-MAC
+  and Galois/Counter Modes based on existing CBC implementations. These
+  new plugins bring support for AES and Camellia Counter and CCM algorithms
+  and the AES GCM algorithms for use in IKEv2.
+
+- The new pkcs11 plugin brings full Smartcard support to the IKEv2 daemon and
+  the pki utility using one or more PKCS#11 libraries. It currently supports
+  RSA private and public key operations and loads X.509 certificates from
+  tokens.
+
+- Implemented a general purpose TLS stack based on crypto and credential
+  primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2,
+  ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and RSA/ECDSA based
+  client authentication.
+
+- Based on libtls, the eap-tls plugin brings certificate based EAP
+  authentication for client and server. It is compatible to Windows 7 IKEv2
+  Smartcard authentication and the OpenSSL based FreeRADIUS EAP-TLS backend.
+
+- Implemented the TNCCS 1.1 Trusted Network Connect protocol using the
+  libtnc library on the strongSwan client and server side via the tnccs_11
+  plugin and optionally connecting to a TNC@FHH-enhanced FreeRADIUS AAA server.
+  Depending on the resulting TNC Recommendation, strongSwan clients are granted
+  access to a network behind a strongSwan gateway (allow), are put into a
+  remediation zone (isolate) or are blocked (none), respectively. Any number
+  of Integrity Measurement Collector/Verifier pairs can be attached
+  via the tnc-imc and tnc-imv charon plugins.
+
+- The IKEv1 daemon pluto now uses the same kernel interfaces as the IKEv2
+  daemon charon. As a result of this, pluto now supports xfrm marks which
+  were introduced in charon with 4.4.1.
+
+- Applets for Maemo 5 (Nokia) allow to easily configure and control IKEv2
+  based VPN connections with EAP authentication on supported devices.
+
+- The RADIUS plugin eap-radius now supports multiple RADIUS servers for
+  redundant setups. Servers are selected by a defined priority, server load and
+  availability.
+
+- The simple led plugin controls hardware LEDs through the Linux LED subsystem.
+  It currently shows activity of the IKE daemon and is a good example how to
+  implement a simple event listener.
+
+- Improved MOBIKE behavior in several corner cases, for instance, if the
+  initial responder moves to a different address.
+
+- Fixed left-/rightnexthop option, which was broken since 4.4.0.
+
+- Fixed a bug not releasing a virtual IP address to a pool if the XAUTH
+  identity was different from the IKE identity.
+
+- Fixed the alignment of ModeConfig messages on 4-byte boundaries in the
+  case where the attributes are not a multiple of 4 bytes (e.g. Cisco's
+  UNITY_BANNER).
+
+- Fixed the interoperability of the socket_raw and socket_default
+  charon plugins.
+
+- Added man page for strongswan.conf
+
+
 strongswan-4.4.1
 ----------------
 
@@ -761,7 +832,7 @@ strongswan-4.1.7
 
 - Preview of strongSwan Manager, a web based configuration and monitoring
   application. It uses a new XML control interface to query the IKEv2 daemon
-  (see http://trac.strongswan.org/wiki/Manager).
+  (see http://wiki.strongswan.org/wiki/Manager).
 
 - Experimental SQLite configuration backend which will provide the configuration
   interface for strongSwan Manager in future releases.
diff --git a/README b/README
index 101e4838c..1d186afd9 100644
--- a/README
+++ b/README
@@ -81,7 +81,7 @@ Contents
 strongSwan is an OpenSource IPsec solution for the Linux operating system
 and currently supports the following features:
 
-  * runs both on Linux 2.4 (KLIPS) and Linux 2.6 (native IPsec) kernels.
+  * runs on Linux 2.6 (native IPsec) kernels.
 
   * strong 3DES, AES, Serpent, Twofish, or Blowfish encryption.
 
@@ -2656,9 +2656,6 @@ with the line
 
 and can be used when the following prerequisites are fulfilled:
 
-  - Linux 2.4.x kernel, KLIPS IPsec stack, and arbitrary iptables version.
-    Filtering of tunneled traffic is based on ipsecN interfaces.
-
   - Linux 2.6.16 kernel or newer, native NETKEY IPsec stack, and
     iptables-1.3.5 or newer. Filtering of tunneled traffic is based on
     IPsec policy matching rules.
diff --git a/TODO b/TODO
index c398ebab8..6b626e9ff 100644
--- a/TODO
+++ b/TODO
@@ -5,7 +5,7 @@
 This is a TODO list we should keep in mind. A roadmap of the strongSwan
 project is available online at:
 
-             http://trac.strongswan.org/roadmap
+        http://wiki.strongswan.org/projects/strongswan/roadmap
 
 Certificate support
 -------------------
diff --git a/aclocal.m4 b/aclocal.m4
index 23b7e59ee..9d68d0d80 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -13,14 +13,14 @@
 
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.65],,
-[m4_warning([this file was generated for autoconf 2.65.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.67],,
+[m4_warning([this file was generated for autoconf 2.67.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically `autoreconf'.])])
 
-# lib-prefix.m4 serial 5 (gettext-0.15)
-dnl Copyright (C) 2001-2005 Free Software Foundation, Inc.
+# lib-prefix.m4 serial 7 (gettext-0.18)
+dnl Copyright (C) 2001-2005, 2008-2010 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
 dnl with or without modifications, as long as this notice is preserved.
@@ -174,38 +174,78 @@ AC_DEFUN([AC_LIB_WITH_FINAL_PREFIX],
   prefix="$acl_save_prefix"
 ])
 
-dnl AC_LIB_PREPARE_MULTILIB creates a variable acl_libdirstem, containing
-dnl the basename of the libdir, either "lib" or "lib64".
+dnl AC_LIB_PREPARE_MULTILIB creates
+dnl - a variable acl_libdirstem, containing the basename of the libdir, either
+dnl   "lib" or "lib64" or "lib/64",
+dnl - a variable acl_libdirstem2, as a secondary possible value for
+dnl   acl_libdirstem, either the same as acl_libdirstem or "lib/sparcv9" or
+dnl   "lib/amd64".
 AC_DEFUN([AC_LIB_PREPARE_MULTILIB],
 [
-  dnl There is no formal standard regarding lib and lib64. The current
-  dnl practice is that on a system supporting 32-bit and 64-bit instruction
-  dnl sets or ABIs, 64-bit libraries go under $prefix/lib64 and 32-bit
-  dnl libraries go under $prefix/lib. We determine the compiler's default
-  dnl mode by looking at the compiler's library search path. If at least
-  dnl of its elements ends in /lib64 or points to a directory whose absolute
-  dnl pathname ends in /lib64, we assume a 64-bit ABI. Otherwise we use the
-  dnl default, namely "lib".
+  dnl There is no formal standard regarding lib and lib64.
+  dnl On glibc systems, the current practice is that on a system supporting
+  dnl 32-bit and 64-bit instruction sets or ABIs, 64-bit libraries go under
+  dnl $prefix/lib64 and 32-bit libraries go under $prefix/lib. We determine
+  dnl the compiler's default mode by looking at the compiler's library search
+  dnl path. If at least one of its elements ends in /lib64 or points to a
+  dnl directory whose absolute pathname ends in /lib64, we assume a 64-bit ABI.
+  dnl Otherwise we use the default, namely "lib".
+  dnl On Solaris systems, the current practice is that on a system supporting
+  dnl 32-bit and 64-bit instruction sets or ABIs, 64-bit libraries go under
+  dnl $prefix/lib/64 (which is a symlink to either $prefix/lib/sparcv9 or
+  dnl $prefix/lib/amd64) and 32-bit libraries go under $prefix/lib.
+  AC_REQUIRE([AC_CANONICAL_HOST])
   acl_libdirstem=lib
-  searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
-  if test -n "$searchpath"; then
-    acl_save_IFS="${IFS= 	}"; IFS=":"
-    for searchdir in $searchpath; do
-      if test -d "$searchdir"; then
-        case "$searchdir" in
-          */lib64/ | */lib64 ) acl_libdirstem=lib64 ;;
-          *) searchdir=`cd "$searchdir" && pwd`
-             case "$searchdir" in
-               */lib64 ) acl_libdirstem=lib64 ;;
-             esac ;;
+  acl_libdirstem2=
+  case "$host_os" in
+    solaris*)
+      dnl See Solaris 10 Software Developer Collection > Solaris 64-bit Developer's Guide > The Development Environment
+      dnl <http://docs.sun.com/app/docs/doc/816-5138/dev-env?l=en&a=view>.
+      dnl "Portable Makefiles should refer to any library directories using the 64 symbolic link."
+      dnl But we want to recognize the sparcv9 or amd64 subdirectory also if the
+      dnl symlink is missing, so we set acl_libdirstem2 too.
+      AC_CACHE_CHECK([for 64-bit host], [gl_cv_solaris_64bit],
+        [AC_EGREP_CPP([sixtyfour bits], [
+#ifdef _LP64
+sixtyfour bits
+#endif
+           ], [gl_cv_solaris_64bit=yes], [gl_cv_solaris_64bit=no])
+        ])
+      if test $gl_cv_solaris_64bit = yes; then
+        acl_libdirstem=lib/64
+        case "$host_cpu" in
+          sparc*)        acl_libdirstem2=lib/sparcv9 ;;
+          i*86 | x86_64) acl_libdirstem2=lib/amd64 ;;
         esac
       fi
-    done
-    IFS="$acl_save_IFS"
-  fi
+      ;;
+    *)
+      searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
+      if test -n "$searchpath"; then
+        acl_save_IFS="${IFS= 	}"; IFS=":"
+        for searchdir in $searchpath; do
+          if test -d "$searchdir"; then
+            case "$searchdir" in
+              */lib64/ | */lib64 ) acl_libdirstem=lib64 ;;
+              */../ | */.. )
+                # Better ignore directories of this form. They are misleading.
+                ;;
+              *) searchdir=`cd "$searchdir" && pwd`
+                 case "$searchdir" in
+                   */lib64 ) acl_libdirstem=lib64 ;;
+                 esac ;;
+            esac
+          fi
+        done
+        IFS="$acl_save_IFS"
+      fi
+      ;;
+  esac
+  test -n "$acl_libdirstem2" || acl_libdirstem2="$acl_libdirstem"
 ])
 
 # pkg.m4 - Macros to locate and utilise pkg-config.            -*- Autoconf -*-
+# serial 1 (pkg-config-0.24)
 # 
 # Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
 #
@@ -233,7 +273,10 @@ AC_DEFUN([AC_LIB_PREPARE_MULTILIB],
 AC_DEFUN([PKG_PROG_PKG_CONFIG],
 [m4_pattern_forbid([^_?PKG_[A-Z_]+$])
 m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
-AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl
+AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
+AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
+AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
+
 if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
 	AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
 fi
@@ -246,7 +289,6 @@ if test -n "$PKG_CONFIG"; then
 		AC_MSG_RESULT([no])
 		PKG_CONFIG=""
 	fi
-		
 fi[]dnl
 ])# PKG_PROG_PKG_CONFIG
 
@@ -255,34 +297,31 @@ fi[]dnl
 # Check to see whether a particular set of modules exists.  Similar
 # to PKG_CHECK_MODULES(), but does not set variables or print errors.
 #
-#
-# Similar to PKG_CHECK_MODULES, make sure that the first instance of
-# this or PKG_CHECK_MODULES is called, or make sure to call
-# PKG_CHECK_EXISTS manually
+# Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+# only at the first occurence in configure.ac, so if the first place
+# it's called might be skipped (such as if it is within an "if", you
+# have to call PKG_CHECK_EXISTS manually
 # --------------------------------------------------------------
 AC_DEFUN([PKG_CHECK_EXISTS],
 [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
 if test -n "$PKG_CONFIG" && \
     AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
-  m4_ifval([$2], [$2], [:])
+  m4_default([$2], [:])
 m4_ifvaln([$3], [else
   $3])dnl
 fi])
 
-
 # _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
 # ---------------------------------------------
 m4_define([_PKG_CONFIG],
-[if test -n "$PKG_CONFIG"; then
-    if test -n "$$1"; then
-        pkg_cv_[]$1="$$1"
-    else
-        PKG_CHECK_EXISTS([$3],
-                         [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
-			 [pkg_failed=yes])
-    fi
-else
-	pkg_failed=untried
+[if test -n "$$1"; then
+    pkg_cv_[]$1="$$1"
+ elif test -n "$PKG_CONFIG"; then
+    PKG_CHECK_EXISTS([$3],
+                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
+		     [pkg_failed=yes])
+ else
+    pkg_failed=untried
 fi[]dnl
 ])# _PKG_CONFIG
 
@@ -324,16 +363,17 @@ and $1[]_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.])
 
 if test $pkg_failed = yes; then
+   	AC_MSG_RESULT([no])
         _PKG_SHORT_ERRORS_SUPPORTED
         if test $_pkg_short_errors_supported = yes; then
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"`
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "$2" 2>&1`
         else 
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"`
+	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors "$2" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
 
-	ifelse([$4], , [AC_MSG_ERROR(dnl
+	m4_default([$4], [AC_MSG_ERROR(
 [Package requirements ($2) were not met:
 
 $$1_PKG_ERRORS
@@ -341,25 +381,24 @@ $$1_PKG_ERRORS
 Consider adjusting the PKG_CONFIG_PATH environment variable if you
 installed software in a non-standard prefix.
 
-_PKG_TEXT
-])],
-		[AC_MSG_RESULT([no])
-                $4])
+_PKG_TEXT])dnl
+        ])
 elif test $pkg_failed = untried; then
-	ifelse([$4], , [AC_MSG_FAILURE(dnl
+     	AC_MSG_RESULT([no])
+	m4_default([$4], [AC_MSG_FAILURE(
 [The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
 _PKG_TEXT
 
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.])],
-		[$4])
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.])dnl
+        ])
 else
 	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
 	$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
         AC_MSG_RESULT([yes])
-	ifelse([$3], , :, [$3])
+	$3
 fi[]dnl
 ])# PKG_CHECK_MODULES
 
diff --git a/config.guess b/config.guess
index e3a2116a7..c2246a4f7 100755
--- a/config.guess
+++ b/config.guess
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
 #   Free Software Foundation, Inc.
 
-timestamp='2009-06-10'
+timestamp='2009-12-30'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -27,16 +27,16 @@ timestamp='2009-06-10'
 # the same distribution terms that you use for the rest of that program.
 
 
-# Originally written by Per Bothner <per@bothner.com>.
-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
+# Originally written by Per Bothner.  Please send patches (context
+# diff format) to <config-patches@gnu.org> and include a ChangeLog
+# entry.
 #
 # This script attempts to guess a canonical system name similar to
 # config.sub.  If it succeeds, it prints the system name on stdout, and
 # exits with 0.  Otherwise, it exits with 1.
 #
-# The plan is that this can be called by configure scripts if you
-# don't specify an explicit build system type.
+# You can get the latest version of this script from:
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
 
 me=`echo "$0" | sed -e 's,.*/,,'`
 
@@ -56,8 +56,9 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
-2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
+Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -333,6 +334,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
 	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
 	exit ;;
+    i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*)
+	echo i386-pc-auroraux${UNAME_RELEASE}
+	exit ;;
     i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
 	eval $set_cc_for_build
 	SUN_ARCH="i386"
@@ -807,12 +811,12 @@ EOF
     i*:PW*:*)
 	echo ${UNAME_MACHINE}-pc-pw32
 	exit ;;
-    *:Interix*:[3456]*)
+    *:Interix*:*)
     	case ${UNAME_MACHINE} in
 	    x86)
 		echo i586-pc-interix${UNAME_RELEASE}
 		exit ;;
-	    EM64T | authenticamd | genuineintel)
+	    authenticamd | genuineintel | EM64T)
 		echo x86_64-unknown-interix${UNAME_RELEASE}
 		exit ;;
 	    IA64)
@@ -854,6 +858,20 @@ EOF
     i*86:Minix:*:*)
 	echo ${UNAME_MACHINE}-pc-minix
 	exit ;;
+    alpha:Linux:*:*)
+	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+	  EV5)   UNAME_MACHINE=alphaev5 ;;
+	  EV56)  UNAME_MACHINE=alphaev56 ;;
+	  PCA56) UNAME_MACHINE=alphapca56 ;;
+	  PCA57) UNAME_MACHINE=alphapca56 ;;
+	  EV6)   UNAME_MACHINE=alphaev6 ;;
+	  EV67)  UNAME_MACHINE=alphaev67 ;;
+	  EV68*) UNAME_MACHINE=alphaev68 ;;
+        esac
+	objdump --private-headers /bin/sh | grep -q ld.so.1
+	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+	exit ;;
     arm*:Linux:*:*)
 	eval $set_cc_for_build
 	if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
@@ -876,6 +894,17 @@ EOF
     frv:Linux:*:*)
     	echo frv-unknown-linux-gnu
 	exit ;;
+    i*86:Linux:*:*)
+	LIBC=gnu
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#ifdef __dietlibc__
+	LIBC=dietlibc
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
+	echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+	exit ;;
     ia64:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
@@ -901,39 +930,18 @@ EOF
 	#endif
 	#endif
 EOF
-	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
-	    /^CPU/{
-		s: ::g
-		p
-	    }'`"
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
 	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
 	;;
     or32:Linux:*:*)
 	echo or32-unknown-linux-gnu
 	exit ;;
-    ppc:Linux:*:*)
-	echo powerpc-unknown-linux-gnu
-	exit ;;
-    ppc64:Linux:*:*)
-	echo powerpc64-unknown-linux-gnu
-	exit ;;
-    alpha:Linux:*:*)
-	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
-	  EV5)   UNAME_MACHINE=alphaev5 ;;
-	  EV56)  UNAME_MACHINE=alphaev56 ;;
-	  PCA56) UNAME_MACHINE=alphapca56 ;;
-	  PCA57) UNAME_MACHINE=alphapca56 ;;
-	  EV6)   UNAME_MACHINE=alphaev6 ;;
-	  EV67)  UNAME_MACHINE=alphaev67 ;;
-	  EV68*) UNAME_MACHINE=alphaev68 ;;
-        esac
-	objdump --private-headers /bin/sh | grep -q ld.so.1
-	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
-	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
-	exit ;;
     padre:Linux:*:*)
 	echo sparc-unknown-linux-gnu
 	exit ;;
+    parisc64:Linux:*:* | hppa64:Linux:*:*)
+	echo hppa64-unknown-linux-gnu
+	exit ;;
     parisc:Linux:*:* | hppa:Linux:*:*)
 	# Look for CPU level
 	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
@@ -942,8 +950,11 @@ EOF
 	  *)    echo hppa-unknown-linux-gnu ;;
 	esac
 	exit ;;
-    parisc64:Linux:*:* | hppa64:Linux:*:*)
-	echo hppa64-unknown-linux-gnu
+    ppc64:Linux:*:*)
+	echo powerpc64-unknown-linux-gnu
+	exit ;;
+    ppc:Linux:*:*)
+	echo powerpc-unknown-linux-gnu
 	exit ;;
     s390:Linux:*:* | s390x:Linux:*:*)
 	echo ${UNAME_MACHINE}-ibm-linux
@@ -966,58 +977,6 @@ EOF
     xtensa*:Linux:*:*)
     	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
-    i*86:Linux:*:*)
-	# The BFD linker knows what the default object file format is, so
-	# first see if it will tell us. cd to the root directory to prevent
-	# problems with other programs or directories called `ld' in the path.
-	# Set LC_ALL=C to ensure ld outputs messages in English.
-	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
-			 | sed -ne '/supported targets:/!d
-				    s/[ 	][ 	]*/ /g
-				    s/.*supported targets: *//
-				    s/ .*//
-				    p'`
-        case "$ld_supported_targets" in
-	  elf32-i386)
-		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
-		;;
-	esac
-	# Determine whether the default compiler is a.out or elf
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <features.h>
-	#ifdef __ELF__
-	# ifdef __GLIBC__
-	#  if __GLIBC__ >= 2
-	LIBC=gnu
-	#  else
-	LIBC=gnulibc1
-	#  endif
-	# else
-	LIBC=gnulibc1
-	# endif
-	#else
-	#if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
-	LIBC=gnu
-	#else
-	LIBC=gnuaout
-	#endif
-	#endif
-	#ifdef __dietlibc__
-	LIBC=dietlibc
-	#endif
-EOF
-	eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
-	    /^LIBC/{
-		s: ::g
-		p
-	    }'`"
-	test x"${LIBC}" != x && {
-		echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
-		exit
-	}
-	test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
-	;;
     i*86:DYNIX/ptx:4*:*)
 	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
 	# earlier versions are messed up and put the nodename in both
@@ -1247,6 +1206,16 @@ EOF
     *:Darwin:*:*)
 	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
 	case $UNAME_PROCESSOR in
+	    i386)
+		eval $set_cc_for_build
+		if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+		  if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
+		      (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+		      grep IS_64BIT_ARCH >/dev/null
+		  then
+		      UNAME_PROCESSOR="x86_64"
+		  fi
+		fi ;;
 	    unknown) UNAME_PROCESSOR=powerpc ;;
 	esac
 	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
diff --git a/config.sub b/config.sub
index eb0389a69..c2d125724 100755
--- a/config.sub
+++ b/config.sub
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
 #   Free Software Foundation, Inc.
 
-timestamp='2009-06-11'
+timestamp='2010-01-22'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -32,13 +32,16 @@ timestamp='2009-06-11'
 
 
 # Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
+# diff and a properly formatted GNU ChangeLog entry.
 #
 # Configuration subroutine to validate and canonicalize a configuration type.
 # Supply the specified configuration type as an argument.
 # If it is invalid, we print an error message on stderr and exit with code 1.
 # Otherwise, we print the canonical config type on stdout and succeed.
 
+# You can get the latest version of this script from:
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+
 # This file is supposed to be the same for all GNU packages
 # and recognize all the CPU types, system types and aliases
 # that are meaningful with *any* GNU software.
@@ -72,8 +75,9 @@ Report bugs and patches to <config-patches@gnu.org>."
 version="\
 GNU config.sub ($timestamp)
 
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
-2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free
+Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -149,7 +153,7 @@ case $os in
 	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
 	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
 	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-	-apple | -axis | -knuth | -cray)
+	-apple | -axis | -knuth | -cray | -microblaze)
 		os=
 		basic_machine=$1
 		;;
@@ -284,6 +288,7 @@ case $basic_machine in
 	| pdp10 | pdp11 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
 	| pyramid \
+	| rx \
 	| score \
 	| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
@@ -291,13 +296,14 @@ case $basic_machine in
 	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
 	| spu | strongarm \
 	| tahoe | thumb | tic4x | tic80 | tron \
+	| ubicom32 \
 	| v850 | v850e \
 	| we32k \
 	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
 	| z8k | z80)
 		basic_machine=$basic_machine-unknown
 		;;
-	m6811 | m68hc11 | m6812 | m68hc12)
+	m6811 | m68hc11 | m6812 | m68hc12 | picochip)
 		# Motorola 68HC11/12.
 		basic_machine=$basic_machine-unknown
 		os=-none
@@ -340,7 +346,7 @@ case $basic_machine in
 	| lm32-* \
 	| m32c-* | m32r-* | m32rle-* \
 	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-	| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
 	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
 	| mips16-* \
 	| mips64-* | mips64el-* \
@@ -368,15 +374,17 @@ case $basic_machine in
 	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
 	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
 	| pyramid-* \
-	| romp-* | rs6000-* \
+	| romp-* | rs6000-* | rx-* \
 	| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
 	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
 	| sparclite-* \
 	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
 	| tahoe-* | thumb-* \
-	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* | tile-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tile-* | tilegx-* \
 	| tron-* \
+	| ubicom32-* \
 	| v850-* | v850e-* | vax-* \
 	| we32k-* \
 	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
@@ -726,6 +734,9 @@ case $basic_machine in
 		basic_machine=ns32k-utek
 		os=-sysv
 		;;
+        microblaze)
+		basic_machine=microblaze-xilinx
+		;;
 	mingw32)
 		basic_machine=i386-pc
 		os=-mingw32
@@ -1076,6 +1087,11 @@ case $basic_machine in
 		basic_machine=tic6x-unknown
 		os=-coff
 		;;
+        # This must be matched before tile*.
+        tilegx*)
+		basic_machine=tilegx-unknown
+		os=-linux-gnu
+		;;
 	tile*)
 		basic_machine=tile-unknown
 		os=-linux-gnu
@@ -1247,6 +1263,9 @@ case $os in
         # First match some system type aliases
         # that might get confused with valid system types.
 	# -solaris* is a basic system type, with this one exception.
+        -auroraux)
+	        os=-auroraux
+		;;
 	-solaris1 | -solaris1.*)
 		os=`echo $os | sed -e 's|solaris1|sunos4|'`
 		;;
@@ -1268,8 +1287,8 @@ case $os in
 	# -sysv* is not here because it comes later, after sysvr4.
 	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
 	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
-	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
-	      | -kopensolaris* \
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
+	      | -sym* | -kopensolaris* \
 	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
 	      | -aos* | -aros* \
 	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
@@ -1290,7 +1309,7 @@ case $os in
 	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
 	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
 	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
-	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops*)
+	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
 	# Remember, each alternative MUST END IN *, to match a version number.
 		;;
 	-qnx*)
@@ -1423,6 +1442,8 @@ case $os in
 	-dicos*)
 		os=-dicos
 		;;
+        -nacl*)
+	        ;;
 	-none)
 		;;
 	*)
diff --git a/configure b/configure
index 64ecd2c57..d823c3045 100755
--- a/configure
+++ b/configure
@@ -1,11 +1,11 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.65 for strongSwan 4.4.1.
+# Generated by GNU Autoconf 2.67 for strongSwan 4.5.0.
 #
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software
+# Foundation, Inc.
 #
 #
 # This configure script is free software; the Free Software Foundation
@@ -316,7 +316,7 @@ $as_echo X"$as_dir" |
       test -d "$as_dir" && break
     done
     test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || as_fn_error "cannot create directory $as_dir"
+  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
 
 
 } # as_fn_mkdir_p
@@ -356,19 +356,19 @@ else
 fi # as_fn_arith
 
 
-# as_fn_error ERROR [LINENO LOG_FD]
-# ---------------------------------
+# as_fn_error STATUS ERROR [LINENO LOG_FD]
+# ----------------------------------------
 # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
 # provided, also output the error to LOG_FD, referencing LINENO. Then exit the
-# script with status $?, using 1 if that was 0.
+# script with STATUS, using 1 if that was 0.
 as_fn_error ()
 {
-  as_status=$?; test $as_status -eq 0 && as_status=1
-  if test "$3"; then
-    as_lineno=${as_lineno-"$2"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-    $as_echo "$as_me:${as_lineno-$LINENO}: error: $1" >&$3
+  as_status=$1; test $as_status -eq 0 && as_status=1
+  if test "$4"; then
+    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
   fi
-  $as_echo "$as_me: error: $1" >&2
+  $as_echo "$as_me: error: $2" >&2
   as_fn_exit $as_status
 } # as_fn_error
 
@@ -679,7 +679,7 @@ test -n "$DJDIR" || exec 7<&0 </dev/null
 exec 6>&1
 
 # Name of the host.
-# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
+# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
 # so uname gets run too.
 ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
 
@@ -698,8 +698,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.4.1'
-PACKAGE_STRING='strongSwan 4.4.1'
+PACKAGE_VERSION='4.5.0'
+PACKAGE_STRING='strongSwan 4.5.0'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -745,6 +745,8 @@ LTLIBOBJS
 LIBOBJS
 MONOLITHIC_FALSE
 MONOLITHIC_TRUE
+USE_TLS_FALSE
+USE_TLS_TRUE
 USE_SIMAKA_FALSE
 USE_SIMAKA_TRUE
 USE_VSTR_FALSE
@@ -797,6 +799,14 @@ USE_XAUTH_FALSE
 USE_XAUTH_TRUE
 USE_RESOLVE_FALSE
 USE_RESOLVE_TRUE
+USE_KERNEL_PFROUTE_FALSE
+USE_KERNEL_PFROUTE_TRUE
+USE_KERNEL_PFKEY_FALSE
+USE_KERNEL_PFKEY_TRUE
+USE_KERNEL_NETLINK_FALSE
+USE_KERNEL_NETLINK_TRUE
+USE_KERNEL_KLIPS_FALSE
+USE_KERNEL_KLIPS_TRUE
 USE_ATTR_SQL_FALSE
 USE_ATTR_SQL_TRUE
 USE_ATTR_FALSE
@@ -811,16 +821,22 @@ USE_SOCKET_RAW_FALSE
 USE_SOCKET_RAW_TRUE
 USE_SOCKET_DEFAULT_FALSE
 USE_SOCKET_DEFAULT_TRUE
-USE_KERNEL_KLIPS_FALSE
-USE_KERNEL_KLIPS_TRUE
-USE_KERNEL_PFROUTE_FALSE
-USE_KERNEL_PFROUTE_TRUE
-USE_KERNEL_PFKEY_FALSE
-USE_KERNEL_PFKEY_TRUE
-USE_KERNEL_NETLINK_FALSE
-USE_KERNEL_NETLINK_TRUE
+USE_TNCCS_20_FALSE
+USE_TNCCS_20_TRUE
+USE_TNCCS_11_FALSE
+USE_TNCCS_11_TRUE
+USE_TNC_IMV_FALSE
+USE_TNC_IMV_TRUE
+USE_TNC_IMC_FALSE
+USE_TNC_IMC_TRUE
 USE_EAP_RADIUS_FALSE
 USE_EAP_RADIUS_TRUE
+USE_EAP_TNC_FALSE
+USE_EAP_TNC_TRUE
+USE_EAP_TTLS_FALSE
+USE_EAP_TTLS_TRUE
+USE_EAP_TLS_FALSE
+USE_EAP_TLS_TRUE
 USE_EAP_MSCHAPV2_FALSE
 USE_EAP_MSCHAPV2_TRUE
 USE_EAP_AKA_3GPP2_FALSE
@@ -843,6 +859,8 @@ USE_EAP_SIM_FILE_FALSE
 USE_EAP_SIM_FILE_TRUE
 USE_EAP_SIM_FALSE
 USE_EAP_SIM_TRUE
+USE_LED_FALSE
+USE_LED_TRUE
 USE_HA_FALSE
 USE_HA_TRUE
 USE_LOAD_TESTER_FALSE
@@ -857,6 +875,8 @@ USE_SQL_FALSE
 USE_SQL_TRUE
 USE_SMP_FALSE
 USE_SMP_TRUE
+USE_MAEMO_FALSE
+USE_MAEMO_TRUE
 USE_ANDROID_FALSE
 USE_ANDROID_TRUE
 USE_UCI_FALSE
@@ -869,6 +889,14 @@ USE_MEDSRV_FALSE
 USE_MEDSRV_TRUE
 USE_STROKE_FALSE
 USE_STROKE_TRUE
+USE_GCM_FALSE
+USE_GCM_TRUE
+USE_CCM_FALSE
+USE_CCM_TRUE
+USE_CTR_FALSE
+USE_CTR_TRUE
+USE_PKCS11_FALSE
+USE_PKCS11_TRUE
 USE_AGENT_FALSE
 USE_AGENT_TRUE
 USE_GCRYPT_FALSE
@@ -925,11 +953,24 @@ USE_CURL_FALSE
 USE_CURL_TRUE
 USE_TEST_VECTORS_FALSE
 USE_TEST_VECTORS_TRUE
+s_plugins
+h_plugins
+p_plugins
+c_plugins
+medsrv_plugins
+manager_plugins
+scripts_plugins
+pki_plugins
+scepclient_plugins
+openac_plugins
+pool_plugins
 pluto_plugins
-libhydra_plugins
-libstrongswan_plugins
+libcharon_plugins
 nm_LIBS
 nm_CFLAGS
+dbusservicedir
+maemo_LIBS
+maemo_CFLAGS
 MYSQLCFLAG
 MYSQLLIB
 MYSQLCONFIG
@@ -1012,6 +1053,8 @@ strongswan_conf
 urandom_device
 random_device
 default_pkcs11
+PKG_CONFIG_LIBDIR
+PKG_CONFIG_PATH
 PKG_CONFIG
 am__untar
 am__tar
@@ -1140,7 +1183,14 @@ enable_eap_gtc
 enable_eap_aka
 enable_eap_aka_3gpp2
 enable_eap_mschapv2
+enable_eap_tls
+enable_eap_ttls
+enable_eap_tnc
 enable_eap_radius
+enable_tnc_imc
+enable_tnc_imv
+enable_tnccs_11
+enable_tnccs_20
 enable_kernel_netlink
 enable_kernel_pfkey
 enable_kernel_pfroute
@@ -1173,11 +1223,17 @@ enable_padlock
 enable_openssl
 enable_gcrypt
 enable_agent
+enable_pkcs11
+enable_ctr
+enable_ccm
+enable_gcm
 enable_addrblock
 enable_uci
 enable_android
+enable_maemo
 enable_nm
 enable_ha
+enable_led
 enable_vstr
 enable_monolithic
 enable_dependency_tracking
@@ -1193,6 +1249,8 @@ enable_libtool_lock
 host_alias
 target_alias
 PKG_CONFIG
+PKG_CONFIG_PATH
+PKG_CONFIG_LIBDIR
 CC
 CFLAGS
 LDFLAGS
@@ -1205,6 +1263,8 @@ xml_CFLAGS
 xml_LIBS
 gtk_CFLAGS
 gtk_LIBS
+maemo_CFLAGS
+maemo_LIBS
 nm_CFLAGS
 nm_LIBS'
 
@@ -1269,8 +1329,9 @@ do
   fi
 
   case $ac_option in
-  *=*)	ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
-  *)	ac_optarg=yes ;;
+  *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+  *=)   ac_optarg= ;;
+  *)    ac_optarg=yes ;;
   esac
 
   # Accept the important Cygnus configure options, so we can diagnose typos.
@@ -1315,7 +1376,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      as_fn_error "invalid feature name: $ac_useropt"
+      as_fn_error $? "invalid feature name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1341,7 +1402,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      as_fn_error "invalid feature name: $ac_useropt"
+      as_fn_error $? "invalid feature name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1545,7 +1606,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      as_fn_error "invalid package name: $ac_useropt"
+      as_fn_error $? "invalid package name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1561,7 +1622,7 @@ do
     ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
     # Reject names that are not valid shell variable names.
     expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      as_fn_error "invalid package name: $ac_useropt"
+      as_fn_error $? "invalid package name: $ac_useropt"
     ac_useropt_orig=$ac_useropt
     ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
     case $ac_user_opts in
@@ -1591,8 +1652,8 @@ do
   | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
     x_libraries=$ac_optarg ;;
 
-  -*) as_fn_error "unrecognized option: \`$ac_option'
-Try \`$0 --help' for more information."
+  -*) as_fn_error $? "unrecognized option: \`$ac_option'
+Try \`$0 --help' for more information"
     ;;
 
   *=*)
@@ -1600,7 +1661,7 @@ Try \`$0 --help' for more information."
     # Reject names that are not valid shell variable names.
     case $ac_envvar in #(
       '' | [0-9]* | *[!_$as_cr_alnum]* )
-      as_fn_error "invalid variable name: \`$ac_envvar'" ;;
+      as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
     esac
     eval $ac_envvar=\$ac_optarg
     export $ac_envvar ;;
@@ -1618,13 +1679,13 @@ done
 
 if test -n "$ac_prev"; then
   ac_option=--`echo $ac_prev | sed 's/_/-/g'`
-  as_fn_error "missing argument to $ac_option"
+  as_fn_error $? "missing argument to $ac_option"
 fi
 
 if test -n "$ac_unrecognized_opts"; then
   case $enable_option_checking in
     no) ;;
-    fatal) as_fn_error "unrecognized options: $ac_unrecognized_opts" ;;
+    fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
     *)     $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
   esac
 fi
@@ -1647,7 +1708,7 @@ do
     [\\/$]* | ?:[\\/]* )  continue;;
     NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
   esac
-  as_fn_error "expected an absolute directory name for --$ac_var: $ac_val"
+  as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
 done
 
 # There might be people who depend on the old broken behavior: `$host'
@@ -1661,8 +1722,8 @@ target=$target_alias
 if test "x$host_alias" != x; then
   if test "x$build_alias" = x; then
     cross_compiling=maybe
-    $as_echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
-    If a cross compiler is detected then cross compile mode will be used." >&2
+    $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host.
+    If a cross compiler is detected then cross compile mode will be used" >&2
   elif test "x$build_alias" != "x$host_alias"; then
     cross_compiling=yes
   fi
@@ -1677,9 +1738,9 @@ test "$silent" = yes && exec 6>/dev/null
 ac_pwd=`pwd` && test -n "$ac_pwd" &&
 ac_ls_di=`ls -di .` &&
 ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
-  as_fn_error "working directory cannot be determined"
+  as_fn_error $? "working directory cannot be determined"
 test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
-  as_fn_error "pwd does not report name of working directory"
+  as_fn_error $? "pwd does not report name of working directory"
 
 
 # Find the source files, if location was not specified.
@@ -1718,11 +1779,11 @@ else
 fi
 if test ! -r "$srcdir/$ac_unique_file"; then
   test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
-  as_fn_error "cannot find sources ($ac_unique_file) in $srcdir"
+  as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
 fi
 ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
 ac_abs_confdir=`(
-	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error "$ac_msg"
+	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
 	pwd)`
 # When building in place, set srcdir=.
 if test "$ac_abs_confdir" = "$ac_pwd"; then
@@ -1748,7 +1809,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 4.4.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.5.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1762,7 +1823,7 @@ Configuration:
       --help=short        display options specific to this package
       --help=recursive    display the short help of all the included packages
   -V, --version           display version information and exit
-  -q, --quiet, --silent   do not print \`checking...' messages
+  -q, --quiet, --silent   do not print \`checking ...' messages
       --cache-file=FILE   cache test results in FILE [disabled]
   -C, --config-cache      alias for \`--cache-file=config.cache'
   -n, --no-create         do not create output files
@@ -1818,7 +1879,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 4.4.1:";;
+     short | recursive ) echo "Configuration of strongSwan 4.5.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1870,7 +1931,7 @@ Optional Features:
   --enable-lock-profiler  enable lock/mutex profiling code.
   --enable-unit-tests     enable unit tests on IKEv2 daemon startup.
   --enable-load-tester    enable load testing plugin for IKEv2 daemon.
-  --enable-eap-sim        enable SIM authenication module for EAP.
+  --enable-eap-sim        enable SIM authentication module for EAP.
   --enable-eap-sim-file   enable EAP-SIM backend based on a triplet file.
   --enable-eap-simaka-sql enable EAP-SIM/AKA backend based on a
                           triplet/quintuplet SQL database.
@@ -1880,13 +1941,20 @@ Optional Features:
                           enable EAP-SIM/AKA reauthentication data storage
                           plugin.
   --enable-eap-identity   enable EAP module providing EAP-Identity helper.
-  --enable-eap-md5        enable EAP MD5 (CHAP) authenication module.
-  --enable-eap-gtc        enable PAM based EAP GTC authenication module.
+  --enable-eap-md5        enable EAP MD5 (CHAP) authentication module.
+  --enable-eap-gtc        enable PAM based EAP GTC authentication module.
   --enable-eap-aka        enable EAP AKA authentication module.
   --enable-eap-aka-3gpp2  enable EAP AKA backend implementing 3GPP2 algorithms
                           in software. Requires libgmp.
-  --enable-eap-mschapv2   enable EAP MS-CHAPv2 authenication module.
-  --enable-eap-radius     enable RADIUS proxy authenication module.
+  --enable-eap-mschapv2   enable EAP MS-CHAPv2 authentication module.
+  --enable-eap-tls        enable EAP TLS authentication module.
+  --enable-eap-ttls       enable EAP TTLS authentication module.
+  --enable-eap-tnc        enable EAP TNC trusted network connect module.
+  --enable-eap-radius     enable RADIUS proxy authentication module.
+  --enable-tnc-imc        enable TNC IMC module.
+  --enable-tnc-imv        enable TNC IMV module.
+  --enable-tnccs-11       enable TNCCS 1.1 protocol module.
+  --enable-tnccs-20       enable TNCCS 2.0 protocol module.
   --disable-kernel-netlink
                           disable the netlink kernel interface.
   --enable-kernel-pfkey   enable the PF_KEY kernel interface.
@@ -1932,11 +2000,18 @@ Optional Features:
   --enable-openssl        enables the OpenSSL crypto plugin.
   --enable-gcrypt         enables the libgcrypt plugin.
   --enable-agent          enables the ssh-agent signing plugin.
+  --enable-pkcs11         enables the PKCS11 token support plugin.
+  --enable-ctr            enables the Counter Mode wrapper crypto plugin.
+  --enable-ccm            enables the CCM AEAD wrapper crypto plugin.
+  --enable-gcm            enables the GCM AEAD wrapper crypto plugin.
   --enable-addrblock      enables RFC 3779 address block constraint support.
   --enable-uci            enable OpenWRT UCI configuration plugin.
   --enable-android        enable Android specific plugin.
+  --enable-maemo          enable Maemo specific plugin.
   --enable-nm             enable NetworkManager plugin.
   --enable-ha             enable high availability cluster plugin.
+  --enable-led            enable plugin to control LEDs on IKEv2 activity
+                          using the Linux kernel LED subsystem.
   --enable-vstr           enforce using the Vstr string library to replace
                           glibc-like printf hooks.
   --enable-monolithic     build monolithic version of libstrongswan that
@@ -2000,6 +2075,10 @@ Optional Packages:
 
 Some influential environment variables:
   PKG_CONFIG  path to pkg-config utility
+  PKG_CONFIG_PATH
+              directories to add to pkg-config's search path
+  PKG_CONFIG_LIBDIR
+              path overriding pkg-config's built-in search path
   CC          C compiler command
   CFLAGS      C compiler flags
   LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
@@ -2017,6 +2096,9 @@ Some influential environment variables:
   xml_LIBS    linker flags for xml, overriding pkg-config
   gtk_CFLAGS  C compiler flags for gtk, overriding pkg-config
   gtk_LIBS    linker flags for gtk, overriding pkg-config
+  maemo_CFLAGS
+              C compiler flags for maemo, overriding pkg-config
+  maemo_LIBS  linker flags for maemo, overriding pkg-config
   nm_CFLAGS   C compiler flags for nm, overriding pkg-config
   nm_LIBS     linker flags for nm, overriding pkg-config
 
@@ -2086,10 +2168,10 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 4.4.1
-generated by GNU Autoconf 2.65
+strongSwan configure 4.5.0
+generated by GNU Autoconf 2.67
 
-Copyright (C) 2009 Free Software Foundation, Inc.
+Copyright (C) 2010 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
@@ -2138,6 +2220,43 @@ fi
 
 } # ac_fn_c_try_compile
 
+# ac_fn_c_try_cpp LINENO
+# ----------------------
+# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_cpp ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  if { { ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
+  ac_status=$?
+  if test -s conftest.err; then
+    grep -v '^ *+' conftest.err >conftest.er1
+    cat conftest.er1 >&5
+    mv -f conftest.er1 conftest.err
+  fi
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } > conftest.i && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then :
+  ac_retval=0
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+    ac_retval=1
+fi
+  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
+  as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_cpp
+
 # ac_fn_c_try_run LINENO
 # ----------------------
 # Try to link conftest.$ac_ext, and return whether this succeeded. Assumes
@@ -2180,43 +2299,6 @@ fi
 
 } # ac_fn_c_try_run
 
-# ac_fn_c_try_cpp LINENO
-# ----------------------
-# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
-ac_fn_c_try_cpp ()
-{
-  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  if { { ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
-  ac_status=$?
-  if test -s conftest.err; then
-    grep -v '^ *+' conftest.err >conftest.er1
-    cat conftest.er1 >&5
-    mv -f conftest.er1 conftest.err
-  fi
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then :
-  ac_retval=0
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-    ac_retval=1
-fi
-  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;}
-  as_fn_set_status $ac_retval
-
-} # ac_fn_c_try_cpp
-
 # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES
 # -------------------------------------------------------
 # Tests whether HEADER exists and can be compiled using the include files in
@@ -2226,7 +2308,7 @@ ac_fn_c_check_header_compile ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$3+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2302,7 +2384,7 @@ ac_fn_c_check_func ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$3+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2370,7 +2452,7 @@ ac_fn_c_check_type ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$3+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   eval "$3=no"
@@ -2423,10 +2505,10 @@ $as_echo "$ac_res" >&6; }
 ac_fn_c_check_header_mongrel ()
 {
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+  if eval "test \"\${$3+set}\"" = set; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$3+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 fi
 eval ac_res=\$$3
@@ -2462,7 +2544,7 @@ if ac_fn_c_try_cpp "$LINENO"; then :
 else
   ac_header_preproc=no
 fi
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.err conftest.i conftest.$ac_ext
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5
 $as_echo "$ac_header_preproc" >&6; }
 
@@ -2489,7 +2571,7 @@ $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
 esac
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
 $as_echo_n "checking for $2... " >&6; }
-if { as_var=$3; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$3+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   eval "$3=\$ac_header_compiler"
@@ -2511,7 +2593,7 @@ ac_fn_c_check_member ()
   as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
 $as_echo_n "checking for $2.$3... " >&6; }
-if { as_var=$4; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${$4+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -2562,8 +2644,8 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 4.4.1, which was
-generated by GNU Autoconf 2.65.  Invocation command line was
+It was created by strongSwan $as_me 4.5.0, which was
+generated by GNU Autoconf 2.67.  Invocation command line was
 
   $ $0 $@
 
@@ -2673,11 +2755,9 @@ trap 'exit_status=$?
   {
     echo
 
-    cat <<\_ASBOX
-## ---------------- ##
+    $as_echo "## ---------------- ##
 ## Cache variables. ##
-## ---------------- ##
-_ASBOX
+## ---------------- ##"
     echo
     # The following way of writing the cache mishandles newlines in values,
 (
@@ -2711,11 +2791,9 @@ $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
 )
     echo
 
-    cat <<\_ASBOX
-## ----------------- ##
+    $as_echo "## ----------------- ##
 ## Output variables. ##
-## ----------------- ##
-_ASBOX
+## ----------------- ##"
     echo
     for ac_var in $ac_subst_vars
     do
@@ -2728,11 +2806,9 @@ _ASBOX
     echo
 
     if test -n "$ac_subst_files"; then
-      cat <<\_ASBOX
-## ------------------- ##
+      $as_echo "## ------------------- ##
 ## File substitutions. ##
-## ------------------- ##
-_ASBOX
+## ------------------- ##"
       echo
       for ac_var in $ac_subst_files
       do
@@ -2746,11 +2822,9 @@ _ASBOX
     fi
 
     if test -s confdefs.h; then
-      cat <<\_ASBOX
-## ----------- ##
+      $as_echo "## ----------- ##
 ## confdefs.h. ##
-## ----------- ##
-_ASBOX
+## ----------- ##"
       echo
       cat confdefs.h
       echo
@@ -2805,7 +2879,12 @@ _ACEOF
 ac_site_file1=NONE
 ac_site_file2=NONE
 if test -n "$CONFIG_SITE"; then
-  ac_site_file1=$CONFIG_SITE
+  # We do not want a PATH search for config.site.
+  case $CONFIG_SITE in #((
+    -*)  ac_site_file1=./$CONFIG_SITE;;
+    */*) ac_site_file1=$CONFIG_SITE;;
+    *)   ac_site_file1=./$CONFIG_SITE;;
+  esac
 elif test "x$prefix" != xNONE; then
   ac_site_file1=$prefix/share/config.site
   ac_site_file2=$prefix/etc/config.site
@@ -2820,7 +2899,11 @@ do
     { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
 $as_echo "$as_me: loading site script $ac_site_file" >&6;}
     sed 's/^/| /' "$ac_site_file" >&5
-    . "$ac_site_file"
+    . "$ac_site_file" \
+      || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "failed to load site script $ac_site_file
+See \`config.log' for more details" "$LINENO" 5 ; }
   fi
 done
 
@@ -2896,7 +2979,7 @@ if $ac_cache_corrupted; then
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
   { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
 $as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-  as_fn_error "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
+  as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
 fi
 ## -------------------- ##
 ## Main body of script. ##
@@ -2913,16 +2996,22 @@ am__api_version='1.11'
 
 ac_aux_dir=
 for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
-  for ac_t in install-sh install.sh shtool; do
-    if test -f "$ac_dir/$ac_t"; then
-      ac_aux_dir=$ac_dir
-      ac_install_sh="$ac_aux_dir/$ac_t -c"
-      break 2
-    fi
-  done
+  if test -f "$ac_dir/install-sh"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install-sh -c"
+    break
+  elif test -f "$ac_dir/install.sh"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install.sh -c"
+    break
+  elif test -f "$ac_dir/shtool"; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/shtool install -c"
+    break
+  fi
 done
 if test -z "$ac_aux_dir"; then
-  as_fn_error "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5
+  as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5
 fi
 
 # These three variables are undocumented and unsupported,
@@ -3038,11 +3127,11 @@ am_lf='
 '
 case `pwd` in
   *[\\\"\#\$\&\'\`$am_lf]*)
-    as_fn_error "unsafe absolute working directory name" "$LINENO" 5;;
+    as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5 ;;
 esac
 case $srcdir in
   *[\\\"\#\$\&\'\`$am_lf\ \	]*)
-    as_fn_error "unsafe srcdir value: \`$srcdir'" "$LINENO" 5;;
+    as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5 ;;
 esac
 
 # Do `set' in a subshell so we don't clobber the current shell's
@@ -3064,7 +3153,7 @@ if (
       # if, for instance, CONFIG_SHELL is bash and it inherits a
       # broken ls alias from the environment.  This has actually
       # happened.  Such a system could not be considered "sane".
-      as_fn_error "ls -t appears to fail.  Make sure there is not a broken
+      as_fn_error $? "ls -t appears to fail.  Make sure there is not a broken
 alias in your environment" "$LINENO" 5
    fi
 
@@ -3074,7 +3163,7 @@ then
    # Ok.
    :
 else
-   as_fn_error "newly created file is older than distributed files!
+   as_fn_error $? "newly created file is older than distributed files!
 Check your system clock" "$LINENO" 5
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
@@ -3312,7 +3401,7 @@ done
 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; }
 set x ${MAKE-make}
 ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
-if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then :
+if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\"" = set; then :
   $as_echo_n "(cached) " >&6
 else
   cat >conftest.make <<\_ACEOF
@@ -3320,7 +3409,7 @@ SHELL = /bin/sh
 all:
 	@echo '@@@%%%=$(MAKE)=@@@%%%'
 _ACEOF
-# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+# GNU make sometimes prints "make[1]: Entering ...", which would confuse us.
 case `${MAKE-make} -f conftest.make 2>/dev/null` in
   *@@@%%%=?*=@@@%%%*)
     eval ac_cv_prog_make_${ac_make}_set=yes;;
@@ -3354,7 +3443,7 @@ if test "`cd $srcdir && pwd`" != "`pwd`"; then
   am__isrc=' -I$(srcdir)'
   # test to see if srcdir already configured
   if test -f $srcdir/config.status; then
-    as_fn_error "source directory already configured; run \"make distclean\" there first" "$LINENO" 5
+    as_fn_error $? "source directory already configured; run \"make distclean\" there first" "$LINENO" 5
   fi
 fi
 
@@ -3370,7 +3459,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='4.4.1'
+ VERSION='4.5.0'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -3494,6 +3583,10 @@ $as_echo "$am_cv_prog_tar_ustar" >&6; }
 
 
 
+
+
+
+
 if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
 	if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
@@ -3606,7 +3699,6 @@ $as_echo "yes" >&6; }
 $as_echo "no" >&6; }
 		PKG_CONFIG=""
 	fi
-
 fi
 
 
@@ -4530,6 +4622,51 @@ else
 fi
 
 
+# Check whether --enable-eap-tls was given.
+if test "${enable_eap_tls+set}" = set; then :
+  enableval=$enable_eap_tls; eap_tls_given=true
+		if test x$enableval = xyes; then
+			eap_tls=true
+		 else
+			eap_tls=false
+		fi
+else
+  eap_tls=false
+		eap_tls_given=false
+
+fi
+
+
+# Check whether --enable-eap-ttls was given.
+if test "${enable_eap_ttls+set}" = set; then :
+  enableval=$enable_eap_ttls; eap_ttls_given=true
+		if test x$enableval = xyes; then
+			eap_ttls=true
+		 else
+			eap_ttls=false
+		fi
+else
+  eap_ttls=false
+		eap_ttls_given=false
+
+fi
+
+
+# Check whether --enable-eap-tnc was given.
+if test "${enable_eap_tnc+set}" = set; then :
+  enableval=$enable_eap_tnc; eap_tnc_given=true
+		if test x$enableval = xyes; then
+			eap_tnc=true
+		 else
+			eap_tnc=false
+		fi
+else
+  eap_tnc=false
+		eap_tnc_given=false
+
+fi
+
+
 # Check whether --enable-eap-radius was given.
 if test "${enable_eap_radius+set}" = set; then :
   enableval=$enable_eap_radius; eap_radius_given=true
@@ -4545,6 +4682,66 @@ else
 fi
 
 
+# Check whether --enable-tnc-imc was given.
+if test "${enable_tnc_imc+set}" = set; then :
+  enableval=$enable_tnc_imc; tnc_imc_given=true
+		if test x$enableval = xyes; then
+			tnc_imc=true
+		 else
+			tnc_imc=false
+		fi
+else
+  tnc_imc=false
+		tnc_imc_given=false
+
+fi
+
+
+# Check whether --enable-tnc-imv was given.
+if test "${enable_tnc_imv+set}" = set; then :
+  enableval=$enable_tnc_imv; tnc_imv_given=true
+		if test x$enableval = xyes; then
+			tnc_imv=true
+		 else
+			tnc_imv=false
+		fi
+else
+  tnc_imv=false
+		tnc_imv_given=false
+
+fi
+
+
+# Check whether --enable-tnccs-11 was given.
+if test "${enable_tnccs_11+set}" = set; then :
+  enableval=$enable_tnccs_11; tnccs_11_given=true
+		if test x$enableval = xyes; then
+			tnccs_11=true
+		 else
+			tnccs_11=false
+		fi
+else
+  tnccs_11=false
+		tnccs_11_given=false
+
+fi
+
+
+# Check whether --enable-tnccs-20 was given.
+if test "${enable_tnccs_20+set}" = set; then :
+  enableval=$enable_tnccs_20; tnccs_20_given=true
+		if test x$enableval = xyes; then
+			tnccs_20=true
+		 else
+			tnccs_20=false
+		fi
+else
+  tnccs_20=false
+		tnccs_20_given=false
+
+fi
+
+
 # Check whether --enable-kernel-netlink was given.
 if test "${enable_kernel_netlink+set}" = set; then :
   enableval=$enable_kernel_netlink; kernel_netlink_given=true
@@ -5025,6 +5222,66 @@ else
 fi
 
 
+# Check whether --enable-pkcs11 was given.
+if test "${enable_pkcs11+set}" = set; then :
+  enableval=$enable_pkcs11; pkcs11_given=true
+		if test x$enableval = xyes; then
+			pkcs11=true
+		 else
+			pkcs11=false
+		fi
+else
+  pkcs11=false
+		pkcs11_given=false
+
+fi
+
+
+# Check whether --enable-ctr was given.
+if test "${enable_ctr+set}" = set; then :
+  enableval=$enable_ctr; ctr_given=true
+		if test x$enableval = xyes; then
+			ctr=true
+		 else
+			ctr=false
+		fi
+else
+  ctr=false
+		ctr_given=false
+
+fi
+
+
+# Check whether --enable-ccm was given.
+if test "${enable_ccm+set}" = set; then :
+  enableval=$enable_ccm; ccm_given=true
+		if test x$enableval = xyes; then
+			ccm=true
+		 else
+			ccm=false
+		fi
+else
+  ccm=false
+		ccm_given=false
+
+fi
+
+
+# Check whether --enable-gcm was given.
+if test "${enable_gcm+set}" = set; then :
+  enableval=$enable_gcm; gcm_given=true
+		if test x$enableval = xyes; then
+			gcm=true
+		 else
+			gcm=false
+		fi
+else
+  gcm=false
+		gcm_given=false
+
+fi
+
+
 # Check whether --enable-addrblock was given.
 if test "${enable_addrblock+set}" = set; then :
   enableval=$enable_addrblock; addrblock_given=true
@@ -5070,6 +5327,21 @@ else
 fi
 
 
+# Check whether --enable-maemo was given.
+if test "${enable_maemo+set}" = set; then :
+  enableval=$enable_maemo; maemo_given=true
+		if test x$enableval = xyes; then
+			maemo=true
+		 else
+			maemo=false
+		fi
+else
+  maemo=false
+		maemo_given=false
+
+fi
+
+
 # Check whether --enable-nm was given.
 if test "${enable_nm+set}" = set; then :
   enableval=$enable_nm; nm_given=true
@@ -5100,6 +5372,21 @@ else
 fi
 
 
+# Check whether --enable-led was given.
+if test "${enable_led+set}" = set; then :
+  enableval=$enable_led; led_given=true
+		if test x$enableval = xyes; then
+			led=true
+		 else
+			led=false
+		fi
+else
+  led=false
+		led_given=false
+
+fi
+
+
 # Check whether --enable-vstr was given.
 if test "${enable_vstr+set}" = set; then :
   enableval=$enable_vstr; vstr_given=true
@@ -5435,8 +5722,8 @@ fi
 
 test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "no acceptable C compiler found in \$PATH
-See \`config.log' for more details." "$LINENO" 5; }
+as_fn_error $? "no acceptable C compiler found in \$PATH
+See \`config.log' for more details" "$LINENO" 5 ; }
 
 # Provide some information about the compiler.
 $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
@@ -5550,9 +5837,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-{ as_fn_set_status 77
-as_fn_error "C compiler cannot create executables
-See \`config.log' for more details." "$LINENO" 5; }; }
+as_fn_error 77 "C compiler cannot create executables
+See \`config.log' for more details" "$LINENO" 5 ; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@@ -5594,8 +5880,8 @@ done
 else
   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." "$LINENO" 5; }
+as_fn_error $? "cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 rm -f conftest conftest$ac_cv_exeext
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
@@ -5652,9 +5938,9 @@ $as_echo "$ac_try_echo"; } >&5
     else
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "cannot run C compiled programs.
+as_fn_error $? "cannot run C compiled programs.
 If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." "$LINENO" 5; }
+See \`config.log' for more details" "$LINENO" 5 ; }
     fi
   fi
 fi
@@ -5705,8 +5991,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." "$LINENO" 5; }
+as_fn_error $? "cannot compute suffix of object files: cannot compile
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 rm -f conftest.$ac_cv_objext conftest.$ac_ext
 fi
@@ -6117,7 +6403,7 @@ fi
 
 # Make sure we can run config.sub.
 $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
-  as_fn_error "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5
+  as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5
 $as_echo_n "checking build system type... " >&6; }
@@ -6128,16 +6414,16 @@ else
 test "x$ac_build_alias" = x &&
   ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
 test "x$ac_build_alias" = x &&
-  as_fn_error "cannot guess build type; you must specify one" "$LINENO" 5
+  as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5
 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
-  as_fn_error "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5
+  as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5
 
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5
 $as_echo "$ac_cv_build" >&6; }
 case $ac_cv_build in
 *-*-*) ;;
-*) as_fn_error "invalid value of canonical build" "$LINENO" 5;;
+*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5 ;;
 esac
 build=$ac_cv_build
 ac_save_IFS=$IFS; IFS='-'
@@ -6162,7 +6448,7 @@ else
   ac_cv_host=$ac_cv_build
 else
   ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
-    as_fn_error "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5
+    as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5
 fi
 
 fi
@@ -6170,7 +6456,7 @@ fi
 $as_echo "$ac_cv_host" >&6; }
 case $ac_cv_host in
 *-*-*) ;;
-*) as_fn_error "invalid value of canonical host" "$LINENO" 5;;
+*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5 ;;
 esac
 host=$ac_cv_host
 ac_save_IFS=$IFS; IFS='-'
@@ -6187,155 +6473,6 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
 
 
 
-                  acl_libdirstem=lib
-  searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
-  if test -n "$searchpath"; then
-    acl_save_IFS="${IFS= 	}"; IFS=":"
-    for searchdir in $searchpath; do
-      if test -d "$searchdir"; then
-        case "$searchdir" in
-          */lib64/ | */lib64 ) acl_libdirstem=lib64 ;;
-          *) searchdir=`cd "$searchdir" && pwd`
-             case "$searchdir" in
-               */lib64 ) acl_libdirstem=lib64 ;;
-             esac ;;
-        esac
-      fi
-    done
-    IFS="$acl_save_IFS"
-  fi
-
-
-      if test "X$prefix" = "XNONE"; then
-    acl_final_prefix="$ac_default_prefix"
-  else
-    acl_final_prefix="$prefix"
-  fi
-  if test "X$exec_prefix" = "XNONE"; then
-    acl_final_exec_prefix='${prefix}'
-  else
-    acl_final_exec_prefix="$exec_prefix"
-  fi
-  acl_save_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  eval acl_final_exec_prefix=\"$acl_final_exec_prefix\"
-  prefix="$acl_save_prefix"
-
-
-
-
-
-
-
-    use_additional=yes
-
-  acl_save_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  acl_save_exec_prefix="$exec_prefix"
-  exec_prefix="$acl_final_exec_prefix"
-
-    eval additional_includedir=\"$includedir\"
-    eval additional_libdir=\"$libdir\"
-
-  exec_prefix="$acl_save_exec_prefix"
-  prefix="$acl_save_prefix"
-
-
-# Check whether --with-lib-prefix was given.
-if test "${with_lib_prefix+set}" = set; then :
-  withval=$with_lib_prefix;
-    if test "X$withval" = "Xno"; then
-      use_additional=no
-    else
-      if test "X$withval" = "X"; then
-
-  acl_save_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  acl_save_exec_prefix="$exec_prefix"
-  exec_prefix="$acl_final_exec_prefix"
-
-          eval additional_includedir=\"$includedir\"
-          eval additional_libdir=\"$libdir\"
-
-  exec_prefix="$acl_save_exec_prefix"
-  prefix="$acl_save_prefix"
-
-      else
-        additional_includedir="$withval/include"
-        additional_libdir="$withval/$acl_libdirstem"
-      fi
-    fi
-
-fi
-
-  if test $use_additional = yes; then
-                            if test "X$additional_includedir" != "X/usr/include"; then
-      haveit=
-      for x in $CPPFLAGS; do
-
-  acl_save_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  acl_save_exec_prefix="$exec_prefix"
-  exec_prefix="$acl_final_exec_prefix"
-  eval x=\"$x\"
-  exec_prefix="$acl_save_exec_prefix"
-  prefix="$acl_save_prefix"
-
-        if test "X$x" = "X-I$additional_includedir"; then
-          haveit=yes
-          break
-        fi
-      done
-      if test -z "$haveit"; then
-        if test "X$additional_includedir" = "X/usr/local/include"; then
-          if test -n "$GCC"; then
-            case $host_os in
-              linux* | gnu* | k*bsd*-gnu) haveit=yes;;
-            esac
-          fi
-        fi
-        if test -z "$haveit"; then
-          if test -d "$additional_includedir"; then
-                        CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir"
-          fi
-        fi
-      fi
-    fi
-                            if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then
-      haveit=
-      for x in $LDFLAGS; do
-
-  acl_save_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  acl_save_exec_prefix="$exec_prefix"
-  exec_prefix="$acl_final_exec_prefix"
-  eval x=\"$x\"
-  exec_prefix="$acl_save_exec_prefix"
-  prefix="$acl_save_prefix"
-
-        if test "X$x" = "X-L$additional_libdir"; then
-          haveit=yes
-          break
-        fi
-      done
-      if test -z "$haveit"; then
-        if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then
-          if test -n "$GCC"; then
-            case $host_os in
-              linux*) haveit=yes;;
-            esac
-          fi
-        fi
-        if test -z "$haveit"; then
-          if test -d "$additional_libdir"; then
-                        LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
-          fi
-        fi
-      fi
-    fi
-  fi
-
-
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -6378,7 +6515,7 @@ else
   # Broken: fails on valid input.
 continue
 fi
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.err conftest.i conftest.$ac_ext
 
   # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
@@ -6394,11 +6531,11 @@ else
 ac_preproc_ok=:
 break
 fi
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.err conftest.i conftest.$ac_ext
 
 done
 # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.i conftest.err conftest.$ac_ext
 if $ac_preproc_ok; then :
   break
 fi
@@ -6437,7 +6574,7 @@ else
   # Broken: fails on valid input.
 continue
 fi
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.err conftest.i conftest.$ac_ext
 
   # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
@@ -6453,18 +6590,18 @@ else
 ac_preproc_ok=:
 break
 fi
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.err conftest.i conftest.$ac_ext
 
 done
 # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.i conftest.err conftest.$ac_ext
 if $ac_preproc_ok; then :
 
 else
   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." "$LINENO" 5; }
+as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details" "$LINENO" 5 ; }
 fi
 
 ac_ext=c
@@ -6525,7 +6662,7 @@ esac
   done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_GREP"; then
-    as_fn_error "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+    as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_GREP=$GREP
@@ -6591,7 +6728,7 @@ esac
   done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_EGREP"; then
-    as_fn_error "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+    as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_EGREP=$EGREP
@@ -6604,6 +6741,199 @@ $as_echo "$ac_cv_path_EGREP" >&6; }
  EGREP="$ac_cv_path_EGREP"
 
 
+
+
+  acl_libdirstem=lib
+  acl_libdirstem2=
+  case "$host_os" in
+    solaris*)
+                                    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for 64-bit host" >&5
+$as_echo_n "checking for 64-bit host... " >&6; }
+if test "${gl_cv_solaris_64bit+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#ifdef _LP64
+sixtyfour bits
+#endif
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "sixtyfour bits" >/dev/null 2>&1; then :
+  gl_cv_solaris_64bit=yes
+else
+  gl_cv_solaris_64bit=no
+fi
+rm -f conftest*
+
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gl_cv_solaris_64bit" >&5
+$as_echo "$gl_cv_solaris_64bit" >&6; }
+      if test $gl_cv_solaris_64bit = yes; then
+        acl_libdirstem=lib/64
+        case "$host_cpu" in
+          sparc*)        acl_libdirstem2=lib/sparcv9 ;;
+          i*86 | x86_64) acl_libdirstem2=lib/amd64 ;;
+        esac
+      fi
+      ;;
+    *)
+      searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
+      if test -n "$searchpath"; then
+        acl_save_IFS="${IFS= 	}"; IFS=":"
+        for searchdir in $searchpath; do
+          if test -d "$searchdir"; then
+            case "$searchdir" in
+              */lib64/ | */lib64 ) acl_libdirstem=lib64 ;;
+              */../ | */.. )
+                # Better ignore directories of this form. They are misleading.
+                ;;
+              *) searchdir=`cd "$searchdir" && pwd`
+                 case "$searchdir" in
+                   */lib64 ) acl_libdirstem=lib64 ;;
+                 esac ;;
+            esac
+          fi
+        done
+        IFS="$acl_save_IFS"
+      fi
+      ;;
+  esac
+  test -n "$acl_libdirstem2" || acl_libdirstem2="$acl_libdirstem"
+
+
+      if test "X$prefix" = "XNONE"; then
+    acl_final_prefix="$ac_default_prefix"
+  else
+    acl_final_prefix="$prefix"
+  fi
+  if test "X$exec_prefix" = "XNONE"; then
+    acl_final_exec_prefix='${prefix}'
+  else
+    acl_final_exec_prefix="$exec_prefix"
+  fi
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  eval acl_final_exec_prefix=\"$acl_final_exec_prefix\"
+  prefix="$acl_save_prefix"
+
+
+
+
+
+
+
+    use_additional=yes
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+
+    eval additional_includedir=\"$includedir\"
+    eval additional_libdir=\"$libdir\"
+
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+
+# Check whether --with-lib-prefix was given.
+if test "${with_lib_prefix+set}" = set; then :
+  withval=$with_lib_prefix;
+    if test "X$withval" = "Xno"; then
+      use_additional=no
+    else
+      if test "X$withval" = "X"; then
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+
+          eval additional_includedir=\"$includedir\"
+          eval additional_libdir=\"$libdir\"
+
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+      else
+        additional_includedir="$withval/include"
+        additional_libdir="$withval/$acl_libdirstem"
+      fi
+    fi
+
+fi
+
+  if test $use_additional = yes; then
+                            if test "X$additional_includedir" != "X/usr/include"; then
+      haveit=
+      for x in $CPPFLAGS; do
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+  eval x=\"$x\"
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+        if test "X$x" = "X-I$additional_includedir"; then
+          haveit=yes
+          break
+        fi
+      done
+      if test -z "$haveit"; then
+        if test "X$additional_includedir" = "X/usr/local/include"; then
+          if test -n "$GCC"; then
+            case $host_os in
+              linux* | gnu* | k*bsd*-gnu) haveit=yes;;
+            esac
+          fi
+        fi
+        if test -z "$haveit"; then
+          if test -d "$additional_includedir"; then
+                        CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir"
+          fi
+        fi
+      fi
+    fi
+                            if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then
+      haveit=
+      for x in $LDFLAGS; do
+
+  acl_save_prefix="$prefix"
+  prefix="$acl_final_prefix"
+  acl_save_exec_prefix="$exec_prefix"
+  exec_prefix="$acl_final_exec_prefix"
+  eval x=\"$x\"
+  exec_prefix="$acl_save_exec_prefix"
+  prefix="$acl_save_prefix"
+
+        if test "X$x" = "X-L$additional_libdir"; then
+          haveit=yes
+          break
+        fi
+      done
+      if test -z "$haveit"; then
+        if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then
+          if test -n "$GCC"; then
+            case $host_os in
+              linux*) haveit=yes;;
+            esac
+          fi
+        fi
+        if test -z "$haveit"; then
+          if test -d "$additional_libdir"; then
+                        LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
+          fi
+        fi
+      fi
+    fi
+  fi
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
 $as_echo_n "checking for ANSI C header files... " >&6; }
 if test "${ac_cv_header_stdc+set}" = set; then :
@@ -6723,8 +7053,7 @@ do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
 "
-eval as_val=\$$as_ac_Header
-   if test "x$as_val" = x""yes; then :
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
 #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
@@ -6954,8 +7283,8 @@ $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h
 
      ;; #(
    *)
-     as_fn_error "unknown endianness
- presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;;
+     as_fn_error $? "unknown endianness
+ presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5  ;;
  esac
 
 
@@ -7043,7 +7372,7 @@ esac
   done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_SED"; then
-    as_fn_error "no acceptable sed could be found in \$PATH" "$LINENO" 5
+    as_fn_error $? "no acceptable sed could be found in \$PATH" "$LINENO" 5
   fi
 else
   ac_cv_path_SED=$SED
@@ -7122,7 +7451,7 @@ esac
   done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_FGREP"; then
-    as_fn_error "no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+    as_fn_error $? "no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_FGREP=$FGREP
@@ -7238,7 +7567,7 @@ else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 fi
-test -z "$LD" && as_fn_error "no acceptable ld found in \$PATH" "$LINENO" 5
+test -z "$LD" && as_fn_error $? "no acceptable ld found in \$PATH" "$LINENO" 5
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5
 $as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; }
 if test "${lt_cv_prog_gnu_ld+set}" = set; then :
@@ -7440,13 +7769,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:7443: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:7772: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7446: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:7775: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:7449: output\"" >&5)
+  (eval echo "\"\$as_me:7778: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -8651,7 +8980,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8654 "configure"' > conftest.$ac_ext
+  echo '#line 8983 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9913,11 +10242,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9916: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10245: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9920: \$? = $ac_status" >&5
+   echo "$as_me:10249: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -10252,11 +10581,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10255: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10584: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:10259: \$? = $ac_status" >&5
+   echo "$as_me:10588: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -10357,11 +10686,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10360: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10689: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10364: \$? = $ac_status" >&5
+   echo "$as_me:10693: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10412,11 +10741,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:10415: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:10744: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:10419: \$? = $ac_status" >&5
+   echo "$as_me:10748: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12796,7 +13125,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12799 "configure"
+#line 13128 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12892,7 +13221,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12895 "configure"
+#line 13224 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13173,7 +13502,7 @@ esac
   done
 IFS=$as_save_IFS
   if test -z "$ac_cv_path_EGREP"; then
-    as_fn_error "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
+    as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
   fi
 else
   ac_cv_path_EGREP=$EGREP
@@ -13313,7 +13642,7 @@ if test -f lex.yy.c; then
 elif test -f lexyy.c; then
   ac_cv_prog_lex_root=lexyy
 else
-  as_fn_error "cannot find output from $LEX; giving up" "$LINENO" 5
+  as_fn_error $? "cannot find output from $LEX; giving up" "$LINENO" 5
 fi
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_lex_root" >&5
@@ -13534,7 +13863,7 @@ if test -n "$ipsecuid"; then
 $as_echo "$ipsecuid" >&6; }
 
 else
-	as_fn_error "not found" "$LINENO" 5
+	as_fn_error $? "not found" "$LINENO" 5
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gid of group \"$ipsecgroup\"" >&5
 $as_echo_n "checking for gid of group \"$ipsecgroup\"... " >&6; }
@@ -13544,7 +13873,7 @@ if test -n "$ipsecgid"; then
 $as_echo "$ipsecgid" >&6; }
 
 else
-	as_fn_error "not found" "$LINENO" 5
+	as_fn_error $? "not found" "$LINENO" 5
 fi
 
 
@@ -13562,6 +13891,10 @@ if test x$eap_sim = xtrue; then
 	simaka=true;
 fi
 
+if test x$eap_tls = xtrue -o x$eap_ttls = xtrue; then
+	tls=true;
+fi
+
 if test x$fips_prf = xtrue; then
 	if test x$openssl = xfalse; then
 		sha1=true;
@@ -13834,8 +14167,7 @@ if test $ac_cv_os_cray = yes; then
   for ac_func in _getb67 GETB67 getb67; do
     as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-eval as_val=\$$as_ac_var
-   if test "x$as_val" = x""yes; then :
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
 
 cat >>confdefs.h <<_ACEOF
 #define CRAY_STACKSEG_END $ac_func
@@ -14414,8 +14746,7 @@ for ac_header in net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-eval as_val=\$$as_ac_Header
-   if test "x$as_val" = x""yes; then :
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
 #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
@@ -14672,7 +15003,7 @@ $as_echo "$ac_cv_lib_vstr_main" >&6; }
 if test "x$ac_cv_lib_vstr_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "Vstr string library not found" "$LINENO" 5
+  as_fn_error $? "Vstr string library not found" "$LINENO" 5
 fi
 ac_cv_lib_vstr=ac_cv_lib_vstr_main
 
@@ -14720,7 +15051,7 @@ _ACEOF
   LIBS="-lgmp $LIBS"
 
 else
-  as_fn_error "GNU Multi Precision library gmp not found" "$LINENO" 5
+  as_fn_error $? "GNU Multi Precision library gmp not found" "$LINENO" 5
 fi
 ac_cv_lib_gmp=ac_cv_lib_gmp_main
 
@@ -14777,7 +15108,7 @@ if ac_fn_c_try_compile "$LINENO"; then :
 $as_echo "yes" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }; as_fn_error "No usable gmp.h found!" "$LINENO" 5
+$as_echo "no" >&6; }; as_fn_error $? "No usable gmp.h found!" "$LINENO" 5
 
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
@@ -14817,7 +15148,7 @@ $as_echo "$ac_cv_lib_ldap_main" >&6; }
 if test "x$ac_cv_lib_ldap_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "LDAP library ldap not found" "$LINENO" 5
+  as_fn_error $? "LDAP library ldap not found" "$LINENO" 5
 fi
 ac_cv_lib_ldap=ac_cv_lib_ldap_main
 
@@ -14854,7 +15185,7 @@ $as_echo "$ac_cv_lib_lber_main" >&6; }
 if test "x$ac_cv_lib_lber_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "LDAP library lber not found" "$LINENO" 5
+  as_fn_error $? "LDAP library lber not found" "$LINENO" 5
 fi
 ac_cv_lib_lber=ac_cv_lib_lber_main
 
@@ -14862,7 +15193,7 @@ ac_cv_lib_lber=ac_cv_lib_lber_main
 if test "x$ac_cv_header_ldap_h" = x""yes; then :
 
 else
-  as_fn_error "LDAP header ldap.h not found!" "$LINENO" 5
+  as_fn_error $? "LDAP header ldap.h not found!" "$LINENO" 5
 fi
 
 
@@ -14902,7 +15233,7 @@ $as_echo "$ac_cv_lib_curl_main" >&6; }
 if test "x$ac_cv_lib_curl_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "CURL library curl not found" "$LINENO" 5
+  as_fn_error $? "CURL library curl not found" "$LINENO" 5
 fi
 ac_cv_lib_curl=ac_cv_lib_curl_main
 
@@ -14910,7 +15241,7 @@ ac_cv_lib_curl=ac_cv_lib_curl_main
 if test "x$ac_cv_header_curl_curl_h" = x""yes; then :
 
 else
-  as_fn_error "CURL header curl/curl.h not found!" "$LINENO" 5
+  as_fn_error $? "CURL header curl/curl.h not found!" "$LINENO" 5
 fi
 
 
@@ -14922,11 +15253,10 @@ pkg_failed=no
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for xml" >&5
 $as_echo_n "checking for xml... " >&6; }
 
-if test -n "$PKG_CONFIG"; then
-    if test -n "$xml_CFLAGS"; then
-        pkg_cv_xml_CFLAGS="$xml_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$xml_CFLAGS"; then
+    pkg_cv_xml_CFLAGS="$xml_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\""; } >&5
   ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
   ac_status=$?
@@ -14936,15 +15266,13 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$xml_LIBS"; then
-        pkg_cv_xml_LIBS="$xml_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$xml_LIBS"; then
+    pkg_cv_xml_LIBS="$xml_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\""; } >&5
   ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
   ac_status=$?
@@ -14954,14 +15282,15 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
 
 
 
 if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
         _pkg_short_errors_supported=yes
@@ -14969,14 +15298,14 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libxml-2.0"`
+	        xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libxml-2.0" 2>&1`
         else
-	        xml_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libxml-2.0"`
+	        xml_PKG_ERRORS=`$PKG_CONFIG --print-errors "libxml-2.0" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$xml_PKG_ERRORS" >&5
 
-	as_fn_error "Package requirements (libxml-2.0) were not met:
+	as_fn_error $? "Package requirements (libxml-2.0) were not met:
 
 $xml_PKG_ERRORS
 
@@ -14985,12 +15314,13 @@ installed software in a non-standard prefix.
 
 Alternatively, you may set the environment variables xml_CFLAGS
 and xml_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" "$LINENO" 5
+See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -14999,13 +15329,13 @@ and xml_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." "$LINENO" 5; }
+See \`config.log' for more details" "$LINENO" 5 ; }
 else
 	xml_CFLAGS=$pkg_cv_xml_CFLAGS
 	xml_LIBS=$pkg_cv_xml_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-	:
+
 fi
 
 
@@ -15017,11 +15347,10 @@ pkg_failed=no
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gtk" >&5
 $as_echo_n "checking for gtk... " >&6; }
 
-if test -n "$PKG_CONFIG"; then
-    if test -n "$gtk_CFLAGS"; then
-        pkg_cv_gtk_CFLAGS="$gtk_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$gtk_CFLAGS"; then
+    pkg_cv_gtk_CFLAGS="$gtk_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5
   ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
   ac_status=$?
@@ -15031,15 +15360,13 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$gtk_LIBS"; then
-        pkg_cv_gtk_LIBS="$gtk_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$gtk_LIBS"; then
+    pkg_cv_gtk_LIBS="$gtk_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gtk+-2.0 vte\""; } >&5
   ($PKG_CONFIG --exists --print-errors "gtk+-2.0 vte") 2>&5
   ac_status=$?
@@ -15049,14 +15376,15 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
 
 
 
 if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
         _pkg_short_errors_supported=yes
@@ -15064,14 +15392,14 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gtk+-2.0 vte"`
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "gtk+-2.0 vte" 2>&1`
         else
-	        gtk_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gtk+-2.0 vte"`
+	        gtk_PKG_ERRORS=`$PKG_CONFIG --print-errors "gtk+-2.0 vte" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$gtk_PKG_ERRORS" >&5
 
-	as_fn_error "Package requirements (gtk+-2.0 vte) were not met:
+	as_fn_error $? "Package requirements (gtk+-2.0 vte) were not met:
 
 $gtk_PKG_ERRORS
 
@@ -15080,12 +15408,13 @@ installed software in a non-standard prefix.
 
 Alternatively, you may set the environment variables gtk_CFLAGS
 and gtk_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" "$LINENO" 5
+See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -15094,13 +15423,13 @@ and gtk_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." "$LINENO" 5; }
+See \`config.log' for more details" "$LINENO" 5 ; }
 else
 	gtk_CFLAGS=$pkg_cv_gtk_CFLAGS
 	gtk_LIBS=$pkg_cv_gtk_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-	:
+
 fi
 
 
@@ -15162,14 +15491,14 @@ $as_echo "$i" >&6; }
 				fi
 			done
 			if test x"$RUBYINCLUDE" = xnone; then
-				as_fn_error "ruby.h not found" "$LINENO" 5
+				as_fn_error $? "ruby.h not found" "$LINENO" 5
 			fi
 
 		else
-			as_fn_error "unable to determine ruby configuration" "$LINENO" 5
+			as_fn_error $? "unable to determine ruby configuration" "$LINENO" 5
 		fi
 	else
-		as_fn_error "don't know how to run ruby" "$LINENO" 5
+		as_fn_error $? "don't know how to run ruby" "$LINENO" 5
 	fi
 fi
 
@@ -15207,7 +15536,7 @@ $as_echo "$ac_cv_lib_neo_cgi_main" >&6; }
 if test "x$ac_cv_lib_neo_cgi_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "ClearSilver library neo_cgi not found!" "$LINENO" 5
+  as_fn_error $? "ClearSilver library neo_cgi not found!" "$LINENO" 5
 fi
 ac_cv_lib_neo_cgi=ac_cv_lib_neo_cgi_main
 
@@ -15244,7 +15573,7 @@ $as_echo "$ac_cv_lib_neo_utl_main" >&6; }
 if test "x$ac_cv_lib_neo_utl_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "ClearSilver library neo_utl not found!" "$LINENO" 5
+  as_fn_error $? "ClearSilver library neo_utl not found!" "$LINENO" 5
 fi
 ac_cv_lib_neo_utl=ac_cv_lib_neo_utl_main
 
@@ -15281,7 +15610,7 @@ $as_echo "$ac_cv_lib_z_main" >&6; }
 if test "x$ac_cv_lib_z_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "ClearSilver dependency zlib not found!" "$LINENO" 5
+  as_fn_error $? "ClearSilver dependency zlib not found!" "$LINENO" 5
 fi
 ac_cv_lib_z=ac_cv_lib_z_main
 
@@ -15319,7 +15648,7 @@ $as_echo "$ac_cv_lib_fcgi_main" >&6; }
 if test "x$ac_cv_lib_fcgi_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "FastCGI library fcgi not found!" "$LINENO" 5
+  as_fn_error $? "FastCGI library fcgi not found!" "$LINENO" 5
 fi
 ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
 
@@ -15327,7 +15656,7 @@ ac_cv_lib_fcgi=ac_cv_lib_fcgi_main
 if test "x$ac_cv_header_fcgiapp_h" = x""yes; then :
 
 else
-  as_fn_error "FastCGI header file fcgiapp.h not found!" "$LINENO" 5
+  as_fn_error $? "FastCGI header file fcgiapp.h not found!" "$LINENO" 5
 fi
 
 
@@ -15376,7 +15705,7 @@ fi
 
 
 	if test x$MYSQLCONFIG = x; then
-		as_fn_error "mysql_config not found!" "$LINENO" 5
+		as_fn_error $? "mysql_config not found!" "$LINENO" 5
 	fi
 	MYSQLLIB=`$MYSQLCONFIG --libs_r`
 
@@ -15418,7 +15747,7 @@ $as_echo "$ac_cv_lib_sqlite3_main" >&6; }
 if test "x$ac_cv_lib_sqlite3_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "SQLite library sqlite3 not found" "$LINENO" 5
+  as_fn_error $? "SQLite library sqlite3 not found" "$LINENO" 5
 fi
 ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
 
@@ -15426,7 +15755,7 @@ ac_cv_lib_sqlite3=ac_cv_lib_sqlite3_main
 if test "x$ac_cv_header_sqlite3_h" = x""yes; then :
 
 else
-  as_fn_error "SQLite header sqlite3.h not found!" "$LINENO" 5
+  as_fn_error $? "SQLite header sqlite3.h not found!" "$LINENO" 5
 fi
 
 
@@ -15478,7 +15807,7 @@ if ac_fn_c_try_compile "$LINENO"; then :
 $as_echo "yes" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }; as_fn_error "SQLite version >= 3.3.1 required!" "$LINENO" 5
+$as_echo "no" >&6; }; as_fn_error $? "SQLite version >= 3.3.1 required!" "$LINENO" 5
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
@@ -15517,7 +15846,7 @@ $as_echo "$ac_cv_lib_crypto_main" >&6; }
 if test "x$ac_cv_lib_crypto_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "OpenSSL crypto library not found" "$LINENO" 5
+  as_fn_error $? "OpenSSL crypto library not found" "$LINENO" 5
 fi
 ac_cv_lib_crypto=ac_cv_lib_crypto_main
 
@@ -15525,7 +15854,7 @@ ac_cv_lib_crypto=ac_cv_lib_crypto_main
 if test "x$ac_cv_header_openssl_evp_h" = x""yes; then :
 
 else
-  as_fn_error "OpenSSL header openssl/evp.h not found!" "$LINENO" 5
+  as_fn_error $? "OpenSSL header openssl/evp.h not found!" "$LINENO" 5
 fi
 
 
@@ -15565,7 +15894,7 @@ $as_echo "$ac_cv_lib_gcrypt_main" >&6; }
 if test "x$ac_cv_lib_gcrypt_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "gcrypt library not found" "$LINENO" 5
+  as_fn_error $? "gcrypt library not found" "$LINENO" 5
 fi
 ac_cv_lib_gcrypt=ac_cv_lib_gcrypt_main
 
@@ -15573,7 +15902,7 @@ ac_cv_lib_gcrypt=ac_cv_lib_gcrypt_main
 if test "x$ac_cv_header_gcrypt_h" = x""yes; then :
 
 else
-  as_fn_error "gcrypt header gcrypt.h not found!" "$LINENO" 5
+  as_fn_error $? "gcrypt header gcrypt.h not found!" "$LINENO" 5
 fi
 
 
@@ -15602,6 +15931,17 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
+if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then
+	ac_fn_c_check_header_mongrel "$LINENO" "libtnc.h" "ac_cv_header_libtnc_h" "$ac_includes_default"
+if test "x$ac_cv_header_libtnc_h" = x""yes; then :
+
+else
+  as_fn_error $? "libtnc header libtnc.h not found!" "$LINENO" 5
+fi
+
+
+fi
+
 if test x$uci = xtrue; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5
 $as_echo_n "checking for main in -luci... " >&6; }
@@ -15636,7 +15976,7 @@ $as_echo "$ac_cv_lib_uci_main" >&6; }
 if test "x$ac_cv_lib_uci_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "UCI library libuci not found" "$LINENO" 5
+  as_fn_error $? "UCI library libuci not found" "$LINENO" 5
 fi
 ac_cv_lib_uci=ac_cv_lib_uci_main
 
@@ -15644,7 +15984,7 @@ ac_cv_lib_uci=ac_cv_lib_uci_main
 if test "x$ac_cv_header_uci_h" = x""yes; then :
 
 else
-  as_fn_error "UCI header uci.h not found!" "$LINENO" 5
+  as_fn_error $? "UCI header uci.h not found!" "$LINENO" 5
 fi
 
 
@@ -15684,7 +16024,7 @@ $as_echo "$ac_cv_lib_cutils_main" >&6; }
 if test "x$ac_cv_lib_cutils_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "Android library libcutils not found" "$LINENO" 5
+  as_fn_error $? "Android library libcutils not found" "$LINENO" 5
 fi
 ac_cv_lib_cutils=ac_cv_lib_cutils_main
 
@@ -15692,7 +16032,7 @@ ac_cv_lib_cutils=ac_cv_lib_cutils_main
 if test "x$ac_cv_header_cutils_properties_h" = x""yes; then :
 
 else
-  as_fn_error "Android header cutils/properties.h not found!" "$LINENO" 5
+  as_fn_error $? "Android header cutils/properties.h not found!" "$LINENO" 5
 fi
 
 
@@ -15700,6 +16040,102 @@ fi
 
 fi
 
+if test x$maemo = xtrue; then
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for maemo" >&5
+$as_echo_n "checking for maemo... " >&6; }
+
+if test -n "$maemo_CFLAGS"; then
+    pkg_cv_maemo_CFLAGS="$maemo_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"glib-2.0 gthread-2.0 libosso osso-af-settings\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_maemo_CFLAGS=`$PKG_CONFIG --cflags "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+if test -n "$maemo_LIBS"; then
+    pkg_cv_maemo_LIBS="$maemo_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"glib-2.0 gthread-2.0 libosso osso-af-settings\""; } >&5
+  ($PKG_CONFIG --exists --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings") 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; then
+  pkg_cv_maemo_LIBS=`$PKG_CONFIG --libs "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>/dev/null`
+else
+  pkg_failed=yes
+fi
+ else
+    pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+        _pkg_short_errors_supported=yes
+else
+        _pkg_short_errors_supported=no
+fi
+        if test $_pkg_short_errors_supported = yes; then
+	        maemo_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
+        else
+	        maemo_PKG_ERRORS=`$PKG_CONFIG --print-errors "glib-2.0 gthread-2.0 libosso osso-af-settings" 2>&1`
+        fi
+	# Put the nasty error message in config.log where it belongs
+	echo "$maemo_PKG_ERRORS" >&5
+
+	as_fn_error $? "Package requirements (glib-2.0 gthread-2.0 libosso osso-af-settings) were not met:
+
+$maemo_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables maemo_CFLAGS
+and maemo_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables maemo_CFLAGS
+and maemo_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5 ; }
+else
+	maemo_CFLAGS=$pkg_cv_maemo_CFLAGS
+	maemo_LIBS=$pkg_cv_maemo_LIBS
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
+	dbusservicedir="/usr/share/dbus-1/system-services"
+
+fi
+
 if test x$nm = xtrue; then
 	if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnm-glib\""; } >&5
@@ -15712,11 +16148,10 @@ pkg_failed=no
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nm" >&5
 $as_echo_n "checking for nm... " >&6; }
 
-if test -n "$PKG_CONFIG"; then
-    if test -n "$nm_CFLAGS"; then
-        pkg_cv_nm_CFLAGS="$nm_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$nm_CFLAGS"; then
+    pkg_cv_nm_CFLAGS="$nm_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn\""; } >&5
   ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn") 2>&5
   ac_status=$?
@@ -15726,15 +16161,13 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$nm_LIBS"; then
-        pkg_cv_nm_LIBS="$nm_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$nm_LIBS"; then
+    pkg_cv_nm_LIBS="$nm_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn\""; } >&5
   ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn") 2>&5
   ac_status=$?
@@ -15744,14 +16177,15 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
 
 
 
 if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
         _pkg_short_errors_supported=yes
@@ -15759,14 +16193,14 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn"`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>&1`
         else
-	        nm_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn"`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors "NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$nm_PKG_ERRORS" >&5
 
-	as_fn_error "Package requirements (NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn) were not met:
+	as_fn_error $? "Package requirements (NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn) were not met:
 
 $nm_PKG_ERRORS
 
@@ -15775,12 +16209,13 @@ installed software in a non-standard prefix.
 
 Alternatively, you may set the environment variables nm_CFLAGS
 and nm_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" "$LINENO" 5
+See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -15789,13 +16224,13 @@ and nm_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." "$LINENO" 5; }
+See \`config.log' for more details" "$LINENO" 5 ; }
 else
 	nm_CFLAGS=$pkg_cv_nm_CFLAGS
 	nm_LIBS=$pkg_cv_nm_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-	:
+
 fi
 else
 
@@ -15803,11 +16238,10 @@ pkg_failed=no
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nm" >&5
 $as_echo_n "checking for nm... " >&6; }
 
-if test -n "$PKG_CONFIG"; then
-    if test -n "$nm_CFLAGS"; then
-        pkg_cv_nm_CFLAGS="$nm_CFLAGS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$nm_CFLAGS"; then
+    pkg_cv_nm_CFLAGS="$nm_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn\""; } >&5
   ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn") 2>&5
   ac_status=$?
@@ -15817,15 +16251,13 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
-if test -n "$PKG_CONFIG"; then
-    if test -n "$nm_LIBS"; then
-        pkg_cv_nm_LIBS="$nm_LIBS"
-    else
-        if test -n "$PKG_CONFIG" && \
+if test -n "$nm_LIBS"; then
+    pkg_cv_nm_LIBS="$nm_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+    if test -n "$PKG_CONFIG" && \
     { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn\""; } >&5
   ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn") 2>&5
   ac_status=$?
@@ -15835,14 +16267,15 @@ if test -n "$PKG_CONFIG"; then
 else
   pkg_failed=yes
 fi
-    fi
-else
-	pkg_failed=untried
+ else
+    pkg_failed=untried
 fi
 
 
 
 if test $pkg_failed = yes; then
+   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
         _pkg_short_errors_supported=yes
@@ -15850,14 +16283,14 @@ else
         _pkg_short_errors_supported=no
 fi
         if test $_pkg_short_errors_supported = yes; then
-	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn"`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn" 2>&1`
         else
-	        nm_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn"`
+	        nm_PKG_ERRORS=`$PKG_CONFIG --print-errors "NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn" 2>&1`
         fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$nm_PKG_ERRORS" >&5
 
-	as_fn_error "Package requirements (NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn) were not met:
+	as_fn_error $? "Package requirements (NetworkManager gthread-2.0 libnm_glib libnm_glib_vpn) were not met:
 
 $nm_PKG_ERRORS
 
@@ -15866,12 +16299,13 @@ installed software in a non-standard prefix.
 
 Alternatively, you may set the environment variables nm_CFLAGS
 and nm_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.
-" "$LINENO" 5
+See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
+     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error "The pkg-config script could not be found or is too old.  Make sure it
+as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
 is in your PATH or set the PKG_CONFIG environment variable to the full
 path to pkg-config.
 
@@ -15880,13 +16314,13 @@ and nm_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details.
 
 To get pkg-config, see <http://pkg-config.freedesktop.org/>.
-See \`config.log' for more details." "$LINENO" 5; }
+See \`config.log' for more details" "$LINENO" 5 ; }
 else
 	nm_CFLAGS=$pkg_cv_nm_CFLAGS
 	nm_LIBS=$pkg_cv_nm_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-	:
+
 fi
 
 fi
@@ -15928,7 +16362,7 @@ $as_echo "$ac_cv_lib_pam_main" >&6; }
 if test "x$ac_cv_lib_pam_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "PAM library not found" "$LINENO" 5
+  as_fn_error $? "PAM library not found" "$LINENO" 5
 fi
 ac_cv_lib_pam=ac_cv_lib_pam_main
 
@@ -15936,7 +16370,7 @@ ac_cv_lib_pam=ac_cv_lib_pam_main
 if test "x$ac_cv_header_security_pam_appl_h" = x""yes; then :
 
 else
-  as_fn_error "PAM header security/pam_appl.h not found!" "$LINENO" 5
+  as_fn_error $? "PAM header security/pam_appl.h not found!" "$LINENO" 5
 fi
 
 
@@ -15961,7 +16395,7 @@ done
 if test "x$ac_cv_func_capset" = x""yes; then :
 
 else
-  as_fn_error "capset() not found!" "$LINENO" 5
+  as_fn_error $? "capset() not found!" "$LINENO" 5
 fi
 
 	$as_echo "#define CAPABILITIES_NATIVE 1" >>confdefs.h
@@ -16002,7 +16436,7 @@ $as_echo "$ac_cv_lib_cap_main" >&6; }
 if test "x$ac_cv_lib_cap_main" = x""yes; then :
   LIBS="$LIBS"
 else
-  as_fn_error "libcap library not found" "$LINENO" 5
+  as_fn_error $? "libcap library not found" "$LINENO" 5
 fi
 ac_cv_lib_cap=ac_cv_lib_cap_main
 
@@ -16011,7 +16445,7 @@ if test "x$ac_cv_header_sys_capability_h" = x""yes; then :
   $as_echo "#define HAVE_SYS_CAPABILITY_H 1" >>confdefs.h
 
 else
-  as_fn_error "libcap header sys/capability.h not found!" "$LINENO" 5
+  as_fn_error $? "libcap header sys/capability.h not found!" "$LINENO" 5
 fi
 
 
@@ -16040,7 +16474,7 @@ $as_echo "yes" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; };
-		 as_fn_error "dladdr() not supported, required by integrity-test!" "$LINENO" 5
+		 as_fn_error $? "dladdr() not supported, required by integrity-test!" "$LINENO" 5
 
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
@@ -16064,135 +16498,633 @@ $as_echo "yes" >&6; }
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; };
-		 as_fn_error "dl_iterate_phdr() not supported, required by integrity-test!" "$LINENO" 5
+		 as_fn_error $? "dl_iterate_phdr() not supported, required by integrity-test!" "$LINENO" 5
 
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 
-libstrongswan_plugins=
-libhydra_plugins=
+# ADD_PLUGIN(plugin, category list)
+# -----------------------------------
+# Append the plugin name $1 to the category list variable $2_plugin
+
+
+
+# plugin lists for all components
+libcharon_plugins=
 pluto_plugins=
+pool_plugins=
+openac_plugins=
+scepclient_plugins=
+pki_plugins=
+scripts_plugins=
+manager_plugins=
+medsrv_plugins=
+
+# location specific lists for checksumming,
+# for src/libcharon, src/pluto, src/libhydra and src/libstrongswan
+c_plugins=
+p_plugins=
+h_plugins=
+s_plugins=
 
 if test x$test_vectors = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" test-vectors"
-	pluto_plugins=${pluto_plugins}" test-vectors"
-fi
+		s_plugins=${s_plugins}" test-vectors"
+		libcharon_plugins=${libcharon_plugins}" test-vectors"
+		pluto_plugins=${pluto_plugins}" test-vectors"
+		openac_plugins=${openac_plugins}" test-vectors"
+		scepclient_plugins=${scepclient_plugins}" test-vectors"
+		pki_plugins=${pki_plugins}" test-vectors"
+
+	fi
+
 if test x$curl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" curl"
-	pluto_plugins=${pluto_plugins}" curl"
-fi
+		s_plugins=${s_plugins}" curl"
+		libcharon_plugins=${libcharon_plugins}" curl"
+		pluto_plugins=${pluto_plugins}" curl"
+		scepclient_plugins=${scepclient_plugins}" curl"
+
+	fi
+
 if test x$ldap = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" ldap"
-	pluto_plugins=${pluto_plugins}" ldap"
-fi
+		s_plugins=${s_plugins}" ldap"
+		libcharon_plugins=${libcharon_plugins}" ldap"
+		pluto_plugins=${pluto_plugins}" ldap"
+		scepclient_plugins=${scepclient_plugins}" ldap"
+
+	fi
+
+if test x$mysql = xtrue; then
+		s_plugins=${s_plugins}" mysql"
+		libcharon_plugins=${libcharon_plugins}" mysql"
+		pluto_plugins=${pluto_plugins}" mysql"
+		pool_plugins=${pool_plugins}" mysql"
+		manager_plugins=${manager_plugins}" mysql"
+		medsrv_plugins=${medsrv_plugins}" mysql"
+
+	fi
+
+if test x$sqlite = xtrue; then
+		s_plugins=${s_plugins}" sqlite"
+		libcharon_plugins=${libcharon_plugins}" sqlite"
+		pluto_plugins=${pluto_plugins}" sqlite"
+		pool_plugins=${pool_plugins}" sqlite"
+		manager_plugins=${manager_plugins}" sqlite"
+		medsrv_plugins=${medsrv_plugins}" sqlite"
+
+	fi
+
 if test x$aes = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" aes"
-	pluto_plugins=${pluto_plugins}" aes"
-fi
+		s_plugins=${s_plugins}" aes"
+		libcharon_plugins=${libcharon_plugins}" aes"
+		pluto_plugins=${pluto_plugins}" aes"
+		openac_plugins=${openac_plugins}" aes"
+		scepclient_plugins=${scepclient_plugins}" aes"
+		pki_plugins=${pki_plugins}" aes"
+		scripts_plugins=${scripts_plugins}" aes"
+
+	fi
+
 if test x$des = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" des"
-	pluto_plugins=${pluto_plugins}" des"
-fi
+		s_plugins=${s_plugins}" des"
+		libcharon_plugins=${libcharon_plugins}" des"
+		pluto_plugins=${pluto_plugins}" des"
+		openac_plugins=${openac_plugins}" des"
+		scepclient_plugins=${scepclient_plugins}" des"
+		pki_plugins=${pki_plugins}" des"
+		scripts_plugins=${scripts_plugins}" des"
+
+	fi
+
 if test x$blowfish = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" blowfish"
-	pluto_plugins=${pluto_plugins}" blowfish"
-fi
+		s_plugins=${s_plugins}" blowfish"
+		libcharon_plugins=${libcharon_plugins}" blowfish"
+		pluto_plugins=${pluto_plugins}" blowfish"
+		openac_plugins=${openac_plugins}" blowfish"
+		scepclient_plugins=${scepclient_plugins}" blowfish"
+		pki_plugins=${pki_plugins}" blowfish"
+		scripts_plugins=${scripts_plugins}" blowfish"
+
+	fi
+
 if test x$sha1 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
-	pluto_plugins=${pluto_plugins}" sha1"
-fi
+		s_plugins=${s_plugins}" sha1"
+		libcharon_plugins=${libcharon_plugins}" sha1"
+		pluto_plugins=${pluto_plugins}" sha1"
+		openac_plugins=${openac_plugins}" sha1"
+		scepclient_plugins=${scepclient_plugins}" sha1"
+		pki_plugins=${pki_plugins}" sha1"
+		scripts_plugins=${scripts_plugins}" sha1"
+		medsrv_plugins=${medsrv_plugins}" sha1"
+
+	fi
+
 if test x$sha2 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
-	pluto_plugins=${pluto_plugins}" sha2"
-fi
+		s_plugins=${s_plugins}" sha2"
+		libcharon_plugins=${libcharon_plugins}" sha2"
+		pluto_plugins=${pluto_plugins}" sha2"
+		openac_plugins=${openac_plugins}" sha2"
+		scepclient_plugins=${scepclient_plugins}" sha2"
+		pki_plugins=${pki_plugins}" sha2"
+		scripts_plugins=${scripts_plugins}" sha2"
+		medsrv_plugins=${medsrv_plugins}" sha2"
+
+	fi
+
 if test x$md4 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md4"
-fi
+		s_plugins=${s_plugins}" md4"
+		libcharon_plugins=${libcharon_plugins}" md4"
+		openac_plugins=${openac_plugins}" md4"
+		manager_plugins=${manager_plugins}" md4"
+		scepclient_plugins=${scepclient_plugins}" md4"
+		pki_plugins=${pki_plugins}" md4"
+
+	fi
+
 if test x$md5 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md5"
-	pluto_plugins=${pluto_plugins}" md5"
-fi
+		s_plugins=${s_plugins}" md5"
+		libcharon_plugins=${libcharon_plugins}" md5"
+		pluto_plugins=${pluto_plugins}" md5"
+		openac_plugins=${openac_plugins}" md5"
+		scepclient_plugins=${scepclient_plugins}" md5"
+		pki_plugins=${pki_plugins}" md5"
+
+	fi
+
 if test x$random = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" random"
-	pluto_plugins=${pluto_plugins}" random"
-fi
+		s_plugins=${s_plugins}" random"
+		libcharon_plugins=${libcharon_plugins}" random"
+		pluto_plugins=${pluto_plugins}" random"
+		openac_plugins=${openac_plugins}" random"
+		scepclient_plugins=${scepclient_plugins}" random"
+		pki_plugins=${pki_plugins}" random"
+		scripts_plugins=${scripts_plugins}" random"
+		medsrv_plugins=${medsrv_plugins}" random"
+
+	fi
+
 if test x$x509 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" x509"
-	pluto_plugins=${pluto_plugins}" x509"
-fi
+		s_plugins=${s_plugins}" x509"
+		libcharon_plugins=${libcharon_plugins}" x509"
+		pluto_plugins=${pluto_plugins}" x509"
+		openac_plugins=${openac_plugins}" x509"
+		scepclient_plugins=${scepclient_plugins}" x509"
+		pki_plugins=${pki_plugins}" x509"
+		scripts_plugins=${scripts_plugins}" x509"
+
+	fi
+
 if test x$revocation = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" revocation"
-fi
+		s_plugins=${s_plugins}" revocation"
+		libcharon_plugins=${libcharon_plugins}" revocation"
+
+	fi
+
 if test x$pubkey = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
-	pluto_plugins=${pluto_plugins}" pubkey"
-fi
+		s_plugins=${s_plugins}" pubkey"
+		libcharon_plugins=${libcharon_plugins}" pubkey"
+
+	fi
+
 if test x$pkcs1 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pkcs1"
-	pluto_plugins=${pluto_plugins}" pkcs1"
-fi
+		s_plugins=${s_plugins}" pkcs1"
+		libcharon_plugins=${libcharon_plugins}" pkcs1"
+		pluto_plugins=${pluto_plugins}" pkcs1"
+		openac_plugins=${openac_plugins}" pkcs1"
+		scepclient_plugins=${scepclient_plugins}" pkcs1"
+		pki_plugins=${pki_plugins}" pkcs1"
+		scripts_plugins=${scripts_plugins}" pkcs1"
+		manager_plugins=${manager_plugins}" pkcs1"
+		medsrv_plugins=${medsrv_plugins}" pkcs1"
+
+	fi
+
 if test x$pgp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pgp"
-	pluto_plugins=${pluto_plugins}" pgp"
-fi
+		s_plugins=${s_plugins}" pgp"
+		libcharon_plugins=${libcharon_plugins}" pgp"
+		pluto_plugins=${pluto_plugins}" pgp"
+
+	fi
+
 if test x$dnskey = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" dnskey"
-	pluto_plugins=${pluto_plugins}" dnskey"
-fi
+		s_plugins=${s_plugins}" dnskey"
+		pluto_plugins=${pluto_plugins}" dnskey"
+
+	fi
+
 if test x$pem = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pem"
-	pluto_plugins=${pluto_plugins}" pem"
-fi
-if test x$mysql = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
-	pluto_plugins=${pluto_plugins}" mysql"
-fi
-if test x$sqlite = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
-	pluto_plugins=${pluto_plugins}" sqlite"
-fi
+		s_plugins=${s_plugins}" pem"
+		libcharon_plugins=${libcharon_plugins}" pem"
+		pluto_plugins=${pluto_plugins}" pem"
+		openac_plugins=${openac_plugins}" pem"
+		scepclient_plugins=${scepclient_plugins}" pem"
+		pki_plugins=${pki_plugins}" pem"
+		scripts_plugins=${scripts_plugins}" pem"
+		manager_plugins=${manager_plugins}" pem"
+		medsrv_plugins=${medsrv_plugins}" pem"
+
+	fi
+
 if test x$padlock = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
-fi
+		s_plugins=${s_plugins}" padlock"
+		libcharon_plugins=${libcharon_plugins}" padlock"
+
+	fi
+
 if test x$openssl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
-	pluto_plugins=${pluto_plugins}" openssl"
-fi
+		s_plugins=${s_plugins}" openssl"
+		libcharon_plugins=${libcharon_plugins}" openssl"
+		pluto_plugins=${pluto_plugins}" openssl"
+		openac_plugins=${openac_plugins}" openssl"
+		scepclient_plugins=${scepclient_plugins}" openssl"
+		pki_plugins=${pki_plugins}" openssl"
+		scripts_plugins=${scripts_plugins}" openssl"
+		manager_plugins=${manager_plugins}" openssl"
+		medsrv_plugins=${medsrv_plugins}" openssl"
+
+	fi
+
 if test x$gcrypt = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gcrypt"
-	pluto_plugins=${pluto_plugins}" gcrypt"
-fi
+		s_plugins=${s_plugins}" gcrypt"
+		libcharon_plugins=${libcharon_plugins}" gcrypt"
+		pluto_plugins=${pluto_plugins}" gcrypt"
+		openac_plugins=${openac_plugins}" gcrypt"
+		scepclient_plugins=${scepclient_plugins}" gcrypt"
+		pki_plugins=${pki_plugins}" gcrypt"
+		scripts_plugins=${scripts_plugins}" gcrypt"
+		manager_plugins=${manager_plugins}" gcrypt"
+		medsrv_plugins=${medsrv_plugins}" gcrypt"
+
+	fi
+
 if test x$fips_prf = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
-fi
+		s_plugins=${s_plugins}" fips-prf"
+		libcharon_plugins=${libcharon_plugins}" fips-prf"
+
+	fi
+
+if test x$gmp = xtrue; then
+		s_plugins=${s_plugins}" gmp"
+		libcharon_plugins=${libcharon_plugins}" gmp"
+		pluto_plugins=${pluto_plugins}" gmp"
+		openac_plugins=${openac_plugins}" gmp"
+		scepclient_plugins=${scepclient_plugins}" gmp"
+		pki_plugins=${pki_plugins}" gmp"
+		scripts_plugins=${scripts_plugins}" gmp"
+		manager_plugins=${manager_plugins}" gmp"
+		medsrv_plugins=${medsrv_plugins}" gmp"
+
+	fi
+
+if test x$agent = xtrue; then
+		s_plugins=${s_plugins}" agent"
+		libcharon_plugins=${libcharon_plugins}" agent"
+
+	fi
+
+if test x$pkcs11 = xtrue; then
+		s_plugins=${s_plugins}" pkcs11"
+		libcharon_plugins=${libcharon_plugins}" pkcs11"
+		pki_plugins=${pki_plugins}" pkcs11"
+
+	fi
+
 if test x$xcbc = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
-fi
+		s_plugins=${s_plugins}" xcbc"
+		libcharon_plugins=${libcharon_plugins}" xcbc"
+
+	fi
+
 if test x$hmac = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
-	pluto_plugins=${pluto_plugins}" hmac"
-fi
-if test x$agent = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" agent"
-fi
-if test x$gmp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
-	pluto_plugins=${pluto_plugins}" gmp"
-fi
+		s_plugins=${s_plugins}" hmac"
+		libcharon_plugins=${libcharon_plugins}" hmac"
+		pluto_plugins=${pluto_plugins}" hmac"
+		scripts_plugins=${scripts_plugins}" hmac"
+
+	fi
+
+if test x$ctr = xtrue; then
+		s_plugins=${s_plugins}" ctr"
+		libcharon_plugins=${libcharon_plugins}" ctr"
+		scripts_plugins=${scripts_plugins}" ctr"
+
+	fi
+
+if test x$ccm = xtrue; then
+		s_plugins=${s_plugins}" ccm"
+		libcharon_plugins=${libcharon_plugins}" ccm"
+		scripts_plugins=${scripts_plugins}" ccm"
+
+	fi
+
+if test x$gcm = xtrue; then
+		s_plugins=${s_plugins}" gcm"
+		libcharon_plugins=${libcharon_plugins}" gcm"
+		scripts_plugins=${scripts_plugins}" gcm"
+
+	fi
+
 if test x$xauth = xtrue; then
-	pluto_plugins=${pluto_plugins}" xauth"
-fi
+		p_plugins=${p_plugins}" xauth"
+		pluto_plugins=${pluto_plugins}" xauth"
+
+	fi
+
 if test x$attr = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" attr"
-fi
-if test x$attr_sql = xtrue -o x$sql = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" attr-sql"
-fi
+		h_plugins=${h_plugins}" attr"
+		libcharon_plugins=${libcharon_plugins}" attr"
+		pluto_plugins=${pluto_plugins}" attr"
+
+	fi
+
+if test x$attr_sql = xtrue; then
+		h_plugins=${h_plugins}" attr-sql"
+		libcharon_plugins=${libcharon_plugins}" attr-sql"
+		pluto_plugins=${pluto_plugins}" attr-sql"
+
+	fi
+
+if test x$kernel_pfkey = xtrue; then
+		h_plugins=${h_plugins}" kernel-pfkey"
+		libcharon_plugins=${libcharon_plugins}" kernel-pfkey"
+		pluto_plugins=${pluto_plugins}" kernel-pfkey"
+
+	fi
+
+if test x$kernel_pfroute = xtrue; then
+		h_plugins=${h_plugins}" kernel-pfroute"
+		libcharon_plugins=${libcharon_plugins}" kernel-pfroute"
+		pluto_plugins=${pluto_plugins}" kernel-pfroute"
+
+	fi
+
+if test x$kernel_klips = xtrue; then
+		h_plugins=${h_plugins}" kernel-klips"
+		libcharon_plugins=${libcharon_plugins}" kernel-klips"
+		pluto_plugins=${pluto_plugins}" kernel-klips"
+
+	fi
+
+if test x$kernel_netlink = xtrue; then
+		h_plugins=${h_plugins}" kernel-netlink"
+		libcharon_plugins=${libcharon_plugins}" kernel-netlink"
+		pluto_plugins=${pluto_plugins}" kernel-netlink"
+
+	fi
+
 if test x$resolve = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" resolve"
-fi
+		h_plugins=${h_plugins}" resolve"
+		libcharon_plugins=${libcharon_plugins}" resolve"
+		pluto_plugins=${pluto_plugins}" resolve"
+
+	fi
+
+if test x$load_tester = xtrue; then
+		c_plugins=${c_plugins}" load-tester"
+		libcharon_plugins=${libcharon_plugins}" load-tester"
+
+	fi
+
+if test x$socket_default = xtrue; then
+		c_plugins=${c_plugins}" socket-default"
+		libcharon_plugins=${libcharon_plugins}" socket-default"
+
+	fi
+
+if test x$socket_raw = xtrue; then
+		c_plugins=${c_plugins}" socket-raw"
+		libcharon_plugins=${libcharon_plugins}" socket-raw"
+
+	fi
+
+if test x$socket_dynamic = xtrue; then
+		c_plugins=${c_plugins}" socket-dynamic"
+		libcharon_plugins=${libcharon_plugins}" socket-dynamic"
+
+	fi
+
+if test x$farp = xtrue; then
+		c_plugins=${c_plugins}" farp"
+		libcharon_plugins=${libcharon_plugins}" farp"
+
+	fi
+
+if test x$stroke = xtrue; then
+		c_plugins=${c_plugins}" stroke"
+		libcharon_plugins=${libcharon_plugins}" stroke"
+
+	fi
+
+if test x$smp = xtrue; then
+		c_plugins=${c_plugins}" smp"
+		libcharon_plugins=${libcharon_plugins}" smp"
+
+	fi
+
+if test x$sql = xtrue; then
+		c_plugins=${c_plugins}" sql"
+		libcharon_plugins=${libcharon_plugins}" sql"
+
+	fi
+
+if test x$updown = xtrue; then
+		c_plugins=${c_plugins}" updown"
+		libcharon_plugins=${libcharon_plugins}" updown"
+
+	fi
+
+if test x$eap_identity = xtrue; then
+		c_plugins=${c_plugins}" eap-identity"
+		libcharon_plugins=${libcharon_plugins}" eap-identity"
+
+	fi
+
+if test x$eap_sim = xtrue; then
+		c_plugins=${c_plugins}" eap-sim"
+		libcharon_plugins=${libcharon_plugins}" eap-sim"
+
+	fi
+
+if test x$eap_sim_file = xtrue; then
+		c_plugins=${c_plugins}" eap-sim-file"
+		libcharon_plugins=${libcharon_plugins}" eap-sim-file"
+
+	fi
+
+if test x$eap_simaka_sql = xtrue; then
+		c_plugins=${c_plugins}" eap-simaka-sql"
+		libcharon_plugins=${libcharon_plugins}" eap-simaka-sql"
+
+	fi
+
+if test x$eap_simaka_pseudonym = xtrue; then
+		c_plugins=${c_plugins}" eap-simaka-pseudonym"
+		libcharon_plugins=${libcharon_plugins}" eap-simaka-pseudonym"
+
+	fi
+
+if test x$eap_simaka_reauth = xtrue; then
+		c_plugins=${c_plugins}" eap-simaka-reauth"
+		libcharon_plugins=${libcharon_plugins}" eap-simaka-reauth"
+
+	fi
+
+if test x$eap_aka = xtrue; then
+		c_plugins=${c_plugins}" eap-aka"
+		libcharon_plugins=${libcharon_plugins}" eap-aka"
+
+	fi
+
+if test x$eap_aka_3gpp2 = xtrue; then
+		c_plugins=${c_plugins}" eap-aka-3gpp2"
+		libcharon_plugins=${libcharon_plugins}" eap-aka-3gpp2"
+
+	fi
+
+if test x$eap_md5 = xtrue; then
+		c_plugins=${c_plugins}" eap-md5"
+		libcharon_plugins=${libcharon_plugins}" eap-md5"
+
+	fi
+
+if test x$eap_gtc = xtrue; then
+		c_plugins=${c_plugins}" eap-gtc"
+		libcharon_plugins=${libcharon_plugins}" eap-gtc"
+
+	fi
+
+if test x$eap_mschapv2 = xtrue; then
+		c_plugins=${c_plugins}" eap-mschapv2"
+		libcharon_plugins=${libcharon_plugins}" eap-mschapv2"
+
+	fi
+
+if test x$eap_radius = xtrue; then
+		c_plugins=${c_plugins}" eap-radius"
+		libcharon_plugins=${libcharon_plugins}" eap-radius"
+
+	fi
+
+if test x$eap_tls = xtrue; then
+		c_plugins=${c_plugins}" eap-tls"
+		libcharon_plugins=${libcharon_plugins}" eap-tls"
+
+	fi
+
+if test x$eap_ttls = xtrue; then
+		c_plugins=${c_plugins}" eap-ttls"
+		libcharon_plugins=${libcharon_plugins}" eap-ttls"
+
+	fi
+
+if test x$eap_tnc = xtrue; then
+		c_plugins=${c_plugins}" eap-tnc"
+		libcharon_plugins=${libcharon_plugins}" eap-tnc"
+
+	fi
+
+if test x$tnc_imc = xtrue; then
+		c_plugins=${c_plugins}" tnc-imc"
+		libcharon_plugins=${libcharon_plugins}" tnc-imc"
+
+	fi
+
+if test x$tnc_imv = xtrue; then
+		c_plugins=${c_plugins}" tnc-imv"
+		libcharon_plugins=${libcharon_plugins}" tnc-imv"
+
+	fi
+
+if test x$tnccs_11 = xtrue; then
+		c_plugins=${c_plugins}" tnccs-11"
+		libcharon_plugins=${libcharon_plugins}" tnccs-11"
+
+	fi
+
+if test x$tnccs_20 = xtrue; then
+		c_plugins=${c_plugins}" tnccs-20"
+		libcharon_plugins=${libcharon_plugins}" tnccs-20"
+
+	fi
+
+if test x$medsrv = xtrue; then
+		c_plugins=${c_plugins}" medsrv"
+		libcharon_plugins=${libcharon_plugins}" medsrv"
+
+	fi
+
+if test x$medcli = xtrue; then
+		c_plugins=${c_plugins}" medcli"
+		libcharon_plugins=${libcharon_plugins}" medcli"
+
+	fi
+
+if test x$nm = xtrue; then
+		c_plugins=${c_plugins}" nm"
+		libcharon_plugins=${libcharon_plugins}" nm"
+
+	fi
+
+if test x$dhcp = xtrue; then
+		c_plugins=${c_plugins}" dhcp"
+		libcharon_plugins=${libcharon_plugins}" dhcp"
+
+	fi
+
+if test x$android = xtrue; then
+		c_plugins=${c_plugins}" android"
+		libcharon_plugins=${libcharon_plugins}" android"
+
+	fi
+
+if test x$ha = xtrue; then
+		c_plugins=${c_plugins}" ha"
+		libcharon_plugins=${libcharon_plugins}" ha"
+
+	fi
+
+if test x$led = xtrue; then
+		c_plugins=${c_plugins}" led"
+		libcharon_plugins=${libcharon_plugins}" led"
+
+	fi
+
+if test x$maemo = xtrue; then
+		c_plugins=${c_plugins}" maemo"
+		libcharon_plugins=${libcharon_plugins}" maemo"
+
+	fi
+
+if test x$uci = xtrue; then
+		c_plugins=${c_plugins}" uci"
+		libcharon_plugins=${libcharon_plugins}" uci"
+
+	fi
+
+if test x$addrblock = xtrue; then
+		c_plugins=${c_plugins}" addrblock"
+		libcharon_plugins=${libcharon_plugins}" addrblock"
+
+	fi
+
+if test x$unit_tester = xtrue; then
+		c_plugins=${c_plugins}" unit-tester"
+		libcharon_plugins=${libcharon_plugins}" unit-tester"
+
+	fi
+
+
+
+
+
+
+
+
+
+
+
+
 
 
 
@@ -16423,6 +17355,38 @@ else
   USE_AGENT_FALSE=
 fi
 
+ if test x$pkcs11 = xtrue; then
+  USE_PKCS11_TRUE=
+  USE_PKCS11_FALSE='#'
+else
+  USE_PKCS11_TRUE='#'
+  USE_PKCS11_FALSE=
+fi
+
+ if test x$ctr = xtrue; then
+  USE_CTR_TRUE=
+  USE_CTR_FALSE='#'
+else
+  USE_CTR_TRUE='#'
+  USE_CTR_FALSE=
+fi
+
+ if test x$ccm = xtrue; then
+  USE_CCM_TRUE=
+  USE_CCM_FALSE='#'
+else
+  USE_CCM_TRUE='#'
+  USE_CCM_FALSE=
+fi
+
+ if test x$gcm = xtrue; then
+  USE_GCM_TRUE=
+  USE_GCM_FALSE='#'
+else
+  USE_GCM_TRUE='#'
+  USE_GCM_FALSE=
+fi
+
 
  if test x$stroke = xtrue; then
   USE_STROKE_TRUE=
@@ -16472,6 +17436,14 @@ else
   USE_ANDROID_FALSE=
 fi
 
+ if test x$maemo = xtrue; then
+  USE_MAEMO_TRUE=
+  USE_MAEMO_FALSE='#'
+else
+  USE_MAEMO_TRUE='#'
+  USE_MAEMO_FALSE=
+fi
+
  if test x$smp = xtrue; then
   USE_SMP_TRUE=
   USE_SMP_FALSE='#'
@@ -16528,6 +17500,14 @@ else
   USE_HA_FALSE=
 fi
 
+ if test x$led = xtrue; then
+  USE_LED_TRUE=
+  USE_LED_FALSE='#'
+else
+  USE_LED_TRUE='#'
+  USE_LED_FALSE=
+fi
+
  if test x$eap_sim = xtrue; then
   USE_EAP_SIM_TRUE=
   USE_EAP_SIM_FALSE='#'
@@ -16616,6 +17596,30 @@ else
   USE_EAP_MSCHAPV2_FALSE=
 fi
 
+ if test x$eap_tls = xtrue; then
+  USE_EAP_TLS_TRUE=
+  USE_EAP_TLS_FALSE='#'
+else
+  USE_EAP_TLS_TRUE='#'
+  USE_EAP_TLS_FALSE=
+fi
+
+ if test x$eap_ttls = xtrue; then
+  USE_EAP_TTLS_TRUE=
+  USE_EAP_TTLS_FALSE='#'
+else
+  USE_EAP_TTLS_TRUE='#'
+  USE_EAP_TTLS_FALSE=
+fi
+
+ if test x$eap_tnc = xtrue; then
+  USE_EAP_TNC_TRUE=
+  USE_EAP_TNC_FALSE='#'
+else
+  USE_EAP_TNC_TRUE='#'
+  USE_EAP_TNC_FALSE=
+fi
+
  if test x$eap_radius = xtrue; then
   USE_EAP_RADIUS_TRUE=
   USE_EAP_RADIUS_FALSE='#'
@@ -16624,36 +17628,36 @@ else
   USE_EAP_RADIUS_FALSE=
 fi
 
- if test x$kernel_netlink = xtrue; then
-  USE_KERNEL_NETLINK_TRUE=
-  USE_KERNEL_NETLINK_FALSE='#'
+ if test x$tnc_imc = xtrue; then
+  USE_TNC_IMC_TRUE=
+  USE_TNC_IMC_FALSE='#'
 else
-  USE_KERNEL_NETLINK_TRUE='#'
-  USE_KERNEL_NETLINK_FALSE=
+  USE_TNC_IMC_TRUE='#'
+  USE_TNC_IMC_FALSE=
 fi
 
- if test x$kernel_pfkey = xtrue; then
-  USE_KERNEL_PFKEY_TRUE=
-  USE_KERNEL_PFKEY_FALSE='#'
+ if test x$tnc_imv = xtrue; then
+  USE_TNC_IMV_TRUE=
+  USE_TNC_IMV_FALSE='#'
 else
-  USE_KERNEL_PFKEY_TRUE='#'
-  USE_KERNEL_PFKEY_FALSE=
+  USE_TNC_IMV_TRUE='#'
+  USE_TNC_IMV_FALSE=
 fi
 
- if test x$kernel_pfroute = xtrue; then
-  USE_KERNEL_PFROUTE_TRUE=
-  USE_KERNEL_PFROUTE_FALSE='#'
+ if test x$tnccs_11 = xtrue; then
+  USE_TNCCS_11_TRUE=
+  USE_TNCCS_11_FALSE='#'
 else
-  USE_KERNEL_PFROUTE_TRUE='#'
-  USE_KERNEL_PFROUTE_FALSE=
+  USE_TNCCS_11_TRUE='#'
+  USE_TNCCS_11_FALSE=
 fi
 
- if test x$kernel_klips = xtrue; then
-  USE_KERNEL_KLIPS_TRUE=
-  USE_KERNEL_KLIPS_FALSE='#'
+ if test x$tnccs_20 = xtrue; then
+  USE_TNCCS_20_TRUE=
+  USE_TNCCS_20_FALSE='#'
 else
-  USE_KERNEL_KLIPS_TRUE='#'
-  USE_KERNEL_KLIPS_FALSE=
+  USE_TNCCS_20_TRUE='#'
+  USE_TNCCS_20_FALSE=
 fi
 
  if test x$socket_default = xtrue; then
@@ -16713,6 +17717,38 @@ else
   USE_ATTR_SQL_FALSE=
 fi
 
+ if test x$kernel_klips = xtrue; then
+  USE_KERNEL_KLIPS_TRUE=
+  USE_KERNEL_KLIPS_FALSE='#'
+else
+  USE_KERNEL_KLIPS_TRUE='#'
+  USE_KERNEL_KLIPS_FALSE=
+fi
+
+ if test x$kernel_netlink = xtrue; then
+  USE_KERNEL_NETLINK_TRUE=
+  USE_KERNEL_NETLINK_FALSE='#'
+else
+  USE_KERNEL_NETLINK_TRUE='#'
+  USE_KERNEL_NETLINK_FALSE=
+fi
+
+ if test x$kernel_pfkey = xtrue; then
+  USE_KERNEL_PFKEY_TRUE=
+  USE_KERNEL_PFKEY_FALSE='#'
+else
+  USE_KERNEL_PFKEY_TRUE='#'
+  USE_KERNEL_PFKEY_FALSE=
+fi
+
+ if test x$kernel_pfroute = xtrue; then
+  USE_KERNEL_PFROUTE_TRUE=
+  USE_KERNEL_PFROUTE_FALSE='#'
+else
+  USE_KERNEL_PFROUTE_TRUE='#'
+  USE_KERNEL_PFROUTE_FALSE=
+fi
+
  if test x$resolve = xtrue; then
   USE_RESOLVE_TRUE=
   USE_RESOLVE_FALSE='#'
@@ -16923,6 +17959,14 @@ else
   USE_SIMAKA_FALSE=
 fi
 
+ if test x$tls = xtrue; then
+  USE_TLS_TRUE=
+  USE_TLS_FALSE='#'
+else
+  USE_TLS_TRUE='#'
+  USE_TLS_FALSE=
+fi
+
  if test x$monolithic = xtrue; then
   MONOLITHIC_TRUE=
   MONOLITHIC_FALSE='#'
@@ -16948,7 +17992,7 @@ fi
 
 
 
-ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_klips/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile man/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -17069,6 +18113,7 @@ DEFS=`sed -n "$ac_script" confdefs.h`
 
 ac_libobjs=
 ac_ltlibobjs=
+U=
 for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
   # 1. Remove the extension, and $U if already installed.
   ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
@@ -17092,376 +18137,432 @@ else
 fi
 
 if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
-  as_fn_error "conditional \"AMDEP\" was never defined.
+  as_fn_error $? "conditional \"AMDEP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
-  as_fn_error "conditional \"am__fastdepCC\" was never defined.
+  as_fn_error $? "conditional \"am__fastdepCC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 
 if test -z "${USE_TEST_VECTORS_TRUE}" && test -z "${USE_TEST_VECTORS_FALSE}"; then
-  as_fn_error "conditional \"USE_TEST_VECTORS\" was never defined.
+  as_fn_error $? "conditional \"USE_TEST_VECTORS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
-  as_fn_error "conditional \"USE_CURL\" was never defined.
+  as_fn_error $? "conditional \"USE_CURL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LDAP_TRUE}" && test -z "${USE_LDAP_FALSE}"; then
-  as_fn_error "conditional \"USE_LDAP\" was never defined.
+  as_fn_error $? "conditional \"USE_LDAP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_AES_TRUE}" && test -z "${USE_AES_FALSE}"; then
-  as_fn_error "conditional \"USE_AES\" was never defined.
+  as_fn_error $? "conditional \"USE_AES\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_DES_TRUE}" && test -z "${USE_DES_FALSE}"; then
-  as_fn_error "conditional \"USE_DES\" was never defined.
+  as_fn_error $? "conditional \"USE_DES\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_BLOWFISH_TRUE}" && test -z "${USE_BLOWFISH_FALSE}"; then
-  as_fn_error "conditional \"USE_BLOWFISH\" was never defined.
+  as_fn_error $? "conditional \"USE_BLOWFISH\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MD4_TRUE}" && test -z "${USE_MD4_FALSE}"; then
-  as_fn_error "conditional \"USE_MD4\" was never defined.
+  as_fn_error $? "conditional \"USE_MD4\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MD5_TRUE}" && test -z "${USE_MD5_FALSE}"; then
-  as_fn_error "conditional \"USE_MD5\" was never defined.
+  as_fn_error $? "conditional \"USE_MD5\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SHA1_TRUE}" && test -z "${USE_SHA1_FALSE}"; then
-  as_fn_error "conditional \"USE_SHA1\" was never defined.
+  as_fn_error $? "conditional \"USE_SHA1\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SHA2_TRUE}" && test -z "${USE_SHA2_FALSE}"; then
-  as_fn_error "conditional \"USE_SHA2\" was never defined.
+  as_fn_error $? "conditional \"USE_SHA2\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FIPS_PRF_TRUE}" && test -z "${USE_FIPS_PRF_FALSE}"; then
-  as_fn_error "conditional \"USE_FIPS_PRF\" was never defined.
+  as_fn_error $? "conditional \"USE_FIPS_PRF\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
-  as_fn_error "conditional \"USE_GMP\" was never defined.
+  as_fn_error $? "conditional \"USE_GMP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_RANDOM_TRUE}" && test -z "${USE_RANDOM_FALSE}"; then
-  as_fn_error "conditional \"USE_RANDOM\" was never defined.
+  as_fn_error $? "conditional \"USE_RANDOM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_X509_TRUE}" && test -z "${USE_X509_FALSE}"; then
-  as_fn_error "conditional \"USE_X509\" was never defined.
+  as_fn_error $? "conditional \"USE_X509\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_REVOCATION_TRUE}" && test -z "${USE_REVOCATION_FALSE}"; then
-  as_fn_error "conditional \"USE_REVOCATION\" was never defined.
+  as_fn_error $? "conditional \"USE_REVOCATION\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then
-  as_fn_error "conditional \"USE_PUBKEY\" was never defined.
+  as_fn_error $? "conditional \"USE_PUBKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PKCS1_TRUE}" && test -z "${USE_PKCS1_FALSE}"; then
-  as_fn_error "conditional \"USE_PKCS1\" was never defined.
+  as_fn_error $? "conditional \"USE_PKCS1\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PGP_TRUE}" && test -z "${USE_PGP_FALSE}"; then
-  as_fn_error "conditional \"USE_PGP\" was never defined.
+  as_fn_error $? "conditional \"USE_PGP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_DNSKEY_TRUE}" && test -z "${USE_DNSKEY_FALSE}"; then
-  as_fn_error "conditional \"USE_DNSKEY\" was never defined.
+  as_fn_error $? "conditional \"USE_DNSKEY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PEM_TRUE}" && test -z "${USE_PEM_FALSE}"; then
-  as_fn_error "conditional \"USE_PEM\" was never defined.
+  as_fn_error $? "conditional \"USE_PEM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_HMAC_TRUE}" && test -z "${USE_HMAC_FALSE}"; then
-  as_fn_error "conditional \"USE_HMAC\" was never defined.
+  as_fn_error $? "conditional \"USE_HMAC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_XCBC_TRUE}" && test -z "${USE_XCBC_FALSE}"; then
-  as_fn_error "conditional \"USE_XCBC\" was never defined.
+  as_fn_error $? "conditional \"USE_XCBC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MYSQL_TRUE}" && test -z "${USE_MYSQL_FALSE}"; then
-  as_fn_error "conditional \"USE_MYSQL\" was never defined.
+  as_fn_error $? "conditional \"USE_MYSQL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SQLITE_TRUE}" && test -z "${USE_SQLITE_FALSE}"; then
-  as_fn_error "conditional \"USE_SQLITE\" was never defined.
+  as_fn_error $? "conditional \"USE_SQLITE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PADLOCK_TRUE}" && test -z "${USE_PADLOCK_FALSE}"; then
-  as_fn_error "conditional \"USE_PADLOCK\" was never defined.
+  as_fn_error $? "conditional \"USE_PADLOCK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_OPENSSL_TRUE}" && test -z "${USE_OPENSSL_FALSE}"; then
-  as_fn_error "conditional \"USE_OPENSSL\" was never defined.
+  as_fn_error $? "conditional \"USE_OPENSSL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_GCRYPT_TRUE}" && test -z "${USE_GCRYPT_FALSE}"; then
-  as_fn_error "conditional \"USE_GCRYPT\" was never defined.
+  as_fn_error $? "conditional \"USE_GCRYPT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_AGENT_TRUE}" && test -z "${USE_AGENT_FALSE}"; then
-  as_fn_error "conditional \"USE_AGENT\" was never defined.
+  as_fn_error $? "conditional \"USE_AGENT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_PKCS11_TRUE}" && test -z "${USE_PKCS11_FALSE}"; then
+  as_fn_error $? "conditional \"USE_PKCS11\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_CTR_TRUE}" && test -z "${USE_CTR_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CTR\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_CCM_TRUE}" && test -z "${USE_CCM_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CCM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_GCM_TRUE}" && test -z "${USE_GCM_FALSE}"; then
+  as_fn_error $? "conditional \"USE_GCM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
-  as_fn_error "conditional \"USE_STROKE\" was never defined.
+  as_fn_error $? "conditional \"USE_STROKE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MEDSRV_TRUE}" && test -z "${USE_MEDSRV_FALSE}"; then
-  as_fn_error "conditional \"USE_MEDSRV\" was never defined.
+  as_fn_error $? "conditional \"USE_MEDSRV\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MEDCLI_TRUE}" && test -z "${USE_MEDCLI_FALSE}"; then
-  as_fn_error "conditional \"USE_MEDCLI\" was never defined.
+  as_fn_error $? "conditional \"USE_MEDCLI\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_NM_TRUE}" && test -z "${USE_NM_FALSE}"; then
-  as_fn_error "conditional \"USE_NM\" was never defined.
+  as_fn_error $? "conditional \"USE_NM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_UCI_TRUE}" && test -z "${USE_UCI_FALSE}"; then
-  as_fn_error "conditional \"USE_UCI\" was never defined.
+  as_fn_error $? "conditional \"USE_UCI\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ANDROID_TRUE}" && test -z "${USE_ANDROID_FALSE}"; then
-  as_fn_error "conditional \"USE_ANDROID\" was never defined.
+  as_fn_error $? "conditional \"USE_ANDROID\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_MAEMO_TRUE}" && test -z "${USE_MAEMO_FALSE}"; then
+  as_fn_error $? "conditional \"USE_MAEMO\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SMP_TRUE}" && test -z "${USE_SMP_FALSE}"; then
-  as_fn_error "conditional \"USE_SMP\" was never defined.
+  as_fn_error $? "conditional \"USE_SMP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SQL_TRUE}" && test -z "${USE_SQL_FALSE}"; then
-  as_fn_error "conditional \"USE_SQL\" was never defined.
+  as_fn_error $? "conditional \"USE_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then
-  as_fn_error "conditional \"USE_UPDOWN\" was never defined.
+  as_fn_error $? "conditional \"USE_UPDOWN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_DHCP_TRUE}" && test -z "${USE_DHCP_FALSE}"; then
-  as_fn_error "conditional \"USE_DHCP\" was never defined.
+  as_fn_error $? "conditional \"USE_DHCP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then
-  as_fn_error "conditional \"USE_UNIT_TESTS\" was never defined.
+  as_fn_error $? "conditional \"USE_UNIT_TESTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LOAD_TESTER_TRUE}" && test -z "${USE_LOAD_TESTER_FALSE}"; then
-  as_fn_error "conditional \"USE_LOAD_TESTER\" was never defined.
+  as_fn_error $? "conditional \"USE_LOAD_TESTER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_HA_TRUE}" && test -z "${USE_HA_FALSE}"; then
-  as_fn_error "conditional \"USE_HA\" was never defined.
+  as_fn_error $? "conditional \"USE_HA\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_LED_TRUE}" && test -z "${USE_LED_FALSE}"; then
+  as_fn_error $? "conditional \"USE_LED\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIM_TRUE}" && test -z "${USE_EAP_SIM_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_SIM\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_SIM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIM_FILE_TRUE}" && test -z "${USE_EAP_SIM_FILE_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_SIM_FILE\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_SIM_FILE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIMAKA_SQL_TRUE}" && test -z "${USE_EAP_SIMAKA_SQL_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_SIMAKA_SQL\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_SIMAKA_SQL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIMAKA_PSEUDONYM_TRUE}" && test -z "${USE_EAP_SIMAKA_PSEUDONYM_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_SIMAKA_PSEUDONYM\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_SIMAKA_PSEUDONYM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_SIMAKA_REAUTH_TRUE}" && test -z "${USE_EAP_SIMAKA_REAUTH_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_SIMAKA_REAUTH\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_SIMAKA_REAUTH\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_IDENTITY_TRUE}" && test -z "${USE_EAP_IDENTITY_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_IDENTITY\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_IDENTITY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_MD5_TRUE}" && test -z "${USE_EAP_MD5_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_MD5\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_MD5\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_GTC_TRUE}" && test -z "${USE_EAP_GTC_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_GTC\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_GTC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_AKA_TRUE}" && test -z "${USE_EAP_AKA_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_AKA\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_AKA\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_AKA_3GPP2_TRUE}" && test -z "${USE_EAP_AKA_3GPP2_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_AKA_3GPP2\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_AKA_3GPP2\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_MSCHAPV2_TRUE}" && test -z "${USE_EAP_MSCHAPV2_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_MSCHAPV2\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_MSCHAPV2\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_EAP_TLS_TRUE}" && test -z "${USE_EAP_TLS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_EAP_TLS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_EAP_TTLS_TRUE}" && test -z "${USE_EAP_TTLS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_EAP_TTLS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_EAP_TNC_TRUE}" && test -z "${USE_EAP_TNC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_EAP_TNC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_EAP_RADIUS_TRUE}" && test -z "${USE_EAP_RADIUS_FALSE}"; then
-  as_fn_error "conditional \"USE_EAP_RADIUS\" was never defined.
+  as_fn_error $? "conditional \"USE_EAP_RADIUS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
-  as_fn_error "conditional \"USE_KERNEL_NETLINK\" was never defined.
+if test -z "${USE_TNC_IMC_TRUE}" && test -z "${USE_TNC_IMC_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TNC_IMC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
-  as_fn_error "conditional \"USE_KERNEL_PFKEY\" was never defined.
+if test -z "${USE_TNC_IMV_TRUE}" && test -z "${USE_TNC_IMV_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TNC_IMV\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}"; then
-  as_fn_error "conditional \"USE_KERNEL_PFROUTE\" was never defined.
+if test -z "${USE_TNCCS_11_TRUE}" && test -z "${USE_TNCCS_11_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TNCCS_11\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; then
-  as_fn_error "conditional \"USE_KERNEL_KLIPS\" was never defined.
+if test -z "${USE_TNCCS_20_TRUE}" && test -z "${USE_TNCCS_20_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TNCCS_20\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SOCKET_DEFAULT_TRUE}" && test -z "${USE_SOCKET_DEFAULT_FALSE}"; then
-  as_fn_error "conditional \"USE_SOCKET_DEFAULT\" was never defined.
+  as_fn_error $? "conditional \"USE_SOCKET_DEFAULT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SOCKET_RAW_TRUE}" && test -z "${USE_SOCKET_RAW_FALSE}"; then
-  as_fn_error "conditional \"USE_SOCKET_RAW\" was never defined.
+  as_fn_error $? "conditional \"USE_SOCKET_RAW\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SOCKET_DYNAMIC_TRUE}" && test -z "${USE_SOCKET_DYNAMIC_FALSE}"; then
-  as_fn_error "conditional \"USE_SOCKET_DYNAMIC\" was never defined.
+  as_fn_error $? "conditional \"USE_SOCKET_DYNAMIC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FARP_TRUE}" && test -z "${USE_FARP_FALSE}"; then
-  as_fn_error "conditional \"USE_FARP\" was never defined.
+  as_fn_error $? "conditional \"USE_FARP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ADDRBLOCK_TRUE}" && test -z "${USE_ADDRBLOCK_FALSE}"; then
-  as_fn_error "conditional \"USE_ADDRBLOCK\" was never defined.
+  as_fn_error $? "conditional \"USE_ADDRBLOCK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then
-  as_fn_error "conditional \"USE_ATTR\" was never defined.
+  as_fn_error $? "conditional \"USE_ATTR\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then
-  as_fn_error "conditional \"USE_ATTR_SQL\" was never defined.
+  as_fn_error $? "conditional \"USE_ATTR_SQL\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_KLIPS_TRUE}" && test -z "${USE_KERNEL_KLIPS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_KLIPS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_NETLINK_TRUE}" && test -z "${USE_KERNEL_NETLINK_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_NETLINK\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_PFKEY_TRUE}" && test -z "${USE_KERNEL_PFKEY_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_PFKEY\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}"; then
+  as_fn_error $? "conditional \"USE_KERNEL_PFROUTE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
-  as_fn_error "conditional \"USE_RESOLVE\" was never defined.
+  as_fn_error $? "conditional \"USE_RESOLVE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_XAUTH_TRUE}" && test -z "${USE_XAUTH_FALSE}"; then
-  as_fn_error "conditional \"USE_XAUTH\" was never defined.
+  as_fn_error $? "conditional \"USE_XAUTH\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
-  as_fn_error "conditional \"USE_SMARTCARD\" was never defined.
+  as_fn_error $? "conditional \"USE_SMARTCARD\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_CISCO_QUIRKS_TRUE}" && test -z "${USE_CISCO_QUIRKS_FALSE}"; then
-  as_fn_error "conditional \"USE_CISCO_QUIRKS\" was never defined.
+  as_fn_error $? "conditional \"USE_CISCO_QUIRKS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
-  as_fn_error "conditional \"USE_LEAK_DETECTIVE\" was never defined.
+  as_fn_error $? "conditional \"USE_LEAK_DETECTIVE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LOCK_PROFILER_TRUE}" && test -z "${USE_LOCK_PROFILER_FALSE}"; then
-  as_fn_error "conditional \"USE_LOCK_PROFILER\" was never defined.
+  as_fn_error $? "conditional \"USE_LOCK_PROFILER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_NAT_TRANSPORT_TRUE}" && test -z "${USE_NAT_TRANSPORT_FALSE}"; then
-  as_fn_error "conditional \"USE_NAT_TRANSPORT\" was never defined.
+  as_fn_error $? "conditional \"USE_NAT_TRANSPORT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_VENDORID_TRUE}" && test -z "${USE_VENDORID_FALSE}"; then
-  as_fn_error "conditional \"USE_VENDORID\" was never defined.
+  as_fn_error $? "conditional \"USE_VENDORID\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_XAUTH_VID_TRUE}" && test -z "${USE_XAUTH_VID_FALSE}"; then
-  as_fn_error "conditional \"USE_XAUTH_VID\" was never defined.
+  as_fn_error $? "conditional \"USE_XAUTH_VID\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_DUMM_TRUE}" && test -z "${USE_DUMM_FALSE}"; then
-  as_fn_error "conditional \"USE_DUMM\" was never defined.
+  as_fn_error $? "conditional \"USE_DUMM\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FAST_TRUE}" && test -z "${USE_FAST_FALSE}"; then
-  as_fn_error "conditional \"USE_FAST\" was never defined.
+  as_fn_error $? "conditional \"USE_FAST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_MANAGER_TRUE}" && test -z "${USE_MANAGER_FALSE}"; then
-  as_fn_error "conditional \"USE_MANAGER\" was never defined.
+  as_fn_error $? "conditional \"USE_MANAGER\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_ME_TRUE}" && test -z "${USE_ME_FALSE}"; then
-  as_fn_error "conditional \"USE_ME\" was never defined.
+  as_fn_error $? "conditional \"USE_ME\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_INTEGRITY_TEST_TRUE}" && test -z "${USE_INTEGRITY_TEST_FALSE}"; then
-  as_fn_error "conditional \"USE_INTEGRITY_TEST\" was never defined.
+  as_fn_error $? "conditional \"USE_INTEGRITY_TEST\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LOAD_WARNING_TRUE}" && test -z "${USE_LOAD_WARNING_FALSE}"; then
-  as_fn_error "conditional \"USE_LOAD_WARNING\" was never defined.
+  as_fn_error $? "conditional \"USE_LOAD_WARNING\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_PLUTO_TRUE}" && test -z "${USE_PLUTO_FALSE}"; then
-  as_fn_error "conditional \"USE_PLUTO\" was never defined.
+  as_fn_error $? "conditional \"USE_PLUTO\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_THREADS_TRUE}" && test -z "${USE_THREADS_FALSE}"; then
-  as_fn_error "conditional \"USE_THREADS\" was never defined.
+  as_fn_error $? "conditional \"USE_THREADS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_CHARON_TRUE}" && test -z "${USE_CHARON_FALSE}"; then
-  as_fn_error "conditional \"USE_CHARON\" was never defined.
+  as_fn_error $? "conditional \"USE_CHARON\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_TOOLS_TRUE}" && test -z "${USE_TOOLS_FALSE}"; then
-  as_fn_error "conditional \"USE_TOOLS\" was never defined.
+  as_fn_error $? "conditional \"USE_TOOLS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SCRIPTS_TRUE}" && test -z "${USE_SCRIPTS_FALSE}"; then
-  as_fn_error "conditional \"USE_SCRIPTS\" was never defined.
+  as_fn_error $? "conditional \"USE_SCRIPTS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then
-  as_fn_error "conditional \"USE_LIBSTRONGSWAN\" was never defined.
+  as_fn_error $? "conditional \"USE_LIBSTRONGSWAN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LIBHYDRA_TRUE}" && test -z "${USE_LIBHYDRA_FALSE}"; then
-  as_fn_error "conditional \"USE_LIBHYDRA\" was never defined.
+  as_fn_error $? "conditional \"USE_LIBHYDRA\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then
-  as_fn_error "conditional \"USE_FILE_CONFIG\" was never defined.
+  as_fn_error $? "conditional \"USE_FILE_CONFIG\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_LIBCAP_TRUE}" && test -z "${USE_LIBCAP_FALSE}"; then
-  as_fn_error "conditional \"USE_LIBCAP\" was never defined.
+  as_fn_error $? "conditional \"USE_LIBCAP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_VSTR_TRUE}" && test -z "${USE_VSTR_FALSE}"; then
-  as_fn_error "conditional \"USE_VSTR\" was never defined.
+  as_fn_error $? "conditional \"USE_VSTR\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${USE_SIMAKA_TRUE}" && test -z "${USE_SIMAKA_FALSE}"; then
-  as_fn_error "conditional \"USE_SIMAKA\" was never defined.
+  as_fn_error $? "conditional \"USE_SIMAKA\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_TLS_TRUE}" && test -z "${USE_TLS_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TLS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${MONOLITHIC_TRUE}" && test -z "${MONOLITHIC_FALSE}"; then
-  as_fn_error "conditional \"MONOLITHIC\" was never defined.
+  as_fn_error $? "conditional \"MONOLITHIC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 
@@ -17611,19 +18712,19 @@ export LANGUAGE
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
 
-# as_fn_error ERROR [LINENO LOG_FD]
-# ---------------------------------
+# as_fn_error STATUS ERROR [LINENO LOG_FD]
+# ----------------------------------------
 # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
 # provided, also output the error to LOG_FD, referencing LINENO. Then exit the
-# script with status $?, using 1 if that was 0.
+# script with STATUS, using 1 if that was 0.
 as_fn_error ()
 {
-  as_status=$?; test $as_status -eq 0 && as_status=1
-  if test "$3"; then
-    as_lineno=${as_lineno-"$2"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-    $as_echo "$as_me:${as_lineno-$LINENO}: error: $1" >&$3
+  as_status=$1; test $as_status -eq 0 && as_status=1
+  if test "$4"; then
+    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
   fi
-  $as_echo "$as_me: error: $1" >&2
+  $as_echo "$as_me: error: $2" >&2
   as_fn_exit $as_status
 } # as_fn_error
 
@@ -17819,7 +18920,7 @@ $as_echo X"$as_dir" |
       test -d "$as_dir" && break
     done
     test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || as_fn_error "cannot create directory $as_dir"
+  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
 
 
 } # as_fn_mkdir_p
@@ -17872,8 +18973,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 4.4.1, which was
-generated by GNU Autoconf 2.65.  Invocation command line was
+This file was extended by strongSwan $as_me 4.5.0, which was
+generated by GNU Autoconf 2.67.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -17929,11 +19030,11 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 4.4.1
-configured by $0, generated by GNU Autoconf 2.65,
+strongSwan config.status 4.5.0
+configured by $0, generated by GNU Autoconf 2.67,
   with options \\"\$ac_cs_config\\"
 
-Copyright (C) 2009 Free Software Foundation, Inc.
+Copyright (C) 2010 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 
@@ -17951,11 +19052,16 @@ ac_need_defaults=:
 while test $# != 0
 do
   case $1 in
-  --*=*)
+  --*=?*)
     ac_option=`expr "X$1" : 'X\([^=]*\)='`
     ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
     ac_shift=:
     ;;
+  --*=)
+    ac_option=`expr "X$1" : 'X\([^=]*\)='`
+    ac_optarg=
+    ac_shift=:
+    ;;
   *)
     ac_option=$1
     ac_optarg=$2
@@ -17977,6 +19083,7 @@ do
     $ac_shift
     case $ac_optarg in
     *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
+    '') as_fn_error $? "missing file argument" ;;
     esac
     as_fn_append CONFIG_FILES " '$ac_optarg'"
     ac_need_defaults=false;;
@@ -17987,7 +19094,7 @@ do
     ac_cs_silent=: ;;
 
   # This is an error.
-  -*) as_fn_error "unrecognized option: \`$1'
+  -*) as_fn_error $? "unrecognized option: \`$1'
 Try \`$0 --help' for more information." ;;
 
   *) as_fn_append ac_config_targets " $1"
@@ -18299,6 +19406,7 @@ do
     "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
     "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;;
     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+    "man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile" ;;
     "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
     "src/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/include/Makefile" ;;
     "src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;;
@@ -18329,13 +19437,22 @@ do
     "src/libstrongswan/plugins/openssl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/openssl/Makefile" ;;
     "src/libstrongswan/plugins/gcrypt/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcrypt/Makefile" ;;
     "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;;
+    "src/libstrongswan/plugins/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs11/Makefile" ;;
+    "src/libstrongswan/plugins/ctr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ctr/Makefile" ;;
+    "src/libstrongswan/plugins/ccm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ccm/Makefile" ;;
+    "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;;
     "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
     "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
     "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;;
     "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;;
+    "src/libhydra/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_klips/Makefile" ;;
+    "src/libhydra/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_netlink/Makefile" ;;
+    "src/libhydra/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfkey/Makefile" ;;
+    "src/libhydra/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfroute/Makefile" ;;
     "src/libhydra/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/resolve/Makefile" ;;
     "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
     "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
+    "src/libtls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/Makefile" ;;
     "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
     "src/pluto/plugins/xauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/plugins/xauth/Makefile" ;;
     "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
@@ -18352,11 +19469,14 @@ do
     "src/libcharon/plugins/eap_simaka_pseudonym/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_pseudonym/Makefile" ;;
     "src/libcharon/plugins/eap_simaka_reauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_reauth/Makefile" ;;
     "src/libcharon/plugins/eap_mschapv2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_mschapv2/Makefile" ;;
+    "src/libcharon/plugins/eap_tls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_tls/Makefile" ;;
+    "src/libcharon/plugins/eap_ttls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_ttls/Makefile" ;;
+    "src/libcharon/plugins/eap_tnc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_tnc/Makefile" ;;
     "src/libcharon/plugins/eap_radius/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_radius/Makefile" ;;
-    "src/libcharon/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_netlink/Makefile" ;;
-    "src/libcharon/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_pfkey/Makefile" ;;
-    "src/libcharon/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_pfroute/Makefile" ;;
-    "src/libcharon/plugins/kernel_klips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/kernel_klips/Makefile" ;;
+    "src/libcharon/plugins/tnc_imc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imc/Makefile" ;;
+    "src/libcharon/plugins/tnc_imv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imv/Makefile" ;;
+    "src/libcharon/plugins/tnccs_11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_11/Makefile" ;;
+    "src/libcharon/plugins/tnccs_20/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_20/Makefile" ;;
     "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;;
     "src/libcharon/plugins/socket_raw/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_raw/Makefile" ;;
     "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;;
@@ -18369,7 +19489,9 @@ do
     "src/libcharon/plugins/addrblock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/addrblock/Makefile" ;;
     "src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;;
     "src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;;
+    "src/libcharon/plugins/led/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/led/Makefile" ;;
     "src/libcharon/plugins/android/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android/Makefile" ;;
+    "src/libcharon/plugins/maemo/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/maemo/Makefile" ;;
     "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
     "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;;
     "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;;
@@ -18393,7 +19515,7 @@ do
     "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;;
     "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;;
 
-  *) as_fn_error "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
+  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;
   esac
 done
 
@@ -18430,7 +19552,7 @@ $debug ||
 {
   tmp=./conf$$-$RANDOM
   (umask 077 && mkdir "$tmp")
-} || as_fn_error "cannot create a temporary directory in ." "$LINENO" 5
+} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
 
 # Set up the scripts for CONFIG_FILES section.
 # No need to generate them if there are no CONFIG_FILES.
@@ -18447,7 +19569,7 @@ if test "x$ac_cr" = x; then
 fi
 ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
 if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
-  ac_cs_awk_cr='\r'
+  ac_cs_awk_cr='\\r'
 else
   ac_cs_awk_cr=$ac_cr
 fi
@@ -18461,18 +19583,18 @@ _ACEOF
   echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
   echo "_ACEOF"
 } >conf$$subs.sh ||
-  as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5
-ac_delim_num=`echo "$ac_subst_vars" | grep -c '$'`
+  as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   . ./conf$$subs.sh ||
-    as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5
+    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
 
   ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
   if test $ac_delim_n = $ac_delim_num; then
     break
   elif $ac_last_try; then
-    as_fn_error "could not make $CONFIG_STATUS" "$LINENO" 5
+    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
   else
     ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
   fi
@@ -18561,20 +19683,28 @@ if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
 else
   cat
 fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
-  || as_fn_error "could not setup config files machinery" "$LINENO" 5
+  || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
 _ACEOF
 
-# VPATH may cause trouble with some makes, so we remove $(srcdir),
-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
+# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
 # trailing colons and then remove the whole line if VPATH becomes empty
 # (actually we leave an empty line to preserve line numbers).
 if test "x$srcdir" = x.; then
-  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
-s/:*\$(srcdir):*/:/
-s/:*\${srcdir}:*/:/
-s/:*@srcdir@:*/:/
-s/^\([^=]*=[	 ]*\):*/\1/
+  ac_vpsub='/^[	 ]*VPATH[	 ]*=[	 ]*/{
+h
+s///
+s/^/:/
+s/[	 ]*$/:/
+s/:\$(srcdir):/:/g
+s/:\${srcdir}:/:/g
+s/:@srcdir@:/:/g
+s/^:*//
 s/:*$//
+x
+s/\(=[	 ]*\).*/\1/
+G
+s/\n//
 s/^[^=]*=[	 ]*$//
 }'
 fi
@@ -18592,7 +19722,7 @@ do
   esac
   case $ac_mode$ac_tag in
   :[FHL]*:*);;
-  :L* | :C*:*) as_fn_error "invalid tag \`$ac_tag'" "$LINENO" 5;;
+  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5 ;;
   :[FH]-) ac_tag=-:-;;
   :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
   esac
@@ -18620,7 +19750,7 @@ do
 	   [\\/$]*) false;;
 	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
 	   esac ||
-	   as_fn_error "cannot find input file: \`$ac_f'" "$LINENO" 5;;
+	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5 ;;
       esac
       case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
       as_fn_append ac_file_inputs " '$ac_f'"
@@ -18647,7 +19777,7 @@ $as_echo "$as_me: creating $ac_file" >&6;}
 
     case $ac_tag in
     *:-:* | *:-) cat >"$tmp/stdin" \
-      || as_fn_error "could not create $ac_file" "$LINENO" 5 ;;
+      || as_fn_error $? "could not create $ac_file" "$LINENO" 5  ;;
     esac
     ;;
   esac
@@ -18784,22 +19914,22 @@ s&@MKDIR_P@&$ac_MKDIR_P&;t t
 $ac_datarootdir_hack
 "
 eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$tmp/subs.awk" >$tmp/out \
-  || as_fn_error "could not create $ac_file" "$LINENO" 5
+  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
 
 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
   { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
   { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
   { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-which seems to be undefined.  Please make sure it is defined." >&5
+which seems to be undefined.  Please make sure it is defined" >&5
 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
-which seems to be undefined.  Please make sure it is defined." >&2;}
+which seems to be undefined.  Please make sure it is defined" >&2;}
 
   rm -f "$tmp/stdin"
   case $ac_file in
   -) cat "$tmp/out" && rm -f "$tmp/out";;
   *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
   esac \
-  || as_fn_error "could not create $ac_file" "$LINENO" 5
+  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
  ;;
 
 
@@ -19550,7 +20680,7 @@ _ACEOF
 ac_clean_files=$ac_clean_files_save
 
 test $ac_write_fail = 0 ||
-  as_fn_error "write failure creating $CONFIG_STATUS" "$LINENO" 5
+  as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
 
 
 # configure is writing to config.log, and then calls config.status.
@@ -19571,7 +20701,7 @@ if test "$no_create" != yes; then
   exec 5>>config.log
   # Use ||, not &&, to avoid exiting from the if with $? = 1, which
   # would make configure fail if this is the last instruction.
-  $ac_cs_success || as_fn_exit $?
+  $ac_cs_success || as_fn_exit 1
 fi
 if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
   { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
diff --git a/configure.in b/configure.in
index d829071ea..83c35d614 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
 dnl  initialize & set some vars
 dnl ===========================
 
-AC_INIT(strongSwan,4.4.1)
+AC_INIT(strongSwan,4.5.0)
 AM_INIT_AUTOMAKE(tar-ustar)
 AC_CONFIG_MACRO_DIR([m4/config])
 PKG_PROG_PKG_CONFIG
@@ -100,18 +100,25 @@ ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
 ARG_ENABL_SET([lock-profiler],  [enable lock/mutex profiling code.])
 ARG_ENABL_SET([unit-tests],     [enable unit tests on IKEv2 daemon startup.])
 ARG_ENABL_SET([load-tester],    [enable load testing plugin for IKEv2 daemon.])
-ARG_ENABL_SET([eap-sim],        [enable SIM authenication module for EAP.])
+ARG_ENABL_SET([eap-sim],        [enable SIM authentication module for EAP.])
 ARG_ENABL_SET([eap-sim-file],   [enable EAP-SIM backend based on a triplet file.])
 ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.])
 ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.])
 ARG_ENABL_SET([eap-simaka-reauth],    [enable EAP-SIM/AKA reauthentication data storage plugin.])
 ARG_ENABL_SET([eap-identity],   [enable EAP module providing EAP-Identity helper.])
-ARG_ENABL_SET([eap-md5],        [enable EAP MD5 (CHAP) authenication module.])
-ARG_ENABL_SET([eap-gtc],        [enable PAM based EAP GTC authenication module.])
+ARG_ENABL_SET([eap-md5],        [enable EAP MD5 (CHAP) authentication module.])
+ARG_ENABL_SET([eap-gtc],        [enable PAM based EAP GTC authentication module.])
 ARG_ENABL_SET([eap-aka],        [enable EAP AKA authentication module.])
 ARG_ENABL_SET([eap-aka-3gpp2],  [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
-ARG_ENABL_SET([eap-mschapv2],   [enable EAP MS-CHAPv2 authenication module.])
-ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authenication module.])
+ARG_ENABL_SET([eap-mschapv2],   [enable EAP MS-CHAPv2 authentication module.])
+ARG_ENABL_SET([eap-tls],        [enable EAP TLS authentication module.])
+ARG_ENABL_SET([eap-ttls],       [enable EAP TTLS authentication module.])
+ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
+ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
+ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
+ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
+ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module.])
+ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
 ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
 ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
@@ -144,11 +151,17 @@ ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
 ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
 ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
+ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
+ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
+ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
 ARG_ENABL_SET([android],        [enable Android specific plugin.])
+ARG_ENABL_SET([maemo],          [enable Maemo specific plugin.])
 ARG_ENABL_SET([nm],             [enable NetworkManager plugin.])
 ARG_ENABL_SET([ha],             [enable high availability cluster plugin.])
+ARG_ENABL_SET([led],            [enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem.])
 ARG_ENABL_SET([vstr],           [enforce using the Vstr string library to replace glibc-like printf hooks.])
 ARG_ENABL_SET([monolithic],     [build monolithic version of libstrongswan that includes all enabled plugins. Similarly, the plugins of charon are assembled in libcharon.])
 
@@ -224,6 +237,10 @@ if test x$eap_sim = xtrue; then
 	simaka=true;
 fi
 
+if test x$eap_tls = xtrue -o x$eap_ttls = xtrue; then
+	tls=true;
+fi
+
 if test x$fips_prf = xtrue; then
 	if test x$openssl = xfalse; then
 		sha1=true;
@@ -590,6 +607,10 @@ if test x$gcrypt = xtrue; then
 	)
 fi
 
+if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then
+	AC_CHECK_HEADER([libtnc.h],,[AC_MSG_ERROR([libtnc header libtnc.h not found!])])
+fi
+
 if test x$uci = xtrue; then
 	AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])])
 	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
@@ -604,6 +625,14 @@ if test x$android = xtrue; then
 	AC_SUBST(DLLIB)
 fi
 
+if test x$maemo = xtrue; then
+	PKG_CHECK_MODULES(maemo, [glib-2.0 gthread-2.0 libosso osso-af-settings])
+	AC_SUBST(maemo_CFLAGS)
+	AC_SUBST(maemo_LIBS)
+	dbusservicedir="/usr/share/dbus-1/system-services"
+	AC_SUBST(dbusservicedir)
+fi
+
 if test x$nm = xtrue; then
 	PKG_CHECK_EXISTS([libnm-glib],
 		[PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-glib libnm-glib-vpn])],
@@ -654,136 +683,124 @@ if test x$integrity_test = xtrue; then
 	)
 fi
 
-dnl ==========================================================
-dnl  collect all plugins for libstrongswan, libhydra and pluto
-dnl ==========================================================
+dnl ==============================================
+dnl  collect plugin list for strongSwan components
+dnl ==============================================
 
-libstrongswan_plugins=
-libhydra_plugins=
-pluto_plugins=
+m4_include(m4/macros/add-plugin.m4)
 
-if test x$test_vectors = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" test-vectors"
-	pluto_plugins=${pluto_plugins}" test-vectors"
-fi
-if test x$curl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" curl"
-	pluto_plugins=${pluto_plugins}" curl"
-fi
-if test x$ldap = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" ldap"
-	pluto_plugins=${pluto_plugins}" ldap"
-fi
-if test x$aes = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" aes"
-	pluto_plugins=${pluto_plugins}" aes"
-fi
-if test x$des = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" des"
-	pluto_plugins=${pluto_plugins}" des"
-fi
-if test x$blowfish = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" blowfish"
-	pluto_plugins=${pluto_plugins}" blowfish"
-fi
-if test x$sha1 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha1"
-	pluto_plugins=${pluto_plugins}" sha1"
-fi
-if test x$sha2 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sha2"
-	pluto_plugins=${pluto_plugins}" sha2"
-fi
-if test x$md4 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md4"
-fi
-if test x$md5 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" md5"
-	pluto_plugins=${pluto_plugins}" md5"
-fi
-if test x$random = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" random"
-	pluto_plugins=${pluto_plugins}" random"
-fi
-if test x$x509 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" x509"
-	pluto_plugins=${pluto_plugins}" x509"
-fi
-if test x$revocation = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" revocation"
-fi
-if test x$pubkey = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pubkey"
-	pluto_plugins=${pluto_plugins}" pubkey"
-fi
-if test x$pkcs1 = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pkcs1"
-	pluto_plugins=${pluto_plugins}" pkcs1"
-fi
-if test x$pgp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pgp"
-	pluto_plugins=${pluto_plugins}" pgp"
-fi
-if test x$dnskey = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" dnskey"
-	pluto_plugins=${pluto_plugins}" dnskey"
-fi
-if test x$pem = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" pem"
-	pluto_plugins=${pluto_plugins}" pem"
-fi
-if test x$mysql = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" mysql"
-	pluto_plugins=${pluto_plugins}" mysql"
-fi
-if test x$sqlite = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" sqlite"
-	pluto_plugins=${pluto_plugins}" sqlite"
-fi
-if test x$padlock = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" padlock"
-fi
-if test x$openssl = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" openssl"
-	pluto_plugins=${pluto_plugins}" openssl"
-fi
-if test x$gcrypt = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gcrypt"
-	pluto_plugins=${pluto_plugins}" gcrypt"
-fi
-if test x$fips_prf = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" fips-prf"
-fi
-if test x$xcbc = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" xcbc"
-fi
-if test x$hmac = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" hmac"
-	pluto_plugins=${pluto_plugins}" hmac"
-fi
-if test x$agent = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" agent"
-fi
-if test x$gmp = xtrue; then
-	libstrongswan_plugins=${libstrongswan_plugins}" gmp"
-	pluto_plugins=${pluto_plugins}" gmp"
-fi
-if test x$xauth = xtrue; then
-	pluto_plugins=${pluto_plugins}" xauth"
-fi
-if test x$attr = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" attr"
-fi
-if test x$attr_sql = xtrue -o x$sql = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" attr-sql"
-fi
-if test x$resolve = xtrue; then
-	libhydra_plugins=${libhydra_plugins}" resolve"
-fi
-
-AC_SUBST(libstrongswan_plugins)
-AC_SUBST(libhydra_plugins)
+# plugin lists for all components
+libcharon_plugins=
+pluto_plugins=
+pool_plugins=
+openac_plugins=
+scepclient_plugins=
+pki_plugins=
+scripts_plugins=
+manager_plugins=
+medsrv_plugins=
+
+# location specific lists for checksumming,
+# for src/libcharon, src/pluto, src/libhydra and src/libstrongswan
+c_plugins=
+p_plugins=
+h_plugins=
+s_plugins=
+
+ADD_PLUGIN([test-vectors],         [s libcharon pluto openac scepclient pki])
+ADD_PLUGIN([curl],                 [s libcharon pluto scepclient])
+ADD_PLUGIN([ldap],                 [s libcharon pluto scepclient])
+ADD_PLUGIN([mysql],                [s libcharon pluto pool manager medsrv])
+ADD_PLUGIN([sqlite],               [s libcharon pluto pool manager medsrv])
+ADD_PLUGIN([aes],                  [s libcharon pluto openac scepclient pki scripts])
+ADD_PLUGIN([des],                  [s libcharon pluto openac scepclient pki scripts])
+ADD_PLUGIN([blowfish],             [s libcharon pluto openac scepclient pki scripts])
+ADD_PLUGIN([sha1],                 [s libcharon pluto openac scepclient pki scripts medsrv])
+ADD_PLUGIN([sha2],                 [s libcharon pluto openac scepclient pki scripts medsrv])
+ADD_PLUGIN([md4],                  [s libcharon openac manager scepclient pki])
+ADD_PLUGIN([md5],                  [s libcharon pluto openac scepclient pki])
+ADD_PLUGIN([random],               [s libcharon pluto openac scepclient pki scripts medsrv])
+ADD_PLUGIN([x509],                 [s libcharon pluto openac scepclient pki scripts])
+ADD_PLUGIN([revocation],           [s libcharon])
+ADD_PLUGIN([pubkey],               [s libcharon])
+ADD_PLUGIN([pkcs1],                [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([pgp],                  [s libcharon pluto])
+ADD_PLUGIN([dnskey],               [s pluto])
+ADD_PLUGIN([pem],                  [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([padlock],              [s libcharon])
+ADD_PLUGIN([openssl],              [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([gcrypt],               [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([fips-prf],             [s libcharon])
+ADD_PLUGIN([gmp],                  [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([agent],                [s libcharon])
+ADD_PLUGIN([pkcs11],               [s libcharon pki])
+ADD_PLUGIN([xcbc],                 [s libcharon])
+ADD_PLUGIN([hmac],                 [s libcharon pluto scripts])
+ADD_PLUGIN([ctr],                  [s libcharon scripts])
+ADD_PLUGIN([ccm],                  [s libcharon scripts])
+ADD_PLUGIN([gcm],                  [s libcharon scripts])
+ADD_PLUGIN([xauth],                [p pluto])
+ADD_PLUGIN([attr],                 [h libcharon pluto])
+ADD_PLUGIN([attr-sql],             [h libcharon pluto])
+ADD_PLUGIN([kernel-pfkey],         [h libcharon pluto])
+ADD_PLUGIN([kernel-pfroute],       [h libcharon pluto])
+ADD_PLUGIN([kernel-klips],         [h libcharon pluto])
+ADD_PLUGIN([kernel-netlink],       [h libcharon pluto])
+ADD_PLUGIN([resolve],              [h libcharon pluto])
+ADD_PLUGIN([load-tester],          [c libcharon])
+ADD_PLUGIN([socket-default],       [c libcharon])
+ADD_PLUGIN([socket-raw],           [c libcharon])
+ADD_PLUGIN([socket-dynamic],       [c libcharon])
+ADD_PLUGIN([farp],                 [c libcharon])
+ADD_PLUGIN([stroke],               [c libcharon])
+ADD_PLUGIN([smp],                  [c libcharon])
+ADD_PLUGIN([sql],                  [c libcharon])
+ADD_PLUGIN([updown],               [c libcharon])
+ADD_PLUGIN([eap-identity],         [c libcharon])
+ADD_PLUGIN([eap-sim],              [c libcharon])
+ADD_PLUGIN([eap-sim-file],         [c libcharon])
+ADD_PLUGIN([eap-simaka-sql],       [c libcharon])
+ADD_PLUGIN([eap-simaka-pseudonym], [c libcharon])
+ADD_PLUGIN([eap-simaka-reauth],    [c libcharon])
+ADD_PLUGIN([eap-aka],              [c libcharon])
+ADD_PLUGIN([eap-aka-3gpp2],        [c libcharon])
+ADD_PLUGIN([eap-md5],              [c libcharon])
+ADD_PLUGIN([eap-gtc],              [c libcharon])
+ADD_PLUGIN([eap-mschapv2],         [c libcharon])
+ADD_PLUGIN([eap-radius],           [c libcharon])
+ADD_PLUGIN([eap-tls],              [c libcharon])
+ADD_PLUGIN([eap-ttls],             [c libcharon])
+ADD_PLUGIN([eap-tnc],              [c libcharon])
+ADD_PLUGIN([tnc-imc],              [c libcharon])
+ADD_PLUGIN([tnc-imv],              [c libcharon])
+ADD_PLUGIN([tnccs-11],             [c libcharon])
+ADD_PLUGIN([tnccs-20],             [c libcharon])
+ADD_PLUGIN([medsrv],               [c libcharon])
+ADD_PLUGIN([medcli],               [c libcharon])
+ADD_PLUGIN([nm],                   [c libcharon])
+ADD_PLUGIN([dhcp],                 [c libcharon])
+ADD_PLUGIN([android],              [c libcharon])
+ADD_PLUGIN([ha],                   [c libcharon])
+ADD_PLUGIN([led],                  [c libcharon])
+ADD_PLUGIN([maemo],                [c libcharon])
+ADD_PLUGIN([uci],                  [c libcharon])
+ADD_PLUGIN([addrblock],            [c libcharon])
+ADD_PLUGIN([unit-tester],          [c libcharon])
+
+AC_SUBST(libcharon_plugins)
 AC_SUBST(pluto_plugins)
+AC_SUBST(pool_plugins)
+AC_SUBST(openac_plugins)
+AC_SUBST(scepclient_plugins)
+AC_SUBST(pki_plugins)
+AC_SUBST(scripts_plugins)
+AC_SUBST(manager_plugins)
+AC_SUBST(medsrv_plugins)
+
+AC_SUBST(c_plugins)
+AC_SUBST(p_plugins)
+AC_SUBST(h_plugins)
+AC_SUBST(s_plugins)
 
 dnl =========================
 dnl  set Makefile.am vars
@@ -819,6 +836,10 @@ AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue)
 AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue)
 AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
 AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
+AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
+AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
+AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
+AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
 
 dnl charon plugins
 dnl ==============
@@ -828,6 +849,7 @@ AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
 AM_CONDITIONAL(USE_NM, test x$nm = xtrue)
 AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
 AM_CONDITIONAL(USE_ANDROID, test x$android = xtrue)
+AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
 AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
 AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
 AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
@@ -835,6 +857,7 @@ AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
 AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tests = xtrue)
 AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
 AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
+AM_CONDITIONAL(USE_LED, test x$led = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue)
 AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue)
 AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue)
@@ -846,11 +869,14 @@ AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
 AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
+AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
+AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
+AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
 AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
-AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
-AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
-AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
-AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
+AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
+AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
+AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue)
+AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
 AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
@@ -861,6 +887,10 @@ dnl hydra plugins
 dnl =============
 AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
 AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue)
+AM_CONDITIONAL(USE_KERNEL_KLIPS, test x$kernel_klips = xtrue)
+AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
+AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
 AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
 
 dnl pluto plugins
@@ -893,6 +923,7 @@ AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
 AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
+AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
 AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
 
 dnl ==============================
@@ -916,6 +947,7 @@ dnl ==============================
 
 AC_OUTPUT(
 	Makefile
+	man/Makefile
 	src/Makefile
 	src/include/Makefile
 	src/libstrongswan/Makefile
@@ -946,13 +978,22 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/openssl/Makefile
 	src/libstrongswan/plugins/gcrypt/Makefile
 	src/libstrongswan/plugins/agent/Makefile
+	src/libstrongswan/plugins/pkcs11/Makefile
+	src/libstrongswan/plugins/ctr/Makefile
+	src/libstrongswan/plugins/ccm/Makefile
+	src/libstrongswan/plugins/gcm/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libhydra/Makefile
 	src/libhydra/plugins/attr/Makefile
 	src/libhydra/plugins/attr_sql/Makefile
+	src/libhydra/plugins/kernel_klips/Makefile
+	src/libhydra/plugins/kernel_netlink/Makefile
+	src/libhydra/plugins/kernel_pfkey/Makefile
+	src/libhydra/plugins/kernel_pfroute/Makefile
 	src/libhydra/plugins/resolve/Makefile
 	src/libfreeswan/Makefile
 	src/libsimaka/Makefile
+	src/libtls/Makefile
 	src/pluto/Makefile
 	src/pluto/plugins/xauth/Makefile
 	src/whack/Makefile
@@ -969,11 +1010,14 @@ AC_OUTPUT(
 	src/libcharon/plugins/eap_simaka_pseudonym/Makefile
 	src/libcharon/plugins/eap_simaka_reauth/Makefile
 	src/libcharon/plugins/eap_mschapv2/Makefile
+	src/libcharon/plugins/eap_tls/Makefile
+	src/libcharon/plugins/eap_ttls/Makefile
+	src/libcharon/plugins/eap_tnc/Makefile
 	src/libcharon/plugins/eap_radius/Makefile
-	src/libcharon/plugins/kernel_netlink/Makefile
-	src/libcharon/plugins/kernel_pfkey/Makefile
-	src/libcharon/plugins/kernel_pfroute/Makefile
-	src/libcharon/plugins/kernel_klips/Makefile
+	src/libcharon/plugins/tnc_imc/Makefile
+	src/libcharon/plugins/tnc_imv/Makefile
+	src/libcharon/plugins/tnccs_11/Makefile
+	src/libcharon/plugins/tnccs_20/Makefile
 	src/libcharon/plugins/socket_default/Makefile
 	src/libcharon/plugins/socket_raw/Makefile
 	src/libcharon/plugins/socket_dynamic/Makefile
@@ -986,7 +1030,9 @@ AC_OUTPUT(
 	src/libcharon/plugins/addrblock/Makefile
 	src/libcharon/plugins/uci/Makefile
 	src/libcharon/plugins/ha/Makefile
+	src/libcharon/plugins/led/Makefile
 	src/libcharon/plugins/android/Makefile
+	src/libcharon/plugins/maemo/Makefile
 	src/libcharon/plugins/stroke/Makefile
 	src/libcharon/plugins/updown/Makefile
 	src/libcharon/plugins/dhcp/Makefile
diff --git a/m4/macros/add-plugin.m4 b/m4/macros/add-plugin.m4
new file mode 100644
index 000000000..4986a5449
--- /dev/null
+++ b/m4/macros/add-plugin.m4
@@ -0,0 +1,10 @@
+# ADD_PLUGIN(plugin, category list)
+# -----------------------------------
+# Append the plugin name $1 to the category list variable $2_plugin
+AC_DEFUN([ADD_PLUGIN],
+	if test [patsubst(x$$1, [-], [_])] = xtrue; then
+		[m4_foreach_w([category], [$2],
+			[m4_format([%s_plugins=${%s_plugins}" $1"], category, category)]
+		)]
+	fi
+)
diff --git a/man/Makefile.am b/man/Makefile.am
new file mode 100644
index 000000000..a74a901b8
--- /dev/null
+++ b/man/Makefile.am
@@ -0,0 +1,11 @@
+dist_man_MANS = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+EXTRA_DIST = ipsec.conf.5.in ipsec.secrets.5.in strongswan.conf.5.in
+CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+
+SUFFIXES = .in
+
+.in:
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
+
diff --git a/man/Makefile.in b/man/Makefile.in
new file mode 100644
index 000000000..4388e318b
--- /dev/null
+++ b/man/Makefile.in
@@ -0,0 +1,507 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = man
+DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
+	$(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+SOURCES =
+DIST_SOURCES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+man5dir = $(mandir)/man5
+am__installdirs = "$(DESTDIR)$(man5dir)"
+NROFF = nroff
+MANS = $(dist_man_MANS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+dist_man_MANS = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+EXTRA_DIST = ipsec.conf.5.in ipsec.secrets.5.in strongswan.conf.5.in
+CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+SUFFIXES = .in
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .in
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu man/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu man/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-man5: $(dist_man_MANS)
+	@$(NORMAL_INSTALL)
+	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
+	@list=''; test -n "$(man5dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.5[a-z]*$$/p'; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
+	  fi; \
+	done; \
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
+	done; }
+
+uninstall-man5:
+	@$(NORMAL_UNINSTALL)
+	@list=''; test -n "$(man5dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.5[a-z]*$$/p'; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(MANS)
+installdirs:
+	for dir in "$(DESTDIR)$(man5dir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man: install-man5
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man
+
+uninstall-man: uninstall-man5
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	distclean distclean-generic distclean-libtool distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-man5 \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	uninstall uninstall-am uninstall-man uninstall-man5
+
+
+.in:
+	sed \
+	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+	$(srcdir)/$@.in > $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/starter/ipsec.conf.5 b/man/ipsec.conf.5
index b1ae15825..b1e60b280 100644
--- a/src/starter/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2010-05-30" "4.4.1rc3" "strongSwan"
+.TH IPSEC.CONF 5 "2010-10-19" "4.5.0rc2" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -227,13 +227,17 @@ Parameters are optional unless marked '(required)'.
 Unless otherwise noted, for a connection to work,
 in general it is necessary for the two ends to agree exactly
 on the values of these parameters.
-.TP 14
-.B ah
-AH authentication algorithm to be used
-for the connection, e.g.
-.B hmac-md5.
 .TP
-.B auth
+.BR aaa_identity " = <id>"
+defines the identity of the AAA backend used during IKEv2 EAP authentication.
+This is required if the EAP client uses a method that verifies the server
+identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
+.TP
+.BR also " = <name>"
+includes conn section
+.BR <name> .
+.TP
+.BR auth " = " esp " | ah"
 whether authentication should be done as part of
 ESP encryption, or separately using the AH protocol;
 acceptable values are
@@ -243,12 +247,12 @@ acceptable values are
 .br
 The IKEv2 daemon currently supports ESP only.
 .TP
-.B authby
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
 how the two security gateways should authenticate each other;
 acceptable values are
-.B secret
-or
 .B psk
+or
+.B secret
 for pre-shared secrets,
 .B pubkey
 (the default) for public key signatures as well as the synonyms
@@ -276,7 +280,7 @@ to agree on an authentication method. Use the
 .B leftauth
 parameter instead to define authentication methods in IKEv2.
 .TP
-.B auto
+.BR auto " = " ignore " | add | route | start"
 what operation, if any, should be done automatically at IPsec startup;
 currently-accepted values are
 .BR add ,
@@ -304,7 +308,7 @@ both ends should use
 .B auto=start
 to ensure that any reboot causes immediate renegotiation).
 .TP
-.B compress
+.BR compress " = yes | " no
 whether IPComp compression of content is proposed on the connection
 (link-level compression does not work on encrypted data,
 so to be effective, compression must be done \fIbefore\fR encryption);
@@ -321,7 +325,7 @@ A value of
 prevents IPsec from proposing compression;
 a proposal to compress will still be accepted.
 .TP
-.B dpdaction
+.BR dpdaction " = " none " | clear | hold | restart"
 controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
 R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
 are periodically sent in order to check the
@@ -348,23 +352,26 @@ does't make sense, since all messages are used to detect dead peers. If specifie
 it has the same meaning as the default
 .RB ( clear ).
 .TP
-.B dpddelay
+.BR dpddelay " = " 30s " | <time>"
 defines the period time interval with which R_U_THERE messages/INFORMATIONAL
 exchanges are sent to the peer. These are only sent if no other traffic is
 received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
 messages and uses only standard messages (such as those to rekey) to detect
 dead peers.
 .TP
-.B dpdtimeout
+.BR dpdtimeout " = " 150s " | <time>"
 defines the timeout interval, after which all connections to a peer are deleted
 in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
+See
+.IR strongswan.conf (5)
+for a description of the IKEv2 retransmission timeout.
 .TP
-.B inactivity
+.BR inactivity " = <time>"
 defines the timeout interval, after which a CHILD_SA is closed if it did
 not send or receive any traffic. Currently supported in IKEv2 connections only.
 .TP
-.B eap
+.BR eap " = md5 | mschapv2 | radius | ... | <type> | <type>-<vendor>
 defines the EAP type to propose as server if the client requests EAP
 authentication. Currently supported values are
 .B aka
@@ -389,7 +396,7 @@ To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
 set
 .BR eap=radius .
 .TP
-.B eap_identity
+.BR eap_identity " = <id>"
 defines the identity the client uses to reply to a EAP Identity request.
 If defined on the EAP server, the defined identity will be used as peer
 identity during EAP authentication. The special value
@@ -397,10 +404,10 @@ identity during EAP authentication. The special value
 uses the EAP Identity method to ask the client for an EAP identity. If not
 defined, the IKEv2 identity will be used as EAP identity.
 .TP
-.B esp
+.BR esp " = <cipher suites>"
 comma-separated list of ESP encryption/authentication algorithms to be used
 for the connection, e.g.
-.BR 3des-md5 .
+.BR aes128-sha256 .
 The notation is
 .BR encryption-integrity-[dh-group] .
 .br
@@ -409,12 +416,12 @@ If
 is specified, CHILD_SA setup and rekeying include a separate diffe hellman
 exchange (IKEv2 only).
 .TP
-.B forceencaps
-Force UDP encapsulation for ESP packets even if no NAT situation is detected.
+.BR forceencaps " = yes | " no
+force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
 encapsulate packets, NAT detection payloads are faked (IKEv2 only).
 .TP
-.B ike
+.BR ike " = <cipher suites>"
 comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
 to be used, e.g.
 .BR aes128-sha1-modp2048 .
@@ -423,11 +430,11 @@ The notation is
 In IKEv2, multiple algorithms and proposals may be included, such as
 .B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
 .TP
-.B ikelifetime
+.BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
-should last before being renegotiated.
+should last before being renegotiated. Also see EXPIRY/REKEY below.
 .TP
-.B installpolicy
+.BR installpolicy " = " yes " | no"
 decides whether IPsec policies are installed in the kernel by the IKEv2
 charon daemon for a given connection. Allows peaceful cooperation e.g. with
 the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
@@ -436,7 +443,7 @@ Acceptable values are
 (the default) and
 .BR no .
 .TP
-.B keyexchange
+.BR keyexchange " = " ike " | ikev1 | ikev2"
 method of key exchange;
 which protocol should be used to initialize the connection. Connections marked with
 .B ikev1
@@ -445,12 +452,15 @@ are initiated with pluto, those marked with
 with charon. An incoming request from the remote peer is handled by the correct
 daemon, unaffected from the
 .B keyexchange
-setting. The default value
+setting. Starting with strongSwan 4.5 the default value
 .B ike
-currently is a synonym for
-.BR ikev1 .
+is a synonym for
+.BR ikev2 ,
+whereas in older strongSwan releases
+.B ikev1
+was assumed.
 .TP
-.B keyingtries
+.BR keyingtries " = " %forever " | <number>"
 how many attempts (a whole number or \fB%forever\fP) should be made to
 negotiate a connection, or a replacement for one, before giving up
 (default
@@ -463,7 +473,7 @@ Relevant only locally, other end need not agree on it.
 synonym for
 .BR lifetime .
 .TP
-.B left
+.BR left " = <ip address> | <fqdn> | %defaultroute | " %any
 (required)
 the IP address of the left participant's public-network interface
 or one of several magic values.
@@ -511,7 +521,7 @@ Please note that with the usage of wildcards multiple connection descriptions
 might match a given incoming connection attempt. The most specific description
 is used in that case.
 .TP
-.B leftallowany
+.BR leftallowany " = yes | " no
 a modifier for
 .B left
 , making it behave as
@@ -525,7 +535,7 @@ and
 .B no
 (the default).
 .TP
-.B leftauth
+.BR leftauth " = <auth method>"
 Authentication method to use locally (left) or require from the remote (right)
 side.
 This parameter is supported in IKEv2 only. Acceptable values are
@@ -541,6 +551,7 @@ an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
 .BR eap-gtc ,
 .BR eap-md5 ,
+.BR eap-tls ,
 .B eap-mschapv2
 and
 .BR eap-sim .
@@ -549,7 +560,7 @@ EAP methods are defined in the form
 .B eap-type-vendor
 .RB "(e.g. " eap-7-12345 ).
 .TP
-.B leftauth2
+.BR leftauth2 " = <auth method>"
 Same as
 .BR leftauth ,
 but defines an additional authentication exchange. IKEv2 supports multiple
@@ -557,17 +568,17 @@ authentication rounds using "Multiple Authentication Exchanges" defined
 in RFC4739. This allows, for example, separated authentication
 of host and user (IKEv2 only).
 .TP
-.B leftca
+.BR leftca " = <issuer dn> | %same"
 the distinguished name of a certificate authority which is required to
 lie in the trust path going from the left participant's certificate up
 to the root certification authority.
 .TP
-.B leftca2
+.BR leftca2 " = <issuer dn> | %same"
 Same as
-.B leftca,
+.BR leftca ,
 but for the second authentication round (IKEv2 only).
 .TP
-.B leftcert
+.BR leftcert " = <path>"
 the path to the left participant's X.509 certificate. The file can be encoded
 either in PEM or DER format. OpenPGP certificates are supported as well.
 Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
@@ -582,12 +593,12 @@ The left participant's ID can be overriden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
 .TP
-.B leftcert2
+.BR leftcert2 " = <path>"
 Same as
 .B leftcert,
 but for the second authentication round (IKEv2 only).
 .TP
-.B leftfirewall
+.BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
 (including masquerading) using iptables for traffic from \fIleftsubnet\fR,
 which should be turned off (for traffic to the other subnet)
@@ -619,7 +630,7 @@ it may be preferable for the user to supply his own
 script,
 which makes the appropriate adjustments for his system.
 .TP
-.B leftgroups
+.BR leftgroups " = <group list>"
 a comma separated list of group names. If the
 .B leftgroups
 parameter is present then the peer must be a member of at least one
@@ -630,7 +641,7 @@ been issued to the peer by a trusted Authorization Authority stored in
 .br
 Attribute certificates are not supported in IKEv2 yet.
 .TP
-.B lefthostaccess
+.BR lefthostaccess " = yes | " no
 inserts a pair of INPUT and OUTPUT iptables rules using the default
 \fBipsec _updown\fR script, thus allowing access to the host itself
 in the case where the host's internal interface is part of the
@@ -641,7 +652,7 @@ and
 .B no
 (the default).
 .TP
-.B leftid
+.BR leftid " = <id>"
 how the left participant should be identified for authentication;
 defaults to
 .BR left .
@@ -649,19 +660,19 @@ Can be an IP address or a fully-qualified domain name preceded by
 .B @
 (which is used as a literal string and not resolved).
 .TP
-.B leftid2
+.BR leftid2 " = <id>"
 identity to use for a second authentication for the left participant
 (IKEv2 only); defaults to
 .BR leftid .
 .TP
-.B leftikeport
+.BR leftikeport " = <port>"
 UDP port the left participant uses for IKE communication. Currently supported in
 IKEv2 connections only. If unspecified, port 500 is used with the port floating
 to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
 different from the default additionally requires a socket implementation that
 listens to this port.
 .TP
-.B leftnexthop
+.BR leftnexthop " = %direct | %defaultroute | <ip address> | <fqdn>"
 this parameter is usually not needed any more because the NETKEY IPsec stack
 does not require explicit routing entries for the traffic to be tunneled. If
 .B leftsourceip
@@ -669,7 +680,7 @@ is used with IKEv1 then
 .B leftnexthop
 must still be set in order for the source routes to work properly.
 .TP
-.B leftprotoport
+.BR leftprotoport " = <protocol>/<port>"
 restrict the traffic selector to a single protocol and/or port.
 Examples:
 .B leftprotoport=tcp/http
@@ -678,7 +689,7 @@ or
 or
 .B leftprotoport=udp
 .TP
-.B leftrsasigkey
+.BR leftrsasigkey " = " %cert " | <raw rsa public key>"
 the left participant's
 public key for RSA signature authentication,
 in RFC 2537 format using
@@ -701,7 +712,7 @@ specify different public keys for the same
 .BR leftid ,
 confusion and madness will ensue.
 .TP
-.B leftsendcert
+.BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
 .B never
 or
@@ -710,22 +721,22 @@ or
 or
 .BR yes ,
 and
-.BR ifasked ,
+.BR ifasked " (the default),"
 the latter meaning that the peer must send a certificate request payload in
 order to get a certificate in return.
 .TP
-.B leftsourceip
+.BR leftsourceip " = %config | %cfg | %modeconfig | %modecfg | <ip address>"
 The internal source IP to use in a tunnel, also known as virtual IP. If the
 value is one of the synonyms
-.BR %modeconfig ,
-.BR %modecfg ,
 .BR %config ,
-or
 .BR %cfg ,
+.BR %modeconfig ,
+or
+.BR %modecfg ,
 an address is requested from the peer. In IKEv2, a statically defined address
 is also requested, since the server may change it.
 .TP
-.B rightsourceip
+.BR rightsourceip " = %config | <network>/<netmask> | %poolname"
 The internal source IP to use in a tunnel for the remote peer. If the
 value is
 .B %config
@@ -735,7 +746,7 @@ echoed back. Also supported are address pools expressed as
 or the use of an external IP address pool using %\fIpoolname\fR,
 where \fIpoolname\fR is the name of the IP address pool used for the lookup.
 .TP
-.B leftsubnet
+.BR leftsubnet " = <ip subnet>"
 private subnet behind the left participant, expressed as
 \fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
@@ -745,13 +756,13 @@ protocol narrows it to the greatest common subnet. Further, IKEv2 supports
 multiple subnets separated by commas. IKEv1 only interprets the first subnet
 of such a definition.
 .TP
-.B leftsubnetwithin
+.BR leftsubnetwithin " = <ip subnet>"
 the peer can propose any subnet or single IP address that fits within the
 range defined by
 .BR leftsubnetwithin.
 Not relevant for IKEv2, as subnets are narrowed.
 .TP
-.B leftupdown
+.BR leftupdown " = <path>"
 what ``updown'' script to run to adjust routing and/or firewalling
 when the status of the connection
 changes (default
@@ -766,15 +777,15 @@ Relevant only locally, other end need not agree on it. IKEv2 uses the updown
 script to insert firewall rules only, since routing has been implemented
 directly into charon.
 .TP
-.B lifebytes
+.BR lifebytes " = <number>"
 the number of bytes transmitted over an IPsec SA before it expires (IKEv2
 only).
 .TP
-.B lifepackets
+.BR lifepackets " = <number>"
 the number of packets transmitted over an IPsec SA before it expires (IKEv2
 only).
 .TP
-.B lifetime
+.BR lifetime " = " 1h " | <time>"
 how long a particular instance of a connection
 (a set of encryption/authentication keys for user packets) should last,
 from successful negotiation to expiry;
@@ -799,19 +810,19 @@ The two ends need not exactly agree on
 .BR lifetime ,
 although if they do not,
 there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
+which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
 .TP
-.B marginbytes
+.BR marginbytes " = <number>"
 how many bytes before IPsec SA expiry (see
 .BR lifebytes )
 should attempts to negotiate a replacement begin (IKEv2 only).
 .TP
-.B marginpackets
+.BR marginpackets " = <number>"
 how many packets before IPsec SA expiry (see
 .BR lifepackets )
 should attempts to negotiate a replacement begin (IKEv2 only).
 .TP
-.B margintime
+.BR margintime " = " 9m " | <time>"
 how long before connection expiry or keying-channel expiry
 should attempts to
 negotiate a replacement
@@ -819,28 +830,29 @@ begin; acceptable values as for
 .B lifetime
 (default
 .BR 9m ).
-Relevant only locally, other end need not agree on it.
+Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
+below.
 .TP
-.B mark
-sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound
-IPsec SAs and policies (IKEv2 only). If the mask is missing then a default
+.BR mark " = <value>[/<mask>]"
+sets an XFRM mark in the inbound and outbound
+IPsec SAs and policies. If the mask is missing then a default
 mask of
 .B 0xffffffff
 is assumed.
 .TP
-.B mark_in
-sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
+.BR mark_in " = <value>[/<mask>]"
+sets an XFRM mark in the inbound IPsec SA and
+policy. If the mask is missing then a default mask of
 .B 0xffffffff
 is assumed.
 .TP
-.B mark_out
-sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
+.BR mark_out " = <value>[/<mask>]"
+sets an XFRM mark in the outbound IPsec SA and
+policy. If the mask is missing then a default mask of
 .B 0xffffffff
 is assumed.
 .TP
-.B mobike
+.BR mobike " = " yes " | no"
 enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
 .B yes
 (the default) and
@@ -850,7 +862,7 @@ If set to
 the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
 ignore the MOBIKE_SUPPORTED notify as responder.
 .TP
-.B modeconfig
+.BR modeconfig " = push | " pull
 defines which mode is used to assign a virtual IP.
 Accepted values are
 .B push
@@ -862,7 +874,7 @@ payload in pull mode. Cisco VPN gateways usually operate in
 .B push
 mode.
 .TP
-.B pfs
+.BR pfs " = " yes " | no"
 whether Perfect Forward Secrecy of keys is desired on the connection's
 keying channel
 (with PFS, penetration of the key-exchange protocol
@@ -877,11 +889,11 @@ PFS is enforced by defining a Diffie-Hellman modp group in the
 .B esp
 parameter.
 .TP
-.B pfsgroup
+.BR pfsgroup " = <modp group>"
 defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
 differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
 .TP
-.B reauth
+.BR reauth " = " yes " | no"
 whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
 reauthentication is always done. In IKEv2, a value of
 .B no
@@ -890,7 +902,7 @@ rekeys without uninstalling the IPsec SAs, a value of
 (the default) creates a new IKE_SA from scratch and tries to recreate
 all IPsec SAs.
 .TP
-.B rekey
+.BR rekey " = " yes " | no"
 whether a connection should be renegotiated when it is about to expire;
 acceptable values are
 .B yes
@@ -905,7 +917,7 @@ so
 .B no
 will be largely ineffective unless both ends agree on it.
 .TP
-.B rekeyfuzz
+.BR rekeyfuzz " = " 100% " | <percentage>"
 maximum percentage by which
 .BR marginbytes ,
 .B marginpackets
@@ -931,16 +943,17 @@ or
 The value
 .B 0%
 will suppress randomization.
-Relevant only locally, other end need not agree on it.
+Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
+below.
 .TP
 .B rekeymargin
 synonym for
 .BR margintime .
 .TP
-.B reqid
-sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).
+.BR reqid " = <number>"
+sets the reqid for a given connection to a pre-configured fixed value.
 .TP
-.B type
+.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
 the type of the connection; currently the accepted values
 are
 .B tunnel
@@ -955,15 +968,17 @@ signifying that no IPsec processing should be done at all;
 .BR drop ,
 signifying that packets should be discarded; and
 .BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
+signifying that packets should be discarded and a diagnostic ICMP returned
+.RB ( reject
+is currently not supported by the NETKEY stack of the Linux 2.6 kernel).
 The IKEv2 daemon charon currently supports
 .BR tunnel ,
 .BR transport ,
 and
-.BR tunnel_proxy
+.BR transport_proxy
 connection types, only.
 .TP
-.B xauth
+.BR xauth " = " client " | server"
 specifies the role in the XAUTH protocol if activated by
 .B authby=xauthpsk
 or
@@ -977,8 +992,8 @@ and
 .SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
 The following parameters are relevant to IKEv2 Mediation Extension
 operation only.
-.TP 14
-.B mediation
+.TP
+.BR mediation " = yes | " no
 whether this connection is a mediation connection, ie. whether this
 connection is used to mediate other connections.  Mediation connections
 create no child SA. Acceptable values are
@@ -986,13 +1001,13 @@ create no child SA. Acceptable values are
 (the default) and
 .BR yes .
 .TP
-.B mediated_by
+.BR mediated_by " = <name>"
 the name of the connection to mediate this connection through.  If given,
 the connection will be mediated through the named mediation connection.
 The mediation connection must set
 .BR mediation=yes .
 .TP
-.B me_peerid
+.BR me_peerid " = <id>"
 ID as which the peer is known to the mediation server, ie. which the other
 end of this connection uses as its
 .B leftid
@@ -1006,42 +1021,45 @@ of this connection will be used as peer ID.
 .SH "CA SECTIONS"
 This are optional sections that can be used to assign special
 parameters to a Certification Authority (CA).
-.TP 10
-.B auto
+.TP
+.BR also " = <name>"
+includes ca section
+.BR <name> .
+.TP
+.BR auto " = " ignore " | add"
 currently can have either the value
 .B ignore
-or
-.B add
-.
+(the default) or
+.BR add .
 .TP
-.B cacert
+.BR cacert " = <path>"
 defines a path to the CA certificate either relative to
 \fI/etc/ipsec.d/cacerts\fP or as an absolute path.
 .TP
-.B crluri
+.BR crluri " = <uri>"
 defines a CRL distribution point (ldap, http, or file URI)
 .TP
 .B crluri1
 synonym for
 .B crluri.
 .TP
-.B crluri2
+.BR crluri2 " = <uri>"
 defines an alternative CRL distribution point (ldap, http, or file URI)
 .TP
-.B ldaphost
+.BR ldaphost " = <hostname>"
 defines an ldap host. Currently used by IKEv1 only.
 .TP
-.B ocspuri
+.BR ocspuri " = <uri>"
 defines an OCSP URI.
 .TP
 .B ocspuri1
 synonym for
 .B ocspuri.
 .TP
-.B ocspuri2
+.BR ocspuri2 " = <uri>"
 defines an alternative OCSP URI. Currently used by IKEv2 only.
 .TP
-.B certuribase
+.BR certuribase " = <uri>"
 defines the base URI for the Hash and URL feature supported by IKEv2.
 Instead of exchanging complete certificates, IKEv2 allows to send an URI
 that resolves to the DER encoded certificate. The certificate URIs are built
@@ -1072,8 +1090,8 @@ names in a
 .B config
 .B setup
 section affecting both daemons are:
-.TP 14
-.B cachecrls
+.TP
+.BR cachecrls " = yes | " no
 certificate revocation lists (CRLs) fetched via http or ldap will be cached in
 \fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
 authority's public key.
@@ -1081,43 +1099,23 @@ Accepted values are
 .B yes
 and
 .B no
-(the default).
+(the default). Only relevant for IKEv1, as CRLs are always cached in IKEv2.
 .TP
-.B charonstart
-whether to start the IKEv2 Charon daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
+.BR charonstart " = " yes " | no"
+whether to start the IKEv2 charon daemon or not.
 The default is
 .B yes
 if starter was compiled with IKEv2 support.
 .TP
-.B dumpdir
-in what directory should things started by \fBipsec starter\fR
-(notably the Pluto and Charon daemons) be allowed to dump core?
-The empty value (the default) means they are not
-allowed to.
-This feature is currently not yet supported by \fBipsec starter\fR.
-.TP
-.B plutostart
-whether to start the IKEv1 Pluto daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
+.BR plutostart " = " yes " | no"
+whether to start the IKEv1 pluto daemon or not.
 The default is
 .B yes
 if starter was compiled with IKEv1 support.
 .TP
-.B strictcrlpolicy
-defines if a fresh CRL must be available in order for the peer authentication based
-on RSA signatures to succeed.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
+.BR strictcrlpolicy " = yes | ifuri | " no
+defines if a fresh CRL must be available in order for the peer authentication
+based on RSA signatures to succeed.
 IKEv2 additionally recognizes
 .B ifuri
 which reverts to
@@ -1126,7 +1124,7 @@ if at least one CRL URI is defined and to
 .B no
 if no URI is known.
 .TP
-.B uniqueids
+.BR uniqueids " = " yes " | no | replace | keep"
 whether a particular participant ID should be kept unique,
 with any new (automatically keyed)
 connection using an ID from a different IP address
@@ -1151,15 +1149,15 @@ The following
 .B config section
 parameters are used by the IKEv1 Pluto daemon only:
 .TP
-.B crlcheckinterval
+.BR crlcheckinterval " = " 0s " | <time>"
 interval in seconds. CRL fetching is enabled if the value is greater than zero.
 Asynchronous, periodic checking for fresh CRLs is currently done by the
 IKEv1 Pluto daemon only.
 .TP
-.B keep_alive
+.BR keep_alive " = " 20s " | <time>"
 interval in seconds between NAT keep alive packets, the default being 20 seconds.
 .TP
-.B nat_traversal
+.BR nat_traversal " = yes | " no
 activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
 being able of floating to udp/4500 if a NAT situation is detected.
 Accepted values are
@@ -1167,24 +1165,19 @@ Accepted values are
 and
 .B no
 (the default).
-Used by IKEv1 only, NAT traversal always being active in IKEv2.
+Used by IKEv1 only, NAT traversal is always being active in IKEv2.
 .TP
-.B nocrsend
+.BR nocrsend " = yes | " no
 no certificate request payloads will be sent.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
 .TP
-.B pkcs11initargs
+.BR pkcs11initargs " = <args>"
 non-standard argument string for PKCS#11 C_Initialize() function;
 required by NSS softoken.
 .TP
-.B pkcs11module
+.BR pkcs11module " = <args>"
 defines the path to a dynamically loadable PKCS #11 library.
 .TP
-.B pkcs11keepstate
+.BR pkcs11keepstate " = yes | " no
 PKCS #11 login sessions will be kept during the whole lifetime of the keying
 daemon. Useful with pin-pad smart card readers.
 Accepted values are
@@ -1193,7 +1186,7 @@ and
 .B no
 (the default).
 .TP
-.B pkcs11proxy
+.BR pkcs11proxy " = yes | " no
 Pluto will act as a PKCS #11 proxy accessible via the whack interface.
 Accepted values are
 .B yes
@@ -1201,8 +1194,8 @@ and
 .B no
 (the default).
 .TP
-.B plutodebug
-how much Pluto debugging output should be logged.
+.BR plutodebug " = " none " | <debug list> | all"
+how much pluto debugging output should be logged.
 An empty value,
 or the magic value
 .BR none ,
@@ -1218,12 +1211,12 @@ separated by white space) are enabled;
 for details on available debugging types, see
 .IR pluto (8).
 .TP
-.B plutostderrlog
+.BR plutostderrlog " = <file>"
 Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to the argument file.
+to <file>.
 .TP
-.B postpluto
-shell command to run after starting Pluto
+.BR postpluto " = <command>"
+shell command to run after starting pluto
 (e.g., to remove a decrypted copy of the
 .I ipsec.secrets
 file).
@@ -1235,8 +1228,8 @@ so running interactive commands is difficult unless they use
 or equivalent for their interaction.
 Default is none.
 .TP
-.B prepluto
-shell command to run before starting Pluto
+.BR prepluto " = <command>"
+shell command to run before starting pluto
 (e.g., to decrypt an encrypted copy of the
 .I ipsec.secrets
 file).
@@ -1248,15 +1241,15 @@ so running interactive commands is difficult unless they use
 or equivalent for their interaction.
 Default is none.
 .TP
-.B virtual_private
+.BR virtual_private " = <networks>"
 defines private networks using a wildcard notation.
 .PP
 The following
 .B config section
-parameters are used by the IKEv2 Charon daemon only:
+parameters are used by the IKEv2 charon daemon only:
 .TP
-.B charondebug
-how much Charon debugging output should be logged.
+.BR charondebug " = <debug list>"
+how much charon debugging output should be logged.
 A comma separated list containing type level/pairs may
 be specified, e.g:
 .B dmn 3, ike 1, net -1.
@@ -1265,50 +1258,85 @@ Acceptable values for types are
 and the level is one of
 .B -1, 0, 1, 2, 3, 4
 (for silent, audit, control, controlmore, raw, private).
+For more flexibility see LOGGER CONFIGURATION in
+.IR strongswan.conf (5).
+
+.SH IKEv2 EXPIRY/REKEY
+The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
+after a specific amount of time. For IPsec SAs this can also happen after a
+specified number of transmitted packets or transmitted bytes. The following
+settings can be used to configure this:
+.TS
+l r l r,- - - -,lB s lB s,a r a r.
+Setting	Default	Setting	Default
+IKE SA	IPsec SA
+ikelifetime	3h	lifebytes	-
+		lifepackets	-
+		lifetime	1h
+.TE
+.SS Rekeying
+IKE SAs as well as IPsec SAs can be rekeyed before they expire. This can be
+configured using the following settings:
+.TS
+l r l r,- - - -,lB s lB s,a r a r.
+Setting	Default	Setting	Default
+IKE and IPsec SA	IPsec SA
+margintime	9m	marginbytes	-
+		marginpackets	-
+.TE
+.SS Randomization
+To avoid collisions the specified margins are increased randomly before
+subtracting them from the expiration limits (see formula below). This is
+controlled by the
+.B rekeyfuzz
+setting:
+.TS
+l r,- -,lB s,a r.
+Setting	Default
+IKE and IPsec SA
+rekeyfuzz	100%
+.TE
 .PP
-The following
-.B config section
-parameters only make sense if the KLIPS IPsec stack
-is used instead of the default NETKEY stack of the Linux 2.6 kernel:
-.TP
-.B fragicmp
-whether a tunnel's need to fragment a packet should be reported
-back with an ICMP message,
-in an attempt to make the sender lower his PMTU estimate;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B hidetos
-whether a tunnel packet's TOS field should be set to
-.B 0
-rather than copied from the user packet inside;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no
-.TP
-.B interfaces
-virtual and physical interfaces for IPsec to use:
-a single
-\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
-by white space, or
-.BR %none .
-One of the pairs may be written as
-.BR %defaultroute ,
-which means: find the interface \fId\fR that the default route points to,
-and then act as if the value was ``\fBipsec0=\fId\fR''.
-.B %defaultroute
-is the default;
-.B %none
-must be used to denote no interfaces.
-.TP
-.B overridemtu
-value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
-overriding IPsec's (large) default.
+Randomization can be disabled by setting
+.BR rekeyfuzz " to " 0% .
+.SS Formula
+The following formula is used to calculate the rekey time of IPsec SAs:
+.PP
+.EX
+ rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
+.EE
+.PP
+It applies equally to IKE SAs and byte and packet limits for IPsec SAs.
+.SS Example
+Let's consider the default configuration:
+.PP
+.EX
+	lifetime = 1h
+	margintime = 9m
+	rekeyfuzz = 100%
+.EE
+.PP
+From the formula above follows that the rekey time lies between:
+.PP
+.EX
+	rekeytime_min = 1h - (9m + 9m) = 42m
+	rekeytime_max = 1h - (9m + 0m) = 51m
+.EE
+.PP
+Thus, the daemon will attempt to rekey the IPsec SA at a random time
+between 42 and 51 minutes after establishing the SA. Or, in other words,
+between 9 and 18 minutes before the SA expires.
+.SS Notes
+.IP \[bu]
+Since the rekeying of an SA needs some time, the margin values must not be
+too low.
+.IP \[bu]
+The value
+.B margin... + margin... * rekeyfuzz
+must not exceed the original limit. For example, specifying
+.B margintime = 30m
+in the default configuration is a bad idea as there is a chance that the rekey
+time equals zero and, thus, rekeying gets disabled.
 .SH FILES
 .nf
 /etc/ipsec.conf
@@ -1319,7 +1347,7 @@ overriding IPsec's (large) default.
 /etc/ipsec.d/crls
 
 .SH SEE ALSO
-ipsec(8), pluto(8), starter(8)
+strongswan.conf(5), ipsec.secrets(5), ipsec(8), pluto(8)
 .SH HISTORY
 Originally written for the FreeS/WAN project by Henry Spencer.
 Updated and extended for the strongSwan project <http://www.strongswan.org> by
diff --git a/src/starter/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 3d2940a66..187f36957 100644
--- a/src/starter/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
+.TH IPSEC.CONF 5 "2010-10-19" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -227,13 +227,17 @@ Parameters are optional unless marked '(required)'.
 Unless otherwise noted, for a connection to work,
 in general it is necessary for the two ends to agree exactly
 on the values of these parameters.
-.TP 14
-.B ah
-AH authentication algorithm to be used
-for the connection, e.g.
-.B hmac-md5.
 .TP
-.B auth
+.BR aaa_identity " = <id>"
+defines the identity of the AAA backend used during IKEv2 EAP authentication.
+This is required if the EAP client uses a method that verifies the server
+identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
+.TP
+.BR also " = <name>"
+includes conn section
+.BR <name> .
+.TP
+.BR auth " = " esp " | ah"
 whether authentication should be done as part of
 ESP encryption, or separately using the AH protocol;
 acceptable values are
@@ -243,12 +247,12 @@ acceptable values are
 .br
 The IKEv2 daemon currently supports ESP only.
 .TP
-.B authby
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
 how the two security gateways should authenticate each other;
 acceptable values are
-.B secret
-or
 .B psk
+or
+.B secret
 for pre-shared secrets,
 .B pubkey
 (the default) for public key signatures as well as the synonyms
@@ -276,7 +280,7 @@ to agree on an authentication method. Use the
 .B leftauth
 parameter instead to define authentication methods in IKEv2.
 .TP
-.B auto
+.BR auto " = " ignore " | add | route | start"
 what operation, if any, should be done automatically at IPsec startup;
 currently-accepted values are
 .BR add ,
@@ -304,7 +308,7 @@ both ends should use
 .B auto=start
 to ensure that any reboot causes immediate renegotiation).
 .TP
-.B compress
+.BR compress " = yes | " no
 whether IPComp compression of content is proposed on the connection
 (link-level compression does not work on encrypted data,
 so to be effective, compression must be done \fIbefore\fR encryption);
@@ -321,7 +325,7 @@ A value of
 prevents IPsec from proposing compression;
 a proposal to compress will still be accepted.
 .TP
-.B dpdaction
+.BR dpdaction " = " none " | clear | hold | restart"
 controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
 R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
 are periodically sent in order to check the
@@ -348,23 +352,26 @@ does't make sense, since all messages are used to detect dead peers. If specifie
 it has the same meaning as the default
 .RB ( clear ).
 .TP
-.B dpddelay
+.BR dpddelay " = " 30s " | <time>"
 defines the period time interval with which R_U_THERE messages/INFORMATIONAL
 exchanges are sent to the peer. These are only sent if no other traffic is
 received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
 messages and uses only standard messages (such as those to rekey) to detect
 dead peers.
 .TP
-.B dpdtimeout
+.BR dpdtimeout " = " 150s " | <time>"
 defines the timeout interval, after which all connections to a peer are deleted
 in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
+See
+.IR strongswan.conf (5)
+for a description of the IKEv2 retransmission timeout.
 .TP
-.B inactivity
+.BR inactivity " = <time>"
 defines the timeout interval, after which a CHILD_SA is closed if it did
 not send or receive any traffic. Currently supported in IKEv2 connections only.
 .TP
-.B eap
+.BR eap " = md5 | mschapv2 | radius | ... | <type> | <type>-<vendor>
 defines the EAP type to propose as server if the client requests EAP
 authentication. Currently supported values are
 .B aka
@@ -389,7 +396,7 @@ To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
 set
 .BR eap=radius .
 .TP
-.B eap_identity
+.BR eap_identity " = <id>"
 defines the identity the client uses to reply to a EAP Identity request.
 If defined on the EAP server, the defined identity will be used as peer
 identity during EAP authentication. The special value
@@ -397,10 +404,10 @@ identity during EAP authentication. The special value
 uses the EAP Identity method to ask the client for an EAP identity. If not
 defined, the IKEv2 identity will be used as EAP identity.
 .TP
-.B esp
+.BR esp " = <cipher suites>"
 comma-separated list of ESP encryption/authentication algorithms to be used
 for the connection, e.g.
-.BR 3des-md5 .
+.BR aes128-sha256 .
 The notation is
 .BR encryption-integrity-[dh-group] .
 .br
@@ -409,12 +416,12 @@ If
 is specified, CHILD_SA setup and rekeying include a separate diffe hellman
 exchange (IKEv2 only).
 .TP
-.B forceencaps
-Force UDP encapsulation for ESP packets even if no NAT situation is detected.
+.BR forceencaps " = yes | " no
+force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
 encapsulate packets, NAT detection payloads are faked (IKEv2 only).
 .TP
-.B ike
+.BR ike " = <cipher suites>"
 comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
 to be used, e.g.
 .BR aes128-sha1-modp2048 .
@@ -423,11 +430,11 @@ The notation is
 In IKEv2, multiple algorithms and proposals may be included, such as
 .B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
 .TP
-.B ikelifetime
+.BR ikelifetime " = " 3h " | <time>"
 how long the keying channel of a connection (ISAKMP or IKE SA)
-should last before being renegotiated.
+should last before being renegotiated. Also see EXPIRY/REKEY below.
 .TP
-.B installpolicy
+.BR installpolicy " = " yes " | no"
 decides whether IPsec policies are installed in the kernel by the IKEv2
 charon daemon for a given connection. Allows peaceful cooperation e.g. with
 the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
@@ -436,7 +443,7 @@ Acceptable values are
 (the default) and
 .BR no .
 .TP
-.B keyexchange
+.BR keyexchange " = " ike " | ikev1 | ikev2"
 method of key exchange;
 which protocol should be used to initialize the connection. Connections marked with
 .B ikev1
@@ -445,12 +452,15 @@ are initiated with pluto, those marked with
 with charon. An incoming request from the remote peer is handled by the correct
 daemon, unaffected from the
 .B keyexchange
-setting. The default value
+setting. Starting with strongSwan 4.5 the default value
 .B ike
-currently is a synonym for
-.BR ikev1 .
+is a synonym for
+.BR ikev2 ,
+whereas in older strongSwan releases
+.B ikev1
+was assumed.
 .TP
-.B keyingtries
+.BR keyingtries " = " %forever " | <number>"
 how many attempts (a whole number or \fB%forever\fP) should be made to
 negotiate a connection, or a replacement for one, before giving up
 (default
@@ -463,7 +473,7 @@ Relevant only locally, other end need not agree on it.
 synonym for
 .BR lifetime .
 .TP
-.B left
+.BR left " = <ip address> | <fqdn> | %defaultroute | " %any
 (required)
 the IP address of the left participant's public-network interface
 or one of several magic values.
@@ -511,7 +521,7 @@ Please note that with the usage of wildcards multiple connection descriptions
 might match a given incoming connection attempt. The most specific description
 is used in that case.
 .TP
-.B leftallowany
+.BR leftallowany " = yes | " no
 a modifier for
 .B left
 , making it behave as
@@ -525,7 +535,7 @@ and
 .B no
 (the default).
 .TP
-.B leftauth
+.BR leftauth " = <auth method>"
 Authentication method to use locally (left) or require from the remote (right)
 side.
 This parameter is supported in IKEv2 only. Acceptable values are
@@ -541,6 +551,7 @@ an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
 .BR eap-gtc ,
 .BR eap-md5 ,
+.BR eap-tls ,
 .B eap-mschapv2
 and
 .BR eap-sim .
@@ -549,7 +560,7 @@ EAP methods are defined in the form
 .B eap-type-vendor
 .RB "(e.g. " eap-7-12345 ).
 .TP
-.B leftauth2
+.BR leftauth2 " = <auth method>"
 Same as
 .BR leftauth ,
 but defines an additional authentication exchange. IKEv2 supports multiple
@@ -557,17 +568,17 @@ authentication rounds using "Multiple Authentication Exchanges" defined
 in RFC4739. This allows, for example, separated authentication
 of host and user (IKEv2 only).
 .TP
-.B leftca
+.BR leftca " = <issuer dn> | %same"
 the distinguished name of a certificate authority which is required to
 lie in the trust path going from the left participant's certificate up
 to the root certification authority.
 .TP
-.B leftca2
+.BR leftca2 " = <issuer dn> | %same"
 Same as
-.B leftca,
+.BR leftca ,
 but for the second authentication round (IKEv2 only).
 .TP
-.B leftcert
+.BR leftcert " = <path>"
 the path to the left participant's X.509 certificate. The file can be encoded
 either in PEM or DER format. OpenPGP certificates are supported as well.
 Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
@@ -582,12 +593,12 @@ The left participant's ID can be overriden by specifying a
 .B leftid
 value which must be certified by the certificate, though.
 .TP
-.B leftcert2
+.BR leftcert2 " = <path>"
 Same as
 .B leftcert,
 but for the second authentication round (IKEv2 only).
 .TP
-.B leftfirewall
+.BR leftfirewall " = yes | " no
 whether the left participant is doing forwarding-firewalling
 (including masquerading) using iptables for traffic from \fIleftsubnet\fR,
 which should be turned off (for traffic to the other subnet)
@@ -619,7 +630,7 @@ it may be preferable for the user to supply his own
 script,
 which makes the appropriate adjustments for his system.
 .TP
-.B leftgroups
+.BR leftgroups " = <group list>"
 a comma separated list of group names. If the
 .B leftgroups
 parameter is present then the peer must be a member of at least one
@@ -630,7 +641,7 @@ been issued to the peer by a trusted Authorization Authority stored in
 .br
 Attribute certificates are not supported in IKEv2 yet.
 .TP
-.B lefthostaccess
+.BR lefthostaccess " = yes | " no
 inserts a pair of INPUT and OUTPUT iptables rules using the default
 \fBipsec _updown\fR script, thus allowing access to the host itself
 in the case where the host's internal interface is part of the
@@ -641,7 +652,7 @@ and
 .B no
 (the default).
 .TP
-.B leftid
+.BR leftid " = <id>"
 how the left participant should be identified for authentication;
 defaults to
 .BR left .
@@ -649,19 +660,19 @@ Can be an IP address or a fully-qualified domain name preceded by
 .B @
 (which is used as a literal string and not resolved).
 .TP
-.B leftid2
+.BR leftid2 " = <id>"
 identity to use for a second authentication for the left participant
 (IKEv2 only); defaults to
 .BR leftid .
 .TP
-.B leftikeport
+.BR leftikeport " = <port>"
 UDP port the left participant uses for IKE communication. Currently supported in
 IKEv2 connections only. If unspecified, port 500 is used with the port floating
 to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
 different from the default additionally requires a socket implementation that
 listens to this port.
 .TP
-.B leftnexthop
+.BR leftnexthop " = %direct | %defaultroute | <ip address> | <fqdn>"
 this parameter is usually not needed any more because the NETKEY IPsec stack
 does not require explicit routing entries for the traffic to be tunneled. If
 .B leftsourceip
@@ -669,7 +680,7 @@ is used with IKEv1 then
 .B leftnexthop
 must still be set in order for the source routes to work properly.
 .TP
-.B leftprotoport
+.BR leftprotoport " = <protocol>/<port>"
 restrict the traffic selector to a single protocol and/or port.
 Examples:
 .B leftprotoport=tcp/http
@@ -678,7 +689,7 @@ or
 or
 .B leftprotoport=udp
 .TP
-.B leftrsasigkey
+.BR leftrsasigkey " = " %cert " | <raw rsa public key>"
 the left participant's
 public key for RSA signature authentication,
 in RFC 2537 format using
@@ -701,7 +712,7 @@ specify different public keys for the same
 .BR leftid ,
 confusion and madness will ensue.
 .TP
-.B leftsendcert
+.BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
 .B never
 or
@@ -710,22 +721,22 @@ or
 or
 .BR yes ,
 and
-.BR ifasked ,
+.BR ifasked " (the default),"
 the latter meaning that the peer must send a certificate request payload in
 order to get a certificate in return.
 .TP
-.B leftsourceip
+.BR leftsourceip " = %config | %cfg | %modeconfig | %modecfg | <ip address>"
 The internal source IP to use in a tunnel, also known as virtual IP. If the
 value is one of the synonyms
-.BR %modeconfig ,
-.BR %modecfg ,
 .BR %config ,
-or
 .BR %cfg ,
+.BR %modeconfig ,
+or
+.BR %modecfg ,
 an address is requested from the peer. In IKEv2, a statically defined address
 is also requested, since the server may change it.
 .TP
-.B rightsourceip
+.BR rightsourceip " = %config | <network>/<netmask> | %poolname"
 The internal source IP to use in a tunnel for the remote peer. If the
 value is
 .B %config
@@ -735,7 +746,7 @@ echoed back. Also supported are address pools expressed as
 or the use of an external IP address pool using %\fIpoolname\fR,
 where \fIpoolname\fR is the name of the IP address pool used for the lookup.
 .TP
-.B leftsubnet
+.BR leftsubnet " = <ip subnet>"
 private subnet behind the left participant, expressed as
 \fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
@@ -745,13 +756,13 @@ protocol narrows it to the greatest common subnet. Further, IKEv2 supports
 multiple subnets separated by commas. IKEv1 only interprets the first subnet
 of such a definition.
 .TP
-.B leftsubnetwithin
+.BR leftsubnetwithin " = <ip subnet>"
 the peer can propose any subnet or single IP address that fits within the
 range defined by
 .BR leftsubnetwithin.
 Not relevant for IKEv2, as subnets are narrowed.
 .TP
-.B leftupdown
+.BR leftupdown " = <path>"
 what ``updown'' script to run to adjust routing and/or firewalling
 when the status of the connection
 changes (default
@@ -766,15 +777,15 @@ Relevant only locally, other end need not agree on it. IKEv2 uses the updown
 script to insert firewall rules only, since routing has been implemented
 directly into charon.
 .TP
-.B lifebytes
+.BR lifebytes " = <number>"
 the number of bytes transmitted over an IPsec SA before it expires (IKEv2
 only).
 .TP
-.B lifepackets
+.BR lifepackets " = <number>"
 the number of packets transmitted over an IPsec SA before it expires (IKEv2
 only).
 .TP
-.B lifetime
+.BR lifetime " = " 1h " | <time>"
 how long a particular instance of a connection
 (a set of encryption/authentication keys for user packets) should last,
 from successful negotiation to expiry;
@@ -799,19 +810,19 @@ The two ends need not exactly agree on
 .BR lifetime ,
 although if they do not,
 there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
+which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
 .TP
-.B marginbytes
+.BR marginbytes " = <number>"
 how many bytes before IPsec SA expiry (see
 .BR lifebytes )
 should attempts to negotiate a replacement begin (IKEv2 only).
 .TP
-.B marginpackets
+.BR marginpackets " = <number>"
 how many packets before IPsec SA expiry (see
 .BR lifepackets )
 should attempts to negotiate a replacement begin (IKEv2 only).
 .TP
-.B margintime
+.BR margintime " = " 9m " | <time>"
 how long before connection expiry or keying-channel expiry
 should attempts to
 negotiate a replacement
@@ -819,28 +830,29 @@ begin; acceptable values as for
 .B lifetime
 (default
 .BR 9m ).
-Relevant only locally, other end need not agree on it.
+Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
+below.
 .TP
-.B mark
-sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound
-IPsec SAs and policies (IKEv2 only). If the mask is missing then a default
+.BR mark " = <value>[/<mask>]"
+sets an XFRM mark in the inbound and outbound
+IPsec SAs and policies. If the mask is missing then a default
 mask of
 .B 0xffffffff
 is assumed.
 .TP
-.B mark_in
-sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
+.BR mark_in " = <value>[/<mask>]"
+sets an XFRM mark in the inbound IPsec SA and
+policy. If the mask is missing then a default mask of
 .B 0xffffffff
 is assumed.
 .TP
-.B mark_out
-sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
+.BR mark_out " = <value>[/<mask>]"
+sets an XFRM mark in the outbound IPsec SA and
+policy. If the mask is missing then a default mask of
 .B 0xffffffff
 is assumed.
 .TP
-.B mobike
+.BR mobike " = " yes " | no"
 enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
 .B yes
 (the default) and
@@ -850,7 +862,7 @@ If set to
 the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
 ignore the MOBIKE_SUPPORTED notify as responder.
 .TP
-.B modeconfig
+.BR modeconfig " = push | " pull
 defines which mode is used to assign a virtual IP.
 Accepted values are
 .B push
@@ -862,7 +874,7 @@ payload in pull mode. Cisco VPN gateways usually operate in
 .B push
 mode.
 .TP
-.B pfs
+.BR pfs " = " yes " | no"
 whether Perfect Forward Secrecy of keys is desired on the connection's
 keying channel
 (with PFS, penetration of the key-exchange protocol
@@ -877,11 +889,11 @@ PFS is enforced by defining a Diffie-Hellman modp group in the
 .B esp
 parameter.
 .TP
-.B pfsgroup
+.BR pfsgroup " = <modp group>"
 defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
 differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
 .TP
-.B reauth
+.BR reauth " = " yes " | no"
 whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
 reauthentication is always done. In IKEv2, a value of
 .B no
@@ -890,7 +902,7 @@ rekeys without uninstalling the IPsec SAs, a value of
 (the default) creates a new IKE_SA from scratch and tries to recreate
 all IPsec SAs.
 .TP
-.B rekey
+.BR rekey " = " yes " | no"
 whether a connection should be renegotiated when it is about to expire;
 acceptable values are
 .B yes
@@ -905,7 +917,7 @@ so
 .B no
 will be largely ineffective unless both ends agree on it.
 .TP
-.B rekeyfuzz
+.BR rekeyfuzz " = " 100% " | <percentage>"
 maximum percentage by which
 .BR marginbytes ,
 .B marginpackets
@@ -931,16 +943,17 @@ or
 The value
 .B 0%
 will suppress randomization.
-Relevant only locally, other end need not agree on it.
+Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
+below.
 .TP
 .B rekeymargin
 synonym for
 .BR margintime .
 .TP
-.B reqid
-sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).
+.BR reqid " = <number>"
+sets the reqid for a given connection to a pre-configured fixed value.
 .TP
-.B type
+.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
 the type of the connection; currently the accepted values
 are
 .B tunnel
@@ -955,15 +968,17 @@ signifying that no IPsec processing should be done at all;
 .BR drop ,
 signifying that packets should be discarded; and
 .BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
+signifying that packets should be discarded and a diagnostic ICMP returned
+.RB ( reject
+is currently not supported by the NETKEY stack of the Linux 2.6 kernel).
 The IKEv2 daemon charon currently supports
 .BR tunnel ,
 .BR transport ,
 and
-.BR tunnel_proxy
+.BR transport_proxy
 connection types, only.
 .TP
-.B xauth
+.BR xauth " = " client " | server"
 specifies the role in the XAUTH protocol if activated by
 .B authby=xauthpsk
 or
@@ -977,8 +992,8 @@ and
 .SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
 The following parameters are relevant to IKEv2 Mediation Extension
 operation only.
-.TP 14
-.B mediation
+.TP
+.BR mediation " = yes | " no
 whether this connection is a mediation connection, ie. whether this
 connection is used to mediate other connections.  Mediation connections
 create no child SA. Acceptable values are
@@ -986,13 +1001,13 @@ create no child SA. Acceptable values are
 (the default) and
 .BR yes .
 .TP
-.B mediated_by
+.BR mediated_by " = <name>"
 the name of the connection to mediate this connection through.  If given,
 the connection will be mediated through the named mediation connection.
 The mediation connection must set
 .BR mediation=yes .
 .TP
-.B me_peerid
+.BR me_peerid " = <id>"
 ID as which the peer is known to the mediation server, ie. which the other
 end of this connection uses as its
 .B leftid
@@ -1006,42 +1021,45 @@ of this connection will be used as peer ID.
 .SH "CA SECTIONS"
 This are optional sections that can be used to assign special
 parameters to a Certification Authority (CA).
-.TP 10
-.B auto
+.TP
+.BR also " = <name>"
+includes ca section
+.BR <name> .
+.TP
+.BR auto " = " ignore " | add"
 currently can have either the value
 .B ignore
-or
-.B add
-.
+(the default) or
+.BR add .
 .TP
-.B cacert
+.BR cacert " = <path>"
 defines a path to the CA certificate either relative to
 \fI/etc/ipsec.d/cacerts\fP or as an absolute path.
 .TP
-.B crluri
+.BR crluri " = <uri>"
 defines a CRL distribution point (ldap, http, or file URI)
 .TP
 .B crluri1
 synonym for
 .B crluri.
 .TP
-.B crluri2
+.BR crluri2 " = <uri>"
 defines an alternative CRL distribution point (ldap, http, or file URI)
 .TP
-.B ldaphost
+.BR ldaphost " = <hostname>"
 defines an ldap host. Currently used by IKEv1 only.
 .TP
-.B ocspuri
+.BR ocspuri " = <uri>"
 defines an OCSP URI.
 .TP
 .B ocspuri1
 synonym for
 .B ocspuri.
 .TP
-.B ocspuri2
+.BR ocspuri2 " = <uri>"
 defines an alternative OCSP URI. Currently used by IKEv2 only.
 .TP
-.B certuribase
+.BR certuribase " = <uri>"
 defines the base URI for the Hash and URL feature supported by IKEv2.
 Instead of exchanging complete certificates, IKEv2 allows to send an URI
 that resolves to the DER encoded certificate. The certificate URIs are built
@@ -1072,8 +1090,8 @@ names in a
 .B config
 .B setup
 section affecting both daemons are:
-.TP 14
-.B cachecrls
+.TP
+.BR cachecrls " = yes | " no
 certificate revocation lists (CRLs) fetched via http or ldap will be cached in
 \fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
 authority's public key.
@@ -1081,43 +1099,23 @@ Accepted values are
 .B yes
 and
 .B no
-(the default).
+(the default). Only relevant for IKEv1, as CRLs are always cached in IKEv2.
 .TP
-.B charonstart
-whether to start the IKEv2 Charon daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
+.BR charonstart " = " yes " | no"
+whether to start the IKEv2 charon daemon or not.
 The default is
 .B yes
 if starter was compiled with IKEv2 support.
 .TP
-.B dumpdir
-in what directory should things started by \fBipsec starter\fR
-(notably the Pluto and Charon daemons) be allowed to dump core?
-The empty value (the default) means they are not
-allowed to.
-This feature is currently not yet supported by \fBipsec starter\fR.
-.TP
-.B plutostart
-whether to start the IKEv1 Pluto daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
+.BR plutostart " = " yes " | no"
+whether to start the IKEv1 pluto daemon or not.
 The default is
 .B yes
 if starter was compiled with IKEv1 support.
 .TP
-.B strictcrlpolicy
-defines if a fresh CRL must be available in order for the peer authentication based
-on RSA signatures to succeed.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
+.BR strictcrlpolicy " = yes | ifuri | " no
+defines if a fresh CRL must be available in order for the peer authentication
+based on RSA signatures to succeed.
 IKEv2 additionally recognizes
 .B ifuri
 which reverts to
@@ -1126,7 +1124,7 @@ if at least one CRL URI is defined and to
 .B no
 if no URI is known.
 .TP
-.B uniqueids
+.BR uniqueids " = " yes " | no | replace | keep"
 whether a particular participant ID should be kept unique,
 with any new (automatically keyed)
 connection using an ID from a different IP address
@@ -1151,15 +1149,15 @@ The following
 .B config section
 parameters are used by the IKEv1 Pluto daemon only:
 .TP
-.B crlcheckinterval
+.BR crlcheckinterval " = " 0s " | <time>"
 interval in seconds. CRL fetching is enabled if the value is greater than zero.
 Asynchronous, periodic checking for fresh CRLs is currently done by the
 IKEv1 Pluto daemon only.
 .TP
-.B keep_alive
+.BR keep_alive " = " 20s " | <time>"
 interval in seconds between NAT keep alive packets, the default being 20 seconds.
 .TP
-.B nat_traversal
+.BR nat_traversal " = yes | " no
 activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
 being able of floating to udp/4500 if a NAT situation is detected.
 Accepted values are
@@ -1167,24 +1165,19 @@ Accepted values are
 and
 .B no
 (the default).
-Used by IKEv1 only, NAT traversal always being active in IKEv2.
+Used by IKEv1 only, NAT traversal is always being active in IKEv2.
 .TP
-.B nocrsend
+.BR nocrsend " = yes | " no
 no certificate request payloads will be sent.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
 .TP
-.B pkcs11initargs
+.BR pkcs11initargs " = <args>"
 non-standard argument string for PKCS#11 C_Initialize() function;
 required by NSS softoken.
 .TP
-.B pkcs11module
+.BR pkcs11module " = <args>"
 defines the path to a dynamically loadable PKCS #11 library.
 .TP
-.B pkcs11keepstate
+.BR pkcs11keepstate " = yes | " no
 PKCS #11 login sessions will be kept during the whole lifetime of the keying
 daemon. Useful with pin-pad smart card readers.
 Accepted values are
@@ -1193,7 +1186,7 @@ and
 .B no
 (the default).
 .TP
-.B pkcs11proxy
+.BR pkcs11proxy " = yes | " no
 Pluto will act as a PKCS #11 proxy accessible via the whack interface.
 Accepted values are
 .B yes
@@ -1201,8 +1194,8 @@ and
 .B no
 (the default).
 .TP
-.B plutodebug
-how much Pluto debugging output should be logged.
+.BR plutodebug " = " none " | <debug list> | all"
+how much pluto debugging output should be logged.
 An empty value,
 or the magic value
 .BR none ,
@@ -1218,12 +1211,12 @@ separated by white space) are enabled;
 for details on available debugging types, see
 .IR pluto (8).
 .TP
-.B plutostderrlog
+.BR plutostderrlog " = <file>"
 Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to the argument file.
+to <file>.
 .TP
-.B postpluto
-shell command to run after starting Pluto
+.BR postpluto " = <command>"
+shell command to run after starting pluto
 (e.g., to remove a decrypted copy of the
 .I ipsec.secrets
 file).
@@ -1235,8 +1228,8 @@ so running interactive commands is difficult unless they use
 or equivalent for their interaction.
 Default is none.
 .TP
-.B prepluto
-shell command to run before starting Pluto
+.BR prepluto " = <command>"
+shell command to run before starting pluto
 (e.g., to decrypt an encrypted copy of the
 .I ipsec.secrets
 file).
@@ -1248,15 +1241,15 @@ so running interactive commands is difficult unless they use
 or equivalent for their interaction.
 Default is none.
 .TP
-.B virtual_private
+.BR virtual_private " = <networks>"
 defines private networks using a wildcard notation.
 .PP
 The following
 .B config section
-parameters are used by the IKEv2 Charon daemon only:
+parameters are used by the IKEv2 charon daemon only:
 .TP
-.B charondebug
-how much Charon debugging output should be logged.
+.BR charondebug " = <debug list>"
+how much charon debugging output should be logged.
 A comma separated list containing type level/pairs may
 be specified, e.g:
 .B dmn 3, ike 1, net -1.
@@ -1265,50 +1258,85 @@ Acceptable values for types are
 and the level is one of
 .B -1, 0, 1, 2, 3, 4
 (for silent, audit, control, controlmore, raw, private).
+For more flexibility see LOGGER CONFIGURATION in
+.IR strongswan.conf (5).
+
+.SH IKEv2 EXPIRY/REKEY
+The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
+after a specific amount of time. For IPsec SAs this can also happen after a
+specified number of transmitted packets or transmitted bytes. The following
+settings can be used to configure this:
+.TS
+l r l r,- - - -,lB s lB s,a r a r.
+Setting	Default	Setting	Default
+IKE SA	IPsec SA
+ikelifetime	3h	lifebytes	-
+		lifepackets	-
+		lifetime	1h
+.TE
+.SS Rekeying
+IKE SAs as well as IPsec SAs can be rekeyed before they expire. This can be
+configured using the following settings:
+.TS
+l r l r,- - - -,lB s lB s,a r a r.
+Setting	Default	Setting	Default
+IKE and IPsec SA	IPsec SA
+margintime	9m	marginbytes	-
+		marginpackets	-
+.TE
+.SS Randomization
+To avoid collisions the specified margins are increased randomly before
+subtracting them from the expiration limits (see formula below). This is
+controlled by the
+.B rekeyfuzz
+setting:
+.TS
+l r,- -,lB s,a r.
+Setting	Default
+IKE and IPsec SA
+rekeyfuzz	100%
+.TE
 .PP
-The following
-.B config section
-parameters only make sense if the KLIPS IPsec stack
-is used instead of the default NETKEY stack of the Linux 2.6 kernel:
-.TP
-.B fragicmp
-whether a tunnel's need to fragment a packet should be reported
-back with an ICMP message,
-in an attempt to make the sender lower his PMTU estimate;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B hidetos
-whether a tunnel packet's TOS field should be set to
-.B 0
-rather than copied from the user packet inside;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no
-.TP
-.B interfaces
-virtual and physical interfaces for IPsec to use:
-a single
-\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
-by white space, or
-.BR %none .
-One of the pairs may be written as
-.BR %defaultroute ,
-which means: find the interface \fId\fR that the default route points to,
-and then act as if the value was ``\fBipsec0=\fId\fR''.
-.B %defaultroute
-is the default;
-.B %none
-must be used to denote no interfaces.
-.TP
-.B overridemtu
-value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
-overriding IPsec's (large) default.
+Randomization can be disabled by setting
+.BR rekeyfuzz " to " 0% .
+.SS Formula
+The following formula is used to calculate the rekey time of IPsec SAs:
+.PP
+.EX
+ rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
+.EE
+.PP
+It applies equally to IKE SAs and byte and packet limits for IPsec SAs.
+.SS Example
+Let's consider the default configuration:
+.PP
+.EX
+	lifetime = 1h
+	margintime = 9m
+	rekeyfuzz = 100%
+.EE
+.PP
+From the formula above follows that the rekey time lies between:
+.PP
+.EX
+	rekeytime_min = 1h - (9m + 9m) = 42m
+	rekeytime_max = 1h - (9m + 0m) = 51m
+.EE
+.PP
+Thus, the daemon will attempt to rekey the IPsec SA at a random time
+between 42 and 51 minutes after establishing the SA. Or, in other words,
+between 9 and 18 minutes before the SA expires.
+.SS Notes
+.IP \[bu]
+Since the rekeying of an SA needs some time, the margin values must not be
+too low.
+.IP \[bu]
+The value
+.B margin... + margin... * rekeyfuzz
+must not exceed the original limit. For example, specifying
+.B margintime = 30m
+in the default configuration is a bad idea as there is a chance that the rekey
+time equals zero and, thus, rekeying gets disabled.
 .SH FILES
 .nf
 /etc/ipsec.conf
@@ -1319,7 +1347,7 @@ overriding IPsec's (large) default.
 /etc/ipsec.d/crls
 
 .SH SEE ALSO
-ipsec(8), pluto(8), starter(8)
+strongswan.conf(5), ipsec.secrets(5), ipsec(8), pluto(8)
 .SH HISTORY
 Originally written for the FreeS/WAN project by Henry Spencer.
 Updated and extended for the strongSwan project <http://www.strongswan.org> by
diff --git a/src/pluto/ipsec.secrets.5 b/man/ipsec.secrets.5
index 6c39f86e1..1e586a491 100644
--- a/src/pluto/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2010-05-30" "4.4.1rc3" "strongSwan"
+.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.0rc2" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
@@ -22,9 +22,9 @@ Here is an example.
 
 alice@strongswan.org : EAP "x3.dEhgN"
 
-: XAUTH carol "4iChxLT3"
+carol : XAUTH "4iChxLT3"
 
-: XAUTH dave "ryftzG4A"
+dave  : XAUTH "ryftzG4A"
 
 # get secrets from other files
 include ipsec.*.secrets
@@ -147,24 +147,25 @@ delimited by double-quote characters (\fB"\fP).
 .br
 \fBEAP\fP secrets are IKEv2 only.
 .TP
-.B : XAUTH <username> <password>
+.B [ <servername> ] <username> : XAUTH <password>
 \fBXAUTH\fP secrets are IKEv1 only.
 .TP
 .B : PIN <smartcard selector> <pin code> | %prompt
-The format
+IKEv1 uses the format
 .B "%smartcard[<slot nr>[:<key id>]]"
-is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1,
-instead of specifying the pin code statically,
+to specify the smartcard selector (e.g. %smartcard1:50).
+The IKEv2 daemon supports multiple modules with the format
+.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
+, but always requires a keyid to uniquely select the correct key. Instead of
+specifying the pin code statically,
 .B %prompt
-can be specified, which causes the pluto daemon to ask the user for the pin
-code.
+can be specified, which causes the daemons to ask the user for the pin code.
 .LP
 
 .SH FILES
 /etc/ipsec.secrets
 .SH SEE ALSO
-\fIipsec.conf\fP(5),
-\fIipsec\fP(8)
+ipsec.conf(5), strongswan.conf(5), ipsec(8)
 .br
 .SH HISTORY
 Originally written for the FreeS/WAN project by D. Hugh Redelmeier.
diff --git a/src/pluto/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index adb915e4d..875b8e219 100644
--- a/src/pluto/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -22,9 +22,9 @@ Here is an example.
 
 alice@strongswan.org : EAP "x3.dEhgN"
 
-: XAUTH carol "4iChxLT3"
+carol : XAUTH "4iChxLT3"
 
-: XAUTH dave "ryftzG4A"
+dave  : XAUTH "ryftzG4A"
 
 # get secrets from other files
 include ipsec.*.secrets
@@ -147,24 +147,25 @@ delimited by double-quote characters (\fB"\fP).
 .br
 \fBEAP\fP secrets are IKEv2 only.
 .TP
-.B : XAUTH <username> <password>
+.B [ <servername> ] <username> : XAUTH <password>
 \fBXAUTH\fP secrets are IKEv1 only.
 .TP
 .B : PIN <smartcard selector> <pin code> | %prompt
-The format
+IKEv1 uses the format
 .B "%smartcard[<slot nr>[:<key id>]]"
-is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1,
-instead of specifying the pin code statically,
+to specify the smartcard selector (e.g. %smartcard1:50).
+The IKEv2 daemon supports multiple modules with the format
+.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
+, but always requires a keyid to uniquely select the correct key. Instead of
+specifying the pin code statically,
 .B %prompt
-can be specified, which causes the pluto daemon to ask the user for the pin
-code.
+can be specified, which causes the daemons to ask the user for the pin code.
 .LP
 
 .SH FILES
 /etc/ipsec.secrets
 .SH SEE ALSO
-\fIipsec.conf\fP(5),
-\fIipsec\fP(8)
+ipsec.conf(5), strongswan.conf(5), ipsec(8)
 .br
 .SH HISTORY
 Originally written for the FreeS/WAN project by D. Hugh Redelmeier.
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
new file mode 100644
index 000000000..2a8703503
--- /dev/null
+++ b/man/strongswan.conf.5
@@ -0,0 +1,910 @@
+.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.0rc2" "strongSwan"
+.SH NAME
+strongswan.conf \- strongSwan configuration file
+.SH DESCRIPTION
+While the
+.IR ipsec.conf (5)
+configuration file is well suited to define IPsec related configuration
+parameters, it is not useful for other strongSwan applications to read options
+from this file.
+The file is hard to parse and only
+.I ipsec starter
+is capable of doing so. As the number of components of the strongSwan project
+is continually growing, a more flexible configuration file was needed, one that
+is easy to extend and can be used by all components. With strongSwan 4.2.1
+.IR strongswan.conf (5)
+was introduced which meets these requirements.
+
+.SH SYNTAX
+The format of the strongswan.conf file consists of hierarchical
+.B sections
+and a list of
+.B key/value pairs
+in each section. Each section has a name, followed by C-Style curly brackets
+defining the section body. Each section body contains a set of subsections
+and key/value pairs:
+.PP
+.EX
+	settings := (section|keyvalue)*
+	section  := name { settings }
+	keyvalue := key = value\\n
+.EE
+.PP
+Values must be terminated by a newline.
+.PP
+Comments are possible using the \fB#\fP-character, but be careful: The parser
+implementation is currently limited and does not like brackets in comments.
+.PP
+Section names and keys may contain any printable character except:
+.PP
+.EX
+	. { } # \\n \\t space
+.EE
+.PP
+An example file in this format might look like this:
+.PP
+.EX
+	a = b
+	section-one {
+		somevalue = asdf
+		subsection {
+			othervalue = xxx
+		}
+		# yei, a comment
+		yetanother = zz
+	}
+	section-two {
+		x = 12
+	}
+.EE
+.PP
+Indentation is optional, you may use tabs or spaces.
+
+.SH READING VALUES
+Values are accessed using a dot-separated section list and a key.
+With reference to the example above, accessing
+.B section-one.subsection.othervalue
+will return
+.BR xxx .
+
+.SH DEFINED KEYS
+The following keys are currently defined (using dot notation). The default
+value (if any) is listed in brackets after the key.
+
+.SS charon section
+.TP
+.BR charon.block_threshold " [5]"
+Maximum number of half-open IKE_SAs for a single peer IP
+.TP
+.BR charon.close_ike_on_child_failure " [no]"
+Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
+.TP
+.BR charon.cookie_threshold " [10]"
+Number of half-open IKE_SAs that activate the cookie mechanism
+.TP
+.BR charon.dns1
+.TQ
+.BR charon.dns2
+DNS servers assigned to peer via configuration payload (CP)
+.TP
+.BR charon.dos_protection " [yes]"
+Enable Denial of Service protection using cookies and aggressiveness checks
+.TP
+.BR charon.filelog
+Section to define file loggers, see LOGGER CONFIGURATION
+.TP
+.BR charon.flush_auth_cfg " [no]"
+
+.TP
+.BR charon.hash_and_url " [no]"
+Enable hash and URL support
+.TP
+.BR charon.ignore_routing_tables
+A list of routing tables to be excluded from route lookup
+.TP
+.BR charon.ikesa_table_segments " [1]"
+Number of exclusively locked segments in the hash table
+.TP
+.BR charon.ikesa_table_size " [1]"
+Size of the IKE_SA hash table
+.TP
+.BR charon.inactivity_close_ike " [no]"
+Whether to close IKE_SA if the only CHILD_SA closed due to inactivity
+.TP
+.BR charon.install_routes " [yes]"
+Install routes into a separate routing table for established IPsec tunnels
+.TP
+.BR charon.install_virtual_ip " [yes]"
+Install virtual IP addresses
+.TP
+.BR charon.keep_alive " [20s]"
+NAT keep alive interval
+.TP
+.BR charon.load
+Plugins to load in the IKEv2 daemon charon
+.TP
+.BR charon.max_packet " [10000]"
+Maximum packet size accepted by charon
+.TP
+.BR charon.multiple_authentication " [yes]"
+Enable multiple authentication exchanges (RFC 4739)
+.TP
+.BR charon.nbns1
+.TQ
+.BR charon.nbns2
+WINS servers assigned to peer via configuration payload (CP)
+.TP
+.BR charon.process_route " [yes]"
+Process RTM_NEWROUTE and RTM_DELROUTE events
+.TP
+.BR charon.receive_delay " [0]"
+Delay for receiving packets, to simulate larger RTT
+.TP
+.BR charon.receive_delay_response " [yes]"
+Delay response messages
+.TP
+.BR charon.receive_delay_request " [yes]"
+Delay request messages
+.TP
+.BR charon.receive_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any
+.TP
+.BR charon.retransmit_base " [1.8]"
+Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+.TP
+.BR charon.retransmit_timeout " [4.0]
+Timeout in seconds before sending first retransmit
+.TP
+.BR charon.retransmit_tries " [5]"
+Number of times to retransmit a packet before giving up
+.TP
+.BR charon.reuse_ikesa " [yes]
+Initiate CHILD_SA within existing IKE_SAs
+.TP
+.BR charon.routing_table
+Numerical routing table to install routes to
+.TP
+.BR charon.routing_table_prio
+Priority of the routing table
+.TP
+.BR charon.send_delay " [0]"
+Delay for sending packets, to simulate larger RTT
+.TP
+.BR charon.send_delay_response " [yes]"
+Delay response messages
+.TP
+.BR charon.send_delay_request " [yes]"
+Delay request messages
+.TP
+.BR charon.send_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any
+.TP
+.BR charon.send_vendor_id " [no]
+Send strongSwan vendor ID payload
+.TP
+.BR charon.syslog
+Section to define syslog loggers, see LOGGER CONFIGURATION
+.TP
+.BR charon.threads " [16]"
+Number of worker threads in charon
+.SS charon.plugins subsection
+.TP
+.BR charon.plugins.android.loglevel " [1]"
+Loglevel for logging to Android specific logger
+.TP
+.BR charon.plugins.attr
+Section to specify arbitrary attributes that are assigned to a peer via
+configuration payload (CP)
+.TP
+.BR charon.plugins.dhcp.identity_lease " [no]"
+Derive user-defined MAC address from hash of IKEv2 identity
+.TP
+.BR charon.plugins.dhcp.server " [255.255.255.255]"
+DHCP server unicast or broadcast IP address
+.TP
+.BR charon.plugins.eap-aka.request_identity " [yes]"
+
+.TP
+.BR charon.plugins.eap-aka-3ggp2.seq_check
+
+.TP
+.BR charon.plugins.eap-gtc.pam_service " [login]"
+PAM service to be used for authentication
+.TP
+.BR charon.plugins.eap-radius.class_group " [no]"
+Use the
+.I class
+attribute sent in the RADIUS-Accept message as group membership information that
+is compared to the groups specified in the
+.B rightgroups
+option in
+.B ipsec.conf (5).
+.TP
+.BR charon.plugins.eap-radius.eap_start " [no]"
+Send EAP-Start instead of EAP-Identity to start RADIUS conversation
+.TP
+.BR charon.plugins.eap-radius.filter_id " [no]"
+If the RADIUS
+.I tunnel_type
+attribute with value
+.B ESP
+is received, use the
+.I filter_id 
+attribute sent in the RADIUS-Accept message as group membership information that
+is compared to the groups specified in the
+.B rightgroups
+option in
+.B ipsec.conf (5).
+.TP
+.BR charon.plugins.eap-radius.id_prefix
+Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+EAP method
+.TP
+.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
+NAS-Identifier to include in RADIUS messages
+.TP
+.BR charon.plugins.eap-radius.port " [1812]"
+Port of RADIUS server (authentication)
+.TP
+.BR charon.plugins.eap-radius.secret
+Shared secret between RADIUS and NAS
+.TP
+.BR charon.plugins.eap-radius.server
+IP/Hostname of RADIUS server
+.TP
+.BR charon.plugins.eap-radius.servers
+Section to specify multiple RADIUS servers. The
+.BR nas_identifier ,
+.BR secret ,
+.B sockets
+and
+.B port
+options can be specified for each server. A server's IP/Hostname can be
+configured using the
+.B address
+option. For each RADIUS server a priority can be specified using the
+.BR preference " [0]"
+option.
+.TP
+.BR charon.plugins.eap-radius.sockets " [1]"
+Number of sockets (ports) to use, increase for high load
+.TP
+.BR charon.plugins.eap-sim.request_identity " [yes]"
+
+.TP
+.BR charon.plugins.eap-simaka-sql.database
+
+.TP
+.BR charon.plugins.eap-simaka-sql.remove_used
+
+.TP
+.BR charon.plugins.eap-tls.fragment_size " [1024]"
+Maximum size of an EAP-TLS packet
+.TP
+.BR charon.plugins.eap-tls.max_message_count " [32]"
+Maximum number of processed EAP-TLS packets
+.TP
+.BR charon.plugins.eap-tnc.fragment_size " [50000]"
+Maximum size of an EAP-TNC packet
+.TP
+.BR charon.plugins.eap-tnc.max_message_count " [10]"
+Maximum number of processed EAP-TNC packets
+.TP
+.BR charon.plugins.eap-ttls.fragment_size " [1024]"
+Maximum size of an EAP-TTLS packet
+.TP
+.BR charon.plugins.eap-ttls.max_message_count " [32]"
+Maximum number of processed EAP-TTLS packets
+.TP
+.BR charon.plugins.eap-ttls.phase2_method " [md5]"
+Phase2 EAP client authentication method
+.TP
+.BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message
+.TP
+.BR charon.plugins.eap-ttls.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication
+.TP
+.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
+Request peer authentication based on a client certificate
+.TP
+.BR charon.plugins.ha.fifo_interface " [yes]"
+
+.TP
+.BR charon.plugins.ha.heartbeat_delay " [1000]"
+
+.TP
+.BR charon.plugins.ha.heartbeat_timeout " [2100]"
+
+.TP
+.BR charon.plugins.ha.local
+
+.TP
+.BR charon.plugins.ha.monitor " [yes]"
+
+.TP
+.BR charon.plugins.ha.pools
+
+.TP
+.BR charon.plugins.ha.remote
+ 
+.TP
+.BR charon.plugins.ha.resync " [yes]"
+
+.TP
+.BR charon.plugins.ha.secret
+
+.TP
+.BR charon.plugins.ha.segment_count " [1]"
+
+.TP
+.BR charon.plugins.led.activity_led
+
+.TP
+.BR charon.plugins.led.blink_time " [50]"
+
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
+Number of ipsecN devices
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
+Set MTU of ipsecN device
+.TP
+.BR charon.plugins.load-tester
+Section to configure the load-tester plugin, see LOAD TESTS
+.TP
+.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
+File where to add DNS server entries
+.TP
+.BR charon.plugins.sql.database
+Database URI for charons SQL plugin
+.TP
+.BR charon.plugins.sql.loglevel " [-1]"
+Loglevel for logging to SQL database
+.TP
+.BR charon.plugins.tnc-imc.preferred_language " [en]"
+Preferred language for TNC recommendations
+.TP
+.BR charon.plugins.tnc-imc.tnc_config " [/etc/tnc_config]"
+TNC IMC configuration directory
+.TP
+.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
+TNC IMV configuration directory
+.SS libstrongswan section
+.TP
+.BR libstrongswan.crypto_test.bench " [no]"
+
+.TP
+.BR libstrongswan.crypto_test.bench_size " [1024]"
+
+.TP
+.BR libstrongswan.crypto_test.bench_time " [50]"
+
+.TP
+.BR libstrongswan.crypto_test.on_add " [no]"
+Test crypto algorithms during registration
+.TP
+.BR libstrongswan.crypto_test.on_create " [no]"
+Test crypto algorithms on each crypto primitive instantiation
+.TP
+.BR libstrongswan.crypto_test.required " [no]"
+Strictly require at least one test vector to enable an algorithm
+.TP
+.BR libstrongswan.crypto_test.rng_true " [no]"
+Whether to test RNG with TRUE quality; requires a lot of entropy
+.TP
+.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]"
+Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
+strength
+.TP
+.BR libstrongswan.ecp_x_coordinate_only " [yes]"
+Compliance with the errata for RFC 4753
+.TP
+.BR libstrongswan.integrity_test " [no]"
+Check daemon, libstrongswan and plugin integrity at startup
+.TP
+.BR libstrongswan.leak_detective.detailed " [yes]"
+Includes source file names and line numbers in leak detective output
+.SS libstrongswan.plugins subsection
+.TP
+.BR libstrongswan.plugins.attr-sql.database
+Database URI for attr-sql plugin used by charon and pluto
+.TP
+.BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
+Enable logging of SQL IP pool leases
+.TP
+.BR libstrongswan.plugins.gcrypt.quick_random " [no]"
+Use faster random numbers in gcrypt; for testing only, produces weak keys!
+.TP
+.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
+ENGINE ID to use in the OpenSSL plugin
+.TP
+.BR libstrongswan.plugins.pkcs11.modules
+
+.TP
+.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
+
+.TP
+.BR libstrongswan.plugins.x509.enforce_critical " [no]"
+Discard certificates with unsupported or unknown critical extensions
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
+.SS manager section
+.TP
+.BR manager.database
+Credential database URI for manager
+.TP
+.BR manager.debug " [no]"
+Enable debugging in manager
+.TP
+.BR manager.load
+Plugins to load in manager
+.TP
+.BR manager.socket
+FastCGI socket of manager, to run it statically
+.TP
+.BR manager.threads " [10]"
+Threads to use for request handling
+.TP
+.BR manager.timeout " [15m]"
+Session timeout for manager
+.SS mediation client section
+.TP
+.BR medcli.database
+Mediation client database URI
+.TP
+.BR medcli.dpd " [5m]"
+DPD timeout to use in mediation client plugin
+.TP
+.BR medcli.rekey " [20m]"
+Rekeying time on mediation connections in mediation client plugin
+.SS mediation server section
+.TP
+.BR medsrv.database
+Mediation server database URI
+.TP
+.BR medsrv.debug " [no]"
+Debugging in mediation server web application
+.TP
+.BR medsrv.dpd " [5m]"
+DPD timeout to use in mediation server plugin
+.TP
+.BR medsrv.load
+Plugins to load in mediation server plugin
+.TP
+.BR medsrv.password_length " [6]"
+Minimum password length required for mediation server user accounts
+.TP
+.BR medsrv.rekey " [20m]"
+Rekeying time on mediation connections in mediation server plugin
+.TP
+.BR medsrv.socket
+Run Mediation server web application statically on socket
+.TP
+.BR medsrv.threads " [5]"
+Number of thread for mediation service web application
+.TP
+.BR medsrv.timeout " [15m]"
+Session timeout for mediation service
+.SS openac section
+.TP
+.BR openac.load
+Plugins to load in ipsec openac tool
+.SS pki section
+.TP
+.BR pki.load
+Plugins to load in ipsec pki tool
+.SS pluto section
+.TP
+.BR pluto.dns1
+.TQ
+.BR pluto.dns2
+DNS servers assigned to peer via Mode Config
+.TP
+.BR pluto.load
+Plugins to load in IKEv1 pluto daemon
+.TP
+.BR pluto.nbns1
+.TQ
+.BR pluto.nbns2
+WINS servers assigned to peer via Mode Config
+.TP
+.BR pluto.threads " [4]"
+Number of worker threads in pluto
+.SS pluto.plugins section
+.TP
+.BR pluto.plugins.attr
+Section to specify arbitrary attributes that are assigned to a peer via
+Mode Config
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
+Number of ipsecN devices
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
+Set MTU of ipsecN device
+.SS pool section
+.TP
+.BR pool.load
+Plugins to load in ipsec pool tool
+.SS scepclient section
+.TP
+.BR scepclient.load
+Plugins to load in ipsec scepclient tool
+.SS starter section
+.TP
+.BR starter.load_warning " [yes]"
+Disable charon/pluto plugin load option warning
+
+.SH LOGGER CONFIGURATION
+The options described below provide a much more flexible way to configure
+loggers for the IKEv2 daemon charon than using the
+.B charondebug
+option in
+.BR ipsec.conf (5).
+.PP
+.B Please note
+that if any loggers are specified in strongswan.conf,
+.B charondebug
+does not have any effect.
+.PP
+There are currently two types of loggers defined:
+.TP
+.B File loggers
+Log directly to a file and are defined by specifying the full path to the
+file as subsection in the
+.B charon.filelog
+section. To log to the console the two special filenames
+.BR stdout " and " stderr
+can be used.
+.TP
+.B Syslog loggers
+Log into a syslog facility and are defined by specifying the facility to log to
+as the name of a subsection in the
+.B charon.syslog
+section. The following facilities are currently supported:
+.BR daemon " and " auth .
+.PP
+Multiple loggers can be defined for each type with different log verbosity for
+the different subsystems of the daemon.
+.SS Options
+.TP
+.BR charon.filelog.<filename>.default " [1]"
+.TQ
+.BR charon.syslog.<facility>.default
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+.TP
+.BR charon.filelog.<filename>.<subsystem> " [<default>]"
+.TQ
+.BR charon.syslog.<facility>.<subsystem>
+Specifies the loglevel for the given subsystem.
+.TP
+.BR charon.filelog.<filename>.append " [yes]"
+If this option is enabled log entries are appended to the existing file.
+.TP
+.BR charon.filelog.<filename>.flush_line " [no]"
+Enabling this option disables block buffering and enables line buffering.
+.TP
+.BR charon.filelog.<filename>.ike_name " [no]"
+.TQ
+.BR charon.syslog.<facility>.ike_name
+Prefix each log entry with the connection name and a unique numerical
+identifier for each IKE_SA.
+.TP
+.BR charon.filelog.<filename>.time_format
+Prefix each log entry with a timestamp. The option accepts a format string as
+passed to
+.BR strftime (3).
+
+.SS Subsystems
+.TP
+.B dmn
+Main daemon setup/cleanup/signal handling
+.TP
+.B mgr
+IKE_SA manager, handling synchronization for IKE_SA access
+.TP
+.B ike
+IKE_SA
+.TP
+.B chd
+CHILD_SA
+.TP
+.B job
+Jobs queueing/processing and thread pool management
+.TP
+.B cfg
+Configuration management and plugins
+.TP
+.B knl
+IPsec/Networking kernel interface
+.TP
+.B net
+IKE network communication
+.TP
+.B enc
+Packet encoding/decoding encryption/decryption operations
+.TP
+.B tls
+libtls library messages
+.TP
+.B lib
+libstrongwan library messages
+.SS Loglevels
+.TP
+.B -1
+Absolutely silent
+.TP
+.B 0
+Very basic auditing logs, (e.g. SA up/SA down)
+.TP
+.B 1
+Generic control flow with errors, a good default to see whats going on
+.TP
+.B 2
+More detailed debugging control flow
+.TP
+.B 3
+Including RAW data dumps in Hex
+.TP
+.B 4
+Also include sensitive material in dumps, e.g. keys
+.SS Example
+.PP
+.EX
+	charon {
+		filelog {
+			/var/log/charon.log {
+				time_format = %b %e %T
+				append = no
+				default = 1
+			}
+			stderr {
+				ike = 2
+				knl = 3
+				ike_name = yes
+			}
+		}
+		syslog {
+			# enable logging to LOG_DAEMON, use defaults
+			daemon {
+			}
+			# minimalistic IKE auditing logging to LOG_AUTHPRIV
+			auth {
+				default = -1
+				ike = 0
+			}
+		}
+	}
+.EE
+
+.SH LOAD TESTS
+To do stability testing and performance optimizations, the IKEv2 daemon charon
+provides the load-tester plugin. This plugin allows to setup thousands of
+tunnels concurrently against the daemon itself or a remote host.
+.PP
+.B WARNING:
+Never enable the load-testing plugin on productive systems. It provides
+preconfigured credentials and allows an attacker to authenticate as any user.
+.SS Options
+.TP
+.BR charon.plugins.load-tester.child_rekey " [600]"
+Seconds to start CHILD_SA rekeying after setup
+.TP
+.BR charon.plugins.load-tester.delay " [0]"
+Delay between initiatons for each thread
+.TP
+.BR charon.plugins.load-tester.delete_after_established " [no]"
+Delete an IKE_SA as soon as it has been established
+.TP
+.BR charon.plugins.load-tester.dynamic_port " [0]"
+Base port to be used for requests (each client uses a different port)
+.TP
+.BR charon.plugins.load-tester.enable " [no]"
+Enable the load testing plugin
+.TP
+.BR charon.plugins.load-tester.fake_kernel " [no]"
+Fake the kernel interface to allow load-testing against self
+.TP
+.BR charon.plugins.load-tester.ike_rekey " [0]"
+Seconds to start IKE_SA rekeying after setup
+.TP
+.BR charon.plugins.load-tester.initiators " [0]"
+Number of concurrent initiator threads to use in load test
+.TP
+.BR charon.plugins.load-tester.initiator_auth " [pubkey]"
+Authentication method(s) the intiator uses
+.TP
+.BR charon.plugins.load-tester.iterations " [1]"
+Number of IKE_SAs to initate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.pool
+Provide INTERNAL_IPV4_ADDRs from a named pool
+.TP
+.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
+IKE proposal to use in load test
+.TP
+.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+Address to initiation connections to
+.TP
+.BR charon.plugins.load-tester.responder_auth " [pubkey]"
+Authentication method(s) the responder uses
+.TP
+.BR charon.plugins.load-tester.request_virtual_ip " [no]"
+Request an INTERNAL_IPV4_ADDR from the server
+.TP
+.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
+Shutdown the daemon after all IKE_SAs have been established
+.SS Configuration details
+For public key authentication, the responder uses the
+.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
+identity. For the initiator, each connection attempt uses a different identity
+in the form
+.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
+where the first number inidicates the client number, the second the
+authentication round (if multiple authentication is used).
+.PP
+For PSK authentication, FQDN identities are used. The server uses
+.BR srv.strongswan.org ,
+the client uses an identity in the form
+.BR c1-r1.strongswan.org .
+.PP
+For EAP authentication, the client uses a NAI in the form
+.BR 100000000010001@strongswan.org .
+.PP
+To configure multiple authentication, concatenate multiple methods using, e.g.
+.EX
+	initiator_auth = pubkey|psk|eap-md5|eap-aka
+.EE
+.PP
+The responder uses a hardcoded certificate based on a 1024-bit RSA key.
+This certificate additionally serves as CA certificate. A peer uses the same
+private key, but generates client certificates on demand signed by the CA
+certificate. Install the Responder/CA certificate on the remote host to
+authenticate all clients.
+.PP
+To speed up testing, the load tester plugin implements a special Diffie-Hellman
+implementation called modpnull. By setting
+.EX
+	proposal = aes128-sha1-modpnull
+.EE
+this wicked fast DH implementation is used. It does not provide any security
+at all, but allows to run tests without DH calculation overhead.
+.SS Examples
+.PP
+In the simplest case, the daemon initiates IKE_SAs against itself using the
+loopback interface. This will actually establish double the number of IKE_SAs,
+as the daemon is initiator and responder for each IKE_SA at the same time.
+Installation of IPsec SAs would fails, as each SA gets installed twice. To
+simulate the correct behavior, a fake kernel interface can be enabled which does
+not install the IPsec SAs at the kernel level.
+.PP
+A simple loopback configuration might look like this:
+.PP
+.EX
+	charon {
+		# create new IKE_SAs for each CHILD_SA to simulate
+		# different clients
+		reuse_ikesa = no
+		# turn off denial of service protection
+		dos_protection = no
+
+		plugins {
+			load-tester {
+				# enable the plugin
+				enable = yes
+				# use 4 threads to initiate connections
+				# simultaneously
+				initiators = 4
+				# each thread initiates 1000 connections
+				iterations = 1000
+				# delay each initiation in each thread by 20ms
+				delay = 20
+				# enable the fake kernel interface to
+				# avoid SA conflicts
+				fake_kernel = yes
+			}
+		}
+	}
+.EE
+.PP
+This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay
+value if your box can not handle that much load, or decrease it to put more
+load on it. If the daemon starts retransmitting messages your box probably can
+not handle all connection attempts.
+.PP
+The plugin also allows to test against a remote host. This might help to test
+against a real world configuration. A connection setup to do stress testing of
+a gateway might look like this:
+.PP
+.EX
+	charon {
+		reuse_ikesa = no
+		threads = 32
+
+		plugins {
+			load-tester {
+				enable = yes
+				# 10000 connections, ten in parallel
+				initiators = 10
+				iterations = 1000
+				# use a delay of 100ms, overall time is:
+				# iterations * delay = 100s
+				delay = 100
+				# address of the gateway
+				remote = 1.2.3.4
+				# IKE-proposal to use
+				proposal = aes128-sha1-modp1024
+				# use faster PSK authentication instead
+				# of 1024bit RSA
+				initiator_auth = psk
+				responder_auth = psk
+				# request a virtual IP using configuration
+				# payloads
+				request_virtual_ip = yes
+				# enable CHILD_SA every 60s
+				child_rekey = 60
+			}
+		}
+	}
+.EE
+
+.SH IKEv2 RETRANSMISSION
+Retransmission timeouts in the IKEv2 daemon charon can be configured globally
+using the three keys listed below:
+.PP
+.RS
+.nf
+.BR charon.retransmit_base " [1.8]"
+.BR charon.retransmit_timeout " [4.0]"
+.BR charon.retransmit_tries " [5]"
+.fi
+.RE
+.PP
+The following algorithm is used to calculate the timeout:
+.PP
+.EX
+	relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
+.EE
+.PP
+Where
+.I n
+is the current retransmission count.
+.PP
+Using the default values, packets are retransmitted in:
+
+.TS
+l r r
+---
+lB r r.
+Retransmission	Relative Timeout	Absolute Timeout
+1	4s	4s
+2	7s	11s
+3	13s	24s
+4	23s	47s
+5	42s	89s
+giving up	76s	165s
+.TE
+
+.SH FILES
+/etc/strongswan.conf
+
+.SH SEE ALSO
+ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+.SH HISTORY
+Written for the
+.UR http://www.strongswan.org
+strongSwan project
+.UE
+by Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
new file mode 100644
index 000000000..77db9a3c0
--- /dev/null
+++ b/man/strongswan.conf.5.in
@@ -0,0 +1,910 @@
+.TH STRONGSWAN.CONF 5 "2010-09-09" "@IPSEC_VERSION@" "strongSwan"
+.SH NAME
+strongswan.conf \- strongSwan configuration file
+.SH DESCRIPTION
+While the
+.IR ipsec.conf (5)
+configuration file is well suited to define IPsec related configuration
+parameters, it is not useful for other strongSwan applications to read options
+from this file.
+The file is hard to parse and only
+.I ipsec starter
+is capable of doing so. As the number of components of the strongSwan project
+is continually growing, a more flexible configuration file was needed, one that
+is easy to extend and can be used by all components. With strongSwan 4.2.1
+.IR strongswan.conf (5)
+was introduced which meets these requirements.
+
+.SH SYNTAX
+The format of the strongswan.conf file consists of hierarchical
+.B sections
+and a list of
+.B key/value pairs
+in each section. Each section has a name, followed by C-Style curly brackets
+defining the section body. Each section body contains a set of subsections
+and key/value pairs:
+.PP
+.EX
+	settings := (section|keyvalue)*
+	section  := name { settings }
+	keyvalue := key = value\\n
+.EE
+.PP
+Values must be terminated by a newline.
+.PP
+Comments are possible using the \fB#\fP-character, but be careful: The parser
+implementation is currently limited and does not like brackets in comments.
+.PP
+Section names and keys may contain any printable character except:
+.PP
+.EX
+	. { } # \\n \\t space
+.EE
+.PP
+An example file in this format might look like this:
+.PP
+.EX
+	a = b
+	section-one {
+		somevalue = asdf
+		subsection {
+			othervalue = xxx
+		}
+		# yei, a comment
+		yetanother = zz
+	}
+	section-two {
+		x = 12
+	}
+.EE
+.PP
+Indentation is optional, you may use tabs or spaces.
+
+.SH READING VALUES
+Values are accessed using a dot-separated section list and a key.
+With reference to the example above, accessing
+.B section-one.subsection.othervalue
+will return
+.BR xxx .
+
+.SH DEFINED KEYS
+The following keys are currently defined (using dot notation). The default
+value (if any) is listed in brackets after the key.
+
+.SS charon section
+.TP
+.BR charon.block_threshold " [5]"
+Maximum number of half-open IKE_SAs for a single peer IP
+.TP
+.BR charon.close_ike_on_child_failure " [no]"
+Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
+.TP
+.BR charon.cookie_threshold " [10]"
+Number of half-open IKE_SAs that activate the cookie mechanism
+.TP
+.BR charon.dns1
+.TQ
+.BR charon.dns2
+DNS servers assigned to peer via configuration payload (CP)
+.TP
+.BR charon.dos_protection " [yes]"
+Enable Denial of Service protection using cookies and aggressiveness checks
+.TP
+.BR charon.filelog
+Section to define file loggers, see LOGGER CONFIGURATION
+.TP
+.BR charon.flush_auth_cfg " [no]"
+
+.TP
+.BR charon.hash_and_url " [no]"
+Enable hash and URL support
+.TP
+.BR charon.ignore_routing_tables
+A list of routing tables to be excluded from route lookup
+.TP
+.BR charon.ikesa_table_segments " [1]"
+Number of exclusively locked segments in the hash table
+.TP
+.BR charon.ikesa_table_size " [1]"
+Size of the IKE_SA hash table
+.TP
+.BR charon.inactivity_close_ike " [no]"
+Whether to close IKE_SA if the only CHILD_SA closed due to inactivity
+.TP
+.BR charon.install_routes " [yes]"
+Install routes into a separate routing table for established IPsec tunnels
+.TP
+.BR charon.install_virtual_ip " [yes]"
+Install virtual IP addresses
+.TP
+.BR charon.keep_alive " [20s]"
+NAT keep alive interval
+.TP
+.BR charon.load
+Plugins to load in the IKEv2 daemon charon
+.TP
+.BR charon.max_packet " [10000]"
+Maximum packet size accepted by charon
+.TP
+.BR charon.multiple_authentication " [yes]"
+Enable multiple authentication exchanges (RFC 4739)
+.TP
+.BR charon.nbns1
+.TQ
+.BR charon.nbns2
+WINS servers assigned to peer via configuration payload (CP)
+.TP
+.BR charon.process_route " [yes]"
+Process RTM_NEWROUTE and RTM_DELROUTE events
+.TP
+.BR charon.receive_delay " [0]"
+Delay for receiving packets, to simulate larger RTT
+.TP
+.BR charon.receive_delay_response " [yes]"
+Delay response messages
+.TP
+.BR charon.receive_delay_request " [yes]"
+Delay request messages
+.TP
+.BR charon.receive_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any
+.TP
+.BR charon.retransmit_base " [1.8]"
+Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+.TP
+.BR charon.retransmit_timeout " [4.0]
+Timeout in seconds before sending first retransmit
+.TP
+.BR charon.retransmit_tries " [5]"
+Number of times to retransmit a packet before giving up
+.TP
+.BR charon.reuse_ikesa " [yes]
+Initiate CHILD_SA within existing IKE_SAs
+.TP
+.BR charon.routing_table
+Numerical routing table to install routes to
+.TP
+.BR charon.routing_table_prio
+Priority of the routing table
+.TP
+.BR charon.send_delay " [0]"
+Delay for sending packets, to simulate larger RTT
+.TP
+.BR charon.send_delay_response " [yes]"
+Delay response messages
+.TP
+.BR charon.send_delay_request " [yes]"
+Delay request messages
+.TP
+.BR charon.send_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any
+.TP
+.BR charon.send_vendor_id " [no]
+Send strongSwan vendor ID payload
+.TP
+.BR charon.syslog
+Section to define syslog loggers, see LOGGER CONFIGURATION
+.TP
+.BR charon.threads " [16]"
+Number of worker threads in charon
+.SS charon.plugins subsection
+.TP
+.BR charon.plugins.android.loglevel " [1]"
+Loglevel for logging to Android specific logger
+.TP
+.BR charon.plugins.attr
+Section to specify arbitrary attributes that are assigned to a peer via
+configuration payload (CP)
+.TP
+.BR charon.plugins.dhcp.identity_lease " [no]"
+Derive user-defined MAC address from hash of IKEv2 identity
+.TP
+.BR charon.plugins.dhcp.server " [255.255.255.255]"
+DHCP server unicast or broadcast IP address
+.TP
+.BR charon.plugins.eap-aka.request_identity " [yes]"
+
+.TP
+.BR charon.plugins.eap-aka-3ggp2.seq_check
+
+.TP
+.BR charon.plugins.eap-gtc.pam_service " [login]"
+PAM service to be used for authentication
+.TP
+.BR charon.plugins.eap-radius.class_group " [no]"
+Use the
+.I class
+attribute sent in the RADIUS-Accept message as group membership information that
+is compared to the groups specified in the
+.B rightgroups
+option in
+.B ipsec.conf (5).
+.TP
+.BR charon.plugins.eap-radius.eap_start " [no]"
+Send EAP-Start instead of EAP-Identity to start RADIUS conversation
+.TP
+.BR charon.plugins.eap-radius.filter_id " [no]"
+If the RADIUS
+.I tunnel_type
+attribute with value
+.B ESP
+is received, use the
+.I filter_id 
+attribute sent in the RADIUS-Accept message as group membership information that
+is compared to the groups specified in the
+.B rightgroups
+option in
+.B ipsec.conf (5).
+.TP
+.BR charon.plugins.eap-radius.id_prefix
+Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+EAP method
+.TP
+.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
+NAS-Identifier to include in RADIUS messages
+.TP
+.BR charon.plugins.eap-radius.port " [1812]"
+Port of RADIUS server (authentication)
+.TP
+.BR charon.plugins.eap-radius.secret
+Shared secret between RADIUS and NAS
+.TP
+.BR charon.plugins.eap-radius.server
+IP/Hostname of RADIUS server
+.TP
+.BR charon.plugins.eap-radius.servers
+Section to specify multiple RADIUS servers. The
+.BR nas_identifier ,
+.BR secret ,
+.B sockets
+and
+.B port
+options can be specified for each server. A server's IP/Hostname can be
+configured using the
+.B address
+option. For each RADIUS server a priority can be specified using the
+.BR preference " [0]"
+option.
+.TP
+.BR charon.plugins.eap-radius.sockets " [1]"
+Number of sockets (ports) to use, increase for high load
+.TP
+.BR charon.plugins.eap-sim.request_identity " [yes]"
+
+.TP
+.BR charon.plugins.eap-simaka-sql.database
+
+.TP
+.BR charon.plugins.eap-simaka-sql.remove_used
+
+.TP
+.BR charon.plugins.eap-tls.fragment_size " [1024]"
+Maximum size of an EAP-TLS packet
+.TP
+.BR charon.plugins.eap-tls.max_message_count " [32]"
+Maximum number of processed EAP-TLS packets
+.TP
+.BR charon.plugins.eap-tnc.fragment_size " [50000]"
+Maximum size of an EAP-TNC packet
+.TP
+.BR charon.plugins.eap-tnc.max_message_count " [10]"
+Maximum number of processed EAP-TNC packets
+.TP
+.BR charon.plugins.eap-ttls.fragment_size " [1024]"
+Maximum size of an EAP-TTLS packet
+.TP
+.BR charon.plugins.eap-ttls.max_message_count " [32]"
+Maximum number of processed EAP-TTLS packets
+.TP
+.BR charon.plugins.eap-ttls.phase2_method " [md5]"
+Phase2 EAP client authentication method
+.TP
+.BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message
+.TP
+.BR charon.plugins.eap-ttls.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication
+.TP
+.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
+Request peer authentication based on a client certificate
+.TP
+.BR charon.plugins.ha.fifo_interface " [yes]"
+
+.TP
+.BR charon.plugins.ha.heartbeat_delay " [1000]"
+
+.TP
+.BR charon.plugins.ha.heartbeat_timeout " [2100]"
+
+.TP
+.BR charon.plugins.ha.local
+
+.TP
+.BR charon.plugins.ha.monitor " [yes]"
+
+.TP
+.BR charon.plugins.ha.pools
+
+.TP
+.BR charon.plugins.ha.remote
+ 
+.TP
+.BR charon.plugins.ha.resync " [yes]"
+
+.TP
+.BR charon.plugins.ha.secret
+
+.TP
+.BR charon.plugins.ha.segment_count " [1]"
+
+.TP
+.BR charon.plugins.led.activity_led
+
+.TP
+.BR charon.plugins.led.blink_time " [50]"
+
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
+Number of ipsecN devices
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
+Set MTU of ipsecN device
+.TP
+.BR charon.plugins.load-tester
+Section to configure the load-tester plugin, see LOAD TESTS
+.TP
+.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
+File where to add DNS server entries
+.TP
+.BR charon.plugins.sql.database
+Database URI for charons SQL plugin
+.TP
+.BR charon.plugins.sql.loglevel " [-1]"
+Loglevel for logging to SQL database
+.TP
+.BR charon.plugins.tnc-imc.preferred_language " [en]"
+Preferred language for TNC recommendations
+.TP
+.BR charon.plugins.tnc-imc.tnc_config " [/etc/tnc_config]"
+TNC IMC configuration directory
+.TP
+.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
+TNC IMV configuration directory
+.SS libstrongswan section
+.TP
+.BR libstrongswan.crypto_test.bench " [no]"
+
+.TP
+.BR libstrongswan.crypto_test.bench_size " [1024]"
+
+.TP
+.BR libstrongswan.crypto_test.bench_time " [50]"
+
+.TP
+.BR libstrongswan.crypto_test.on_add " [no]"
+Test crypto algorithms during registration
+.TP
+.BR libstrongswan.crypto_test.on_create " [no]"
+Test crypto algorithms on each crypto primitive instantiation
+.TP
+.BR libstrongswan.crypto_test.required " [no]"
+Strictly require at least one test vector to enable an algorithm
+.TP
+.BR libstrongswan.crypto_test.rng_true " [no]"
+Whether to test RNG with TRUE quality; requires a lot of entropy
+.TP
+.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]"
+Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
+strength
+.TP
+.BR libstrongswan.ecp_x_coordinate_only " [yes]"
+Compliance with the errata for RFC 4753
+.TP
+.BR libstrongswan.integrity_test " [no]"
+Check daemon, libstrongswan and plugin integrity at startup
+.TP
+.BR libstrongswan.leak_detective.detailed " [yes]"
+Includes source file names and line numbers in leak detective output
+.SS libstrongswan.plugins subsection
+.TP
+.BR libstrongswan.plugins.attr-sql.database
+Database URI for attr-sql plugin used by charon and pluto
+.TP
+.BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
+Enable logging of SQL IP pool leases
+.TP
+.BR libstrongswan.plugins.gcrypt.quick_random " [no]"
+Use faster random numbers in gcrypt; for testing only, produces weak keys!
+.TP
+.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
+ENGINE ID to use in the OpenSSL plugin
+.TP
+.BR libstrongswan.plugins.pkcs11.modules
+
+.TP
+.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
+
+.TP
+.BR libstrongswan.plugins.x509.enforce_critical " [no]"
+Discard certificates with unsupported or unknown critical extensions
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
+.SS manager section
+.TP
+.BR manager.database
+Credential database URI for manager
+.TP
+.BR manager.debug " [no]"
+Enable debugging in manager
+.TP
+.BR manager.load
+Plugins to load in manager
+.TP
+.BR manager.socket
+FastCGI socket of manager, to run it statically
+.TP
+.BR manager.threads " [10]"
+Threads to use for request handling
+.TP
+.BR manager.timeout " [15m]"
+Session timeout for manager
+.SS mediation client section
+.TP
+.BR medcli.database
+Mediation client database URI
+.TP
+.BR medcli.dpd " [5m]"
+DPD timeout to use in mediation client plugin
+.TP
+.BR medcli.rekey " [20m]"
+Rekeying time on mediation connections in mediation client plugin
+.SS mediation server section
+.TP
+.BR medsrv.database
+Mediation server database URI
+.TP
+.BR medsrv.debug " [no]"
+Debugging in mediation server web application
+.TP
+.BR medsrv.dpd " [5m]"
+DPD timeout to use in mediation server plugin
+.TP
+.BR medsrv.load
+Plugins to load in mediation server plugin
+.TP
+.BR medsrv.password_length " [6]"
+Minimum password length required for mediation server user accounts
+.TP
+.BR medsrv.rekey " [20m]"
+Rekeying time on mediation connections in mediation server plugin
+.TP
+.BR medsrv.socket
+Run Mediation server web application statically on socket
+.TP
+.BR medsrv.threads " [5]"
+Number of thread for mediation service web application
+.TP
+.BR medsrv.timeout " [15m]"
+Session timeout for mediation service
+.SS openac section
+.TP
+.BR openac.load
+Plugins to load in ipsec openac tool
+.SS pki section
+.TP
+.BR pki.load
+Plugins to load in ipsec pki tool
+.SS pluto section
+.TP
+.BR pluto.dns1
+.TQ
+.BR pluto.dns2
+DNS servers assigned to peer via Mode Config
+.TP
+.BR pluto.load
+Plugins to load in IKEv1 pluto daemon
+.TP
+.BR pluto.nbns1
+.TQ
+.BR pluto.nbns2
+WINS servers assigned to peer via Mode Config
+.TP
+.BR pluto.threads " [4]"
+Number of worker threads in pluto
+.SS pluto.plugins section
+.TP
+.BR pluto.plugins.attr
+Section to specify arbitrary attributes that are assigned to a peer via
+Mode Config
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
+Number of ipsecN devices
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
+Set MTU of ipsecN device
+.SS pool section
+.TP
+.BR pool.load
+Plugins to load in ipsec pool tool
+.SS scepclient section
+.TP
+.BR scepclient.load
+Plugins to load in ipsec scepclient tool
+.SS starter section
+.TP
+.BR starter.load_warning " [yes]"
+Disable charon/pluto plugin load option warning
+
+.SH LOGGER CONFIGURATION
+The options described below provide a much more flexible way to configure
+loggers for the IKEv2 daemon charon than using the
+.B charondebug
+option in
+.BR ipsec.conf (5).
+.PP
+.B Please note
+that if any loggers are specified in strongswan.conf,
+.B charondebug
+does not have any effect.
+.PP
+There are currently two types of loggers defined:
+.TP
+.B File loggers
+Log directly to a file and are defined by specifying the full path to the
+file as subsection in the
+.B charon.filelog
+section. To log to the console the two special filenames
+.BR stdout " and " stderr
+can be used.
+.TP
+.B Syslog loggers
+Log into a syslog facility and are defined by specifying the facility to log to
+as the name of a subsection in the
+.B charon.syslog
+section. The following facilities are currently supported:
+.BR daemon " and " auth .
+.PP
+Multiple loggers can be defined for each type with different log verbosity for
+the different subsystems of the daemon.
+.SS Options
+.TP
+.BR charon.filelog.<filename>.default " [1]"
+.TQ
+.BR charon.syslog.<facility>.default
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+.TP
+.BR charon.filelog.<filename>.<subsystem> " [<default>]"
+.TQ
+.BR charon.syslog.<facility>.<subsystem>
+Specifies the loglevel for the given subsystem.
+.TP
+.BR charon.filelog.<filename>.append " [yes]"
+If this option is enabled log entries are appended to the existing file.
+.TP
+.BR charon.filelog.<filename>.flush_line " [no]"
+Enabling this option disables block buffering and enables line buffering.
+.TP
+.BR charon.filelog.<filename>.ike_name " [no]"
+.TQ
+.BR charon.syslog.<facility>.ike_name
+Prefix each log entry with the connection name and a unique numerical
+identifier for each IKE_SA.
+.TP
+.BR charon.filelog.<filename>.time_format
+Prefix each log entry with a timestamp. The option accepts a format string as
+passed to
+.BR strftime (3).
+
+.SS Subsystems
+.TP
+.B dmn
+Main daemon setup/cleanup/signal handling
+.TP
+.B mgr
+IKE_SA manager, handling synchronization for IKE_SA access
+.TP
+.B ike
+IKE_SA
+.TP
+.B chd
+CHILD_SA
+.TP
+.B job
+Jobs queueing/processing and thread pool management
+.TP
+.B cfg
+Configuration management and plugins
+.TP
+.B knl
+IPsec/Networking kernel interface
+.TP
+.B net
+IKE network communication
+.TP
+.B enc
+Packet encoding/decoding encryption/decryption operations
+.TP
+.B tls
+libtls library messages
+.TP
+.B lib
+libstrongwan library messages
+.SS Loglevels
+.TP
+.B -1
+Absolutely silent
+.TP
+.B 0
+Very basic auditing logs, (e.g. SA up/SA down)
+.TP
+.B 1
+Generic control flow with errors, a good default to see whats going on
+.TP
+.B 2
+More detailed debugging control flow
+.TP
+.B 3
+Including RAW data dumps in Hex
+.TP
+.B 4
+Also include sensitive material in dumps, e.g. keys
+.SS Example
+.PP
+.EX
+	charon {
+		filelog {
+			/var/log/charon.log {
+				time_format = %b %e %T
+				append = no
+				default = 1
+			}
+			stderr {
+				ike = 2
+				knl = 3
+				ike_name = yes
+			}
+		}
+		syslog {
+			# enable logging to LOG_DAEMON, use defaults
+			daemon {
+			}
+			# minimalistic IKE auditing logging to LOG_AUTHPRIV
+			auth {
+				default = -1
+				ike = 0
+			}
+		}
+	}
+.EE
+
+.SH LOAD TESTS
+To do stability testing and performance optimizations, the IKEv2 daemon charon
+provides the load-tester plugin. This plugin allows to setup thousands of
+tunnels concurrently against the daemon itself or a remote host.
+.PP
+.B WARNING:
+Never enable the load-testing plugin on productive systems. It provides
+preconfigured credentials and allows an attacker to authenticate as any user.
+.SS Options
+.TP
+.BR charon.plugins.load-tester.child_rekey " [600]"
+Seconds to start CHILD_SA rekeying after setup
+.TP
+.BR charon.plugins.load-tester.delay " [0]"
+Delay between initiatons for each thread
+.TP
+.BR charon.plugins.load-tester.delete_after_established " [no]"
+Delete an IKE_SA as soon as it has been established
+.TP
+.BR charon.plugins.load-tester.dynamic_port " [0]"
+Base port to be used for requests (each client uses a different port)
+.TP
+.BR charon.plugins.load-tester.enable " [no]"
+Enable the load testing plugin
+.TP
+.BR charon.plugins.load-tester.fake_kernel " [no]"
+Fake the kernel interface to allow load-testing against self
+.TP
+.BR charon.plugins.load-tester.ike_rekey " [0]"
+Seconds to start IKE_SA rekeying after setup
+.TP
+.BR charon.plugins.load-tester.initiators " [0]"
+Number of concurrent initiator threads to use in load test
+.TP
+.BR charon.plugins.load-tester.initiator_auth " [pubkey]"
+Authentication method(s) the intiator uses
+.TP
+.BR charon.plugins.load-tester.iterations " [1]"
+Number of IKE_SAs to initate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.pool
+Provide INTERNAL_IPV4_ADDRs from a named pool
+.TP
+.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
+IKE proposal to use in load test
+.TP
+.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+Address to initiation connections to
+.TP
+.BR charon.plugins.load-tester.responder_auth " [pubkey]"
+Authentication method(s) the responder uses
+.TP
+.BR charon.plugins.load-tester.request_virtual_ip " [no]"
+Request an INTERNAL_IPV4_ADDR from the server
+.TP
+.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
+Shutdown the daemon after all IKE_SAs have been established
+.SS Configuration details
+For public key authentication, the responder uses the
+.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
+identity. For the initiator, each connection attempt uses a different identity
+in the form
+.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
+where the first number inidicates the client number, the second the
+authentication round (if multiple authentication is used).
+.PP
+For PSK authentication, FQDN identities are used. The server uses
+.BR srv.strongswan.org ,
+the client uses an identity in the form
+.BR c1-r1.strongswan.org .
+.PP
+For EAP authentication, the client uses a NAI in the form
+.BR 100000000010001@strongswan.org .
+.PP
+To configure multiple authentication, concatenate multiple methods using, e.g.
+.EX
+	initiator_auth = pubkey|psk|eap-md5|eap-aka
+.EE
+.PP
+The responder uses a hardcoded certificate based on a 1024-bit RSA key.
+This certificate additionally serves as CA certificate. A peer uses the same
+private key, but generates client certificates on demand signed by the CA
+certificate. Install the Responder/CA certificate on the remote host to
+authenticate all clients.
+.PP
+To speed up testing, the load tester plugin implements a special Diffie-Hellman
+implementation called modpnull. By setting
+.EX
+	proposal = aes128-sha1-modpnull
+.EE
+this wicked fast DH implementation is used. It does not provide any security
+at all, but allows to run tests without DH calculation overhead.
+.SS Examples
+.PP
+In the simplest case, the daemon initiates IKE_SAs against itself using the
+loopback interface. This will actually establish double the number of IKE_SAs,
+as the daemon is initiator and responder for each IKE_SA at the same time.
+Installation of IPsec SAs would fails, as each SA gets installed twice. To
+simulate the correct behavior, a fake kernel interface can be enabled which does
+not install the IPsec SAs at the kernel level.
+.PP
+A simple loopback configuration might look like this:
+.PP
+.EX
+	charon {
+		# create new IKE_SAs for each CHILD_SA to simulate
+		# different clients
+		reuse_ikesa = no
+		# turn off denial of service protection
+		dos_protection = no
+
+		plugins {
+			load-tester {
+				# enable the plugin
+				enable = yes
+				# use 4 threads to initiate connections
+				# simultaneously
+				initiators = 4
+				# each thread initiates 1000 connections
+				iterations = 1000
+				# delay each initiation in each thread by 20ms
+				delay = 20
+				# enable the fake kernel interface to
+				# avoid SA conflicts
+				fake_kernel = yes
+			}
+		}
+	}
+.EE
+.PP
+This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay
+value if your box can not handle that much load, or decrease it to put more
+load on it. If the daemon starts retransmitting messages your box probably can
+not handle all connection attempts.
+.PP
+The plugin also allows to test against a remote host. This might help to test
+against a real world configuration. A connection setup to do stress testing of
+a gateway might look like this:
+.PP
+.EX
+	charon {
+		reuse_ikesa = no
+		threads = 32
+
+		plugins {
+			load-tester {
+				enable = yes
+				# 10000 connections, ten in parallel
+				initiators = 10
+				iterations = 1000
+				# use a delay of 100ms, overall time is:
+				# iterations * delay = 100s
+				delay = 100
+				# address of the gateway
+				remote = 1.2.3.4
+				# IKE-proposal to use
+				proposal = aes128-sha1-modp1024
+				# use faster PSK authentication instead
+				# of 1024bit RSA
+				initiator_auth = psk
+				responder_auth = psk
+				# request a virtual IP using configuration
+				# payloads
+				request_virtual_ip = yes
+				# enable CHILD_SA every 60s
+				child_rekey = 60
+			}
+		}
+	}
+.EE
+
+.SH IKEv2 RETRANSMISSION
+Retransmission timeouts in the IKEv2 daemon charon can be configured globally
+using the three keys listed below:
+.PP
+.RS
+.nf
+.BR charon.retransmit_base " [1.8]"
+.BR charon.retransmit_timeout " [4.0]"
+.BR charon.retransmit_tries " [5]"
+.fi
+.RE
+.PP
+The following algorithm is used to calculate the timeout:
+.PP
+.EX
+	relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
+.EE
+.PP
+Where
+.I n
+is the current retransmission count.
+.PP
+Using the default values, packets are retransmitted in:
+
+.TS
+l r r
+---
+lB r r.
+Retransmission	Relative Timeout	Absolute Timeout
+1	4s	4s
+2	7s	11s
+3	13s	24s
+4	23s	47s
+5	42s	89s
+giving up	76s	165s
+.TE
+
+.SH FILES
+/etc/strongswan.conf
+
+.SH SEE ALSO
+ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+.SH HISTORY
+Written for the
+.UR http://www.strongswan.org
+strongSwan project
+.UE
+by Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 70a56f697..827fb7dfb 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -1,9 +1,17 @@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls
 AM_CFLAGS = \
--DPLUGINS="\"${libstrongswan_plugins}\""
+-DPLUGINS="\"${scripts_plugins}\""
 
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql \
-	thread_analysis dh_speed pubkey_speed
+	thread_analysis dh_speed pubkey_speed crypt_burn
+
+if USE_TLS
+	noinst_PROGRAMS += tls_test
+	tls_test_SOURCES = tls_test.c
+	tls_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+			$(top_builddir)/src/libtls/libtls.la
+endif
+
 bin2array_SOURCES = bin2array.c
 bin2sql_SOURCES = bin2sql.c
 id2sql_SOURCES = id2sql.c
@@ -12,11 +20,13 @@ keyid2sql_SOURCES = keyid2sql.c
 thread_analysis_SOURCES = thread_analysis.c
 dh_speed_SOURCES = dh_speed.c
 pubkey_speed_SOURCES = pubkey_speed.c
+crypt_burn_SOURCES = crypt_burn.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
+crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 key2keyid.o :	$(top_builddir)/config.status
 
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 20e6df94c..e28424350 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -36,7 +36,7 @@ build_triplet = @build@
 host_triplet = @host@
 noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \
 	key2keyid$(EXEEXT) keyid2sql$(EXEEXT) thread_analysis$(EXEEXT) \
-	dh_speed$(EXEEXT) pubkey_speed$(EXEEXT)
+	dh_speed$(EXEEXT) pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT)
 subdir = scripts
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -47,6 +47,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -60,6 +61,10 @@ bin2array_LDADD = $(LDADD)
 am_bin2sql_OBJECTS = bin2sql.$(OBJEXT)
 bin2sql_OBJECTS = $(am_bin2sql_OBJECTS)
 bin2sql_LDADD = $(LDADD)
+am_crypt_burn_OBJECTS = crypt_burn.$(OBJEXT)
+crypt_burn_OBJECTS = $(am_crypt_burn_OBJECTS)
+crypt_burn_DEPENDENCIES =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la
 am_dh_speed_OBJECTS = dh_speed.$(OBJEXT)
 dh_speed_OBJECTS = $(am_dh_speed_OBJECTS)
 dh_speed_DEPENDENCIES =  \
@@ -96,13 +101,14 @@ CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
-SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) $(dh_speed_SOURCES) \
-	$(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
+	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
 	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES)
 DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \
-	$(dh_speed_SOURCES) $(id2sql_SOURCES) $(key2keyid_SOURCES) \
-	$(keyid2sql_SOURCES) $(pubkey_speed_SOURCES) \
-	$(thread_analysis_SOURCES)
+	$(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \
+	$(key2keyid_SOURCES) $(keyid2sql_SOURCES) \
+	$(pubkey_speed_SOURCES) $(thread_analysis_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -171,6 +177,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +210,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +235,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +267,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -261,9 +282,9 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls
 AM_CFLAGS = \
--DPLUGINS="\"${libstrongswan_plugins}\""
+-DPLUGINS="\"${scripts_plugins}\""
 
 bin2array_SOURCES = bin2array.c
 bin2sql_SOURCES = bin2sql.c
@@ -273,11 +294,13 @@ keyid2sql_SOURCES = keyid2sql.c
 thread_analysis_SOURCES = thread_analysis.c
 dh_speed_SOURCES = dh_speed.c
 pubkey_speed_SOURCES = pubkey_speed.c
+crypt_burn_SOURCES = crypt_burn.c
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
 pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt
+crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
 
 .SUFFIXES:
@@ -327,6 +350,9 @@ bin2array$(EXEEXT): $(bin2array_OBJECTS) $(bin2array_DEPENDENCIES)
 bin2sql$(EXEEXT): $(bin2sql_OBJECTS) $(bin2sql_DEPENDENCIES) 
 	@rm -f bin2sql$(EXEEXT)
 	$(LINK) $(bin2sql_OBJECTS) $(bin2sql_LDADD) $(LIBS)
+crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) 
+	@rm -f crypt_burn$(EXEEXT)
+	$(LINK) $(crypt_burn_OBJECTS) $(crypt_burn_LDADD) $(LIBS)
 dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) 
 	@rm -f dh_speed$(EXEEXT)
 	$(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS)
@@ -354,6 +380,7 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2array.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2sql.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypt_burn.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh_speed.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@
@@ -586,6 +613,11 @@ uninstall-am:
 	pdf pdf-am ps ps-am tags uninstall uninstall-am
 
 
+@USE_TLS_TRUE@	noinst_PROGRAMS += tls_test
+@USE_TLS_TRUE@	tls_test_SOURCES = tls_test.c
+@USE_TLS_TRUE@	tls_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+@USE_TLS_TRUE@			$(top_builddir)/src/libtls/libtls.la
+
 key2keyid.o :	$(top_builddir)/config.status
 
 keyid2sql.o :	$(top_builddir)/config.status
diff --git a/scripts/crypt_burn.c b/scripts/crypt_burn.c
new file mode 100644
index 000000000..25f18d47e
--- /dev/null
+++ b/scripts/crypt_burn.c
@@ -0,0 +1,102 @@
+
+#include <stdio.h>
+#include <library.h>
+#include <crypto/proposal/proposal_keywords.h>
+
+int main(int argc, char *argv[])
+{
+	const proposal_token_t *token;
+	aead_t *aead;
+	crypter_t *crypter;
+	char buffer[1024], assoc[8], iv[32];
+	size_t bs;
+	int i = 0, limit = 0;
+
+
+	library_init(NULL);
+	lib->plugins->load(lib->plugins, NULL, PLUGINS);
+	atexit(library_deinit);
+
+	printf("loaded: %s\n", PLUGINS);
+
+	memset(buffer, 0x12, sizeof(buffer));
+	memset(assoc, 0x34, sizeof(assoc));
+	memset(iv, 0x56, sizeof(iv));
+
+	if (argc < 2)
+	{
+		fprintf(stderr, "usage: %s <algorithm>!\n", argv[0]);
+		return 1;
+	}
+	if (argc > 2)
+	{
+		limit = atoi(argv[2]);
+	}
+
+	token = proposal_get_token(argv[1], strlen(argv[1]));
+	if (!token)
+	{
+		fprintf(stderr, "algorithm '%s' unknown!\n", argv[1]);
+		return 1;
+	}
+	if (token->type != ENCRYPTION_ALGORITHM)
+	{
+		fprintf(stderr, "'%s' is not an encryption/aead algorithm!\n", argv[1]);
+		return 1;
+	}
+
+	if (encryption_algorithm_is_aead(token->algorithm))
+	{
+		aead = lib->crypto->create_aead(lib->crypto,
+										token->algorithm, token->keysize / 8);
+		if (!aead)
+		{
+			fprintf(stderr, "aead '%s' not supported!\n", argv[1]);
+			return 1;
+		}
+		while (TRUE)
+		{
+			aead->encrypt(aead,
+				chunk_create(buffer, sizeof(buffer) - aead->get_icv_size(aead)),
+				chunk_from_thing(assoc),
+				chunk_create(iv, aead->get_iv_size(aead)), NULL);
+			if (!aead->decrypt(aead, chunk_create(buffer, sizeof(buffer)),
+				chunk_from_thing(assoc),
+				chunk_create(iv, aead->get_iv_size(aead)), NULL))
+			{
+				fprintf(stderr, "aead integrity check failed!\n");
+				return FALSE;
+			}
+			if (limit && ++i == limit)
+			{
+				break;
+			}
+		}
+	}
+	else
+	{
+		crypter = lib->crypto->create_crypter(lib->crypto,
+										token->algorithm, token->keysize / 8);
+		if (!crypter)
+		{
+			fprintf(stderr, "crypter '%s' not supported!\n", argv[1]);
+			return 1;
+		}
+		bs = crypter->get_block_size(crypter);
+
+		while (i--)
+		{
+			crypter->encrypt(crypter,
+				chunk_create(buffer, sizeof(buffer) / bs * bs),
+				chunk_create(iv, crypter->get_iv_size(crypter)), NULL);
+			crypter->decrypt(crypter,
+				chunk_create(buffer, sizeof(buffer) / bs * bs),
+				chunk_create(iv, crypter->get_iv_size(crypter)), NULL);
+			if (limit && ++i == limit)
+			{
+				break;
+			}
+		}
+	}
+	return 0;
+}
diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c
index 551d031c6..6a8301c6a 100644
--- a/scripts/key2keyid.c
+++ b/scripts/key2keyid.c
@@ -35,7 +35,7 @@ int main(int argc, char *argv[])
 	if (private)
 	{
 		printf("parsed %d bits %N private key.\n",
-			   private->get_keysize(private)*8,
+			   private->get_keysize(private),
 			   key_type_names, private->get_type(private));
 		if (private->get_fingerprint(private, KEYID_PUBKEY_INFO_SHA1, &chunk))
 		{
@@ -65,7 +65,7 @@ int main(int argc, char *argv[])
 	if (public)
 	{
 		printf("parsed %d bits %N public key.\n",
-			   public->get_keysize(public)*8,
+			   public->get_keysize(public),
 			   key_type_names, public->get_type(public));
 		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk))
 		{
diff --git a/scripts/pubkey_speed.c b/scripts/pubkey_speed.c
index 255f650f5..6402e606d 100644
--- a/scripts/pubkey_speed.c
+++ b/scripts/pubkey_speed.c
@@ -79,23 +79,23 @@ int main(int argc, char *argv[])
 	{
 		switch (private->get_keysize(private))
 		{
-			case 32:
+			case 256:
 				scheme = SIGN_ECDSA_256;
 				break;
-			case 48:
+			case 384:
 				scheme = SIGN_ECDSA_384;
 				break;
-			case 66:
+			case 521:
 				scheme = SIGN_ECDSA_521;
 				break;
 			default:
 				printf("%d bit ECDSA private key size not supported",
-						private->get_keysize(private) * 8);
+						private->get_keysize(private));
 				exit(1);
 		}
 	}
 
-	printf("%4d bit %N: ", private->get_keysize(private)*8,
+	printf("%4d bit %N: ", private->get_keysize(private),
 		key_type_names, type);
 
 	sigs = malloc(sizeof(chunk_t) * rounds);
diff --git a/src/Makefile.am b/src/Makefile.am
index 8d4dd2e37..0edddc9fc 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -12,6 +12,10 @@ if USE_SIMAKA
   SUBDIRS += libsimaka
 endif
 
+if USE_TLS
+  SUBDIRS += libtls
+endif
+
 if USE_FILE_CONFIG
   SUBDIRS += libfreeswan starter ipsec _copyright
 endif
diff --git a/src/Makefile.in b/src/Makefile.in
index 0bd728397..cb688d795 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -36,17 +36,18 @@ host_triplet = @host@
 @USE_LIBSTRONGSWAN_TRUE@am__append_1 = libstrongswan
 @USE_LIBHYDRA_TRUE@am__append_2 = libhydra
 @USE_SIMAKA_TRUE@am__append_3 = libsimaka
-@USE_FILE_CONFIG_TRUE@am__append_4 = libfreeswan starter ipsec _copyright
-@USE_PLUTO_TRUE@am__append_5 = pluto whack
-@USE_CHARON_TRUE@am__append_6 = libcharon charon
-@USE_STROKE_TRUE@am__append_7 = stroke
-@USE_UPDOWN_TRUE@am__append_8 = _updown _updown_espmark
-@USE_TOOLS_TRUE@am__append_9 = libfreeswan openac scepclient pki
-@USE_DUMM_TRUE@am__append_10 = dumm
-@USE_FAST_TRUE@am__append_11 = libfast
-@USE_MANAGER_TRUE@am__append_12 = manager
-@USE_MEDSRV_TRUE@am__append_13 = medsrv
-@USE_INTEGRITY_TEST_TRUE@am__append_14 = checksum
+@USE_TLS_TRUE@am__append_4 = libtls
+@USE_FILE_CONFIG_TRUE@am__append_5 = libfreeswan starter ipsec _copyright
+@USE_PLUTO_TRUE@am__append_6 = pluto whack
+@USE_CHARON_TRUE@am__append_7 = libcharon charon
+@USE_STROKE_TRUE@am__append_8 = stroke
+@USE_UPDOWN_TRUE@am__append_9 = _updown _updown_espmark
+@USE_TOOLS_TRUE@am__append_10 = libfreeswan openac scepclient pki
+@USE_DUMM_TRUE@am__append_11 = dumm
+@USE_FAST_TRUE@am__append_12 = libfast
+@USE_MANAGER_TRUE@am__append_13 = manager
+@USE_MEDSRV_TRUE@am__append_14 = medsrv
+@USE_INTEGRITY_TEST_TRUE@am__append_15 = checksum
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -57,6 +58,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -79,10 +81,10 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libfreeswan \
-	starter ipsec _copyright pluto whack libcharon charon stroke \
-	_updown _updown_espmark openac scepclient pki dumm libfast \
-	manager medsrv checksum
+DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libtls \
+	libfreeswan starter ipsec _copyright pluto whack libcharon \
+	charon stroke _updown _updown_espmark openac scepclient pki \
+	dumm libfast manager medsrv checksum
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -174,6 +176,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -205,14 +209,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -227,24 +234,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -252,7 +266,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -268,7 +285,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5) $(am__append_6) \
 	$(am__append_7) $(am__append_8) $(am__append_9) \
 	$(am__append_10) $(am__append_11) $(am__append_12) \
-	$(am__append_13) $(am__append_14)
+	$(am__append_13) $(am__append_14) $(am__append_15)
 EXTRA_DIST = strongswan.conf
 all: all-recursive
 
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index eb52fc52e..58ebb523c 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/_copyright/_copyright.c b/src/_copyright/_copyright.c
index 9f0ad9785..072998345 100644
--- a/src/_copyright/_copyright.c
+++ b/src/_copyright/_copyright.c
@@ -20,7 +20,9 @@
 #include <string.h>
 #include <unistd.h>
 #include <getopt.h>
+
 #include <freeswan.h>
+#include <library.h>
 
 char usage[] = "Usage: ipsec _copyright";
 struct option opts[] = {
@@ -40,6 +42,9 @@ main(int argc, char *argv[])
 	const char **notice = ipsec_copyright_notice();
 	const char **co;
 
+	library_init(NULL);
+	atexit(library_deinit);
+
 	while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
 		switch (opt) {
 		case 'h':	/* help */
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 73ecf1abb..44c058d03 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -145,6 +146,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -176,14 +179,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -198,24 +204,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -223,7 +236,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 430a0cff6..2c742c010 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -124,7 +124,7 @@
 #       PLUTO_MARK_OUT
 #              is an optional XFRM mark set on the outbound IPsec SA
 #
-#       PLUTO_ESP_ENC
+#       PLUTO_UDP_ENC
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 10ea4312f..db44ee74e 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -145,6 +146,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -176,14 +179,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -198,24 +204,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -223,7 +236,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark
index 42cd3607b..e078dc245 100644
--- a/src/_updown_espmark/_updown_espmark
+++ b/src/_updown_espmark/_updown_espmark
@@ -124,7 +124,7 @@
 #       PLUTO_MARK_OUT
 #              is an optional XFRM mark set on the outbound IPsec SA
 #
-#       PLUTO_ESP_ENC
+#       PLUTO_UDP_ENC
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 72abca97e..5a60af3d8 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -144,6 +145,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -175,14 +178,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -197,24 +203,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -222,7 +235,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 84cd54615..fd255e919 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -283,7 +283,7 @@ static void usage(const char *msg)
 					"         [--version]\n"
 					"         [--use-syslog]\n"
 					"         [--debug-<type> <level>]\n"
-					"           <type>:  log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n"
+					"           <type>:  log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|tnc|tls|lib)\n"
 					"           <level>: log verbosity (-1 = silent, 0 = audit, 1 = control,\n"
 					"                                    2 = controlmore, 3 = raw, 4 = private)\n"
 					"\n"
@@ -355,6 +355,8 @@ int main(int argc, char *argv[])
 			{ "debug-knl", required_argument, &group, DBG_KNL },
 			{ "debug-net", required_argument, &group, DBG_NET },
 			{ "debug-enc", required_argument, &group, DBG_ENC },
+			{ "debug-tnc", required_argument, &group, DBG_TNC },
+			{ "debug-tls", required_argument, &group, DBG_TLS },
 			{ "debug-lib", required_argument, &group, DBG_LIB },
 			{ 0,0,0,0 }
 		};
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index ad2923799..3aded1d9e 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -14,13 +14,13 @@ checksum_builder_LDADD = \
 BUILT_SOURCES = checksum.c
 CLEANFILES = checksum.c
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+	-DS_PLUGINS=\""${s_plugins}\"" -DS_PATH=\""${top_builddir}/src/libstrongswan/plugins\"" \
+	-DH_PLUGINS=\""${h_plugins}\"" -DH_PATH=\""${top_builddir}/src/libhydra/plugins\"" \
+	-DP_PLUGINS=\""${p_plugins}\"" -DP_PATH=\""${top_builddir}/src/pluto/plugins\"" \
+	-DC_PLUGINS=\""${c_plugins}\"" -DC_PATH=\""${top_builddir}/src/libcharon/plugins\""
 
-libs =	$(shell find $(top_builddir)/src/libstrongswan \
-			$(top_builddir)/src/libcharon \
-			$(top_builddir)/src/libhydra \
-			$(top_builddir)/src/pluto \
-			-name 'libstrongswan*.so')
+libs = $(top_builddir)/src/libstrongswan/.libs/libstrongswan.so
 
 if USE_LIBHYDRA
   libs += $(top_builddir)/src/libhydra/.libs/libhydra.so
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 05e90a9a1..61bfc1a9d 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -55,6 +55,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -182,6 +183,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -213,14 +216,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -235,24 +241,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -260,7 +273,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -285,10 +301,13 @@ checksum_builder_LDADD = \
 BUILT_SOURCES = checksum.c
 CLEANFILES = checksum.c
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -rdynamic
-libs = $(shell find $(top_builddir)/src/libstrongswan \
-	$(top_builddir)/src/libcharon $(top_builddir)/src/libhydra \
-	$(top_builddir)/src/pluto -name 'libstrongswan*.so') \
+AM_CFLAGS = -rdynamic \
+	-DS_PLUGINS=\""${s_plugins}\"" -DS_PATH=\""${top_builddir}/src/libstrongswan/plugins\"" \
+	-DH_PLUGINS=\""${h_plugins}\"" -DH_PATH=\""${top_builddir}/src/libhydra/plugins\"" \
+	-DP_PLUGINS=\""${p_plugins}\"" -DP_PATH=\""${top_builddir}/src/pluto/plugins\"" \
+	-DC_PLUGINS=\""${c_plugins}\"" -DC_PATH=\""${top_builddir}/src/libcharon/plugins\""
+
+libs = $(top_builddir)/src/libstrongswan/.libs/libstrongswan.so \
 	$(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_4) $(am__append_5)
 all: $(BUILT_SOURCES)
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index 2db68054e..dc1de99c3 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -19,14 +19,113 @@
 #include <dlfcn.h>
 
 #include <library.h>
+#include <utils/enumerator.h>
 
 /* we need to fake the pluto symbol to dlopen() the xauth plugin */
 void *pluto;
 
+/**
+ * Integrity checker
+ */
+integrity_checker_t *integrity;
+
+/**
+ * Create the checksum of a binary, using name and a symbol name
+ */
+static void build_checksum(char *path, char *name, char *sname)
+{
+	void *handle, *symbol;
+	u_int32_t fsum, ssum;
+	size_t fsize = 0;
+	size_t ssize = 0;
+
+	fsum = integrity->build_file(integrity, path, &fsize);
+	ssum = 0;
+	if (sname)
+	{
+		handle = dlopen(path, RTLD_LAZY);
+		if (handle)
+		{
+			symbol = dlsym(handle, sname);
+			if (symbol)
+			{
+				ssum = integrity->build_segment(integrity, symbol, &ssize);
+			}
+			else
+			{
+				fprintf(stderr, "symbol lookup failed: %s\n", dlerror());
+			}
+			dlclose(handle);
+		}
+		else
+		{
+			fprintf(stderr, "dlopen failed: %s\n", dlerror());
+		}
+	}
+	printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n",
+		   name, fsize, fsum, ssize, ssum);
+	fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n",
+			name, fsize, fsum, ssize, ssum);
+}
+
+/**
+ * Build checksums for a set of plugins in a given path prefix
+ */
+static void build_plugin_checksums(char *plugins, char *prefix)
+{
+	enumerator_t *enumerator;
+	char *plugin, path[256], under[128], sname[128], name[128];
+
+	enumerator = enumerator_create_token(plugins, " ", " ");
+	while (enumerator->enumerate(enumerator, &plugin))
+	{
+		snprintf(under, sizeof(under), "%s", plugin);
+		translate(under, "-", "_");
+		snprintf(path, sizeof(path), "%s/%s/.libs/libstrongswan-%s.so",
+				 prefix, under, plugin);
+		snprintf(sname, sizeof(sname), "%s_plugin_create", under);
+		snprintf(name, sizeof(name), "%s\",", plugin);
+		build_checksum(path, name, sname);
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Build checksums for a binary/library found at path
+ */
+static void build_binary_checksum(char *path)
+{
+	char *binary, *pos, name[128], sname[128];
+
+	binary = strrchr(path, '/');
+	if (binary)
+	{
+		binary++;
+		pos = strrchr(binary, '.');
+		if (pos && streq(pos, ".so"))
+		{
+			snprintf(name, sizeof(name), "%.*s\",", pos - binary, binary);
+			if (streq(name, "libstrongswan\","))
+			{
+				snprintf(sname, sizeof(sname), "%s", "library_init");
+			}
+			else
+			{
+				snprintf(sname, sizeof(sname), "%.*s_init", pos - binary, binary);
+			}
+			build_checksum(path, name, sname);
+		}
+		else
+		{
+			snprintf(name, sizeof(name), "%s\",", binary);
+			build_checksum(path, name, NULL);
+		}
+	}
+}
+
 int main(int argc, char* argv[])
 {
 	int i;
-	integrity_checker_t *integrity;
 
 	/* avoid confusing leak reports in build process */
 	setenv("LEAK_DETECTIVE_DISABLE", "1", 0);
@@ -47,105 +146,13 @@ int main(int argc, char* argv[])
 	fprintf(stderr, "module name,       file size / checksum   segment size / checksum\n");
 	for (i = 1; i < argc; i++)
 	{
-		char *name, *path, *sname = NULL;
-		void *handle, *symbol;
-		u_int32_t fsum, ssum;
-		size_t fsize = 0;
-		size_t ssize = 0;
-
-		path = argv[i];
-
-		if ((name = strstr(path, "libstrongswan-")))
-		{
-			name = strdup(name + strlen("libstrongswan-"));
-			name[strlen(name) - 3] = '"';
-			name[strlen(name) - 2] = ',';
-			name[strlen(name) - 1] = '\0';
-			if (asprintf(&sname, "%.*s_plugin_create", strlen(name) - 2,
-						 name) < 0)
-			{
-				fprintf(stderr, "failed to format plugin constructor "
-						"for '%s', ignored", path);
-				free(name);
-				continue;
-			}
-			translate(sname, "-", "_");
-		}
-		else if (strstr(path, "libstrongswan.so"))
-		{
-			name = strdup("libstrongswan\",");
-			sname = strdup("library_init");
-		}
-		else if (strstr(path, "libhydra.so"))
-		{
-			name = strdup("libhydra\",");
-			sname = strdup("libhydra_init");
-		}
-		else if (strstr(path, "libcharon.so"))
-		{
-			name = strdup("libcharon\",");
-			sname = strdup("libcharon_init");
-		}
-		else if (strstr(path, "pool"))
-		{
-			name = strdup("pool\",");
-		}
-		else if (strstr(path, "charon"))
-		{
-			name = strdup("charon\",");
-		}
-		else if (strstr(path, "pluto"))
-		{
-			name = strdup("pluto\",");
-		}
-		else if (strstr(path, "openac"))
-		{
-			name = strdup("openac\",");
-		}
-		else if (strstr(path, "scepclient"))
-		{
-			name = strdup("scepclient\",");
-		}
-		else if (strstr(path, "pki"))
-		{
-			name = strdup("pki\",");
-		}
-		else
-		{
-			fprintf(stderr, "don't know how to handle '%s', ignored", path);
-			continue;
-		}
-
-		fsum = integrity->build_file(integrity, path, &fsize);
-		ssum = 0;
-		if (sname)
-		{
-			handle = dlopen(path, RTLD_LAZY);
-			if (handle)
-			{
-				symbol = dlsym(handle, sname);
-				if (symbol)
-				{
-					ssum = integrity->build_segment(integrity, symbol, &ssize);
-				}
-				else
-				{
-					fprintf(stderr, "symbol lookup failed: %s\n", dlerror());
-				}
-				dlclose(handle);
-			}
-			else
-			{
-				fprintf(stderr, "dlopen failed: %s\n", dlerror());
-			}
-		}
-		printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n",
-			   name, fsize, fsum, ssize, ssum);
-		fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n",
-				name, fsize, fsum, ssize, ssum);
-		free(sname);
-		free(name);
+		build_binary_checksum(argv[i]);
 	}
+	build_plugin_checksums(S_PLUGINS, S_PATH);
+	build_plugin_checksums(H_PLUGINS, H_PATH);
+	build_plugin_checksums(P_PLUGINS, P_PATH);
+	build_plugin_checksums(C_PLUGINS, C_PATH);
+
 	printf("};\n");
 	printf("\n");
 	printf("int checksum_count = countof(checksums);\n");
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 37751b856..7c22f5ec5 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +205,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +262,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/dumm/cowfs.c b/src/dumm/cowfs.c
index 70767890b..b92be53e0 100644
--- a/src/dumm/cowfs.c
+++ b/src/dumm/cowfs.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2001-2007 Miklos Szeredi
@@ -35,6 +36,8 @@
 #include <library.h>
 #include <debug.h>
 #include <threading/thread.h>
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
 
 /** define _XOPEN_SOURCE 500 fails when using libstrongswan, define popen */
 extern ssize_t pread(int fd, void *buf, size_t count, off_t offset);
@@ -55,18 +58,66 @@ struct private_cowfs_t {
 	char *master;
 	/** host filesystem path */
 	char *host;
-	/** overlay filesystem path */
-	char *over;
+	/** overlay filesystems */
+	linked_list_t *overlays;
+	/** lock for overlays */
+	rwlock_t *lock;
 	/** fd of read only master filesystem */
 	int master_fd;
 	/** copy on write overlay to master */
 	int host_fd;
-	/** optional COW overlay */
-	int over_fd;
 	/** thread processing FUSE */
 	thread_t *thread;
 };
 
+typedef struct overlay_t overlay_t;
+
+/**
+ * data for overlay filesystems
+ */
+struct overlay_t {
+	/** path to overlay */
+	char *path;
+	/** overlay fd */
+	int fd;
+};
+
+/**
+ * destroy an overlay
+ */
+static void overlay_destroy(overlay_t *this)
+{
+	close(this->fd);
+	free(this->path);
+	free(this);
+}
+
+/**
+ * compare two overlays by path
+ */
+static bool overlay_equals(overlay_t *this, overlay_t *other)
+{
+	return streq(this->path, other->path);
+}
+
+/**
+ * remove and destroy the overlay with the given absolute path.
+ * returns FALSE, if not found.
+ */
+static bool overlay_remove(private_cowfs_t *this, char *path)
+{
+	overlay_t over, *current;
+	over.path = path;
+	if (this->overlays->find_first(this->overlays,
+			(linked_list_match_t)overlay_equals, (void**)&current, &over) != SUCCESS)
+	{
+		return FALSE;
+	}
+	this->overlays->remove(this->overlays, current, NULL);
+	overlay_destroy(current);
+	return TRUE;
+}
+
 /**
  * get this pointer stored in fuse context
  */
@@ -95,12 +146,25 @@ static void rel(const char **path)
  */
 static int get_rd(const char *path)
 {
+	overlay_t *over;
+	enumerator_t *enumerator;
 	private_cowfs_t *this = get_this();
 
-	if (this->over_fd > 0 && faccessat(this->over_fd, path, F_OK, 0) == 0)
+	this->lock->read_lock(this->lock);
+	enumerator = this->overlays->create_enumerator(this->overlays);
+	while (enumerator->enumerate(enumerator, (void**)&over))
 	{
-		return this->over_fd;
+		if (faccessat(over->fd, path, F_OK, 0) == 0)
+		{
+			int fd = over->fd;
+			enumerator->destroy(enumerator);
+			this->lock->unlock(this->lock);
+			return fd;
+		}
 	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
 	if (faccessat(this->host_fd, path, F_OK, 0) == 0)
 	{
 		return this->host_fd;
@@ -113,12 +177,16 @@ static int get_rd(const char *path)
  */
 static int get_wr(const char *path)
 {
+	overlay_t *over;
 	private_cowfs_t *this = get_this();
-	if (this->over_fd > 0)
+	int fd = this->host_fd;
+	this->lock->read_lock(this->lock);
+	if (this->overlays->get_first(this->overlays, (void**)&over) == SUCCESS)
 	{
-		return this->over_fd;
+		fd = over->fd;
 	}
-	return this->host_fd;
+	this->lock->unlock(this->lock);
+	return fd;
 }
 
 /**
@@ -287,17 +355,29 @@ static DIR* get_dir(char *dir, const char *subdir)
  */
 static bool contains_dir(DIR *d, char *dirname)
 {
-	if (d)
+	struct dirent *ent;
+
+	rewinddir(d);
+	while ((ent = readdir(d)))
 	{
-		struct dirent *ent;
+		if (streq(ent->d_name, dirname))
+		{
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
 
-		rewinddir(d);
-		while ((ent = readdir(d)))
+/**
+ * check if one of the higher overlays contains a directory
+ */
+static bool overlays_contain_dir(DIR **d, char *dirname)
+{
+	for (; *d; ++d)
+	{
+		if (contains_dir(*d, dirname))
 		{
-			if (streq(ent->d_name, dirname))
-			{
-				return TRUE;
-			}
+			return TRUE;
 		}
 	}
 	return FALSE;
@@ -309,56 +389,54 @@ static bool contains_dir(DIR *d, char *dirname)
 static int cowfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
 						 off_t offset, struct fuse_file_info *fi)
 {
+#define ADD_DIR(overlay, base, path) ({\
+	DIR *dir = get_dir(base, path);\
+	if (dir) { *(--overlay) = dir; }\
+})
 	private_cowfs_t *this = get_this();
-	DIR *d1, *d2, *d3;
+	int count;
+	DIR **d, **overlays;
 	struct stat st;
 	struct dirent *ent;
+	overlay_t *over;
+	enumerator_t *enumerator;
 
 	memset(&st, 0, sizeof(st));
 
-	d1 = get_dir(this->master, path);
-	d2 = get_dir(this->host, path);
-	d3 = get_dir(this->over, path);
+	this->lock->read_lock(this->lock);
+	/* create a null-terminated array of DIR objects for all overlays (including
+	 * the master and host layer). the order is from bottom to top */
+	count = this->overlays->get_count(this->overlays) + 2;
+	overlays = calloc(count + 1, sizeof(DIR*));
+	d = &overlays[count];
 
-	if (d1)
+	enumerator = this->overlays->create_enumerator(this->overlays);
+	while (enumerator->enumerate(enumerator, (void**)&over))
 	{
-		while ((ent = readdir(d1)))
-		{
-			if (!contains_dir(d2, ent->d_name) &&
-				!contains_dir(d3, ent->d_name))
-			{
-				st.st_ino = ent->d_ino;
-				st.st_mode = ent->d_type << 12;
-				filler(buf, ent->d_name, &st, 0);
-			}
-		}
-		closedir(d1);
+		ADD_DIR(d, over->path, path);
 	}
-	if (d2)
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+
+	ADD_DIR(d, this->host, path);
+	ADD_DIR(d, this->master, path);
+
+	for (; *d; ++d)
 	{
-		rewinddir(d2);
-		while ((ent = readdir(d2)))
+		rewinddir(*d);
+		while((ent = readdir(*d)))
 		{
-			if (!contains_dir(d3, ent->d_name))
+			if (!overlays_contain_dir(d + 1, ent->d_name))
 			{
 				st.st_ino = ent->d_ino;
 				st.st_mode = ent->d_type << 12;
 				filler(buf, ent->d_name, &st, 0);
 			}
 		}
-		closedir(d2);
-	}
-	if (d3)
-	{
-		rewinddir(d3);
-		while ((ent = readdir(d3)))
-		{
-			st.st_ino = ent->d_ino;
-			st.st_mode = ent->d_type << 12;
-			filler(buf, ent->d_name, &st, 0);
-		}
-		closedir(d3);
+		closedir(*d);
 	}
+
+	free(overlays);
 	return 0;
 }
 
@@ -758,30 +836,53 @@ static struct fuse_operations cowfs_operations = {
 };
 
 /**
- * Implementation of cowfs_t.set_overlay.
+ * Implementation of cowfs_t.add_overlay.
  */
-static bool set_overlay(private_cowfs_t *this, char *path)
+static bool add_overlay(private_cowfs_t *this, char *path)
 {
-	if (this->over)
-	{
-		free(this->over);
-		this->over = NULL;
-	}
-	if (this->over_fd > 0)
-	{
-		close(this->over_fd);
-		this->over_fd = -1;
-	}
-	if (path)
+	overlay_t *over = malloc_thing(overlay_t);
+	over->fd = open(path, O_RDONLY | O_DIRECTORY);
+	if (over->fd < 0)
+	{
+		DBG1(DBG_LIB, "failed to open overlay directory '%s': %m", path);
+		free(over);
+		return FALSE;
+	}
+	over->path = realpath(path, NULL);
+	this->lock->write_lock(this->lock);
+	overlay_remove(this, over->path);
+	this->overlays->insert_first(this->overlays, over);
+	this->lock->unlock(this->lock);
+	return TRUE;
+}
+
+/**
+ * Implementation of cowfs_t.del_overlay.
+ */
+static bool del_overlay(private_cowfs_t *this, char *path)
+{
+	bool removed;
+	char real[PATH_MAX];
+	this->lock->write_lock(this->lock);
+	removed = overlay_remove(this, realpath(path, real));
+	this->lock->unlock(this->lock);
+	return removed;
+}
+
+/**
+ * Implementation of cowfs_t.pop_overlay.
+ */
+static bool pop_overlay(private_cowfs_t *this)
+{
+	overlay_t *over;
+	this->lock->write_lock(this->lock);
+	if (this->overlays->remove_first(this->overlays, (void**)&over) != SUCCESS)
 	{
-		this->over_fd = open(path, O_RDONLY | O_DIRECTORY);
-		if (this->over_fd < 0)
-		{
-			DBG1(DBG_LIB, "failed to open overlay directory '%s': %m", path);
-			return FALSE;
-		}
-		this->over = strdup(path);
+		this->lock->unlock(this->lock);
+		return FALSE;
 	}
+	this->lock->unlock(this->lock);
+	overlay_destroy(over);
 	return TRUE;
 }
 
@@ -794,16 +895,13 @@ static void destroy(private_cowfs_t *this)
 	fuse_unmount(this->mount, this->chan);
 	this->thread->join(this->thread);
 	fuse_destroy(this->fuse);
+	this->lock->destroy(this->lock);
+	this->overlays->destroy_function(this->overlays, (void*)overlay_destroy);
 	free(this->mount);
 	free(this->master);
 	free(this->host);
-	free(this->over);
 	close(this->master_fd);
 	close(this->host_fd);
-	if (this->over_fd > 0)
-	{
-		close(this->over_fd);
-	}
 	free(this);
 }
 
@@ -815,7 +913,9 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 	struct fuse_args args = {0, NULL, 0};
 	private_cowfs_t *this = malloc_thing(private_cowfs_t);
 
-	this->public.set_overlay = (bool(*)(cowfs_t*, char *path))set_overlay;
+	this->public.add_overlay = (bool(*)(cowfs_t*, char *path))add_overlay;
+	this->public.del_overlay = (bool(*)(cowfs_t*, char *path))del_overlay;
+	this->public.pop_overlay = (bool(*)(cowfs_t*))pop_overlay;
 	this->public.destroy = (void(*)(cowfs_t*))destroy;
 
 	this->master_fd = open(master, O_RDONLY | O_DIRECTORY);
@@ -833,7 +933,6 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 		free(this);
 		return NULL;
 	}
-	this->over_fd = -1;
 
 	this->chan = fuse_mount(mount, &args);
 	if (this->chan == NULL)
@@ -860,13 +959,16 @@ cowfs_t *cowfs_create(char *master, char *host, char *mount)
 	this->mount = strdup(mount);
 	this->master = strdup(master);
 	this->host = strdup(host);
-	this->over = NULL;
+	this->overlays = linked_list_create();
+	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 
 	this->thread = thread_create((thread_main_t)fuse_loop, this->fuse);
 	if (!this->thread)
 	{
 		DBG1(DBG_LIB, "creating thread to handle FUSE failed");
 		fuse_unmount(mount, this->chan);
+		this->lock->destroy(this->lock);
+		this->overlays->destroy(this->overlays);
 		free(this->mount);
 		free(this->master);
 		free(this->host);
diff --git a/src/dumm/cowfs.h b/src/dumm/cowfs.h
index d430597a8..b9334dc96 100644
--- a/src/dumm/cowfs.h
+++ b/src/dumm/cowfs.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -27,12 +28,29 @@ typedef struct cowfs_t cowfs_t;
 struct cowfs_t {
 
 	/**
-	 * Set an additional copy on write overlay.
+	 * Adds an additional copy on write overlay.
+	 *
+	 * If the path was already added as overlay, it is moved to the top.
+	 *
+	 * @param path		path of the overlay
+	 * @return			FALSE, if failed
+	 */
+	bool (*add_overlay)(cowfs_t *this, char *path);
+
+	/**
+	 * Remove the specified copy on write overlay.
 	 *
 	 * @param path		path of the overlay
-	 * @return 			FALSE if failed
+	 * @return			FALSE, if not found
+	 */
+	bool (*del_overlay)(cowfs_t *this, char *path);
+
+	/**
+	 * Remove the most recently added copy on write overlay.
+	 *
+	 * @return			FALSE, if no overlay was found
 	 */
-	bool (*set_overlay)(cowfs_t *this, char *path);
+	bool (*pop_overlay)(cowfs_t *this);
 
 	/**
 	 * Stop, umount and destroy a cowfs FUSE filesystem.
diff --git a/src/dumm/dumm.c b/src/dumm/dumm.c
index 7ec340089..8cd413519 100644
--- a/src/dumm/dumm.c
+++ b/src/dumm/dumm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -128,51 +128,145 @@ static void delete_bridge(private_dumm_t *this, bridge_t *bridge)
 }
 
 /**
- * disable the currently enabled template
+ * Implementation of dumm_t.add_overlay.
  */
-static void clear_template(private_dumm_t *this)
+static bool add_overlay(private_dumm_t *this, char *dir)
 {
 	enumerator_t *enumerator;
 	guest_t *guest;
 
-	free(this->template);
-	this->template = NULL;
+	if (dir == NULL)
+	{
+		return TRUE;
+	}
+	if (strlen(dir) > PATH_MAX)
+	{
+		DBG1(DBG_LIB, "overlay directory string '%s' is too long", dir);
+		return FALSE;
+	}
+	if (access(dir, F_OK) != 0)
+	{
+		if (!mkdir_p(dir, PERME))
+		{
+			DBG1(DBG_LIB, "creating overlay directory '%s' failed: %m", dir);
+			return FALSE;
+		}
+	}
+	enumerator = this->guests->create_enumerator(this->guests);
+	while (enumerator->enumerate(enumerator, (void**)&guest))
+	{
+		char guest_dir[PATH_MAX];
+		int len = snprintf(guest_dir, sizeof(guest_dir), "%s/%s", dir,
+						   guest->get_name(guest));
+		if (len < 0 || len >= sizeof(guest_dir))
+		{
+			goto error;
+		}
+		if (access(guest_dir, F_OK) != 0)
+		{
+			if (!mkdir_p(guest_dir, PERME))
+			{
+				DBG1(DBG_LIB, "creating overlay directory for guest '%s' failed: %m",
+					 guest->get_name(guest));
+				goto error;
+			}
+		}
+		if (!guest->add_overlay(guest, guest_dir))
+		{
+			goto error;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return TRUE;
+error:
+	enumerator->destroy(enumerator);
+	this->public.del_overlay(&this->public, dir);
+	return FALSE;
+}
+
+/**
+ * Implementation of dumm_t.del_overlay.
+ */
+static bool del_overlay(private_dumm_t *this, char *dir)
+{
+	bool ret = FALSE;
+	enumerator_t *enumerator;
+	guest_t *guest;
 
 	enumerator = this->guests->create_enumerator(this->guests);
 	while (enumerator->enumerate(enumerator, (void**)&guest))
 	{
-		guest->load_template(guest, NULL);
+		char guest_dir[PATH_MAX];
+		int len = snprintf(guest_dir, sizeof(guest_dir), "%s/%s", dir,
+						   guest->get_name(guest));
+		if (len < 0 || len >= sizeof(guest_dir))
+		{
+			continue;
+		}
+		ret = guest->del_overlay(guest, guest_dir) || ret;
 	}
 	enumerator->destroy(enumerator);
+	return ret;
 }
 
 /**
- * Implementation of dumm_t.load_template.
+ * Implementation of dumm_t.pop_overlay.
  */
-static bool load_template(private_dumm_t *this, char *dir)
+static bool pop_overlay(private_dumm_t *this)
 {
+	bool ret = FALSE;
 	enumerator_t *enumerator;
 	guest_t *guest;
 
-	clear_template(this);
+	enumerator = this->guests->create_enumerator(this->guests);
+	while (enumerator->enumerate(enumerator, (void**)&guest))
+	{
+		ret = guest->pop_overlay(guest) || ret;
+	}
+	enumerator->destroy(enumerator);
+	return ret;
+}
 
-	if (dir == NULL)
+/**
+ * disable the currently enabled template
+ */
+static void clear_template(private_dumm_t *this)
+{
+	if (this->template)
+	{
+		del_overlay(this, this->template);
+		free(this->template);
+		this->template = NULL;
+	}
+}
+
+/**
+ * Implementation of dumm_t.load_template.
+ */
+static bool load_template(private_dumm_t *this, char *name)
+{
+	clear_template(this);
+	if (name == NULL)
 	{
 		return TRUE;
 	}
-	if (strlen(dir) > PATH_MAX)
+	if (strlen(name) > PATH_MAX)
 	{
-		DBG1(DBG_LIB, "template directory string '%s' is too long", dir);
+		DBG1(DBG_LIB, "template name '%s' is too long", name);
 		return FALSE;
 	}
-
-	if (asprintf(&this->template, "%s/%s", TEMPLATE_DIR, dir) < 0)
+	if (strchr(name, '/') != NULL)
+	{
+		DBG1(DBG_LIB, "template name '%s' must not contain '/' characters", name);
+		return FALSE;
+	}
+	if (asprintf(&this->template, "%s/%s", TEMPLATE_DIR, name) < 0)
 	{
 		this->template = NULL;
 		return FALSE;
 	}
 	if (access(this->template, F_OK) != 0)
-	{	/* does not exist, create template */
+	{
 		if (!mkdir_p(this->template, PERME))
 		{
 			DBG1(DBG_LIB, "creating template directory '%s' failed: %m",
@@ -180,18 +274,7 @@ static bool load_template(private_dumm_t *this, char *dir)
 			return FALSE;
 		}
 	}
-	enumerator = this->guests->create_enumerator(this->guests);
-	while (enumerator->enumerate(enumerator, (void**)&guest))
-	{
-		if (!guest->load_template(guest, this->template))
-		{
-			enumerator->destroy(enumerator);
-			clear_template(this);
-			return FALSE;
-		}
-	}
-	enumerator->destroy(enumerator);
-	return TRUE;
+	return add_overlay(this, this->template);
 }
 
 /**
@@ -205,7 +288,7 @@ typedef struct {
 } template_enumerator_t;
 
 /**
- * Implementation of template_enumerator_t.enumerate
+ * Implementation of template_enumerator_t.enumerate.
  */
 static bool template_enumerate(template_enumerator_t *this, char **template)
 {
@@ -224,7 +307,7 @@ static bool template_enumerate(template_enumerator_t *this, char **template)
 }
 
 /**
- * Implementation of template_enumerator_t.destroy
+ * Implementation of template_enumerator_t.destroy.
  */
 static void template_enumerator_destroy(template_enumerator_t *this)
 {
@@ -233,22 +316,25 @@ static void template_enumerator_destroy(template_enumerator_t *this)
 }
 
 /**
- * Implementation of dumm_t.create_template_enumerator
+ * Implementation of dumm_t.create_template_enumerator.
  */
 static enumerator_t* create_template_enumerator(private_dumm_t *this)
 {
 	template_enumerator_t *enumerator;
-
 	enumerator = malloc_thing(template_enumerator_t);
 	enumerator->public.enumerate = (void*)template_enumerate;
 	enumerator->public.destroy = (void*)template_enumerator_destroy;
 	enumerator->inner = enumerator_create_directory(TEMPLATE_DIR);
-
+	if (!enumerator->inner)
+	{
+		free(enumerator);
+		return enumerator_create_empty();
+	}
 	return &enumerator->public;
 }
 
 /**
- * Implementation of dumm_t.destroy
+ * Implementation of dumm_t.destroy.
  */
 static void destroy(private_dumm_t *this)
 {
@@ -324,7 +410,10 @@ dumm_t *dumm_create(char *dir)
 	this->public.create_bridge = (bridge_t*(*)(dumm_t*, char *name))create_bridge;
 	this->public.create_bridge_enumerator = (enumerator_t*(*)(dumm_t*))create_bridge_enumerator;
 	this->public.delete_bridge = (void(*)(dumm_t*,bridge_t*))delete_bridge;
-	this->public.load_template = (bool(*)(dumm_t*, char *name))load_template;
+	this->public.add_overlay = (bool(*)(dumm_t*,char*))add_overlay;
+	this->public.del_overlay = (bool(*)(dumm_t*,char*))del_overlay;
+	this->public.pop_overlay = (bool(*)(dumm_t*))pop_overlay;
+	this->public.load_template = (bool(*)(dumm_t*,char*))load_template;
 	this->public.create_template_enumerator = (enumerator_t*(*)(dumm_t*))create_template_enumerator;
 	this->public.destroy = (void(*)(dumm_t*))destroy;
 
diff --git a/src/dumm/dumm.h b/src/dumm/dumm.h
index 54c3fbc03..4bd20808c 100644
--- a/src/dumm/dumm.h
+++ b/src/dumm/dumm.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -83,12 +83,47 @@ struct dumm_t {
 	void (*delete_bridge) (dumm_t *this, bridge_t *bridge);
 
 	/**
+	 * Add an overlay to all guests.
+	 *
+	 * Directories named after the guests are created, if they do not exist
+	 * in the given overlay directory.
+	 *
+	 * If adding the overlay on at lest one guest fails, FALSE is returned and
+	 * the overlay is again removed from all guests.
+	 *
+	 * @param dir		dir to the overlay
+	 * @return			FALSE, on failure
+	 */
+	bool (*add_overlay)(dumm_t *this, char *dir);
+
+	/**
+	 * Removes an overlay from all guests.
+	 *
+	 * @param dir		dir to the overlay
+	 * @return			FALSE, if the overlay was not found on any guest
+	 */
+	bool (*del_overlay)(dumm_t *this, char *dir);
+
+	/**
+	 * Remove the latest overlay from all guests.
+	 *
+	 * @return			FALSE, if no overlay was found on any guest
+	 */
+	bool (*pop_overlay)(dumm_t *this);
+
+	/**
 	 * Loads a template, create a new one if it does not exist.
 	 *
-	 * @param name		dir to the template, NULL to close
+	 * This is basically a wrapper around add/del_overlay to simplify working
+	 * with overlays. Templates are located in a predefined directory, so that
+	 * only a name for the template has to be specified here. Only one template
+	 * can be loaded at any one time (but other overlays can be added on top or
+	 * below a template).
+	 *
+	 * @param name		name of the template to load, NULL to unload
 	 * @return			FALSE if load/create failed
 	 */
-	bool (*load_template)(dumm_t *this, char *dir);
+	bool (*load_template)(dumm_t *this, char *name);
 
 	/**
 	 * Create an enumerator over all available templates.
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index 230e8ae68..a9c7cb8bd 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -85,82 +85,108 @@ static void sigchld_handler(int signal, siginfo_t *info, void* ptr)
 	enumerator->destroy(enumerator);
 }
 
+
 /**
- * Guest bindings
+ * Global Dumm bindings
  */
-static VALUE guest_find(VALUE class, VALUE key)
+static VALUE dumm_add_overlay(VALUE class, VALUE dir)
 {
-	enumerator_t *enumerator;
-	guest_t *guest, *found = NULL;
-
-	if (TYPE(key) == T_SYMBOL)
+	if (!dumm->add_overlay(dumm, StringValuePtr(dir)))
 	{
-		key = rb_convert_type(key, T_STRING, "String", "to_s");
+		rb_raise(rb_eRuntimeError, "loading overlay failed");
 	}
+	return class;
+}
+
+static VALUE dumm_del_overlay(VALUE class, VALUE dir)
+{
+	return dumm->del_overlay(dumm, StringValuePtr(dir)) ? Qtrue : Qfalse;
+}
+
+static VALUE dumm_pop_overlay(VALUE class)
+{
+	return dumm->pop_overlay(dumm) ? Qtrue : Qfalse;
+}
+
+static void dumm_init()
+{
+	rbm_dumm = rb_define_module("Dumm");
+
+	rb_define_module_function(rbm_dumm, "add_overlay", dumm_add_overlay, 1);
+	rb_define_module_function(rbm_dumm, "del_overlay", dumm_del_overlay, 1);
+	rb_define_module_function(rbm_dumm, "pop_overlay", dumm_pop_overlay, 0);
+}
+
+/**
+ * Guest bindings
+ */
+static VALUE guest_hash_create(VALUE class)
+{
+	enumerator_t *enumerator;
+	guest_t *guest;
+	VALUE hash = rb_hash_new();
 	enumerator = dumm->create_guest_enumerator(dumm);
 	while (enumerator->enumerate(enumerator, &guest))
 	{
-		if (streq(guest->get_name(guest), StringValuePtr(key)))
-		{
-			found = guest;
-			break;
-		}
+		rb_hash_aset(hash, rb_str_new2(guest->get_name(guest)),
+					 Data_Wrap_Struct(class, NULL, NULL, guest));
 	}
 	enumerator->destroy(enumerator);
-	if (!found)
+	return hash;
+}
+
+static VALUE guest_hash(VALUE class)
+{
+	ID id = rb_intern("@@guests");
+	if (!rb_cvar_defined(class, id))
 	{
-		return Qnil;
+		VALUE hash = guest_hash_create(class);
+		rb_cvar_set(class, id, hash, 0);
+		return hash;
 	}
-	return Data_Wrap_Struct(class, NULL, NULL, found);
+	return rb_cvar_get(class, id);
 }
 
-static VALUE guest_get(VALUE class, VALUE key)
+static VALUE guest_find(VALUE class, VALUE key)
 {
-	VALUE guest = guest_find(class, key);
-	if (NIL_P(guest))
+	if (TYPE(key) != T_STRING)
 	{
-		rb_raise(rb_eRuntimeError, "guest not found");
+		key = rb_convert_type(key, T_STRING, "String", "to_s");
 	}
-	return guest;
+	return rb_hash_aref(guest_hash(class), key);
 }
 
-static VALUE guest_each(int argc, VALUE *argv, VALUE class)
+static VALUE guest_get(VALUE class, VALUE key)
 {
-	linked_list_t *list;
-	enumerator_t *enumerator;
-	guest_t *guest;
+	return guest_find(class, key);
+}
 
+static VALUE guest_each(int argc, VALUE *argv, VALUE class)
+{
 	if (!rb_block_given_p())
 	{
 		rb_raise(rb_eArgError, "must be called with a block");
 	}
-	list = linked_list_create();
-	enumerator = dumm->create_guest_enumerator(dumm);
-	while (enumerator->enumerate(enumerator, &guest))
-	{
-		list->insert_last(list, guest);
-	}
-	enumerator->destroy(enumerator);
-	while (list->remove_first(list, (void**)&guest) == SUCCESS)
-	{
-		rb_yield(Data_Wrap_Struct(class, NULL, NULL, guest));
-	}
-	list->destroy(list);
+	rb_block_call(guest_hash(class), rb_intern("each_value"), 0, 0,
+				  rb_yield, 0);
 	return class;
 }
 
 static VALUE guest_new(VALUE class, VALUE name, VALUE kernel,
 					   VALUE master, VALUE args)
 {
+	VALUE self;
 	guest_t *guest;
-
-	guest = dumm->create_guest(dumm, StringValuePtr(name), StringValuePtr(kernel),
-							   StringValuePtr(master), StringValuePtr(args));
+	guest = dumm->create_guest(dumm, StringValuePtr(name),
+							   StringValuePtr(kernel), StringValuePtr(master),
+							   StringValuePtr(args));
 	if (!guest)
 	{
 		rb_raise(rb_eRuntimeError, "creating guest failed");
 	}
-	return Data_Wrap_Struct(class, NULL, NULL, guest);
+	self = Data_Wrap_Struct(class, NULL, NULL, guest);
+	rb_hash_aset(guest_hash(class), name, self);
+	return self;
 }
 
 static VALUE guest_to_s(VALUE self)
@@ -214,11 +240,9 @@ static VALUE guest_exec(VALUE self, VALUE cmd)
 
 	block = rb_block_given_p();
 	Data_Get_Struct(self, guest_t, guest);
-	if ((ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
-					"exec %s", StringValuePtr(cmd))) != 0)
-	{
-		rb_raise(rb_eRuntimeError, "executing command failed (%d)", ret);
-	}
+	ret = guest->exec_str(guest, block ? (void*)exec_cb : NULL, TRUE, NULL,
+						  "exec %s", StringValuePtr(cmd));
+	rb_iv_set(self, "@execstatus", INT2NUM(ret));
 	return self;
 }
 
@@ -330,6 +354,34 @@ static VALUE guest_delete(VALUE self)
 	return Qnil;
 }
 
+static VALUE guest_add_overlay(VALUE self, VALUE dir)
+{
+	guest_t *guest;
+
+	Data_Get_Struct(self, guest_t, guest);
+	if (!guest->add_overlay(guest, StringValuePtr(dir)))
+	{
+		rb_raise(rb_eRuntimeError, "loading overlay failed");
+	}
+	return self;
+}
+
+static VALUE guest_del_overlay(VALUE self, VALUE dir)
+{
+	guest_t *guest;
+
+	Data_Get_Struct(self, guest_t, guest);
+	return guest->del_overlay(guest, StringValuePtr(dir)) ? Qtrue : Qfalse;
+}
+
+static VALUE guest_pop_overlay(VALUE self)
+{
+	guest_t *guest;
+
+	Data_Get_Struct(self, guest_t, guest);
+	return guest->pop_overlay(guest) ? Qtrue : Qfalse;
+}
+
 static void guest_init()
 {
 	rbc_guest = rb_define_class_under(rbm_dumm , "Guest", rb_cObject);
@@ -354,6 +406,11 @@ static void guest_init()
 	rb_define_method(rbc_guest, "include?", guest_find_iface, 1);
 	rb_define_method(rbc_guest, "iface?", guest_find_iface, 1);
 	rb_define_method(rbc_guest, "delete", guest_delete, 0);
+	rb_define_method(rbc_guest, "add_overlay", guest_add_overlay, 1);
+	rb_define_method(rbc_guest, "del_overlay", guest_del_overlay, 1);
+	rb_define_method(rbc_guest, "pop_overlay", guest_pop_overlay, 0);
+
+	rb_define_attr(rbc_guest, "execstatus", 1, 0);
 }
 
 /**
@@ -711,8 +768,7 @@ void Init_dumm()
 
 	dumm = dumm_create(NULL);
 
-	rbm_dumm = rb_define_module("Dumm");
-
+	dumm_init();
 	guest_init();
 	bridge_init();
 	iface_init();
diff --git a/src/dumm/ext/lib/dumm.rb b/src/dumm/ext/lib/dumm.rb
index 25939e9f4..bb60aad8f 100644
--- a/src/dumm/ext/lib/dumm.rb
+++ b/src/dumm/ext/lib/dumm.rb
@@ -1,5 +1,5 @@
 =begin
-  Copyright (C) 2008 Tobias Brunner
+  Copyright (C) 2008-2009 Tobias Brunner
   Hochschule fuer Technik Rapperswil
 
   This program is free software; you can redistribute it and/or modify it
@@ -38,11 +38,11 @@ module Dumm
     end
   end
   
-  # unload templates, reset all guests and delete bridges
+  # unload template/overlays, reset all guests and delete bridges
   def reset
     Template.unload
     Guest.each { |guest|
-      guest.reset if guest.running?
+      guest.reset
     }
     Bridge.each { |bridge|
       bridge.delete
diff --git a/src/dumm/ext/lib/dumm/guest.rb b/src/dumm/ext/lib/dumm/guest.rb
index 936f512dd..7488f1358 100644
--- a/src/dumm/ext/lib/dumm/guest.rb
+++ b/src/dumm/ext/lib/dumm/guest.rb
@@ -1,5 +1,5 @@
 =begin
-  Copyright (C) 2008 Tobias Brunner
+  Copyright (C) 2008-2010 Tobias Brunner
   Hochschule fuer Technik Rapperswil
 
   This program is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@ module Dumm
       end
       Guest[id]
     end
-    
+
     # accessor for interfaces
     # e.g. guest.eth0 instead of guest["eth0"]
     def method_missing(id, *args)
@@ -32,24 +32,21 @@ module Dumm
       end
       self[id]
     end
-    
-    # delete all interfaces
+
+    # remove all overlays, delete all interfaces
     def reset
+      while pop_overlay; end
       each {|i|
         i.delete
       }
     end
-    
+
     # has the guest booted up?
     def booted?
-      begin
-        exec("pgrep getty")
-      rescue
-        return false
-      end
-      return true
+      exec("pgrep getty")
+      execstatus == 0
     end
-    
+
     # wait until the guest has booted
     def boot
       while not booted?
diff --git a/src/dumm/guest.c b/src/dumm/guest.c
index ebd87769a..36d048dcf 100644
--- a/src/dumm/guest.c
+++ b/src/dumm/guest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -297,37 +297,42 @@ static bool start(private_guest_t *this, invoke_function_t invoke, void* data,
 }
 
 /**
- * Implementation of guest_t.load_template.
+ * Implementation of guest_t.add_overlay.
  */
-static bool load_template(private_guest_t *this, char *path)
+static bool add_overlay(private_guest_t *this, char *path)
 {
-	char dir[PATH_MAX];
-	size_t len;
-
 	if (path == NULL)
 	{
-		return this->cowfs->set_overlay(this->cowfs, NULL);
-	}
-
-	len = snprintf(dir, sizeof(dir), "%s/%s", path, this->name);
-	if (len < 0 || len >= sizeof(dir))
-	{
 		return FALSE;
 	}
-	if (access(dir, F_OK) != 0)
+
+	if (access(path, F_OK) != 0)
 	{
-		if (!mkdir_p(dir, PERME))
+		if (!mkdir_p(path, PERME))
 		{
 			DBG1(DBG_LIB, "creating overlay for guest '%s' failed: %m",
 				 this->name);
 			return FALSE;
 		}
 	}
-	if (!this->cowfs->set_overlay(this->cowfs, dir))
-	{
-		return FALSE;
-	}
-	return TRUE;
+
+	return this->cowfs->add_overlay(this->cowfs, path);
+}
+
+/**
+ * Implementation of guest_t.del_overlay.
+ */
+static bool del_overlay(private_guest_t *this, char *path)
+{
+	return this->cowfs->del_overlay(this->cowfs, path);
+}
+
+/**
+ * Implementation of guest_t.pop_overlay.
+ */
+static bool pop_overlay(private_guest_t *this)
+{
+	return this->cowfs->pop_overlay(this->cowfs);
 }
 
 /**
@@ -567,7 +572,9 @@ static private_guest_t *guest_create_generic(char *parent, char *name,
 	this->public.create_iface_enumerator = (enumerator_t*(*)(guest_t*))create_iface_enumerator;
 	this->public.start = (void*)start;
 	this->public.stop = (void*)stop;
-	this->public.load_template = (bool(*)(guest_t*, char *path))load_template;
+	this->public.add_overlay = (bool(*)(guest_t*,char*))add_overlay;
+	this->public.del_overlay = (bool(*)(guest_t*,char*))del_overlay;
+	this->public.pop_overlay = (bool(*)(guest_t*))pop_overlay;
 	this->public.exec = (int(*)(guest_t*, void(*cb)(void*,char*,size_t),void*,char*,...))exec;
 	this->public.exec_str = (int(*)(guest_t*, void(*cb)(void*,char*),bool,void*,char*,...))exec_str;
 	this->public.sigchild = (void(*)(guest_t*))sigchild;
diff --git a/src/dumm/guest.h b/src/dumm/guest.h
index 5f812f8eb..789f2310e 100644
--- a/src/dumm/guest.h
+++ b/src/dumm/guest.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -134,12 +134,27 @@ struct guest_t {
 	enumerator_t* (*create_iface_enumerator)(guest_t *this);
 
 	/**
-	 * Set the template COWFS overlay to use.
+	 * Adds a COWFS overlay. The directory is created if it does not exist.
 	 *
-	 * @param parent	parent directory where template diff should point to
-	 * @return			FALSE if failed
+	 * @param dir		directory where overlay diff should point to
+	 * @return			FALSE, if failed
 	 */
-	bool (*load_template)(guest_t *this, char *parent);
+	bool (*add_overlay)(guest_t *this, char *dir);
+
+	/**
+	 * Removes the specified COWFS overlay.
+	 *
+	 * @param dir		directory where overlay diff points to
+	 * @return			FALSE, if no found
+	 */
+	bool (*del_overlay)(guest_t *this, char *dir);
+
+	/**
+	 * Removes the latest COWFS overlay.
+	 *
+	 * @return			FALSE, if no overlay was found
+	 */
+	bool (*pop_overlay)(guest_t *this);
 
 	/**
 	 * Execute a command on the guests mconsole.
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index c47e6e451..498fb17f1 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -43,6 +43,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -117,6 +118,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -148,14 +151,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -170,24 +176,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -195,7 +208,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 2b4b14b49..276d9f36d 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -145,6 +146,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -176,14 +179,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -198,24 +204,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -223,7 +236,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8
index 150fefc12..f995119aa 100644
--- a/src/ipsec/ipsec.8
+++ b/src/ipsec/ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2010-05-30" "4.4.1rc3" "strongSwan"
+.TH IPSEC 8 "2010-05-30" "4.5.0rc1" "strongSwan"
 .SH NAME
 ipsec \- invoke IPsec utilities
 .SH SYNOPSIS
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 3297654e9..21a2b8ee6 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -40,16 +40,12 @@ encoding/payloads/transform_substructure.c encoding/payloads/transform_substruct
 encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
 encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.h \
+kernel/kernel_handler.c kernel/kernel_handler.h \
 network/packet.c network/packet.h \
 network/receiver.c network/receiver.h \
 network/sender.c network/sender.h \
 network/socket_manager.c network/socket_manager.h network/socket.h \
-processing/jobs/job.h \
 processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
-processing/jobs/callback_job.c processing/jobs/callback_job.h \
 processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
 processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
@@ -62,8 +58,6 @@ processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-processing/scheduler.c processing/scheduler.h \
-processing/processor.c processing/processor.h  \
 sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
 sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
 sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
@@ -94,7 +88,9 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
 sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
 sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
-sa/tasks/task.c sa/tasks/task.h
+sa/tasks/task.c sa/tasks/task.h \
+tnccs/tnccs.c tnccs/tnccs.h \
+tnccs/tnccs_manager.h tnccs/tnccs_manager.c
 
 # adding the plugin source files
 
@@ -141,10 +137,6 @@ LOCAL_SRC_FILES += $(addprefix ../libsimaka/, \
 	)
 endif
 
-LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
-
-LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
-
 LOCAL_SRC_FILES += $(call add_plugin, load-tester)
 
 LOCAL_SRC_FILES += $(call add_plugin, socket-default)
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 44501c0d0..2b7646327 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -38,16 +38,12 @@ encoding/payloads/transform_substructure.c encoding/payloads/transform_substruct
 encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
 encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
 encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
-kernel/kernel_interface.c kernel/kernel_interface.h \
-kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-kernel/kernel_net.h \
+kernel/kernel_handler.c kernel/kernel_handler.h \
 network/packet.c network/packet.h \
 network/receiver.c network/receiver.h \
 network/sender.c network/sender.h \
 network/socket_manager.c network/socket_manager.h network/socket.h \
-processing/jobs/job.h \
 processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
-processing/jobs/callback_job.c processing/jobs/callback_job.h \
 processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
 processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
 processing/jobs/migrate_job.c processing/jobs/migrate_job.h \
@@ -60,8 +56,6 @@ processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-processing/scheduler.c processing/scheduler.h \
-processing/processor.c processing/processor.h  \
 sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
 sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
 sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
@@ -92,7 +86,9 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
 sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
 sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
-sa/tasks/task.c sa/tasks/task.h
+sa/tasks/task.c sa/tasks/task.h \
+tnccs/tnccs.c tnccs/tnccs.h \
+tnccs/tnccs_manager.h tnccs/tnccs_manager.c
 
 daemon.lo :		$(top_builddir)/config.status
 
@@ -104,7 +100,8 @@ INCLUDES = \
 
 AM_CFLAGS = \
 	-DIPSEC_DIR=\"${ipsecdir}\" \
-	-DIPSEC_PIDDIR=\"${piddir}\"
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${libcharon_plugins}\""
 
 libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB)
 
@@ -135,51 +132,15 @@ else
 SUBDIRS = .
 endif
 
-PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins}
-
 if USE_LOAD_TESTER
   SUBDIRS += plugins/load_tester
-  PLUGINS += load-tester
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/load_tester/libstrongswan-load-tester.la
 endif
 endif
 
-if USE_KERNEL_PFKEY
-  SUBDIRS += plugins/kernel_pfkey
-  PLUGINS += kernel-pfkey
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-endif
-endif
-
-if USE_KERNEL_PFROUTE
-  SUBDIRS += plugins/kernel_pfroute
-  PLUGINS += kernel-pfroute
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-endif
-endif
-
-if USE_KERNEL_KLIPS
-  SUBDIRS += plugins/kernel_klips
-  PLUGINS += kernel-klips
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/kernel_klips/libstrongswan-kernel-klips.la
-endif
-endif
-
-if USE_KERNEL_NETLINK
-  SUBDIRS += plugins/kernel_netlink
-  PLUGINS += kernel-netlink
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-endif
-endif
-
 if USE_SOCKET_DEFAULT
   SUBDIRS += plugins/socket_default
-  PLUGINS += socket-default
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/socket_default/libstrongswan-socket-default.la
 endif
@@ -187,7 +148,6 @@ endif
 
 if USE_SOCKET_RAW
   SUBDIRS += plugins/socket_raw
-  PLUGINS += socket-raw
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/socket_raw/libstrongswan-socket-raw.la
 endif
@@ -195,7 +155,6 @@ endif
 
 if USE_SOCKET_DYNAMIC
   SUBDIRS += plugins/socket_dynamic
-  PLUGINS += socket-dynamic
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/socket_dynamic/libstrongswan-socket-dynamic.la
 endif
@@ -203,7 +162,6 @@ endif
 
 if USE_FARP
   SUBDIRS += plugins/farp
-  PLUGINS += farp
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/farp/libstrongswan-farp.la
 endif
@@ -211,7 +169,6 @@ endif
 
 if USE_STROKE
   SUBDIRS += plugins/stroke
-  PLUGINS += stroke
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/stroke/libstrongswan-stroke.la
 endif
@@ -219,7 +176,6 @@ endif
 
 if USE_SMP
   SUBDIRS += plugins/smp
-  PLUGINS += smp
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/smp/libstrongswan-smp.la
 endif
@@ -227,7 +183,6 @@ endif
 
 if USE_SQL
   SUBDIRS += plugins/sql
-  PLUGINS += sql
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/sql/libstrongswan-sql.la
 endif
@@ -235,7 +190,6 @@ endif
 
 if USE_UPDOWN
   SUBDIRS += plugins/updown
-  PLUGINS += updown
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/updown/libstrongswan-updown.la
 endif
@@ -243,7 +197,6 @@ endif
 
 if USE_EAP_IDENTITY
   SUBDIRS += plugins/eap_identity
-  PLUGINS += eap-identity
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_identity/libstrongswan-eap-identity.la
 endif
@@ -251,7 +204,6 @@ endif
 
 if USE_EAP_SIM
   SUBDIRS += plugins/eap_sim
-  PLUGINS += eap-sim
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_sim/libstrongswan-eap-sim.la
 endif
@@ -259,7 +211,6 @@ endif
 
 if USE_EAP_SIM_FILE
   SUBDIRS += plugins/eap_sim_file
-  PLUGINS += eap-sim-file
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_sim_file/libstrongswan-eap-sim-file.la
 endif
@@ -267,7 +218,6 @@ endif
 
 if USE_EAP_SIMAKA_SQL
   SUBDIRS += plugins/eap_simaka_sql
-  PLUGINS += eap-simaka-sql
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
 endif
@@ -275,7 +225,6 @@ endif
 
 if USE_EAP_SIMAKA_PSEUDONYM
   SUBDIRS += plugins/eap_simaka_pseudonym
-  PLUGINS += eap-simaka-pseudonym
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
 endif
@@ -283,7 +232,6 @@ endif
 
 if USE_EAP_SIMAKA_REAUTH
   SUBDIRS += plugins/eap_simaka_reauth
-  PLUGINS += eap-simaka-reauth
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
 endif
@@ -291,7 +239,6 @@ endif
 
 if USE_EAP_AKA
   SUBDIRS += plugins/eap_aka
-  PLUGINS += eap-aka
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_aka/libstrongswan-eap-aka.la
 endif
@@ -299,7 +246,6 @@ endif
 
 if USE_EAP_AKA_3GPP2
   SUBDIRS += plugins/eap_aka_3gpp2
-  PLUGINS += eap-aka-3gpp2
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
 endif
@@ -314,7 +260,6 @@ endif
 
 if USE_EAP_MD5
   SUBDIRS += plugins/eap_md5
-  PLUGINS += eap-md5
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_md5/libstrongswan-eap-md5.la
 endif
@@ -322,7 +267,6 @@ endif
 
 if USE_EAP_GTC
   SUBDIRS += plugins/eap_gtc
-  PLUGINS += eap-gtc
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_gtc/libstrongswan-eap-gtc.la
 endif
@@ -330,7 +274,6 @@ endif
 
 if USE_EAP_MSCHAPV2
   SUBDIRS += plugins/eap_mschapv2
-  PLUGINS += eap-mschapv2
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
 endif
@@ -338,15 +281,69 @@ endif
 
 if USE_EAP_RADIUS
   SUBDIRS += plugins/eap_radius
-  PLUGINS += eap-radius
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/eap_radius/libstrongswan-eap-radius.la
 endif
 endif
 
+if USE_EAP_TLS
+  SUBDIRS += plugins/eap_tls
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_tls/libstrongswan-eap-tls.la
+endif
+endif
+
+if USE_EAP_TTLS
+  SUBDIRS += plugins/eap_ttls
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_ttls/libstrongswan-eap-ttls.la
+endif
+endif
+
+if USE_EAP_TNC
+  SUBDIRS += plugins/eap_tnc
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/eap_tnc/libstrongswan-eap-tnc.la
+endif
+endif
+
+if USE_TLS
+if MONOLITHIC
+  # otherwise this library is linked to eap_tls
+  libcharon_la_LIBADD += $(top_builddir)/src/libtls/libtls.la
+endif
+endif
+
+if USE_TNC_IMC
+  SUBDIRS += plugins/tnc_imc
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc_imc.la
+endif
+endif
+
+if USE_TNC_IMV
+  SUBDIRS += plugins/tnc_imv
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc_imv.la
+endif
+endif
+
+if USE_TNCCS_11
+  SUBDIRS += plugins/tnccs_11
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnccs_11/libstrongswan-tnccs-11.la
+endif
+endif
+
+if USE_TNCCS_20
+  SUBDIRS += plugins/tnccs_20
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnccs_20/libstrongswan-tnccs-20.la
+endif
+endif
+
 if USE_MEDSRV
   SUBDIRS += plugins/medsrv
-  PLUGINS += medsrv
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/medsrv/libstrongswan-medsrv.la
 endif
@@ -354,7 +351,6 @@ endif
 
 if USE_MEDCLI
   SUBDIRS += plugins/medcli
-  PLUGINS += medcli
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/medcli/libstrongswan-medcli.la
 endif
@@ -362,7 +358,6 @@ endif
 
 if USE_NM
   SUBDIRS += plugins/nm
-  PLUGINS += nm
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/nm/libstrongswan-nm.la
 endif
@@ -370,7 +365,6 @@ endif
 
 if USE_DHCP
   SUBDIRS += plugins/dhcp
-  PLUGINS += dhcp
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/dhcp/libstrongswan-dhcp.la
 endif
@@ -378,23 +372,34 @@ endif
 
 if USE_ANDROID
   SUBDIRS += plugins/android
-  PLUGINS += android
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/android/libstrongswan-android.la
 endif
 endif
 
+if USE_MAEMO
+  SUBDIRS += plugins/maemo
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/maemo/libstrongswan-maemo.la
+endif
+endif
+
 if USE_HA
   SUBDIRS += plugins/ha
-  PLUGINS += ha
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/ha/libstrongswan-ha.la
 endif
 endif
 
+if USE_LED
+  SUBDIRS += plugins/led
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/led/libstrongswan-led.la
+endif
+endif
+
 if USE_UCI
   SUBDIRS += plugins/uci
-  PLUGINS += uci
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/uci/libstrongswan-uci.la
 endif
@@ -402,7 +407,6 @@ endif
 
 if USE_ADDRBLOCK
   SUBDIRS += plugins/addrblock
-  PLUGINS += addrblock
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/uci/libstrongswan-addrblock.la
 endif
@@ -410,11 +414,8 @@ endif
 
 if USE_UNIT_TESTS
   SUBDIRS += plugins/unit_tester
-  PLUGINS += unit-tester
 if MONOLITHIC
   libcharon_la_LIBADD += plugins/unit_tester/libstrongswan-unit-tester.la
 endif
 endif
 
-AM_CFLAGS += -DPLUGINS=\""${PLUGINS}\""
-
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 8e58b0e2e..8a7a99ddd 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -46,108 +46,85 @@ host_triplet = @host@
 
 @USE_LIBCAP_TRUE@am__append_2 = -lcap
 @USE_LOAD_TESTER_TRUE@am__append_3 = plugins/load_tester
-@USE_LOAD_TESTER_TRUE@am__append_4 = load-tester
-@MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_5 = plugins/load_tester/libstrongswan-load-tester.la
-@USE_KERNEL_PFKEY_TRUE@am__append_6 = plugins/kernel_pfkey
-@USE_KERNEL_PFKEY_TRUE@am__append_7 = kernel-pfkey
-@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_8 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute
-@USE_KERNEL_PFROUTE_TRUE@am__append_10 = kernel-pfroute
-@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_11 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-@USE_KERNEL_KLIPS_TRUE@am__append_12 = plugins/kernel_klips
-@USE_KERNEL_KLIPS_TRUE@am__append_13 = kernel-klips
-@MONOLITHIC_TRUE@@USE_KERNEL_KLIPS_TRUE@am__append_14 = plugins/kernel_klips/libstrongswan-kernel-klips.la
-@USE_KERNEL_NETLINK_TRUE@am__append_15 = plugins/kernel_netlink
-@USE_KERNEL_NETLINK_TRUE@am__append_16 = kernel-netlink
-@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_17 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-@USE_SOCKET_DEFAULT_TRUE@am__append_18 = plugins/socket_default
-@USE_SOCKET_DEFAULT_TRUE@am__append_19 = socket-default
-@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_20 = plugins/socket_default/libstrongswan-socket-default.la
-@USE_SOCKET_RAW_TRUE@am__append_21 = plugins/socket_raw
-@USE_SOCKET_RAW_TRUE@am__append_22 = socket-raw
-@MONOLITHIC_TRUE@@USE_SOCKET_RAW_TRUE@am__append_23 = plugins/socket_raw/libstrongswan-socket-raw.la
-@USE_SOCKET_DYNAMIC_TRUE@am__append_24 = plugins/socket_dynamic
-@USE_SOCKET_DYNAMIC_TRUE@am__append_25 = socket-dynamic
-@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_26 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
-@USE_FARP_TRUE@am__append_27 = plugins/farp
-@USE_FARP_TRUE@am__append_28 = farp
-@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_29 = plugins/farp/libstrongswan-farp.la
-@USE_STROKE_TRUE@am__append_30 = plugins/stroke
-@USE_STROKE_TRUE@am__append_31 = stroke
-@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_32 = plugins/stroke/libstrongswan-stroke.la
-@USE_SMP_TRUE@am__append_33 = plugins/smp
-@USE_SMP_TRUE@am__append_34 = smp
-@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_35 = plugins/smp/libstrongswan-smp.la
-@USE_SQL_TRUE@am__append_36 = plugins/sql
-@USE_SQL_TRUE@am__append_37 = sql
-@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_38 = plugins/sql/libstrongswan-sql.la
-@USE_UPDOWN_TRUE@am__append_39 = plugins/updown
-@USE_UPDOWN_TRUE@am__append_40 = updown
-@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_41 = plugins/updown/libstrongswan-updown.la
-@USE_EAP_IDENTITY_TRUE@am__append_42 = plugins/eap_identity
-@USE_EAP_IDENTITY_TRUE@am__append_43 = eap-identity
-@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_44 = plugins/eap_identity/libstrongswan-eap-identity.la
-@USE_EAP_SIM_TRUE@am__append_45 = plugins/eap_sim
-@USE_EAP_SIM_TRUE@am__append_46 = eap-sim
-@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_47 = plugins/eap_sim/libstrongswan-eap-sim.la
-@USE_EAP_SIM_FILE_TRUE@am__append_48 = plugins/eap_sim_file
-@USE_EAP_SIM_FILE_TRUE@am__append_49 = eap-sim-file
-@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_50 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
-@USE_EAP_SIMAKA_SQL_TRUE@am__append_51 = plugins/eap_simaka_sql
-@USE_EAP_SIMAKA_SQL_TRUE@am__append_52 = eap-simaka-sql
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_53 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_54 = plugins/eap_simaka_pseudonym
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_55 = eap-simaka-pseudonym
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_56 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_57 = plugins/eap_simaka_reauth
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_58 = eap-simaka-reauth
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_59 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
-@USE_EAP_AKA_TRUE@am__append_60 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_61 = eap-aka
-@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_62 = plugins/eap_aka/libstrongswan-eap-aka.la
-@USE_EAP_AKA_3GPP2_TRUE@am__append_63 = plugins/eap_aka_3gpp2
-@USE_EAP_AKA_3GPP2_TRUE@am__append_64 = eap-aka-3gpp2
-@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_65 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
-@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_66 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_EAP_MD5_TRUE@am__append_67 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_68 = eap-md5
-@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_69 = plugins/eap_md5/libstrongswan-eap-md5.la
-@USE_EAP_GTC_TRUE@am__append_70 = plugins/eap_gtc
-@USE_EAP_GTC_TRUE@am__append_71 = eap-gtc
-@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_72 = plugins/eap_gtc/libstrongswan-eap-gtc.la
-@USE_EAP_MSCHAPV2_TRUE@am__append_73 = plugins/eap_mschapv2
-@USE_EAP_MSCHAPV2_TRUE@am__append_74 = eap-mschapv2
-@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_75 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
-@USE_EAP_RADIUS_TRUE@am__append_76 = plugins/eap_radius
-@USE_EAP_RADIUS_TRUE@am__append_77 = eap-radius
-@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_78 = plugins/eap_radius/libstrongswan-eap-radius.la
-@USE_MEDSRV_TRUE@am__append_79 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_80 = medsrv
-@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_81 = plugins/medsrv/libstrongswan-medsrv.la
-@USE_MEDCLI_TRUE@am__append_82 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_83 = medcli
-@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_84 = plugins/medcli/libstrongswan-medcli.la
-@USE_NM_TRUE@am__append_85 = plugins/nm
-@USE_NM_TRUE@am__append_86 = nm
-@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_87 = plugins/nm/libstrongswan-nm.la
-@USE_DHCP_TRUE@am__append_88 = plugins/dhcp
-@USE_DHCP_TRUE@am__append_89 = dhcp
-@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_90 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_ANDROID_TRUE@am__append_91 = plugins/android
-@USE_ANDROID_TRUE@am__append_92 = android
-@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_93 = plugins/android/libstrongswan-android.la
-@USE_HA_TRUE@am__append_94 = plugins/ha
-@USE_HA_TRUE@am__append_95 = ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_96 = plugins/ha/libstrongswan-ha.la
-@USE_UCI_TRUE@am__append_97 = plugins/uci
-@USE_UCI_TRUE@am__append_98 = uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_99 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_100 = plugins/addrblock
-@USE_ADDRBLOCK_TRUE@am__append_101 = addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_102 = plugins/uci/libstrongswan-addrblock.la
-@USE_UNIT_TESTS_TRUE@am__append_103 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_104 = unit-tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_105 = plugins/unit_tester/libstrongswan-unit-tester.la
+@MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_4 = plugins/load_tester/libstrongswan-load-tester.la
+@USE_SOCKET_DEFAULT_TRUE@am__append_5 = plugins/socket_default
+@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_6 = plugins/socket_default/libstrongswan-socket-default.la
+@USE_SOCKET_RAW_TRUE@am__append_7 = plugins/socket_raw
+@MONOLITHIC_TRUE@@USE_SOCKET_RAW_TRUE@am__append_8 = plugins/socket_raw/libstrongswan-socket-raw.la
+@USE_SOCKET_DYNAMIC_TRUE@am__append_9 = plugins/socket_dynamic
+@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_10 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
+@USE_FARP_TRUE@am__append_11 = plugins/farp
+@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_12 = plugins/farp/libstrongswan-farp.la
+@USE_STROKE_TRUE@am__append_13 = plugins/stroke
+@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_14 = plugins/stroke/libstrongswan-stroke.la
+@USE_SMP_TRUE@am__append_15 = plugins/smp
+@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_16 = plugins/smp/libstrongswan-smp.la
+@USE_SQL_TRUE@am__append_17 = plugins/sql
+@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_18 = plugins/sql/libstrongswan-sql.la
+@USE_UPDOWN_TRUE@am__append_19 = plugins/updown
+@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_20 = plugins/updown/libstrongswan-updown.la
+@USE_EAP_IDENTITY_TRUE@am__append_21 = plugins/eap_identity
+@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_22 = plugins/eap_identity/libstrongswan-eap-identity.la
+@USE_EAP_SIM_TRUE@am__append_23 = plugins/eap_sim
+@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_24 = plugins/eap_sim/libstrongswan-eap-sim.la
+@USE_EAP_SIM_FILE_TRUE@am__append_25 = plugins/eap_sim_file
+@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_26 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+@USE_EAP_SIMAKA_SQL_TRUE@am__append_27 = plugins/eap_simaka_sql
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_28 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_29 = plugins/eap_simaka_pseudonym
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_30 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_31 = plugins/eap_simaka_reauth
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_32 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+@USE_EAP_AKA_TRUE@am__append_33 = plugins/eap_aka
+@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_34 = plugins/eap_aka/libstrongswan-eap-aka.la
+@USE_EAP_AKA_3GPP2_TRUE@am__append_35 = plugins/eap_aka_3gpp2
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_36 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_37 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_EAP_MD5_TRUE@am__append_38 = plugins/eap_md5
+@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_39 = plugins/eap_md5/libstrongswan-eap-md5.la
+@USE_EAP_GTC_TRUE@am__append_40 = plugins/eap_gtc
+@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_41 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+@USE_EAP_MSCHAPV2_TRUE@am__append_42 = plugins/eap_mschapv2
+@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_43 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+@USE_EAP_RADIUS_TRUE@am__append_44 = plugins/eap_radius
+@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_45 = plugins/eap_radius/libstrongswan-eap-radius.la
+@USE_EAP_TLS_TRUE@am__append_46 = plugins/eap_tls
+@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_47 = plugins/eap_tls/libstrongswan-eap-tls.la
+@USE_EAP_TTLS_TRUE@am__append_48 = plugins/eap_ttls
+@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_49 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+@USE_EAP_TNC_TRUE@am__append_50 = plugins/eap_tnc
+@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_51 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_52 = $(top_builddir)/src/libtls/libtls.la
+@USE_TNC_IMC_TRUE@am__append_53 = plugins/tnc_imc
+@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc_imc.la
+@USE_TNC_IMV_TRUE@am__append_55 = plugins/tnc_imv
+@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc_imv.la
+@USE_TNCCS_11_TRUE@am__append_57 = plugins/tnccs_11
+@MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_58 = plugins/tnccs_11/libstrongswan-tnccs-11.la
+@USE_TNCCS_20_TRUE@am__append_59 = plugins/tnccs_20
+@MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_60 = plugins/tnccs_20/libstrongswan-tnccs-20.la
+@USE_MEDSRV_TRUE@am__append_61 = plugins/medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_62 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_63 = plugins/medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_64 = plugins/medcli/libstrongswan-medcli.la
+@USE_NM_TRUE@am__append_65 = plugins/nm
+@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_66 = plugins/nm/libstrongswan-nm.la
+@USE_DHCP_TRUE@am__append_67 = plugins/dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_68 = plugins/dhcp/libstrongswan-dhcp.la
+@USE_ANDROID_TRUE@am__append_69 = plugins/android
+@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_70 = plugins/android/libstrongswan-android.la
+@USE_MAEMO_TRUE@am__append_71 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_72 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_73 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_74 = plugins/ha/libstrongswan-ha.la
+@USE_LED_TRUE@am__append_75 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_76 = plugins/led/libstrongswan-led.la
+@USE_UCI_TRUE@am__append_77 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_78 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_79 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_80 = plugins/uci/libstrongswan-addrblock.la
+@USE_UNIT_TESTS_TRUE@am__append_81 = plugins/unit_tester
+@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_82 = plugins/unit_tester/libstrongswan-unit-tester.la
 subdir = src/libcharon
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -158,6 +135,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -190,18 +168,20 @@ LTLIBRARIES = $(lib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__append_5) $(am__append_8) \
-	$(am__append_11) $(am__append_14) $(am__append_17) \
-	$(am__append_20) $(am__append_23) $(am__append_26) \
-	$(am__append_29) $(am__append_32) $(am__append_35) \
-	$(am__append_38) $(am__append_41) $(am__append_44) \
-	$(am__append_47) $(am__append_50) $(am__append_53) \
-	$(am__append_56) $(am__append_59) $(am__append_62) \
-	$(am__append_65) $(am__append_66) $(am__append_69) \
-	$(am__append_72) $(am__append_75) $(am__append_78) \
-	$(am__append_81) $(am__append_84) $(am__append_87) \
-	$(am__append_90) $(am__append_93) $(am__append_96) \
-	$(am__append_99) $(am__append_102) $(am__append_105)
+	$(am__DEPENDENCIES_1) $(am__append_4) $(am__append_6) \
+	$(am__append_8) $(am__append_10) $(am__append_12) \
+	$(am__append_14) $(am__append_16) $(am__append_18) \
+	$(am__append_20) $(am__append_22) $(am__append_24) \
+	$(am__append_26) $(am__append_28) $(am__append_30) \
+	$(am__append_32) $(am__append_34) $(am__append_36) \
+	$(am__append_37) $(am__append_39) $(am__append_41) \
+	$(am__append_43) $(am__append_45) $(am__append_47) \
+	$(am__append_49) $(am__append_51) $(am__append_52) \
+	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_60) $(am__append_62) $(am__append_64) \
+	$(am__append_66) $(am__append_68) $(am__append_70) \
+	$(am__append_72) $(am__append_74) $(am__append_76) \
+	$(am__append_78) $(am__append_80) $(am__append_82)
 am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	bus/listeners/listener.h bus/listeners/file_logger.c \
 	bus/listeners/file_logger.h bus/listeners/sys_logger.c \
@@ -249,16 +229,12 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	encoding/payloads/unknown_payload.c \
 	encoding/payloads/unknown_payload.h \
 	encoding/payloads/vendor_id_payload.c \
-	encoding/payloads/vendor_id_payload.h \
-	kernel/kernel_interface.c kernel/kernel_interface.h \
-	kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-	kernel/kernel_net.h network/packet.c network/packet.h \
+	encoding/payloads/vendor_id_payload.h kernel/kernel_handler.c \
+	kernel/kernel_handler.h network/packet.c network/packet.h \
 	network/receiver.c network/receiver.h network/sender.c \
 	network/sender.h network/socket_manager.c \
 	network/socket_manager.h network/socket.h \
-	processing/jobs/job.h processing/jobs/acquire_job.c \
-	processing/jobs/acquire_job.h processing/jobs/callback_job.c \
-	processing/jobs/callback_job.h \
+	processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
 	processing/jobs/delete_child_sa_job.c \
 	processing/jobs/delete_child_sa_job.h \
 	processing/jobs/delete_ike_sa_job.c \
@@ -279,9 +255,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	processing/jobs/update_sa_job.c \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
-	processing/jobs/inactivity_job.h processing/scheduler.c \
-	processing/scheduler.h processing/processor.c \
-	processing/processor.h sa/authenticators/authenticator.c \
+	processing/jobs/inactivity_job.h \
+	sa/authenticators/authenticator.c \
 	sa/authenticators/authenticator.h \
 	sa/authenticators/eap_authenticator.c \
 	sa/authenticators/eap_authenticator.h \
@@ -313,7 +288,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
 	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
 	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	encoding/payloads/endpoint_notify.c \
+	tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \
+	tnccs/tnccs_manager.c encoding/payloads/endpoint_notify.c \
 	encoding/payloads/endpoint_notify.h \
 	processing/jobs/initiate_mediation_job.c \
 	processing/jobs/initiate_mediation_job.h \
@@ -334,22 +310,21 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \
 	notify_payload.lo payload.lo proposal_substructure.lo \
 	sa_payload.lo traffic_selector_substructure.lo \
 	transform_attribute.lo transform_substructure.lo ts_payload.lo \
-	unknown_payload.lo vendor_id_payload.lo kernel_interface.lo \
-	kernel_ipsec.lo packet.lo receiver.lo sender.lo \
-	socket_manager.lo acquire_job.lo callback_job.lo \
-	delete_child_sa_job.lo delete_ike_sa_job.lo migrate_job.lo \
-	process_message_job.lo rekey_child_sa_job.lo \
+	unknown_payload.lo vendor_id_payload.lo kernel_handler.lo \
+	packet.lo receiver.lo sender.lo socket_manager.lo \
+	acquire_job.lo delete_child_sa_job.lo delete_ike_sa_job.lo \
+	migrate_job.lo process_message_job.lo rekey_child_sa_job.lo \
 	rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \
 	send_keepalive_job.lo roam_job.lo update_sa_job.lo \
-	inactivity_job.lo scheduler.lo processor.lo authenticator.lo \
-	eap_authenticator.lo eap_method.lo eap_manager.lo \
-	sim_manager.lo psk_authenticator.lo pubkey_authenticator.lo \
-	child_sa.lo ike_sa.lo ike_sa_id.lo ike_sa_manager.lo \
-	task_manager.lo keymat.lo trap_manager.lo child_create.lo \
-	child_delete.lo child_rekey.lo ike_auth.lo ike_cert_pre.lo \
-	ike_cert_post.lo ike_config.lo ike_delete.lo ike_dpd.lo \
-	ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \
-	ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \
+	inactivity_job.lo authenticator.lo eap_authenticator.lo \
+	eap_method.lo eap_manager.lo sim_manager.lo \
+	psk_authenticator.lo pubkey_authenticator.lo child_sa.lo \
+	ike_sa.lo ike_sa_id.lo ike_sa_manager.lo task_manager.lo \
+	keymat.lo trap_manager.lo child_create.lo child_delete.lo \
+	child_rekey.lo ike_auth.lo ike_cert_pre.lo ike_cert_post.lo \
+	ike_config.lo ike_delete.lo ike_dpd.lo ike_init.lo ike_natd.lo \
+	ike_mobike.lo ike_rekey.lo ike_reauth.lo ike_auth_lifetime.lo \
+	ike_vendor.lo task.lo tnccs.lo tnccs_manager.lo \
 	$(am__objects_1)
 libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
@@ -381,18 +356,19 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
-	plugins/kernel_pfroute plugins/kernel_klips \
-	plugins/kernel_netlink plugins/socket_default \
+DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/socket_raw plugins/socket_dynamic plugins/farp \
 	plugins/stroke plugins/smp plugins/sql plugins/updown \
 	plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \
 	plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
 	plugins/eap_simaka_reauth plugins/eap_aka \
 	plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
-	plugins/eap_mschapv2 plugins/eap_radius plugins/medsrv \
-	plugins/medcli plugins/nm plugins/dhcp plugins/android \
-	plugins/ha plugins/uci plugins/addrblock plugins/unit_tester
+	plugins/eap_mschapv2 plugins/eap_radius plugins/eap_tls \
+	plugins/eap_ttls plugins/eap_tnc plugins/tnc_imc \
+	plugins/tnc_imv plugins/tnccs_11 plugins/tnccs_20 \
+	plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \
+	plugins/android plugins/maemo plugins/ha plugins/led \
+	plugins/uci plugins/addrblock plugins/unit_tester
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -484,6 +460,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -515,14 +493,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -537,24 +518,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -562,7 +550,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -622,16 +613,12 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	encoding/payloads/unknown_payload.c \
 	encoding/payloads/unknown_payload.h \
 	encoding/payloads/vendor_id_payload.c \
-	encoding/payloads/vendor_id_payload.h \
-	kernel/kernel_interface.c kernel/kernel_interface.h \
-	kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
-	kernel/kernel_net.h network/packet.c network/packet.h \
+	encoding/payloads/vendor_id_payload.h kernel/kernel_handler.c \
+	kernel/kernel_handler.h network/packet.c network/packet.h \
 	network/receiver.c network/receiver.h network/sender.c \
 	network/sender.h network/socket_manager.c \
 	network/socket_manager.h network/socket.h \
-	processing/jobs/job.h processing/jobs/acquire_job.c \
-	processing/jobs/acquire_job.h processing/jobs/callback_job.c \
-	processing/jobs/callback_job.h \
+	processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
 	processing/jobs/delete_child_sa_job.c \
 	processing/jobs/delete_child_sa_job.h \
 	processing/jobs/delete_ike_sa_job.c \
@@ -652,9 +639,8 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	processing/jobs/update_sa_job.c \
 	processing/jobs/update_sa_job.h \
 	processing/jobs/inactivity_job.c \
-	processing/jobs/inactivity_job.h processing/scheduler.c \
-	processing/scheduler.h processing/processor.c \
-	processing/processor.h sa/authenticators/authenticator.c \
+	processing/jobs/inactivity_job.h \
+	sa/authenticators/authenticator.c \
 	sa/authenticators/authenticator.h \
 	sa/authenticators/eap_authenticator.c \
 	sa/authenticators/eap_authenticator.h \
@@ -686,78 +672,78 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
 	sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
 	sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \
 	sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \
-	$(am__append_1)
+	tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \
+	tnccs/tnccs_manager.c $(am__append_1)
 INCLUDES = \
 	-I${linux_headers} \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
-	-DPLUGINS=\""${PLUGINS}\""
+AM_CFLAGS = \
+	-DIPSEC_DIR=\"${ipsecdir}\" \
+	-DIPSEC_PIDDIR=\"${piddir}\" \
+	-DPLUGINS=\""${libcharon_plugins}\""
+
 libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \
-	$(am__append_2) $(am__append_5) $(am__append_8) \
-	$(am__append_11) $(am__append_14) $(am__append_17) \
-	$(am__append_20) $(am__append_23) $(am__append_26) \
-	$(am__append_29) $(am__append_32) $(am__append_35) \
-	$(am__append_38) $(am__append_41) $(am__append_44) \
-	$(am__append_47) $(am__append_50) $(am__append_53) \
-	$(am__append_56) $(am__append_59) $(am__append_62) \
-	$(am__append_65) $(am__append_66) $(am__append_69) \
-	$(am__append_72) $(am__append_75) $(am__append_78) \
-	$(am__append_81) $(am__append_84) $(am__append_87) \
-	$(am__append_90) $(am__append_93) $(am__append_96) \
-	$(am__append_99) $(am__append_102) $(am__append_105)
+	$(am__append_2) $(am__append_4) $(am__append_6) \
+	$(am__append_8) $(am__append_10) $(am__append_12) \
+	$(am__append_14) $(am__append_16) $(am__append_18) \
+	$(am__append_20) $(am__append_22) $(am__append_24) \
+	$(am__append_26) $(am__append_28) $(am__append_30) \
+	$(am__append_32) $(am__append_34) $(am__append_36) \
+	$(am__append_37) $(am__append_39) $(am__append_41) \
+	$(am__append_43) $(am__append_45) $(am__append_47) \
+	$(am__append_49) $(am__append_51) $(am__append_52) \
+	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_60) $(am__append_62) $(am__append_64) \
+	$(am__append_66) $(am__append_68) $(am__append_70) \
+	$(am__append_72) $(am__append_74) $(am__append_76) \
+	$(am__append_78) $(am__append_80) $(am__append_82)
 EXTRA_DIST = Android.mk
-@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_6) \
-@MONOLITHIC_FALSE@	$(am__append_9) $(am__append_12) \
-@MONOLITHIC_FALSE@	$(am__append_15) $(am__append_18) \
-@MONOLITHIC_FALSE@	$(am__append_21) $(am__append_24) \
-@MONOLITHIC_FALSE@	$(am__append_27) $(am__append_30) \
-@MONOLITHIC_FALSE@	$(am__append_33) $(am__append_36) \
-@MONOLITHIC_FALSE@	$(am__append_39) $(am__append_42) \
-@MONOLITHIC_FALSE@	$(am__append_45) $(am__append_48) \
-@MONOLITHIC_FALSE@	$(am__append_51) $(am__append_54) \
-@MONOLITHIC_FALSE@	$(am__append_57) $(am__append_60) \
-@MONOLITHIC_FALSE@	$(am__append_63) $(am__append_67) \
-@MONOLITHIC_FALSE@	$(am__append_70) $(am__append_73) \
-@MONOLITHIC_FALSE@	$(am__append_76) $(am__append_79) \
-@MONOLITHIC_FALSE@	$(am__append_82) $(am__append_85) \
-@MONOLITHIC_FALSE@	$(am__append_88) $(am__append_91) \
-@MONOLITHIC_FALSE@	$(am__append_94) $(am__append_97) \
-@MONOLITHIC_FALSE@	$(am__append_100) $(am__append_103)
+@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_5) \
+@MONOLITHIC_FALSE@	$(am__append_7) $(am__append_9) \
+@MONOLITHIC_FALSE@	$(am__append_11) $(am__append_13) \
+@MONOLITHIC_FALSE@	$(am__append_15) $(am__append_17) \
+@MONOLITHIC_FALSE@	$(am__append_19) $(am__append_21) \
+@MONOLITHIC_FALSE@	$(am__append_23) $(am__append_25) \
+@MONOLITHIC_FALSE@	$(am__append_27) $(am__append_29) \
+@MONOLITHIC_FALSE@	$(am__append_31) $(am__append_33) \
+@MONOLITHIC_FALSE@	$(am__append_35) $(am__append_38) \
+@MONOLITHIC_FALSE@	$(am__append_40) $(am__append_42) \
+@MONOLITHIC_FALSE@	$(am__append_44) $(am__append_46) \
+@MONOLITHIC_FALSE@	$(am__append_48) $(am__append_50) \
+@MONOLITHIC_FALSE@	$(am__append_53) $(am__append_55) \
+@MONOLITHIC_FALSE@	$(am__append_57) $(am__append_59) \
+@MONOLITHIC_FALSE@	$(am__append_61) $(am__append_63) \
+@MONOLITHIC_FALSE@	$(am__append_65) $(am__append_67) \
+@MONOLITHIC_FALSE@	$(am__append_69) $(am__append_71) \
+@MONOLITHIC_FALSE@	$(am__append_73) $(am__append_75) \
+@MONOLITHIC_FALSE@	$(am__append_77) $(am__append_79) \
+@MONOLITHIC_FALSE@	$(am__append_81)
 
 # build optional plugins
 ########################
-@MONOLITHIC_TRUE@SUBDIRS = $(am__append_3) $(am__append_6) \
-@MONOLITHIC_TRUE@	$(am__append_9) $(am__append_12) \
-@MONOLITHIC_TRUE@	$(am__append_15) $(am__append_18) \
-@MONOLITHIC_TRUE@	$(am__append_21) $(am__append_24) \
-@MONOLITHIC_TRUE@	$(am__append_27) $(am__append_30) \
-@MONOLITHIC_TRUE@	$(am__append_33) $(am__append_36) \
-@MONOLITHIC_TRUE@	$(am__append_39) $(am__append_42) \
-@MONOLITHIC_TRUE@	$(am__append_45) $(am__append_48) \
-@MONOLITHIC_TRUE@	$(am__append_51) $(am__append_54) \
-@MONOLITHIC_TRUE@	$(am__append_57) $(am__append_60) \
-@MONOLITHIC_TRUE@	$(am__append_63) $(am__append_67) \
-@MONOLITHIC_TRUE@	$(am__append_70) $(am__append_73) \
-@MONOLITHIC_TRUE@	$(am__append_76) $(am__append_79) \
-@MONOLITHIC_TRUE@	$(am__append_82) $(am__append_85) \
-@MONOLITHIC_TRUE@	$(am__append_88) $(am__append_91) \
-@MONOLITHIC_TRUE@	$(am__append_94) $(am__append_97) \
-@MONOLITHIC_TRUE@	$(am__append_100) $(am__append_103)
-PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} $(am__append_4) \
-	$(am__append_7) $(am__append_10) $(am__append_13) \
-	$(am__append_16) $(am__append_19) $(am__append_22) \
-	$(am__append_25) $(am__append_28) $(am__append_31) \
-	$(am__append_34) $(am__append_37) $(am__append_40) \
-	$(am__append_43) $(am__append_46) $(am__append_49) \
-	$(am__append_52) $(am__append_55) $(am__append_58) \
-	$(am__append_61) $(am__append_64) $(am__append_68) \
-	$(am__append_71) $(am__append_74) $(am__append_77) \
-	$(am__append_80) $(am__append_83) $(am__append_86) \
-	$(am__append_89) $(am__append_92) $(am__append_95) \
-	$(am__append_98) $(am__append_101) $(am__append_104)
+@MONOLITHIC_TRUE@SUBDIRS = $(am__append_3) $(am__append_5) \
+@MONOLITHIC_TRUE@	$(am__append_7) $(am__append_9) \
+@MONOLITHIC_TRUE@	$(am__append_11) $(am__append_13) \
+@MONOLITHIC_TRUE@	$(am__append_15) $(am__append_17) \
+@MONOLITHIC_TRUE@	$(am__append_19) $(am__append_21) \
+@MONOLITHIC_TRUE@	$(am__append_23) $(am__append_25) \
+@MONOLITHIC_TRUE@	$(am__append_27) $(am__append_29) \
+@MONOLITHIC_TRUE@	$(am__append_31) $(am__append_33) \
+@MONOLITHIC_TRUE@	$(am__append_35) $(am__append_38) \
+@MONOLITHIC_TRUE@	$(am__append_40) $(am__append_42) \
+@MONOLITHIC_TRUE@	$(am__append_44) $(am__append_46) \
+@MONOLITHIC_TRUE@	$(am__append_48) $(am__append_50) \
+@MONOLITHIC_TRUE@	$(am__append_53) $(am__append_55) \
+@MONOLITHIC_TRUE@	$(am__append_57) $(am__append_59) \
+@MONOLITHIC_TRUE@	$(am__append_61) $(am__append_63) \
+@MONOLITHIC_TRUE@	$(am__append_65) $(am__append_67) \
+@MONOLITHIC_TRUE@	$(am__append_69) $(am__append_71) \
+@MONOLITHIC_TRUE@	$(am__append_73) $(am__append_75) \
+@MONOLITHIC_TRUE@	$(am__append_77) $(am__append_79) \
+@MONOLITHIC_TRUE@	$(am__append_81)
 all: all-recursive
 
 .SUFFIXES:
@@ -837,7 +823,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Plo@am__quote@
@@ -885,8 +870,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_ipsec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_handler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keymat.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mediation_manager.Plo@am__quote@
@@ -899,7 +883,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer_cfg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_message_job.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/processor.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_substructure.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk_authenticator.Plo@am__quote@
@@ -910,7 +893,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retransmit_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/roam_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa_payload.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_dpd_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_keepalive_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Plo@am__quote@
@@ -919,6 +901,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Plo@am__quote@
@@ -1194,19 +1178,12 @@ vendor_id_payload.lo: encoding/payloads/vendor_id_payload.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.lo `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
 
-kernel_interface.lo: kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
-
-kernel_ipsec.lo: kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@
+kernel_handler.lo: kernel/kernel_handler.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_handler.lo -MD -MP -MF $(DEPDIR)/kernel_handler.Tpo -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_handler.Tpo $(DEPDIR)/kernel_handler.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_handler.c' object='kernel_handler.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_handler.lo `test -f 'kernel/kernel_handler.c' || echo '$(srcdir)/'`kernel/kernel_handler.c
 
 packet.lo: network/packet.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.lo -MD -MP -MF $(DEPDIR)/packet.Tpo -c -o packet.lo `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
@@ -1243,13 +1220,6 @@ acquire_job.lo: processing/jobs/acquire_job.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.lo `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
 
-callback_job.lo: processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
-
 delete_child_sa_job.lo: processing/jobs/delete_child_sa_job.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.lo -MD -MP -MF $(DEPDIR)/delete_child_sa_job.Tpo -c -o delete_child_sa_job.lo `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/delete_child_sa_job.Tpo $(DEPDIR)/delete_child_sa_job.Plo
@@ -1334,20 +1304,6 @@ inactivity_job.lo: processing/jobs/inactivity_job.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o inactivity_job.lo `test -f 'processing/jobs/inactivity_job.c' || echo '$(srcdir)/'`processing/jobs/inactivity_job.c
 
-scheduler.lo: processing/scheduler.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
-
-processor.lo: processing/processor.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
-
 authenticator.lo: sa/authenticators/authenticator.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.lo -MD -MP -MF $(DEPDIR)/authenticator.Tpo -c -o authenticator.lo `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/authenticator.Tpo $(DEPDIR)/authenticator.Plo
@@ -1565,6 +1521,20 @@ task.lo: sa/tasks/task.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
 
+tnccs.lo: tnccs/tnccs.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c
+
+tnccs_manager.lo: tnccs/tnccs_manager.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c
+
 endpoint_notify.lo: encoding/payloads/endpoint_notify.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo
@@ -1934,6 +1904,8 @@ daemon.lo :		$(top_builddir)/config.status
 
 @MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@  # otherwise this library is linked to both the eap_aka and the eap_sim plugin
 
+@MONOLITHIC_TRUE@@USE_TLS_TRUE@  # otherwise this library is linked to eap_tls
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index 441009e5e..ab8d0fc48 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -17,7 +17,6 @@
 
 #include <stdint.h>
 
-#include <daemon.h>
 #include <threading/thread.h>
 #include <threading/thread_value.h>
 #include <threading/condvar.h>
@@ -163,7 +162,7 @@ METHOD(bus_t, listen_, void,
 
 	this->mutex->lock(this->mutex);
 	this->listeners->insert_last(this->listeners, data.entry);
-	charon->processor->queue_job(charon->processor, job);
+	lib->processor->queue_job(lib->processor, job);
 	thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
 	thread_cleanup_push((thread_cleanup_t)listener_cleanup, &data);
 	old = thread_cancelability(TRUE);
diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c
index 87db532f5..157436a7d 100644
--- a/src/libcharon/bus/listeners/file_logger.c
+++ b/src/libcharon/bus/listeners/file_logger.c
@@ -46,6 +46,11 @@ struct private_file_logger_t {
 	 * strftime() format of time prefix, if any
 	 */
 	char *time_format;
+
+	/**
+	 * Print the name/# of the IKE_SA?
+	 */
+	bool ike_name;
 };
 
 /**
@@ -56,7 +61,7 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
 {
 	if (level <= this->levels[group])
 	{
-		char buffer[8192], timestr[128];
+		char buffer[8192], timestr[128], namestr[128] = "";
 		char *current = buffer, *next;
 		struct tm tm;
 		time_t t;
@@ -67,6 +72,23 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
 			localtime_r(&t, &tm);
 			strftime(timestr, sizeof(timestr), this->time_format, &tm);
 		}
+		if (this->ike_name && ike_sa)
+		{
+			if (ike_sa->get_peer_cfg(ike_sa))
+			{
+				snprintf(namestr, sizeof(namestr), " <%s|%d>",
+					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
+			}
+			else
+			{
+				snprintf(namestr, sizeof(namestr), " <%d>",
+					ike_sa->get_unique_id(ike_sa));
+			}
+		}
+		else
+		{
+			namestr[0] = '\0';
+		}
 
 		/* write in memory buffer first */
 		vsnprintf(buffer, sizeof(buffer), format, args);
@@ -81,13 +103,13 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level,
 			}
 			if (this->time_format)
 			{
-				fprintf(this->out, "%s %.2d[%N] %s\n",
-						timestr, thread, debug_names, group, current);
+				fprintf(this->out, "%s %.2d[%N]%s %s\n",
+						timestr, thread, debug_names, group, namestr, current);
 			}
 			else
 			{
-				fprintf(this->out, "%.2d[%N] %s\n",
-						thread, debug_names, group, current);
+				fprintf(this->out, "%.2d[%N]%s %s\n",
+						thread, debug_names, group, namestr, current);
 			}
 			current = next;
 		}
@@ -129,7 +151,7 @@ static void destroy(private_file_logger_t *this)
 /*
  * Described in header.
  */
-file_logger_t *file_logger_create(FILE *out, char *time_format)
+file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name)
 {
 	private_file_logger_t *this = malloc_thing(private_file_logger_t);
 
@@ -142,6 +164,7 @@ file_logger_t *file_logger_create(FILE *out, char *time_format)
 	/* private variables */
 	this->out = out;
 	this->time_format = time_format;
+	this->ike_name = ike_name;
 	set_level(this, DBG_ANY, LEVEL_SILENT);
 
 	return &this->public;
diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h
index e02a12c0c..d02f1701d 100644
--- a/src/libcharon/bus/listeners/file_logger.h
+++ b/src/libcharon/bus/listeners/file_logger.h
@@ -54,8 +54,9 @@ struct file_logger_t {
  *
  * @param out			FILE to write to
  * @param time_format	format of timestamp prefix, as in strftime()
+ * @param ike_name		TRUE to prefix the name of the IKE_SA
  * @return				file_logger_t object
  */
-file_logger_t *file_logger_create(FILE *out, char *time_format);
+file_logger_t *file_logger_create(FILE *out, char *time_format, bool ike_name);
 
 #endif /** FILE_LOGGER_H_ @}*/
diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c
index 5bc1d581a..fa394ba88 100644
--- a/src/libcharon/bus/listeners/sys_logger.c
+++ b/src/libcharon/bus/listeners/sys_logger.c
@@ -41,6 +41,11 @@ struct private_sys_logger_t {
 	 * Maximum level to log, for each group
 	 */
 	level_t levels[DBG_MAX];
+
+	/**
+	 * Print the name/# of the IKE_SA?
+	 */
+	bool ike_name;
 };
 
 /**
@@ -51,12 +56,26 @@ static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
 {
 	if (level <= this->levels[group])
 	{
-		char buffer[8192];
+		char buffer[8192], namestr[128] = "";
 		char *current = buffer, *next;
 
 		/* write in memory buffer first */
 		vsnprintf(buffer, sizeof(buffer), format, args);
 
+		if (this->ike_name && ike_sa)
+		{
+			if (ike_sa->get_peer_cfg(ike_sa))
+			{
+				snprintf(namestr, sizeof(namestr), " <%s|%d>",
+					ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
+			}
+			else
+			{
+				snprintf(namestr, sizeof(namestr), " <%d>",
+					ike_sa->get_unique_id(ike_sa));
+			}
+		}
+
 		/* do a syslog with every line */
 		while (current)
 		{
@@ -65,8 +84,8 @@ static bool log_(private_sys_logger_t *this, debug_t group, level_t level,
 			{
 				*(next++) = '\0';
 			}
-			syslog(this->facility|LOG_INFO, "%.2d[%N] %s\n",
-				   thread, debug_names, group, current);
+			syslog(this->facility|LOG_INFO, "%.2d[%N]%s %s\n",
+				   thread, debug_names, group, namestr, current);
 			current = next;
 		}
 	}
@@ -104,7 +123,7 @@ static void destroy(private_sys_logger_t *this)
 /*
  * Described in header.
  */
-sys_logger_t *sys_logger_create(int facility)
+sys_logger_t *sys_logger_create(int facility, bool ike_name)
 {
 	private_sys_logger_t *this = malloc_thing(private_sys_logger_t);
 
@@ -116,6 +135,7 @@ sys_logger_t *sys_logger_create(int facility)
 
 	/* private variables */
 	this->facility = facility;
+	this->ike_name = ike_name;
 	set_level(this, DBG_ANY, LEVEL_SILENT);
 
 	return &this->public;
diff --git a/src/libcharon/bus/listeners/sys_logger.h b/src/libcharon/bus/listeners/sys_logger.h
index 58d4de529..d83715a6a 100644
--- a/src/libcharon/bus/listeners/sys_logger.h
+++ b/src/libcharon/bus/listeners/sys_logger.h
@@ -53,8 +53,9 @@ struct sys_logger_t {
  * Constructor to create a sys_logger_t object.
  *
  * @param facility	syslog facility to use
+ * @param ike_name	TRUE to prefix the name of the IKE_SA
  * @return			sys_logger_t object
  */
-sys_logger_t *sys_logger_create(int facility);
+sys_logger_t *sys_logger_create(int facility, bool ike_name);
 
 #endif /** SYS_LOGGER_H_ @}*/
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 70f38b285..1cdfd5949 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -27,15 +27,6 @@ ENUM(action_names, ACTION_NONE, ACTION_RESTART,
 	"restart",
 );
 
-ENUM_BEGIN(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_NONE,
-	"IPCOMP_NONE");
-ENUM_NEXT(ipcomp_transform_names, IPCOMP_OUI, IPCOMP_LZJH, IPCOMP_NONE,
-	"IPCOMP_OUI",
-	"IPCOMP_DEFLATE",
-	"IPCOMP_LZS",
-	"IPCOMP_LZJH");
-ENUM_END(ipcomp_transform_names, IPCOMP_LZJH);
-
 typedef struct private_child_cfg_t private_child_cfg_t;
 
 /**
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index d34835ead..1e6fe3fe9 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -24,9 +24,6 @@
 #define CHILD_CFG_H_
 
 typedef enum action_t action_t;
-typedef enum ipcomp_transform_t ipcomp_transform_t;
-typedef struct lifetime_cfg_t lifetime_cfg_t;
-typedef struct mark_t mark_t;
 typedef struct child_cfg_t child_cfg_t;
 
 #include <library.h>
@@ -52,48 +49,6 @@ enum action_t {
 extern enum_name_t *action_names;
 
 /**
- * IPComp transform IDs, as in RFC 4306
- */
-enum ipcomp_transform_t {
-	IPCOMP_NONE = 241,
-	IPCOMP_OUI = 1,
-	IPCOMP_DEFLATE = 2,
-	IPCOMP_LZS = 3,
-	IPCOMP_LZJH = 4,
-};
-
-/**
- * enum strings for ipcomp_transform_t.
- */
-extern enum_name_t *ipcomp_transform_names;
-
-/**
- * A lifetime_cfg_t defines the lifetime limits of a CHILD_SA.
- *
- * Set any of these values to 0 to ignore.
- */
-struct lifetime_cfg_t {
-	struct {
-		/** Limit before the CHILD_SA gets invalid. */
-		u_int64_t	life;
-		/** Limit before the CHILD_SA gets rekeyed. */
-		u_int64_t	rekey;
-		/** The range of a random value subtracted from rekey. */
-		u_int64_t	jitter;
-	} time, bytes, packets;
-};
-
-/**
- * A mark_t defines an optional mark in a CHILD_SA.
- */
-struct mark_t {
-	/** Mark value */
-	u_int32_t value;
-	/** Mark mask */
-	u_int32_t mask;
-};
-
-/**
  * A child_cfg_t defines the config template for a CHILD_SA.
  *
  * After creation, proposals and traffic selectors may be added to the config.
@@ -238,7 +193,7 @@ struct child_cfg_t {
 	 * Check whether IPComp should be used, if the other peer supports it.
 	 *
 	 * @return				TRUE, if IPComp should be used
-	 * 						FALSE, otherwise
+	 *						FALSE, otherwise
 	 */
 	bool (*use_ipcomp)(child_cfg_t *this);
 
@@ -259,7 +214,7 @@ struct child_cfg_t {
 	/**
 	 * Optional mark for CHILD_SA
 	 *
-	 * @param inbound		TRUE for inbound, FALSE for outbound 
+	 * @param inbound		TRUE for inbound, FALSE for outbound
 	 * @return				mark
 	 */
 	mark_t (*get_mark)(child_cfg_t *this, bool inbound);
@@ -277,7 +232,7 @@ struct child_cfg_t {
 	 * Check whether IPsec transport SA should be set up in proxy mode
 	 *
 	 * @return				TRUE, if proxy mode should be used
-	 * 						FALSE, otherwise
+	 *						FALSE, otherwise
 	 */
 	bool (*use_proxy_mode)(child_cfg_t *this);
 
@@ -285,7 +240,7 @@ struct child_cfg_t {
 	 * Check whether IPsec policies should be installed in the kernel
 	 *
 	 * @return				TRUE, if IPsec kernel policies should be installed
-	 * 						FALSE, otherwise
+	 *						FALSE, otherwise
 	 */
 	bool (*install_policy)(child_cfg_t *this);
 
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index e86393028..5b8294599 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008-2009 Tobias Brunner
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -87,6 +87,11 @@ struct private_proposal_t {
 	 * senders SPI
 	 */
 	u_int64_t spi;
+
+	/**
+	 * Proposal number
+	 */
+	u_int number;
 };
 
 /**
@@ -117,11 +122,9 @@ static void add_algo(linked_list_t *list, u_int16_t algo, u_int16_t key_size)
 	list->insert_last(list, (void*)algo_key);
 }
 
-/**
- * Implements proposal_t.add_algorithm
- */
-static void add_algorithm(private_proposal_t *this, transform_type_t type,
-						  u_int16_t algo, u_int16_t key_size)
+METHOD(proposal_t, add_algorithm, void,
+	private_proposal_t *this, transform_type_t type,
+	u_int16_t algo, u_int16_t key_size)
 {
 	switch (type)
 	{
@@ -160,11 +163,8 @@ static bool alg_filter(void *null, algorithm_t **in, u_int16_t *alg,
 	return TRUE;
 }
 
-/**
- * Implements proposal_t.create_enumerator.
- */
-static enumerator_t *create_enumerator(private_proposal_t *this,
-									   transform_type_t type)
+METHOD(proposal_t, create_enumerator, enumerator_t*,
+	private_proposal_t *this, transform_type_t type)
 {
 	linked_list_t *list;
 
@@ -192,11 +192,9 @@ static enumerator_t *create_enumerator(private_proposal_t *this,
 									(void*)alg_filter, NULL, NULL);
 }
 
-/**
- * Implements proposal_t.get_algorithm.
- */
-static bool get_algorithm(private_proposal_t *this, transform_type_t type,
-						  u_int16_t *alg, u_int16_t *key_size)
+METHOD(proposal_t, get_algorithm, bool,
+	private_proposal_t *this, transform_type_t type,
+	u_int16_t *alg, u_int16_t *key_size)
 {
 	enumerator_t *enumerator;
 	bool found = FALSE;
@@ -210,10 +208,8 @@ static bool get_algorithm(private_proposal_t *this, transform_type_t type,
 	return found;
 }
 
-/**
- * Implements proposal_t.has_dh_group
- */
-static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
+METHOD(proposal_t, has_dh_group, bool,
+	private_proposal_t *this, diffie_hellman_group_t group)
 {
 	bool result = FALSE;
 
@@ -240,10 +236,8 @@ static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
 	return result;
 }
 
-/**
- * Implementation of proposal_t.strip_dh.
- */
-static void strip_dh(private_proposal_t *this)
+METHOD(proposal_t, strip_dh, void,
+	private_proposal_t *this)
 {
 	algorithm_t *alg;
 
@@ -254,28 +248,6 @@ static void strip_dh(private_proposal_t *this)
 }
 
 /**
- * Returns true if the given alg is an authenticated encryption algorithm
- */
-static bool is_authenticated_encryption(u_int16_t alg)
-{
-	switch(alg)
-	{
-		case ENCR_AES_CCM_ICV8:
-		case ENCR_AES_CCM_ICV12:
-		case ENCR_AES_CCM_ICV16:
-		case ENCR_AES_GCM_ICV8:
-		case ENCR_AES_GCM_ICV12:
-		case ENCR_AES_GCM_ICV16:
-		case ENCR_CAMELLIA_CCM_ICV8:
-		case ENCR_CAMELLIA_CCM_ICV12:
-		case ENCR_CAMELLIA_CCM_ICV16:
-		case ENCR_NULL_AUTH_AES_GMAC:
-			return TRUE;
-	}
-	return FALSE;
-}
-
-/**
  * Find a matching alg/keysize in two linked lists
  */
 static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
@@ -326,12 +298,10 @@ static bool select_algo(linked_list_t *first, linked_list_t *second, bool priv,
 	return FALSE;
 }
 
-/**
- * Implements proposal_t.select.
- */
-static proposal_t *select_proposal(private_proposal_t *this,
-								private_proposal_t *other, bool private)
+METHOD(proposal_t, select_proposal, proposal_t*,
+	private_proposal_t *this, proposal_t *other_pub, bool private)
 {
+	private_proposal_t *other = (private_proposal_t*)other_pub;
 	proposal_t *selected;
 	u_int16_t algo;
 	size_t key_size;
@@ -346,7 +316,7 @@ static proposal_t *select_proposal(private_proposal_t *this,
 		return NULL;
 	}
 
-	selected = proposal_create(this->protocol);
+	selected = proposal_create(this->protocol, other->number);
 
 	/* select encryption algorithm */
 	if (select_algo(this->encryption_algos, other->encryption_algos, private,
@@ -366,7 +336,7 @@ static proposal_t *select_proposal(private_proposal_t *this,
 		return NULL;
 	}
 	/* select integrity algorithm */
-	if (!is_authenticated_encryption(algo))
+	if (!encryption_algorithm_is_aead(algo))
 	{
 		if (select_algo(this->integrity_algos, other->integrity_algos, private,
 						&add, &algo, &key_size))
@@ -442,26 +412,20 @@ static proposal_t *select_proposal(private_proposal_t *this,
 	return selected;
 }
 
-/**
- * Implements proposal_t.get_protocols.
- */
-static protocol_id_t get_protocol(private_proposal_t *this)
+METHOD(proposal_t, get_protocol, protocol_id_t,
+	private_proposal_t *this)
 {
 	return this->protocol;
 }
 
-/**
- * Implements proposal_t.set_spi.
- */
-static void set_spi(private_proposal_t *this, u_int64_t spi)
+METHOD(proposal_t, set_spi, void,
+	private_proposal_t *this, u_int64_t spi)
 {
 	this->spi = spi;
 }
 
-/**
- * Implements proposal_t.get_spi.
- */
-static u_int64_t get_spi(private_proposal_t *this)
+METHOD(proposal_t, get_spi, u_int64_t,
+	private_proposal_t *this)
 {
 	return this->spi;
 }
@@ -514,19 +478,21 @@ static bool algo_list_equals(linked_list_t *l1, linked_list_t *l2)
 	return equals;
 }
 
-/**
- * Implementation of proposal_t.equals.
- */
-static bool equals(private_proposal_t *this, private_proposal_t *other)
+METHOD(proposal_t, get_number, u_int,
+	private_proposal_t *this)
+{
+	return this->number;
+}
+
+METHOD(proposal_t, equals, bool,
+	private_proposal_t *this, proposal_t *other_pub)
 {
+	private_proposal_t *other = (private_proposal_t*)other_pub;
+
 	if (this == other)
 	{
 		return TRUE;
 	}
-	if (this->public.equals != other->public.equals)
-	{
-		return FALSE;
-	}
 	return (
 		algo_list_equals(this->encryption_algos, other->encryption_algos) &&
 		algo_list_equals(this->integrity_algos, other->integrity_algos) &&
@@ -535,13 +501,12 @@ static bool equals(private_proposal_t *this, private_proposal_t *other)
 		algo_list_equals(this->esns, other->esns));
 }
 
-/**
- * Implements proposal_t.clone
- */
-static proposal_t *clone_(private_proposal_t *this)
+METHOD(proposal_t, clone_, proposal_t*,
+	private_proposal_t *this)
 {
-	private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol);
+	private_proposal_t *clone;
 
+	clone = (private_proposal_t*)proposal_create(this->protocol, 0);
 	clone_algo_list(this->encryption_algos, clone->encryption_algos);
 	clone_algo_list(this->integrity_algos, clone->integrity_algos);
 	clone_algo_list(this->prf_algos, clone->prf_algos);
@@ -549,6 +514,7 @@ static proposal_t *clone_(private_proposal_t *this)
 	clone_algo_list(this->esns, clone->esns);
 
 	clone->spi = this->spi;
+	clone->number = this->number;
 
 	return &clone->public;
 }
@@ -565,7 +531,7 @@ static void check_proposal(private_proposal_t *this)
 	e = this->encryption_algos->create_enumerator(this->encryption_algos);
 	while (e->enumerate(e, &alg))
 	{
-		if (!is_authenticated_encryption(alg->algorithm))
+		if (!encryption_algorithm_is_aead(alg->algorithm))
 		{
 			all_aead = FALSE;
 			break;
@@ -623,6 +589,9 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
 			case AUTH_AES_XCBC_96:
 				prf = PRF_AES128_XCBC;
 				break;
+			case AUTH_CAMELLIA_XCBC_96:
+				prf = PRF_CAMELLIA128_XCBC;
+				break;
 			default:
 				prf = PRF_UNDEFINED;
 		}
@@ -715,10 +684,8 @@ int proposal_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	return written;
 }
 
-/**
- * Implements proposal_t.destroy.
- */
-static void destroy(private_proposal_t *this)
+METHOD(proposal_t, destroy, void,
+	private_proposal_t *this)
 {
 	this->encryption_algos->destroy_function(this->encryption_algos, free);
 	this->integrity_algos->destroy_function(this->integrity_algos, free);
@@ -731,31 +698,34 @@ static void destroy(private_proposal_t *this)
 /*
  * Describtion in header-file
  */
-proposal_t *proposal_create(protocol_id_t protocol)
+proposal_t *proposal_create(protocol_id_t protocol, u_int number)
 {
-	private_proposal_t *this = malloc_thing(private_proposal_t);
-
-	this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,u_int16_t))add_algorithm;
-	this->public.create_enumerator = (enumerator_t* (*)(proposal_t*,transform_type_t))create_enumerator;
-	this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,u_int16_t*,u_int16_t*))get_algorithm;
-	this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
-	this->public.strip_dh = (void(*)(proposal_t*))strip_dh;
-	this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*,bool))select_proposal;
-	this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
-	this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
-	this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
-	this->public.equals = (bool(*)(proposal_t*, proposal_t *other))equals;
-	this->public.clone = (proposal_t*(*)(proposal_t*))clone_;
-	this->public.destroy = (void(*)(proposal_t*))destroy;
-
-	this->spi = 0;
-	this->protocol = protocol;
-
-	this->encryption_algos = linked_list_create();
-	this->integrity_algos = linked_list_create();
-	this->prf_algos = linked_list_create();
-	this->dh_groups = linked_list_create();
-	this->esns = linked_list_create();
+	private_proposal_t *this;
+
+	INIT(this,
+		.public = {
+			.add_algorithm = _add_algorithm,
+			.create_enumerator = _create_enumerator,
+			.get_algorithm = _get_algorithm,
+			.has_dh_group = _has_dh_group,
+			.strip_dh = _strip_dh,
+			.select = _select_proposal,
+			.get_protocol = _get_protocol,
+			.set_spi = _set_spi,
+			.get_spi = _get_spi,
+			.get_number = _get_number,
+			.equals = _equals,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+		.protocol = protocol,
+		.number = number,
+		.encryption_algos = linked_list_create(),
+		.integrity_algos = linked_list_create(),
+		.prf_algos = linked_list_create(),
+		.dh_groups = linked_list_create(),
+		.esns = linked_list_create(),
+	);
 
 	return &this->public;
 }
@@ -777,19 +747,24 @@ static void proposal_add_supported_ike(private_proposal_t *this)
 		switch (encryption)
 		{
 			case ENCR_AES_CBC:
-				/* we assume that we support all AES sizes */
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
-				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
-				break;
-			case ENCR_3DES:
 			case ENCR_AES_CTR:
+			case ENCR_CAMELLIA_CBC:
+			case ENCR_CAMELLIA_CTR:
 			case ENCR_AES_CCM_ICV8:
 			case ENCR_AES_CCM_ICV12:
 			case ENCR_AES_CCM_ICV16:
 			case ENCR_AES_GCM_ICV8:
 			case ENCR_AES_GCM_ICV12:
 			case ENCR_AES_GCM_ICV16:
+			case ENCR_CAMELLIA_CCM_ICV8:
+			case ENCR_CAMELLIA_CCM_ICV12:
+			case ENCR_CAMELLIA_CCM_ICV16:
+				/* we assume that we support all AES/Camellia sizes */
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 128);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 192);
+				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 256);
+				break;
+			case ENCR_3DES:
 				add_algorithm(this, ENCRYPTION_ALGORITHM, encryption, 0);
 				break;
 			case ENCR_DES:
@@ -877,7 +852,7 @@ static void proposal_add_supported_ike(private_proposal_t *this)
  */
 proposal_t *proposal_create_default(protocol_id_t protocol)
 {
-	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
 
 	switch (protocol)
 	{
@@ -912,7 +887,7 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
  */
 proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
 {
-	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+	private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
 	chunk_t string = {(void*)algs, strlen(algs)};
 	chunk_t alg;
 	status_t status = SUCCESS;
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index 30f63b80d..97af5b60b 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -161,6 +161,13 @@ struct proposal_t {
 	void (*set_spi) (proposal_t *this, u_int64_t spi);
 
 	/**
+	 * Get the proposal number, as encoded in SA payload
+	 *
+	 * @return				proposal number
+	 */
+	u_int (*get_number)(proposal_t *this);
+
+	/**
 	 * Check for the eqality of two proposals.
 	 *
 	 * @param other			other proposal to check for equality
@@ -185,9 +192,10 @@ struct proposal_t {
  * Create a child proposal for AH, ESP or IKE.
  *
  * @param protocol			protocol, such as PROTO_ESP
+ * @param number			proposal number, as encoded in SA payload
  * @return 					proposal_t object
  */
-proposal_t *proposal_create(protocol_id_t protocol);
+proposal_t *proposal_create(protocol_id_t protocol, u_int number);
 
 /**
  * Create a default proposal if nothing further specified.
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index c0227027c..4b8e1fadd 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -33,6 +33,7 @@
 
 #include <library.h>
 #include <config/proposal.h>
+#include <kernel/kernel_handler.h>
 
 #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
 #define LOG_AUTHPRIV LOG_AUTH
@@ -50,6 +51,11 @@ struct private_daemon_t {
 	daemon_t public;
 
 	/**
+	 * Handler for kernel events
+	 */
+	kernel_handler_t *kernel_handler;
+
+	/**
 	 * capabilities to keep
 	 */
 #ifdef CAPABILITIES_LIBCAP
@@ -94,10 +100,8 @@ static void dbg_bus(debug_t group, level_t level, char *fmt, ...)
 static void destroy(private_daemon_t *this)
 {
 	/* terminate all idle threads */
-	if (this->public.processor)
-	{
-		this->public.processor->set_threads(this->public.processor, 0);
-	}
+	lib->processor->set_threads(lib->processor, 0);
+
 	/* close all IKE_SAs */
 	if (this->public.ike_sa_manager)
 	{
@@ -110,21 +114,19 @@ static void destroy(private_daemon_t *this)
 #ifdef CAPABILITIES_LIBCAP
 	cap_free(this->caps);
 #endif /* CAPABILITIES_LIBCAP */
+	DESTROY_IF(this->kernel_handler);
 	DESTROY_IF(this->public.traps);
 	DESTROY_IF(this->public.ike_sa_manager);
-	DESTROY_IF(this->public.kernel_interface);
-	DESTROY_IF(this->public.scheduler);
 	DESTROY_IF(this->public.controller);
 	DESTROY_IF(this->public.eap);
 	DESTROY_IF(this->public.sim);
+	DESTROY_IF(this->public.tnccs);
 #ifdef ME
 	DESTROY_IF(this->public.connect_manager);
 	DESTROY_IF(this->public.mediation_manager);
 #endif /* ME */
 	DESTROY_IF(this->public.backends);
 	DESTROY_IF(this->public.socket);
-	/* wait until all threads are gone */
-	DESTROY_IF(this->public.processor);
 
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_old;
@@ -176,7 +178,7 @@ METHOD(daemon_t, start, void,
 	   private_daemon_t *this)
 {
 	/* start the engine, go multithreaded */
-	charon->processor->set_threads(charon->processor,
+	lib->processor->set_threads(lib->processor,
 						lib->settings->get_int(lib->settings, "charon.threads",
 											   DEFAULT_THREADS));
 }
@@ -213,7 +215,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 	int loggers_defined = 0;
 	debug_t group;
 	level_t  def;
-	bool append;
+	bool append, ike_name;
 	FILE *file;
 
 	/* setup sysloggers */
@@ -222,13 +224,16 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 	while (enumerator->enumerate(enumerator, &facility))
 	{
 		loggers_defined++;
+
+		ike_name = lib->settings->get_bool(lib->settings,
+								"charon.syslog.%s.ike_name", FALSE, facility);
 		if (streq(facility, "daemon"))
 		{
-			sys_logger = sys_logger_create(LOG_DAEMON);
+			sys_logger = sys_logger_create(LOG_DAEMON, ike_name);
 		}
 		else if (streq(facility, "auth"))
 		{
-			sys_logger = sys_logger_create(LOG_AUTHPRIV);
+			sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name);
 		}
 		else
 		{
@@ -282,7 +287,9 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 		}
 		file_logger = file_logger_create(file,
 						lib->settings->get_str(lib->settings,
-							"charon.filelog.%s.time_format", NULL, filename));
+							"charon.filelog.%s.time_format", NULL, filename),
+						lib->settings->get_bool(lib->settings,
+							"charon.filelog.%s.ike_name", FALSE, filename));
 		def = lib->settings->get_int(lib->settings,
 									 "charon.filelog.%s.default", 1, filename);
 		for (group = 0; group < DBG_MAX; group++)
@@ -303,12 +310,12 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 	if (!loggers_defined)
 	{
 		/* set up default stdout file_logger */
-		file_logger = file_logger_create(stdout, NULL);
+		file_logger = file_logger_create(stdout, NULL, FALSE);
 		this->public.bus->add_listener(this->public.bus, &file_logger->listener);
 		this->public.file_loggers->insert_last(this->public.file_loggers,
 											   file_logger);
 		/* set up default daemon sys_logger */
-		sys_logger = sys_logger_create(LOG_DAEMON);
+		sys_logger = sys_logger_create(LOG_DAEMON, FALSE);
 		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
 		this->public.sys_loggers->insert_last(this->public.sys_loggers,
 											  sys_logger);
@@ -322,7 +329,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr,
 		}
 
 		/* set up default auth sys_logger */
-		sys_logger = sys_logger_create(LOG_AUTHPRIV);
+		sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE);
 		this->public.bus->add_listener(this->public.bus, &sys_logger->listener);
 		this->public.sys_loggers->insert_last(this->public.sys_loggers,
 											  sys_logger);
@@ -356,15 +363,14 @@ METHOD(daemon_t, initialize, bool,
 	}
 
 	/* load secrets, ca certificates and crls */
-	this->public.processor = processor_create();
-	this->public.scheduler = scheduler_create();
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
 	this->public.sim = sim_manager_create();
+	this->public.tnccs = tnccs_manager_create();
 	this->public.backends = backend_manager_create();
-	this->public.kernel_interface = kernel_interface_create();
 	this->public.socket = socket_manager_create();
 	this->public.traps = trap_manager_create();
+	this->kernel_handler = kernel_handler_create();
 
 	/* load plugins, further infrastructure may need it */
 	if (!lib->plugins->load(lib->plugins, NULL,
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 38f0256e7..c0c834b43 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -37,7 +37,7 @@
  * @defgroup payloads payloads
  * @ingroup encoding
  *
- * @defgroup kernel kernel
+ * @defgroup ckernel kernel
  * @ingroup libcharon
  *
  * @defgroup network network
@@ -46,11 +46,11 @@
  * @defgroup cplugins plugins
  * @ingroup libcharon
  *
- * @defgroup processing processing
+ * @defgroup cprocessing processing
  * @ingroup libcharon
  *
- * @defgroup jobs jobs
- * @ingroup processing
+ * @defgroup cjobs jobs
+ * @ingroup cprocessing
  *
  * @defgroup sa sa
  * @ingroup libcharon
@@ -140,9 +140,6 @@ typedef struct daemon_t daemon_t;
 #include <network/sender.h>
 #include <network/receiver.h>
 #include <network/socket_manager.h>
-#include <processing/scheduler.h>
-#include <processing/processor.h>
-#include <kernel/kernel_interface.h>
 #include <control/controller.h>
 #include <bus/bus.h>
 #include <bus/listeners/file_logger.h>
@@ -152,6 +149,7 @@ typedef struct daemon_t daemon_t;
 #include <config/backend_manager.h>
 #include <sa/authenticators/eap/eap_manager.h>
 #include <sa/authenticators/eap/sim_manager.h>
+#include <tnccs/tnccs_manager.h>
 
 #ifdef ME
 #include <sa/connect_manager.h>
@@ -209,16 +207,6 @@ struct daemon_t {
 	receiver_t *receiver;
 
 	/**
-	 * The Scheduler-Thread.
-	 */
-	scheduler_t *scheduler;
-
-	/**
-	 * Job processing using a thread pool.
-	 */
-	processor_t *processor;
-
-	/**
 	 * The signaling bus.
 	 */
 	bus_t *bus;
@@ -234,11 +222,6 @@ struct daemon_t {
 	linked_list_t *sys_loggers;
 
 	/**
-	 * Kernel Interface to communicate with kernel
-	 */
-	kernel_interface_t *kernel_interface;
-
-	/**
 	 * Controller to control the daemon
 	 */
 	controller_t *controller;
@@ -253,6 +236,11 @@ struct daemon_t {
 	 */
 	sim_manager_t *sim;
 
+	/**
+	 * TNCCS manager to maintain registered TNCCS protocols
+	 */
+	tnccs_manager_t *tnccs;
+
 #ifdef ME
 	/**
 	 * Connect manager
diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c
index 6485da492..224f76fce 100644
--- a/src/libcharon/encoding/generator.c
+++ b/src/libcharon/encoding/generator.c
@@ -42,6 +42,16 @@
 #include <encoding/payloads/configuration_attribute.h>
 #include <encoding/payloads/eap_payload.h>
 
+/**
+ * Generating is done in a data buffer.
+ * This is the start size of this buffer in bytes.
+ */
+#define GENERATOR_DATA_BUFFER_SIZE 500
+
+/**
+ * Number of bytes to increase the buffer, if it is too small.
+ */
+#define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500
 
 typedef struct private_generator_t private_generator_t;
 
@@ -453,36 +463,19 @@ static void generate_from_chunk(private_generator_t *this, u_int32_t offset)
 	write_bytes_to_buffer(this, value->ptr, value->len);
 }
 
-/**
- * Implementation of private_generator_t.write_to_chunk.
- */
-static void write_to_chunk(private_generator_t *this,chunk_t *data)
+METHOD(generator_t, get_chunk, chunk_t,
+	private_generator_t *this, u_int32_t **lenpos)
 {
-	int data_length = get_length(this);
-	u_int32_t header_length_field = data_length;
-
-	/* write length into header length field */
-	if (this->header_length_position_offset > 0)
-	{
-		u_int32_t val = htonl(header_length_field);
-		write_bytes_to_buffer_at_offset(this, &val, sizeof(u_int32_t),
-										this->header_length_position_offset);
-	}
+	chunk_t data;
 
-	if (this->current_bit > 0)
-	{
-		data_length++;
-	}
-	*data = chunk_alloc(data_length);
-	memcpy(data->ptr, this->buffer, data_length);
-
-	DBG3(DBG_ENC, "generated data of this generator %B", data);
+	*lenpos = (u_int32_t*)(this->buffer + this->header_length_position_offset);
+	data = chunk_create(this->buffer, get_length(this));
+	DBG3(DBG_ENC, "generated data of this generator %B", &data);
+	return data;
 }
 
-/**
- * Implementation of private_generator_t.generate_payload.
- */
-static void generate_payload (private_generator_t *this,payload_t *payload)
+METHOD(generator_t, generate_payload, void,
+	private_generator_t *this,payload_t *payload)
 {
 	int i, offset_start;
 	size_t rule_count;
@@ -846,14 +839,11 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
 		 this->out_position - this->buffer - offset_start);
 }
 
-/**
- * Implementation of generator_t.destroy.
- */
-static status_t destroy(private_generator_t *this)
+METHOD(generator_t, destroy, void,
+	private_generator_t *this)
 {
 	free(this->buffer);
 	free(this);
-	return SUCCESS;
 }
 
 /*
@@ -863,26 +853,18 @@ generator_t *generator_create()
 {
 	private_generator_t *this;
 
-	this = malloc_thing(private_generator_t);
-
-	/* initiate public functions */
-	this->public.generate_payload = (void(*)(generator_t*, payload_t *))generate_payload;
-	this->public.destroy = (void(*)(generator_t*)) destroy;
-	this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *))write_to_chunk;
+	INIT(this,
+		.public = {
+			.get_chunk = _get_chunk,
+			.generate_payload = _generate_payload,
+			.destroy = _destroy,
+		},
+		.buffer = malloc(GENERATOR_DATA_BUFFER_SIZE),
+	);
 
-	/* allocate memory for buffer */
-	this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE);
-
-	/* initiate private variables */
 	this->out_position = this->buffer;
 	this->roof_position = this->buffer + GENERATOR_DATA_BUFFER_SIZE;
-	this->data_struct = NULL;
-	this->current_bit = 0;
-	this->last_payload_length_position_offset = 0;
-	this->header_length_position_offset = 0;
-	this->attribute_format = FALSE;
-	this->attribute_length = 0;
-
-	return &(this->public);
+
+	return &this->public;
 }
 
diff --git a/src/libcharon/encoding/generator.h b/src/libcharon/encoding/generator.h
index 2221c84af..fe561fdfd 100644
--- a/src/libcharon/encoding/generator.h
+++ b/src/libcharon/encoding/generator.h
@@ -29,24 +29,12 @@ typedef struct generator_t generator_t;
 #include <encoding/payloads/payload.h>
 
 /**
- * Generating is done in a data buffer.
- * This is the start size of this buffer in bytes.
- */
-#define GENERATOR_DATA_BUFFER_SIZE 500
-
-/**
- * Number of bytes to increase the buffer, if it is too small.
- */
-#define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500
-
-
-/**
  * A generator_t class used to generate IKEv2 payloads.
  *
  * After creation, multiple payloads can be generated with the generate_payload
  * method. The generated bytes are appended. After all payloads are added,
  * the write_to_chunk method writes out all generated data since
- * the creation of the generator. After that, the generator must be destroyed.
+ * the creation of the generator.
  * The generater uses a set of encoding rules, which it can get from
  * the supplied payload. With this rules, the generater can generate
  * the payload and all substructures automatically.
@@ -56,18 +44,20 @@ struct generator_t {
 	/**
 	 * Generates a specific payload from given payload object.
 	 *
-	 * Remember: Header and substructures are also handled as payloads.
-	 *
 	 * @param payload 		interface payload_t implementing object
 	 */
 	void (*generate_payload) (generator_t *this,payload_t *payload);
 
 	/**
-	 * Writes all generated data of the generator to a chunk.
+	 * Return a chunk for the currently generated data.
+	 *
+	 * The returned length pointer must be filled in with the length of
+	 * the generated chunk (in network order).
 	 *
-	 * @param data 		chunk to write the data to
+	 * @param lenpos		receives a pointer to fill in length value
+	 * @param return		chunk to internal buffer.
 	 */
-	void (*write_to_chunk) (generator_t *this,chunk_t *data);
+	chunk_t (*get_chunk) (generator_t *this, u_int32_t **lenpos);
 
 	/**
 	 * Destroys a generator_t object.
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index ee49a6686..d41ad4697 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2006-2007 Tobias Brunner
- * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -43,111 +44,61 @@
  */
 #define MAX_DELETE_PAYLOADS 20
 
-
-typedef struct payload_rule_t payload_rule_t;
-
 /**
  * A payload rule defines the rules for a payload
  * in a specific message rule. It defines if and how
  * many times a payload must/can occur in a message
  * and if it must be encrypted.
  */
-struct payload_rule_t {
-	/**
-	 * Payload type.
-	 */
-	 payload_type_t payload_type;
-
-	 /**
-	  * Minimal occurence of this payload.
-	  */
-	 size_t min_occurence;
-
-	 /**
-	  * Max occurence of this payload.
-	  */
-	 size_t max_occurence;
-
-	 /**
-	  * TRUE if payload must be encrypted
-	  */
-	 bool encrypted;
-
-	 /**
-	  * If this payload occurs, the message rule is
-	  * fullfilled in any case. This applies e.g. to
-	  * notify_payloads.
-	  */
-	 bool sufficient;
-};
-
-typedef struct payload_order_t payload_order_t;
+typedef struct {
+	/* Payload type */
+	 payload_type_t type;
+	/* Minimal occurence of this payload. */
+	size_t min_occurence;
+	/* Max occurence of this payload. */
+	size_t max_occurence;
+	/* TRUE if payload must be encrypted */
+	bool encrypted;
+	/* If payload occurs, the message rule is fullfilled */
+	bool sufficient;
+} payload_rule_t;
 
 /**
  * payload ordering structure allows us to reorder payloads according to RFC.
  */
-struct payload_order_t {
-
-	/**
-	 * payload type
-	 */
+typedef struct {
+	/** payload type */
 	payload_type_t type;
-
-	/**
-	 * notify type, if payload == NOTIFY
-	 */
+	/** notify type, if payload == NOTIFY */
 	notify_type_t notify;
-};
-
-
-typedef struct message_rule_t message_rule_t;
+} payload_order_t;
 
 /**
  * A message rule defines the kind of a message,
  * if it has encrypted contents and a list
  * of payload ordering rules and payload parsing rules.
  */
-struct message_rule_t {
-	/**
-	 * Type of message.
-	 */
+typedef struct {
+	/** Type of message. */
 	exchange_type_t exchange_type;
-
-	/**
-	 * Is message a request or response.
-	 */
+	/** Is message a request or response. */
 	bool is_request;
-
-	/**
-	 * Message contains encrypted content.
-	 */
-	bool encrypted_content;
-
-	/**
-	 * Number of payload rules which will follow
-	 */
-	int payload_rule_count;
-
-	/**
-	 * Pointer to first payload rule
-	 */
-	payload_rule_t *payload_rules;
-
-	/**
-	 * Number of payload order rules
-	 */
-	int payload_order_count;
-
-	/**
-	 * payload ordering rules
-	 */
-	payload_order_t *payload_order;
-};
+	/** Message contains encrypted payloads. */
+	bool encrypted;
+	/** Number of payload rules which will follow */
+	int rule_count;
+	/** Pointer to first payload rule */
+	payload_rule_t *rules;
+	/** Number of payload order rules */
+	int order_count;
+	/** payload ordering rules */
+	payload_order_t *order;
+} message_rule_t;
 
 /**
  * Message rule for IKE_SA_INIT from initiator.
  */
-static payload_rule_t ike_sa_init_i_payload_rules[] = {
+static payload_rule_t ike_sa_init_i_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	FALSE,	FALSE},
 	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
@@ -159,7 +110,7 @@ static payload_rule_t ike_sa_init_i_payload_rules[] = {
 /**
  * payload order for IKE_SA_INIT initiator
  */
-static payload_order_t ike_sa_init_i_payload_order[] = {
+static payload_order_t ike_sa_init_i_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						COOKIE},
 	{SECURITY_ASSOCIATION,			0},
@@ -174,7 +125,7 @@ static payload_order_t ike_sa_init_i_payload_order[] = {
 /**
  * Message rule for IKE_SA_INIT from responder.
  */
-static payload_rule_t ike_sa_init_r_payload_rules[] = {
+static payload_rule_t ike_sa_init_r_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	FALSE,	TRUE},
 	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
@@ -186,7 +137,7 @@ static payload_rule_t ike_sa_init_r_payload_rules[] = {
 /**
  * payload order for IKE_SA_INIT responder
  */
-static payload_order_t ike_sa_init_r_payload_order[] = {
+static payload_order_t ike_sa_init_r_order[] = {
 /*	payload type					notify type */
 	{SECURITY_ASSOCIATION,			0},
 	{KEY_EXCHANGE,					0},
@@ -202,7 +153,7 @@ static payload_order_t ike_sa_init_r_payload_order[] = {
 /**
  * Message rule for IKE_AUTH from initiator.
  */
-static payload_rule_t ike_auth_i_payload_rules[] = {
+static payload_rule_t ike_auth_i_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
@@ -227,7 +178,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
 /**
  * payload order for IKE_AUTH initiator
  */
-static payload_order_t ike_auth_i_payload_order[] = {
+static payload_order_t ike_auth_i_order[] = {
 /*	payload type					notify type */
 	{ID_INITIATOR,					0},
 	{CERTIFICATE,					0},
@@ -256,7 +207,7 @@ static payload_order_t ike_auth_i_payload_order[] = {
 /**
  * Message rule for IKE_AUTH from responder.
  */
-static payload_rule_t ike_auth_r_payload_rules[] = {
+static payload_rule_t ike_auth_r_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{EXTENSIBLE_AUTHENTICATION,		0,	1,						TRUE,	TRUE},
@@ -273,7 +224,7 @@ static payload_rule_t ike_auth_r_payload_rules[] = {
 /**
  * payload order for IKE_AUTH responder
  */
-static payload_order_t ike_auth_r_payload_order[] = {
+static payload_order_t ike_auth_r_order[] = {
 /*	payload type					notify type */
 	{ID_RESPONDER,					0},
 	{CERTIFICATE,					0},
@@ -299,7 +250,7 @@ static payload_order_t ike_auth_r_payload_order[] = {
 /**
  * Message rule for INFORMATIONAL from initiator.
  */
-static payload_rule_t informational_i_payload_rules[] = {
+static payload_rule_t informational_i_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
@@ -310,7 +261,7 @@ static payload_rule_t informational_i_payload_rules[] = {
 /**
  * payload order for INFORMATIONAL initiator
  */
-static payload_order_t informational_i_payload_order[] = {
+static payload_order_t informational_i_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						UPDATE_SA_ADDRESSES},
 	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
@@ -324,7 +275,7 @@ static payload_order_t informational_i_payload_order[] = {
 /**
  * Message rule for INFORMATIONAL from responder.
  */
-static payload_rule_t informational_r_payload_rules[] = {
+static payload_rule_t informational_r_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{CONFIGURATION,					0,	1,						TRUE,	FALSE},
@@ -335,7 +286,7 @@ static payload_rule_t informational_r_payload_rules[] = {
 /**
  * payload order for INFORMATIONAL responder
  */
-static payload_order_t informational_r_payload_order[] = {
+static payload_order_t informational_r_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						UPDATE_SA_ADDRESSES},
 	{NOTIFY,						NAT_DETECTION_SOURCE_IP},
@@ -349,7 +300,7 @@ static payload_order_t informational_r_payload_order[] = {
 /**
  * Message rule for CREATE_CHILD_SA from initiator.
  */
-static payload_rule_t create_child_sa_i_payload_rules[] = {
+static payload_rule_t create_child_sa_i_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	FALSE},
 	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
@@ -364,7 +315,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = {
 /**
  * payload order for CREATE_CHILD_SA from initiator.
  */
-static payload_order_t create_child_sa_i_payload_order[] = {
+static payload_order_t create_child_sa_i_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						REKEY_SA},
 	{NOTIFY,						IPCOMP_SUPPORTED},
@@ -382,7 +333,7 @@ static payload_order_t create_child_sa_i_payload_order[] = {
 /**
  * Message rule for CREATE_CHILD_SA from responder.
  */
-static payload_rule_t create_child_sa_r_payload_rules[] = {
+static payload_rule_t create_child_sa_r_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{SECURITY_ASSOCIATION,			1,	1,						TRUE,	FALSE},
@@ -397,7 +348,7 @@ static payload_rule_t create_child_sa_r_payload_rules[] = {
 /**
  * payload order for CREATE_CHILD_SA from responder.
  */
-static payload_order_t create_child_sa_r_payload_order[] = {
+static payload_order_t create_child_sa_r_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						IPCOMP_SUPPORTED},
 	{NOTIFY,						USE_TRANSPORT_MODE},
@@ -416,7 +367,7 @@ static payload_order_t create_child_sa_r_payload_order[] = {
 /**
  * Message rule for ME_CONNECT from initiator.
  */
-static payload_rule_t me_connect_i_payload_rules[] = {
+static payload_rule_t me_connect_i_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{ID_PEER,						1,	1,						TRUE,	FALSE},
@@ -426,7 +377,7 @@ static payload_rule_t me_connect_i_payload_rules[] = {
 /**
  * payload order for ME_CONNECT from initiator.
  */
-static payload_order_t me_connect_i_payload_order[] = {
+static payload_order_t me_connect_i_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						0},
 	{ID_PEER,						0},
@@ -436,7 +387,7 @@ static payload_order_t me_connect_i_payload_order[] = {
 /**
  * Message rule for ME_CONNECT from responder.
  */
-static payload_rule_t me_connect_r_payload_rules[] = {
+static payload_rule_t me_connect_r_rules[] = {
 /*	payload type					min	max						encr	suff */
 	{NOTIFY,						0,	MAX_NOTIFY_PAYLOADS,	TRUE,	TRUE},
 	{VENDOR_ID,						0,	10,						TRUE,	FALSE}
@@ -445,7 +396,7 @@ static payload_rule_t me_connect_r_payload_rules[] = {
 /**
  * payload order for ME_CONNECT from responder.
  */
-static payload_order_t me_connect_r_payload_order[] = {
+static payload_order_t me_connect_r_order[] = {
 /*	payload type					notify type */
 	{NOTIFY,						0},
 	{VENDOR_ID,						0},
@@ -457,65 +408,45 @@ static payload_order_t me_connect_r_payload_order[] = {
  */
 static message_rule_t message_rules[] = {
 	{IKE_SA_INIT,		TRUE,	FALSE,
-		(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),
-		ike_sa_init_i_payload_rules,
-		(sizeof(ike_sa_init_i_payload_order)/sizeof(payload_order_t)),
-		ike_sa_init_i_payload_order,
+		countof(ike_sa_init_i_rules), ike_sa_init_i_rules,
+		countof(ike_sa_init_i_order), ike_sa_init_i_order,
 	},
 	{IKE_SA_INIT,		FALSE,	FALSE,
-		(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),
-		ike_sa_init_r_payload_rules,
-		(sizeof(ike_sa_init_r_payload_order)/sizeof(payload_order_t)),
-		ike_sa_init_r_payload_order,
+		countof(ike_sa_init_r_rules), ike_sa_init_r_rules,
+		countof(ike_sa_init_r_order), ike_sa_init_r_order,
 	},
 	{IKE_AUTH,			TRUE,	TRUE,
-		(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),
-		ike_auth_i_payload_rules,
-		(sizeof(ike_auth_i_payload_order)/sizeof(payload_order_t)),
-		ike_auth_i_payload_order,
+		countof(ike_auth_i_rules), ike_auth_i_rules,
+		countof(ike_auth_i_order), ike_auth_i_order,
 	},
 	{IKE_AUTH,			FALSE,	TRUE,
-		(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),
-		ike_auth_r_payload_rules,
-		(sizeof(ike_auth_r_payload_order)/sizeof(payload_order_t)),
-		ike_auth_r_payload_order,
+		countof(ike_auth_r_rules), ike_auth_r_rules,
+		countof(ike_auth_r_order), ike_auth_r_order,
 	},
 	{INFORMATIONAL,		TRUE,	TRUE,
-		(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),
-		informational_i_payload_rules,
-		(sizeof(informational_i_payload_order)/sizeof(payload_order_t)),
-		informational_i_payload_order,
+		countof(informational_i_rules), informational_i_rules,
+		countof(informational_i_order), informational_i_order,
 	},
 	{INFORMATIONAL,		FALSE,	TRUE,
-		(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),
-		informational_r_payload_rules,
-		(sizeof(informational_r_payload_order)/sizeof(payload_order_t)),
-		informational_r_payload_order,
+		countof(informational_r_rules), informational_r_rules,
+		countof(informational_r_order), informational_r_order,
 	},
 	{CREATE_CHILD_SA,	TRUE,	TRUE,
-		(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),
-		create_child_sa_i_payload_rules,
-		(sizeof(create_child_sa_i_payload_order)/sizeof(payload_order_t)),
-		create_child_sa_i_payload_order,
+		countof(create_child_sa_i_rules), create_child_sa_i_rules,
+		countof(create_child_sa_i_order), create_child_sa_i_order,
 	},
 	{CREATE_CHILD_SA,	FALSE,	TRUE,
-		(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),
-		create_child_sa_r_payload_rules,
-		(sizeof(create_child_sa_r_payload_order)/sizeof(payload_order_t)),
-		create_child_sa_r_payload_order,
+		countof(create_child_sa_r_rules), create_child_sa_r_rules,
+		countof(create_child_sa_r_order), create_child_sa_r_order,
 	},
 #ifdef ME
 	{ME_CONNECT,		TRUE,	TRUE,
-		(sizeof(me_connect_i_payload_rules)/sizeof(payload_rule_t)),
-		me_connect_i_payload_rules,
-		(sizeof(me_connect_i_payload_order)/sizeof(payload_order_t)),
-		me_connect_i_payload_order,
+		countof(me_connect_i_rules), me_connect_i_rules,
+		countof(me_connect_i_order), me_connect_i_order,
 	},
 	{ME_CONNECT,		FALSE,	TRUE,
-		(sizeof(me_connect_r_payload_rules)/sizeof(payload_rule_t)),
-		me_connect_r_payload_rules,
-		(sizeof(me_connect_r_payload_order)/sizeof(payload_order_t)),
-		me_connect_r_payload_order,
+		countof(me_connect_r_rules), me_connect_r_rules,
+		countof(me_connect_r_order), me_connect_r_order,
 	},
 #endif /* ME */
 };
@@ -586,169 +517,132 @@ struct private_message_t {
 	/**
 	 * The message rule for this message instance
 	 */
-	message_rule_t *message_rule;
+	message_rule_t *rule;
 };
 
 /**
- * Implementation of private_message_t.set_message_rule.
+ * Get the message rule that applies to this message
  */
-static  status_t set_message_rule(private_message_t *this)
+static message_rule_t* get_message_rule(private_message_t *this)
 {
 	int i;
 
-	for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
+	for (i = 0; i < countof(message_rules); i++)
 	{
 		if ((this->exchange_type == message_rules[i].exchange_type) &&
 			(this->is_request == message_rules[i].is_request))
 		{
-			/* found rule for given exchange_type*/
-			this->message_rule = &(message_rules[i]);
-			return SUCCESS;
+			return &message_rules[i];
 		}
 	}
-	this->message_rule = NULL;
-	return NOT_FOUND;
+	return NULL;
 }
 
 /**
- * Implementation of private_message_t.get_payload_rule.
+ * Look up a payload rule
  */
-static status_t get_payload_rule(private_message_t *this,
-					payload_type_t payload_type, payload_rule_t **payload_rule)
+static payload_rule_t* get_payload_rule(private_message_t *this,
+										payload_type_t type)
 {
 	int i;
 
-	for (i = 0; i < this->message_rule->payload_rule_count;i++)
+	for (i = 0; i < this->rule->rule_count;i++)
 	{
-		if (this->message_rule->payload_rules[i].payload_type == payload_type)
+		if (this->rule->rules[i].type == type)
 		{
-			*payload_rule = &(this->message_rule->payload_rules[i]);
-			return SUCCESS;
+			return &this->rule->rules[i];
 		}
 	}
-
-	*payload_rule = NULL;
-	return NOT_FOUND;
+	return NULL;
 }
 
-/**
- * Implementation of message_t.set_ike_sa_id.
- */
-static void set_ike_sa_id(private_message_t *this,ike_sa_id_t *ike_sa_id)
+METHOD(message_t, set_ike_sa_id, void,
+	private_message_t *this,ike_sa_id_t *ike_sa_id)
 {
 	DESTROY_IF(this->ike_sa_id);
 	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
 }
 
-/**
- * Implementation of message_t.get_ike_sa_id.
- */
-static ike_sa_id_t* get_ike_sa_id(private_message_t *this)
+METHOD(message_t, get_ike_sa_id, ike_sa_id_t*,
+	private_message_t *this)
 {
 	return this->ike_sa_id;
 }
 
-/**
- * Implementation of message_t.set_message_id.
- */
-static void set_message_id(private_message_t *this,u_int32_t message_id)
+METHOD(message_t, set_message_id, void,
+	private_message_t *this,u_int32_t message_id)
 {
 	this->message_id = message_id;
 }
 
-/**
- * Implementation of message_t.get_message_id.
- */
-static u_int32_t get_message_id(private_message_t *this)
+METHOD(message_t, get_message_id, u_int32_t,
+	private_message_t *this)
 {
 	return this->message_id;
 }
 
-/**
- * Implementation of message_t.get_initiator_spi.
- */
-static u_int64_t get_initiator_spi(private_message_t *this)
+METHOD(message_t, get_initiator_spi, u_int64_t,
+	private_message_t *this)
 {
 	return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
 }
 
-/**
- * Implementation of message_t.get_responder_spi.
- */
-static u_int64_t get_responder_spi(private_message_t *this)
+METHOD(message_t, get_responder_spi, u_int64_t,
+	private_message_t *this)
 {
 	return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
 }
 
-/**
- * Implementation of message_t.set_major_version.
- */
-static void set_major_version(private_message_t *this,u_int8_t major_version)
+METHOD(message_t, set_major_version, void,
+	private_message_t *this, u_int8_t major_version)
 {
 	this->major_version = major_version;
 }
 
-/**
- * Implementation of message_t.set_major_version.
- */
-static u_int8_t get_major_version(private_message_t *this)
+METHOD(message_t, get_major_version, u_int8_t,
+	private_message_t *this)
 {
 	return this->major_version;
 }
 
-/**
- * Implementation of message_t.set_minor_version.
- */
-static void set_minor_version(private_message_t *this,u_int8_t minor_version)
+METHOD(message_t, set_minor_version, void,
+	private_message_t *this,u_int8_t minor_version)
 {
 	this->minor_version = minor_version;
 }
 
-/**
- * Implementation of message_t.get_minor_version.
- */
-static u_int8_t get_minor_version(private_message_t *this)
+METHOD(message_t, get_minor_version, u_int8_t,
+	private_message_t *this)
 {
 	return this->minor_version;
 }
 
-/**
- * Implementation of message_t.set_exchange_type.
- */
-static void set_exchange_type(private_message_t *this,
-							  exchange_type_t exchange_type)
+METHOD(message_t, set_exchange_type, void,
+	private_message_t *this, exchange_type_t exchange_type)
 {
 	this->exchange_type = exchange_type;
 }
 
-/**
- * Implementation of message_t.get_exchange_type.
- */
-static exchange_type_t get_exchange_type(private_message_t *this)
+METHOD(message_t, get_exchange_type, exchange_type_t,
+	private_message_t *this)
 {
 	return this->exchange_type;
 }
 
-/**
- * Implementation of message_t.get_first_payload_type.
- */
-static payload_type_t get_first_payload_type(private_message_t *this)
+METHOD(message_t, get_first_payload_type, payload_type_t,
+	private_message_t *this)
 {
 	return this->first_payload;
 }
 
-/**
- * Implementation of message_t.set_request.
- */
-static void set_request(private_message_t *this, bool request)
+METHOD(message_t, set_request, void,
+	private_message_t *this, bool request)
 {
 	this->is_request = request;
 }
 
-/**
- * Implementation of message_t.get_request.
- */
-static exchange_type_t get_request(private_message_t *this)
+METHOD(message_t, get_request, bool,
+	private_message_t *this)
 {
 	return this->is_request;
 }
@@ -767,10 +661,8 @@ static bool is_encoded(private_message_t *this)
 	return TRUE;
 }
 
-/**
- * Implementation of message_t.add_payload.
- */
-static void add_payload(private_message_t *this, payload_t *payload)
+METHOD(message_t, add_payload, void,
+	private_message_t *this, payload_t *payload)
 {
 	payload_t *last_payload;
 
@@ -790,11 +682,8 @@ static void add_payload(private_message_t *this, payload_t *payload)
 		 payload_type_names, payload->get_type(payload));
 }
 
-/**
- * Implementation of message_t.add_notify.
- */
-static void add_notify(private_message_t *this, bool flush, notify_type_t type,
-					   chunk_t data)
+METHOD(message_t, add_notify, void,
+	private_message_t *this, bool flush, notify_type_t type, chunk_t data)
 {
 	notify_payload_t *notify;
 	payload_t *payload;
@@ -813,50 +702,38 @@ static void add_notify(private_message_t *this, bool flush, notify_type_t type,
 	add_payload(this, (payload_t*)notify);
 }
 
-/**
- * Implementation of message_t.set_source.
- */
-static void set_source(private_message_t *this, host_t *host)
+METHOD(message_t, set_source, void,
+	private_message_t *this, host_t *host)
 {
 	this->packet->set_source(this->packet, host);
 }
 
-/**
- * Implementation of message_t.set_destination.
- */
-static void set_destination(private_message_t *this, host_t *host)
+METHOD(message_t, set_destination, void,
+	private_message_t *this, host_t *host)
 {
 	this->packet->set_destination(this->packet, host);
 }
 
-/**
- * Implementation of message_t.get_source.
- */
-static host_t* get_source(private_message_t *this)
+METHOD(message_t, get_source, host_t*,
+	private_message_t *this)
 {
 	return this->packet->get_source(this->packet);
 }
 
-/**
- * Implementation of message_t.get_destination.
- */
-static host_t * get_destination(private_message_t *this)
+METHOD(message_t, get_destination, host_t*,
+	private_message_t *this)
 {
 	return this->packet->get_destination(this->packet);
 }
 
-/**
- * Implementation of message_t.create_payload_enumerator.
- */
-static enumerator_t *create_payload_enumerator(private_message_t *this)
+METHOD(message_t, create_payload_enumerator, enumerator_t*,
+	private_message_t *this)
 {
 	return this->payloads->create_enumerator(this->payloads);
 }
 
-/**
- * Implementation of message_t.get_payload.
- */
-static payload_t *get_payload(private_message_t *this, payload_type_t type)
+METHOD(message_t, get_payload, payload_t*,
+	private_message_t *this, payload_type_t type)
 {
 	payload_t *current, *found = NULL;
 	enumerator_t *enumerator;
@@ -874,10 +751,8 @@ static payload_t *get_payload(private_message_t *this, payload_type_t type)
 	return found;
 }
 
-/**
- * Implementation of message_t.get_notify
- */
-static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
+METHOD(message_t, get_notify, notify_payload_t*,
+	private_message_t *this, notify_type_t type)
 {
 	enumerator_t *enumerator;
 	notify_payload_t *notify = NULL;
@@ -1034,11 +909,13 @@ static void order_payloads(private_message_t *this)
 		list->insert_first(list, payload);
 	}
 	/* for each rule, ... */
-	for (i = 0; i < this->message_rule->payload_order_count; i++)
+	for (i = 0; i < this->rule->order_count; i++)
 	{
 		enumerator_t *enumerator;
 		notify_payload_t *notify;
-		payload_order_t order = this->message_rule->payload_order[i];
+		payload_order_t order;
+
+		order = this->rule->order[i];
 
 		/* ... find all payload ... */
 		enumerator = list->create_enumerator(list);
@@ -1068,8 +945,8 @@ static void order_payloads(private_message_t *this)
 		{
 			DBG1(DBG_ENC, "payload %N has no ordering rule in %N %s",
 				 payload_type_names, payload->get_type(payload),
-				 exchange_type_names, this->message_rule->exchange_type,
-				 this->message_rule->is_request ? "request" : "response");
+				 exchange_type_names, this->rule->exchange_type,
+				 this->rule->is_request ? "request" : "response");
 		}
 		add_payload(this, payload);
 	}
@@ -1077,98 +954,67 @@ static void order_payloads(private_message_t *this)
 }
 
 /**
- * Implementation of private_message_t.encrypt_payloads.
+ * Wrap payloads in a encryption payload
  */
-static status_t encrypt_payloads(private_message_t *this,
-								 crypter_t *crypter, signer_t* signer)
+static encryption_payload_t* wrap_payloads(private_message_t *this)
 {
 	encryption_payload_t *encryption;
 	linked_list_t *payloads;
 	payload_t *current;
-	status_t status;
 
-	if (!this->message_rule->encrypted_content)
-	{
-		DBG2(DBG_ENC, "message doesn't have to be encrypted");
-		/* message contains no content to encrypt */
-		return SUCCESS;
-	}
-
-	if (!crypter || !signer)
-	{
-		DBG2(DBG_ENC, "no crypter or signer specified, do not encrypt message");
-		/* message contains no content to encrypt */
-		return SUCCESS;
-	}
-
-	DBG2(DBG_ENC, "copy all payloads to a temporary list");
+	/* copy all payloads in a temporary list */
 	payloads = linked_list_create();
-
-	/* first copy all payloads in a temporary list */
-	while (this->payloads->get_count(this->payloads) > 0)
+	while (this->payloads->remove_first(this->payloads,
+										(void**)&current) == SUCCESS)
 	{
-		this->payloads->remove_first(this->payloads, (void**)&current);
 		payloads->insert_last(payloads, current);
 	}
 
 	encryption = encryption_payload_create();
-
-	DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
-	while (payloads->get_count(payloads) > 0)
+	while (payloads->remove_first(payloads, (void**)&current) == SUCCESS)
 	{
 		payload_rule_t *rule;
 		payload_type_t type;
-		bool to_encrypt = TRUE;
-
-		payloads->remove_first(payloads, (void**)&current);
+		bool encrypt = TRUE;
 
 		type = current->get_type(current);
-		if (get_payload_rule(this, type, &rule) == SUCCESS)
+		rule = get_payload_rule(this, type);
+		if (rule)
 		{
-			to_encrypt = rule->encrypted;
+			encrypt = rule->encrypted;
 		}
-		if (to_encrypt)
+		if (encrypt)
 		{
 			DBG2(DBG_ENC, "insert payload %N to encryption payload",
-				 payload_type_names, current->get_type(current));
+				 payload_type_names, type);
 			encryption->add_payload(encryption, current);
 		}
 		else
 		{
 			DBG2(DBG_ENC, "insert payload %N unencrypted",
-				 payload_type_names, current->get_type(current));
-			add_payload(this, (payload_t*)current);
+				 payload_type_names, type);
+			add_payload(this, current);
 		}
 	}
-
-	DBG2(DBG_ENC, "encrypting encryption payload");
-	encryption->set_transforms(encryption, crypter, signer);
-	status = encryption->encrypt(encryption);
-	DBG2(DBG_ENC, "add encrypted payload to payload list");
-	add_payload(this, (payload_t*)encryption);
-
 	payloads->destroy(payloads);
 
-	return status;
+	return encryption;
 }
 
-/**
- * Implementation of message_t.generate.
- */
-static status_t generate(private_message_t *this, crypter_t *crypter,
-						 signer_t* signer, packet_t **packet)
+METHOD(message_t, generate, status_t,
+	private_message_t *this, aead_t *aead, packet_t **packet)
 {
 	generator_t *generator;
 	ike_header_t *ike_header;
-	payload_t *payload, *next_payload;
+	payload_t *payload, *next;
+	encryption_payload_t *encryption = NULL;
 	enumerator_t *enumerator;
-	status_t status;
-	chunk_t packet_data;
+	chunk_t chunk;
 	char str[256];
+	u_int32_t *lenpos;
 
 	if (is_encoded(this))
-	{
-		/* already generated, return a new packet clone */
+	{	/* already generated, return a new packet clone */
 		*packet = this->packet->clone(this->packet);
 		return SUCCESS;
 	}
@@ -1182,14 +1028,12 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 	if (this->packet->get_source(this->packet) == NULL ||
 		this->packet->get_destination(this->packet) == NULL)
 	{
-		DBG1(DBG_ENC, "%s not defined",
-			 !this->packet->get_source(this->packet) ? "source" : "destination");
+		DBG1(DBG_ENC, "source/destination not defined");
 		return INVALID_STATE;
 	}
 
-	/* set the rules for this messge */
-	status = set_message_rule(this);
-	if (status != SUCCESS)
+	this->rule = get_message_rule(this);
+	if (!this->rule)
 	{
 		DBG1(DBG_ENC, "no message rules specified for this message type");
 		return NOT_SUPPORTED;
@@ -1199,17 +1043,16 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 
 	DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
 
-	/* going to encrypt all content which have to be encrypted */
-	status = encrypt_payloads(this, crypter, signer);
-	if (status != SUCCESS)
+	if (aead && this->rule->encrypted)
 	{
-		DBG1(DBG_ENC, "payload encryption failed");
-		return status;
+		encryption = wrap_payloads(this);
+	}
+	else
+	{
+		DBG2(DBG_ENC, "not encrypting payloads");
 	}
 
-	/* build ike header */
 	ike_header = ike_header_create();
-
 	ike_header->set_exchange_type(ike_header, this->exchange_type);
 	ike_header->set_message_id(ike_header, this->message_id);
 	ike_header->set_response_flag(ike_header, !this->is_request);
@@ -1222,54 +1065,49 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
 
 	generator = generator_create();
 
+	/* generate all payloads with proper next type */
 	payload = (payload_t*)ike_header;
-
-	/* generate every payload expect last one, this is done later*/
 	enumerator = create_payload_enumerator(this);
-	while (enumerator->enumerate(enumerator, &next_payload))
+	while (enumerator->enumerate(enumerator, &next))
 	{
-		payload->set_next_type(payload, next_payload->get_type(next_payload));
+		payload->set_next_type(payload, next->get_type(next));
 		generator->generate_payload(generator, payload);
-		payload = next_payload;
+		payload = next;
 	}
 	enumerator->destroy(enumerator);
-
-	/* last payload has no next payload*/
-	payload->set_next_type(payload, NO_PAYLOAD);
-
+	payload->set_next_type(payload, encryption ? ENCRYPTED : NO_PAYLOAD);
 	generator->generate_payload(generator, payload);
-
 	ike_header->destroy(ike_header);
 
-	/* build packet */
-	generator->write_to_chunk(generator, &packet_data);
-	generator->destroy(generator);
-
-	/* if last payload is of type encrypted, integrity checksum if necessary */
-	if (payload->get_type(payload) == ENCRYPTED)
+	if (encryption)
 	{
-		DBG2(DBG_ENC, "build signature on whole message");
-		encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
-		status = encryption_payload->build_signature(encryption_payload, packet_data);
-		if (status != SUCCESS)
+		u_int32_t *lenpos;
+
+		/* build associated data (without header of encryption payload) */
+		chunk = generator->get_chunk(generator, &lenpos);
+		encryption->set_transform(encryption, aead);
+		/* fill in length, including encryption payload */
+		htoun32(lenpos, chunk.len + encryption->get_length(encryption));
+
+		this->payloads->insert_last(this->payloads, encryption);
+		if (!encryption->encrypt(encryption, chunk))
 		{
-			return status;
+			generator->destroy(generator);
+			return INVALID_STATE;
 		}
+		generator->generate_payload(generator, &encryption->payload_interface);
 	}
+	chunk = generator->get_chunk(generator, &lenpos);
+	htoun32(lenpos, chunk.len);
+	this->packet->set_data(this->packet, chunk_clone(chunk));
+	generator->destroy(generator);
 
-	this->packet->set_data(this->packet, packet_data);
-
-	/* clone packet for caller */
 	*packet = this->packet->clone(this->packet);
-
-	DBG2(DBG_ENC, "message generated successfully");
 	return SUCCESS;
 }
 
-/**
- * Implementation of message_t.get_packet.
- */
-static packet_t *get_packet(private_message_t *this)
+METHOD(message_t, get_packet, packet_t*,
+	private_message_t *this)
 {
 	if (this->packet == NULL)
 	{
@@ -1278,10 +1116,8 @@ static packet_t *get_packet(private_message_t *this)
 	return this->packet->clone(this->packet);
 }
 
-/**
- * Implementation of message_t.get_packet_data.
- */
-static chunk_t get_packet_data(private_message_t *this)
+METHOD(message_t, get_packet_data, chunk_t,
+	private_message_t *this)
 {
 	if (this->packet == NULL)
 	{
@@ -1290,10 +1126,8 @@ static chunk_t get_packet_data(private_message_t *this)
 	return chunk_clone(this->packet->get_data(this->packet));
 }
 
-/**
- * Implementation of message_t.parse_header.
- */
-static status_t parse_header(private_message_t *this)
+METHOD(message_t, parse_header, status_t,
+	private_message_t *this)
 {
 	ike_header_t *ike_header;
 	status_t status;
@@ -1310,7 +1144,6 @@ static status_t parse_header(private_message_t *this)
 
 	}
 
-	/* verify payload */
 	status = ike_header->payload_interface.verify(
 										&ike_header->payload_interface);
 	if (status != SUCCESS)
@@ -1320,18 +1153,14 @@ static status_t parse_header(private_message_t *this)
 		return status;
 	}
 
-	if (this->ike_sa_id != NULL)
-	{
-		this->ike_sa_id->destroy(this->ike_sa_id);
-	}
-
+	DESTROY_IF(this->ike_sa_id);
 	this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
 									ike_header->get_responder_spi(ike_header),
 									ike_header->get_initiator_flag(ike_header));
 
 	this->exchange_type = ike_header->get_exchange_type(ike_header);
 	this->message_id = ike_header->get_message_id(ike_header);
-	this->is_request = (!(ike_header->get_response_flag(ike_header)));
+	this->is_request = !ike_header->get_response_flag(ike_header);
 	this->major_version = ike_header->get_maj_version(ike_header);
 	this->minor_version = ike_header->get_min_version(ike_header);
 	this->first_payload = ike_header->payload_interface.get_next_type(
@@ -1342,232 +1171,151 @@ static status_t parse_header(private_message_t *this)
 
 	ike_header->destroy(ike_header);
 
-	/* get the rules for this messge */
-	status = set_message_rule(this);
-	if (status != SUCCESS)
+	this->rule = get_message_rule(this);
+	if (!this->rule)
 	{
 		DBG1(DBG_ENC, "no message rules specified for a %N %s",
 			 exchange_type_names, this->exchange_type,
 			 this->is_request ? "request" : "response");
 	}
-
 	return status;
 }
 
 /**
- * Implementation of private_message_t.decrypt_and_verify_payloads.
+ * Decrypt payload from the encryption payload
  */
-static status_t decrypt_payloads(private_message_t *this, crypter_t *crypter,
-								 signer_t* signer)
+static status_t decrypt_payloads(private_message_t *this, aead_t *aead)
 {
-	bool current_payload_was_encrypted = FALSE;
-	payload_t *previous_payload = NULL;
-	int payload_number = 1;
-	iterator_t *iterator;
-	payload_t *current_payload;
-	status_t status;
-
-	iterator = this->payloads->create_iterator(this->payloads,TRUE);
+	bool was_encrypted = FALSE;
+	payload_t *payload, *previous = NULL;
+	enumerator_t *enumerator;
+	payload_rule_t *rule;
+	payload_type_t type;
+	status_t status = SUCCESS;
 
-	/* process each payload and decrypt a encryption payload */
-	while(iterator->iterate(iterator, (void**)&current_payload))
+	enumerator = this->payloads->create_enumerator(this->payloads);
+	while (enumerator->enumerate(enumerator, &payload))
 	{
-		payload_rule_t *payload_rule;
-		payload_type_t current_payload_type;
+		type = payload->get_type(payload);
 
-		/* needed to check */
-		current_payload_type = current_payload->get_type(current_payload);
+		DBG2(DBG_ENC, "process payload of type %N", payload_type_names, type);
 
-		DBG2(DBG_ENC, "process payload of type %N",
-			 payload_type_names, current_payload_type);
-
-		if (current_payload_type == ENCRYPTED)
+		if (type == ENCRYPTED)
 		{
-			encryption_payload_t *encryption_payload;
-			payload_t *current_encrypted_payload;
+			encryption_payload_t *encryption;
+			payload_t *encrypted;
+			chunk_t chunk;
 
-			encryption_payload = (encryption_payload_t*)current_payload;
+			encryption = (encryption_payload_t*)payload;
 
 			DBG2(DBG_ENC, "found an encryption payload");
 
-			if (payload_number != this->payloads->get_count(this->payloads))
+			if (enumerator->enumerate(enumerator, &payload))
 			{
-				/* encrypted payload is not last one */
 				DBG1(DBG_ENC, "encrypted payload is not last payload");
-				iterator->destroy(iterator);
-				return VERIFY_ERROR;
+				status = VERIFY_ERROR;
+				break;
 			}
-			/* decrypt */
-			encryption_payload->set_transforms(encryption_payload,
-											   crypter, signer);
-			DBG2(DBG_ENC, "verify signature of encryption payload");
-			status = encryption_payload->verify_signature(encryption_payload,
-										this->packet->get_data(this->packet));
-			if (status != SUCCESS)
+			encryption->set_transform(encryption, aead);
+			chunk = this->packet->get_data(this->packet);
+			if (chunk.len < encryption->get_length(encryption))
 			{
-				DBG1(DBG_ENC, "encryption payload signature invalid");
-				iterator->destroy(iterator);
-				return FAILED;
+				DBG1(DBG_ENC, "invalid payload length");
+				status = VERIFY_ERROR;
+				break;
 			}
-			DBG2(DBG_ENC, "decrypting content of encryption payload");
-			status = encryption_payload->decrypt(encryption_payload);
+			chunk.len -= encryption->get_length(encryption);
+			status = encryption->decrypt(encryption, chunk);
 			if (status != SUCCESS)
 			{
-				DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
-				iterator->destroy(iterator);
-				return PARSE_ERROR;
-			}
-
-			/* needed later to find out if a payload was encrypted */
-			current_payload_was_encrypted = TRUE;
-
-			/* check if there are payloads contained in the encryption payload */
-			if (encryption_payload->get_payload_count(encryption_payload) == 0)
-			{
-				DBG2(DBG_ENC, "encrypted payload is empty");
-				/* remove the encryption payload, is not needed anymore */
-				iterator->remove(iterator);
-				/* encrypted payload contains no other payload */
-				current_payload_type = NO_PAYLOAD;
-			}
-			else
-			{
-				/* encryption_payload is replaced with first payload contained
-				 * in encryption_payload */
-				encryption_payload->remove_first_payload(encryption_payload,
-													&current_encrypted_payload);
-				iterator->replace(iterator, NULL,
-								  (void *)current_encrypted_payload);
-				current_payload_type = current_encrypted_payload->get_type(
-													current_encrypted_payload);
+				break;
 			}
 
-			/* is the current paylad the first in the message? */
-			if (previous_payload == NULL)
-			{
-				/* yes, set the first payload type of the message to the
-				 * current type */
-				this->first_payload = current_payload_type;
-			}
-			else
-			{
-				/* no, set the next_type of the previous payload to the
-				 * current type */
-				previous_payload->set_next_type(previous_payload,
-												current_payload_type);
-			}
+			was_encrypted = TRUE;
+			this->payloads->remove_at(this->payloads, enumerator);
 
-			/* all encrypted payloads are added to the payload list */
-			while (encryption_payload->get_payload_count(encryption_payload) > 0)
+			while ((encrypted = encryption->remove_payload(encryption)))
 			{
-				encryption_payload->remove_first_payload(encryption_payload,
-													&current_encrypted_payload);
-				DBG2(DBG_ENC, "insert unencrypted payload of type "
-					 "%N at end of list", payload_type_names,
-					 current_encrypted_payload->get_type(
-											current_encrypted_payload));
-				this->payloads->insert_last(this->payloads,
-											current_encrypted_payload);
+				type = encrypted->get_type(encrypted);
+				if (previous)
+				{
+					previous->set_next_type(previous, type);
+				}
+				else
+				{
+					this->first_payload = type;
+				}
+				DBG2(DBG_ENC, "insert decrypted payload of type "
+					 "%N at end of list", payload_type_names, type);
+				this->payloads->insert_last(this->payloads, encrypted);
+				previous = encrypted;
 			}
-
-			/* encryption payload is processed, payloads are moved. Destroy it. */
-			encryption_payload->destroy(encryption_payload);
+			encryption->destroy(encryption);
 		}
-
-		/* we allow unknown payloads of any type and don't bother if it was
-		 * encrypted. Not our problem. */
-		if (current_payload_type != UNKNOWN_PAYLOAD &&
-			current_payload_type != NO_PAYLOAD)
+		if (type != UNKNOWN_PAYLOAD && !was_encrypted)
 		{
-			/* get the ruleset for found payload */
-			status = get_payload_rule(this, current_payload_type, &payload_rule);
-			if (status != SUCCESS)
-			{
-				/* payload is not allowed */
-				DBG1(DBG_ENC, "payload type %N not allowed",
-								  payload_type_names, current_payload_type);
-				iterator->destroy(iterator);
-				return VERIFY_ERROR;
-			}
-
-			/* check if the payload was encrypted, and if it should been have
-			 * encrypted */
-			if (payload_rule->encrypted != current_payload_was_encrypted)
+			rule = get_payload_rule(this, type);
+			if (!rule || rule->encrypted)
 			{
-				/* payload was not encrypted, but should have been.
-				 * or vice-versa */
-				DBG1(DBG_ENC, "payload type %N should be %s!",
-					 payload_type_names, current_payload_type,
-					 (payload_rule->encrypted) ? "encrypted" : "not encrypted");
-				iterator->destroy(iterator);
-				return VERIFY_ERROR;
+				DBG1(DBG_ENC, "payload type %N was not encrypted",
+					 payload_type_names, type);
+				status = VERIFY_ERROR;
+				break;
 			}
 		}
-		/* advance to the next payload */
-		payload_number++;
-		/* is stored to set next payload in case of found encryption payload */
-		previous_payload = current_payload;
+		previous = payload;
 	}
-	iterator->destroy(iterator);
-	return SUCCESS;
+	enumerator->destroy(enumerator);
+	return status;
 }
 
 /**
- * Implementation of private_message_t.verify.
+ * Verify a message and all payload according to message/payload rules
  */
 static status_t verify(private_message_t *this)
 {
 	int i;
-	enumerator_t *enumerator;
-	payload_t *current_payload;
-	size_t total_found_payloads = 0;
 
 	DBG2(DBG_ENC, "verifying message structure");
 
 	/* check for payloads with wrong count*/
-	for (i = 0; i < this->message_rule->payload_rule_count; i++)
+	for (i = 0; i < this->rule->rule_count; i++)
 	{
-		size_t found_payloads = 0;
+		enumerator_t *enumerator;
+		payload_t *payload;
 		payload_rule_t *rule;
+		int found = 0;
 
-		rule = &this->message_rule->payload_rules[i];
+		rule = &this->rule->rules[i];
 		enumerator = create_payload_enumerator(this);
-
-		/* check all payloads for specific rule */
-		while (enumerator->enumerate(enumerator, &current_payload))
+		while (enumerator->enumerate(enumerator, &payload))
 		{
-			payload_type_t current_payload_type;
-			unknown_payload_t *unknown_payload;
+			payload_type_t type;
+			unknown_payload_t *unknown;
 
-			current_payload_type = current_payload->get_type(current_payload);
-			if (current_payload_type == UNKNOWN_PAYLOAD)
+			type = payload->get_type(payload);
+			if (type == UNKNOWN_PAYLOAD)
 			{
-				/* unknown payloads are ignored, IF they are not critical */
-				unknown_payload = (unknown_payload_t*)current_payload;
-				if (unknown_payload->is_critical(unknown_payload))
+				/* unknown payloads are ignored if they are not critical */
+				unknown = (unknown_payload_t*)payload;
+				if (unknown->is_critical(unknown))
 				{
 					DBG1(DBG_ENC, "%N is not supported, but its critical!",
-						 payload_type_names, current_payload_type);
+						 payload_type_names, type);
 					enumerator->destroy(enumerator);
 					return NOT_SUPPORTED;
 				}
 			}
-			else if (current_payload_type == rule->payload_type)
+			else if (type == rule->type)
 			{
-				found_payloads++;
-				total_found_payloads++;
-				DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
-					 rule->payload_type);
-
-				/* as soon as ohe payload occures more then specified,
-				 * the verification fails */
-				if (found_payloads >
-					rule->max_occurence)
+				found++;
+				DBG2(DBG_ENC, "found payload of type %N",
+					 payload_type_names, type);
+				if (found > rule->max_occurence)
 				{
 					DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
 						 "occured in current message", payload_type_names,
-						 current_payload_type, rule->max_occurence,
-						 found_payloads);
+						 type, rule->max_occurence, found);
 					enumerator->destroy(enumerator);
 					return VERIFY_ERROR;
 				}
@@ -1575,11 +1323,10 @@ static status_t verify(private_message_t *this)
 		}
 		enumerator->destroy(enumerator);
 
-		if (found_payloads < rule->min_occurence)
+		if (found < rule->min_occurence)
 		{
 			DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
-				 payload_type_names, rule->payload_type, rule->min_occurence,
-				 found_payloads);
+				 payload_type_names, rule->type, rule->min_occurence, found);
 			return VERIFY_ERROR;
 		}
 		if (rule->sufficient)
@@ -1590,72 +1337,60 @@ static status_t verify(private_message_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of message_t.parse_body.
- */
-static status_t parse_body(private_message_t *this, crypter_t *crypter,
-						   signer_t *signer)
+METHOD(message_t, parse_body, status_t,
+	private_message_t *this, aead_t *aead)
 {
 	status_t status = SUCCESS;
-	payload_type_t current_payload_type;
+	payload_t *payload;
+	payload_type_t type;
 	char str[256];
 
-	current_payload_type = this->first_payload;
+	type = this->first_payload;
 
 	DBG2(DBG_ENC, "parsing body of message, first payload is %N",
-		 payload_type_names, current_payload_type);
+		 payload_type_names, type);
 
-	/* parse payload for payload, while there are more available */
-	while ((current_payload_type != NO_PAYLOAD))
+	while (type != NO_PAYLOAD)
 	{
-		payload_t *current_payload;
-
 		DBG2(DBG_ENC, "starting parsing a %N payload",
-			 payload_type_names, current_payload_type);
+			 payload_type_names, type);
 
-		/* parse current payload */
-		status = this->parser->parse_payload(this->parser, current_payload_type,
-											 (payload_t**)&current_payload);
+		status = this->parser->parse_payload(this->parser, type, &payload);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "payload type %N could not be parsed",
-				 payload_type_names, current_payload_type);
+				 payload_type_names, type);
 			return PARSE_ERROR;
 		}
 
-		DBG2(DBG_ENC, "verifying payload of type %N",
-			 payload_type_names, current_payload_type);
-
-		/* verify it, stop parsig if its invalid */
-		status = current_payload->verify(current_payload);
+		DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type);
+		status = payload->verify(payload);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "%N payload verification failed",
-				 payload_type_names, current_payload_type);
-			current_payload->destroy(current_payload);
+				 payload_type_names, type);
+			payload->destroy(payload);
 			return VERIFY_ERROR;
 		}
 
 		DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
-			 payload_type_names, current_payload_type);
-		this->payloads->insert_last(this->payloads,current_payload);
+			 payload_type_names, type);
+		this->payloads->insert_last(this->payloads, payload);
 
 		/* an encryption payload is the last one, so STOP here. decryption is
 		 * done later */
-		if (current_payload_type == ENCRYPTED)
+		if (type == ENCRYPTED)
 		{
 			DBG2(DBG_ENC, "%N payload found. Stop parsing",
-				 payload_type_names, current_payload_type);
+				 payload_type_names, type);
 			break;
 		}
-
-		/* get next payload type */
-		current_payload_type = current_payload->get_next_type(current_payload);
+		type = payload->get_next_type(payload);
 	}
 
-	if (current_payload_type == ENCRYPTED)
+	if (type == ENCRYPTED)
 	{
-		status = decrypt_payloads(this,crypter,signer);
+		status = decrypt_payloads(this, aead);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "could not decrypt payloads");
@@ -1674,10 +1409,8 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter,
 	return SUCCESS;
 }
 
-/**
- * Implementation of message_t.destroy.
- */
-static void destroy (private_message_t *this)
+METHOD(message_t, destroy, void,
+	private_message_t *this)
 {
 	DESTROY_IF(this->ike_sa_id);
 	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
@@ -1691,58 +1424,48 @@ static void destroy (private_message_t *this)
  */
 message_t *message_create_from_packet(packet_t *packet)
 {
-	private_message_t *this = malloc_thing(private_message_t);
-
-	/* public functions */
-	this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
-	this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
-	this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
-	this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
-	this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
-	this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
-	this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
-	this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
-	this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
-	this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
-	this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
-	this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
-	this->public.get_first_payload_type = (payload_type_t(*)(message_t*))get_first_payload_type;
-	this->public.set_request = (void(*)(message_t*, bool))set_request;
-	this->public.get_request = (bool(*)(message_t*))get_request;
-	this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
-	this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
-	this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
-	this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
-	this->public.get_source = (host_t * (*) (message_t*)) get_source;
-	this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
-	this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
-	this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
-	this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
-	this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
-	this->public.parse_header = (status_t (*) (message_t *)) parse_header;
-	this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
-	this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
-	this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
-	this->public.destroy = (void(*)(message_t*))destroy;
-
-	/* private values */
-	this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
-	this->is_request = TRUE;
-	this->ike_sa_id = NULL;
-	this->first_payload = NO_PAYLOAD;
-	this->message_id = 0;
-
-	/* private values */
-	if (packet == NULL)
-	{
-		packet = packet_create();
-	}
-	this->message_rule = NULL;
-	this->packet = packet;
-	this->payloads = linked_list_create();
-
-	/* parser is created from data of packet */
-	this->parser = parser_create(this->packet->get_data(this->packet));
+	private_message_t *this;
+
+	INIT(this,
+		.public = {
+			.set_major_version = _set_major_version,
+			.get_major_version = _get_major_version,
+			.set_minor_version = _set_minor_version,
+			.get_minor_version = _get_minor_version,
+			.set_message_id = _set_message_id,
+			.get_message_id = _get_message_id,
+			.get_initiator_spi = _get_initiator_spi,
+			.get_responder_spi = _get_responder_spi,
+			.set_ike_sa_id = _set_ike_sa_id,
+			.get_ike_sa_id = _get_ike_sa_id,
+			.set_exchange_type = _set_exchange_type,
+			.get_exchange_type = _get_exchange_type,
+			.get_first_payload_type = _get_first_payload_type,
+			.set_request = _set_request,
+			.get_request = _get_request,
+			.add_payload = _add_payload,
+			.add_notify = _add_notify,
+			.generate = _generate,
+			.set_source = _set_source,
+			.get_source = _get_source,
+			.set_destination = _set_destination,
+			.get_destination = _get_destination,
+			.create_payload_enumerator = _create_payload_enumerator,
+			.get_payload = _get_payload,
+			.get_notify = _get_notify,
+			.parse_header = _parse_header,
+			.parse_body = _parse_body,
+			.get_packet = _get_packet,
+			.get_packet_data = _get_packet_data,
+			.destroy = _destroy,
+		},
+		.exchange_type = EXCHANGE_TYPE_UNDEFINED,
+		.is_request = TRUE,
+		.first_payload = NO_PAYLOAD,
+		.packet = packet,
+		.payloads = linked_list_create(),
+		.parser = parser_create(packet->get_data(packet)),
+	);
 
 	return (&this->public);
 }
@@ -1752,6 +1475,6 @@ message_t *message_create_from_packet(packet_t *packet)
  */
 message_t *message_create()
 {
-	return message_create_from_packet(NULL);
+	return message_create_from_packet(packet_create());
 }
 
diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h
index 2c7718f49..8c1cbcd09 100644
--- a/src/libcharon/encoding/message.h
+++ b/src/libcharon/encoding/message.h
@@ -32,8 +32,7 @@ typedef struct message_t message_t;
 #include <encoding/payloads/ike_header.h>
 #include <encoding/payloads/notify_payload.h>
 #include <utils/linked_list.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
+#include <crypto/aead.h>
 
 /**
  * This class is used to represent an IKEv2-Message.
@@ -201,14 +200,10 @@ struct message_t {
 	 * The body gets not only parsed, but rather it gets verified.
 	 * All payloads are verified if they are allowed to exist in the message
 	 * of this type and if their own structure is ok.
-	 * If there are encrypted payloads, they get decrypted via the supplied
-	 * crypter. Also the message integrity gets verified with the supplied
-	 * signer.
-	 * Crypter/signer can be omitted (by passing NULL) when no encryption
-	 * payload is expected.
-	 *
-	 * @param crypter	crypter to decrypt encryption payloads
-	 * @param signer	signer to verifiy a message with an encryption payload
+	 * If there are encrypted payloads, they get decrypted and verified using
+	 * the given aead transform (if given).
+	 *
+	 * @param aead		aead transform to verify/decrypt message
 	 * @return
 	 * 					- SUCCESS if parsing successful
 	 * 					- NOT_SUPPORTED if ciritcal unknown payloads found
@@ -216,32 +211,28 @@ struct message_t {
 	 *					- PARSE_ERROR if message parsing failed
 	 * 					- VERIFY_ERROR if message verification failed (bad syntax)
 	 * 					- FAILED if integrity check failed
-	 * 					- INVALID_STATE if crypter/signer not supplied, but needed
+	 * 					- INVALID_STATE if aead not supplied, but needed
 	 */
-	status_t (*parse_body) (message_t *this, crypter_t *crypter, signer_t *signer);
+	status_t (*parse_body) (message_t *this, aead_t *aead);
 
 	/**
 	 * Generates the UDP packet of specific message.
 	 *
 	 * Payloads which must be encrypted are generated first and added to
-	 * an encryption payload. This encryption payload will get encrypted via
-	 * the supplied crypter. Then all other payloads and the header get generated.
-	 * After that, the checksum is added to the encryption payload over the full
-	 * message.
-	 * Crypter/signer can be omitted (by passing NULL) when no encryption
-	 * payload is expected.
-	 * Generation is only done once, multiple calls will just return a packet copy.
-	 *
-	 * @param crypter	crypter to use when a payload must be encrypted
-	 * @param signer	signer to build a mac
+	 * an encryption payload. This encryption payload will get encrypted and
+	 * signed via the supplied aead transform (if given).
+	 * Generation is only done once, multiple calls will just return a copy
+	 * of the packet.
+	 *
+	 * @param aead		aead transform to encrypt/sign message
 	 * @param packet	copy of generated packet
 	 * @return
 	 * 					- SUCCESS if packet could be generated
 	 * 					- INVALID_STATE if exchange type is currently not set
 	 * 					- NOT_FOUND if no rules found for message generation
-	 * 					- INVALID_STATE if crypter/signer not supplied but needed.
+	 * 					- INVALID_STATE if aead not supplied but needed.
 	 */
-	status_t (*generate) (message_t *this, crypter_t *crypter, signer_t *signer, packet_t **packet);
+	status_t (*generate) (message_t *this, aead_t *aead, packet_t **packet);
 
 	/**
 	 * Gets the source host informations.
@@ -331,13 +322,8 @@ struct message_t {
 /**
  * Creates an message_t object from a incoming UDP Packet.
  *
- * @warning the given packet_t object is not copied and gets
- *			destroyed in message_t's destroy call.
- *
- * - exchange_type is set to NOT_SET
- * - original_initiator is set to TRUE
- * - is_request is set to TRUE
- * Call message_t.parse_header afterwards.
+ * The given packet gets owned by the message. The message is uninitialized,
+ * call parse_header() to populate header fields.
  *
  * @param packet		packet_t object which is assigned to message
  * @return 				message_t object
diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c
index 97b4743b2..5fc3b7c88 100644
--- a/src/libcharon/encoding/payloads/delete_payload.c
+++ b/src/libcharon/encoding/payloads/delete_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -65,11 +66,6 @@ struct private_delete_payload_t {
 	 * The contained SPI's.
 	 */
 	chunk_t spis;
-
-	/**
-	 * List containing u_int32_t spis
-	 */
-	linked_list_t *spi_list;
 };
 
 /**
@@ -77,7 +73,6 @@ struct private_delete_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_delete_payload_t.
- *
  */
 encoding_rule_t delete_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
@@ -85,20 +80,20 @@ encoding_rule_t delete_payload_encodings[] = {
 	/* the critical bit */
 	{ FLAG,				offsetof(private_delete_payload_t, critical) 		},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
+	{ RESERVED_BIT,		0 													},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_delete_payload_t, payload_length)},
+	{ PAYLOAD_LENGTH,	offsetof(private_delete_payload_t, payload_length)	},
 	{ U_INT_8,			offsetof(private_delete_payload_t, protocol_id)		},
 	{ U_INT_8,			offsetof(private_delete_payload_t, spi_size)		},
 	{ U_INT_16,			offsetof(private_delete_payload_t, spi_count)		},
 	/* some delete data bytes, length is defined in PAYLOAD_LENGTH */
-	{ SPIS,			offsetof(private_delete_payload_t, spis) 				}
+	{ SPIS,				offsetof(private_delete_payload_t, spis) 			}
 };
 
 /*
@@ -115,10 +110,8 @@ encoding_rule_t delete_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_delete_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_delete_payload_t *this)
 {
 	switch (this->protocol_id)
 	{
@@ -147,112 +140,104 @@ static status_t verify(private_delete_payload_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of delete_payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_delete_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_delete_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = delete_payload_encodings;
-	*rule_count = sizeof(delete_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(delete_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_payload_type(private_delete_payload_t *this)
+METHOD(payload_t, get_payload_type, payload_type_t,
+	private_delete_payload_t *this)
 {
 	return DELETE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_delete_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_delete_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_delete_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_delete_payload_t *this,payload_type_t type)
 {
 	this->next_payload = type;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_delete_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_delete_payload_t *this)
 {
 	return this->payload_length;
 }
 
-/**
- * Implementation of delete_payload_t.get_protocol_id.
- */
-static protocol_id_t get_protocol_id (private_delete_payload_t *this)
+METHOD(delete_payload_t, get_protocol_id, protocol_id_t,
+	private_delete_payload_t *this)
 {
-	return (this->protocol_id);
+	return this->protocol_id;
 }
 
-/**
- * Implementation of delete_payload_t.add_spi.
- */
-static void add_spi(private_delete_payload_t *this, u_int32_t spi)
+METHOD(delete_payload_t, add_spi, void,
+	private_delete_payload_t *this, u_int32_t spi)
 {
-	/* only add SPIs if AH|ESP, ignore others */
-	if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP)
+	switch (this->protocol_id)
 	{
-		this->spi_count += 1;
-		this->spis.len += this->spi_size;
-		this->spis.ptr = realloc(this->spis.ptr, this->spis.len);
-		*(u_int32_t*)(this->spis.ptr + (this->spis.len / this->spi_size - 1)) = spi;
-		if (this->spi_list)
-		{
-			/* reset SPI iterator list */
-			this->spi_list->destroy(this->spi_list);
-			this->spi_list = NULL;
-		}
+		case PROTO_AH:
+		case PROTO_ESP:
+			this->spi_count++;
+			this->payload_length += sizeof(spi);
+			this->spis = chunk_cat("mc", this->spis, chunk_from_thing(spi));
+			break;
+		default:
+			break;
 	}
 }
 
 /**
- * Implementation of delete_payload_t.create_spi_iterator.
+ * SPI enumerator implementation
  */
-static iterator_t* create_spi_iterator(private_delete_payload_t *this)
-{
-	int i;
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** remaining SPIs */
+	chunk_t spis;
+} spi_enumerator_t;
 
-	if (this->spi_list == NULL)
+METHOD(enumerator_t, spis_enumerate, bool,
+	spi_enumerator_t *this, u_int32_t *spi)
+{
+	if (this->spis.len >= sizeof(*spi))
 	{
-		this->spi_list = linked_list_create();
-		/* only parse SPIs if AH|ESP */
-		if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP)
-		{
-			for (i = 0; i < this->spi_count; i++)
-			{
-				this->spi_list->insert_last(this->spi_list, this->spis.ptr + i *
-															this->spi_size);
-			}
-		}
+		memcpy(spi, this->spis.ptr, sizeof(*spi));
+		this->spis = chunk_skip(this->spis, sizeof(*spi));
+		return TRUE;
 	}
-	return this->spi_list->create_iterator(this->spi_list, TRUE);
+	return FALSE;
 }
 
-/**
- * Implementation of payload_t.destroy and delete_payload_t.destroy.
- */
-static void destroy(private_delete_payload_t *this)
+METHOD(delete_payload_t, create_spi_enumerator, enumerator_t*,
+	private_delete_payload_t *this)
 {
-	if (this->spis.ptr != NULL)
-	{
-		chunk_free(&this->spis);
-	}
-	if (this->spi_list)
+	spi_enumerator_t *e;
+
+	if (this->spi_size != sizeof(u_int32_t))
 	{
-		this->spi_list->destroy(this->spi_list);
+		return enumerator_create_empty();
 	}
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_spis_enumerate,
+			.destroy = (void*)free,
+		},
+		.spis = this->spis,
+	);
+	return &e->public;
+}
+
+METHOD2(payload_t, delete_payload_t, destroy, void,
+	private_delete_payload_t *this)
+{
+	free(this->spis.ptr);
 	free(this);
 }
 
@@ -261,32 +246,28 @@ static void destroy(private_delete_payload_t *this)
  */
 delete_payload_t *delete_payload_create(protocol_id_t protocol_id)
 {
-	private_delete_payload_t *this = malloc_thing(private_delete_payload_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.destroy = (void (*) (delete_payload_t *)) destroy;
-	this->public.get_protocol_id = (protocol_id_t (*) (delete_payload_t *)) get_protocol_id;
-	this->public.add_spi = (void (*) (delete_payload_t *,u_int32_t))add_spi;
-	this->public.create_spi_iterator = (iterator_t* (*) (delete_payload_t *)) create_spi_iterator;
-
-	/* private variables */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = DELETE_PAYLOAD_HEADER_LENGTH;
-	this->protocol_id = protocol_id;
-	this->spi_size = protocol_id == PROTO_AH || protocol_id == PROTO_ESP ? 4 : 0;
-	this->spi_count = 0;
-	this->spis = chunk_empty;
-	this->spi_list = NULL;
+	private_delete_payload_t *this;
 
-	return (&this->public);
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_payload_type,
+				.destroy = _destroy,
+			},
+			.get_protocol_id = _get_protocol_id,
+			.add_spi = _add_spi,
+			.create_spi_enumerator = _create_spi_enumerator,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = DELETE_PAYLOAD_HEADER_LENGTH,
+		.protocol_id = protocol_id,
+		.spi_size = protocol_id == PROTO_AH || protocol_id == PROTO_ESP ? 4 : 0,
+	);
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/delete_payload.h b/src/libcharon/encoding/payloads/delete_payload.h
index 3b62c1af1..026829f97 100644
--- a/src/libcharon/encoding/payloads/delete_payload.h
+++ b/src/libcharon/encoding/payloads/delete_payload.h
@@ -39,6 +39,7 @@ typedef struct delete_payload_t delete_payload_t;
  * The DELETE payload format is described in RFC section 3.11.
  */
 struct delete_payload_t {
+
 	/**
 	 * The payload_t interface.
 	 */
@@ -59,13 +60,11 @@ struct delete_payload_t {
 	void (*add_spi) (delete_payload_t *this, u_int32_t spi);
 
 	/**
-	 * Get an iterator over the SPIs.
-	 *
-	 * The iterate() function returns a pointer to a u_int32_t SPI.
+	 * Get an enumerator over the SPIs in network order.
 	 *
-	 * @return				iterator over SPIs
+	 * @return				enumerator over SPIs, u_int32_t
 	 */
-	iterator_t *(*create_spi_iterator) (delete_payload_t *this);
+	enumerator_t *(*create_spi_enumerator) (delete_payload_t *this);
 
 	/**
 	 * Destroys an delete_payload_t object.
diff --git a/src/libcharon/encoding/payloads/encryption_payload.c b/src/libcharon/encoding/payloads/encryption_payload.c
index 2adbb88b9..3b23ea9fb 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.c
+++ b/src/libcharon/encoding/payloads/encryption_payload.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -24,9 +25,6 @@
 #include <utils/linked_list.h>
 #include <encoding/generator.h>
 #include <encoding/parser.h>
-#include <utils/iterator.h>
-#include <crypto/signers/signer.h>
-
 
 typedef struct private_encryption_payload_t private_encryption_payload_t;
 
@@ -50,9 +48,9 @@ struct private_encryption_payload_t {
 	u_int8_t next_payload;
 
 	/**
-	 * Critical flag.
+	 * Flags, including reserved bits
 	 */
-	bool critical;
+	u_int8_t flags;
 
 	/**
 	 * Length of this payload
@@ -60,28 +58,17 @@ struct private_encryption_payload_t {
 	u_int16_t payload_length;
 
 	/**
-	 * Chunk containing the iv, data, padding,
-	 * and (an eventually not calculated) signature.
+	 * Chunk containing the IV, plain, padding and ICV.
 	 */
 	chunk_t encrypted;
 
 	/**
-	 * Chunk containing the data in decrypted (unpadded) form.
-	 */
-	chunk_t decrypted;
-
-	/**
-	 * Signer set by set_signer.
+	 * AEAD transform to use
 	 */
-	signer_t *signer;
+	aead_t *aead;
 
 	/**
-	 * Crypter, supplied by encrypt/decrypt
-	 */
-	crypter_t *crypter;
-
-	/**
-	 * Contained payloads of this encrpytion_payload.
+	 * Contained payloads
 	 */
 	linked_list_t *payloads;
 };
@@ -91,25 +78,16 @@ struct private_encryption_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_encryption_payload_t.
- *
  */
 encoding_rule_t encryption_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
 	{ U_INT_8,			offsetof(private_encryption_payload_t, next_payload)	},
-	/* the critical bit */
-	{ FLAG,				offsetof(private_encryption_payload_t, critical)		},
-	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
-	{ RESERVED_BIT,		0														},
+	/* Critical and 7 reserved bits, all stored for reconstruction */
+	{ U_INT_8,			offsetof(private_encryption_payload_t, flags)			},
 	/* Length of the whole encryption payload*/
 	{ PAYLOAD_LENGTH,	offsetof(private_encryption_payload_t, payload_length)	},
 	/* encrypted data, stored in a chunk. contains iv, data, padding */
-	{ ENCRYPTED_DATA,	offsetof(private_encryption_payload_t, encrypted)			},
+	{ ENCRYPTED_DATA,	offsetof(private_encryption_payload_t, encrypted)		},
 };
 
 /*
@@ -131,108 +109,90 @@ encoding_rule_t encryption_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_encryption_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_encryption_payload_t *this)
 {
 	return SUCCESS;
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_encryption_payload_t *this, encoding_rule_t **rules,
+	size_t *count)
 {
 	*rules = encryption_payload_encodings;
-	*rule_count = sizeof(encryption_payload_encodings) / sizeof(encoding_rule_t);
+	*count = countof(encryption_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_encryption_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_encryption_payload_t *this)
 {
 	return ENCRYPTED;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_encryption_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_encryption_payload_t *this)
 {
-	/* returns first contained payload here */
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_encryption_payload_t *this, payload_type_t type)
 {
-	/* set next type is not allowed, since this payload MUST be the last one
-	 * and so nothing is done in here*/
+	/* the next payload is set during add */
 }
 
 /**
- * (re-)compute the lenght of the whole payload
+ * Compute the lenght of the whole payload
  */
 static void compute_length(private_encryption_payload_t *this)
 {
-	iterator_t *iterator;
-	payload_t *current_payload;
-	size_t block_size, length = 0;
-	iterator = this->payloads->create_iterator(this->payloads, TRUE);
+	enumerator_t *enumerator;
+	payload_t *payload;
+	size_t bs, length = 0;
 
-	/* count payload length */
-	while (iterator->iterate(iterator, (void **) &current_payload))
+	if (this->encrypted.len)
 	{
-		length += current_payload->get_length(current_payload);
+		length = this->encrypted.len;
 	}
-	iterator->destroy(iterator);
-
-	if (this->crypter && this->signer)
+	else
 	{
-		/* append one byte for padding length */
-		length++;
-		/* append padding */
-		block_size = this->crypter->get_block_size(this->crypter);
-		length += block_size - length % block_size;
-		/* add iv */
-		length += block_size;
-		/* add signature */
-		length += this->signer->get_block_size(this->signer);
+		enumerator = this->payloads->create_enumerator(this->payloads);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			length += payload->get_length(payload);
+		}
+		enumerator->destroy(enumerator);
+
+		if (this->aead)
+		{
+			/* append padding */
+			bs = this->aead->get_block_size(this->aead);
+			length += bs - (length % bs);
+			/* add iv */
+			length += this->aead->get_iv_size(this->aead);
+			/* add icv */
+			length += this->aead->get_icv_size(this->aead);
+		}
 	}
 	length += ENCRYPTION_PAYLOAD_HEADER_LENGTH;
 	this->payload_length = length;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_encryption_payload_t *this)
+METHOD2(payload_t, encryption_payload_t, get_length, size_t,
+	private_encryption_payload_t *this)
 {
 	compute_length(this);
 	return this->payload_length;
 }
 
-/**
- * Implementation of payload_t.create_payload_iterator.
- */
-static  iterator_t *create_payload_iterator (private_encryption_payload_t *this, bool forward)
-{
-	return (this->payloads->create_iterator(this->payloads, forward));
-}
-
-/**
- * Implementation of payload_t.add_payload.
- */
-static void add_payload(private_encryption_payload_t *this, payload_t *payload)
+METHOD(encryption_payload_t, add_payload, void,
+	private_encryption_payload_t *this, payload_t *payload)
 {
 	payload_t *last_payload;
+
 	if (this->payloads->get_count(this->payloads) > 0)
 	{
-		this->payloads->get_last(this->payloads,(void **) &last_payload);
+		this->payloads->get_last(this->payloads, (void **)&last_payload);
 		last_payload->set_next_type(last_payload, payload->get_type(payload));
 	}
 	else
@@ -240,339 +200,255 @@ static void add_payload(private_encryption_payload_t *this, payload_t *payload)
 		this->next_payload = payload->get_type(payload);
 	}
 	payload->set_next_type(payload, NO_PAYLOAD);
-	this->payloads->insert_last(this->payloads, (void*)payload);
+	this->payloads->insert_last(this->payloads, payload);
 	compute_length(this);
 }
 
-/**
- * Implementation of encryption_payload_t.remove_first_payload.
- */
-static status_t remove_first_payload(private_encryption_payload_t *this, payload_t **payload)
+METHOD(encryption_payload_t, remove_payload, payload_t *,
+	private_encryption_payload_t *this)
 {
-	return this->payloads->remove_first(this->payloads, (void**)payload);
-}
+	payload_t *payload;
 
-/**
- * Implementation of encryption_payload_t.get_payload_count.
- */
-static size_t get_payload_count(private_encryption_payload_t *this)
-{
-	return this->payloads->get_count(this->payloads);
+	if (this->payloads->remove_first(this->payloads,
+									 (void**)&payload) == SUCCESS)
+	{
+		return payload;
+	}
+	return NULL;
 }
 
 /**
- * Generate payload before encryption.
+ * Generate payload before encryption
  */
-static void generate(private_encryption_payload_t *this)
+static chunk_t generate(private_encryption_payload_t *this,
+						generator_t *generator)
 {
-	payload_t *current_payload, *next_payload;
-	generator_t *generator;
-	iterator_t *iterator;
-
-	/* recalculate length before generating */
-	compute_length(this);
+	payload_t *current, *next;
+	enumerator_t *enumerator;
+	u_int32_t *lenpos;
+	chunk_t chunk = chunk_empty;
 
-	/* create iterator */
-	iterator = this->payloads->create_iterator(this->payloads, TRUE);
-
-	/* get first payload */
-	if (iterator->iterate(iterator, (void**)&current_payload))
-	{
-		this->next_payload = current_payload->get_type(current_payload);
-	}
-	else
+	enumerator = this->payloads->create_enumerator(this->payloads);
+	if (enumerator->enumerate(enumerator, &current))
 	{
-		/* no paylads? */
-		DBG2(DBG_ENC, "generating contained payloads, but none available");
-		free(this->decrypted.ptr);
-		this->decrypted = chunk_empty;
-		iterator->destroy(iterator);
-		return;
-	}
+		this->next_payload = current->get_type(current);
 
-	generator = generator_create();
+		while (enumerator->enumerate(enumerator, &next))
+		{
+			current->set_next_type(current, next->get_type(next));
+			generator->generate_payload(generator, current);
+			current = next;
+		}
+		current->set_next_type(current, NO_PAYLOAD);
+		generator->generate_payload(generator, current);
 
-	/* build all payload, except last */
-	while(iterator->iterate(iterator, (void**)&next_payload))
-	{
-		current_payload->set_next_type(current_payload, next_payload->get_type(next_payload));
-		generator->generate_payload(generator, current_payload);
-		current_payload = next_payload;
+		chunk = generator->get_chunk(generator, &lenpos);
+		DBG2(DBG_ENC, "generated content in encryption payload");
 	}
-	iterator->destroy(iterator);
-
-	/* build last payload */
-	current_payload->set_next_type(current_payload, NO_PAYLOAD);
-	generator->generate_payload(generator, current_payload);
-
-	/* free already generated data */
-	free(this->decrypted.ptr);
-
-	generator->write_to_chunk(generator, &(this->decrypted));
-	generator->destroy(generator);
-	DBG2(DBG_ENC, "successfully generated content in encryption payload");
+	enumerator->destroy(enumerator);
+	return chunk;
 }
 
 /**
- * Implementation of encryption_payload_t.encrypt.
+ * Append the encryption payload header to the associated data
  */
-static status_t encrypt(private_encryption_payload_t *this)
+static chunk_t append_header(private_encryption_payload_t *this, chunk_t assoc)
 {
-	chunk_t iv, padding, to_crypt, result;
+	struct {
+		u_int8_t next_payload;
+		u_int8_t flags;
+		u_int16_t length;
+	} __attribute__((packed)) header = {
+		.next_payload = this->next_payload,
+		.flags = this->flags,
+		.length = htons(get_length(this)),
+	};
+	return chunk_cat("cc", assoc, chunk_from_thing(header));
+}
+
+METHOD(encryption_payload_t, encrypt, bool,
+	private_encryption_payload_t *this, chunk_t assoc)
+{
+	chunk_t iv, plain, padding, icv, crypt;
+	generator_t *generator;
 	rng_t *rng;
-	size_t block_size;
+	size_t bs;
 
-	if (this->signer == NULL || this->crypter == NULL)
+	if (this->aead == NULL)
 	{
-		DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
-		return INVALID_STATE;
+		DBG1(DBG_ENC, "encrypting encryption payload failed, transform missing");
+		return FALSE;
 	}
 
-	/* for random data in iv and padding */
 	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
 	if (!rng)
 	{
-		DBG1(DBG_ENC, "could not encrypt, no RNG found");
-		return FAILED;
+		DBG1(DBG_ENC, "encrypting encryption payload failed, no RNG found");
+		return FALSE;
 	}
-	/* build payload chunk */
-	generate(this);
 
-	DBG2(DBG_ENC, "encrypting payloads");
-	DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
+	assoc = append_header(this, assoc);
 
-	/* build padding */
-	block_size = this->crypter->get_block_size(this->crypter);
-	padding.len = block_size - ((this->decrypted.len + 1) %  block_size);
-	rng->allocate_bytes(rng, padding.len, &padding);
-
-	/* concatenate payload data, padding, padding len */
-	to_crypt.len = this->decrypted.len + padding.len + 1;
-	to_crypt.ptr = malloc(to_crypt.len);
-
-	memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
-	memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
-	*(to_crypt.ptr + to_crypt.len - 1) = padding.len;
+	generator = generator_create();
+	plain = generate(this, generator);
+	bs = this->aead->get_block_size(this->aead);
+	/* we need at least one byte padding to store the padding length */
+	padding.len = bs - (plain.len % bs);
+	iv.len = this->aead->get_iv_size(this->aead);
+	icv.len = this->aead->get_icv_size(this->aead);
+
+	/* prepare data to authenticate-encrypt:
+	 * | IV | plain | padding | ICV |
+	 *       \____crypt______/   ^
+	 *              |           /
+	 *              v          /
+	 *     assoc -> + ------->/
+	 */
+	free(this->encrypted.ptr);
+	this->encrypted = chunk_alloc(iv.len + plain.len + padding.len + icv.len);
+	iv.ptr = this->encrypted.ptr;
+	memcpy(iv.ptr + iv.len, plain.ptr, plain.len);
+	plain.ptr = iv.ptr + iv.len;
+	padding.ptr = plain.ptr + plain.len;
+	icv.ptr = padding.ptr + padding.len;
+	crypt = chunk_create(plain.ptr, plain.len + padding.len);
+	generator->destroy(generator);
 
-	/* build iv */
-	iv.len = block_size;
-	rng->allocate_bytes(rng, iv.len, &iv);
+	rng->get_bytes(rng, iv.len, iv.ptr);
+	rng->get_bytes(rng, padding.len - 1, padding.ptr);
+	padding.ptr[padding.len - 1] = padding.len - 1;
 	rng->destroy(rng);
 
-	DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
+	DBG3(DBG_ENC, "encryption payload encryption:");
+	DBG3(DBG_ENC, "IV %B", &iv);
+	DBG3(DBG_ENC, "plain %B", &plain);
+	DBG3(DBG_ENC, "padding %B", &padding);
+	DBG3(DBG_ENC, "assoc %B", &assoc);
 
-	/* encrypt to_crypt chunk */
-	free(this->encrypted.ptr);
-	this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
-	free(padding.ptr);
-	free(to_crypt.ptr);
-
-	DBG3(DBG_ENC, "data after encryption %B", &result);
-
-	/* build encrypted result with iv and signature */
-	this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
-	free(this->encrypted.ptr);
-	this->encrypted.ptr = malloc(this->encrypted.len);
+	this->aead->encrypt(this->aead, crypt, assoc, iv, NULL);
 
-	/* fill in result, signature is left out */
-	memcpy(this->encrypted.ptr, iv.ptr, iv.len);
-	memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
+	DBG3(DBG_ENC, "encrypted %B", &crypt);
+	DBG3(DBG_ENC, "ICV %B", &icv);
 
-	free(result.ptr);
-	free(iv.ptr);
-	DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
-		 &this->encrypted);
+	free(assoc.ptr);
 
-	return SUCCESS;
+	return TRUE;
 }
 
 /**
  * Parse the payloads after decryption.
  */
-static status_t parse(private_encryption_payload_t *this)
+static status_t parse(private_encryption_payload_t *this, chunk_t plain)
 {
 	parser_t *parser;
-	status_t status;
-	payload_type_t current_payload_type;
-
-	/* build a parser on the decrypted data */
-	parser = parser_create(this->decrypted);
+	payload_type_t type;
 
-	current_payload_type = this->next_payload;
-	/* parse all payloads */
-	while (current_payload_type != NO_PAYLOAD)
+	parser = parser_create(plain);
+	type = this->next_payload;
+	while (type != NO_PAYLOAD)
 	{
-		payload_t *current_payload;
+		payload_t *payload;
 
-		status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
-		if (status != SUCCESS)
+		if (parser->parse_payload(parser, type, &payload) != SUCCESS)
 		{
 			parser->destroy(parser);
 			return PARSE_ERROR;
 		}
-
-		status = current_payload->verify(current_payload);
-		if (status != SUCCESS)
+		if (payload->verify(payload) != SUCCESS)
 		{
 			DBG1(DBG_ENC, "%N verification failed",
-				 payload_type_names, current_payload->get_type(current_payload));
-			current_payload->destroy(current_payload);
+				 payload_type_names, payload->get_type(payload));
+			payload->destroy(payload);
 			parser->destroy(parser);
 			return VERIFY_ERROR;
 		}
-
-		/* get next payload type */
-		current_payload_type = current_payload->get_next_type(current_payload);
-
-		this->payloads->insert_last(this->payloads,current_payload);
+		type = payload->get_next_type(payload);
+		this->payloads->insert_last(this->payloads, payload);
 	}
 	parser->destroy(parser);
-	DBG2(DBG_ENC, "succesfully parsed content of encryption payload");
+	DBG2(DBG_ENC, "parsed content of encryption payload");
 	return SUCCESS;
 }
 
-/**
- * Implementation of encryption_payload_t.encrypt.
- */
-static status_t decrypt(private_encryption_payload_t *this)
+METHOD(encryption_payload_t, decrypt, status_t,
+	private_encryption_payload_t *this, chunk_t assoc)
 {
-	chunk_t iv, concatenated;
-	u_int8_t padding_length;
-
-	DBG2(DBG_ENC, "decrypting encryption payload");
-	DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
-		 &this->encrypted);
+	chunk_t iv, plain, padding, icv, crypt;
+	size_t bs;
 
-	if (this->signer == NULL || this->crypter == NULL)
+	if (this->aead == NULL)
 	{
-		DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
+		DBG1(DBG_ENC, "decrypting encryption payload failed, transform missing");
 		return INVALID_STATE;
 	}
 
-	/* get IV */
-	iv.len = this->crypter->get_block_size(this->crypter);
+	/* prepare data to authenticate-decrypt:
+	 * | IV | plain | padding | ICV |
+	 *       \____crypt______/   ^
+	 *              |           /
+	 *              v          /
+	 *     assoc -> + ------->/
+	 */
 
+	bs = this->aead->get_block_size(this->aead);
+	iv.len = this->aead->get_iv_size(this->aead);
 	iv.ptr = this->encrypted.ptr;
+	icv.len = this->aead->get_icv_size(this->aead);
+	icv.ptr = this->encrypted.ptr + this->encrypted.len - icv.len;
+	crypt.ptr = iv.ptr + iv.len;
+	crypt.len = this->encrypted.len - iv.len;
 
-	/* point concatenated to data + padding + padding_length*/
-	concatenated.ptr = this->encrypted.ptr + iv.len;
-	concatenated.len = this->encrypted.len - iv.len -
-								this->signer->get_block_size(this->signer);
-
-	/* concatenated must be a multiple of block_size of crypter */
-	if (concatenated.len < iv.len || concatenated.len % iv.len)
+	if (iv.len + icv.len > this->encrypted.len ||
+		(crypt.len - icv.len) % bs)
 	{
-		DBG1(DBG_ENC, "could not decrypt, invalid input");
+		DBG1(DBG_ENC, "decrypting encryption payload failed, invalid length");
 		return FAILED;
 	}
 
-	/* free previus data, if any */
-	free(this->decrypted.ptr);
-
-	DBG3(DBG_ENC, "data before decryption %B", &concatenated);
-
-	this->crypter->decrypt(this->crypter, concatenated, iv, &this->decrypted);
+	assoc = append_header(this, assoc);
 
-	DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
+	DBG3(DBG_ENC, "encryption payload decryption:");
+	DBG3(DBG_ENC, "IV %B", &iv);
+	DBG3(DBG_ENC, "encrypted %B", &crypt);
+	DBG3(DBG_ENC, "ICV %B", &icv);
+	DBG3(DBG_ENC, "assoc %B", &assoc);
 
-	/* get padding length, sits just bevore signature */
-	padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
-	/* add one byte to the padding length, since the padding_length field is
-	 * not included */
-	padding_length++;
-
-	/* check size again */
-	if (padding_length > concatenated.len || padding_length > this->decrypted.len)
+	if (!this->aead->decrypt(this->aead, crypt, assoc, iv, NULL))
 	{
-		DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
-		/* decryption failed :-/ */
+		DBG1(DBG_ENC, "verifying encryption payload integrity failed");
+		free(assoc.ptr);
 		return FAILED;
 	}
-	this->decrypted.len -= padding_length;
-
-	/* free padding */
-	this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
-	DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
-	DBG2(DBG_ENC, "decryption successful, trying to parse content");
-	return parse(this);
-}
+	free(assoc.ptr);
 
-/**
- * Implementation of encryption_payload_t.set_transforms.
- */
-static void set_transforms(private_encryption_payload_t *this, crypter_t* crypter, signer_t* signer)
-{
-	this->signer = signer;
-	this->crypter = crypter;
-}
-
-/**
- * Implementation of encryption_payload_t.build_signature.
- */
-static status_t build_signature(private_encryption_payload_t *this, chunk_t data)
-{
-	chunk_t data_without_sig = data;
-	chunk_t sig;
-
-	if (this->signer == NULL)
+	plain = chunk_create(crypt.ptr, crypt.len - icv.len);
+	padding.len = plain.ptr[plain.len - 1] + 1;
+	if (padding.len > plain.len)
 	{
-		DBG1(DBG_ENC, "unable to build signature, no signer set");
-		return INVALID_STATE;
+		DBG1(DBG_ENC, "decrypting encryption payload failed, "
+			 "padding invalid %B", &crypt);
+		return PARSE_ERROR;
 	}
+	plain.len -= padding.len;
+	padding.ptr = plain.ptr + plain.len;
 
-	sig.len = this->signer->get_block_size(this->signer);
-	data_without_sig.len -= sig.len;
-	sig.ptr = data.ptr + data_without_sig.len;
-	DBG2(DBG_ENC, "building signature");
-	this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
-	return SUCCESS;
+	DBG3(DBG_ENC, "plain %B", &plain);
+	DBG3(DBG_ENC, "padding %B", &padding);
+
+	return parse(this, plain);
 }
 
-/**
- * Implementation of encryption_payload_t.verify_signature.
- */
-static status_t verify_signature(private_encryption_payload_t *this, chunk_t data)
+METHOD(encryption_payload_t, set_transform, void,
+	private_encryption_payload_t *this, aead_t* aead)
 {
-	chunk_t sig, data_without_sig;
-	bool valid;
-
-	if (this->signer == NULL)
-	{
-		DBG1(DBG_ENC, "unable to verify signature, no signer set");
-		return INVALID_STATE;
-	}
-	/* find signature in data chunk */
-	sig.len = this->signer->get_block_size(this->signer);
-	if (data.len <= sig.len)
-	{
-		DBG1(DBG_ENC, "unable to verify signature, invalid input");
-		return FAILED;
-	}
-	sig.ptr = data.ptr + data.len - sig.len;
-
-	/* verify it */
-	data_without_sig.len = data.len - sig.len;
-	data_without_sig.ptr = data.ptr;
-	valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
-
-	if (!valid)
-	{
-		DBG1(DBG_ENC, "signature verification failed");
-		return FAILED;
-	}
-
-	DBG2(DBG_ENC, "signature verification successful");
-	return SUCCESS;
+	this->aead = aead;
 }
 
-/**
- * Implementation of payload_t.destroy.
- */
-static void destroy(private_encryption_payload_t *this)
+METHOD2(payload_t, encryption_payload_t, destroy, void,
+	private_encryption_payload_t *this)
 {
 	this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
 	free(this->encrypted.ptr);
-	free(this->decrypted.ptr);
 	free(this);
 }
 
@@ -581,39 +457,31 @@ static void destroy(private_encryption_payload_t *this)
  */
 encryption_payload_t *encryption_payload_create()
 {
-	private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
-
-	/* payload_t interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
-	this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
-	this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
-	this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
-
-	this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
-	this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
-	this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
-	this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
-	this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
-	this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH;
-	this->encrypted = chunk_empty;
-	this->decrypted = chunk_empty;
-	this->signer = NULL;
-	this->crypter = NULL;
-	this->payloads = linked_list_create();
-
-	return (&(this->public));
+	private_encryption_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.get_length = _get_length,
+			.add_payload = _add_payload,
+			.remove_payload = _remove_payload,
+			.set_transform = _set_transform,
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH,
+		.payloads = linked_list_create(),
+	);
+
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/encryption_payload.h b/src/libcharon/encoding/payloads/encryption_payload.h
index ac5326b87..e99c42fb7 100644
--- a/src/libcharon/encoding/payloads/encryption_payload.h
+++ b/src/libcharon/encoding/payloads/encryption_payload.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -25,45 +26,30 @@
 typedef struct encryption_payload_t encryption_payload_t;
 
 #include <library.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
+#include <crypto/aead.h>
 #include <encoding/payloads/payload.h>
-#include <utils/linked_list.h>
 
 /**
  * Encrpytion payload length in bytes without IV and following data.
  */
 #define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4
 
-
 /**
  * The encryption payload as described in RFC section 3.14.
- *
- * Before any crypt/decrypt/sign/verify operation can occur,
- * the transforms must be set. After that, a parsed encryption payload
- * can be decrypted, which also will parse the contained payloads.
- * Encryption is done the same way, added payloads will get generated
- * and then encrypted.
- * For signature building, there is the FULL packet needed. Meaning it
- * must be builded after generation of all payloads and the encryption
- * of the encryption payload.
- * Signature verificatin is done before decryption.
  */
 struct encryption_payload_t {
+
 	/**
 	 * Implements payload_t interface.
 	 */
 	payload_t payload_interface;
 
 	/**
-	 * Creates an iterator for all contained payloads.
+	 * Get the payload length.
 	 *
-	 * iterator_t object has to get destroyed by the caller.
-	 *
-	 * @param forward 		iterator direction (TRUE: front to end)
-	 * return				created iterator_t object
+	 * @return			(expected) payload length
 	 */
-	 iterator_t *(*create_payload_iterator) (encryption_payload_t *this, bool forward);
+	size_t (*get_length)(encryption_payload_t *this);
 
 	/**
 	 * Adds a payload to this encryption payload.
@@ -73,89 +59,39 @@ struct encryption_payload_t {
 	void (*add_payload) (encryption_payload_t *this, payload_t *payload);
 
 	/**
-	 * Reove the last payload in the contained payload list.
+	 * Remove the first payload in the list
 	 *
 	 * @param payload		removed payload
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- NOT_FOUND if list empty
-	 */
-	status_t (*remove_first_payload) (encryption_payload_t *this, payload_t **payload);
-
-	/**
-	 * Get the number of payloads.
-	 *
-	 * @return				number of contained payloads
+	 * @return				payload, NULL if none left
 	 */
-	size_t (*get_payload_count) (encryption_payload_t *this);
+	payload_t* (*remove_payload)(encryption_payload_t *this);
 
 	/**
-	 * Set transforms to use.
-	 *
-	 * To decryption, encryption, signature building and verifying,
-	 * the payload needs a crypter and a signer object.
+	 * Set the AEAD transform to use.
 	 *
-	 * @warning Do NOT call this function again after encryption, since
-	 * the signer must be the same while encrypting and signature building!
-	 *
-	 * @param crypter		crypter_t to use for data de-/encryption
-	 * @param signer		signer_t to use for data signing/verifying
+	 * @param aead		aead transform to use
 	 */
-	void (*set_transforms) (encryption_payload_t *this, crypter_t *crypter, signer_t *signer);
+	void (*set_transform) (encryption_payload_t *this, aead_t *aead);
 
 	/**
-	 * Generate and encrypt contained payloads.
-	 *
-	 * This function generates the content for added payloads
-	 * and encrypts them. Signature is not built, since we need
-	 * additional data (the full message).
+	 * Generate, encrypt and sign contained payloads.
 	 *
-	 * @return				SUCCESS, or INVALID_STATE if transforms not set
+	 * @param assoc			associated data
+	 * @return				TRUE if encrypted
 	 */
-	status_t (*encrypt) (encryption_payload_t *this);
+	bool (*encrypt) (encryption_payload_t *this, chunk_t assoc);
 
 	/**
-	 * Decrypt and parse contained payloads.
-	 *
-	 * This function decrypts the contained data. After,
-	 * the payloads are parsed internally and are accessible
-	 * via the iterator.
-	 *
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- INVALID_STATE if transforms not set, or
-	 * 						- FAILED if data is invalid
-	 */
-	status_t (*decrypt) (encryption_payload_t *this);
-
-	/**
-	 * Build the signature.
-	 *
-	 * The signature is built over the FULL message, so the header
-	 * and every payload (inclusive this one) must already be generated.
-	 * The generated message is supplied via the data paramater.
-	 *
-	 * @param data			chunk contains the already generated message
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- INVALID_STATE if transforms not set
-	 */
-	status_t (*build_signature) (encryption_payload_t *this, chunk_t data);
-
-	/**
-	 * Verify the signature.
-	 *
-	 * Since the signature is built over the full message, we need
-	 * this data to do the verification. The message data
-	 * is supplied via the data argument.
-	 *
-	 * @param data			chunk contains the message
-	 * @return
-	 * 						- SUCCESS, or
-	 * 						- FAILED if signature invalid, or
-	 * 						- INVALID_STATE if transforms not set
+	 * Decrypt, verify and parse contained payloads.
+	 *
+	 * @param assoc			associated data
+	 * 						- SUCCESS if parsing successful
+	 *						- PARSE_ERROR if sub-payload parsing failed
+	 * 						- VERIFY_ERROR if sub-payload verification failed
+	 * 						- FAILED if integrity check failed
+	 * 						- INVALID_STATE if aead not supplied, but needed
 	 */
-	status_t (*verify_signature) (encryption_payload_t *this, chunk_t data);
+	status_t (*decrypt) (encryption_payload_t *this, chunk_t assoc);
 
 	/**
 	 * Destroys an encryption_payload_t object.
@@ -166,7 +102,7 @@ struct encryption_payload_t {
 /**
  * Creates an empty encryption_payload_t object.
  *
- * @return encryption_payload_t object
+ * @return			encryption_payload_t object
  */
 encryption_payload_t *encryption_payload_create(void);
 
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index 469698ef5..a56fd1869 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -41,7 +41,7 @@ ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL
 	"INVALID_KE_PAYLOAD");
 ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
 	"AUTHENTICATION_FAILED");
-ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED,
+ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUTHENTICATION_FAILED,
 	"SINGLE_PAIR_REQUIRED",
 	"NO_ADDITIONAL_SAS",
 	"INTERNAL_ADDRESS_FAILURE",
@@ -50,10 +50,12 @@ ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICAT
 	"INVALID_SELECTORS",
 	"UNACCEPTABLE_ADDRESSES",
 	"UNEXPECTED_NAT_DETECTED",
-	"USE_ASSIGNED_HoA");
-ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA,
+	"USE_ASSIGNED_HoA",
+	"TEMPORARY_FAILURE",
+	"CHILD_SA_NOT_FOUND");
+ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_FOUND,
 	"ME_CONNECT_FAILED");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, EAP_ONLY_AUTHENTICATION, ME_CONNECT_FAILED,
 	"INITIAL_CONTACT",
 	"SET_WINDOW_SIZE",
 	"ADDITIONAL_TS_POSSIBLE",
@@ -84,8 +86,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
 	"TICKET_ACK",
 	"TICKET_NACK",
 	"TICKET_OPAQUE",
-	"LINK_ID");
-ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID,
+	"LINK_ID",
+	"USE_WESP_MODE",
+	"ROHC_SUPPORTED",
 	"EAP_ONLY_AUTHENTICATION");
 ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
 	"USE_BEET_MODE");
@@ -117,7 +120,7 @@ ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PR
 	"INVAL_KE");
 ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
 	"AUTH_FAILED");
-ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHENTICATION_FAILED,
+ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUTHENTICATION_FAILED,
 	"SINGLE_PAIR",
 	"NO_ADD_SAS",
 	"INT_ADDR_FAIL",
@@ -126,10 +129,12 @@ ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, USE_ASSIGNED_HoA, AUTHE
 	"INVAL_SEL",
 	"UNACCEPT_ADDR",
 	"UNEXPECT_NAT",
-	"ASSIGNED_HoA");
-ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, USE_ASSIGNED_HoA,
+	"ASSIGNED_HoA",
+	"TEMP_FAIL",
+	"NO_CHILD_SA");
+ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_FOUND,
 	"ME_CONN_FAIL");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, EAP_ONLY_AUTHENTICATION, ME_CONNECT_FAILED,
 	"INIT_CONTACT",
 	"SET_WINSIZE",
 	"ADD_TS_POSS",
@@ -160,8 +165,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, LINK_ID, ME_CONNECT_FAILED,
 	"TKT_ACK",
 	"TKT_NACK",
 	"TKT_OPAK",
-	"LINK_ID");
-ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, LINK_ID,
+	"LINK_ID",
+	"WESP_MODE",
+	"ROHC_SUP",
 	"EAP_ONLY");
 ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE, EAP_ONLY_AUTHENTICATION,
 	"BEET_MODE");
@@ -238,29 +244,29 @@ struct private_notify_payload_t {
  */
 encoding_rule_t notify_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_notify_payload_t, next_payload) 		},
+	{ U_INT_8,			offsetof(private_notify_payload_t, next_payload)		},
 	/* the critical bit */
-	{ FLAG,				offsetof(private_notify_payload_t, critical) 			},
+	{ FLAG,				offsetof(private_notify_payload_t, critical)			},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
+	{ RESERVED_BIT,	0														},
 	/* Length of the whole payload*/
-	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length) 		},
+	{ PAYLOAD_LENGTH,	offsetof(private_notify_payload_t, payload_length)		},
 	/* Protocol ID as 8 bit field*/
-	{ U_INT_8,			offsetof(private_notify_payload_t, protocol_id) 			},
+	{ U_INT_8,			offsetof(private_notify_payload_t, protocol_id)			},
 	/* SPI Size as 8 bit field*/
-	{ SPI_SIZE,			offsetof(private_notify_payload_t, spi_size) 			},
+	{ SPI_SIZE,			offsetof(private_notify_payload_t, spi_size)			},
 	/* Notify message type as 16 bit field*/
 	{ U_INT_16,			offsetof(private_notify_payload_t, notify_type)	},
 	/* SPI as variable length field*/
 	{ SPI,				offsetof(private_notify_payload_t, spi)					},
 	/* Key Exchange Data is from variable size */
-	{ NOTIFICATION_DATA,	offsetof(private_notify_payload_t, notification_data) 	}
+	{ NOTIFICATION_DATA,	offsetof(private_notify_payload_t, notification_data)	}
 };
 
 /*
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index 0e1bc23b8..8abc236e1 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -64,6 +64,9 @@ enum notify_type_t {
 	UNEXPECTED_NAT_DETECTED = 41,
 	/* mobile IPv6 bootstrapping, RFC 5026 */
 	USE_ASSIGNED_HoA = 42,
+	/* IKEv2 RFC 5996 */
+	TEMPORARY_FAILURE = 43,
+	CHILD_SA_NOT_FOUND = 44,
 
 	/* IKE-ME, private use */
 	ME_CONNECT_FAILED = 8192,
@@ -98,16 +101,21 @@ enum notify_type_t {
 	REDIRECT_SUPPORTED = 16406,
 	REDIRECT = 16407,
 	REDIRECTED_FROM = 16408,
-	/* draft-ietf-ipsecme-ikev2-resumption, assigned by IANA */
+	/* session resumption, RFC 5723 */
 	TICKET_LT_OPAQUE = 16409,
 	TICKET_REQUEST = 16410,
 	TICKET_ACK = 16411,
 	TICKET_NACK = 16412,
 	TICKET_OPAQUE = 16413,
+	/* IPv6 configuration, RFC 5739 */
 	LINK_ID = 16414,
+	/* wrapped esp, RFC 5840 */
+	USE_WESP_MODE = 16415,
+	/* robust header compression, RFC 5857 */
+	ROHC_SUPPORTED = 16416,
+	/* EAP-only authentication, RFC 5998 */
+	EAP_ONLY_AUTHENTICATION = 16417,
 
-	/* draft-eronen-ipsec-ikev2-eap-auth, not assigned by IANA yet */
-	EAP_ONLY_AUTHENTICATION = 40960,
 	/* BEET mode, not even a draft yet. private use */
 	USE_BEET_MODE = 40961,
 	/* IKE-ME, private use */
@@ -144,7 +152,7 @@ struct notify_payload_t {
 	/**
 	 * Gets the protocol id of this payload.
 	 *
-	 * @return 			protocol id of this payload
+	 * @return			protocol id of this payload
 	 */
 	u_int8_t (*get_protocol_id) (notify_payload_t *this);
 
@@ -158,7 +166,7 @@ struct notify_payload_t {
 	/**
 	 * Gets the notify message type of this payload.
 	 *
-	 * @return 			notify message type of this payload
+	 * @return			notify message type of this payload
 	 */
 	notify_type_t (*get_notify_type) (notify_payload_t *this);
 
@@ -174,7 +182,7 @@ struct notify_payload_t {
 	 *
 	 * This is only valid for notifys with protocol AH|ESP
 	 *
-	 * @return 		SPI value
+	 * @return		SPI value
 	 */
 	u_int32_t (*get_spi) (notify_payload_t *this);
 
@@ -192,7 +200,7 @@ struct notify_payload_t {
 	 *
 	 * Returned data are not copied.
 	 *
-	 * @return 		chunk_t pointing to the value
+	 * @return		chunk_t pointing to the value
 	 */
 	chunk_t (*get_notification_data) (notify_payload_t *this);
 
@@ -201,7 +209,7 @@ struct notify_payload_t {
 	 *
 	 * @warning Value is getting copied.
 	 *
-	 * @param notification_data 	chunk_t pointing to the value to set
+	 * @param notification_data	chunk_t pointing to the value to set
 	 */
 	void (*set_notification_data) (notify_payload_t *this,
 								   chunk_t notification_data);
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index c93f73a68..985b03255 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -24,20 +24,18 @@
 #include <utils/linked_list.h>
 #include <daemon.h>
 
-
 /**
  * IKEv1 Value for a proposal payload.
  */
 #define PROPOSAL_TYPE_VALUE 2
 
-
 typedef struct private_proposal_substructure_t private_proposal_substructure_t;
 
 /**
  * Private data of an proposal_substructure_t object.
- *
  */
 struct private_proposal_substructure_t {
+
 	/**
 	 * Public proposal_substructure_t interface.
 	 */
@@ -92,24 +90,24 @@ struct private_proposal_substructure_t {
  */
 encoding_rule_t proposal_substructure_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,			offsetof(private_proposal_substructure_t, next_payload) 		},
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, next_payload)		},
 	/* Reserved Byte is skipped */
-	{ RESERVED_BYTE,		0															},
+	{ RESERVED_BYTE,	0															},
 	/* Length of the whole proposal substructure payload*/
-	{ PAYLOAD_LENGTH,		offsetof(private_proposal_substructure_t, proposal_length) 	},
+	{ PAYLOAD_LENGTH,	offsetof(private_proposal_substructure_t, proposal_length)	},
 	/* proposal number is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_proposal_substructure_t, proposal_number) 	},
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, proposal_number)	},
 	/* protocol ID is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_proposal_substructure_t, protocol_id)		},
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, protocol_id)		},
 	/* SPI Size has its own type */
-	{ SPI_SIZE,				offsetof(private_proposal_substructure_t, spi_size)			},
+	{ SPI_SIZE,			offsetof(private_proposal_substructure_t, spi_size)			},
 	/* Number of transforms is a number of 8 bit */
-	{ U_INT_8,				offsetof(private_proposal_substructure_t, transforms_count)	},
+	{ U_INT_8,			offsetof(private_proposal_substructure_t, transforms_count)	},
 	/* SPI is a chunk of variable size*/
-	{ SPI,					offsetof(private_proposal_substructure_t, spi)				},
+	{ SPI,				offsetof(private_proposal_substructure_t, spi)				},
 	/* Transforms are stored in a transform substructure,
 	   offset points to a linked_list_t pointer */
-	{ TRANSFORMS,			offsetof(private_proposal_substructure_t, transforms) 		}
+	{ TRANSFORMS,		offsetof(private_proposal_substructure_t, transforms)		}
 };
 
 /*
@@ -128,16 +126,14 @@ encoding_rule_t proposal_substructure_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_proposal_substructure_t *this)
+METHOD(payload_t, verify, status_t,
+	private_proposal_substructure_t *this)
 {
 	status_t status = SUCCESS;
-	iterator_t *iterator;
-	payload_t *current_transform;
+	enumerator_t *enumerator;
+	payload_t *current;
 
-	if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 2))
+	if (this->next_payload != NO_PAYLOAD && this->next_payload != 2)
 	{
 		/* must be 0 or 2 */
 		DBG1(DBG_ENC, "inconsistent next payload");
@@ -169,61 +165,46 @@ static status_t verify(private_proposal_substructure_t *this)
 			}
 			break;
 		default:
-			DBG1(DBG_ENC, "invalid proposal protocol (%d)", this->protocol_id);
-			return FAILED;
-	}
-	if ((this->protocol_id == 0) || (this->protocol_id >= 4))
-	{
-		/* reserved are not supported */
-		DBG1(DBG_ENC, "invalid protocol");
-		return FAILED;
+			break;
 	}
-
-	iterator = this->transforms->create_iterator(this->transforms,TRUE);
-	while(iterator->iterate(iterator, (void**)&current_transform))
+	enumerator = this->transforms->create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &current))
 	{
-		status = current_transform->verify(current_transform);
+		status = current->verify(current);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed");
 			break;
 		}
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
 	/* proposal number is checked in SA payload */
 	return status;
 }
 
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_proposal_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_proposal_substructure_t *this, encoding_rule_t **rules,
+	size_t *rule_count)
 {
 	*rules = proposal_substructure_encodings;
-	*rule_count = sizeof(proposal_substructure_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(proposal_substructure_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_proposal_substructure_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_proposal_substructure_t *this)
 {
 	return PROPOSAL_SUBSTRUCTURE;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_proposal_substructure_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_proposal_substructure_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_proposal_substructure_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_proposal_substructure_t *this, payload_type_t type)
 {
 }
 
@@ -250,145 +231,88 @@ static void compute_length(private_proposal_substructure_t *this)
 	this->proposal_length = length;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_proposal_substructure_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_proposal_substructure_t *this)
 {
 	compute_length(this);
 	return this->proposal_length;
 }
 
 /**
- * Implementation of proposal_substructure_t.create_transform_substructure_iterator.
- */
-static iterator_t *create_transform_substructure_iterator (private_proposal_substructure_t *this,bool forward)
-{
-	return (this->transforms->create_iterator(this->transforms,forward));
-}
-
-/**
- * Implementation of proposal_substructure_t.add_transform_substructure.
+ * Add a transform substructure to the proposal
  */
-static void add_transform_substructure (private_proposal_substructure_t *this,transform_substructure_t *transform)
+static void add_transform_substructure(private_proposal_substructure_t *this,
+									   transform_substructure_t *transform)
 {
-	status_t status;
 	if (this->transforms->get_count(this->transforms) > 0)
 	{
-		transform_substructure_t *last_transform;
-		status = this->transforms->get_last(this->transforms,(void **) &last_transform);
-		/* last transform is now not anymore last one */
-		last_transform->set_is_last_transform(last_transform,FALSE);
+		transform_substructure_t *last;
 
+		this->transforms->get_last(this->transforms, (void **)&last);
+		last->set_is_last_transform(last, FALSE);
 	}
 	transform->set_is_last_transform(transform,TRUE);
-
-	this->transforms->insert_last(this->transforms,(void *) transform);
+	this->transforms->insert_last(this->transforms, transform);
 	compute_length(this);
 }
 
-/**
- * Implementation of proposal_substructure_t.proposal_substructure_t.
- */
-static void set_is_last_proposal (private_proposal_substructure_t *this, bool is_last)
+METHOD(proposal_substructure_t, set_is_last_proposal, void,
+	private_proposal_substructure_t *this, bool is_last)
 {
-	this->next_payload = (is_last) ? 0: PROPOSAL_TYPE_VALUE;
+	this->next_payload = is_last ? 0 : PROPOSAL_TYPE_VALUE;
 }
 
-/**
- * Implementation of proposal_substructure_t.set_proposal_number.
- */
-static void set_proposal_number(private_proposal_substructure_t *this,u_int8_t proposal_number)
+METHOD(proposal_substructure_t, set_proposal_number, void,
+	private_proposal_substructure_t *this,u_int8_t proposal_number)
 {
 	this->proposal_number = proposal_number;
 }
 
-/**
- * Implementation of proposal_substructure_t.get_proposal_number.
- */
-static u_int8_t get_proposal_number (private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, get_proposal_number, u_int8_t,
+	private_proposal_substructure_t *this)
 {
-	return (this->proposal_number);
+	return this->proposal_number;
 }
 
-/**
- * Implementation of proposal_substructure_t.set_protocol_id.
- */
-static void set_protocol_id(private_proposal_substructure_t *this,u_int8_t protocol_id)
+METHOD(proposal_substructure_t, set_protocol_id, void,
+	private_proposal_substructure_t *this,u_int8_t protocol_id)
 {
 	this->protocol_id = protocol_id;
 }
 
-/**
- * Implementation of proposal_substructure_t.get_protocol_id.
- */
-static u_int8_t get_protocol_id(private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, get_protocol_id, u_int8_t,
+	private_proposal_substructure_t *this)
 {
-	return (this->protocol_id);
+	return this->protocol_id;
 }
 
-/**
- * Implementation of proposal_substructure_t.set_spi.
- */
-static void set_spi(private_proposal_substructure_t *this, chunk_t spi)
+METHOD(proposal_substructure_t, set_spi, void,
+	private_proposal_substructure_t *this, chunk_t spi)
 {
-	/* first delete already set spi value */
-	if (this->spi.ptr != NULL)
-	{
-		free(this->spi.ptr);
-		this->spi.ptr = NULL;
-		this->spi.len = 0;
-		compute_length(this);
-	}
-
-	this->spi.ptr = clalloc(spi.ptr,spi.len);
-	this->spi.len = spi.len;
+	free(this->spi.ptr);
+	this->spi = chunk_clone(spi);
 	this->spi_size = spi.len;
 	compute_length(this);
 }
 
-/**
- * Implementation of proposal_substructure_t.get_spi.
- */
-static chunk_t get_spi(private_proposal_substructure_t *this)
-{
-	chunk_t spi;
-	spi.ptr = this->spi.ptr;
-	spi.len = this->spi.len;
-
-	return spi;
-}
-
-/**
- * Implementation of proposal_substructure_t.get_transform_count.
- */
-static size_t get_transform_count (private_proposal_substructure_t *this)
-{
-	return this->transforms->get_count(this->transforms);
-}
-
-/**
- * Implementation of proposal_substructure_t.get_spi_size.
- */
-static size_t get_spi_size (private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, get_spi, chunk_t,
+	private_proposal_substructure_t *this)
 {
-	return this->spi.len;
+	return this->spi;
 }
 
-/**
- * Implementation of proposal_substructure_t.get_proposal.
- */
-proposal_t* get_proposal(private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, get_proposal, proposal_t*,
+	private_proposal_substructure_t *this)
 {
-	iterator_t *iterator;
+	enumerator_t *enumerator;
 	transform_substructure_t *transform;
 	proposal_t *proposal;
 	u_int64_t spi;
 
-	proposal = proposal_create(this->protocol_id);
+	proposal = proposal_create(this->protocol_id, this->proposal_number);
 
-	iterator = this->transforms->create_iterator(this->transforms, TRUE);
-	while (iterator->iterate(iterator, (void**)&transform))
+	enumerator = this->transforms->create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &transform))
 	{
 		transform_type_t transform_type;
 		u_int16_t transform_id;
@@ -400,7 +324,7 @@ proposal_t* get_proposal(private_proposal_substructure_t *this)
 
 		proposal->add_algorithm(proposal, transform_type, transform_id, key_length);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
 	switch (this->spi.len)
 	{
@@ -418,42 +342,36 @@ proposal_t* get_proposal(private_proposal_substructure_t *this)
 	return proposal;
 }
 
-/**
- * Implementation of proposal_substructure_t.clone.
- */
-static private_proposal_substructure_t* clone_(private_proposal_substructure_t *this)
+METHOD(proposal_substructure_t, clone_, proposal_substructure_t*,
+	private_proposal_substructure_t *this)
 {
 	private_proposal_substructure_t *clone;
-	iterator_t *transforms;
-	transform_substructure_t *current_transform;
+	enumerator_t *enumerator;
+	transform_substructure_t *current;
 
-	clone = (private_proposal_substructure_t *) proposal_substructure_create();
+	clone = (private_proposal_substructure_t*)proposal_substructure_create();
 	clone->next_payload = this->next_payload;
 	clone->proposal_number = this->proposal_number;
 	clone->protocol_id = this->protocol_id;
 	clone->spi_size = this->spi_size;
 	if (this->spi.ptr != NULL)
 	{
-		clone->spi.ptr = clalloc(this->spi.ptr,this->spi.len);
+		clone->spi.ptr = clalloc(this->spi.ptr, this->spi.len);
 		clone->spi.len = this->spi.len;
 	}
-
-	transforms = this->transforms->create_iterator(this->transforms,FALSE);
-	while (transforms->iterate(transforms, (void**)&current_transform))
+	enumerator = this->transforms->create_enumerator(this->transforms);
+	while (enumerator->enumerate(enumerator, &current))
 	{
-		current_transform = current_transform->clone(current_transform);
-		clone->public.add_transform_substructure(&clone->public, current_transform);
+		current = current->clone(current);
+		add_transform_substructure(clone, current);
 	}
-	transforms->destroy(transforms);
+	enumerator->destroy(enumerator);
 
-	return clone;
+	return &clone->public;
 }
 
-/**
- * Implements payload_t's and proposal_substructure_t's destroy function.
- * See #payload_s.destroy or proposal_substructure_s.destroy for description.
- */
-static void destroy(private_proposal_substructure_t *this)
+METHOD2(payload_t, proposal_substructure_t, destroy, void,
+	private_proposal_substructure_t *this)
 {
 	this->transforms->destroy_offset(this->transforms,
 									 offsetof(transform_substructure_t, destroy));
@@ -466,53 +384,42 @@ static void destroy(private_proposal_substructure_t *this)
  */
 proposal_substructure_t *proposal_substructure_create()
 {
-	private_proposal_substructure_t *this = malloc_thing(private_proposal_substructure_t);
-
-	/* interface functions */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-
-	/* public functions */
-	this->public.create_transform_substructure_iterator = (iterator_t* (*) (proposal_substructure_t *,bool)) create_transform_substructure_iterator;
-	this->public.add_transform_substructure = (void (*) (proposal_substructure_t *,transform_substructure_t *)) add_transform_substructure;
-	this->public.set_proposal_number = (void (*) (proposal_substructure_t *,u_int8_t))set_proposal_number;
-	this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number;
-	this->public.set_protocol_id = (void (*) (proposal_substructure_t *,u_int8_t))set_protocol_id;
-	this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
-	this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal;
-	this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal;
-	this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
-	this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
-	this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count;
-	this->public.get_spi_size = (size_t (*) (proposal_substructure_t *)) get_spi_size;
-	this->public.clone = (proposal_substructure_t * (*) (proposal_substructure_t *)) clone_;
-	this->public.destroy = (void (*) (proposal_substructure_t *)) destroy;
-
-	/* set default values of the fields */
-	this->next_payload = NO_PAYLOAD;
-	this->proposal_length = 0;
-	this->proposal_number = 0;
-	this->protocol_id = 0;
-	this->transforms_count = 0;
-	this->spi_size = 0;
-	this->spi.ptr = NULL;
-	this->spi.len = 0;
-
-	this->transforms = linked_list_create();
-
-	return (&(this->public));
+	private_proposal_substructure_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.set_proposal_number = _set_proposal_number,
+			.get_proposal_number = _get_proposal_number,
+			.set_protocol_id = _set_protocol_id,
+			.get_protocol_id = _get_protocol_id,
+			.set_is_last_proposal = _set_is_last_proposal,
+			.get_proposal = _get_proposal,
+			.set_spi = _set_spi,
+			.get_spi = _get_spi,
+			.clone = _clone_,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.transforms = linked_list_create(),
+	);
+
+	return &this->public;
 }
 
 /*
  * Described in header.
  */
-proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal)
+proposal_substructure_t *proposal_substructure_create_from_proposal(
+														proposal_t *proposal)
 {
 	transform_substructure_t *transform;
 	private_proposal_substructure_t *this;
@@ -591,7 +498,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *
 		default:
 			break;
 	}
-	this->proposal_number = 0;
+	this->proposal_number = proposal->get_number(proposal);
 	this->protocol_id = proposal->get_protocol(proposal);
 
 	return &this->public;
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h
index 4934802af..56e7184b6 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.h
+++ b/src/libcharon/encoding/payloads/proposal_substructure.h
@@ -42,36 +42,19 @@ typedef struct proposal_substructure_t proposal_substructure_t;
  * The PROPOSAL SUBSTRUCTURE format is described in RFC section 3.3.1.
  */
 struct proposal_substructure_t {
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
 
 	/**
-	 * Creates an iterator of stored transform_substructure_t objects.
-	 *
-	 * @param forward		iterator direction (TRUE: front to end)
-	 * @return				created iterator_t object
-	 */
-	iterator_t *(*create_transform_substructure_iterator) (
-								proposal_substructure_t *this, bool forward);
-
-	/**
-	 * Adds a transform_substructure_t object to this object.
-	 *
-	 * @param transform 	transform_substructure_t object to add
-	 */
-	void (*add_transform_substructure) (proposal_substructure_t *this,
-										transform_substructure_t *transform);
-
-	/**
 	 * Sets the proposal number of current proposal.
 	 *
 	 * @param id			proposal number to set
 	 */
 	void (*set_proposal_number) (proposal_substructure_t *this,
 								 u_int8_t proposal_number);
-
 	/**
 	 * get proposal number of current proposal.
 	 *
@@ -80,20 +63,6 @@ struct proposal_substructure_t {
 	u_int8_t (*get_proposal_number) (proposal_substructure_t *this);
 
 	/**
-	 * get the number of transforms in current proposal.
-	 *
-	 * @return 			transform count in current proposal
-	 */
-	size_t (*get_transform_count) (proposal_substructure_t *this);
-
-	/**
-	 * get size of the set spi in bytes.
-	 *
-	 * @return 			size of the spi in bytes
-	 */
-	size_t (*get_spi_size) (proposal_substructure_t *this);
-
-	/**
 	 * Sets the protocol id of current proposal.
 	 *
 	 * @param id		protocol id to set
diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c
index 187a8fee0..4fbd4cac0 100644
--- a/src/libcharon/encoding/payloads/sa_payload.c
+++ b/src/libcharon/encoding/payloads/sa_payload.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -27,9 +27,9 @@ typedef struct private_sa_payload_t private_sa_payload_t;
 
 /**
  * Private data of an sa_payload_t object.
- *
  */
 struct private_sa_payload_t {
+
 	/**
 	 * Public sa_payload_t interface.
 	 */
@@ -61,26 +61,25 @@ struct private_sa_payload_t {
  *
  * The defined offsets are the positions in a object of type
  * private_sa_payload_t.
- *
  */
 encoding_rule_t sa_payload_encodings[] = {
 	/* 1 Byte next payload type, stored in the field next_payload */
-	{ U_INT_8,		offsetof(private_sa_payload_t, next_payload) 			},
+	{ U_INT_8,			offsetof(private_sa_payload_t, next_payload)		},
 	/* the critical bit */
-	{ FLAG,			offsetof(private_sa_payload_t, critical) 				},
+	{ FLAG,				offsetof(private_sa_payload_t, critical)			},
 	/* 7 Bit reserved bits, nowhere stored */
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
-	{ RESERVED_BIT,	0 														},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
+	{ RESERVED_BIT,		0													},
 	/* Length of the whole SA payload*/
-	{ PAYLOAD_LENGTH,		offsetof(private_sa_payload_t, payload_length) 	},
+	{ PAYLOAD_LENGTH,	offsetof(private_sa_payload_t, payload_length)		},
 	/* Proposals are stored in a proposal substructure,
 	   offset points to a linked_list_t pointer */
-	{ PROPOSALS,		offsetof(private_sa_payload_t, proposals) 				}
+	{ PROPOSALS,		offsetof(private_sa_payload_t, proposals)			},
 };
 
 /*
@@ -95,26 +94,23 @@ encoding_rule_t sa_payload_encodings[] = {
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
 
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_sa_payload_t *this)
+METHOD(payload_t, verify, status_t,
+	private_sa_payload_t *this)
 {
 	int expected_number = 1, current_number;
 	status_t status = SUCCESS;
-	iterator_t *iterator;
-	proposal_substructure_t *current_proposal;
+	enumerator_t *enumerator;
+	proposal_substructure_t *substruct;
 	bool first = TRUE;
 
 	/* check proposal numbering */
-	iterator = this->proposals->create_iterator(this->proposals,TRUE);
-
-	while(iterator->iterate(iterator, (void**)&current_proposal))
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, (void**)&substruct))
 	{
-		current_number = current_proposal->get_proposal_number(current_proposal);
+		current_number = substruct->get_proposal_number(substruct);
 		if (current_number < expected_number)
 		{
-			if (current_number != (expected_number + 1))
+			if (current_number != expected_number + 1)
 			{
 				DBG1(DBG_ENC, "proposal number is %d, expected %d or %d",
 					 current_number, expected_number, expected_number + 1);
@@ -124,13 +120,12 @@ static status_t verify(private_sa_payload_t *this)
 		}
 		else if (current_number < expected_number)
 		{
-			/* must not be smaller then proceeding one */
-			DBG1(DBG_ENC, "proposal number smaller than that of previous proposal");
+			DBG1(DBG_ENC, "proposal number smaller than previous");
 			status = FAILED;
 			break;
 		}
 
-		status = current_proposal->payload_interface.verify(&(current_proposal->payload_interface));
+		status = substruct->payload_interface.verify(&substruct->payload_interface);
 		if (status != SUCCESS)
 		{
 			DBG1(DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed");
@@ -139,52 +134,31 @@ static status_t verify(private_sa_payload_t *this)
 		first = FALSE;
 		expected_number = current_number;
 	}
-
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 	return status;
 }
 
-
-/**
- * Implementation of payload_t.destroy and sa_payload_t.destroy.
- */
-static status_t destroy(private_sa_payload_t *this)
-{
-	this->proposals->destroy_offset(this->proposals,
-									offsetof(proposal_substructure_t, destroy));
-	free(this);
-	return SUCCESS;
-}
-
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_sa_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+	private_sa_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
 {
 	*rules = sa_payload_encodings;
-	*rule_count = sizeof(sa_payload_encodings) / sizeof(encoding_rule_t);
+	*rule_count = countof(sa_payload_encodings);
 }
 
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_sa_payload_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+	private_sa_payload_t *this)
 {
 	return SECURITY_ASSOCIATION;
 }
 
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_sa_payload_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+	private_sa_payload_t *this)
 {
-	return (this->next_payload);
+	return this->next_payload;
 }
 
-/**
- * Implementation of payload_t.set_next_type.
- */
-static void set_next_type(private_sa_payload_t *this,payload_type_t type)
+METHOD(payload_t, set_next_type, void,
+	private_sa_payload_t *this,payload_type_t type)
 {
 	this->next_payload = type;
 }
@@ -192,116 +166,104 @@ static void set_next_type(private_sa_payload_t *this,payload_type_t type)
 /**
  * recompute length of the payload.
  */
-static void compute_length (private_sa_payload_t *this)
+static void compute_length(private_sa_payload_t *this)
 {
-	iterator_t *iterator;
-	payload_t *current_proposal;
+	enumerator_t *enumerator;
+	payload_t *current;
 	size_t length = SA_PAYLOAD_HEADER_LENGTH;
 
-	iterator = this->proposals->create_iterator(this->proposals,TRUE);
-	while (iterator->iterate(iterator, (void **)&current_proposal))
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, (void **)&current))
 	{
-		length += current_proposal->get_length(current_proposal);
+		length += current->get_length(current);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
 	this->payload_length = length;
 }
 
-/**
- * Implementation of payload_t.get_length.
- */
-static size_t get_length(private_sa_payload_t *this)
+METHOD(payload_t, get_length, size_t,
+	private_sa_payload_t *this)
 {
 	compute_length(this);
 	return this->payload_length;
 }
 
-/**
- * Implementation of sa_payload_t.create_proposal_substructure_iterator.
- */
-static iterator_t *create_proposal_substructure_iterator (private_sa_payload_t *this,bool forward)
+METHOD(sa_payload_t, add_proposal, void,
+	private_sa_payload_t *this, proposal_t *proposal)
 {
-	return this->proposals->create_iterator(this->proposals,forward);
-}
+	proposal_substructure_t *substruct, *last;
+	u_int count;
 
-/**
- * Implementation of sa_payload_t.add_proposal_substructure.
- */
-static void add_proposal_substructure(private_sa_payload_t *this,proposal_substructure_t *proposal)
-{
-	status_t status;
-	u_int proposal_count = this->proposals->get_count(this->proposals);
-
-	if (proposal_count > 0)
+	count = this->proposals->get_count(this->proposals);
+	substruct = proposal_substructure_create_from_proposal(proposal);
+	if (count > 0)
 	{
-		proposal_substructure_t *last_proposal;
-		status = this->proposals->get_last(this->proposals,(void **) &last_proposal);
+		this->proposals->get_last(this->proposals, (void**)&last);
 		/* last transform is now not anymore last one */
-		last_proposal->set_is_last_proposal(last_proposal, FALSE);
+		last->set_is_last_proposal(last, FALSE);
+	}
+	substruct->set_is_last_proposal(substruct, TRUE);
+	if (proposal->get_number(proposal))
+	{	/* use the selected proposals number, if any */
+		substruct->set_proposal_number(substruct, proposal->get_number(proposal));
+	}
+	else
+	{
+		substruct->set_proposal_number(substruct, count + 1);
 	}
-	proposal->set_is_last_proposal(proposal, TRUE);
-	proposal->set_proposal_number(proposal, proposal_count + 1);
-	this->proposals->insert_last(this->proposals,(void *) proposal);
+	this->proposals->insert_last(this->proposals, substruct);
 	compute_length(this);
 }
 
-/**
- * Implementation of sa_payload_t.add_proposal.
- */
-static void add_proposal(private_sa_payload_t *this, proposal_t *proposal)
-{
-	proposal_substructure_t *substructure;
-
-	substructure = proposal_substructure_create_from_proposal(proposal);
-	add_proposal_substructure(this, substructure);
-}
-
-/**
- * Implementation of sa_payload_t.get_proposals.
- */
-static linked_list_t *get_proposals(private_sa_payload_t *this)
+METHOD(sa_payload_t, get_proposals, linked_list_t*,
+	private_sa_payload_t *this)
 {
 	int struct_number = 0;
 	int ignore_struct_number = 0;
-	iterator_t *iterator;
-	proposal_substructure_t *proposal_struct;
-	linked_list_t *proposal_list;
-
-	/* this list will hold our proposals */
-	proposal_list = linked_list_create();
+	enumerator_t *enumerator;
+	proposal_substructure_t *substruct;
+	linked_list_t *list;
+	proposal_t *proposal;
 
+	list = linked_list_create();
 	/* we do not support proposals split up to two proposal substructures, as
 	 * AH+ESP bundles are not supported in RFC4301 anymore.
 	 * To handle such structures safely, we just skip proposals with multiple
 	 * protocols.
 	 */
-	iterator = this->proposals->create_iterator(this->proposals, TRUE);
-	while (iterator->iterate(iterator, (void **)&proposal_struct))
+	enumerator = this->proposals->create_enumerator(this->proposals);
+	while (enumerator->enumerate(enumerator, &substruct))
 	{
-		proposal_t *proposal;
-
 		/* check if a proposal has a single protocol */
-		if (proposal_struct->get_proposal_number(proposal_struct) == struct_number)
+		if (substruct->get_proposal_number(substruct) == struct_number)
 		{
 			if (ignore_struct_number < struct_number)
 			{
-				/* remova an already added, if first of series */
-				proposal_list->remove_last(proposal_list, (void**)&proposal);
+				/* remove an already added, if first of series */
+				list->remove_last(list, (void**)&proposal);
 				proposal->destroy(proposal);
 				ignore_struct_number = struct_number;
 			}
 			continue;
 		}
 		struct_number++;
-		proposal = proposal_struct->get_proposal(proposal_struct);
+		proposal = substruct->get_proposal(substruct);
 		if (proposal)
 		{
-			proposal_list->insert_last(proposal_list, proposal);
+			list->insert_last(list, proposal);
 		}
 	}
-	iterator->destroy(iterator);
-	return proposal_list;
+	enumerator->destroy(enumerator);
+	return list;
+}
+
+METHOD2(payload_t, sa_payload_t, destroy, void,
+	private_sa_payload_t *this)
+{
+	this->proposals->destroy_offset(this->proposals,
+									offsetof(proposal_substructure_t, destroy));
+	free(this);
 }
 
 /*
@@ -309,29 +271,27 @@ static linked_list_t *get_proposals(private_sa_payload_t *this)
  */
 sa_payload_t *sa_payload_create()
 {
-	private_sa_payload_t *this = malloc_thing(private_sa_payload_t);
-
-	/* public interface */
-	this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
-	this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
-	this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
-	this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
-	this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
-	this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
-	this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
-
-	/* public functions */
-	this->public.create_proposal_substructure_iterator = (iterator_t* (*) (sa_payload_t *,bool)) create_proposal_substructure_iterator;
-	this->public.add_proposal_substructure = (void (*) (sa_payload_t *,proposal_substructure_t *)) add_proposal_substructure;
-	this->public.add_proposal = (void (*) (sa_payload_t*,proposal_t*))add_proposal;
-	this->public.get_proposals = (linked_list_t* (*) (sa_payload_t *)) get_proposals;
-	this->public.destroy = (void (*) (sa_payload_t *)) destroy;
-
-	/* set default values of the fields */
-	this->critical = FALSE;
-	this->next_payload = NO_PAYLOAD;
-	this->payload_length = SA_PAYLOAD_HEADER_LENGTH;
-	this->proposals = linked_list_create();
+	private_sa_payload_t *this;
+
+	INIT(this,
+		.public = {
+			.payload_interface = {
+				.verify = _verify,
+				.get_encoding_rules = _get_encoding_rules,
+				.get_length = _get_length,
+				.get_next_type = _get_next_type,
+				.set_next_type = _set_next_type,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
+			.add_proposal = _add_proposal,
+			.get_proposals = _get_proposals,
+			.destroy = _destroy,
+		},
+		.next_payload = NO_PAYLOAD,
+		.payload_length = SA_PAYLOAD_HEADER_LENGTH,
+		.proposals = linked_list_create(),
+	);
 	return &this->public;
 }
 
@@ -340,19 +300,19 @@ sa_payload_t *sa_payload_create()
  */
 sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
 {
-	iterator_t *iterator;
+	private_sa_payload_t *this;
+	enumerator_t *enumerator;
 	proposal_t *proposal;
-	sa_payload_t *sa_payload = sa_payload_create();
 
-	/* add every payload from the list */
-	iterator = proposals->create_iterator(proposals, TRUE);
-	while (iterator->iterate(iterator, (void**)&proposal))
+	this = (private_sa_payload_t*)sa_payload_create();
+	enumerator = proposals->create_enumerator(proposals);
+	while (enumerator->enumerate(enumerator, &proposal))
 	{
-		add_proposal((private_sa_payload_t*)sa_payload, proposal);
+		add_proposal(this, proposal);
 	}
-	iterator->destroy(iterator);
+	enumerator->destroy(enumerator);
 
-	return sa_payload;
+	return &this->public;
 }
 
 /*
@@ -360,9 +320,10 @@ sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
  */
 sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal)
 {
-	sa_payload_t *sa_payload = sa_payload_create();
+	private_sa_payload_t *this;
 
-	add_proposal((private_sa_payload_t*)sa_payload, proposal);
+	this = (private_sa_payload_t*)sa_payload_create();
+	add_proposal(this, proposal);
 
-	return sa_payload;
+	return &this->public;
 }
diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h
index 25f5a2407..801a70738 100644
--- a/src/libcharon/encoding/payloads/sa_payload.h
+++ b/src/libcharon/encoding/payloads/sa_payload.h
@@ -40,33 +40,13 @@ typedef struct sa_payload_t sa_payload_t;
  * The SA Payload format is described in RFC section 3.3.
  */
 struct sa_payload_t {
+
 	/**
 	 * The payload_t interface.
 	 */
 	payload_t payload_interface;
 
 	/**
-	 * Creates an iterator of stored proposal_substructure_t objects.
-	 *
-	 * When deleting an proposal using this iterator,
-	 * the length of this transform substructure has to be refreshed
-	 * by calling get_length()!
-	 *
-	 * @param forward 		iterator direction (TRUE: front to end)
-	 * @return				created iterator_t object
-	 */
-	iterator_t *(*create_proposal_substructure_iterator) (sa_payload_t *this,
-														  bool forward);
-
-	/**
-	 * Adds a proposal_substructure_t object to this object.
-	 *
-	 * @param proposal  		proposal_substructure_t object to add
-	 */
-	void (*add_proposal_substructure) (sa_payload_t *this,
-									   proposal_substructure_t *proposal);
-
-	/**
 	 * Gets the proposals in this payload as a list.
 	 *
 	 * @return					a list containing proposal_t s
diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c
new file mode 100644
index 000000000..d9e39fe43
--- /dev/null
+++ b/src/libcharon/kernel/kernel_handler.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "kernel_handler.h"
+
+#include <hydra.h>
+#include <daemon.h>
+#include <processing/jobs/acquire_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/migrate_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/roam_job.h>
+#include <processing/jobs/update_sa_job.h>
+
+typedef struct private_kernel_handler_t private_kernel_handler_t;
+
+/**
+ * Private data of a kernel_handler_t object.
+ */
+struct private_kernel_handler_t {
+
+	/**
+	 * Public part of kernel_handler_t object.
+	 */
+	kernel_handler_t public;
+
+};
+
+/**
+ * convert an IP protocol identifier to the IKEv2 specific protocol identifier.
+ */
+static inline protocol_id_t proto_ip2ike(u_int8_t protocol)
+{
+	switch (protocol)
+	{
+		case IPPROTO_ESP:
+			return PROTO_ESP;
+		case IPPROTO_AH:
+			return PROTO_AH;
+		default:
+			return protocol;
+	}
+}
+
+METHOD(kernel_listener_t, acquire, bool,
+	   private_kernel_handler_t *this, u_int32_t reqid,
+	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	job_t *job;
+	if (src_ts && dst_ts)
+	{
+		DBG1(DBG_KNL, "creating acquire job for policy %R === %R "
+					  "with reqid {%u}", src_ts, dst_ts, reqid);
+	}
+	else
+	{
+		DBG1(DBG_KNL, "creating acquire job for policy with reqid {%u}", reqid);
+	}
+	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
+	lib->processor->queue_job(lib->processor, job);
+	return TRUE;
+}
+
+METHOD(kernel_listener_t, expire, bool,
+	   private_kernel_handler_t *this, u_int32_t reqid, u_int8_t protocol,
+	   u_int32_t spi, bool hard)
+{
+	job_t *job;
+	protocol_id_t proto = proto_ip2ike(protocol);
+	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x "
+				  "and reqid {%u}", hard ? "delete" : "rekey",
+				  protocol_id_names, proto, ntohl(spi), reqid);
+	if (hard)
+	{
+		job = (job_t*)delete_child_sa_job_create(reqid, proto, spi);
+	}
+	else
+	{
+		job = (job_t*)rekey_child_sa_job_create(reqid, proto, spi);
+	}
+	lib->processor->queue_job(lib->processor, job);
+	return TRUE;
+}
+
+METHOD(kernel_listener_t, mapping, bool,
+	   private_kernel_handler_t *this, u_int32_t reqid, u_int32_t spi,
+	   host_t *remote)
+{
+	job_t *job;
+	DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
+				  "reqid {%u} changed, queuing update job", ntohl(spi), reqid);
+	job = (job_t*)update_sa_job_create(reqid, remote);
+	lib->processor->queue_job(lib->processor, job);
+	return TRUE;
+}
+
+METHOD(kernel_listener_t, migrate, bool,
+	   private_kernel_handler_t *this, u_int32_t reqid,
+	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	   policy_dir_t direction, host_t *local, host_t *remote)
+{
+	job_t *job;
+	DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with "
+				  "reqid {%u}", src_ts, dst_ts, policy_dir_names, direction,
+				  reqid, local);
+	job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, direction, local,
+									 remote);
+	lib->processor->queue_job(lib->processor, job);
+	return TRUE;
+}
+
+METHOD(kernel_listener_t, roam, bool,
+	   private_kernel_handler_t *this, bool address)
+{
+	job_t *job;
+	job = (job_t*)roam_job_create(address);
+	lib->processor->queue_job(lib->processor, job);
+	return TRUE;
+}
+
+METHOD(kernel_handler_t, destroy, void,
+	   private_kernel_handler_t *this)
+{
+	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
+											 &this->public.listener);
+	free(this);
+}
+
+kernel_handler_t *kernel_handler_create()
+{
+	private_kernel_handler_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.acquire = _acquire,
+				.expire = _expire,
+				.mapping = _mapping,
+				.migrate = _migrate,
+				.roam = _roam,
+			},
+			.destroy = _destroy,
+		},
+	);
+
+	hydra->kernel_interface->add_listener(hydra->kernel_interface,
+										  &this->public.listener);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/kernel/kernel_handler.h b/src/libcharon/kernel/kernel_handler.h
new file mode 100644
index 000000000..48ad6889c
--- /dev/null
+++ b/src/libcharon/kernel/kernel_handler.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_handler kernel_handler
+ * @{ @ingroup ckernel
+ */
+
+#ifndef KERNEL_HANDLER_H_
+#define KERNEL_HANDLER_H_
+
+typedef struct kernel_handler_t kernel_handler_t;
+
+#include <kernel/kernel_listener.h>
+
+/**
+ * Listens to and handles kernel events.
+ */
+struct kernel_handler_t {
+
+	/**
+	 * Implements the kernel listener interface.
+	 */
+	kernel_listener_t listener;
+
+	/**
+	 * Destroy this instance.
+	 */
+	void (*destroy)(kernel_handler_t *this);
+
+};
+
+/**
+ * Create an object of type kernel_handler_t.
+ */
+kernel_handler_t *kernel_handler_create();
+
+#endif /** KERNEL_HANDLER_H_ @}*/
diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
index 63a8cab58..d8cebe192 100644
--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
@@ -146,7 +146,7 @@ static void send_notify(message_t *request, notify_type_t type, chunk_t data)
 		ike_sa_id->switch_initiator(ike_sa_id);
 		response->set_ike_sa_id(response, ike_sa_id);
 		response->add_notify(response, FALSE, type, data);
-		if (response->generate(response, NULL, NULL, &packet) == SUCCESS)
+		if (response->generate(response, NULL, &packet) == SUCCESS)
 		{
 			charon->sender->send(charon->sender, packet);
 			response->destroy(response);
@@ -274,9 +274,17 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 {
 	packet_t *packet;
 	message_t *message;
+	status_t status;
 
 	/* read in a packet */
-	if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
+	status = charon->socket->receive(charon->socket, &packet);
+	if (status == NOT_SUPPORTED)
+	{
+		/* the processor destroys this job  */
+		this->job = NULL;
+		return JOB_REQUEUE_NONE;
+	}
+	else if (status != SUCCESS)
 	{
 		DBG2(DBG_NET, "receiving from socket failed!");
 		return JOB_REQUEUE_FAIR;
@@ -353,22 +361,25 @@ static job_requeue_t receive_packets(private_receiver_t *this)
 			{
 				DBG1(DBG_NET, "using receive delay: %dms",
 					 this->receive_delay);
-				charon->scheduler->schedule_job_ms(charon->scheduler,
+				lib->scheduler->schedule_job_ms(lib->scheduler,
 								(job_t*)process_message_job_create(message),
 								this->receive_delay);
 				return JOB_REQUEUE_DIRECT;
 			}
 		}
 	}
-	charon->processor->queue_job(charon->processor,
-								 (job_t*)process_message_job_create(message));
+	lib->processor->queue_job(lib->processor,
+							  (job_t*)process_message_job_create(message));
 	return JOB_REQUEUE_DIRECT;
 }
 
 METHOD(receiver_t, destroy, void,
 	private_receiver_t *this)
 {
-	this->job->cancel(this->job);
+	if (this->job)
+	{
+		this->job->cancel(this->job);
+	}
 	this->rng->destroy(this->rng);
 	this->hasher->destroy(this->hasher);
 	free(this);
@@ -383,7 +394,9 @@ receiver_t *receiver_create()
 	u_int32_t now = time_monotonic(NULL);
 
 	INIT(this,
-		.public.destroy = _destroy,
+		.public = {
+			.destroy = _destroy,
+		},
 		.secret_switch = now,
 		.secret_offset = random() % now,
 	);
@@ -424,7 +437,7 @@ receiver_t *receiver_create()
 
 	this->job = callback_job_create((callback_job_cb_t)receive_packets,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
index bb6d50605..4177fb3e1 100644
--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
@@ -195,7 +195,7 @@ sender_t * sender_create()
 											"charon.send_delay_response", TRUE),
 	);
 
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/network/socket.h b/src/libcharon/network/socket.h
index 5c5a4edfb..51b26920f 100644
--- a/src/libcharon/network/socket.h
+++ b/src/libcharon/network/socket.h
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -30,6 +31,11 @@ typedef struct socket_t socket_t;
 #include <utils/enumerator.h>
 
 /**
+ * Constructor prototype for sockets.
+ */
+typedef socket_t *(*socket_constructor_t)();
+
+/**
  * Socket interface definition.
  */
 struct socket_t {
@@ -42,8 +48,8 @@ struct socket_t {
 	 *
 	 * @param packet		pinter gets address from allocated packet_t
 	 * @return
-	 * 						- SUCCESS when packet successfully received
-	 * 						- FAILED when unable to receive
+	 *						- SUCCESS when packet successfully received
+	 *						- FAILED when unable to receive
 	 */
 	status_t (*receive) (socket_t *this, packet_t **packet);
 
@@ -55,10 +61,15 @@ struct socket_t {
 	 *
 	 * @param packet		packet_t to send
 	 * @return
-	 * 						- SUCCESS when packet successfully sent
-	 * 						- FAILED when unable to send
+	 *						- SUCCESS when packet successfully sent
+	 *						- FAILED when unable to send
 	 */
 	status_t (*send) (socket_t *this, packet_t *packet);
+
+	/**
+	 * Destroy a socket implementation.
+	 */
+	void (*destroy) (socket_t *this);
 };
 
 #endif /** SOCKET_H_ @}*/
diff --git a/src/libcharon/network/socket_manager.c b/src/libcharon/network/socket_manager.c
index 0dbce4b1b..72a454301 100644
--- a/src/libcharon/network/socket_manager.c
+++ b/src/libcharon/network/socket_manager.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -33,11 +35,21 @@ struct private_socket_manager_t {
 	socket_manager_t public;
 
 	/**
-	 * List of registered socket
+	 * List of registered socket constructors
 	 */
 	linked_list_t *sockets;
 
 	/**
+	 * Instantiated socket implementation
+	 */
+	socket_t *socket;
+
+	/**
+	 * The constructor used to create the current socket
+	 */
+	socket_constructor_t create;
+
+	/**
 	 * Lock for sockets list
 	 */
 	rwlock_t *lock;
@@ -46,11 +58,9 @@ struct private_socket_manager_t {
 METHOD(socket_manager_t, receiver, status_t,
 	private_socket_manager_t *this, packet_t **packet)
 {
-	socket_t *socket;
 	status_t status;
-
 	this->lock->read_lock(this->lock);
-	if (this->sockets->get_first(this->sockets, (void**)&socket) != SUCCESS)
+	if (!this->socket)
 	{
 		DBG1(DBG_NET, "no socket implementation registered, receiving failed");
 		this->lock->unlock(this->lock);
@@ -58,7 +68,7 @@ METHOD(socket_manager_t, receiver, status_t,
 	}
 	/* receive is blocking and the thread can be cancelled */
 	thread_cleanup_push((thread_cleanup_t)this->lock->unlock, this->lock);
-	status = socket->receive(socket, packet);
+	status = this->socket->receive(this->socket, packet);
 	thread_cleanup_pop(TRUE);
 	return status;
 }
@@ -66,40 +76,67 @@ METHOD(socket_manager_t, receiver, status_t,
 METHOD(socket_manager_t, sender, status_t,
 	private_socket_manager_t *this, packet_t *packet)
 {
-	socket_t *socket;
 	status_t status;
-
 	this->lock->read_lock(this->lock);
-	if (this->sockets->get_first(this->sockets, (void**)&socket) != SUCCESS)
+	if (!this->socket)
 	{
 		DBG1(DBG_NET, "no socket implementation registered, sending failed");
 		this->lock->unlock(this->lock);
 		return NOT_SUPPORTED;
 	}
-	status = socket->send(socket, packet);
+	status = this->socket->send(this->socket, packet);
 	this->lock->unlock(this->lock);
 	return status;
 }
 
+static void create_socket(private_socket_manager_t *this)
+{
+	socket_constructor_t create;
+	/* remove constructors in order to avoid trying to create broken ones
+	 * multiple times */
+	while (this->sockets->remove_first(this->sockets,
+									   (void**)&create) == SUCCESS)
+	{
+		this->socket = create();
+		if (this->socket)
+		{
+			this->create = create;
+			break;
+		}
+	}
+}
+
 METHOD(socket_manager_t, add_socket, void,
-	private_socket_manager_t *this, socket_t *socket)
+	private_socket_manager_t *this, socket_constructor_t create)
 {
 	this->lock->write_lock(this->lock);
-	this->sockets->insert_last(this->sockets, socket);
+	this->sockets->insert_last(this->sockets, create);
+	if (!this->socket)
+	{
+		create_socket(this);
+	}
 	this->lock->unlock(this->lock);
 }
 
 METHOD(socket_manager_t, remove_socket, void,
-	private_socket_manager_t *this, socket_t *socket)
+	private_socket_manager_t *this, socket_constructor_t create)
 {
 	this->lock->write_lock(this->lock);
-	this->sockets->remove(this->sockets, socket, NULL);
+	this->sockets->remove(this->sockets, create, NULL);
+	if (this->create == create)
+	{
+		this->socket->destroy(this->socket);
+		this->socket = NULL;
+		this->create = NULL;
+		create_socket(this);
+	}
 	this->lock->unlock(this->lock);
 }
 
 METHOD(socket_manager_t, destroy, void,
 	private_socket_manager_t *this)
 {
+	DESTROY_IF(this->socket);
 	this->sockets->destroy(this->sockets);
 	this->lock->destroy(this->lock);
 	free(this);
diff --git a/src/libcharon/network/socket_manager.h b/src/libcharon/network/socket_manager.h
index b33d5c71c..94185d21c 100644
--- a/src/libcharon/network/socket_manager.h
+++ b/src/libcharon/network/socket_manager.h
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -51,14 +53,18 @@ struct socket_manager_t {
 	status_t (*send) (socket_manager_t *this, packet_t *packet);
 
 	/**
-	 * Register a socket implementation.
+	 * Register a socket constructor.
+	 *
+	 * @param create		constructor for the socket
 	 */
-	void (*add_socket)(socket_manager_t *this, socket_t *socket);
+	void (*add_socket)(socket_manager_t *this, socket_constructor_t create);
 
 	/**
-	 * Unregister a registered socket implementation.
+	 * Unregister a registered socket constructor.
+	 *
+	 * @param create		constructor for the socket
 	 */
-	void (*remove_socket)(socket_manager_t *this, socket_t *socket);
+	void (*remove_socket)(socket_manager_t *this, socket_constructor_t create);
 
 	/**
 	 * Destroy a socket_manager_t.
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 4cb047929..426d1a689 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.c b/src/libcharon/plugins/addrblock/addrblock_plugin.c
index 1c407035d..5fdb36c5c 100644
--- a/src/libcharon/plugins/addrblock/addrblock_plugin.c
+++ b/src/libcharon/plugins/addrblock/addrblock_plugin.c
@@ -61,7 +61,11 @@ plugin_t *addrblock_plugin_create()
 	private_addrblock_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.validator = addrblock_validator_create(),
 		.narrower = addrblock_narrow_create(),
 	);
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in
index 6e4903ee1..d80868798 100644
--- a/src/libcharon/plugins/android/Makefile.in
+++ b/src/libcharon/plugins/android/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c
index e2c8572ef..3d82d8f60 100644
--- a/src/libcharon/plugins/android/android_plugin.c
+++ b/src/libcharon/plugins/android/android_plugin.c
@@ -79,8 +79,10 @@ plugin_t *android_plugin_create()
 	private_android_plugin_t *this;
 
 	INIT(this,
-		.public.plugin = {
-			.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
 		},
 		.logger = android_logger_create(),
 		.handler = android_handler_create(),
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
index 538c4a9a2..f9a8e1ea1 100644
--- a/src/libcharon/plugins/android/android_service.c
+++ b/src/libcharon/plugins/android/android_service.c
@@ -141,7 +141,7 @@ METHOD(listener_t, child_updown, bool,
 			 * callback, but from a different thread. we also delay it to avoid
 			 * a race condition during a regular shutdown */
 			job = callback_job_create(shutdown_callback, NULL, NULL, NULL);
-			charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, 1);
+			lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, 1);
 			return FALSE;
 		}
 	}
@@ -378,7 +378,7 @@ android_service_t *android_service_create(android_creds_t *creds)
 	charon->bus->add_listener(charon->bus, &this->public.listener);
 	this->job = callback_job_create((callback_job_cb_t)initiate, this,
 									NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index b34654fb7..e843c42e8 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index 829fd6356..fccc99ba5 100644
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -62,7 +62,11 @@ plugin_t *dhcp_plugin_create()
 	private_dhcp_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.socket = dhcp_socket_create(),
 	);
 
diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
index f61b3a60e..e1e83d648 100644
--- a/src/libcharon/plugins/dhcp/dhcp_socket.c
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -31,6 +31,7 @@
 #include <threading/condvar.h>
 #include <threading/thread.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 
@@ -205,8 +206,8 @@ static int prepare_dhcp(private_dhcp_socket_t *this,
 	else
 	{
 		/* act as relay agent */
-		src = charon->kernel_interface->get_source_addr(
-									charon->kernel_interface, this->dst, NULL);
+		src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+													   this->dst, NULL);
 		if (src)
 		{
 			memcpy(&dhcp->gateway_address, src->get_address(src).ptr,
@@ -462,8 +463,6 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 
 	offer = host_create_from_chunk(AF_INET,
 					chunk_from_thing(dhcp->your_address), 0);
-	server = host_create_from_chunk(AF_INET,
-					chunk_from_thing(dhcp->server_address), DHCP_SERVER_PORT);
 
 	this->mutex->lock(this->mutex);
 	enumerator = this->discover->create_enumerator(this->discover);
@@ -471,11 +470,8 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 	{
 		if (transaction->get_id(transaction) == dhcp->transaction_id)
 		{
-			DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server);
 			this->discover->remove_at(this->discover, enumerator);
 			this->request->insert_last(this->request, transaction);
-			transaction->set_address(transaction, offer->clone(offer));
-			transaction->set_server(transaction, server->clone(server));
 			break;
 		}
 	}
@@ -504,9 +500,22 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 						chunk_create((char*)&option->data[pos], 4));
 				}
 			}
+			if (option->type == DHCP_SERVER_ID && option->len == 4)
+			{
+				server = host_create_from_chunk(AF_INET,
+							chunk_create(option->data, 4), DHCP_SERVER_PORT);
+			}
 			optlen -= optsize;
 			optpos += optsize;
 		}
+		if (!server)
+		{
+			server = host_create_from_chunk(AF_INET,
+				chunk_from_thing(dhcp->server_address), DHCP_SERVER_PORT);
+		}
+		DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server);
+		transaction->set_address(transaction, offer->clone(offer));
+		transaction->set_server(transaction, server->clone(server));
 	}
 	this->mutex->unlock(this->mutex);
 	this->condvar->broadcast(this->condvar);
@@ -751,7 +760,7 @@ dhcp_socket_t *dhcp_socket_create()
 
 	this->job = callback_job_create((callback_job_cb_t)receive_dhcp,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 14bf3f15d..c0750786d 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index b41b59616..41f69546e 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -200,14 +203,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -247,7 +260,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 57952f621..02d659197 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index d78957438..46011694a 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_identity/eap_identity.c b/src/libcharon/plugins/eap_identity/eap_identity.c
index ab082a955..03066b2f8 100644
--- a/src/libcharon/plugins/eap_identity/eap_identity.c
+++ b/src/libcharon/plugins/eap_identity/eap_identity.c
@@ -59,11 +59,8 @@ struct eap_identity_header_t {
 	u_int8_t data[];
 } __attribute__((__packed__));
 
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t process_peer(private_eap_identity_t *this,
-							 eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process_peer, status_t,
+	private_eap_identity_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 	chunk_t id;
 	eap_identity_header_t *hdr;
@@ -74,7 +71,7 @@ static status_t process_peer(private_eap_identity_t *this,
 
 	hdr = alloca(len);
 	hdr->code = EAP_RESPONSE;
-	hdr->identifier = in->get_identifier(in);
+	hdr->identifier = in ? in->get_identifier(in) : 0;
 	hdr->length = htons(len);
 	hdr->type = EAP_IDENTITY;
 	memcpy(hdr->data, id.ptr, id.len);
@@ -83,20 +80,15 @@ static status_t process_peer(private_eap_identity_t *this,
 	return SUCCESS;
 }
 
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t initiate_peer(private_eap_identity_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_peer, status_t,
+	private_eap_identity_t *this, eap_payload_t **out)
 {
 	/* peer never initiates */
 	return FAILED;
 }
 
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t process_server(private_eap_identity_t *this,
-							   eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process_server, status_t,
+	private_eap_identity_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 	chunk_t data;
 
@@ -108,10 +100,8 @@ static status_t process_server(private_eap_identity_t *this,
 	return SUCCESS;
 }
 
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_server, status_t,
+	private_eap_identity_t *this, eap_payload_t **out)
 {
 	eap_identity_header_t hdr;
 
@@ -125,19 +115,15 @@ static status_t initiate_server(private_eap_identity_t *this, eap_payload_t **ou
 	return NEED_MORE;
 }
 
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_identity_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_identity_t *this, u_int32_t *vendor)
 {
 	*vendor = 0;
 	return EAP_IDENTITY;
 }
 
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_identity_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_identity_t *this, chunk_t *msk)
 {
 	if (this->identity.ptr)
 	{
@@ -147,56 +133,42 @@ static status_t get_msk(private_eap_identity_t *this, chunk_t *msk)
 	return FAILED;
 }
 
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_identity_t *this)
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_identity_t *this)
 {
 	return FALSE;
 }
 
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_identity_t *this)
+METHOD(eap_method_t, destroy, void,
+	private_eap_identity_t *this)
 {
 	this->peer->destroy(this->peer);
 	free(this->identity.ptr);
 	free(this);
 }
 
-/**
- * Generic constructor
- */
-static private_eap_identity_t *eap_identity_create(identification_t *server,
-												   identification_t *peer)
-{
-	private_eap_identity_t *this = malloc_thing(private_eap_identity_t);
-
-	this->public.eap_method_interface.initiate = NULL;
-	this->public.eap_method_interface.process = NULL;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	this->peer = peer->clone(peer);
-	this->identity = chunk_empty;
-
-	return this;
-}
-
 /*
  * Described in header.
  */
 eap_identity_t *eap_identity_create_peer(identification_t *server,
 										 identification_t *peer)
 {
-	private_eap_identity_t *this = eap_identity_create(server, peer);
-
-	/* public functions */
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
+	private_eap_identity_t *this;
+
+	INIT(this,
+		.public =  {
+			.eap_method = {
+				.initiate = _initiate_peer,
+				.process = _process_peer,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+		.identity = chunk_empty,
+	);
 
 	return &this->public;
 }
@@ -207,11 +179,22 @@ eap_identity_t *eap_identity_create_peer(identification_t *server,
 eap_identity_t *eap_identity_create_server(identification_t *server,
 										   identification_t *peer)
 {
-	private_eap_identity_t *this = eap_identity_create(server, peer);
-
-	/* public functions */
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
+	private_eap_identity_t *this;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate_server,
+				.process = _process_server,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+		.identity = chunk_empty,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_identity/eap_identity.h b/src/libcharon/plugins/eap_identity/eap_identity.h
index 7364a8bda..9a7f28574 100644
--- a/src/libcharon/plugins/eap_identity/eap_identity.h
+++ b/src/libcharon/plugins/eap_identity/eap_identity.h
@@ -33,7 +33,7 @@ struct eap_identity_t {
 	/**
 	 * Implemented eap_method_t interface.
 	 */
-	eap_method_t eap_method_interface;
+	eap_method_t eap_method;
 };
 
 /**
diff --git a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
index 082997154..079c27909 100644
--- a/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
+++ b/src/libcharon/plugins/eap_identity/eap_identity_plugin.c
@@ -14,15 +14,12 @@
  */
 
 #include "eap_identity_plugin.h"
-
 #include "eap_identity.h"
 
 #include <daemon.h>
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_identity_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	eap_identity_plugin_t *this)
 {
 	charon->eap->remove_method(charon->eap,
 							   (eap_constructor_t)eap_identity_create_server);
@@ -36,9 +33,13 @@ static void destroy(eap_identity_plugin_t *this)
  */
 plugin_t *eap_identity_plugin_create()
 {
-	eap_identity_plugin_t *this = malloc_thing(eap_identity_plugin_t);
+	eap_identity_plugin_t *this;
 
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
 
 	charon->eap->add_method(charon->eap, EAP_IDENTITY, 0, EAP_SERVER,
 							(eap_constructor_t)eap_identity_create_server);
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 5bfc59fa4..2e307147f 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
index 3554ae12e..f70754abb 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5.c
+++ b/src/libcharon/plugins/eap_md5/eap_md5.c
@@ -47,7 +47,7 @@ struct private_eap_md5_t {
 	chunk_t challenge;
 
 	/**
-	 * EAP message identififier
+	 * EAP message identifier
 	 */
 	u_int8_t identifier;
 };
@@ -105,19 +105,15 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response,
 	return SUCCESS;
 }
 
-/**
- * Implementation of eap_method_t.initiate for the peer
- */
-static status_t initiate_peer(private_eap_md5_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_peer, status_t,
+	private_eap_md5_t *this, eap_payload_t **out)
 {
 	/* peer never initiates */
 	return FAILED;
 }
 
-/**
- * Implementation of eap_method_t.initiate for the server
- */
-static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
+METHOD(eap_method_t, initiate_server, status_t,
+	private_eap_md5_t *this, eap_payload_t **out)
 {
 	rng_t *rng;
 	eap_md5_header_t *req;
@@ -142,11 +138,8 @@ static status_t initiate_server(private_eap_md5_t *this, eap_payload_t **out)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of eap_method_t.process for the peer
- */
-static status_t process_peer(private_eap_md5_t *this,
-							 eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process_peer, status_t,
+	private_eap_md5_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 	chunk_t response;
 	chunk_t data;
@@ -177,11 +170,8 @@ static status_t process_peer(private_eap_md5_t *this,
 	return NEED_MORE;
 }
 
-/**
- * Implementation of eap_method_t.process for the server
- */
-static status_t process_server(private_eap_md5_t *this,
-							   eap_payload_t *in, eap_payload_t **out)
+METHOD(eap_method_t, process_server, status_t,
+	private_eap_md5_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 	chunk_t response, expected;
 	chunk_t data;
@@ -209,35 +199,27 @@ static status_t process_server(private_eap_md5_t *this,
 	return SUCCESS;
 }
 
-/**
- * Implementation of eap_method_t.get_type.
- */
-static eap_type_t get_type(private_eap_md5_t *this, u_int32_t *vendor)
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_md5_t *this, u_int32_t *vendor)
 {
 	*vendor = 0;
 	return EAP_MD5;
 }
 
-/**
- * Implementation of eap_method_t.get_msk.
- */
-static status_t get_msk(private_eap_md5_t *this, chunk_t *msk)
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_md5_t *this, chunk_t *msk)
 {
 	return FAILED;
 }
 
-/**
- * Implementation of eap_method_t.is_mutual.
- */
-static bool is_mutual(private_eap_md5_t *this)
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_md5_t *this)
 {
 	return FALSE;
 }
 
-/**
- * Implementation of eap_method_t.destroy.
- */
-static void destroy(private_eap_md5_t *this)
+METHOD(eap_method_t, destroy, void,
+	private_eap_md5_t *this)
 {
 	this->peer->destroy(this->peer);
 	this->server->destroy(this->server);
@@ -245,39 +227,27 @@ static void destroy(private_eap_md5_t *this)
 	free(this);
 }
 
-/**
- * Generic constructor
- */
-static private_eap_md5_t *eap_md5_create_generic(identification_t *server,
-												 identification_t *peer)
-{
-	private_eap_md5_t *this = malloc_thing(private_eap_md5_t);
-
-	this->public.eap_method_interface.initiate = NULL;
-	this->public.eap_method_interface.process = NULL;
-	this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
-	this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
-	this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
-	this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
-
-	/* private data */
-	this->peer = peer->clone(peer);
-	this->server = server->clone(server);
-	this->challenge = chunk_empty;
-	this->identifier = 0;
-
-	return this;
-}
-
 /*
- * see header
+ * See header
  */
 eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *peer)
 {
-	private_eap_md5_t *this = eap_md5_create_generic(server, peer);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_server;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_server;
+	private_eap_md5_t *this;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate_server,
+				.process = _process_server,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+		.server = server->clone(server),
+	);
 
 	/* generate a non-zero identifier */
 	do {
@@ -288,14 +258,26 @@ eap_md5_t *eap_md5_create_server(identification_t *server, identification_t *pee
 }
 
 /*
- * see header
+ * See header
  */
 eap_md5_t *eap_md5_create_peer(identification_t *server, identification_t *peer)
 {
-	private_eap_md5_t *this = eap_md5_create_generic(server, peer);
-
-	this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate_peer;
-	this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process_peer;
+	private_eap_md5_t *this;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate_peer,
+				.process = _process_peer,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+		.peer = peer->clone(peer),
+		.server = server->clone(server),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.h b/src/libcharon/plugins/eap_md5/eap_md5.h
index 3cff0dd79..c6687149a 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5.h
+++ b/src/libcharon/plugins/eap_md5/eap_md5.h
@@ -33,7 +33,7 @@ struct eap_md5_t {
 	/**
 	 * Implemented eap_method_t interface.
 	 */
-	eap_method_t eap_method_interface;
+	eap_method_t eap_method;
 };
 
 /**
diff --git a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
index e716dc6e8..39a6f5731 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
+++ b/src/libcharon/plugins/eap_md5/eap_md5_plugin.c
@@ -14,15 +14,12 @@
  */
 
 #include "eap_md5_plugin.h"
-
 #include "eap_md5.h"
 
 #include <daemon.h>
 
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(eap_md5_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	eap_md5_plugin_t *this)
 {
 	charon->eap->remove_method(charon->eap,
 							   (eap_constructor_t)eap_md5_create_server);
@@ -36,9 +33,13 @@ static void destroy(eap_md5_plugin_t *this)
  */
 plugin_t *eap_md5_plugin_create()
 {
-	eap_md5_plugin_t *this = malloc_thing(eap_md5_plugin_t);
+	eap_md5_plugin_t *this;
 
-	this->plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
 
 	charon->eap->add_method(charon->eap, EAP_MD5, 0, EAP_SERVER,
 							(eap_constructor_t)eap_md5_create_server);
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index d61cc9e5d..635cfe6ec 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index 3cd8d994c..4f39c8608 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -818,7 +818,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 	eap_mschapv2_header_t *eap;
 	chunk_t data;
 	char *message, *token, *msg = NULL;
-	int message_len, error = 0, retryable;
+	int message_len, error = 0, retriable;
 	chunk_t challenge = chunk_empty;
 
 	data = in->get_data(in);
@@ -847,7 +847,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 		else if (strneq(token, "R=", 2))
 		{
 			token += 2;
-			retryable = atoi(token);
+			retriable = atoi(token);
 		}
 		else if (strneq(token, "C=", 2))
 		{
@@ -880,17 +880,17 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 		 mschapv2_error_names, error, sanitize(msg));
 
 	/**
-	 * at this point, if the error is retryable, we MAY retry the authentication
+	 * at this point, if the error is retriable, we MAY retry the authentication
 	 * or MAY send a Change Password packet.
 	 *
-	 * if the error is not retryable (or if we do neither of the above), we
+	 * if the error is not retriable (or if we do neither of the above), we
 	 * SHOULD send a Failure Response packet.
 	 * windows clients don't do that, and since windows server 2008 r2 behaves
 	 * pretty odd if we do send a Failure Response, we just don't send one
 	 * either. windows 7 actually sends a delete notify (which, according to the
 	 * logs, results in an error on windows server 2008 r2).
 	 *
-	 * btw, windows server 2008 r2 does not send non-retryable errors for e.g.
+	 * btw, windows server 2008 r2 does not send non-retriable errors for e.g.
 	 * a disabled account but returns the windows error code in a notify payload
 	 * of type 12345.
 	 */
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index bb372d13c..1d771d9a4 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -200,14 +203,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -247,7 +260,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 65b868bc6..157034fe5 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -20,6 +20,8 @@
 
 #include <daemon.h>
 
+#define TUNNEL_TYPE_ESP		9
+
 typedef struct private_eap_radius_t private_eap_radius_t;
 
 /**
@@ -71,6 +73,11 @@ struct private_eap_radius_t {
 	 * Handle the Class attribute as group membership information?
 	 */
 	bool class_group;
+
+	/**
+	 * Handle the Filter-Id attribute as IPsec CHILD_SA name?
+	 */
+	bool filter_id;
 };
 
 /**
@@ -211,6 +218,62 @@ static void process_class(private_eap_radius_t *this, radius_message_t *msg)
 	enumerator->destroy(enumerator);
 }
 
+/**
+ * Handle the Filter-Id attribute as IPsec CHILD_SA name
+ */
+static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg)
+{
+	enumerator_t *enumerator;
+	int type;
+	u_int8_t tunnel_tag;
+	u_int32_t tunnel_type;
+	chunk_t filter_id = chunk_empty, data;
+	bool is_esp_tunnel = FALSE;
+
+	enumerator = msg->create_enumerator(msg);
+	while (enumerator->enumerate(enumerator, &type, &data))
+	{
+		switch (type)
+		{
+			case RAT_TUNNEL_TYPE:
+				if (data.len != 4)
+				{
+					continue;
+				}
+				tunnel_tag = *data.ptr;
+				*data.ptr = 0x00;
+				tunnel_type = untoh32(data.ptr);
+				DBG1(DBG_IKE, "received RADIUS attribute Tunnel-Type: "
+							  "tag = %u, value = %u", tunnel_tag, tunnel_type);
+				is_esp_tunnel = (tunnel_type == TUNNEL_TYPE_ESP);
+				break;
+			case RAT_FILTER_ID:
+				filter_id = data;
+				DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: "
+							  "'%.*s'", filter_id.len, filter_id.ptr);
+				break;
+			default:
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	if (is_esp_tunnel && filter_id.len)
+	{
+		identification_t *id;
+		ike_sa_t *ike_sa;
+		auth_cfg_t *auth;
+
+		ike_sa = charon->bus->get_sa(charon->bus);
+		if (ike_sa)
+		{
+			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+			id = identification_create_from_data(filter_id);
+			auth->add(auth, AUTH_RULE_GROUP, id);
+		}
+	}
+}
+
 METHOD(eap_method_t, process, status_t,
 	private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
 {
@@ -247,12 +310,17 @@ METHOD(eap_method_t, process, status_t,
 				{
 					process_class(this, response);
 				}
+				if (this->filter_id)
+				{
+					process_filter_id(this, response);
+				}
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
+					 this->peer);
 				status = SUCCESS;
 				break;
 			case RMC_ACCESS_REJECT:
 			default:
-				DBG1(DBG_CFG, "received %N from RADIUS server",
-					 radius_message_code_names, response->get_code(response));
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer);
 				status = FAILED;
 				break;
 		}
@@ -313,13 +381,15 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 	private_eap_radius_t *this;
 
 	INIT(this,
-		.public.eap_method_interface = {
-			.initiate = _initiate,
-			.process = _process,
-			.get_type = _get_type,
-			.is_mutual = _is_mutual,
-			.get_msk = _get_msk,
-			.destroy = _destroy,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
 		},
 		/* initially EAP_RADIUS, but is set to the method selected by RADIUS */
 		.type = EAP_RADIUS,
@@ -329,6 +399,9 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
 								"charon.plugins.eap-radius.id_prefix", ""),
 		.class_group = lib->settings->get_bool(lib->settings,
 								"charon.plugins.eap-radius.class_group", FALSE),
+		.filter_id = lib->settings->get_bool(lib->settings,
+								"charon.plugins.eap-radius.filter_id", FALSE),
+
 	);
 	this->client = radius_client_create();
 	if (!this->client)
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.h b/src/libcharon/plugins/eap_radius/eap_radius.h
index 8eb9e8c2d..e98cb06e3 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius.h
@@ -33,7 +33,7 @@ struct eap_radius_t {
 	/**
 	 * Implemented eap_method_t interface.
 	 */
-	eap_method_t eap_method_interface;
+	eap_method_t eap_method;
 };
 
 /**
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 91aae2f62..1c24d77d5 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -151,7 +151,11 @@ plugin_t *eap_radius_plugin_create()
 	private_eap_radius_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.servers = linked_list_create(),
 	);
 
diff --git a/src/libcharon/plugins/eap_radius/radius_server.h b/src/libcharon/plugins/eap_radius/radius_server.h
index b820cb583..ba4c94619 100644
--- a/src/libcharon/plugins/eap_radius/radius_server.h
+++ b/src/libcharon/plugins/eap_radius/radius_server.h
@@ -79,6 +79,7 @@ struct radius_server_t {
  * @param server			server address
  * @param port				server port
  * @param nas_identifier	NAS-Identifier to use with this server
+ * @param secret			secret to use with this server
  * @param sockets			number of sockets to create in pool
  * @param preference		preference boost for this server
  */
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index d0f44e925..d05930bbd 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 2aa0ac832..46a584265 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -200,14 +203,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -247,7 +260,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 7d80f8019..2d8556a59 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -170,6 +171,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -201,14 +204,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -223,24 +229,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -248,7 +261,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index fc26f4497..e59015f82 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -200,14 +203,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -247,7 +260,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index f2e82df0a..3c66d2f36 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
index 0f5319792..1cc5352d8 100644
--- a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c
@@ -85,8 +85,10 @@ plugin_t *eap_simaka_sql_plugin_create()
 							"charon.plugins.eap-simaka-sql.remove_used", FALSE);
 
 	INIT(this,
-		.public.plugin =  {
-			.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
 		},
 		.db = db,
 		.provider = eap_simaka_sql_provider_create(db, remove_used),
diff --git a/src/libcharon/plugins/eap_tls/Makefile.am b/src/libcharon/plugins/eap_tls/Makefile.am
new file mode 100644
index 000000000..29ddd822b
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-tls.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-tls.la
+libstrongswan_eap_tls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_eap_tls_la_SOURCES = \
+	eap_tls_plugin.h eap_tls_plugin.c eap_tls.h eap_tls.c
+
+libstrongswan_eap_tls_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
new file mode 100644
index 000000000..e4b78faf8
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -0,0 +1,605 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_tls
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+@MONOLITHIC_FALSE@libstrongswan_eap_tls_la_DEPENDENCIES =  \
+@MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la
+am_libstrongswan_eap_tls_la_OBJECTS = eap_tls_plugin.lo eap_tls.lo
+libstrongswan_eap_tls_la_OBJECTS =  \
+	$(am_libstrongswan_eap_tls_la_OBJECTS)
+libstrongswan_eap_tls_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_tls_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_tls_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_tls_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_tls_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_tls_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tls.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tls.la
+@MONOLITHIC_FALSE@libstrongswan_eap_tls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libstrongswan_eap_tls_la_SOURCES = \
+	eap_tls_plugin.h eap_tls_plugin.c eap_tls.h eap_tls.c
+
+libstrongswan_eap_tls_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tls/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tls/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-tls.la: $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_DEPENDENCIES) 
+	$(libstrongswan_eap_tls_la_LINK) $(am_libstrongswan_eap_tls_la_rpath) $(libstrongswan_eap_tls_la_OBJECTS) $(libstrongswan_eap_tls_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tls_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
new file mode 100644
index 000000000..efe72c437
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tls.h"
+
+#include <tls_eap.h>
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_tls_t private_eap_tls_t;
+
+/**
+ * Private data of an eap_tls_t object.
+ */
+struct private_eap_tls_t {
+
+	/**
+	 * Public interface.
+	 */
+	eap_tls_t public;
+
+	/**
+	 * TLS stack, wrapped by EAP helper
+	 */
+	tls_eap_t *tls_eap;
+};
+
+/** Maximum number of EAP-TLS messages/fragments allowed */
+#define MAX_MESSAGE_COUNT 32 
+/** Default size of a EAP-TLS fragment */
+#define MAX_FRAGMENT_LEN 1024
+
+METHOD(eap_method_t, initiate, status_t,
+	private_eap_tls_t *this, eap_payload_t **out)
+{
+	chunk_t data;
+
+	if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, process, status_t,
+	private_eap_tls_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+	status_t status;
+	chunk_t data;
+
+	data = in->get_data(in);
+	status = this->tls_eap->process(this->tls_eap, data, &data);
+	if (status == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+	}
+	return status;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_tls_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_TLS;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_tls_t *this, chunk_t *msk)
+{
+	*msk = this->tls_eap->get_msk(this->tls_eap);
+	if (msk->len)
+	{
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_tls_t *this)
+{
+	return TRUE;
+}
+
+METHOD(eap_method_t, destroy, void,
+	private_eap_tls_t *this)
+{
+	this->tls_eap->destroy(this->tls_eap);
+	free(this);
+}
+
+/**
+ * Generic private constructor
+ */
+static eap_tls_t *eap_tls_create(identification_t *server,
+								 identification_t *peer, bool is_server)
+{
+	private_eap_tls_t *this;
+	size_t frag_size;
+	int max_msg_count;
+	tls_t *tls;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	frag_size = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);
+	max_msg_count = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT);
+	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL);
+	this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count);
+	if (!this->tls_eap)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+eap_tls_t *eap_tls_create_server(identification_t *server,
+								 identification_t *peer)
+{
+	return eap_tls_create(server, peer, TRUE);
+}
+
+eap_tls_t *eap_tls_create_peer(identification_t *server,
+							   identification_t *peer)
+{
+	return eap_tls_create(server, peer, FALSE);
+}
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.h b/src/libcharon/plugins/eap_tls/eap_tls.h
new file mode 100644
index 000000000..7e080230a
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/eap_tls.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tls_i eap_tls
+ * @{ @ingroup eap_tls
+ */
+
+#ifndef EAP_TLS_H_
+#define EAP_TLS_H_
+
+typedef struct eap_tls_t eap_tls_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of eap_method_t using EAP-TLS.
+ */
+struct eap_tls_t {
+
+	/**
+	 * Implements eap_method_t interface.
+	 */
+	eap_method_t eap_method;
+};
+
+/**
+ * Creates the EAP method EAP-TLS acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_tls_t object
+ */
+eap_tls_t *eap_tls_create_server(identification_t *server,
+								 identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-TLS acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_tls_t object
+ */
+eap_tls_t *eap_tls_create_peer(identification_t *server,
+							   identification_t *peer);
+
+#endif /** EAP_TLS_H_ @}*/
diff --git a/src/libcharon/plugins/eap_tls/eap_tls_plugin.c b/src/libcharon/plugins/eap_tls/eap_tls_plugin.c
new file mode 100644
index 000000000..a7c040bf4
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tls_plugin.h"
+
+#include "eap_tls.h"
+
+#include <daemon.h>
+
+
+METHOD(plugin_t, destroy, void,
+	eap_tls_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_tls_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_tls_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_tls_plugin_create()
+{
+	eap_tls_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->eap->add_method(charon->eap, EAP_TLS, 0, EAP_SERVER,
+							(eap_constructor_t)eap_tls_create_server);
+	charon->eap->add_method(charon->eap, EAP_TLS, 0, EAP_PEER,
+							(eap_constructor_t)eap_tls_create_peer);
+
+	return &this->plugin;
+}
diff --git a/src/libcharon/plugins/eap_tls/eap_tls_plugin.h b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h
new file mode 100644
index 000000000..5ea719603
--- /dev/null
+++ b/src/libcharon/plugins/eap_tls/eap_tls_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tls eap_tls
+ * @ingroup cplugins
+ *
+ * @defgroup eap_tls_plugin eap_tls_plugin
+ * @{ @ingroup eap_tls
+ */
+
+#ifndef EAP_TLS_PLUGIN_H_
+#define EAP_TLS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_tls_plugin_t eap_tls_plugin_t;
+
+/**
+ * EAP-TLS plugin
+ */
+struct eap_tls_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_tls_plugin instance.
+ */
+plugin_t *eap_tls_plugin_create();
+
+#endif /** EAP_TLS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.am b/src/libcharon/plugins/eap_tnc/Makefile.am
new file mode 100644
index 000000000..9c5a445c5
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/Makefile.am
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-tnc.la
+libstrongswan_eap_tnc_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_eap_tnc_la_SOURCES = \
+	eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c
+
+libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
new file mode 100644
index 000000000..fb7108a8a
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -0,0 +1,605 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_tnc
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+@MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_DEPENDENCIES =  \
+@MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la
+am_libstrongswan_eap_tnc_la_OBJECTS = eap_tnc_plugin.lo eap_tnc.lo
+libstrongswan_eap_tnc_la_OBJECTS =  \
+	$(am_libstrongswan_eap_tnc_la_OBJECTS)
+libstrongswan_eap_tnc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_eap_tnc_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_tnc_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_tnc_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_tnc_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_tnc_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-tnc.la
+@MONOLITHIC_FALSE@libstrongswan_eap_tnc_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libstrongswan_eap_tnc_la_SOURCES = \
+	eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c
+
+libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tnc/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_tnc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-tnc.la: $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_DEPENDENCIES) 
+	$(libstrongswan_eap_tnc_la_LINK) $(am_libstrongswan_eap_tnc_la_rpath) $(libstrongswan_eap_tnc_la_OBJECTS) $(libstrongswan_eap_tnc_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tnc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_tnc_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
new file mode 100644
index 000000000..f0bff0e1f
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tnc.h"
+
+#include <tls_eap.h>
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_tnc_t private_eap_tnc_t;
+
+/**
+ * Private data of an eap_tnc_t object.
+ */
+struct private_eap_tnc_t {
+
+	/**
+	 * Public authenticator_t interface.
+	 */
+	eap_tnc_t public;
+
+	/**
+	 * TLS stack, wrapped by EAP helper
+	 */
+	tls_eap_t *tls_eap;
+};
+
+
+/** Maximum number of EAP-TNC messages/fragments allowed */
+#define MAX_MESSAGE_COUNT 10 
+/** Default size of a EAP-TNC fragment */
+#define MAX_FRAGMENT_LEN 50000
+
+METHOD(eap_method_t, initiate, status_t,
+	private_eap_tnc_t *this, eap_payload_t **out)
+{
+	chunk_t data;
+
+	if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, process, status_t,
+	private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+	status_t status;
+	chunk_t data;
+
+	data = in->get_data(in);
+	status = this->tls_eap->process(this->tls_eap, data, &data);
+	if (status == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+	}
+	return status;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_tnc_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_TNC;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_tnc_t *this, chunk_t *msk)
+{
+	*msk = this->tls_eap->get_msk(this->tls_eap);
+	if (msk->len)
+	{
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_tnc_t *this)
+{
+	return FALSE;
+}
+
+METHOD(eap_method_t, destroy, void,
+	private_eap_tnc_t *this)
+{
+	this->tls_eap->destroy(this->tls_eap);
+	free(this);
+}
+
+/**
+ * Generic private constructor
+ */
+static eap_tnc_t *eap_tnc_create(identification_t *server,
+								 identification_t *peer, bool is_server)
+{
+	private_eap_tnc_t *this;
+	size_t frag_size;
+	int max_msg_count;
+	tnccs_t *tnccs;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	frag_size = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN);
+	max_msg_count = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT);
+	tnccs = charon->tnccs->create_instance(charon->tnccs, TNCCS_1_1, is_server);
+	this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size, max_msg_count);
+	if (!this->tls_eap)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+eap_tnc_t *eap_tnc_create_server(identification_t *server,
+								 identification_t *peer)
+{
+	return eap_tnc_create(server, peer, TRUE);
+}
+
+eap_tnc_t *eap_tnc_create_peer(identification_t *server,
+							   identification_t *peer)
+{
+	return eap_tnc_create(server, peer, FALSE);
+}
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.h b/src/libcharon/plugins/eap_tnc/eap_tnc.h
new file mode 100644
index 000000000..7e166fb60
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tnc_i eap_tnc
+ * @{ @ingroup eap_tnc
+ */
+
+#ifndef EAP_TNC_H_
+#define EAP_TNC_H_
+
+typedef struct eap_tnc_t eap_tnc_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of the eap_method_t interface using EAP-TNC.
+ */
+struct eap_tnc_t {
+
+	/**
+	 * Implemented eap_method_t interface.
+	 */
+	eap_method_t eap_method;
+};
+
+/**
+ * Creates the EAP method EAP-TNC acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_tnc_t object
+ */
+eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-TNC acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_tnc_t object
+ */
+eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer);
+
+#endif /** EAP_TNC_H_ @}*/
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
new file mode 100644
index 000000000..7430e4cac
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_tnc_plugin.h"
+#include "eap_tnc.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	eap_tnc_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_tnc_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_tnc_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_tnc_plugin_create()
+{
+	eap_tnc_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->eap->add_method(charon->eap, EAP_TNC, 0, EAP_SERVER,
+							(eap_constructor_t)eap_tnc_create_server);
+	charon->eap->add_method(charon->eap, EAP_TNC, 0, EAP_PEER,
+							(eap_constructor_t)eap_tnc_create_peer);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h
new file mode 100644
index 000000000..97298eb5c
--- /dev/null
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_tnc eap_tnc
+ * @ingroup cplugins
+ *
+ * @defgroup eap_tnc_plugin eap_tnc_plugin
+ * @{ @ingroup eap_tnc
+ */
+
+#ifndef EAP_TNC_PLUGIN_H_
+#define EAP_TNC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_tnc_plugin_t eap_tnc_plugin_t;
+
+/**
+ * EAP-TNC plugin
+ */
+struct eap_tnc_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** EAP_TNC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.am b/src/libcharon/plugins/eap_ttls/Makefile.am
new file mode 100644
index 000000000..94ce5cc1e
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-eap-ttls.la
+else
+plugin_LTLIBRARIES = libstrongswan-eap-ttls.la
+libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_eap_ttls_la_SOURCES = \
+	eap_ttls_plugin.h eap_ttls_plugin.c \
+	eap_ttls_avp.h eap_ttls_avp.c \
+	eap_ttls.h eap_ttls.c \
+	eap_ttls_peer.h eap_ttls_peer.c \
+	eap_ttls_server.h eap_ttls_server.c
+
+libstrongswan_eap_ttls_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
new file mode 100644
index 000000000..2cdd7701d
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -0,0 +1,615 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/eap_ttls
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+@MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_DEPENDENCIES =  \
+@MONOLITHIC_FALSE@	$(top_builddir)/src/libtls/libtls.la
+am_libstrongswan_eap_ttls_la_OBJECTS = eap_ttls_plugin.lo \
+	eap_ttls_avp.lo eap_ttls.lo eap_ttls_peer.lo \
+	eap_ttls_server.lo
+libstrongswan_eap_ttls_la_OBJECTS =  \
+	$(am_libstrongswan_eap_ttls_la_OBJECTS)
+libstrongswan_eap_ttls_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_ttls_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_eap_ttls_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_eap_ttls_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_eap_ttls_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_eap_ttls_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-ttls.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-ttls.la
+@MONOLITHIC_FALSE@libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libstrongswan_eap_ttls_la_SOURCES = \
+	eap_ttls_plugin.h eap_ttls_plugin.c \
+	eap_ttls_avp.h eap_ttls_avp.c \
+	eap_ttls.h eap_ttls.c \
+	eap_ttls_peer.h eap_ttls_peer.c \
+	eap_ttls_server.h eap_ttls_server.c
+
+libstrongswan_eap_ttls_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_ttls/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/eap_ttls/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-eap-ttls.la: $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_DEPENDENCIES) 
+	$(libstrongswan_eap_ttls_la_LINK) $(am_libstrongswan_eap_ttls_la_rpath) $(libstrongswan_eap_ttls_la_OBJECTS) $(libstrongswan_eap_ttls_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_avp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_peer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_ttls_server.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
new file mode 100644
index 000000000..a62af6ea4
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2010 Martin Willi, revosec AG
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls.h"
+#include "eap_ttls_peer.h"
+#include "eap_ttls_server.h"
+
+#include <tls_eap.h>
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_ttls_t private_eap_ttls_t;
+
+/**
+ * Private data of an eap_ttls_t object.
+ */
+struct private_eap_ttls_t {
+
+	/**
+	 * Public interface.
+	 */
+	eap_ttls_t public;
+
+	/**
+	 * TLS stack, wrapped by EAP helper
+	 */
+	tls_eap_t *tls_eap;
+};
+
+/** Maximum number of EAP-TTLS messages/fragments allowed */
+#define MAX_MESSAGE_COUNT 32
+/** Default size of a EAP-TTLS fragment */
+#define MAX_FRAGMENT_LEN 1024
+
+METHOD(eap_method_t, initiate, status_t,
+	private_eap_ttls_t *this, eap_payload_t **out)
+{
+	chunk_t data;
+
+	if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, process, status_t,
+	private_eap_ttls_t *this, eap_payload_t *in, eap_payload_t **out)
+{
+	status_t status;
+	chunk_t data;
+
+	data = in->get_data(in);
+	status = this->tls_eap->process(this->tls_eap, data, &data);
+	if (status == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+	}
+	return status;
+}
+
+METHOD(eap_method_t, get_type, eap_type_t,
+	private_eap_ttls_t *this, u_int32_t *vendor)
+{
+	*vendor = 0;
+	return EAP_TTLS;
+}
+
+METHOD(eap_method_t, get_msk, status_t,
+	private_eap_ttls_t *this, chunk_t *msk)
+{
+	*msk = this->tls_eap->get_msk(this->tls_eap);
+	if (msk->len)
+	{
+		return SUCCESS;
+	}
+	return FAILED;
+}
+
+METHOD(eap_method_t, is_mutual, bool,
+	private_eap_ttls_t *this)
+{
+	return TRUE;
+}
+
+METHOD(eap_method_t, destroy, void,
+	private_eap_ttls_t *this)
+{
+	this->tls_eap->destroy(this->tls_eap);
+	free(this);
+}
+
+/**
+ * Generic private constructor
+ */
+static eap_ttls_t *eap_ttls_create(identification_t *server,
+								   identification_t *peer, bool is_server,
+								   tls_application_t *application)
+{
+	private_eap_ttls_t *this;
+	size_t frag_size;
+	int max_msg_count;
+	tls_t *tls;
+
+	INIT(this,
+		.public = {
+			.eap_method = {
+				.initiate = _initiate,
+				.process = _process,
+				.get_type = _get_type,
+				.is_mutual = _is_mutual,
+				.get_msk = _get_msk,
+				.destroy = _destroy,
+			},
+		},
+	);
+	if (is_server && !lib->settings->get_bool(lib->settings,
+							"charon.plugins.eap-ttls.request_peer_auth", FALSE))
+	{
+		peer = NULL;
+	}
+	frag_size = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN);
+	max_msg_count = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-ttls.max_message_count", MAX_MESSAGE_COUNT);
+	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, application);
+	this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count);
+	if (!this->tls_eap)
+	{
+		application->destroy(application);
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+eap_ttls_t *eap_ttls_create_server(identification_t *server,
+						  		   identification_t *peer)
+{
+	return eap_ttls_create(server, peer, TRUE,
+						   &eap_ttls_server_create(server, peer)->application);
+}
+
+eap_ttls_t *eap_ttls_create_peer(identification_t *server,
+								 identification_t *peer)
+{
+	return eap_ttls_create(server, peer, FALSE,
+						   &eap_ttls_peer_create(server, peer)->application);
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.h b/src/libcharon/plugins/eap_ttls/eap_ttls.h
new file mode 100644
index 000000000..6e3bf2ceb
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_i eap_ttls
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_H_
+#define EAP_TTLS_H_
+
+typedef struct eap_ttls_t eap_ttls_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Implementation of eap_method_t using EAP-TTLS.
+ */
+struct eap_ttls_t {
+
+	/**
+	 * Implements eap_method_t interface.
+	 */
+	eap_method_t eap_method;
+};
+
+/**
+ * Creates the EAP method EAP-TTLS acting as server.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_ttls_t object
+ */
+eap_ttls_t *eap_ttls_create_server(identification_t *server,
+								   identification_t *peer);
+
+/**
+ * Creates the EAP method EAP-TTLS acting as peer.
+ *
+ * @param server	ID of the EAP server
+ * @param peer		ID of the EAP client
+ * @return			eap_ttls_t object
+ */
+eap_ttls_t *eap_ttls_create_peer(identification_t *server,
+								 identification_t *peer);
+
+#endif /** EAP_TTLS_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
new file mode 100644
index 000000000..0eb5e94be
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_avp.h"
+
+#include <debug.h>
+
+#define AVP_EAP_MESSAGE		79
+#define AVP_HEADER_LEN		 8
+
+typedef struct private_eap_ttls_avp_t private_eap_ttls_avp_t;
+
+/**
+ * Private data of an eap_ttls_avp_t object.
+ */
+struct private_eap_ttls_avp_t {
+
+	/**
+	 * Public eap_ttls_avp_t interface.
+	 */
+	eap_ttls_avp_t public;
+
+	/**
+	 * AVP input buffer
+	 */
+	chunk_t input;
+
+	/**
+	 * Position in input buffer
+	 */
+	size_t inpos;
+
+	/**
+	 * process header (TRUE) or body (FALSE)
+	 */
+	bool process_header;
+
+	/**
+	 * Size of AVP data
+	 */
+	size_t data_len;
+};
+
+METHOD(eap_ttls_avp_t, build, void,
+	private_eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data)
+{
+	char zero_padding[] = { 0x00, 0x00, 0x00 };
+	chunk_t   avp_padding;
+	u_int8_t  avp_flags;
+	u_int32_t avp_len;
+
+	avp_flags = 0x40;
+	avp_len = 8 + data.len;
+	avp_padding = chunk_create(zero_padding, (4 - data.len) % 4);
+
+	writer->write_uint32(writer, AVP_EAP_MESSAGE);
+	writer->write_uint8(writer, avp_flags);
+	writer->write_uint24(writer, avp_len);
+	writer->write_data(writer, data);
+	writer->write_data(writer, avp_padding);
+}
+
+METHOD(eap_ttls_avp_t, process, status_t,
+	private_eap_ttls_avp_t* this, tls_reader_t *reader, chunk_t *data)
+{
+	size_t len;
+	chunk_t buf;
+
+	if (this->process_header)
+	{
+		tls_reader_t *header;
+		u_int32_t avp_code;
+		u_int8_t  avp_flags;
+		u_int32_t avp_len;
+		bool success;
+
+		len = min(reader->remaining(reader), AVP_HEADER_LEN - this->inpos);
+		if (!reader->read_data(reader, len, &buf))
+		{
+			return FAILED;
+		}
+		if (this->input.len == 0)
+		{
+			/* start of a new AVP header */
+			this->input = chunk_alloc(AVP_HEADER_LEN);
+			memcpy(this->input.ptr, buf.ptr, len);
+			this->inpos = len;
+		}
+		else
+		{
+			memcpy(this->input.ptr + this->inpos, buf.ptr, len);
+			this->inpos += len;
+		}
+
+		if (this->inpos < AVP_HEADER_LEN)
+		{
+			return NEED_MORE;
+		}
+
+		/* parse AVP header */
+		header = tls_reader_create(this->input);
+		success = header->read_uint32(header, &avp_code) &&
+				  header->read_uint8(header, &avp_flags) &&
+				  header->read_uint24(header, &avp_len);
+		header->destroy(header);
+		chunk_free(&this->input);
+		this->inpos = 0;
+
+		if (!success)
+		{
+			DBG1(DBG_IKE, "received invalid AVP header");
+			return FAILED;
+		}
+ 		if (avp_code != AVP_EAP_MESSAGE)
+		{
+			DBG1(DBG_IKE, "expected AVP_EAP_MESSAGE but received %u", avp_code);
+			return FAILED;
+		}
+		this->process_header = FALSE;
+		this->data_len = avp_len - 8;
+		this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4);
+	}
+
+	/* process AVP data */
+	len = min(reader->remaining(reader), this->input.len - this->inpos);
+	if (!reader->read_data(reader, len, &buf))
+	{
+		return FAILED;
+	}
+	memcpy(this->input.ptr + this->inpos, buf.ptr, len);
+	this->inpos += len;
+	if (this->inpos < this->input.len)
+	{
+		return NEED_MORE;
+	}
+
+	*data = this->input;
+	data->len = this->data_len;
+
+	/* preparing for next AVP */
+	this->input = chunk_empty;
+	this->inpos = 0;
+	this->process_header = TRUE;
+
+	return SUCCESS;
+}
+
+METHOD(eap_ttls_avp_t, destroy, void,
+	private_eap_ttls_avp_t *this)
+{
+	chunk_free(&this->input);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_ttls_avp_t *eap_ttls_avp_create(void)
+{
+	private_eap_ttls_avp_t *this;
+
+	INIT(this,
+		.public= {
+			.process = _process,
+			.build = _build,
+			.destroy = _destroy,
+		},
+		.input = chunk_empty,
+		.inpos = 0,
+		.process_header = TRUE,
+		.data_len = 0,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h
new file mode 100644
index 000000000..cad1d9c56
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_avp eap_ttls_avp
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_AVP_H_
+#define EAP_TTLS_AVP_H_
+
+typedef struct eap_ttls_avp_t eap_ttls_avp_t;
+
+#include <library.h>
+
+#include <tls_reader.h>
+#include <tls_writer.h>
+
+/**
+ * EAP-TTLS Attribute-Value Pair (AVP) handler.
+ */
+struct eap_ttls_avp_t {
+
+	/**
+	 * Process received EAP-TTLS EAP Message AVP.
+	 *
+	 * @param reader	TLS data buffer
+	 * @param data		received EAP Message
+	 * @return
+	 *					- SUCCESS if AVP processing succeeded
+	 *					- FAILED if AVP processing failed
+	 *					- NEED_MORE if another invocation of process/build needed
+	 */
+	status_t (*process)(eap_ttls_avp_t *this, tls_reader_t *reader,
+						chunk_t *data);
+
+	/**
+	 * Build EAP-TTLS EAP Message AVP to send out.
+	 *
+	 * @param writer	TLS data buffer to write to
+	 * @param data		EAP Message to send
+	 */
+	void (*build)(eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data);
+
+	/**
+	 * Destroy a eap_ttls_application_t.
+	 */
+	void (*destroy)(eap_ttls_avp_t *this);
+};
+
+/**
+ * Create an eap_ttls_avp instance.
+ */
+eap_ttls_avp_t *eap_ttls_avp_create(void);
+
+#endif /** EAP_TTLS_AVP_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
new file mode 100644
index 000000000..10d08ca2a
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -0,0 +1,316 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_peer.h"
+#include "eap_ttls_avp.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t;
+
+/**
+ * Private data of an eap_ttls_peer_t object.
+ */
+struct private_eap_ttls_peer_t {
+
+	/**
+	 * Public eap_ttls_peer_t interface.
+	 */
+	eap_ttls_peer_t public;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * Current EAP-TTLS state
+	 */
+	bool start_phase2;
+
+	/**
+     * Current phase 2 EAP method
+	 */
+	eap_method_t *method;
+
+	/**
+     * Pending outbound EAP message
+	 */
+	eap_payload_t *out;
+
+	/**
+	 * AVP handler
+	 */
+	eap_ttls_avp_t *avp;
+};
+
+/**
+ * EAP packet format
+ */
+typedef struct __attribute__((packed)) {
+	u_int8_t code;
+	u_int8_t identifier;
+	u_int16_t length;
+	u_int8_t type;
+	u_int8_t data;
+} eap_packet_t;
+
+#define MAX_RADIUS_ATTRIBUTE_SIZE	253
+
+METHOD(tls_application_t, process, status_t,
+	private_eap_ttls_peer_t *this, tls_reader_t *reader)
+{
+	chunk_t avp_data = chunk_empty;
+	chunk_t eap_data = chunk_empty;
+	status_t status;
+	payload_t *payload;
+	eap_payload_t *in;
+	eap_packet_t *pkt;
+	eap_code_t code;
+	eap_type_t type, received_type;
+	u_int32_t vendor, received_vendor;
+	u_int16_t eap_len;
+	size_t eap_pos = 0;
+	bool concatenated = FALSE;
+
+	do
+	{
+		status = this->avp->process(this->avp, reader, &avp_data);
+		switch (status)
+		{
+			case SUCCESS:
+				break;
+			case NEED_MORE:
+				DBG1(DBG_IKE, "need more AVP data");
+				return NEED_MORE;
+			case FAILED:
+			default:
+				return FAILED;
+		}
+
+		if (eap_data.len == 0)
+		{
+			if (avp_data.len < 4)
+			{
+				DBG1(DBG_IKE, "AVP size to small to contain EAP header");
+				chunk_free(&avp_data);
+				return FAILED;
+			}
+			pkt = (eap_packet_t*)avp_data.ptr;
+			eap_len = untoh16(&pkt->length);
+
+			if (eap_len <= avp_data.len)
+			{
+				/* standard:  EAP packet contained in a single AVP */
+				eap_data = avp_data;
+				break;
+			}
+			else if (avp_data.len == MAX_RADIUS_ATTRIBUTE_SIZE)
+			{
+				/* non-standard: EAP packet segmented into multiple AVPs */
+				eap_data = chunk_alloc(eap_len);
+				concatenated = TRUE;
+			}
+			else
+			{
+				DBG1(DBG_IKE, "non-radius segmentation of EAP packet into AVPs");
+				chunk_free(&avp_data);
+				return FAILED;
+			}
+		}
+
+		if (avp_data.len > eap_data.len - eap_pos)
+		{
+			DBG1(DBG_IKE, "AVP size to large to fit into EAP packet");
+			chunk_free(&avp_data);
+			chunk_free(&eap_data);
+			return FAILED;
+		}
+		memcpy(eap_data.ptr + eap_pos, avp_data.ptr, avp_data.len);
+		eap_pos += avp_data.len;
+		chunk_free(&avp_data);
+	}
+	while (eap_pos < eap_data.len);
+ 		
+	in = eap_payload_create_data(eap_data);
+	chunk_free(&eap_data);
+	payload = (payload_t*)in;
+
+	if (payload->verify(payload) != SUCCESS)
+	{
+		in->destroy(in);
+		return FAILED;
+	}
+	code = in->get_code(in);
+	received_type = in->get_type(in, &received_vendor);
+	DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP%s [EAP/%N/%N]",
+							concatenated ? "s" : "",
+					   		eap_code_short_names, code,
+							eap_type_short_names, received_type);
+	if (code != EAP_REQUEST)
+	{
+		DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST);
+		in->destroy(in);
+		return FAILED;
+	}
+
+	if (this->method == NULL)
+	{
+		if (received_vendor)
+		{
+			DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
+				 received_type, received_vendor);
+		}
+		else
+		{
+			DBG1(DBG_IKE, "server requested %N authentication",
+				 eap_type_names, received_type);
+		}
+		this->method = charon->eap->create_instance(charon->eap,
+									received_type, received_vendor,
+									EAP_PEER, this->server, this->peer);
+		if (!this->method)
+		{
+			DBG1(DBG_IKE, "EAP method not supported");
+			this->out = eap_payload_create_nak(in->get_identifier(in));
+			in->destroy(in);
+			return NEED_MORE;
+		}
+	}
+
+	type = this->method->get_type(this->method, &vendor);
+
+	if (type != received_type || vendor != received_vendor)
+	{
+		DBG1(DBG_IKE, "received invalid EAP request");
+		in->destroy(in);
+		return FAILED;
+	}
+
+	status = this->method->process(this->method, in, &this->out);
+	in->destroy(in);
+
+	switch (status)
+	{
+		case SUCCESS:
+			this->method->destroy(this->method);
+			this->method = NULL;
+			return NEED_MORE;
+		case NEED_MORE:
+			if (type != EAP_TNC)
+			{
+				this->method->destroy(this->method);
+				this->method = NULL;
+			}
+			return NEED_MORE;
+		case FAILED:
+		default:
+			if (vendor)
+			{
+				DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
+							   type, vendor);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+			}
+			return FAILED;
+	}
+}
+
+METHOD(tls_application_t, build, status_t,
+	private_eap_ttls_peer_t *this, tls_writer_t *writer)
+{
+	chunk_t data;
+	eap_code_t code;
+	eap_type_t type;
+	u_int32_t vendor;
+
+	if (this->method == NULL && this->start_phase2)
+	{
+		/* generate an EAP Identity response */
+		this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
+								 0,	EAP_PEER, this->server, this->peer);
+		if (this->method == NULL)
+		{
+			DBG1(DBG_IKE, "EAP_IDENTITY method not available");
+			return FAILED;
+		}
+		this->method->process(this->method, NULL, &this->out);
+		this->method->destroy(this->method);
+		this->method = NULL;
+		this->start_phase2 = FALSE;
+	}
+
+	if (this->out)
+	{
+		code = this->out->get_code(this->out);
+		type = this->out->get_type(this->out, &vendor);
+		DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]",
+						eap_code_short_names, code, eap_type_short_names, type);
+
+		/* get the raw EAP message data */
+		data = this->out->get_data(this->out);
+		this->avp->build(this->avp, writer, data);
+
+		this->out->destroy(this->out);
+		this->out = NULL;
+	}
+	return INVALID_STATE;
+}
+
+METHOD(tls_application_t, destroy, void,
+	private_eap_ttls_peer_t *this)
+{
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	DESTROY_IF(this->method);
+	DESTROY_IF(this->out);
+	this->avp->destroy(this->avp);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server,
+									  identification_t *peer)
+{
+	private_eap_ttls_peer_t *this;
+
+	INIT(this,
+		.public = {
+			.application = {
+				.process = _process,
+				.build = _build,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.start_phase2 = TRUE,
+		.avp = eap_ttls_avp_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h
new file mode 100644
index 000000000..31fc0d9db
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_peer eap_ttls_peer
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_PEER_H_
+#define EAP_TTLS_PEER_H_
+
+typedef struct eap_ttls_peer_t eap_ttls_peer_t;
+
+#include "tls_application.h"
+
+#include <library.h>
+
+/**
+ * TLS application data handler as peer.
+ */
+struct eap_ttls_peer_t {
+
+	/**
+	 * Implements the TLS application data handler.
+	 */
+	tls_application_t application;
+};
+
+/**
+ * Create an eap_ttls_peer instance.
+ */
+eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server,
+									  identification_t *peer);
+
+#endif /** EAP_TTLS_PEER_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c
new file mode 100644
index 000000000..48e759dcc
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_plugin.h"
+
+#include "eap_ttls.h"
+
+#include <daemon.h>
+
+
+METHOD(plugin_t, destroy, void,
+	eap_ttls_plugin_t *this)
+{
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_ttls_create_server);
+	charon->eap->remove_method(charon->eap,
+							   (eap_constructor_t)eap_ttls_create_peer);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *eap_ttls_plugin_create()
+{
+	eap_ttls_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->eap->add_method(charon->eap, EAP_TTLS, 0, EAP_SERVER,
+							(eap_constructor_t)eap_ttls_create_server);
+	charon->eap->add_method(charon->eap, EAP_TTLS, 0, EAP_PEER,
+							(eap_constructor_t)eap_ttls_create_peer);
+
+	return &this->plugin;
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
new file mode 100644
index 000000000..2abc82931
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls eap_ttls
+ * @ingroup cplugins
+ *
+ * @defgroup eap_ttls_plugin eap_ttls_plugin
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_PLUGIN_H_
+#define EAP_TTLS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_ttls_plugin_t eap_ttls_plugin_t;
+
+/**
+ * EAP-TTLS plugin
+ */
+struct eap_ttls_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_ttls_plugin instance.
+ */
+plugin_t *eap_ttls_plugin_create();
+
+#endif /** EAP_TTLS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
new file mode 100644
index 000000000..835cd7306
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_server.h"
+#include "eap_ttls_avp.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
+
+/**
+ * Private data of an eap_ttls_server_t object.
+ */
+struct private_eap_ttls_server_t {
+
+	/**
+	 * Public eap_ttls_server_t interface.
+	 */
+	eap_ttls_server_t public;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * Current EAP-TTLS phase2 state
+	 */
+	bool start_phase2;
+
+	/**
+	 * Current EAP-TTLS phase2 TNC state
+	 */
+	bool start_phase2_tnc;
+
+	/**
+     * Current phase 2 EAP method
+	 */
+	eap_method_t *method;
+
+	/**
+     * Pending outbound EAP message
+	 */
+	eap_payload_t *out;
+
+	/**
+	 * AVP handler
+	 */
+	eap_ttls_avp_t *avp;
+};
+
+/**
+ * Start EAP client authentication protocol
+ */
+static status_t start_phase2_auth(private_eap_ttls_server_t *this)
+{
+	char *eap_type_str;
+	eap_type_t type;
+
+	eap_type_str = lib->settings->get_str(lib->settings,
+					 	"charon.plugins.eap-ttls.phase2_method", "md5");
+	type = eap_type_from_string(eap_type_str);
+	if (type == 0)
+	{
+		DBG1(DBG_IKE, "unrecognized phase2 method \"%s\"", eap_type_str);
+		return FAILED;
+	}
+	DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type);
+		this->method = charon->eap->create_instance(charon->eap, type, 0,
+								EAP_SERVER, this->server, this->peer);
+	if (this->method == NULL)
+	{
+		DBG1(DBG_IKE, "%N method not available", eap_type_names, type);
+		return FAILED;
+	}
+	if (this->method->initiate(this->method, &this->out) == NEED_MORE)
+	{
+		return NEED_MORE;
+	}
+	else
+	{
+		DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+			return FAILED;
+	}
+}
+
+/**
+ * If configured, start EAP-TNC protocol
+ */
+static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
+{
+	if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
+					 	"charon.plugins.eap-ttls.phase2_tnc", FALSE))
+	{
+		DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
+		this->method = charon->eap->create_instance(charon->eap, EAP_TNC,
+									0, EAP_SERVER, this->server, this->peer);
+		if (this->method == NULL)
+		{
+			DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
+			return FAILED;
+		}
+		this->start_phase2_tnc = FALSE;
+		if (this->method->initiate(this->method, &this->out) == NEED_MORE)
+		{
+			return NEED_MORE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_TNC);
+			return FAILED;
+		}
+	}
+	return SUCCESS;
+}
+
+METHOD(tls_application_t, process, status_t,
+	private_eap_ttls_server_t *this, tls_reader_t *reader)
+{
+	chunk_t data = chunk_empty;
+	status_t status;
+	payload_t *payload;
+	eap_payload_t *in;
+	eap_code_t code;
+	eap_type_t type = EAP_NAK, received_type;
+	u_int32_t vendor, received_vendor;
+
+	status = this->avp->process(this->avp, reader, &data);
+	switch (status)
+	{
+		case SUCCESS:
+			break;
+		case NEED_MORE:
+			return NEED_MORE;
+		case FAILED:
+		default:
+			return FAILED;
+	}
+	in = eap_payload_create_data(data);
+	chunk_free(&data);
+	payload = (payload_t*)in;
+
+	if (payload->verify(payload) != SUCCESS)
+	{
+		in->destroy(in);
+		return FAILED;
+	}
+	code = in->get_code(in);
+	received_type = in->get_type(in, &received_vendor);
+	DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]",
+					   		eap_code_short_names, code,
+							eap_type_short_names, received_type);
+	if (code != EAP_RESPONSE)
+	{
+		DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_RESPONSE);
+		in->destroy(in);
+		return FAILED;
+	}
+
+	if (this->method)
+	{
+		type = this->method->get_type(this->method, &vendor);
+
+		if (type != received_type || vendor != received_vendor)
+		{
+			if (received_vendor == 0 && received_type == EAP_NAK)
+			{
+				DBG1(DBG_IKE, "peer does not support %N", eap_type_names, type);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "received invalid EAP response");
+			}
+			in->destroy(in);
+			return FAILED;
+		}
+	}
+
+	if (!received_vendor && received_type == EAP_IDENTITY)
+	{
+		chunk_t eap_id;
+
+		if (this->method == NULL)
+		{
+			/* Received an EAP Identity response without a matching request */
+			this->method = charon->eap->create_instance(charon->eap,
+											 EAP_IDENTITY, 0, EAP_SERVER,
+											 this->server, this->peer);
+			if (this->method == NULL)
+			{
+				DBG1(DBG_IKE, "%N method not available",
+							   eap_type_names, EAP_IDENTITY);
+				return FAILED;
+			}
+		}
+
+		if (this->method->process(this->method, in, &this->out) != SUCCESS)
+		{
+
+			DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_IDENTITY);
+			return FAILED;
+		}
+
+		if (this->method->get_msk(this->method, &eap_id) == SUCCESS)
+		{
+			this->peer->destroy(this->peer);
+			this->peer = identification_create_from_data(eap_id);
+			DBG1(DBG_IKE, "received EAP identity '%Y'", this->peer);
+		}
+
+		in->destroy(in);
+		this->method->destroy(this->method);
+		this->method = NULL;
+
+		/* Start Phase 2 of EAP-TTLS authentication */
+		if (lib->settings->get_bool(lib->settings,
+					 	"charon.plugins.eap-ttls.request_peer_auth", FALSE))
+		{
+			return start_phase2_tnc(this);
+		}
+		else
+		{
+			return start_phase2_auth(this);
+		}
+	}
+
+	if (this->method == 0)
+	{
+		DBG1(DBG_IKE, "no %N phase2 method installed", eap_type_names, EAP_TTLS);
+		in->destroy(in);
+		return FAILED;
+	}
+
+	status = this->method->process(this->method, in, &this->out);
+	in->destroy(in);
+
+	switch (status)
+	{
+		case SUCCESS:
+			DBG1(DBG_IKE, "%N phase2 authentication of '%Y' with %N successful",
+							eap_type_names, EAP_TTLS, this->peer,
+							eap_type_names, type);
+			this->method->destroy(this->method);
+			this->method = NULL;
+
+			/* continue phase2 with EAP-TNC? */
+			return start_phase2_tnc(this);
+		case NEED_MORE:
+			break;
+		case FAILED:
+		default:
+			if (vendor)
+			{
+				DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed",
+							   type, vendor);
+			}
+			else
+			{
+				DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+			}
+			return FAILED;
+ 	}
+	return status;
+}
+
+METHOD(tls_application_t, build, status_t,
+	private_eap_ttls_server_t *this, tls_writer_t *writer)
+{
+	chunk_t data;
+	eap_code_t code;
+	eap_type_t type;
+	u_int32_t vendor;
+
+	if (this->method == NULL && this->start_phase2 &&
+		lib->settings->get_bool(lib->settings,
+			 	"charon.plugins.eap-ttls.phase2_piggyback", FALSE))
+	{
+		/* generate an EAP Identity request which will be piggybacked right
+		 * onto the TLS Finished message thus initiating EAP-TTLS phase2
+		 */
+		this->method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
+								 0,	EAP_SERVER, this->server, this->peer);
+		if (this->method == NULL)
+		{
+			DBG1(DBG_IKE, "%N method not available",
+				 eap_type_names, EAP_IDENTITY);
+			return FAILED;
+		}
+		this->method->initiate(this->method, &this->out);
+		this->start_phase2 = FALSE;
+	}
+
+	if (this->out)
+	{
+		code = this->out->get_code(this->out);
+		type = this->out->get_type(this->out, &vendor);
+		DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]",
+						eap_code_short_names, code, eap_type_short_names, type);
+
+		/* get the raw EAP message data */
+		data = this->out->get_data(this->out);
+		this->avp->build(this->avp, writer, data);
+
+		this->out->destroy(this->out);
+		this->out = NULL;
+	}
+	return INVALID_STATE;
+}
+
+METHOD(tls_application_t, destroy, void,
+	private_eap_ttls_server_t *this)
+{
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	DESTROY_IF(this->method);
+	DESTROY_IF(this->out);
+	this->avp->destroy(this->avp);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_ttls_server_t *eap_ttls_server_create(identification_t *server,
+										  identification_t *peer)
+{
+	private_eap_ttls_server_t *this;
+
+	INIT(this,
+		.public = {
+			.application = {
+				.process = _process,
+				.build = _build,
+				.destroy = _destroy,
+			},
+		},
+		.server = server->clone(server),
+		.peer = peer->clone(peer),
+		.start_phase2 = TRUE,
+		.start_phase2_tnc = TRUE,
+		.avp = eap_ttls_avp_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.h b/src/libcharon/plugins/eap_ttls/eap_ttls_server.h
new file mode 100644
index 000000000..a66a813ec
--- /dev/null
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_server.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_server eap_ttls_server
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_SERVER_H_
+#define EAP_TTLS_SERVER_H_
+
+typedef struct eap_ttls_server_t eap_ttls_server_t;
+
+#include "tls_application.h"
+
+#include <library.h>
+
+/**
+ * TLS application data handler as server.
+ */
+struct eap_ttls_server_t {
+
+	/**
+	 * Implements the TLS application data handler.
+	 */
+	tls_application_t application;
+};
+
+/**
+ * Create an eap_ttls_server instance.
+ */
+eap_ttls_server_t *eap_ttls_server_create(identification_t *server,
+										  identification_t *peer);
+
+#endif /** EAP_TTLS_SERVER_H_ @}*/
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 47952b99e..bfd50d6da 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c
index 01c2a39c8..d83bc1fd2 100644
--- a/src/libcharon/plugins/farp/farp_plugin.c
+++ b/src/libcharon/plugins/farp/farp_plugin.c
@@ -60,7 +60,11 @@ plugin_t *farp_plugin_create()
 	private_farp_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.listener = farp_listener_create(),
 	);
 
diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c
index 20bb44fd3..a904a6538 100644
--- a/src/libcharon/plugins/farp/farp_spoofer.c
+++ b/src/libcharon/plugins/farp/farp_spoofer.c
@@ -191,7 +191,7 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
 
 	this->job = callback_job_create((callback_job_cb_t)receive_arp,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 5ca9b464b..3600eb7c6 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
index 1ebc33ca4..9ff3fd5ff 100644
--- a/src/libcharon/plugins/ha/ha_cache.c
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -354,7 +354,7 @@ ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket,
 	if (sync)
 	{
 		/* request a resync as soon as we are up */
-		charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
 						callback_job_create((callback_job_cb_t)request_resync,
 											this, NULL, NULL), 1);
 	}
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index e188a8484..980c0551a 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -114,6 +114,7 @@ METHOD(ha_ctl_t, destroy, void,
 ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
 {
 	private_ha_ctl_t *this;
+	mode_t old;
 
 	INIT(this,
 		.public = {
@@ -125,16 +126,23 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
 
 	if (access(HA_FIFO, R_OK|W_OK) != 0)
 	{
-		if (mkfifo(HA_FIFO, 600) != 0)
+		old = umask(~(S_IRWXU | S_IRWXG));
+		if (mkfifo(HA_FIFO, S_IRUSR | S_IWUSR) != 0)
 		{
 			DBG1(DBG_CFG, "creating HA FIFO %s failed: %s",
 				 HA_FIFO, strerror(errno));
 		}
+		umask(old);
+	}
+	if (chown(HA_FIFO, charon->uid, charon->gid) != 0)
+	{
+		DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
+			 strerror(errno));
 	}
 
 	this->job = callback_job_create((callback_job_cb_t)dispatch_fifo,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 	return &this->public;
 }
 
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 3bc426ea0..b46a221bd 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -136,7 +136,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message
 		diffie_hellman_t dh = { .get_shared_secret = get_shared_secret,
 								.destroy = (void*)&secret };
 
-		proposal = proposal_create(PROTO_IKE);
+		proposal = proposal_create(PROTO_IKE, 0);
 		keymat = ike_sa->get_keymat(ike_sa);
 		if (integ)
 		{
@@ -549,7 +549,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
 	child_sa->set_protocol(child_sa, PROTO_ESP);
 	child_sa->set_ipcomp(child_sa, ipcomp);
 
-	proposal = proposal_create(PROTO_ESP);
+	proposal = proposal_create(PROTO_ESP, 0);
 	if (integ)
 	{
 		proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, integ, 0);
@@ -869,7 +869,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
 	);
 	this->job = callback_job_create((callback_job_cb_t)dispatch,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c
index 10a63453a..56bdbf454 100644
--- a/src/libcharon/plugins/ha/ha_kernel.c
+++ b/src/libcharon/plugins/ha/ha_kernel.c
@@ -216,6 +216,11 @@ static void disable_all(private_ha_kernel_t *this)
 	enumerator = enumerator_create_directory(CLUSTERIP_DIR);
 	while (enumerator->enumerate(enumerator, NULL, &file, NULL))
 	{
+		if (chown(file, charon->uid, charon->gid) != 0)
+		{
+			DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
+				 strerror(errno));
+		}
 		active = get_active(this, file);
 		for (i = 1; i <= this->count; i++)
 		{
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index e722b4f3a..581294e60 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -142,7 +142,11 @@ plugin_t *ha_plugin_create()
 	}
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 	);
 
 	if (secret)
diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
index be2d7e428..19e0f692e 100644
--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
@@ -283,7 +283,7 @@ static void start_watchdog(private_ha_segments_t *this)
 {
 	this->job = callback_job_create((callback_job_cb_t)watchdog,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 }
 
 METHOD(ha_segments_t, handle_status, void,
@@ -345,7 +345,7 @@ static job_requeue_t send_status(private_ha_segments_t *this)
 	message->destroy(message);
 
 	/* schedule next invocation */
-	charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
+	lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
 									callback_job_create((callback_job_cb_t)
 										send_status, this, NULL, NULL),
 									this->heartbeat_delay);
@@ -382,7 +382,9 @@ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
 
 	INIT(this,
 		.public = {
-			.listener.alert = _alert_hook,
+			.listener = {
+				.alert = _alert_hook,
+			},
 			.activate = _activate,
 			.deactivate = _deactivate,
 			.handle_status = _handle_status,
diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c
index 21e6eb6d5..614c70ed3 100644
--- a/src/libcharon/plugins/ha/ha_socket.c
+++ b/src/libcharon/plugins/ha/ha_socket.c
@@ -107,7 +107,7 @@ METHOD(ha_socket_t, push, void,
 
 			job = callback_job_create((callback_job_cb_t)send_message,
 									  data, (void*)job_data_destroy, NULL);
-			charon->processor->queue_job(charon->processor, (job_t*)job);
+			lib->processor->queue_job(lib->processor, (job_t*)job);
 			return;
 		}
 		DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno));
diff --git a/src/libcharon/plugins/led/Makefile.am b/src/libcharon/plugins/led/Makefile.am
new file mode 100644
index 000000000..6428361fc
--- /dev/null
+++ b/src/libcharon/plugins/led/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-led.la
+else
+plugin_LTLIBRARIES = libstrongswan-led.la
+endif
+
+libstrongswan_led_la_SOURCES = led_plugin.h led_plugin.c \
+	led_listener.h led_listener.c
+
+libstrongswan_led_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
new file mode 100644
index 000000000..a4e529d89
--- /dev/null
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -0,0 +1,601 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/led
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_led_la_LIBADD =
+am_libstrongswan_led_la_OBJECTS = led_plugin.lo led_listener.lo
+libstrongswan_led_la_OBJECTS = $(am_libstrongswan_led_la_OBJECTS)
+libstrongswan_led_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_led_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_led_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_led_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_led_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_led_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-led.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-led.la
+libstrongswan_led_la_SOURCES = led_plugin.h led_plugin.c \
+	led_listener.h led_listener.c
+
+libstrongswan_led_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/led/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/led/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-led.la: $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_DEPENDENCIES) 
+	$(libstrongswan_led_la_LINK) $(am_libstrongswan_led_la_rpath) $(libstrongswan_led_la_OBJECTS) $(libstrongswan_led_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/led_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/led_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/led/led_listener.c b/src/libcharon/plugins/led/led_listener.c
new file mode 100644
index 000000000..18def8005
--- /dev/null
+++ b/src/libcharon/plugins/led/led_listener.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "led_listener.h"
+
+#include <errno.h>
+
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_led_listener_t private_led_listener_t;
+
+/**
+ * Private data of an led_listener_t object.
+ */
+struct private_led_listener_t {
+
+	/**
+	 * Public led_listener_t interface.
+	 */
+	led_listener_t public;
+
+	/**
+	 * Mutex
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Number of established IKE_SAs
+	 */
+	int count;
+
+	/**
+	 * LED blink on/off time, in ms
+	 */
+	int blink_time;
+
+	/**
+	 * Activity LED fd, if any
+	 */
+	FILE *activity;
+
+	/**
+	 * Activity LED maximum brightness
+	 */
+	int activity_max;
+};
+
+/**
+ * Open a LED brightness control file, get max brightness
+ */
+static FILE *open_led(char *name, int *max_brightness)
+{
+	char path[PATH_MAX];
+	FILE *f;
+
+	if (!name)
+	{
+		return NULL;
+	}
+
+	*max_brightness = 1;
+	snprintf(path, sizeof(path), "/sys/class/leds/%s/max_brightness", name);
+	f = fopen(path, "r");
+	if (f)
+	{
+		if (fscanf(f, "%d\n", max_brightness) != 1)
+		{
+			DBG1(DBG_CFG, "reading max brightness for '%s' failed: %s, using 1",
+				 name, strerror(errno));
+		}
+		fclose(f);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "reading max_brightness for '%s' failed: %s, using 1",
+			 name, strerror(errno));
+	}
+
+	snprintf(path, sizeof(path), "/sys/class/leds/%s/brightness", name);
+	f = fopen(path, "w");
+	if (!f)
+	{
+		DBG1(DBG_CFG, "opening LED file '%s' failed: %s", path, strerror(errno));
+	}
+	return f;
+}
+
+/**
+ * Set a LED to a given brightness
+ */
+static void set_led(FILE *led, int brightness)
+{
+	if (led)
+	{
+		if (fprintf(led, "%d\n", brightness) <= 0 ||
+			fflush(led) != 0)
+		{
+			DBG1(DBG_CFG, "setting LED brightness failed: %s", strerror(errno));
+		}
+	}
+}
+
+/**
+ * Plugin unloaded?
+ */
+static bool plugin_gone = FALSE;
+
+/**
+ * Reset activity LED after timeout
+ */
+static job_requeue_t reset_activity_led(private_led_listener_t *this)
+{
+	if (!plugin_gone)
+	{	/* TODO: fix race */
+		this->mutex->lock(this->mutex);
+		if (this->count)
+		{
+			set_led(this->activity, this->activity_max);
+		}
+		else
+		{
+			set_led(this->activity, 0);
+		}
+		this->mutex->unlock(this->mutex);
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Blink the activity LED
+ */
+static void blink_activity(private_led_listener_t *this)
+{
+	if (this->activity)
+	{
+		this->mutex->lock(this->mutex);
+		if (this->count)
+		{
+			set_led(this->activity, 0);
+		}
+		else
+		{
+			set_led(this->activity, this->activity_max);
+		}
+		lib->scheduler->schedule_job_ms(lib->scheduler,
+			(job_t*)callback_job_create((callback_job_cb_t)reset_activity_led,
+										this, NULL, NULL), this->blink_time);
+		this->mutex->unlock(this->mutex);
+	}
+}
+
+METHOD(listener_t, ike_state_change, bool,
+	private_led_listener_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	this->mutex->lock(this->mutex);
+	if (state == IKE_ESTABLISHED && ike_sa->get_state(ike_sa) != IKE_ESTABLISHED)
+	{
+		this->count++;
+		if (this->count == 1)
+		{
+			set_led(this->activity, this->activity_max);
+		}
+	}
+	if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && state != IKE_ESTABLISHED)
+	{
+		this->count--;
+		if (this->count == 0)
+		{
+			set_led(this->activity, 0);
+		}
+	}
+	this->mutex->unlock(this->mutex);
+	return TRUE;
+}
+
+METHOD(listener_t, message_hook, bool,
+	private_led_listener_t *this, ike_sa_t *ike_sa,
+	message_t *message, bool incoming)
+{
+	if (incoming || message->get_request(message))
+	{
+		blink_activity(this);
+	}
+	return TRUE;
+}
+
+METHOD(led_listener_t, destroy, void,
+	private_led_listener_t *this)
+{
+	this->mutex->lock(this->mutex);
+	set_led(this->activity, 0);
+	plugin_gone = TRUE;
+	this->mutex->unlock(this->mutex);
+	if (this->activity)
+	{
+		fclose(this->activity);
+	}
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * See header
+ */
+led_listener_t *led_listener_create()
+{
+	private_led_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_state_change = _ike_state_change,
+				.message = _message_hook,
+			},
+			.destroy = _destroy,
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.blink_time = lib->settings->get_int(lib->settings,
+				"charon.plugins.led.blink_time", 50),
+	);
+
+	this->activity = open_led(lib->settings->get_str(lib->settings,
+				"charon.plugins.led.activity_led", NULL), &this->activity_max);
+	set_led(this->activity, 0);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/led/led_listener.h b/src/libcharon/plugins/led/led_listener.h
new file mode 100644
index 000000000..05ae28275
--- /dev/null
+++ b/src/libcharon/plugins/led/led_listener.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup led_listener led_listener
+ * @{ @ingroup led
+ */
+
+#ifndef LED_LISTENER_H_
+#define LED_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct led_listener_t led_listener_t;
+
+/**
+ * Listener that controls LEDs based on IKEv2 activity/state.
+ */
+struct led_listener_t {
+
+	/**
+	 * Implements listener_t interface.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a led_listener_t.
+	 */
+	void (*destroy)(led_listener_t *this);
+};
+
+/**
+ * Create a led_listener instance.
+ */
+led_listener_t *led_listener_create();
+
+#endif /** LED_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/led/led_plugin.c b/src/libcharon/plugins/led/led_plugin.c
new file mode 100644
index 000000000..322d198ff
--- /dev/null
+++ b/src/libcharon/plugins/led/led_plugin.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "led_plugin.h"
+
+#include "led_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_led_plugin_t private_led_plugin_t;
+
+/**
+ * private data of led plugin
+ */
+struct private_led_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	led_plugin_t public;
+
+	/**
+	 * Listener controlling LEDs
+	 */
+	led_listener_t *listener;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_led_plugin_t *this)
+{
+	charon->bus->remove_listener(charon->bus, &this->listener->listener);
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *led_plugin_create()
+{
+	private_led_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.listener = led_listener_create(),
+	);
+
+	charon->bus->add_listener(charon->bus, &this->listener->listener);
+
+	return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/led/led_plugin.h b/src/libcharon/plugins/led/led_plugin.h
new file mode 100644
index 000000000..a7449addd
--- /dev/null
+++ b/src/libcharon/plugins/led/led_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup led led
+ * @ingroup cplugins
+ *
+ * @defgroup led_plugin led_plugin
+ * @{ @ingroup led
+ */
+
+#ifndef LED_PLUGIN_H_
+#define LED_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct led_plugin_t led_plugin_t;
+
+/**
+ * Linux LED control based on IKE activity/state.
+ */
+struct led_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** LED_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index d049bb41b..85db9a10b 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -170,6 +171,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -201,14 +204,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -223,24 +229,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -248,7 +261,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 43c0ef009..aece95e12 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -36,7 +36,7 @@ struct private_load_tester_ipsec_t {
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	   protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+	   u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 	*spi = ++this->spi;
 	return SUCCESS;
@@ -51,7 +51,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	   u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+	   u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	   lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	   u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 	   u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
@@ -61,7 +61,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
-	   private_load_tester_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+	   private_load_tester_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
 	   u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src,
 	   host_t *new_dst, bool encap, bool new_encap, mark_t mark)
 {
@@ -70,14 +70,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	   u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+	   u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	return NOT_SUPPORTED;
 }
 
 METHOD(kernel_ipsec_t, del_sa, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
-	   u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+	   u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
 	return SUCCESS;
 }
@@ -85,9 +85,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 	   private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
 	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	   policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	   u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	   u_int16_t cpi, bool routed)
+	   policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	   mark_t mark, bool routed)
 {
 	return SUCCESS;
 }
diff --git a/src/libcharon/plugins/load_tester/load_tester_listener.c b/src/libcharon/plugins/load_tester/load_tester_listener.c
index 96b0cf1ec..cf6dd0562 100644
--- a/src/libcharon/plugins/load_tester/load_tester_listener.c
+++ b/src/libcharon/plugins/load_tester/load_tester_listener.c
@@ -59,7 +59,7 @@ static bool ike_state_change(private_load_tester_listener_t *this,
 
 		if (this->delete_after_established)
 		{
-			charon->processor->queue_job(charon->processor,
+			lib->processor->queue_job(lib->processor,
 									(job_t*)delete_ike_sa_job_create(id, TRUE));
 		}
 
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 15dbccb00..cb9b80c7f 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -22,6 +22,7 @@
 
 #include <unistd.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 #include <threading/condvar.h>
@@ -155,7 +156,7 @@ static void destroy(private_load_tester_plugin_t *this)
 		this->condvar->wait(this->condvar, this->mutex);
 	}
 	this->mutex->unlock(this->mutex);
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface,
+	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	charon->backends->remove_backend(charon->backends, &this->config->backend);
 	lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
@@ -215,13 +216,13 @@ plugin_t *load_tester_plugin_create()
 	if (lib->settings->get_bool(lib->settings,
 					"charon.plugins.load-tester.fake_kernel", FALSE))
 	{
-		charon->kernel_interface->add_ipsec_interface(charon->kernel_interface,
+		hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
 						(kernel_ipsec_constructor_t)load_tester_ipsec_create);
 	}
 	this->running = 0;
 	for (i = 0; i < this->initiators; i++)
 	{
-		charon->processor->queue_job(charon->processor,
+		lib->processor->queue_job(lib->processor,
 					(job_t*)callback_job_create((callback_job_cb_t)do_load_test,
 												this, NULL, NULL));
 	}
diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am
new file mode 100644
index 000000000..ed6c76c0f
--- /dev/null
+++ b/src/libcharon/plugins/maemo/Makefile.am
@@ -0,0 +1,23 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon ${maemo_CFLAGS}
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-maemo.la
+else
+plugin_LTLIBRARIES = libstrongswan-maemo.la
+endif
+
+libstrongswan_maemo_la_SOURCES = \
+	maemo_plugin.h maemo_plugin.c \
+	maemo_service.h maemo_service.c
+
+libstrongswan_maemo_la_LDFLAGS = -module -avoid-version
+libstrongswan_maemo_la_LIBADD  = ${maemo_LIBS}
+
+dbusservice_DATA = org.strongswan.charon.service
+
+EXTRA_DIST = $(dbusservice_DATA)
+
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
new file mode 100644
index 000000000..978950d22
--- /dev/null
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -0,0 +1,631 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/maemo
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)" \
+	"$(DESTDIR)$(dbusservicedir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_maemo_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_maemo_la_OBJECTS = maemo_plugin.lo maemo_service.lo
+libstrongswan_maemo_la_OBJECTS = $(am_libstrongswan_maemo_la_OBJECTS)
+libstrongswan_maemo_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_maemo_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_maemo_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_maemo_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_maemo_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_maemo_la_SOURCES)
+DATA = $(dbusservice_DATA)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon ${maemo_CFLAGS}
+
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-maemo.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-maemo.la
+libstrongswan_maemo_la_SOURCES = \
+	maemo_plugin.h maemo_plugin.c \
+	maemo_service.h maemo_service.c
+
+libstrongswan_maemo_la_LDFLAGS = -module -avoid-version
+libstrongswan_maemo_la_LIBADD = ${maemo_LIBS}
+dbusservice_DATA = org.strongswan.charon.service
+EXTRA_DIST = $(dbusservice_DATA)
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/maemo/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-maemo.la: $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_DEPENDENCIES) 
+	$(libstrongswan_maemo_la_LINK) $(am_libstrongswan_maemo_la_rpath) $(libstrongswan_maemo_la_OBJECTS) $(libstrongswan_maemo_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/maemo_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/maemo_service.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+install-dbusserviceDATA: $(dbusservice_DATA)
+	@$(NORMAL_INSTALL)
+	test -z "$(dbusservicedir)" || $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)"
+	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
+	for p in $$list; do \
+	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dbusservicedir)'"; \
+	  $(INSTALL_DATA) $$files "$(DESTDIR)$(dbusservicedir)" || exit $$?; \
+	done
+
+uninstall-dbusserviceDATA:
+	@$(NORMAL_UNINSTALL)
+	@list='$(dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(dbusservicedir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(dbusservicedir)" && rm -f $$files
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(DATA)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(dbusservicedir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-dbusserviceDATA install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dbusserviceDATA install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pluginLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-dbusserviceDATA \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/maemo/maemo_plugin.c b/src/libcharon/plugins/maemo/maemo_plugin.c
new file mode 100644
index 000000000..d4549f43a
--- /dev/null
+++ b/src/libcharon/plugins/maemo/maemo_plugin.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "maemo_plugin.h"
+#include "maemo_service.h"
+
+#include <daemon.h>
+
+typedef struct private_maemo_plugin_t private_maemo_plugin_t;
+
+/**
+ * private data of maemo plugin
+ */
+struct private_maemo_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	maemo_plugin_t public;
+
+	/**
+	 * service
+	 */
+	maemo_service_t *service;
+
+};
+
+METHOD(plugin_t, destroy, void,
+	   private_maemo_plugin_t *this)
+{
+	this->service->destroy(this->service);
+	free(this);
+}
+
+/*
+ * See header
+ */
+plugin_t *maemo_plugin_create()
+{
+	private_maemo_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	this->service = maemo_service_create();
+	if (!this->service)
+	{
+		return NULL;
+	}
+
+	return &this->public.plugin;
+}
+
diff --git a/src/libcharon/plugins/maemo/maemo_plugin.h b/src/libcharon/plugins/maemo/maemo_plugin.h
new file mode 100644
index 000000000..23d139b49
--- /dev/null
+++ b/src/libcharon/plugins/maemo/maemo_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup maemo maemo
+ * @ingroup cplugins
+ *
+ * @defgroup maemo_plugin maemo_plugin
+ * @{ @ingroup maemo
+ */
+
+#ifndef MAEMO_PLUGIN_H_
+#define MAEMO_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct maemo_plugin_t maemo_plugin_t;
+
+/**
+ * Maemo integration plugin.
+ */
+struct maemo_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** MAEMO_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
new file mode 100644
index 000000000..efd914a00
--- /dev/null
+++ b/src/libcharon/plugins/maemo/maemo_service.c
@@ -0,0 +1,510 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <glib.h>
+#include <libosso.h>
+#include <sys/stat.h>
+
+#include "maemo_service.h"
+
+#include <daemon.h>
+#include <credentials/sets/mem_cred.h>
+#include <processing/jobs/callback_job.h>
+
+#define OSSO_STATUS_NAME	"status"
+#define OSSO_STATUS_SERVICE	"org.strongswan."OSSO_STATUS_NAME
+#define OSSO_STATUS_OBJECT	"/org/strongswan/"OSSO_STATUS_NAME
+#define OSSO_STATUS_IFACE	"org.strongswan."OSSO_STATUS_NAME
+
+#define OSSO_CHARON_NAME	"charon"
+#define OSSO_CHARON_SERVICE	"org.strongswan."OSSO_CHARON_NAME
+#define OSSO_CHARON_OBJECT	"/org/strongswan/"OSSO_CHARON_NAME
+#define OSSO_CHARON_IFACE	"org.strongswan."OSSO_CHARON_NAME
+
+#define MAEMO_COMMON_CA_DIR	"/etc/certs/common-ca"
+#define MAEMO_USER_CA_DIR	"/home/user/.maemosec-certs/wifi-ca"
+/* there is also an smime-ca and an ssl-ca sub-directory and the same for
+ * ...-user, which store end user/server certificates */
+
+typedef enum {
+	VPN_STATUS_DISCONNECTED,
+	VPN_STATUS_CONNECTING,
+	VPN_STATUS_CONNECTED,
+	VPN_STATUS_AUTH_FAILED,
+	VPN_STATUS_CONNECTION_FAILED,
+} vpn_status_t;
+
+typedef struct private_maemo_service_t private_maemo_service_t;
+
+/**
+ * private data of maemo service
+ */
+struct private_maemo_service_t {
+
+	/**
+	 * public interface
+	 */
+	maemo_service_t public;
+
+	/**
+	 * credentials
+	 */
+	mem_cred_t *creds;
+
+	/**
+	 * Glib main loop for a thread, handles DBUS calls
+	 */
+	GMainLoop *loop;
+
+	/**
+	 * Context for OSSO
+	 */
+	osso_context_t *context;
+
+	/**
+	 * Current IKE_SA
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Status of the current connection
+	 */
+	vpn_status_t status;
+
+	/**
+	 * Name of the current connection
+	 */
+	gchar *current;
+
+};
+
+static gint change_status(private_maemo_service_t *this, int status)
+{
+	osso_rpc_t retval;
+	gint res;
+	this->status = status;
+	res = osso_rpc_run (this->context, OSSO_STATUS_SERVICE, OSSO_STATUS_OBJECT,
+						OSSO_STATUS_IFACE, "StatusChanged", &retval,
+						DBUS_TYPE_INT32, status,
+						DBUS_TYPE_INVALID);
+	return res;
+}
+
+METHOD(listener_t, ike_updown, bool,
+	   private_maemo_service_t *this, ike_sa_t *ike_sa, bool up)
+{
+	/* this callback is only registered during initiation, so if the IKE_SA
+	 * goes down we assume an authentication error */
+	if (this->ike_sa == ike_sa && !up)
+	{
+		change_status(this, VPN_STATUS_AUTH_FAILED);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, child_state_change, bool,
+	   private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	   child_sa_state_t state)
+{
+	/* this call back is only registered during initiation */
+	if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
+	{
+		change_status(this, VPN_STATUS_CONNECTION_FAILED);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, child_updown, bool,
+	   private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+	   bool up)
+{
+	if (this->ike_sa == ike_sa)
+	{
+		if (up)
+		{
+			/* disable hooks registered to catch initiation failures */
+			this->public.listener.ike_updown = NULL;
+			this->public.listener.child_state_change = NULL;
+			change_status(this, VPN_STATUS_CONNECTED);
+		}
+		else
+		{
+			change_status(this, VPN_STATUS_CONNECTION_FAILED);
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+METHOD(listener_t, ike_rekey, bool,
+	   private_maemo_service_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+	if (this->ike_sa == old)
+	{
+		this->ike_sa = new;
+	}
+	return TRUE;
+}
+
+/**
+ * load all CA certificates in the given directory
+ */
+static void load_ca_dir(private_maemo_service_t *this, char *dir)
+{
+	enumerator_t *enumerator;
+	char *rel, *abs;
+	struct stat st;
+
+	enumerator = enumerator_create_directory(dir);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &rel, &abs, &st))
+		{
+			if (rel[0] != '.')
+			{
+				if (S_ISREG(st.st_mode))
+				{
+					certificate_t *cert;
+					cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+											  CERT_X509, BUILD_FROM_FILE, abs,
+											  BUILD_END);
+					if (!cert)
+					{
+						DBG1(DBG_CFG, "loading CA certificate '%s' failed",
+							 abs);
+						continue;
+					}
+					DBG2(DBG_CFG, "loaded CA certificate '%Y'",
+						 cert->get_subject(cert));
+					this->creds->add_cert(this->creds, TRUE, cert);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+static void disconnect(private_maemo_service_t *this)
+{
+	ike_sa_t *ike_sa;
+	u_int id;
+
+	if (!this->current)
+	{
+		return;
+	}
+
+	/* avoid status updates, as this is called from the Glib main loop */
+	charon->bus->remove_listener(charon->bus, &this->public.listener);
+
+	ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager,
+													  this->current, FALSE);
+	if (ike_sa)
+	{
+		id = ike_sa->get_unique_id(ike_sa);
+		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+		charon->controller->terminate_ike(charon->controller, id,
+										  NULL, NULL);
+	}
+	this->current = (g_free(this->current), NULL);
+	this->status = VPN_STATUS_DISCONNECTED;
+}
+
+static gboolean initiate_connection(private_maemo_service_t *this,
+									GArray *arguments)
+{
+	gint i;
+	gchar *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL;
+	identification_t *gateway = NULL, *user = NULL;
+	ike_sa_t *ike_sa;
+	ike_cfg_t *ike_cfg;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	traffic_selector_t *ts;
+	auth_cfg_t *auth;
+	certificate_t *cert;
+	lifetime_cfg_t lifetime = {
+		.time = {
+			.life = 10800, /* 3h */
+			.rekey = 10200, /* 2h50min */
+			.jitter = 300 /* 5min */
+		}
+	};
+
+	if (this->status == VPN_STATUS_CONNECTED ||
+		this->status == VPN_STATUS_CONNECTING)
+	{
+		DBG1(DBG_CFG, "currently connected to '%s', disconnecting first",
+			 this->current);
+		disconnect (this);
+	}
+
+	if (arguments->len != 5)
+	{
+		DBG1(DBG_CFG, "wrong number of arguments: %d", arguments->len);
+		return FALSE;
+	}
+
+	for (i = 0; i < arguments->len; i++)
+	{
+		osso_rpc_t *arg = &g_array_index(arguments, osso_rpc_t, i);
+		if (arg->type != DBUS_TYPE_STRING)
+		{
+			DBG1(DBG_CFG, "invalid argument [%d]: %d", i, arg->type);
+			return FALSE;
+		}
+		switch (i)
+		{
+			case 0: /* name */
+				this->current = (g_free(this->current), NULL);
+				this->current = g_strdup(arg->value.s);
+				break;
+			case 1: /* hostname */
+				hostname = arg->value.s;
+				break;
+			case 2: /* CA certificate path */
+				cacert = arg->value.s;
+				break;
+			case 3: /* username */
+				username = arg->value.s;
+				break;
+			case 4: /* password */
+				password = arg->value.s;
+				break;
+		}
+	}
+
+	DBG1(DBG_CFG, "received initiate for connection '%s'", this->current);
+
+	this->creds->clear(this->creds);
+
+	if (cacert && !streq(cacert, ""))
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_FROM_FILE, cacert, BUILD_END);
+		if (cert)
+		{
+			this->creds->add_cert(this->creds, TRUE, cert);
+		}
+		else
+		{
+			DBG1(DBG_CFG, "failed to load CA certificate");
+		}
+		/* if this is a server cert we could use the cert subject as id */
+	}
+	else
+	{
+		load_ca_dir(this, MAEMO_COMMON_CA_DIR);
+		load_ca_dir(this, MAEMO_USER_CA_DIR);
+	}
+
+	gateway = identification_create_from_string(hostname);
+	DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway);
+
+	{
+		shared_key_t *shared_key;
+		chunk_t secret = chunk_create(password, strlen(password));
+		user = identification_create_from_string(username);
+		shared_key = shared_key_create(SHARED_EAP, chunk_clone(secret));
+		this->creds->add_shared(this->creds, shared_key, user->clone(user),
+								NULL);
+	}
+
+	ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
+							 hostname, IKEV2_UDP_PORT);
+	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+
+	peer_cfg = peer_cfg_create(this->current, 2, ike_cfg, CERT_SEND_IF_ASKED,
+							   UNIQUE_REPLACE, 1, /* keyingtries */
+							   36000, 0, /* rekey 10h, reauth none */
+							   600, 600, /* jitter, over 10min */
+							   TRUE, 0, /* mobike, DPD */
+							   host_create_from_string("0.0.0.0", 0) /* virt */,
+							   NULL, FALSE, NULL, NULL); /* pool, mediation */
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+	auth->add(auth, AUTH_RULE_IDENTITY, user);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+	auth->add(auth, AUTH_RULE_IDENTITY, gateway);
+	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+
+	child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */,
+								 TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE,
+								 FALSE, 0, 0, NULL, NULL);
+	child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
+	ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
+											 0, "255.255.255.255", 65535);
+	child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+	/* get an additional reference because initiate consumes one */
+	child_cfg->get_ref(child_cfg);
+
+	/* get us an IKE_SA */
+	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+														peer_cfg);
+	if (!ike_sa->get_peer_cfg(ike_sa))
+	{
+		ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+	}
+	peer_cfg->destroy(peer_cfg);
+
+	/* store the IKE_SA, so we can track its progress */
+	this->ike_sa = ike_sa;
+	this->status = VPN_STATUS_CONNECTING;
+	this->public.listener.ike_updown = _ike_updown;
+	this->public.listener.child_state_change = _child_state_change;
+	charon->bus->add_listener(charon->bus, &this->public.listener);
+
+	if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
+	{
+		DBG1(DBG_CFG, "failed to initiate tunnel");
+		charon->bus->remove_listener(charon->bus, &this->public.listener);
+		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+													ike_sa);
+		this->status = VPN_STATUS_CONNECTION_FAILED;
+		return FALSE;
+	}
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+	return TRUE;
+}
+
+/**
+ * Callback for libosso dbus wrapper
+ */
+static gint dbus_req_handler(const gchar *interface, const gchar *method,
+							 GArray *arguments, private_maemo_service_t *this,
+							 osso_rpc_t *retval)
+{
+	if (streq(method, "Start"))
+	{	/* void start (void), dummy function to start charon as root */
+		return OSSO_OK;
+	}
+	else if (streq(method, "Connect"))
+	{	/* bool connect (name, host, cert, user, pass) */
+		retval->value.b = initiate_connection(this, arguments);
+		retval->type = DBUS_TYPE_BOOLEAN;
+	}
+	else if (streq(method, "Disconnect"))
+	{	/* void disconnect (void) */
+		disconnect(this);
+	}
+	else
+	{
+		return OSSO_ERROR;
+	}
+	return OSSO_OK;
+}
+
+/**
+ * Main loop to handle D-BUS messages.
+ */
+static job_requeue_t run(private_maemo_service_t *this)
+{
+	this->loop = g_main_loop_new(NULL, FALSE);
+	g_main_loop_run(this->loop);
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(maemo_service_t, destroy, void,
+	   private_maemo_service_t *this)
+{
+	if (this->loop)
+	{
+		if (g_main_loop_is_running(this->loop))
+		{
+			g_main_loop_quit(this->loop);
+		}
+		g_main_loop_unref(this->loop);
+	}
+	if (this->context)
+	{
+		osso_rpc_unset_cb_f(this->context,
+							OSSO_CHARON_SERVICE,
+							OSSO_CHARON_OBJECT,
+							OSSO_CHARON_IFACE,
+							(osso_rpc_cb_f*)dbus_req_handler,
+							this);
+		osso_deinitialize(this->context);
+	}
+	charon->bus->remove_listener(charon->bus, &this->public.listener);
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	this->creds->destroy(this->creds);
+	this->current = (g_free(this->current), NULL);
+	free(this);
+}
+
+/*
+ * See header
+ */
+maemo_service_t *maemo_service_create()
+{
+	osso_return_t result;
+	private_maemo_service_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.ike_updown = _ike_updown,
+				.child_state_change = _child_state_change,
+				.child_updown = _child_updown,
+				.ike_rekey = _ike_rekey,
+			},
+			.destroy = _destroy,
+		},
+		.creds = mem_cred_create(),
+	);
+
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+
+	this->context = osso_initialize(OSSO_CHARON_SERVICE, "0.0.1", TRUE, NULL);
+	if (!this->context)
+	{
+		DBG1(DBG_CFG, "failed to initialize OSSO context");
+		destroy(this);
+		return NULL;
+	}
+
+	result = osso_rpc_set_cb_f(this->context,
+							   OSSO_CHARON_SERVICE,
+							   OSSO_CHARON_OBJECT,
+							   OSSO_CHARON_IFACE,
+							   (osso_rpc_cb_f*)dbus_req_handler,
+							   this);
+	if (result != OSSO_OK)
+	{
+		DBG1(DBG_CFG, "failed to set D-BUS callback (%d)", result);
+		destroy(this);
+		return NULL;
+	}
+
+	this->loop = NULL;
+	if (!g_thread_supported())
+	{
+		g_thread_init(NULL);
+	}
+
+	lib->processor->queue_job(lib->processor,
+		(job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL));
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/plugins/maemo/maemo_service.h b/src/libcharon/plugins/maemo/maemo_service.h
new file mode 100644
index 000000000..b0240cbaa
--- /dev/null
+++ b/src/libcharon/plugins/maemo/maemo_service.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup maemo_service maemo_service
+ * @{ @ingroup maemo
+ */
+
+#ifndef MAEMO_SERVICE_H_
+#define MAEMO_SERVICE_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct maemo_service_t maemo_service_t;
+
+/**
+ * Maemo connection management.
+ */
+struct maemo_service_t {
+
+	/**
+	 * Implements listener_t.
+	 */
+	listener_t listener;
+
+	/**
+	 * Destroy a maemo_service_t.
+	 */
+	void (*destroy)(maemo_service_t *this);
+};
+
+/**
+ * Create an instance of maemo_service_t.
+ */
+maemo_service_t *maemo_service_create();
+
+#endif /** MAEMO_SERVICE_H_ @}*/
diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service b/src/libcharon/plugins/maemo/org.strongswan.charon.service
new file mode 100644
index 000000000..7dd31ed60
--- /dev/null
+++ b/src/libcharon/plugins/maemo/org.strongswan.charon.service
@@ -0,0 +1,4 @@
+[D-BUS Service]
+Name=org.strongswan.charon
+Exec=/usr/bin/run-standalone.sh /usr/libexec/ipsec/charon
+User=root
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index c26d325a9..6dcbc99dd 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index 6cbaf36f2..870d87c7e 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -126,11 +126,11 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	med_cfg = peer_cfg_create(
 		"mediation", 2, ike_cfg,
 		CERT_NEVER_SEND, UNIQUE_REPLACE,
-		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
-		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
-		TRUE, this->dpd, 				/* mobike, dpddelay */
-		NULL, NULL, 					/* vip, pool */
-		TRUE, NULL, NULL); 				/* mediation, med by, peer id */
+		1, this->rekey*60, 0,			/* keytries, rekey, reauth */
+		this->rekey*5, this->rekey*3,	/* jitter, overtime */
+		TRUE, this->dpd,				/* mobike, dpddelay */
+		NULL, NULL,						/* vip, pool */
+		TRUE, NULL, NULL);				/* mediation, med by, peer id */
 	e->destroy(e);
 
 	auth = auth_cfg_create();
@@ -163,10 +163,10 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 	peer_cfg = peer_cfg_create(
 		name, 2, this->ike->get_ref(this->ike),
 		CERT_NEVER_SEND, UNIQUE_REPLACE,
-		1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
-		this->rekey*5, this->rekey*3, 	/* jitter, overtime */
-		TRUE, this->dpd, 				/* mobike, dpddelay */
-		NULL, NULL, 					/* vip, pool */
+		1, this->rekey*60, 0,			/* keytries, rekey, reauth */
+		this->rekey*5, this->rekey*3,	/* jitter, overtime */
+		TRUE, this->dpd,				/* mobike, dpddelay */
+		NULL, NULL,						/* vip, pool */
 		FALSE, med_cfg,					/* mediation, med by */
 		identification_create_from_encoding(ID_KEY_ID, other));
 
@@ -243,11 +243,11 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 	this->current = peer_cfg_create(
 				name, 2, this->ike->get_ref(this->ike),
 				CERT_NEVER_SEND, UNIQUE_REPLACE,
-				1, this->rekey*60, 0,  			/* keytries, rekey, reauth */
-				this->rekey*5, this->rekey*3, 	/* jitter, overtime */
-				TRUE, this->dpd, 				/* mobike, dpddelay */
-				NULL, NULL, 					/* vip, pool */
-				FALSE, NULL, NULL); 			/* mediation, med by, peer id */
+				1, this->rekey*60, 0,			/* keytries, rekey, reauth */
+				this->rekey*5, this->rekey*3,	/* jitter, overtime */
+				TRUE, this->dpd,				/* mobike, dpddelay */
+				NULL, NULL,						/* vip, pool */
+				FALSE, NULL, NULL);				/* mediation, med by, peer id */
 
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
@@ -364,7 +364,7 @@ static void schedule_autoinit(private_medcli_config_t *this)
 			if (peer_cfg)
 			{
 				/* schedule asynchronous initiation job */
-				charon->processor->queue_job(charon->processor,
+				lib->processor->queue_job(lib->processor,
 						(job_t*)callback_job_create(
 									(callback_job_cb_t)initiate_config,
 									peer_cfg, (void*)peer_cfg->destroy, NULL));
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 4dc9c00d0..f6db7d834 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in
index 1b3e4c5a6..2f5c20971 100644
--- a/src/libcharon/plugins/nm/Makefile.in
+++ b/src/libcharon/plugins/nm/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/nm/nm_creds.c b/src/libcharon/plugins/nm/nm_creds.c
index 193838e6b..638787019 100644
--- a/src/libcharon/plugins/nm/nm_creds.c
+++ b/src/libcharon/plugins/nm/nm_creds.c
@@ -51,6 +51,16 @@ struct private_nm_creds_t {
 	char *pass;
 
 	/**
+	 * Private key decryption password / smartcard pin
+	 */
+	char *keypass;
+
+	/**
+	 * private key ID of smartcard key
+	 */
+	chunk_t keyid;
+
+	/**
 	 * users certificate
 	 */
 	certificate_t *usercert;
@@ -239,8 +249,14 @@ static bool shared_enumerate(shared_enumerator_t *this, shared_key_t **key,
 		return FALSE;
 	}
 	*key = this->key;
-	*me = ID_MATCH_PERFECT;
-	*other = ID_MATCH_ANY;
+	if (me)
+	{
+		*me = ID_MATCH_PERFECT;
+	}
+	if (other)
+	{
+		*other = ID_MATCH_ANY;
+	}
 	this->done = TRUE;
 	return TRUE;
 }
@@ -262,18 +278,39 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
 							identification_t *other)
 {
 	shared_enumerator_t *enumerator;
+	chunk_t key;
 
-	if (!this->pass || !this->user)
+	switch (type)
 	{
-		return NULL;
-	}
-	if (type != SHARED_EAP && type != SHARED_IKE)
-	{
-		return NULL;
-	}
-	if (me && !me->equals(me, this->user))
-	{
-		return NULL;
+		case SHARED_EAP:
+		case SHARED_IKE:
+			if (!this->pass || !this->user)
+			{
+				return NULL;
+			}
+			if (me && !me->equals(me, this->user))
+			{
+				return NULL;
+			}
+			key = chunk_create(this->pass, strlen(this->pass));
+			break;
+		case SHARED_PRIVATE_KEY_PASS:
+			if (!this->keypass)
+			{
+				return NULL;
+			}
+			key = chunk_create(this->keypass, strlen(this->keypass));
+			break;
+		case SHARED_PIN:
+			if (!this->keypass || !me ||
+				!chunk_equals(me->get_encoding(me), this->keyid))
+			{
+				return NULL;
+			}
+			key = chunk_create(this->keypass, strlen(this->keypass));
+			break;
+		default:
+			return NULL;
 	}
 
 	enumerator = malloc_thing(shared_enumerator_t);
@@ -282,9 +319,7 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
 	enumerator->this = this;
 	enumerator->done = FALSE;
 	this->lock->read_lock(this->lock);
-	enumerator->key = shared_key_create(type,
-										chunk_clone(chunk_create(this->pass,
-													strlen(this->pass))));
+	enumerator->key = shared_key_create(type, chunk_clone(key));
 	return &enumerator->public;
 }
 
@@ -370,6 +405,30 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id
 }
 
 /**
+ * Implementation of nm_creds_t.set_key_password
+ */
+static void set_key_password(private_nm_creds_t *this, char *password)
+{
+	this->lock->write_lock(this->lock);
+	free(this->keypass);
+	this->keypass = password ? strdup(password) : NULL;
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of nm_creds_t.set_pin
+ */
+static void set_pin(private_nm_creds_t *this, chunk_t keyid, char *pin)
+{
+	this->lock->write_lock(this->lock);
+	free(this->keypass);
+	free(this->keyid.ptr);
+	this->keypass = pin ? strdup(pin) : NULL;
+	this->keyid = chunk_clone(keyid);
+	this->lock->unlock(this->lock);
+}
+
+/**
  * Implementation of nm_creds_t.set_cert_and_key
  */
 static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
@@ -396,12 +455,16 @@ static void clear(private_nm_creds_t *this)
 	}
 	DESTROY_IF(this->user);
 	free(this->pass);
+	free(this->keypass);
+	free(this->keyid.ptr);
 	DESTROY_IF(this->usercert);
 	DESTROY_IF(this->key);
 	this->key = NULL;
 	this->usercert = NULL;
 	this->pass = NULL;
 	this->user = NULL;
+	this->keypass = NULL;
+	this->keyid = chunk_empty;
 }
 
 /**
@@ -430,6 +493,8 @@ nm_creds_t *nm_creds_create()
 	this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate;
 	this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir;
 	this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
+	this->public.set_key_password = (void(*)(nm_creds_t*, char *password))set_key_password;
+	this->public.set_pin = (void(*)(nm_creds_t*, chunk_t keyid, char *pin))set_pin;
 	this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
 	this->public.clear = (void(*)(nm_creds_t*))clear;
 	this->public.destroy = (void(*)(nm_creds_t*))destroy;
@@ -441,6 +506,8 @@ nm_creds_t *nm_creds_create()
 	this->pass = NULL;
 	this->usercert = NULL;
 	this->key = NULL;
+	this->keypass = NULL;
+	this->keyid = chunk_empty;
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/nm/nm_creds.h b/src/libcharon/plugins/nm/nm_creds.h
index b55cff31e..91f645c7e 100644
--- a/src/libcharon/plugins/nm/nm_creds.h
+++ b/src/libcharon/plugins/nm/nm_creds.h
@@ -58,6 +58,22 @@ struct nm_creds_t {
 	 */
 	void (*set_username_password)(nm_creds_t *this, identification_t *id,
 								  char *password);
+
+	/**
+	 * Set the passphrase to use for private key decryption.
+	 *
+	 * @param password	password to use
+	 */
+	void (*set_key_password)(nm_creds_t *this, char *password);
+
+	/**
+	 * Set the PIN to unlock a smartcard.
+	 *
+	 * @param keyid		keyid of the smartcard key
+	 * @param pin		PIN
+	 */
+	void (*set_pin)(nm_creds_t *this, chunk_t keyid, char *pin);
+
 	/**
 	 * Set the certificate and private key to use for client authentication.
 	 *
@@ -66,6 +82,7 @@ struct nm_creds_t {
 	 */
 	void (*set_cert_and_key)(nm_creds_t *this, certificate_t *cert,
 							 private_key_t *key);
+
 	/**
 	 * Clear the stored credentials.
 	 */
diff --git a/src/libcharon/plugins/nm/nm_plugin.c b/src/libcharon/plugins/nm/nm_plugin.c
index 250e6f7f9..fd0580bd6 100644
--- a/src/libcharon/plugins/nm/nm_plugin.c
+++ b/src/libcharon/plugins/nm/nm_plugin.c
@@ -122,7 +122,7 @@ plugin_t *nm_plugin_create()
 	/* bypass file permissions to read from users ssh-agent */
 	charon->keep_cap(charon, CAP_DAC_OVERRIDE);
 
-	charon->processor->queue_job(charon->processor,
+	lib->processor->queue_job(lib->processor,
 		 (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL));
 
 	return &this->public.plugin;
diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c
index 07318bbbf..72c5bbbb5 100644
--- a/src/libcharon/plugins/nm/nm_service.c
+++ b/src/libcharon/plugins/nm/nm_service.c
@@ -204,6 +204,59 @@ static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
 }
 
 /**
+ * Find a certificate for which we have a private key on a smartcard
+ */
+static identification_t *find_smartcard_key(NMStrongswanPluginPrivate *priv,
+											char *pin)
+{
+	enumerator_t *enumerator, *sans;
+	identification_t *id = NULL;
+	certificate_t *cert;
+	x509_t *x509;
+	private_key_t *key;
+	chunk_t keyid;
+
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+											CERT_X509, KEY_ANY, NULL, FALSE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		x509 = (x509_t*)cert;
+
+		/* there might be a lot of certificates, filter them by usage */
+		if ((x509->get_flags(x509) & X509_CLIENT_AUTH) &&
+			!(x509->get_flags(x509) & X509_CA))
+		{
+			keyid = x509->get_subjectKeyIdentifier(x509);
+			if (keyid.ptr)
+			{
+				/* try to find a private key by the certificate keyid */
+				priv->creds->set_pin(priv->creds, keyid, pin);
+				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+								KEY_ANY, BUILD_PKCS11_KEYID, keyid, BUILD_END);
+				if (key)
+				{
+					/* prefer a more convenient subjectAltName */
+					sans = x509->create_subjectAltName_enumerator(x509);
+					if (!sans->enumerate(sans, &id))
+					{
+						id = cert->get_subject(cert);
+					}
+					id = id->clone(id);
+					sans->destroy(sans);
+
+					DBG1(DBG_CFG, "using smartcard certificate '%Y'", id);
+					priv->creds->set_cert_and_key(priv->creds,
+												  cert->get_ref(cert), key);
+					break;
+				}
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return id;
+}
+
+/**
  * Connect function called from NM via DBUS
  */
 static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
@@ -224,7 +277,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	auth_class_t auth_class = AUTH_CLASS_EAP;
 	certificate_t *cert = NULL;
 	x509_t *x509;
-	bool agent = FALSE;
+	bool agent = FALSE, smartcard = FALSE;
 	lifetime_cfg_t lifetime = {
 		.time = {
 			.life = 10800 /* 3h */,
@@ -279,6 +332,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 		{
 			auth_class = AUTH_CLASS_PUBKEY;
 		}
+		else if (streq(str, "smartcard"))
+		{
+			auth_class = AUTH_CLASS_PUBKEY;
+			smartcard = TRUE;
+		}
 	}
 
 	/**
@@ -338,9 +396,26 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 
 	if (auth_class == AUTH_CLASS_PUBKEY)
 	{
+		if (smartcard)
+		{
+			char *pin;
+
+			pin = (char*)nm_setting_vpn_get_secret(vpn, "password");
+			if (pin)
+			{
+				user = find_smartcard_key(priv, pin);
+			}
+			if (!user)
+			{
+				g_set_error(err, NM_VPN_PLUGIN_ERROR,
+							NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+							"no usable smartcard certificate found.");
+				gateway->destroy(gateway);
+				return FALSE;
+			}
+		}
 		/* ... or certificate/private key authenitcation */
-		str = nm_setting_vpn_get_data_item(vpn, "usercert");
-		if (str)
+		else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert")))
 		{
 			public_key_t *public;
 			private_key_t *private = NULL;
@@ -380,16 +455,15 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 			str = nm_setting_vpn_get_data_item(vpn, "userkey");
 			if (!agent && str)
 			{
-				chunk_t secret;
+				char *secret;
 
-				secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
-				if (secret.ptr)
+				secret = (char*)nm_setting_vpn_get_secret(vpn, "password");
+				if (secret)
 				{
-					secret.len = strlen(secret.ptr);
+					priv->creds->set_key_password(priv->creds, secret);
 				}
 				private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								KEY_RSA, BUILD_FROM_FILE, str,
-								BUILD_PASSPHRASE, secret, BUILD_END);
+								KEY_RSA, BUILD_FROM_FILE, str, BUILD_END);
 				if (!private)
 				{
 					g_set_error(err, NM_VPN_PLUGIN_ERROR,
@@ -524,17 +598,10 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 			if (path)
 			{
 				private_key_t *key;
-				chunk_t secret;
 
-				secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
-				if (secret.ptr)
-				{
-					secret.len = strlen(secret.ptr);
-				}
 				/* try to load/decrypt the private key */
 				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								KEY_RSA, BUILD_FROM_FILE, path,
-								BUILD_PASSPHRASE, secret, BUILD_END);
+								KEY_RSA, BUILD_FROM_FILE, path, BUILD_END);
 				if (key)
 				{
 					key->destroy(key);
@@ -542,6 +609,13 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
 				}
 			}
 		}
+		else if streq(method, "smartcard")
+		{
+			if (nm_setting_vpn_get_secret(settings, "password"))
+			{
+				return FALSE;
+			}
+		}
 	}
 	*setting_name = NM_SETTING_VPN_SETTING_NAME;
 	return TRUE;
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 35fb8367f..f24e2d1e7 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 64820eb45..60937f23d 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -702,7 +702,7 @@ static job_requeue_t dispatch(private_smp_t *this)
 	fdp = malloc_thing(int);
 	*fdp = fd;
 	job = callback_job_create((callback_job_cb_t)process, fdp, free, this->job);
-	charon->processor->queue_job(charon->processor, (job_t*)job);
+	lib->processor->queue_job(lib->processor, (job_t*)job);
 
 	return JOB_REQUEUE_DIRECT;
 }
@@ -761,7 +761,7 @@ plugin_t *smp_plugin_create()
 	}
 
 	this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index df63d862e..bd85386b2 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/socket_default/socket_default_plugin.c b/src/libcharon/plugins/socket_default/socket_default_plugin.c
index 45390ddae..b5dea68b6 100644
--- a/src/libcharon/plugins/socket_default/socket_default_plugin.c
+++ b/src/libcharon/plugins/socket_default/socket_default_plugin.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -31,17 +33,13 @@ struct private_socket_default_plugin_t {
 	 */
 	socket_default_plugin_t public;
 
-	/**
-	 * Socket instance.
-	 */
-	socket_default_socket_t *socket;
 };
 
 METHOD(plugin_t, destroy, void,
 	private_socket_default_plugin_t *this)
 {
-	charon->socket->remove_socket(charon->socket, &this->socket->socket);
-	this->socket->destroy(this->socket);
+	charon->socket->remove_socket(charon->socket,
+						(socket_constructor_t)socket_default_socket_create);
 	free(this);
 }
 
@@ -53,16 +51,15 @@ plugin_t *socket_default_plugin_create()
 	private_socket_default_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
-		.socket = socket_default_socket_create(),
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 	);
 
-	if (!this->socket)
-	{
-		free(this);
-		return NULL;
-	}
-	charon->socket->add_socket(charon->socket, &this->socket->socket);
+	charon->socket->add_socket(charon->socket,
+						(socket_constructor_t)socket_default_socket_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index bc998182e..e95646643 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -42,11 +42,12 @@
 #include <sys/sysctl.h>
 #endif
 
+#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 
 /* Maximum size of a packet */
-#define MAX_PACKET 5000
+#define MAX_PACKET 10000
 
 /* length of non-esp marker */
 #define MARKER_LEN sizeof(u_int32_t)
@@ -116,12 +117,17 @@ struct private_socket_default_socket_t {
 	 * IPv6 socket for NATT (4500)
 	 */
 	int ipv6_natt;
+
+	/**
+	 * Maximum packet size to receive
+	 */
+	int max_packet;
 };
 
 METHOD(socket_t, receiver, status_t,
 	private_socket_default_socket_t *this, packet_t **packet)
 {
-	char buffer[MAX_PACKET];
+	char buffer[this->max_packet];
 	chunk_t data;
 	packet_t *pkt;
 	host_t *source = NULL, *dest = NULL;
@@ -195,7 +201,7 @@ METHOD(socket_t, receiver, status_t,
 		msg.msg_name = &src;
 		msg.msg_namelen = sizeof(src);
 		iov.iov_base = buffer;
-		iov.iov_len = sizeof(buffer);
+		iov.iov_len = this->max_packet;
 		msg.msg_iov = &iov;
 		msg.msg_iovlen = 1;
 		msg.msg_control = ancillary;
@@ -207,6 +213,11 @@ METHOD(socket_t, receiver, status_t,
 			DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
 			return FAILED;
 		}
+		if (msg.msg_flags & MSG_TRUNC)
+		{
+			DBG1(DBG_NET, "receive buffer too small, packet discarded");
+			return FAILED;
+		}
 		DBG3(DBG_NET, "received packet %b", buffer, bytes_read);
 
 		if (bytes_read < MARKER_LEN)
@@ -351,12 +362,6 @@ METHOD(socket_t, sender, status_t,
 		if (data.len != 1 || data.ptr[0] != 0xFF)
 		{
 			/* add non esp marker to packet */
-			if (data.len > MAX_PACKET - MARKER_LEN)
-			{
-				DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
-					 data.len);
-				return FAILED;
-			}
 			marked = chunk_alloc(data.len + MARKER_LEN);
 			memset(marked.ptr, 0, MARKER_LEN);
 			memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
@@ -521,8 +526,8 @@ static int open_socket(private_socket_default_socket_t *this,
 		}
 	}
 
-	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
-												 skt, family))
+	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
+												skt, family))
 	{
 		DBG1(DBG_NET, "installing IKE bypass policy failed");
 	}
@@ -541,7 +546,7 @@ static int open_socket(private_socket_default_socket_t *this,
 	return skt;
 }
 
-METHOD(socket_default_socket_t, destroy, void,
+METHOD(socket_t, destroy, void,
 	private_socket_default_socket_t *this)
 {
 	if (this->ipv4)
@@ -575,9 +580,11 @@ socket_default_socket_t *socket_default_socket_create()
 			.socket = {
 				.send = _sender,
 				.receive = _receiver,
+				.destroy = _destroy,
 			},
-			.destroy = _destroy,
 		},
+		.max_packet = lib->settings->get_int(lib->settings,
+										"charon.max_packet", MAX_PACKET),
 	);
 
 #ifdef __APPLE__
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.h b/src/libcharon/plugins/socket_default/socket_default_socket.h
index 755016662..89aa6f435 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.h
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.h
@@ -35,10 +35,6 @@ struct socket_default_socket_t {
 	 */
 	socket_t socket;
 
-	/**
-	 * Destroy a socket_default_socket_t.
-	 */
-	void (*destroy)(socket_default_socket_t *this);
 };
 
 /**
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 8a3a15188..8e0790671 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
index 3410fc7a4..a6ff14efd 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_plugin.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -31,17 +33,13 @@ struct private_socket_dynamic_plugin_t {
 	 */
 	socket_dynamic_plugin_t public;
 
-	/**
-	 * Socket instance.
-	 */
-	socket_dynamic_socket_t *socket;
 };
 
 METHOD(plugin_t, destroy, void,
 	private_socket_dynamic_plugin_t *this)
 {
-	charon->socket->remove_socket(charon->socket, &this->socket->socket);
-	this->socket->destroy(this->socket);
+	charon->socket->remove_socket(charon->socket,
+						(socket_constructor_t)socket_dynamic_socket_create);
 	free(this);
 }
 
@@ -53,16 +51,15 @@ plugin_t *socket_dynamic_plugin_create()
 	private_socket_dynamic_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
-		.socket = socket_dynamic_socket_create(),
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 	);
 
-	if (!this->socket)
-	{
-		free(this);
-		return NULL;
-	}
-	charon->socket->add_socket(charon->socket, &this->socket->socket);
+	charon->socket->add_socket(charon->socket,
+						(socket_constructor_t)socket_dynamic_socket_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
index a7db59ce5..74dba82cc 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2010 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -36,13 +36,14 @@
 #include <netinet/udp.h>
 #include <net/if.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 #include <threading/rwlock.h>
 #include <utils/hashtable.h>
 
 /* Maximum size of a packet */
-#define MAX_PACKET 5000
+#define MAX_PACKET 10000
 
 /* length of non-esp marker */
 #define MARKER_LEN sizeof(u_int32_t)
@@ -100,6 +101,11 @@ struct private_socket_dynamic_socket_t {
 	 * Notification pipe to signal receiver
 	 */
 	int notify[2];
+
+	/**
+	 * Maximum packet size to receive
+	 */
+	int max_packet;
 };
 
 /**
@@ -197,7 +203,7 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this,
 {
 	host_t *source = NULL, *dest = NULL;
 	ssize_t len;
-	char buffer[MAX_PACKET];
+	char buffer[this->max_packet];
 	chunk_t data;
 	packet_t *packet;
 	struct msghdr msg;
@@ -212,7 +218,7 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this,
 	msg.msg_name = &src;
 	msg.msg_namelen = sizeof(src);
 	iov.iov_base = buffer;
-	iov.iov_len = sizeof(buffer);
+	iov.iov_len = this->max_packet;
 	msg.msg_iov = &iov;
 	msg.msg_iovlen = 1;
 	msg.msg_control = ancillary;
@@ -224,6 +230,11 @@ static packet_t *receive_packet(private_socket_dynamic_socket_t *this,
 		DBG1(DBG_NET, "error reading socket: %s", strerror(errno));
 		return NULL;
 	}
+	if (msg.msg_flags & MSG_TRUNC)
+	{
+		DBG1(DBG_NET, "receive buffer too small, packet discarded");
+		return NULL;
+	}
 	DBG3(DBG_NET, "received packet %b", buffer, len);
 
 	if (len < MARKER_LEN)
@@ -412,8 +423,8 @@ static int open_socket(private_socket_dynamic_socket_t *this,
 		return 0;
 	}
 
-	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
-												 fd, family))
+	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
+												fd, family))
 	{
 		DBG1(DBG_NET, "installing IKE bypass policy failed");
 	}
@@ -495,12 +506,6 @@ METHOD(socket_t, sender, status_t,
 		!(data.len == 1 && data.ptr[0] == 0xFF))
 	{
 		/* add non esp marker to packet */
-		if (data.len > MAX_PACKET - MARKER_LEN)
-		{
-			DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
-				 data.len);
-			return FAILED;
-		}
 		marked = chunk_alloc(data.len + MARKER_LEN);
 		memset(marked.ptr, 0, MARKER_LEN);
 		memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
@@ -567,7 +572,7 @@ METHOD(socket_t, sender, status_t,
 	return SUCCESS;
 }
 
-METHOD(socket_dynamic_socket_t, destroy, void,
+METHOD(socket_t, destroy, void,
 	private_socket_dynamic_socket_t *this)
 {
 	enumerator_t *enumerator;
@@ -600,10 +605,12 @@ socket_dynamic_socket_t *socket_dynamic_socket_create()
 			.socket = {
 				.send = _sender,
 				.receive = _receiver,
+				.destroy = _destroy,
 			},
-			.destroy = _destroy,
 		},
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.max_packet = lib->settings->get_int(lib->settings,
+										"charon.max_packet", MAX_PACKET),
 	);
 
 	if (pipe(this->notify) != 0)
diff --git a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h
index 72551e545..8c93f53d6 100644
--- a/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h
+++ b/src/libcharon/plugins/socket_dynamic/socket_dynamic_socket.h
@@ -35,10 +35,6 @@ struct socket_dynamic_socket_t {
 	 */
 	socket_t socket;
 
-	/**
-	 * Destroy a socket_dynamic_socket_t.
-	 */
-	void (*destroy)(socket_dynamic_socket_t *this);
 };
 
 /**
diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in
index 32bd9e0a1..5f4cba131 100644
--- a/src/libcharon/plugins/socket_raw/Makefile.in
+++ b/src/libcharon/plugins/socket_raw/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
index 5b011abcf..17a3a8db7 100644
--- a/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
+++ b/src/libcharon/plugins/socket_raw/socket_raw_plugin.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -31,17 +33,13 @@ struct private_socket_raw_plugin_t {
 	 */
 	socket_raw_plugin_t public;
 
-	/**
-	 * Raw socket instance.
-	 */
-	socket_raw_socket_t *socket;
 };
 
 METHOD(plugin_t, destroy, void,
 	private_socket_raw_plugin_t *this)
 {
-	charon->socket->remove_socket(charon->socket, &this->socket->socket);
-	this->socket->destroy(this->socket);
+	charon->socket->remove_socket(charon->socket,
+							(socket_constructor_t)socket_raw_socket_create);
 	free(this);
 }
 
@@ -53,16 +51,15 @@ plugin_t *socket_raw_plugin_create()
 	private_socket_raw_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
-		.socket = socket_raw_socket_create(),
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 	);
 
-	if (!this->socket)
-	{
-		free(this);
-		return NULL;
-	}
-	charon->socket->add_socket(charon->socket, &this->socket->socket);
+	charon->socket->add_socket(charon->socket,
+							(socket_constructor_t)socket_raw_socket_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.c b/src/libcharon/plugins/socket_raw/socket_raw_socket.c
index 166870421..f6e87a86f 100644
--- a/src/libcharon/plugins/socket_raw/socket_raw_socket.c
+++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.c
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2005-2010 Martin Willi
+ * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -36,11 +37,12 @@
 #include <linux/filter.h>
 #include <net/if.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
 
 /* Maximum size of a packet */
-#define MAX_PACKET 5000
+#define MAX_PACKET 10000
 
 /* constants for packet handling */
 #define IP_LEN sizeof(struct iphdr)
@@ -119,12 +121,17 @@ struct private_socket_raw_socket_t {
 	 * send socket on nat-t port for IPv6
 	 */
 	int send6_natt;
+
+	/**
+	 * Maximum packet size to receive
+	 */
+	int max_packet;
 };
 
 METHOD(socket_t, receiver, status_t,
 	private_socket_raw_socket_t *this, packet_t **packet)
 {
-	char buffer[MAX_PACKET];
+	char buffer[this->max_packet];
 	chunk_t data;
 	packet_t *pkt;
 	struct udphdr *udp;
@@ -161,12 +168,17 @@ METHOD(socket_t, receiver, status_t,
 		struct iphdr *ip;
 		struct sockaddr_in src, dst;
 
-		bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
+		bytes_read = recv(this->recv4, buffer, this->max_packet, 0);
 		if (bytes_read < 0)
 		{
 			DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno));
 			return FAILED;
 		}
+		if (bytes_read == this->max_packet)
+		{
+			DBG1(DBG_NET, "receive buffer too small, packet discarded");
+			return FAILED;
+		}
 		DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
 
 		/* read source/dest from raw IP/UDP header */
@@ -216,7 +228,7 @@ METHOD(socket_t, receiver, status_t,
 		msg.msg_name = &src;
 		msg.msg_namelen = sizeof(src);
 		iov.iov_base = buffer;
-		iov.iov_len = sizeof(buffer);
+		iov.iov_len = this->max_packet;
 		msg.msg_iov = &iov;
 		msg.msg_iovlen = 1;
 		msg.msg_control = ancillary;
@@ -343,12 +355,6 @@ METHOD(socket_t, sender, status_t,
 		if (data.len != 1 || data.ptr[0] != 0xFF)
 		{
 			/* add non esp marker to packet */
-			if (data.len > MAX_PACKET - MARKER_LEN)
-			{
-				DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
-					 data.len);
-				return FAILED;
-			}
 			marked = chunk_alloc(data.len + MARKER_LEN);
 			memset(marked.ptr, 0, MARKER_LEN);
 			memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
@@ -492,8 +498,8 @@ static int open_send_socket(private_socket_raw_socket_t *this,
 		}
 	}
 
-	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
-												 skt, family))
+	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
+												skt, family))
 	{
 		DBG1(DBG_NET, "installing bypass policy on send socket failed");
 	}
@@ -598,8 +604,8 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family)
 		return 0;
 	}
 
-	if (!charon->kernel_interface->bypass_socket(charon->kernel_interface,
-												 skt, family))
+	if (!hydra->kernel_interface->bypass_socket(hydra->kernel_interface,
+												skt, family))
 	{
 		DBG1(DBG_NET, "installing bypass policy on receive socket failed");
 	}
@@ -607,7 +613,7 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family)
 	return skt;
 }
 
-METHOD(socket_raw_socket_t, destroy, void,
+METHOD(socket_t, destroy, void,
 	private_socket_raw_socket_t *this)
 {
 	if (this->recv4)
@@ -649,9 +655,11 @@ socket_raw_socket_t *socket_raw_socket_create()
 			.socket = {
 				.send = _sender,
 				.receive = _receiver,
+				.destroy = _destroy,
 			},
-			.destroy = _destroy,
 		},
+		.max_packet = lib->settings->get_int(lib->settings,
+										"charon.max_packet", MAX_PACKET),
 	);
 
 	this->recv4 = open_recv_socket(this, AF_INET);
diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.h b/src/libcharon/plugins/socket_raw/socket_raw_socket.h
index 94cf666e8..23ff304a8 100644
--- a/src/libcharon/plugins/socket_raw/socket_raw_socket.h
+++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.h
@@ -41,10 +41,6 @@ struct socket_raw_socket_t {
 	 */
 	socket_t socket;
 
-	/**
-	 * Destroy a socket_raw_socket_t.
-	 */
-	void (*destroy)(socket_raw_socket_t *this);
 };
 
 /**
diff --git a/src/libcharon/plugins/sql/Makefile.am b/src/libcharon/plugins/sql/Makefile.am
index 68b7e8cb2..37b87117c 100644
--- a/src/libcharon/plugins/sql/Makefile.am
+++ b/src/libcharon/plugins/sql/Makefile.am
@@ -2,9 +2,6 @@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
-
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-sql.la
 else
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index e32dc7b57..7c4521785 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -258,9 +274,6 @@ xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
 	-I$(top_srcdir)/src/libcharon
 
-AM_CFLAGS = -rdynamic \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
-
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-sql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-sql.la
 libstrongswan_sql_la_SOURCES = \
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index e094200ca..e6e98838b 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 617069432..165212a5e 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -15,6 +15,7 @@
 
 #include "stroke_config.h"
 
+#include <hydra.h>
 #include <daemon.h>
 #include <threading/mutex.h>
 #include <utils/lexparser.h>
@@ -199,8 +200,8 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 	host = host_create_from_dns(msg->add_conn.other.address, 0, 0);
 	if (host)
 	{
-		interface = charon->kernel_interface->get_interface(
-												charon->kernel_interface, host);
+		interface = hydra->kernel_interface->get_interface(
+												hydra->kernel_interface, host);
 		host->destroy(host);
 		if (interface)
 		{
@@ -215,8 +216,8 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
 			host = host_create_from_dns(msg->add_conn.me.address, 0, 0);
 			if (host)
 			{
-				interface = charon->kernel_interface->get_interface(
-												charon->kernel_interface, host);
+				interface = hydra->kernel_interface->get_interface(
+												hydra->kernel_interface, host);
 				host->destroy(host);
 				if (!interface)
 				{
@@ -362,7 +363,16 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			}
 		}
 		else
-		{	/* no second authentication round, fine */
+		{	/* no second authentication round, fine. But load certificates
+			 * for other purposes (EAP-TLS) */
+			if (cert)
+			{
+				certificate = this->cred->load_peer(this->cred, cert);
+				if (certificate)
+				{
+					certificate->destroy(certificate);
+				}
+			}
 			return NULL;
 		}
 	}
@@ -502,6 +512,11 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			}
 			cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
 		}
+		if (msg->add_conn.aaa_identity)
+		{
+			cfg->add(cfg, AUTH_RULE_AAA_IDENTITY,
+				identification_create_from_string(msg->add_conn.aaa_identity));
+		}
 	}
 	else
 	{
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index f64421551..e0398ba78 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -354,7 +354,7 @@ static void terminate_srcip(private_stroke_control_t *this,
 		}
 
 		/* schedule delete asynchronously */
-		charon->processor->queue_job(charon->processor, (job_t*)
+		lib->processor->queue_job(lib->processor, (job_t*)
 						delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE));
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 2816b9bb2..91e71f1f4 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -14,10 +14,15 @@
  * for more details.
  */
 
+#include <sys/types.h>
 #include <sys/stat.h>
 #include <limits.h>
 #include <glob.h>
 #include <libgen.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
 
 #include "stroke_cred.h"
 #include "stroke_shared_key.h"
@@ -25,6 +30,8 @@
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/ac.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/sets/callback_cred.h>
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
 #include <threading/rwlock.h>
@@ -88,7 +95,8 @@ struct private_stroke_cred_t {
 typedef struct {
 	private_stroke_cred_t *this;
 	identification_t *id;
-	certificate_type_t type;
+	certificate_type_t cert;
+	key_type_t key;
 } id_data_t;
 
 /**
@@ -109,15 +117,18 @@ static bool private_filter(id_data_t *data,
 	private_key_t *key;
 
 	key = *in;
-	if (data->id == NULL)
+	if (data->key == KEY_ANY || data->key == key->get_type(key))
 	{
-		*out = key;
-		return TRUE;
-	}
-	if (key->has_fingerprint(key, data->id->get_encoding(data->id)))
-	{
-		*out = key;
-		return TRUE;
+		if (data->id == NULL)
+		{
+			*out = key;
+			return TRUE;
+		}
+		if (key->has_fingerprint(key, data->id->get_encoding(data->id)))
+		{
+			*out = key;
+			return TRUE;
+		}
 	}
 	return FALSE;
 }
@@ -133,6 +144,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
 	data = malloc_thing(id_data_t);
 	data->this = this;
 	data->id = id;
+	data->key = type;
 
 	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->private->create_enumerator(this->private),
@@ -148,7 +160,7 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
 	public_key_t *public;
 	certificate_t *cert = *in;
 
-	if (data->type != CERT_ANY && data->type != cert->get_type(cert))
+	if (data->cert != CERT_ANY && data->cert != cert->get_type(cert))
 	{
 		return FALSE;
 	}
@@ -161,11 +173,14 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
 	public = cert->get_public_key(cert);
 	if (public)
 	{
-		if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
+		if (data->key == KEY_ANY || data->key != public->get_type(public))
 		{
-			public->destroy(public);
-			*out = *in;
-			return TRUE;
+			if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
+			{
+				public->destroy(public);
+				*out = *in;
+				return TRUE;
+			}
 		}
 		public->destroy(public);
 	}
@@ -188,7 +203,8 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
 	data = malloc_thing(id_data_t);
 	data->this = this;
 	data->id = id;
-	data->type = cert;
+	data->cert = cert;
+	data->key = key;
 
 	this->lock->read_lock(this->lock);
 	return enumerator_create_filter(this->certs->create_enumerator(this->certs),
@@ -667,47 +683,443 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
 }
 
 /**
- * Data to pass to passphrase_cb
+ * Data for passphrase callback
  */
 typedef struct {
 	/** socket we use for prompting */
 	FILE *prompt;
 	/** private key file */
-	char *file;
-	/** buffer for passphrase */
-	char buf[256];
+	char *path;
+	/** number of tries */
+	int try;
 } passphrase_cb_data_t;
 
 /**
- * Passphrase callback to read from whack fd
+ * Callback function to receive Passphrases
  */
-chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
+static shared_key_t* passphrase_cb(passphrase_cb_data_t *data,
+								shared_key_type_t type,
+								identification_t *me, identification_t *other,
+								id_match_t *match_me, id_match_t *match_other)
 {
-	chunk_t secret = chunk_empty;;
+	chunk_t secret;
+	char buf[256];
 
-	if (try > 5)
+	if (type != SHARED_ANY && type != SHARED_PRIVATE_KEY_PASS)
 	{
-		fprintf(data->prompt, "invalid passphrase, too many trials\n");
-		return chunk_empty;
+		return NULL;
 	}
-	if (try == 1)
+
+	if (data->try > 1)
 	{
-		fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file);
+		if (data->try > 5)
+		{
+			fprintf(data->prompt, "PIN invalid, giving up.\n");
+			return NULL;
+		}
+		fprintf(data->prompt, "PIN invalid!\n");
 	}
-	else
+	data->try++;
+	fprintf(data->prompt, "Private key '%s' is encrypted.\n", data->path);
+	fprintf(data->prompt, "Passphrase:\n");
+	if (fgets(buf, sizeof(buf), data->prompt))
 	{
-		fprintf(data->prompt, "invalid passphrase\n");
+		secret = chunk_create(buf, strlen(buf));
+		if (secret.len > 1)
+		{	/* trim appended \n */
+			secret.len--;
+			if (match_me)
+			{
+				*match_me = ID_MATCH_PERFECT;
+			}
+			if (match_other)
+			{
+				*match_other = ID_MATCH_NONE;
+			}
+			return shared_key_create(SHARED_PRIVATE_KEY_PASS, chunk_clone(secret));
+		}
 	}
-	fprintf(data->prompt, "Passphrase:\n");
-	if (fgets(data->buf, sizeof(data->buf), data->prompt))
+	return NULL;
+}
+
+/**
+ * Data for PIN callback
+ */
+typedef struct {
+	/** socket we use for prompting */
+	FILE *prompt;
+	/** card label */
+	char *card;
+	/** card keyid */
+	chunk_t keyid;
+	/** number of tries */
+	int try;
+} pin_cb_data_t;
+
+/**
+ * Callback function to receive PINs
+ */
+static shared_key_t* pin_cb(pin_cb_data_t *data, shared_key_type_t type,
+							identification_t *me, identification_t *other,
+							id_match_t *match_me, id_match_t *match_other)
+{
+	chunk_t secret;
+	char buf[256];
+
+	if (type != SHARED_ANY && type != SHARED_PIN)
+	{
+		return NULL;
+	}
+
+	if (!me || !chunk_equals(me->get_encoding(me), data->keyid))
+	{
+		return NULL;
+	}
+
+	if (data->try > 1)
+	{
+		fprintf(data->prompt, "PIN invalid, aborting.\n");
+		return NULL;
+	}
+	data->try++;
+	fprintf(data->prompt, "Login to '%s' required\n", data->card);
+	fprintf(data->prompt, "PIN:\n");
+	if (fgets(buf, sizeof(buf), data->prompt))
 	{
-		secret = chunk_create(data->buf, strlen(data->buf));
-		if (secret.len)
+		secret = chunk_create(buf, strlen(buf));
+		if (secret.len > 1)
 		{	/* trim appended \n */
 			secret.len--;
+			if (match_me)
+			{
+				*match_me = ID_MATCH_PERFECT;
+			}
+			if (match_other)
+			{
+				*match_other = ID_MATCH_NONE;
+			}
+			return shared_key_create(SHARED_PIN, chunk_clone(secret));
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Load a smartcard with a PIN
+ */
+static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr,
+					 FILE *prompt)
+{
+	chunk_t sc = chunk_empty, secret = chunk_empty;
+	char smartcard[64], keyid[64], module[64], *pos;
+	private_key_t *key = NULL;
+	u_int slot;
+	chunk_t chunk;
+	shared_key_t *shared;
+	identification_t *id;
+	mem_cred_t *mem = NULL;
+	callback_cred_t *cb = NULL;
+	pin_cb_data_t pin_data;
+	enum {
+		SC_FORMAT_SLOT_MODULE_KEYID,
+		SC_FORMAT_SLOT_KEYID,
+		SC_FORMAT_KEYID,
+	} format;
+
+	err_t ugh = extract_value(&sc, &line);
+
+	if (ugh != NULL)
+	{
+		DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+		return FALSE;
+	}
+	if (sc.len == 0)
+	{
+		DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr);
+		return FALSE;
+	}
+	snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
+	smartcard[sizeof(smartcard) - 1] = '\0';
+
+	/* parse slot and key id. Three formats are supported:
+	 * - %smartcard<slot>@<module>:<keyid>
+	 * - %smartcard<slot>:<keyid>
+	 * - %smartcard:<keyid>
+	 */
+	if (sscanf(smartcard, "%%smartcard%u@%s", &slot, module) == 2)
+	{
+		pos = strchr(module, ':');
+		if (!pos)
+		{
+			DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is "
+				 "invalid", line_nr);
+			return FALSE;
+		}
+		*pos = '\0';
+		strcpy(keyid, pos + 1);
+		format = SC_FORMAT_SLOT_MODULE_KEYID;
+	}
+	else if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
+	{
+		format = SC_FORMAT_SLOT_KEYID;
+	}
+	else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
+	{
+		format = SC_FORMAT_KEYID;
+	}
+	else
+	{
+		DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
+				" supported or invalid", line_nr);
+		return FALSE;
+	}
+
+	if (!eat_whitespace(&line))
+	{
+		DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
+		return FALSE;
+	}
+	ugh = extract_secret(&secret, &line);
+	if (ugh != NULL)
+	{
+		DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
+		return FALSE;
+	}
+
+	chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+	if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
+	{
+		free(secret.ptr);
+		if (!prompt)
+		{	/* no IO channel to prompt, skip */
+			free(chunk.ptr);
+			return TRUE;
+		}
+		/* use callback credential set to prompt for the pin */
+		pin_data.prompt = prompt;
+		pin_data.card = smartcard;
+		pin_data.keyid = chunk;
+		pin_data.try = 1;
+		cb = callback_cred_create_shared((void*)pin_cb, &pin_data);
+		lib->credmgr->add_local_set(lib->credmgr, &cb->set);
+	}
+	else
+	{
+		/* provide our pin in a temporary credential set */
+		shared = shared_key_create(SHARED_PIN, secret);
+		id = identification_create_from_encoding(ID_KEY_ID, chunk);
+		mem = mem_cred_create();
+		mem->add_shared(mem, shared, id, NULL);
+		lib->credmgr->add_local_set(lib->credmgr, &mem->set);
+	}
+
+	/* unlock: smartcard needs the pin and potentially calls public set */
+	this->lock->unlock(this->lock);
+	switch (format)
+	{
+		case SC_FORMAT_SLOT_MODULE_KEYID:
+			key = lib->creds->create(lib->creds,
+							CRED_PRIVATE_KEY, KEY_ANY,
+							BUILD_PKCS11_SLOT, slot,
+							BUILD_PKCS11_MODULE, module,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+		case SC_FORMAT_SLOT_KEYID:
+			key = lib->creds->create(lib->creds,
+							CRED_PRIVATE_KEY, KEY_ANY,
+							BUILD_PKCS11_SLOT, slot,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+		case SC_FORMAT_KEYID:
+			key = lib->creds->create(lib->creds,
+							CRED_PRIVATE_KEY, KEY_ANY,
+							BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			break;
+	}
+	this->lock->write_lock(this->lock);
+	if (mem)
+	{
+		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
+		mem->destroy(mem);
+	}
+	if (cb)
+	{
+		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
+		cb->destroy(cb);
+	}
+
+	if (key)
+	{
+		DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
+		this->private->insert_last(this->private, key);
+	}
+	return TRUE;
+}
+
+/**
+ * Load a private key
+ */
+static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr,
+						 FILE *prompt, key_type_t key_type)
+{
+	char path[PATH_MAX];
+	chunk_t filename;
+	chunk_t secret = chunk_empty;
+	private_key_t *key;
+
+	err_t ugh = extract_value(&filename, &line);
+
+	if (ugh != NULL)
+	{
+		DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+		return FALSE;
+	}
+	if (filename.len == 0)
+	{
+		DBG1(DBG_CFG, "line %d: empty filename", line_nr);
+		return FALSE;
+	}
+	if (*filename.ptr == '/')
+	{
+		/* absolute path name */
+		snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
+	}
+	else
+	{
+		/* relative path name */
+		snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
+				 filename.len, filename.ptr);
+	}
+
+	/* check for optional passphrase */
+	if (eat_whitespace(&line))
+	{
+		ugh = extract_secret(&secret, &line);
+		if (ugh != NULL)
+		{
+			DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
+			return FALSE;
+		}
+	}
+	if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
+	{
+		callback_cred_t *cb = NULL;
+		passphrase_cb_data_t pp_data = {
+			.prompt = prompt,
+			.path = path,
+			.try = 1,
+		};
+
+		free(secret.ptr);
+		if (!prompt)
+		{
+			return TRUE;
+		}
+		/* use callback credential set to prompt for the passphrase */
+		pp_data.prompt = prompt;
+		pp_data.path = path;
+		pp_data.try = 1;
+		cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data);
+		lib->credmgr->add_local_set(lib->credmgr, &cb->set);
+
+		/* unlock, as the builder might ask for a secret */
+		this->lock->unlock(this->lock);
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+		this->lock->write_lock(this->lock);
+
+		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
+		cb->destroy(cb);
+	}
+	else
+	{
+		mem_cred_t *mem = NULL;
+		shared_key_t *shared;
+
+		/* provide our pin in a temporary credential set */
+		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, secret);
+		mem = mem_cred_create();
+		mem->add_shared(mem, shared, NULL);
+		lib->credmgr->add_local_set(lib->credmgr, &mem->set);
+
+		/* unlock, as the builder might ask for a secret */
+		this->lock->unlock(this->lock);
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+		this->lock->write_lock(this->lock);
+
+		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
+		mem->destroy(mem);
+	}
+	if (key)
+	{
+		DBG1(DBG_CFG, "  loaded %N private key from '%s'",
+			 key_type_names, key->get_type(key), path);
+		this->private->insert_last(this->private, key);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "  loading private key from '%s' failed", path);
+	}
+	return TRUE;
+}
+
+/**
+ * Load a shared key
+ */
+static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr,
+						shared_key_type_t type, chunk_t ids)
+{
+	stroke_shared_key_t *shared_key;
+	chunk_t secret = chunk_empty;
+	bool any = TRUE;
+
+	err_t ugh = extract_secret(&secret, &line);
+	if (ugh != NULL)
+	{
+		DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
+		return FALSE;
+	}
+	shared_key = stroke_shared_key_create(type, secret);
+	DBG1(DBG_CFG, "  loaded %N secret for %s", shared_key_type_names, type,
+		 ids.len > 0 ? (char*)ids.ptr : "%any");
+	DBG4(DBG_CFG, "  secret: %#B", &secret);
+
+	this->shared->insert_last(this->shared, shared_key);
+	while (ids.len > 0)
+	{
+		chunk_t id;
+		identification_t *peer_id;
+
+		ugh = extract_value(&id, &ids);
+		if (ugh != NULL)
+		{
+			DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+			return FALSE;
+		}
+		if (id.len == 0)
+		{
+			continue;
+		}
+
+		/* NULL terminate the ID string */
+		*(id.ptr + id.len) = '\0';
+		peer_id = identification_create_from_string(id.ptr);
+		if (peer_id->get_type(peer_id) == ID_ANY)
+		{
+			peer_id->destroy(peer_id);
+			continue;
 		}
+
+		shared_key->add_owner(shared_key, peer_id);
+		any = FALSE;
+	}
+	if (any)
+	{
+		shared_key->add_owner(shared_key,
+					identification_create_from_encoding(ID_ANY, chunk_empty));
 	}
-	return secret;
+	return TRUE;
 }
 
 /**
@@ -716,30 +1128,36 @@ chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
 static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 						 FILE *prompt)
 {
-	size_t bytes;
-	int line_nr = 0;
-	chunk_t chunk, src, line;
-	FILE *fd;
+	int line_nr = 0, fd;
+	chunk_t src, line;
 	private_key_t *private;
 	shared_key_t *shared;
+	struct stat sb;
+	void *addr;
 
 	DBG1(DBG_CFG, "loading secrets from '%s'", file);
-
-	fd = fopen(file, "r");
-	if (fd == NULL)
+	fd = open(file, O_RDONLY);
+	if (fd == -1)
 	{
-		DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
+		DBG1(DBG_CFG, "opening secrets file '%s' failed: %s", file,
+			 strerror(errno));
 		return;
 	}
-
-	/* TODO: do error checks */
-	fseek(fd, 0, SEEK_END);
-	chunk.len = ftell(fd);
-	rewind(fd);
-	chunk.ptr = malloc(chunk.len);
-	bytes = fread(chunk.ptr, 1, chunk.len, fd);
-	fclose(fd);
-	src = chunk;
+	if (fstat(fd, &sb) == -1)
+	{
+		DBG1(DBG_LIB, "getting file size of '%s' failed: %s", file,
+			 strerror(errno));
+		close(fd);
+		return;
+	}
+	addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+	if (addr == MAP_FAILED)
+	{
+		DBG1(DBG_LIB, "mapping '%s' failed: %s", file, strerror(errno));
+		close(fd);
+		return;
+	}
+	src = chunk_create(addr, sb.st_size);
 
 	if (level == 0)
 	{
@@ -844,223 +1262,52 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
 		else
 		{
 			DBG1(DBG_CFG, "line %d: missing ' : ' separator", line_nr);
-			goto error;
+			break;
 		}
 
 		if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
 		{
 			DBG1(DBG_CFG, "line %d: missing token", line_nr);
-			goto error;
+			break;
 		}
 		if (match("RSA", &token) || match("ECDSA", &token))
 		{
-			char path[PATH_MAX];
-			chunk_t filename;
-			chunk_t secret = chunk_empty;
-			private_key_t *key = NULL;
-			key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA;
-
-			err_t ugh = extract_value(&filename, &line);
-
-			if (ugh != NULL)
-			{
-				DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
-				goto error;
-			}
-			if (filename.len == 0)
-			{
-				DBG1(DBG_CFG, "line %d: empty filename", line_nr);
-				goto error;
-			}
-			if (*filename.ptr == '/')
-			{
-				/* absolute path name */
-				snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
-			}
-			else
-			{
-				/* relative path name */
-				snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
-						 filename.len, filename.ptr);
-			}
-
-			/* check for optional passphrase */
-			if (eat_whitespace(&line))
-			{
-				ugh = extract_secret(&secret, &line);
-				if (ugh != NULL)
-				{
-					DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
-					goto error;
-				}
-			}
-			if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
-			{
-				if (prompt)
-				{
-					passphrase_cb_data_t data;
-
-					data.prompt = prompt;
-					data.file = path;
-					key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-											 key_type, BUILD_FROM_FILE, path,
-											 BUILD_PASSPHRASE_CALLBACK,
-											 passphrase_cb, &data, BUILD_END);
-				}
-			}
-			else
-			{
-				key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
-										 BUILD_FROM_FILE, path,
-										 BUILD_PASSPHRASE, secret, BUILD_END);
-			}
-			if (key)
+			if (!load_private(this, line, line_nr, prompt,
+							  match("RSA", &token) ? KEY_RSA : KEY_ECDSA))
 			{
-				DBG1(DBG_CFG, "  loaded %N private key from '%s'",
-					 key_type_names, key->get_type(key), path);
-				this->private->insert_last(this->private, key);
-			}
-			else
-			{
-				DBG1(DBG_CFG, "  loading private key from '%s' failed", path);
+				break;
 			}
-			chunk_clear(&secret);
 		}
 		else if (match("PIN", &token))
 		{
-			chunk_t sc = chunk_empty, secret = chunk_empty;
-			char smartcard[32], keyid[22], pin[32];
-			private_key_t *key;
-			u_int slot;
-
-			err_t ugh = extract_value(&sc, &line);
-
-			if (ugh != NULL)
-			{
-				DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
-				goto error;
-			}
-			if (sc.len == 0)
-			{
-				DBG1(DBG_CFG, "line %d: expected %%smartcard specifier", line_nr);
-				goto error;
-			}
-			snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
-			smartcard[sizeof(smartcard) - 1] = '\0';
-
-			/* parse slot and key id. only two formats are supported.
-			 * first try %smartcard<slot>:<keyid> */
-			if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
-			{
-				snprintf(smartcard, sizeof(smartcard), "%u:%s", slot, keyid);
-			}
-			/* then try %smartcard:<keyid> */
-			else if (sscanf(smartcard, "%%smartcard:%s", keyid) == 1)
-			{
-				snprintf(smartcard, sizeof(smartcard), "%s", keyid);
-			}
-			else
-			{
-				DBG1(DBG_CFG, "line %d: the given %%smartcard specifier is not"
-						" supported or invalid", line_nr);
-				goto error;
-			}
-
-			if (!eat_whitespace(&line))
-			{
-				DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
-				goto error;
-			}
-			ugh = extract_secret(&secret, &line);
-			if (ugh != NULL)
+			if (!load_pin(this, line, line_nr, prompt))
 			{
-				DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
-				goto error;
-			}
-			snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
-			pin[sizeof(pin) - 1] = '\0';
-
-			/* we assume an RSA key */
-			key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-									 BUILD_SMARTCARD_KEYID, smartcard,
-									 BUILD_SMARTCARD_PIN, pin, BUILD_END);
-
-			if (key)
-			{
-				DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
-				this->private->insert_last(this->private, key);
+				break;
 			}
-			memset(pin, 0, sizeof(pin));
-			chunk_clear(&secret);
 		}
 		else if ((match("PSK", &token) && (type = SHARED_IKE)) ||
 				 (match("EAP", &token) && (type = SHARED_EAP)) ||
 				 (match("NTLM", &token) && (type = SHARED_NT_HASH)) ||
 				 (match("XAUTH", &token) && (type = SHARED_EAP)))
 		{
-			stroke_shared_key_t *shared_key;
-			chunk_t secret = chunk_empty;
-			bool any = TRUE;
-
-			err_t ugh = extract_secret(&secret, &line);
-			if (ugh != NULL)
-			{
-				DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
-				goto error;
-			}
-			shared_key = stroke_shared_key_create(type, secret);
-			DBG1(DBG_CFG, "  loaded %N secret for %s", shared_key_type_names, type,
-				 ids.len > 0 ? (char*)ids.ptr : "%any");
-			DBG4(DBG_CFG, "  secret: %#B", &secret);
-
-			this->shared->insert_last(this->shared, shared_key);
-			while (ids.len > 0)
+			if (!load_shared(this, line, line_nr, type, ids))
 			{
-				chunk_t id;
-				identification_t *peer_id;
-
-				ugh = extract_value(&id, &ids);
-				if (ugh != NULL)
-				{
-					DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
-					goto error;
-				}
-				if (id.len == 0)
-				{
-					continue;
-				}
-
-				/* NULL terminate the ID string */
-				*(id.ptr + id.len) = '\0';
-				peer_id = identification_create_from_string(id.ptr);
-				if (peer_id->get_type(peer_id) == ID_ANY)
-				{
-					peer_id->destroy(peer_id);
-					continue;
-				}
-
-				shared_key->add_owner(shared_key, peer_id);
-				any = FALSE;
-			}
-			if (any)
-			{
-				shared_key->add_owner(shared_key,
-					identification_create_from_encoding(ID_ANY, chunk_empty));
+				break;
 			}
 		}
 		else
 		{
 			DBG1(DBG_CFG, "line %d: token must be either "
 				 "RSA, ECDSA, PSK, EAP, XAUTH or PIN", line_nr);
-			goto error;
+			break;
 		}
 	}
-error:
 	if (level == 0)
 	{
 		this->lock->unlock(this->lock);
 	}
-	chunk_clear(&chunk);
+	munmap(addr, sb.st_size);
+	close(fd);
 }
 
 /**
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index a6de35466..86deea490 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -21,6 +21,7 @@
 #include <malloc.h>
 #endif /* HAVE_MALLINFO */
 
+#include <hydra.h>
 #include <daemon.h>
 #include <utils/linked_list.h>
 #include <credentials/certificates/x509.h>
@@ -422,12 +423,12 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		}
 #endif /* HAVE_MALLINFO */
 		fprintf(out, "  worker threads: %d idle of %d,",
-				charon->processor->get_idle_threads(charon->processor),
-				charon->processor->get_total_threads(charon->processor));
+				lib->processor->get_idle_threads(lib->processor),
+				lib->processor->get_total_threads(lib->processor));
 		fprintf(out, " job queue load: %d,",
-				charon->processor->get_job_load(charon->processor));
+				lib->processor->get_job_load(lib->processor));
 		fprintf(out, " scheduled events: %d\n",
-				charon->scheduler->get_job_load(charon->scheduler));
+				lib->scheduler->get_job_load(lib->scheduler));
 		fprintf(out, "  loaded plugins: ");
 		enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
 		while (enumerator->enumerate(enumerator, &plugin))
@@ -454,8 +455,8 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
 		}
 		enumerator->destroy(enumerator);
 
-		enumerator = charon->kernel_interface->create_address_enumerator(
-								charon->kernel_interface, FALSE, FALSE);
+		enumerator = hydra->kernel_interface->create_address_enumerator(
+									hydra->kernel_interface, FALSE, FALSE);
 		fprintf(out, "Listening IP addresses:\n");
 		while (enumerator->enumerate(enumerator, (void**)&host))
 		{
@@ -638,7 +639,7 @@ static void list_public_key(public_key_t *public, FILE *out)
 
 	fprintf(out, "  pubkey:    %N %d bits%s\n",
 			key_type_names, public->get_type(public),
-			public->get_keysize(public) * 8,
+			public->get_keysize(public),
 			private ? ", has private key" : "");
 	if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
 	{
@@ -1026,9 +1027,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
  */
 static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
 {
-	bool first = TRUE;
+	bool first = TRUE, ok;
 	enumerator_t *enumerator = list->create_enumerator(list);
 	certificate_t *cert;
+	time_t produced, usable, now = time(NULL);
 
 	while (enumerator->enumerate(enumerator, (void**)&cert))
 	{
@@ -1039,8 +1041,20 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
 			fprintf(out, "\n");
 			first = FALSE;
 		}
-
 		fprintf(out, "  signer:   \"%Y\"\n", cert->get_issuer(cert));
+
+		/* check validity */
+		ok = cert->get_validity(cert, &now, &produced, &usable);
+		fprintf(out, "  validity:  produced at %T\n", &produced, utc);
+		fprintf(out, "             usable till %T, ", &usable, utc);
+		if (ok)
+		{
+			fprintf(out, "ok\n");
+		}
+		else
+		{
+			fprintf(out, "expired (%V ago)\n", &now, &usable);
+		}
 	}
 	enumerator->destroy(enumerator);
 }
@@ -1073,6 +1087,13 @@ static void list_algs(FILE *out)
 		fprintf(out, "%N ", integrity_algorithm_names, integrity);
 	}
 	enumerator->destroy(enumerator);
+	fprintf(out, "\n  aead:       ");
+	enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &encryption))
+	{
+		fprintf(out, "%N ", encryption_algorithm_names, encryption);
+	}
+	enumerator->destroy(enumerator);
 	fprintf(out, "\n  hasher:     ");
 	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
 	while (enumerator->enumerate(enumerator, &hash))
@@ -1184,7 +1205,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
 	bool on;
 	int found = 0;
 
-	fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n",
+	fprintf(out, "Leases in pool '%s', usage: %u/%u, %u online\n",
 			pool, online + offline, size, online);
 	enumerator = this->attribute->create_lease_enumerator(this->attribute, pool);
 	while (enumerator && enumerator->enumerate(enumerator, &id, &lease, &on))
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 18afa5af4..0a5110fd3 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -24,10 +24,10 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <processing/jobs/callback_job.h>
 #include <hydra.h>
 #include <daemon.h>
 #include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
 
 #include "stroke_config.h"
 #include "stroke_control.h"
@@ -180,11 +180,13 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
 	pop_end(msg, "left", &msg->add_conn.me);
 	pop_end(msg, "right", &msg->add_conn.other);
 	pop_string(msg, &msg->add_conn.eap_identity);
+	pop_string(msg, &msg->add_conn.aaa_identity);
 	pop_string(msg, &msg->add_conn.algorithms.ike);
 	pop_string(msg, &msg->add_conn.algorithms.esp);
 	pop_string(msg, &msg->add_conn.ikeme.mediated_by);
 	pop_string(msg, &msg->add_conn.ikeme.peerid);
 	DBG2(DBG_CFG, "  eap_identity=%s", msg->add_conn.eap_identity);
+	DBG2(DBG_CFG, "  aaa_identity=%s", msg->add_conn.aaa_identity);
 	DBG2(DBG_CFG, "  ike=%s", msg->add_conn.algorithms.ike);
 	DBG2(DBG_CFG, "  esp=%s", msg->add_conn.algorithms.esp);
 	DBG2(DBG_CFG, "  mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
@@ -353,6 +355,37 @@ static void stroke_purge(private_stroke_socket_t *this,
 }
 
 /**
+ * Export in-memory credentials
+ */
+static void stroke_export(private_stroke_socket_t *this,
+						  stroke_msg_t *msg, FILE *out)
+{
+	pop_string(msg, &msg->export.selector);
+
+	if (msg->purge.flags & EXPORT_X509)
+	{
+		enumerator_t *enumerator;
+		identification_t *id;
+		certificate_t *cert;
+		chunk_t encoded;
+
+		id = identification_create_from_string(msg->export.selector);
+		enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+												CERT_X509, KEY_ANY, id, FALSE);
+		while (enumerator->enumerate(enumerator, &cert))
+		{
+			if (cert->get_encoding(cert, CERT_PEM, &encoded))
+			{
+				fprintf(out, "%.*s", encoded.len, encoded.ptr);
+				free(encoded.ptr);
+			}
+		}
+		enumerator->destroy(enumerator);
+		id->destroy(id);
+	}
+}
+
+/**
  * list pool leases
  */
 static void stroke_leases(private_stroke_socket_t *this,
@@ -364,21 +397,6 @@ static void stroke_leases(private_stroke_socket_t *this,
 	this->list->leases(this->list, msg, out);
 }
 
-debug_t get_group_from_name(char *type)
-{
-	if (strcaseeq(type, "any")) return DBG_ANY;
-	else if (strcaseeq(type, "mgr")) return DBG_MGR;
-	else if (strcaseeq(type, "ike")) return DBG_IKE;
-	else if (strcaseeq(type, "chd")) return DBG_CHD;
-	else if (strcaseeq(type, "job")) return DBG_JOB;
-	else if (strcaseeq(type, "cfg")) return DBG_CFG;
-	else if (strcaseeq(type, "knl")) return DBG_KNL;
-	else if (strcaseeq(type, "net")) return DBG_NET;
-	else if (strcaseeq(type, "enc")) return DBG_ENC;
-	else if (strcaseeq(type, "lib")) return DBG_LIB;
-	else return -1;
-}
-
 /**
  * set the verbosity debug output
  */
@@ -394,7 +412,7 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 	DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
 		 msg->loglevel.level, msg->loglevel.type);
 
-	group = get_group_from_name(msg->loglevel.type);
+	group = enum_from_name(debug_names, msg->loglevel.type);
 	if (group < 0)
 	{
 		fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
@@ -525,6 +543,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 		case STR_PURGE:
 			stroke_purge(this, msg, out);
 			break;
+		case STR_EXPORT:
+			stroke_export(this, msg, out);
+			break;
 		case STR_LEASES:
 			stroke_leases(this, msg, out);
 			break;
@@ -565,7 +586,7 @@ static job_requeue_t receive(private_stroke_socket_t *this)
 	ctx->this = this;
 	job = callback_job_create((callback_job_cb_t)process,
 							  ctx, (void*)stroke_job_context_destroy, this->job);
-	charon->processor->queue_job(charon->processor, (job_t*)job);
+	lib->processor->queue_job(lib->processor, (job_t*)job);
 
 	return JOB_REQUEUE_FAIR;
 }
@@ -663,7 +684,7 @@ stroke_socket_t *stroke_socket_create()
 
 	this->job = callback_job_create((callback_job_cb_t)receive,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am
new file mode 100644
index 000000000..ca8869460
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/Makefile.am
@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+
+libstrongswan_tnc_imc_la_LIBADD = -ltnc
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnc-imc.la
+endif
+
+libstrongswan_tnc_imc_la_SOURCES = \
+	tnc_imc_plugin.h tnc_imc_plugin.c
+
+libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in
new file mode 100644
index 000000000..9a8794e93
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/Makefile.in
@@ -0,0 +1,603 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/tnc_imc
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_tnc_imc_la_DEPENDENCIES =
+am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo
+libstrongswan_tnc_imc_la_OBJECTS =  \
+	$(am_libstrongswan_tnc_imc_la_OBJECTS)
+libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_tnc_imc_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_tnc_imc_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_tnc_imc_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_tnc_imc_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_tnc_imc_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+libstrongswan_tnc_imc_la_LIBADD = -ltnc
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imc.la
+libstrongswan_tnc_imc_la_SOURCES = \
+	tnc_imc_plugin.h tnc_imc_plugin.c
+
+libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imc/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imc/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-tnc-imc.la: $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_DEPENDENCIES) 
+	$(libstrongswan_tnc_imc_la_LINK) $(am_libstrongswan_tnc_imc_la_rpath) $(libstrongswan_tnc_imc_la_OBJECTS) $(libstrongswan_tnc_imc_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
new file mode 100644
index 000000000..0ce930ba3
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imc_plugin.h"
+
+#include <libtnctncc.h>
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnc_imc_plugin_t *this)
+{
+	libtnc_tncc_Terminate();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnc_imc_plugin_create()
+{
+	char *tnc_config, *pref_lang;
+	tnc_imc_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	pref_lang = lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imc.preferred_language", "en");
+	tnc_config = lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imc.tnc_config", "/etc/tnc_config");
+
+	if (libtnc_tncc_Initialize(tnc_config) != TNC_RESULT_SUCCESS)
+	{
+		free(this);
+		DBG1(DBG_TNC, "TNC IMC initialization failed");
+		return NULL;
+	}
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h
new file mode 100644
index 000000000..8c5521cb2
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_imc tnc_imc
+ * @ingroup cplugins
+ *
+ * @defgroup tnc_imc_plugin tnc_imc_plugin
+ * @{ @ingroup tnc_imc
+ */
+
+#ifndef TNC_IMC_PLUGIN_H_
+#define TNC_IMC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnc_imc_plugin_t tnc_imc_plugin_t;
+
+/**
+ * TNC IMC plugin
+ */
+struct tnc_imc_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNC_IMC_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am
new file mode 100644
index 000000000..9c3b47364
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/Makefile.am
@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+
+libstrongswan_tnc_imv_la_LIBADD = -ltnc
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
+endif
+
+libstrongswan_tnc_imv_la_SOURCES = \
+	tnc_imv_plugin.h tnc_imv_plugin.c
+
+libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
new file mode 100644
index 000000000..f89b5e03b
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -0,0 +1,603 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/tnc_imv
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_tnc_imv_la_DEPENDENCIES =
+am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo
+libstrongswan_tnc_imv_la_OBJECTS =  \
+	$(am_libstrongswan_tnc_imv_la_OBJECTS)
+libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_tnc_imv_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_tnc_imv_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_tnc_imv_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_tnc_imv_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_tnc_imv_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+libstrongswan_tnc_imv_la_LIBADD = -ltnc
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
+libstrongswan_tnc_imv_la_SOURCES = \
+	tnc_imv_plugin.h tnc_imv_plugin.c
+
+libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imv/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/tnc_imv/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-tnc-imv.la: $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_DEPENDENCIES) 
+	$(libstrongswan_tnc_imv_la_LINK) $(am_libstrongswan_tnc_imv_la_rpath) $(libstrongswan_tnc_imv_la_OBJECTS) $(libstrongswan_tnc_imv_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
new file mode 100644
index 000000000..5b3d3892d
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv_plugin.h"
+
+#include <libtnctncs.h>
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnc_imv_plugin_t *this)
+{
+	libtnc_tncs_Terminate();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnc_imv_plugin_create()
+{
+	char *tnc_config;
+	tnc_imv_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	tnc_config = lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config");
+	if (libtnc_tncs_Initialize(tnc_config) != TNC_RESULT_SUCCESS)
+	{
+		free(this);
+		DBG1(DBG_TNC, "TNC IMV initialization failed");
+		return NULL;
+	}
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h
new file mode 100644
index 000000000..afeee2ea2
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_imv tnc_imv
+ * @ingroup cplugins
+ *
+ * @defgroup tnc_imv_plugin tnc_imv_plugin
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_PLUGIN_H_
+#define TNC_IMV_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnc_imv_plugin_t tnc_imv_plugin_t;
+
+/**
+ * TNC IMV plugin
+ */
+struct tnc_imv_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNC_IMV_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.am b/src/libcharon/plugins/tnccs_11/Makefile.am
new file mode 100644
index 000000000..7ccd0dfee
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+	`xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+
+libstrongswan_tnccs_11_la_LIBADD = -ltnc
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnccs-11.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnccs-11.la
+libstrongswan_tnccs_11_la_LIBADD += $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_tnccs_11_la_SOURCES = \
+	tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c
+
+libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in
new file mode 100644
index 000000000..200ff7a0a
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/Makefile.in
@@ -0,0 +1,607 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la
+subdir = src/libcharon/plugins/tnccs_11
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__append_1)
+am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo
+libstrongswan_tnccs_11_la_OBJECTS =  \
+	$(am_libstrongswan_tnccs_11_la_OBJECTS)
+libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_11_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_tnccs_11_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_tnccs_11_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_tnccs_11_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_tnccs_11_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+	`xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+libstrongswan_tnccs_11_la_LIBADD = -ltnc $(am__append_1)
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-11.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-11.la
+libstrongswan_tnccs_11_la_SOURCES = \
+	tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c
+
+libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_11/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_11/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-tnccs-11.la: $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_DEPENDENCIES) 
+	$(libstrongswan_tnccs_11_la_LINK) $(am_libstrongswan_tnccs_11_la_rpath) $(libstrongswan_tnccs_11_la_OBJECTS) $(libstrongswan_tnccs_11_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c
new file mode 100644
index 000000000..704bf64ed
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c
@@ -0,0 +1,328 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_11.h"
+
+#include <libtnctncc.h>
+#include <libtnctncs.h>
+
+#include <daemon.h>
+#include <debug.h>
+
+#define TNC_SEND_BUFFER_SIZE	32
+
+static chunk_t tnc_send_buffer[TNC_SEND_BUFFER_SIZE];
+
+/**
+ * Buffers TNCCS batch to be sent (TODO make the buffer scalable)
+ */
+static TNC_Result buffer_batch(u_int32_t id, const char *data, size_t len)
+{
+	if (id >= TNC_SEND_BUFFER_SIZE)
+	{
+		DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be stored in "
+					  "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE);
+		return TNC_RESULT_FATAL;
+	}
+	if (tnc_send_buffer[id].ptr)
+	{
+		DBG1(DBG_TNC, "send buffer slot for Connection ID %u is already "
+					  "occupied", id);
+		return TNC_RESULT_FATAL;
+	}
+	tnc_send_buffer[id] = chunk_alloc(len);
+	memcpy(tnc_send_buffer[id].ptr, data, len);
+
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * Retrieves TNCCS batch to be sent
+ */
+static bool retrieve_batch(u_int32_t id, chunk_t *batch)
+{
+	if (id >= TNC_SEND_BUFFER_SIZE)
+	{
+		DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be retrieved from "
+					  "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE);
+		return FALSE;
+	}
+
+	*batch = tnc_send_buffer[id];
+	return TRUE;
+}
+
+/**
+ * Frees TNCCS batch that was sent
+ */
+static void free_batch(u_int32_t id)
+{
+	if (id < TNC_SEND_BUFFER_SIZE)
+	{
+		chunk_free(&tnc_send_buffer[id]);
+	}
+}
+
+/**
+ * Define callback functions called by the libtnc library
+ */
+TNC_Result TNC_TNCC_SendBatch(libtnc_tncc_connection* conn, 
+							  const char* messageBuffer, size_t messageLength)
+{
+	return buffer_batch(conn->connectionID, messageBuffer, messageLength);
+}
+
+TNC_Result TNC_TNCS_SendBatch(libtnc_tncs_connection* conn, 
+							  const char* messageBuffer, size_t messageLength)
+{
+	return buffer_batch(conn->connectionID, messageBuffer, messageLength);
+}
+
+typedef struct private_tnccs_11_t private_tnccs_11_t;
+
+/**
+ * Private data of a tnccs_11_t object.
+ */
+struct private_tnccs_11_t {
+
+	/**
+	 * Public tls_t interface.
+	 */
+	tls_t public;
+
+	/**
+	 * TNCC if TRUE, TNCS if FALSE
+	 */
+	bool is_server;
+
+	/**
+	 * TNCC Connection to IMCs
+	 */
+	libtnc_tncc_connection* tncc_connection;
+
+	/**
+	 * TNCS Connection to IMVs
+	 */
+	libtnc_tncs_connection* tncs_connection;
+};
+
+METHOD(tls_t, process, status_t,
+	private_tnccs_11_t *this, void *buf, size_t buflen)
+{
+	u_int32_t conn_id;
+
+	if (this->is_server && !this->tncs_connection)
+	{
+		this->tncs_connection = libtnc_tncs_CreateConnection(NULL);
+		if (!this->tncs_connection)
+		{
+			DBG1(DBG_TNC, "TNCS CreateConnection failed");
+			return FAILED;
+		}
+		DBG1(DBG_TNC, "assigned TNCS Connection ID %u",
+					   this->tncs_connection->connectionID);
+		if (libtnc_tncs_BeginSession(this->tncs_connection) != TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "TNCS BeginSession failed");
+			return FAILED;
+		}
+	}
+	conn_id = this->is_server ? this->tncs_connection->connectionID
+							  : this->tncc_connection->connectionID;
+
+	DBG1(DBG_TNC, "received TNCCS Batch (%u bytes) for Connection ID %u",
+				   buflen, conn_id);
+	DBG3(DBG_TNC, "%.*s", buflen, buf);
+
+	if (this->is_server)
+	{
+		if (libtnc_tncs_ReceiveBatch(this->tncs_connection, buf, buflen) !=
+			TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "TNCS ReceiveBatch failed");
+			return FAILED;
+		}
+	}
+	else
+	{
+		if (libtnc_tncc_ReceiveBatch(this->tncc_connection, buf, buflen) !=
+			TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "TNCC ReceiveBatch failed");
+			return FAILED;
+		}
+	}
+	return NEED_MORE;
+}
+
+METHOD(tls_t, build, status_t,
+	private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	chunk_t batch;
+	u_int32_t conn_id;
+	size_t len;
+
+	if (!this->is_server && !this->tncc_connection)
+	{
+		this->tncc_connection = libtnc_tncc_CreateConnection(NULL);
+		if (!this->tncc_connection)
+		{
+			DBG1(DBG_TNC, "TNCC CreateConnection failed");
+			return FAILED;
+		}
+		DBG1(DBG_TNC, "assigned TNCC Connection ID %u",
+					   this->tncc_connection->connectionID);
+		if (libtnc_tncc_BeginSession(this->tncc_connection) != TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_TNC, "TNCC BeginSession failed");
+			return FAILED;
+		}
+	}
+	conn_id = this->is_server ? this->tncs_connection->connectionID
+							  : this->tncc_connection->connectionID;
+	
+	if (!retrieve_batch(conn_id, &batch))
+	{
+		return FAILED;
+	}
+	len = *buflen;
+	len = min(len, batch.len);
+	*buflen = len;
+	if (msglen)
+	{
+		*msglen = batch.len;
+	}
+
+	if (batch.len)
+	{
+		DBG1(DBG_TNC, "sending TNCCS Batch (%d bytes) for Connection ID %u",
+					   batch.len, conn_id);
+		DBG3(DBG_TNC, "%.*s", batch.len, batch.ptr);
+		memcpy(buf, batch.ptr, len);
+		free_batch(conn_id);
+		return ALREADY_DONE;
+	}
+	else
+	{
+		return INVALID_STATE;
+	}
+}
+
+METHOD(tls_t, is_server, bool,
+	private_tnccs_11_t *this)
+{
+	return this->is_server;
+}
+
+METHOD(tls_t, get_purpose, tls_purpose_t,
+	private_tnccs_11_t *this)
+{
+	return TLS_PURPOSE_EAP_TNC;
+}
+
+METHOD(tls_t, is_complete, bool,
+	private_tnccs_11_t *this)
+{
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
+	char *group;
+	identification_t *id;
+	ike_sa_t *ike_sa;
+	auth_cfg_t *auth;
+	
+	if (libtnc_tncs_HaveRecommendation(this->tncs_connection, &rec, &eval) ==
+		TNC_RESULT_SUCCESS)
+	{
+		switch (rec)
+		{
+			case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+				DBG1(DBG_TNC, "TNC recommendation is allow");
+				group = "allow";
+				break;				
+			case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+				DBG1(DBG_TNC, "TNC recommendation is isolate");
+				group = "isolate";
+				break;
+			case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+			case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+			default:
+				DBG1(DBG_TNC, "TNC recommendation is none");
+				return FALSE;
+		}
+		ike_sa = charon->bus->get_sa(charon->bus);
+		if (ike_sa)
+		{
+			auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+			id = identification_create_from_string(group);
+			auth->add(auth, AUTH_RULE_GROUP, id);
+			DBG1(DBG_TNC, "added group membership '%s' based on TNC recommendation", group);
+		}
+		return TRUE;
+	}
+	else
+	{
+		return FALSE;
+	}
+}
+
+METHOD(tls_t, get_eap_msk, chunk_t,
+	private_tnccs_11_t *this)
+{
+	return chunk_empty;
+}
+
+METHOD(tls_t, destroy, void,
+	private_tnccs_11_t *this)
+{
+	if (this->is_server)
+	{
+		if (this->tncs_connection)
+		{
+			libtnc_tncs_DeleteConnection(this->tncs_connection);
+		}
+	}
+	else
+	{
+		if (this->tncc_connection)
+		{
+			libtnc_tncc_DeleteConnection(this->tncc_connection);
+		}
+		libtnc_tncc_Terminate();
+	}
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_t *tnccs_11_create(bool is_server)
+{
+	private_tnccs_11_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.is_server = _is_server,
+			.get_purpose = _get_purpose,
+			.is_complete = _is_complete,
+			.get_eap_msk = _get_eap_msk,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.h b/src/libcharon/plugins/tnccs_11/tnccs_11.h
new file mode 100644
index 000000000..7331fc8cd
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_11_h tnccs_11
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_11_H_
+#define TNCCS_11_H_
+
+#include <library.h>
+
+#include <tls.h>
+
+/**
+ * Create an instance of the TNC IF-TNCCS 1.1 protocol handler.
+ *
+ * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
+ * @return					TNC_IF_TNCCS 1.1 protocol stack
+ */
+tls_t *tnccs_11_create(bool is_server);
+
+#endif /** TNCCS_11_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
new file mode 100644
index 000000000..03905ca37
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_11_plugin.h"
+#include "tnccs_11.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnccs_11_plugin_t *this)
+{
+	charon->tnccs->remove_method(charon->tnccs,
+								(tnccs_constructor_t)tnccs_11_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnccs_11_plugin_create()
+{
+	tnccs_11_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->tnccs->add_method(charon->tnccs, TNCCS_1_1, 
+							 (tnccs_constructor_t)tnccs_11_create);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h
new file mode 100644
index 000000000..619a073ad
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_11/tnccs_11_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_11 tnccs_11
+ * @ingroup cplugins
+ *
+ * @defgroup tnccs_11_plugin tnccs_11_plugin
+ * @{ @ingroup tnccs_11
+ */
+
+#ifndef TNCCS_11_PLUGIN_H_
+#define TNCCS_11_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnccs_11_plugin_t tnccs_11_plugin_t;
+
+/**
+ * EAP-TNC plugin
+ */
+struct tnccs_11_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNCCS_11_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am
new file mode 100644
index 000000000..3018121e3
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+	`xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+
+libstrongswan_tnccs_20_la_LIBADD = -ltnc
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnccs-20.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnccs-20.la
+libstrongswan_tnccs_20_la_LIBADD += $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_tnccs_20_la_SOURCES = \
+	tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c
+
+libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version
+
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in
new file mode 100644
index 000000000..6101f91df
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/Makefile.in
@@ -0,0 +1,607 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la
+subdir = src/libcharon/plugins/tnccs_20
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_tnccs_20_la_DEPENDENCIES = $(am__append_1)
+am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo
+libstrongswan_tnccs_20_la_OBJECTS =  \
+	$(am_libstrongswan_tnccs_20_la_OBJECTS)
+libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tnccs_20_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_tnccs_20_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_tnccs_20_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_tnccs_20_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_tnccs_20_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \
+	`xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+libstrongswan_tnccs_20_la_LIBADD = -ltnc $(am__append_1)
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-20.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-20.la
+libstrongswan_tnccs_20_la_SOURCES = \
+	tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c
+
+libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_20/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_20/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-tnccs-20.la: $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_DEPENDENCIES) 
+	$(libstrongswan_tnccs_20_la_LINK) $(am_libstrongswan_tnccs_20_la_rpath) $(libstrongswan_tnccs_20_la_OBJECTS) $(libstrongswan_tnccs_20_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c
new file mode 100644
index 000000000..2bd1bc476
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_20.h"
+
+#include <debug.h>
+
+static chunk_t tncc_output;
+
+typedef struct private_tnccs_20_t private_tnccs_20_t;
+
+/**
+ * Private data of a tnccs_20_t object.
+ */
+struct private_tnccs_20_t {
+
+	/**
+	 * Public tls_t interface.
+	 */
+	tls_t public;
+
+	/**
+	 * TNCC if TRUE, TNCS if FALSE
+	 */
+	bool is_server;
+};
+
+METHOD(tls_t, process, status_t,
+	private_tnccs_20_t *this, void *buf, size_t buflen)
+{
+	return NEED_MORE;
+}
+
+METHOD(tls_t, build, status_t,
+	private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	return ALREADY_DONE;
+}
+
+METHOD(tls_t, is_server, bool,
+	private_tnccs_20_t *this)
+{
+	return this->is_server;
+}
+
+METHOD(tls_t, get_purpose, tls_purpose_t,
+	private_tnccs_20_t *this)
+{
+	return TLS_PURPOSE_EAP_TNC;
+}
+
+METHOD(tls_t, is_complete, bool,
+	private_tnccs_20_t *this)
+{
+	return FALSE;
+}
+
+METHOD(tls_t, get_eap_msk, chunk_t,
+	private_tnccs_20_t *this)
+{
+	return chunk_empty;
+}
+
+METHOD(tls_t, destroy, void,
+	private_tnccs_20_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_t *tnccs_20_create(bool is_server)
+{
+	private_tnccs_20_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.is_server = _is_server,
+			.get_purpose = _get_purpose,
+			.is_complete = _is_complete,
+			.get_eap_msk = _get_eap_msk,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+	);
+
+	return &this->public;
+}
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.h b/src/libcharon/plugins/tnccs_20/tnccs_20.h
new file mode 100644
index 000000000..400d1dc12
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_20_h tnccs_20
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef TNCCS_20_H_
+#define TNCCS_20_H_
+
+#include <library.h>
+
+#include <tls.h>
+
+/**
+ * Create an instance of the TNC IF-TNCCS 2.0 protocol handler.
+ *
+ * @param is_server			TRUE to act as TNC Server, FALSE for TNC Client
+ * @return					TNC_IF_TNCCS 2.0 protocol stack
+ */
+tls_t *tnccs_20_create(bool is_server);
+
+#endif /** TNCCS_20_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
new file mode 100644
index 000000000..82c78f74c
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_20_plugin.h"
+#include "tnccs_20.h"
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnccs_20_plugin_t *this)
+{
+	charon->tnccs->remove_method(charon->tnccs,
+								(tnccs_constructor_t)tnccs_20_create);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnccs_20_plugin_create()
+{
+	tnccs_20_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	charon->tnccs->add_method(charon->tnccs, TNCCS_2_0, 
+							 (tnccs_constructor_t)tnccs_20_create);
+
+	return &this->plugin;
+}
+
diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h
new file mode 100644
index 000000000..1c4ecf4c9
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/tnccs_20_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_20 tnccs_20
+ * @ingroup cplugins
+ *
+ * @defgroup tnccs_20_plugin tnccs_20_plugin
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef TNCCS_20_PLUGIN_H_
+#define TNCCS_20_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnccs_20_plugin_t tnccs_20_plugin_t;
+
+/**
+ * EAP-TNC plugin
+ */
+struct tnccs_20_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNCCS_20_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 934ab6080..9cb5f794a 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
index 3c4928be4..aee2505e3 100644
--- a/src/libcharon/plugins/uci/uci_control.c
+++ b/src/libcharon/plugins/uci/uci_control.c
@@ -294,7 +294,7 @@ uci_control_t *uci_control_create()
 	{
 		this->job = callback_job_create((callback_job_cb_t)receive,
 										this, NULL, NULL);
-		charon->processor->queue_job(charon->processor, (job_t*)this->job);
+		lib->processor->queue_job(lib->processor, (job_t*)this->job);
 	}
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in
index 47850c1c5..47fff7e1d 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/unit_tester/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +205,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +262,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c
index 3b00421f8..342194a4c 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_cert.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_cert.c
@@ -51,7 +51,7 @@ bool test_cert_x509()
 		return FALSE;
 	}
 
-	encoding = ca_cert->get_encoding(ca_cert);
+	ca_cert->get_encoding(ca_cert, CERT_ASN1_DER, &encoding);
 	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 						BUILD_BLOB_ASN1_DER, encoding,
 						BUILD_END);
@@ -81,7 +81,7 @@ bool test_cert_x509()
 		return FALSE;
 	}
 
-	encoding = peer_cert->get_encoding(peer_cert);
+	peer_cert->get_encoding(peer_cert, CERT_ASN1_DER, &encoding);
 	parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 						BUILD_BLOB_ASN1_DER, encoding,
 						BUILD_END);
diff --git a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
index 59da15644..6ba5769b5 100644
--- a/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
+++ b/src/libcharon/plugins/unit_tester/tests/test_rsa_gen.c
@@ -59,12 +59,12 @@ bool test_rsa_gen()
 			return FALSE;
 		}
 		free(sig.ptr);
-		if (!public->encrypt(public, data, &crypt))
+		if (!public->encrypt(public, ENCRYPT_RSA_PKCS1, data, &crypt))
 		{
 			DBG1(DBG_CFG, "encrypting data with RSA failed");
 			return FALSE;
 		}
-		if (!private->decrypt(private, crypt, &plain))
+		if (!private->decrypt(private, ENCRYPT_RSA_PKCS1, crypt, &plain))
 		{
 			DBG1(DBG_CFG, "decrypting data with RSA failed");
 			return FALSE;
@@ -110,7 +110,7 @@ bool test_rsa_load_any()
 	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
 								BUILD_BLOB_ASN1_DER, chunk,
 								BUILD_END);
-	if (!public || public->get_keysize(public) != 256)
+	if (!public || public->get_keysize(public) != 2048)
 	{
 		return FALSE;
 	}
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index ce233ad04..e93955d71 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index ea4a792c2..8e58b1a9b 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -18,6 +18,7 @@
 
 #include "updown_listener.h"
 
+#include <hydra.h>
 #include <daemon.h>
 #include <config/child_cfg.h>
 
@@ -218,8 +219,8 @@ METHOD(listener_t, child_updown, bool,
 
 		if (up)
 		{
-			iface = charon->kernel_interface->get_interface(
-												charon->kernel_interface, me);
+			iface = hydra->kernel_interface->get_interface(
+												hydra->kernel_interface, me);
 			if (iface)
 			{
 				cache_iface(this, child_sa->get_reqid(child_sa), iface);
diff --git a/src/libcharon/processing/jobs/acquire_job.h b/src/libcharon/processing/jobs/acquire_job.h
index eff79a9b0..2b5bf4805 100644
--- a/src/libcharon/processing/jobs/acquire_job.h
+++ b/src/libcharon/processing/jobs/acquire_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup acquire_job acquire_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef ACQUIRE_JOB_H_
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h
index 662a7b7c7..fc0e2b518 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.h
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup delete_child_sa_job delete_child_sa_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef DELETE_CHILD_SA_JOB_H_
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.h b/src/libcharon/processing/jobs/delete_ike_sa_job.h
index f641deea3..ae06b9cfc 100644
--- a/src/libcharon/processing/jobs/delete_ike_sa_job.h
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup delete_child_sa_job delete_child_sa_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef DELETE_IKE_SA_JOB_H_
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 13fc5e3d0..1371000eb 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -87,7 +87,7 @@ METHOD(job_t, execute, void,
 				}
 				else
 				{
-					charon->scheduler->schedule_job(charon->scheduler,
+					lib->scheduler->schedule_job(lib->scheduler,
 							&this->public.job_interface, this->timeout - diff);
 					rescheduled = TRUE;
 				}
@@ -136,9 +136,11 @@ inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
 	private_inactivity_job_t *this;
 
 	INIT(this,
-		.public.job_interface = {
-			.execute = _execute,
-			.destroy = _destroy,
+		.public = {
+				.job_interface = {
+				.execute = _execute,
+				.destroy = _destroy,
+			},
 		},
 		.reqid = reqid,
 		.timeout = timeout,
diff --git a/src/libcharon/processing/jobs/inactivity_job.h b/src/libcharon/processing/jobs/inactivity_job.h
index 9c9daced8..890f7704b 100644
--- a/src/libcharon/processing/jobs/inactivity_job.h
+++ b/src/libcharon/processing/jobs/inactivity_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup inactivity_job inactivity_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef INACTIVITY_JOB_H_
diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.h b/src/libcharon/processing/jobs/initiate_mediation_job.h
index fddb1dd7b..d105de2b9 100644
--- a/src/libcharon/processing/jobs/initiate_mediation_job.h
+++ b/src/libcharon/processing/jobs/initiate_mediation_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup initiate_mediation_job initiate_mediation_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef INITIATE_MEDIATION_JOB_H_
diff --git a/src/libcharon/processing/jobs/mediation_job.h b/src/libcharon/processing/jobs/mediation_job.h
index 0574c65eb..41485cbc6 100644
--- a/src/libcharon/processing/jobs/mediation_job.h
+++ b/src/libcharon/processing/jobs/mediation_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup mediation_job mediation_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef MEDIATION_JOB_H_
diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h
index de313d517..09679c734 100644
--- a/src/libcharon/processing/jobs/migrate_job.h
+++ b/src/libcharon/processing/jobs/migrate_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup migrate_job migrate_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef MIGRATE_JOB_H_
diff --git a/src/libcharon/processing/jobs/process_message_job.h b/src/libcharon/processing/jobs/process_message_job.h
index 5e3f44d1f..2c42aa577 100644
--- a/src/libcharon/processing/jobs/process_message_job.h
+++ b/src/libcharon/processing/jobs/process_message_job.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup process_message_job process_message_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef PROCESS_MESSAGE_JOB_H_
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h
index 62887d6b9..fcbe65a06 100644
--- a/src/libcharon/processing/jobs/rekey_child_sa_job.h
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup rekey_child_sa_job rekey_child_sa_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef REKEY_CHILD_SA_JOB_H_
diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.h b/src/libcharon/processing/jobs/rekey_ike_sa_job.h
index a5c1028aa..3e3e13d00 100644
--- a/src/libcharon/processing/jobs/rekey_ike_sa_job.h
+++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup rekey_ike_sa_job rekey_ike_sa_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef REKEY_IKE_SA_JOB_H_
diff --git a/src/libcharon/processing/jobs/retransmit_job.h b/src/libcharon/processing/jobs/retransmit_job.h
index c8c13479b..c4545534b 100644
--- a/src/libcharon/processing/jobs/retransmit_job.h
+++ b/src/libcharon/processing/jobs/retransmit_job.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup retransmit_job retransmit_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef RETRANSMIT_JOB_H_
diff --git a/src/libcharon/processing/jobs/roam_job.h b/src/libcharon/processing/jobs/roam_job.h
index 55bdf2b28..acfb8bed8 100644
--- a/src/libcharon/processing/jobs/roam_job.h
+++ b/src/libcharon/processing/jobs/roam_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup roam_job roam_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef ROAM_JOB_H_
diff --git a/src/libcharon/processing/jobs/send_dpd_job.h b/src/libcharon/processing/jobs/send_dpd_job.h
index 8078a38bc..bd2728b9a 100644
--- a/src/libcharon/processing/jobs/send_dpd_job.h
+++ b/src/libcharon/processing/jobs/send_dpd_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup send_dpd_job send_dpd_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef SEND_DPD_JOB_H_
diff --git a/src/libcharon/processing/jobs/send_keepalive_job.h b/src/libcharon/processing/jobs/send_keepalive_job.h
index cda83cd7e..acf6d11aa 100644
--- a/src/libcharon/processing/jobs/send_keepalive_job.h
+++ b/src/libcharon/processing/jobs/send_keepalive_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup send_keepalive_job send_keepalive_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef SEND_KEEPALIVE_JOB_H_
diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h
index 11d1ac9b6..e2344fcc4 100644
--- a/src/libcharon/processing/jobs/update_sa_job.h
+++ b/src/libcharon/processing/jobs/update_sa_job.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup update_sa_job update_sa_job
- * @{ @ingroup jobs
+ * @{ @ingroup cjobs
  */
 
 #ifndef UPDATE_SA_JOB_H_
diff --git a/src/libcharon/sa/authenticators/eap/eap_manager.c b/src/libcharon/sa/authenticators/eap/eap_manager.c
index f795183f0..bc2c4a617 100644
--- a/src/libcharon/sa/authenticators/eap/eap_manager.c
+++ b/src/libcharon/sa/authenticators/eap/eap_manager.c
@@ -68,12 +68,9 @@ struct private_eap_manager_t {
 	rwlock_t *lock;
 };
 
-/**
- * Implementation of eap_manager_t.add_method.
- */
-static void add_method(private_eap_manager_t *this, eap_type_t type,
-					   u_int32_t vendor, eap_role_t role,
-					   eap_constructor_t constructor)
+METHOD(eap_manager_t, add_method, void,
+	private_eap_manager_t *this, eap_type_t type, u_int32_t vendor,
+	eap_role_t role, eap_constructor_t constructor)
 {
 	eap_entry_t *entry = malloc_thing(eap_entry_t);
 
@@ -87,10 +84,8 @@ static void add_method(private_eap_manager_t *this, eap_type_t type,
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of eap_manager_t.remove_method.
- */
-static void remove_method(private_eap_manager_t *this, eap_constructor_t constructor)
+METHOD(eap_manager_t, remove_method, void,
+	private_eap_manager_t *this, eap_constructor_t constructor)
 {
 	enumerator_t *enumerator;
 	eap_entry_t *entry;
@@ -109,13 +104,9 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of eap_manager_t.create_instance.
- */
-static eap_method_t* create_instance(private_eap_manager_t *this,
-									 eap_type_t type, u_int32_t vendor,
-									 eap_role_t role, identification_t *server,
-									 identification_t *peer)
+METHOD(eap_manager_t, create_instance, eap_method_t*,
+	private_eap_manager_t *this, eap_type_t type, u_int32_t vendor,
+	eap_role_t role, identification_t *server, identification_t *peer)
 {
 	enumerator_t *enumerator;
 	eap_entry_t *entry;
@@ -140,10 +131,8 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
 	return method;
 }
 
-/**
- * Implementation of 2008_t.destroy
- */
-static void destroy(private_eap_manager_t *this)
+METHOD(eap_manager_t, destroy, void,
+	private_eap_manager_t *this)
 {
 	this->methods->destroy_function(this->methods, free);
 	this->lock->destroy(this->lock);
@@ -151,19 +140,22 @@ static void destroy(private_eap_manager_t *this)
 }
 
 /*
- * see header file
+ * See header
  */
 eap_manager_t *eap_manager_create()
 {
-	private_eap_manager_t *this = malloc_thing(private_eap_manager_t);
-
-	this->public.add_method = (void(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, eap_constructor_t constructor))add_method;
-	this->public.remove_method = (void(*)(eap_manager_t*, eap_constructor_t constructor))remove_method;
-	this->public.create_instance = (eap_method_t*(*)(eap_manager_t*, eap_type_t type, u_int32_t vendor, eap_role_t role, identification_t*,identification_t*))create_instance;
-	this->public.destroy = (void(*)(eap_manager_t*))destroy;
-
-	this->methods = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	private_eap_manager_t *this;
+
+	INIT(this,
+			.public = {
+				.add_method = _add_method,
+				.remove_method = _remove_method,
+				.create_instance = _create_instance,
+				.destroy = _destroy,
+			},
+			.methods = linked_list_create(),
+			.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/authenticators/eap/eap_method.c
index ad7b92cfa..0fa4a00c5 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.c
+++ b/src/libcharon/sa/authenticators/eap/eap_method.c
@@ -15,55 +15,8 @@
 
 #include "eap_method.h"
 
-/*
- * See header
- */
-eap_type_t eap_type_from_string(char *name)
-{
-	int i;
-	static struct {
-		char *name;
-		eap_type_t type;
-	} types[] = {
-		{"identity",	EAP_IDENTITY},
-		{"md5",			EAP_MD5},
-		{"otp",			EAP_OTP},
-		{"gtc",			EAP_GTC},
-		{"sim",			EAP_SIM},
-		{"aka",			EAP_AKA},
-		{"mschapv2",	EAP_MSCHAPV2},
-		{"radius",		EAP_RADIUS},
-	};
-
-	for (i = 0; i < countof(types); i++)
-	{
-		if (strcaseeq(name, types[i].name))
-		{
-			return types[i].type;
-		}
-	}
-	return 0;
-}
-
-ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
-	"EAP_REQUEST",
-	"EAP_RESPONSE",
-	"EAP_SUCCESS",
-	"EAP_FAILURE",
-);
-
-ENUM(eap_code_short_names, EAP_REQUEST, EAP_FAILURE,
-	"REQ",
-	"RES",
-	"SUCC",
-	"FAIL",
-);
-
 ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
 	"EAP_SERVER",
 	"EAP_PEER",
 );
 
-
-
-
diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/authenticators/eap/eap_method.h
index df354edb4..9961039ff 100644
--- a/src/libcharon/sa/authenticators/eap/eap_method.h
+++ b/src/libcharon/sa/authenticators/eap/eap_method.h
@@ -23,10 +23,10 @@
 
 typedef struct eap_method_t eap_method_t;
 typedef enum eap_role_t eap_role_t;
-typedef enum eap_code_t eap_code_t;
 
 #include <library.h>
 #include <utils/identification.h>
+#include <eap/eap.h>
 #include <encoding/payloads/eap_payload.h>
 
 /**
@@ -42,34 +42,6 @@ enum eap_role_t {
 extern enum_name_t *eap_role_names;
 
 /**
- * Lookup the EAP method type from a string.
- *
- * @param name		EAP method name (such as "md5", "aka")
- * @return			method type, 0 if unkown
- */
-eap_type_t eap_type_from_string(char *name);
-
-/**
- * EAP code, type of an EAP message
- */
-enum eap_code_t {
-	EAP_REQUEST = 1,
-	EAP_RESPONSE = 2,
-	EAP_SUCCESS = 3,
-	EAP_FAILURE = 4,
-};
-
-/**
- * enum names for eap_code_t.
- */
-extern enum_name_t *eap_code_names;
-
-/**
- * short string enum names for eap_code_t.
- */
-extern enum_name_t *eap_code_short_names;
-
-/**
  * Interface of an EAP method for server and client side.
  *
  * An EAP method initiates an EAP exchange and processes requests and
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c
index 3c0f3c358..8b22fd1d7 100644
--- a/src/libcharon/sa/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/authenticators/eap_authenticator.c
@@ -99,22 +99,30 @@ struct private_eap_authenticator_t {
 static eap_method_t *load_method(private_eap_authenticator_t *this,
 							eap_type_t type, u_int32_t vendor, eap_role_t role)
 {
-	identification_t *server, *peer;
+	identification_t *server, *peer, *aaa;
+	auth_cfg_t *auth;
 
 	if (role == EAP_SERVER)
 	{
 		server = this->ike_sa->get_my_id(this->ike_sa);
 		peer = this->ike_sa->get_other_id(this->ike_sa);
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	}
 	else
 	{
 		server = this->ike_sa->get_other_id(this->ike_sa);
 		peer = this->ike_sa->get_my_id(this->ike_sa);
+		auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
 	}
 	if (this->eap_identity)
 	{
 		peer = this->eap_identity;
 	}
+	aaa = auth->get(auth, AUTH_RULE_AAA_IDENTITY);
+	if (aaa)
+	{
+		server = aaa;
+	}
 	return charon->eap->create_instance(charon->eap, type, vendor,
 										role, server, peer);
 }
@@ -458,11 +466,8 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message,
 	chunk_free(&auth_data);
 }
 
-/**
- * Implementation of authenticator_t.process for a server
- */
-static status_t process_server(private_eap_authenticator_t *this,
-							   message_t *message)
+METHOD(authenticator_t, process_server, status_t,
+	private_eap_authenticator_t *this, message_t *message)
 {
 	eap_payload_t *eap_payload;
 
@@ -492,11 +497,8 @@ static status_t process_server(private_eap_authenticator_t *this,
 	return NEED_MORE;
 }
 
-/**
- * Implementation of authenticator_t.build for a server
- */
-static status_t build_server(private_eap_authenticator_t *this,
-							 message_t *message)
+METHOD(authenticator_t, build_server, status_t,
+	private_eap_authenticator_t *this, message_t *message)
 {
 	if (this->eap_payload)
 	{
@@ -519,11 +521,8 @@ static status_t build_server(private_eap_authenticator_t *this,
 	return FAILED;
 }
 
-/**
- * Implementation of authenticator_t.process for a client
- */
-static status_t process_client(private_eap_authenticator_t *this,
-							   message_t *message)
+METHOD(authenticator_t, process_client, status_t,
+	private_eap_authenticator_t *this, message_t *message)
 {
 	eap_payload_t *eap_payload;
 
@@ -603,11 +602,8 @@ static status_t process_client(private_eap_authenticator_t *this,
 	return FAILED;
 }
 
-/**
- * Implementation of authenticator_t.build for a client
- */
-static status_t build_client(private_eap_authenticator_t *this,
-							 message_t *message)
+METHOD(authenticator_t, build_client, status_t,
+	private_eap_authenticator_t *this, message_t *message)
 {
 	if (this->eap_payload)
 	{
@@ -623,20 +619,16 @@ static status_t build_client(private_eap_authenticator_t *this,
 	return NEED_MORE;
 }
 
-/**
- * Implementation of authenticator_t.is_mutual.
- */
-static bool is_mutual(private_eap_authenticator_t *this)
+METHOD(authenticator_t, is_mutual, bool,
+	private_eap_authenticator_t *this)
 {
 	/* we don't know yet, but insist on it after EAP is complete */
 	this->require_mutual = TRUE;
 	return TRUE;
 }
 
-/**
- * Implementation of authenticator_t.destroy.
- */
-static void destroy(private_eap_authenticator_t *this)
+METHOD(authenticator_t, destroy, void,
+	private_eap_authenticator_t *this)
 {
 	DESTROY_IF(this->method);
 	DESTROY_IF(this->eap_payload);
@@ -652,25 +644,23 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 									chunk_t received_nonce, chunk_t sent_nonce,
 									chunk_t received_init, chunk_t sent_init)
 {
-	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->received_init = received_init;
-	this->received_nonce = received_nonce;
-	this->sent_init = sent_init;
-	this->sent_nonce = sent_nonce;
-	this->msk = chunk_empty;
-	this->method = NULL;
-	this->eap_payload = NULL;
-	this->eap_complete = FALSE;
-	this->auth_complete = FALSE;
-	this->eap_identity = NULL;
-	this->require_mutual = FALSE;
+	private_eap_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = _build_client,
+				.process = _process_client,
+				.is_mutual = _is_mutual,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.received_init = received_init,
+		.received_nonce = received_nonce,
+		.sent_init = sent_init,
+		.sent_nonce = sent_nonce,
+	);
 
 	return &this->public;
 }
@@ -682,25 +672,23 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
 									chunk_t received_nonce, chunk_t sent_nonce,
 									chunk_t received_init, chunk_t sent_init)
 {
-	private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
-
-	this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server;
-	this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server;
-	this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))is_mutual;
-	this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
-
-	this->ike_sa = ike_sa;
-	this->received_init = received_init;
-	this->received_nonce = received_nonce;
-	this->sent_init = sent_init;
-	this->sent_nonce = sent_nonce;
-	this->msk = chunk_empty;
-	this->method = NULL;
-	this->eap_payload = NULL;
-	this->eap_complete = FALSE;
-	this->auth_complete = FALSE;
-	this->eap_identity = NULL;
-	this->require_mutual = FALSE;
+	private_eap_authenticator_t *this;
+
+	INIT(this,
+		.public = {
+			.authenticator = {
+				.build = _build_server,
+				.process = _process_server,
+				.is_mutual = _is_mutual,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+		.received_init = received_init,
+		.received_nonce = received_nonce,
+		.sent_init = sent_init,
+		.sent_nonce = sent_nonce,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c
index 3c67f6db6..54b4338bb 100644
--- a/src/libcharon/sa/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c
@@ -84,15 +84,15 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message)
 			/* we try to deduct the signature scheme from the keysize */
 			switch (private->get_keysize(private))
 			{
-				case 32:
+				case 256:
 					scheme = SIGN_ECDSA_256;
 					auth_method = AUTH_ECDSA_256;
 					break;
-				case 48:
+				case 384:
 					scheme = SIGN_ECDSA_384;
 					auth_method = AUTH_ECDSA_384;
 					break;
-				case 66:
+				case 521:
 					scheme = SIGN_ECDSA_521;
 					auth_method = AUTH_ECDSA_521;
 					break;
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index bd41cba56..b6ef31da0 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -23,6 +23,7 @@
 #include <string.h>
 #include <time.h>
 
+#include <hydra.h>
 #include <daemon.h>
 
 ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
@@ -179,170 +180,144 @@ struct private_child_sa_t {
 };
 
 /**
- * Implementation of child_sa_t.get_name
+ * convert an IKEv2 specific protocol identifier to the IP protocol identifier.
  */
-static char *get_name(private_child_sa_t *this)
+static inline u_int8_t proto_ike2ip(protocol_id_t protocol)
+{
+	switch (protocol)
+	{
+		case PROTO_ESP:
+			return IPPROTO_ESP;
+		case PROTO_AH:
+			return IPPROTO_AH;
+		default:
+			return protocol;
+	}
+}
+
+METHOD(child_sa_t, get_name, char*,
+	   private_child_sa_t *this)
 {
 	return this->config->get_name(this->config);
 }
 
-/**
- * Implements child_sa_t.get_reqid
- */
-static u_int32_t get_reqid(private_child_sa_t *this)
+METHOD(child_sa_t, get_reqid, u_int32_t,
+	   private_child_sa_t *this)
 {
 	return this->reqid;
 }
 
-/**
- * Implements child_sa_t.get_config
- */
-static child_cfg_t* get_config(private_child_sa_t *this)
+METHOD(child_sa_t, get_config, child_cfg_t*,
+	   private_child_sa_t *this)
 {
 	return this->config;
 }
 
-/**
- * Implements child_sa_t.set_state
- */
-static void set_state(private_child_sa_t *this, child_sa_state_t state)
+METHOD(child_sa_t, set_state, void,
+	   private_child_sa_t *this, child_sa_state_t state)
 {
 	charon->bus->child_state_change(charon->bus, &this->public, state);
 	this->state = state;
 }
 
-/**
- * Implements child_sa_t.get_state
- */
-static child_sa_state_t get_state(private_child_sa_t *this)
+METHOD(child_sa_t, get_state, child_sa_state_t,
+	   private_child_sa_t *this)
 {
 	return this->state;
 }
 
-/**
- * Implements child_sa_t.get_spi
- */
-u_int32_t get_spi(private_child_sa_t *this, bool inbound)
+METHOD(child_sa_t, get_spi, u_int32_t,
+	   private_child_sa_t *this, bool inbound)
 {
 	return inbound ? this->my_spi : this->other_spi;
 }
 
-/**
- * Implements child_sa_t.get_cpi
- */
-u_int16_t get_cpi(private_child_sa_t *this, bool inbound)
+METHOD(child_sa_t, get_cpi, u_int16_t,
+	   private_child_sa_t *this, bool inbound)
 {
 	return inbound ? this->my_cpi : this->other_cpi;
 }
 
-/**
- * Implements child_sa_t.get_protocol
- */
-protocol_id_t get_protocol(private_child_sa_t *this)
+METHOD(child_sa_t, get_protocol, protocol_id_t,
+	   private_child_sa_t *this)
 {
 	return this->protocol;
 }
 
-/**
- * Implementation of child_sa_t.set_protocol
- */
-static void set_protocol(private_child_sa_t *this, protocol_id_t protocol)
+METHOD(child_sa_t, set_protocol, void,
+	   private_child_sa_t *this, protocol_id_t protocol)
 {
 	this->protocol = protocol;
 }
 
-/**
- * Implementation of child_sa_t.get_mode
- */
-static ipsec_mode_t get_mode(private_child_sa_t *this)
+METHOD(child_sa_t, get_mode, ipsec_mode_t,
+	   private_child_sa_t *this)
 {
 	return this->mode;
 }
 
-/**
- * Implementation of child_sa_t.set_mode
- */
-static void set_mode(private_child_sa_t *this, ipsec_mode_t mode)
+METHOD(child_sa_t, set_mode, void,
+	   private_child_sa_t *this, ipsec_mode_t mode)
 {
 	this->mode = mode;
 }
 
-/**
- * Implementation of child_sa_t.has_encap
- */
-static bool has_encap(private_child_sa_t *this)
+METHOD(child_sa_t, has_encap, bool,
+	   private_child_sa_t *this)
 {
 	return this->encap;
 }
 
-/**
- * Implementation of child_sa_t.get_ipcomp
- */
-static ipcomp_transform_t get_ipcomp(private_child_sa_t *this)
+METHOD(child_sa_t, get_ipcomp, ipcomp_transform_t,
+	   private_child_sa_t *this)
 {
 	return this->ipcomp;
 }
 
-/**
- * Implementation of child_sa_t.set_ipcomp.
- */
-static void set_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp)
+METHOD(child_sa_t, set_ipcomp, void,
+	   private_child_sa_t *this, ipcomp_transform_t ipcomp)
 {
 	this->ipcomp = ipcomp;
 }
 
-/**
- * Implementation of child_sa_t.set_close_action.
- */
-static void set_close_action(private_child_sa_t *this, action_t action)
+METHOD(child_sa_t, set_close_action, void,
+	   private_child_sa_t *this, action_t action)
 {
 	this->close_action = action;
 }
 
-/**
- * Implementation of child_sa_t.get_close_action.
- */
-static action_t get_close_action(private_child_sa_t *this)
+METHOD(child_sa_t, get_close_action, action_t,
+	   private_child_sa_t *this)
 {
 	return this->close_action;
 }
 
-/**
- * Implementation of child_sa_t.set_dpd_action.
- */
-static void set_dpd_action(private_child_sa_t *this, action_t action)
+METHOD(child_sa_t, set_dpd_action, void,
+	   private_child_sa_t *this, action_t action)
 {
 	this->dpd_action = action;
 }
 
-/**
- * Implementation of child_sa_t.get_dpd_action.
- */
-static action_t get_dpd_action(private_child_sa_t *this)
+METHOD(child_sa_t, get_dpd_action, action_t,
+	   private_child_sa_t *this)
 {
 	return this->dpd_action;
 }
 
-/**
- * Implementation of child_sa_t.get_proposal
- */
-static proposal_t* get_proposal(private_child_sa_t *this)
+METHOD(child_sa_t, get_proposal, proposal_t*,
+	   private_child_sa_t *this)
 {
 	return this->proposal;
 }
 
-/**
- * Implementation of child_sa_t.set_proposal
- */
-static void set_proposal(private_child_sa_t *this, proposal_t *proposal)
+METHOD(child_sa_t, set_proposal, void,
+	   private_child_sa_t *this, proposal_t *proposal)
 {
 	this->proposal = proposal->clone(proposal);
 }
 
-/**
- * Implementation of child_sa_t.get_traffic_selectors.
- */
-static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local)
+METHOD(child_sa_t, get_traffic_selectors, linked_list_t*,
+	   private_child_sa_t *this, bool local)
 {
 	return local ? this->my_ts : this->other_ts;
 }
@@ -365,11 +340,9 @@ struct policy_enumerator_t {
 	traffic_selector_t *ts;
 };
 
-/**
- * enumerator function of create_policy_enumerator()
- */
-static bool policy_enumerate(policy_enumerator_t *this,
-				 traffic_selector_t **my_out, traffic_selector_t **other_out)
+METHOD(enumerator_t, policy_enumerate, bool,
+	   policy_enumerator_t *this, traffic_selector_t **my_out,
+	   traffic_selector_t **other_out)
 {
 	traffic_selector_t *other_ts;
 
@@ -399,29 +372,29 @@ static bool policy_enumerate(policy_enumerator_t *this,
 	return FALSE;
 }
 
-/**
- * destroy function of create_policy_enumerator()
- */
-static void policy_destroy(policy_enumerator_t *this)
+METHOD(enumerator_t, policy_destroy, void,
+	   policy_enumerator_t *this)
 {
 	this->mine->destroy(this->mine);
 	this->other->destroy(this->other);
 	free(this);
 }
 
-/**
- * Implementation of child_sa_t.create_policy_enumerator
- */
-static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
+METHOD(child_sa_t, create_policy_enumerator, enumerator_t*,
+	   private_child_sa_t *this)
 {
-	policy_enumerator_t *e = malloc_thing(policy_enumerator_t);
-
-	e->public.enumerate = (void*)policy_enumerate;
-	e->public.destroy = (void*)policy_destroy;
-	e->mine = this->my_ts->create_enumerator(this->my_ts);
-	e->other = this->other_ts->create_enumerator(this->other_ts);
-	e->list = this->other_ts;
-	e->ts = NULL;
+	policy_enumerator_t *e;
+
+	INIT(e,
+		.public = {
+			.enumerate = (void*)_policy_enumerate,
+			.destroy = _policy_destroy,
+		},
+		.mine = this->my_ts->create_enumerator(this->my_ts),
+		.other = this->other_ts->create_enumerator(this->other_ts),
+		.list = this->other_ts,
+		.ts = NULL,
+	);
 
 	return &e->public;
 }
@@ -441,10 +414,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 	{
 		if (this->my_spi)
 		{
-			status = charon->kernel_interface->query_sa(charon->kernel_interface,
-									this->other_addr, this->my_addr,
-									this->my_spi, this->protocol,
-									this->mark_in, &bytes);
+			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
+							this->other_addr, this->my_addr, this->my_spi,
+							proto_ike2ip(this->protocol), this->mark_in,
+							&bytes);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->my_usebytes)
@@ -460,10 +433,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 	{
 		if (this->other_spi)
 		{
-			status = charon->kernel_interface->query_sa(charon->kernel_interface,
-									this->my_addr, this->other_addr,
-									this->other_spi, this->protocol,
-									this->mark_out,	&bytes);
+			status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
+							this->my_addr, this->other_addr, this->other_spi,
+							proto_ike2ip(this->protocol), this->mark_out,
+							&bytes);
 			if (status == SUCCESS)
 			{
 				if (bytes > this->other_usebytes)
@@ -494,14 +467,14 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 
 		if (inbound)
 		{
-			if (charon->kernel_interface->query_policy(charon->kernel_interface,
+			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
 						other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS)
 			{
 				last_use = max(last_use, in);
 			}
 			if (this->mode != MODE_TRANSPORT)
 			{
-				if (charon->kernel_interface->query_policy(charon->kernel_interface,
+				if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
 						other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS)
 				{
 					last_use = max(last_use, fwd);
@@ -510,7 +483,7 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 		}
 		else
 		{
-			if (charon->kernel_interface->query_policy(charon->kernel_interface,
+			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
 						my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS)
 			{
 				last_use = max(last_use, out);
@@ -533,11 +506,8 @@ static void update_usetime(private_child_sa_t *this, bool inbound)
 	}
 }
 
-/**
- * Implementation of child_sa_t.get_usestats
- */
-static void get_usestats(private_child_sa_t *this, bool inbound,
-						 time_t *time, u_int64_t *bytes)
+METHOD(child_sa_t, get_usestats, void,
+	   private_child_sa_t *this, bool inbound, time_t *time, u_int64_t *bytes)
 {
 	if (update_usebytes(this, inbound) != FAILED)
 	{
@@ -556,48 +526,41 @@ static void get_usestats(private_child_sa_t *this, bool inbound,
 	}
 }
 
-/**
- * Implementation of child_sa_t.get_lifetime
- */
-static time_t get_lifetime(private_child_sa_t *this, bool hard)
+METHOD(child_sa_t, get_lifetime, time_t,
+	   private_child_sa_t *this, bool hard)
 {
 	return hard ? this->expire_time : this->rekey_time;
 }
 
-/**
- * Implementation of child_sa_t.alloc_spi
- */
-static u_int32_t alloc_spi(private_child_sa_t *this, protocol_id_t protocol)
+METHOD(child_sa_t, alloc_spi, u_int32_t,
+	   private_child_sa_t *this, protocol_id_t protocol)
 {
-	if (charon->kernel_interface->get_spi(charon->kernel_interface,
-							this->other_addr, this->my_addr, protocol,
-							this->reqid, &this->my_spi) == SUCCESS)
+	if (hydra->kernel_interface->get_spi(hydra->kernel_interface,
+										 this->other_addr, this->my_addr,
+										 proto_ike2ip(protocol), this->reqid,
+										 &this->my_spi) == SUCCESS)
 	{
 		return this->my_spi;
 	}
 	return 0;
 }
 
-/**
- * Implementation of child_sa_t.alloc_cpi
- */
-static u_int16_t alloc_cpi(private_child_sa_t *this)
+METHOD(child_sa_t, alloc_cpi, u_int16_t,
+	   private_child_sa_t *this)
 {
-	if (charon->kernel_interface->get_cpi(charon->kernel_interface,
-					this->other_addr, this->my_addr, this->reqid,
-					&this->my_cpi) == SUCCESS)
+	if (hydra->kernel_interface->get_cpi(hydra->kernel_interface,
+										 this->other_addr, this->my_addr,
+										 this->reqid, &this->my_cpi) == SUCCESS)
 	{
 		return this->my_cpi;
 	}
 	return 0;
 }
 
-/**
- * Implementation of child_sa_t.install
- */
-static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
-						u_int32_t spi, u_int16_t cpi, bool inbound,
-						linked_list_t *my_ts, linked_list_t *other_ts)
+METHOD(child_sa_t, install, status_t,
+	   private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
+	   u_int16_t cpi, bool inbound, linked_list_t *my_ts,
+	   linked_list_t *other_ts)
 {
 	u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
 	traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
@@ -674,8 +637,8 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
 		}
 	}
 
-	status = charon->kernel_interface->add_sa(charon->kernel_interface,
-				src, dst, spi, this->protocol, this->reqid,
+	status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
+				src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
 				inbound ? this->mark_in : this->mark_out,
 				lifetime, enc_alg, encr, int_alg, integ, this->mode,
 				this->ipcomp, cpi, this->encap, update, src_ts, dst_ts);
@@ -685,11 +648,9 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
 	return status;
 }
 
-/**
- * Implementation of child_sa_t.add_policies
- */
-static status_t add_policies(private_child_sa_t *this,
-					linked_list_t *my_ts_list, linked_list_t *other_ts_list)
+METHOD(child_sa_t, add_policies, status_t,
+	   private_child_sa_t *this, linked_list_t *my_ts_list,
+	   linked_list_t *other_ts_list)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
@@ -712,26 +673,55 @@ static status_t add_policies(private_child_sa_t *this,
 
 	if (this->config->install_policy(this->config))
 	{
+		ipsec_sa_cfg_t my_sa = {
+			.mode = this->mode,
+			.reqid = this->reqid,
+			.ipcomp = {
+				.transform = this->ipcomp,
+			},
+		}, other_sa = my_sa;
+
+		my_sa.ipcomp.cpi = this->my_cpi;
+		other_sa.ipcomp.cpi = this->other_cpi;
+
+		if (this->protocol == PROTO_ESP)
+		{
+			my_sa.esp.use = TRUE;
+			my_sa.esp.spi = this->my_spi;
+			other_sa.esp.use = TRUE;
+			other_sa.esp.spi = this->other_spi;
+		}
+		else
+		{
+			my_sa.ah.use = TRUE;
+			my_sa.ah.spi = this->my_spi;
+			other_sa.ah.use = TRUE;
+			other_sa.ah.spi = this->other_spi;
+		}
+
 		/* enumerate pairs of traffic selectors */
 		enumerator = create_policy_enumerator(this);
 		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 		{
 			/* install 3 policies: out, in and forward */
-			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT,
-					this->other_spi, this->protocol, this->reqid, this->mark_out,
-					this->mode, this->ipcomp, this->other_cpi, routed);
-
-			status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN,
-					this->my_spi, this->protocol, this->reqid, this->mark_in,
-					this->mode,	this->ipcomp, this->my_cpi, routed);
+			status |= hydra->kernel_interface->add_policy(
+							hydra->kernel_interface,
+							this->my_addr, this->other_addr, my_ts, other_ts,
+							POLICY_OUT, POLICY_IPSEC, &other_sa,
+							this->mark_out, routed);
+
+			status |= hydra->kernel_interface->add_policy(
+							hydra->kernel_interface,
+							this->other_addr, this->my_addr, other_ts, my_ts,
+							POLICY_IN, POLICY_IPSEC, &my_sa,
+							this->mark_in, routed);
 			if (this->mode != MODE_TRANSPORT)
 			{
-				status |= charon->kernel_interface->add_policy(charon->kernel_interface,
-					this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD,
-					this->my_spi, this->protocol, this->reqid, this->mark_in,
-					this->mode,	this->ipcomp, this->my_cpi, routed);
+				status |= hydra->kernel_interface->add_policy(
+							hydra->kernel_interface,
+							this->other_addr, this->my_addr, other_ts, my_ts,
+							POLICY_FWD, POLICY_IPSEC, &my_sa,
+							this->mark_in, routed);
 			}
 
 			if (status != SUCCESS)
@@ -749,11 +739,9 @@ static status_t add_policies(private_child_sa_t *this,
 	return status;
 }
 
-/**
- * Implementation of child_sa_t.update.
- */
-static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
-					   host_t *vip, bool encap)
+METHOD(child_sa_t, update, status_t,
+	   private_child_sa_t *this,  host_t *me, host_t *other, host_t *vip,
+	   bool encap)
 {
 	child_sa_state_t old;
 	bool transport_proxy_mode;
@@ -775,8 +763,8 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 		/* update our (initator) SA */
 		if (this->my_spi)
 		{
-			if (charon->kernel_interface->update_sa(charon->kernel_interface,
-							this->my_spi, this->protocol,
+			if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
+							this->my_spi, proto_ike2ip(this->protocol),
 							this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
 							this->other_addr, this->my_addr, other, me,
 							this->encap, encap, this->mark_in) == NOT_SUPPORTED)
@@ -788,8 +776,8 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 		/* update his (responder) SA */
 		if (this->other_spi)
 		{
-			if (charon->kernel_interface->update_sa(charon->kernel_interface,
-							this->other_spi, this->protocol,
+			if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
+							this->other_spi, proto_ike2ip(this->protocol),
 							this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
 							this->my_addr, this->other_addr, me, other,
 							this->encap, encap, this->mark_out) == NOT_SUPPORTED)
@@ -801,6 +789,32 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 
 	if (this->config->install_policy(this->config))
 	{
+		ipsec_sa_cfg_t my_sa = {
+			.mode = this->mode,
+			.reqid = this->reqid,
+			.ipcomp = {
+				.transform = this->ipcomp,
+			},
+		}, other_sa = my_sa;
+
+		my_sa.ipcomp.cpi = this->my_cpi;
+		other_sa.ipcomp.cpi = this->other_cpi;
+
+		if (this->protocol == PROTO_ESP)
+		{
+			my_sa.esp.use = TRUE;
+			my_sa.esp.spi = this->my_spi;
+			other_sa.esp.use = TRUE;
+			other_sa.esp.spi = this->other_spi;
+		}
+		else
+		{
+			my_sa.ah.use = TRUE;
+			my_sa.ah.spi = this->my_spi;
+			other_sa.ah.use = TRUE;
+			other_sa.ah.spi = this->other_spi;
+		}
+
 		/* update policies */
 		if (!me->ip_equals(me, this->my_addr) ||
 			!other->ip_equals(other, this->other_addr))
@@ -813,13 +827,13 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 			while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 			{
 				/* remove old policies first */
-				charon->kernel_interface->del_policy(charon->kernel_interface,
+				hydra->kernel_interface->del_policy(hydra->kernel_interface,
 							my_ts, other_ts, POLICY_OUT, this->mark_out, FALSE);
-				charon->kernel_interface->del_policy(charon->kernel_interface,
+				hydra->kernel_interface->del_policy(hydra->kernel_interface,
 							other_ts, my_ts,  POLICY_IN, this->mark_in, FALSE);
 				if (this->mode != MODE_TRANSPORT)
 				{
-					charon->kernel_interface->del_policy(charon->kernel_interface,
+					hydra->kernel_interface->del_policy(hydra->kernel_interface,
 							other_ts, my_ts, POLICY_FWD, this->mark_in, FALSE);
 				}
 
@@ -839,25 +853,22 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 				 * correctly */
 				if (vip)
 				{
-					charon->kernel_interface->del_ip(charon->kernel_interface, vip);
-					charon->kernel_interface->add_ip(charon->kernel_interface, vip, me);
+					hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
+					hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, me);
 				}
 
 				/* reinstall updated policies */
-				charon->kernel_interface->add_policy(charon->kernel_interface,
-						me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
-						this->protocol, this->reqid, this->mark_out, this->mode,
-						this->ipcomp, this->other_cpi, FALSE);
-				charon->kernel_interface->add_policy(charon->kernel_interface,
-						other, me, other_ts, my_ts, POLICY_IN, this->my_spi,
-						this->protocol, this->reqid, this->mark_in, this->mode,
-						this->ipcomp, this->my_cpi, FALSE);
+				hydra->kernel_interface->add_policy(hydra->kernel_interface,
+						me, other, my_ts, other_ts, POLICY_OUT, POLICY_IPSEC,
+						&other_sa, this->mark_out, FALSE);
+				hydra->kernel_interface->add_policy(hydra->kernel_interface,
+						other, me, other_ts, my_ts, POLICY_IN, POLICY_IPSEC,
+						&my_sa, this->mark_in, FALSE);
 				if (this->mode != MODE_TRANSPORT)
 				{
-					charon->kernel_interface->add_policy(charon->kernel_interface,
-						other, me, other_ts, my_ts, POLICY_FWD, this->my_spi,
-						this->protocol, this->reqid, this->mark_in, this->mode,
-						this->ipcomp, this->my_cpi, FALSE);
+					hydra->kernel_interface->add_policy(hydra->kernel_interface,
+						other, me, other_ts, my_ts, POLICY_FWD, POLICY_IPSEC,
+						&my_sa, this->mark_in, FALSE);
 				}
 			}
 			enumerator->destroy(enumerator);
@@ -885,10 +896,8 @@ static status_t update(private_child_sa_t *this,  host_t *me, host_t *other,
 	return SUCCESS;
 }
 
-/**
- * Implementation of child_sa_t.destroy.
- */
-static void destroy(private_child_sa_t *this)
+METHOD(child_sa_t, destroy, void,
+	   private_child_sa_t *this)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *my_ts, *other_ts;
@@ -905,15 +914,17 @@ static void destroy(private_child_sa_t *this)
 		{
 			this->protocol = PROTO_ESP;
 		}
-		charon->kernel_interface->del_sa(charon->kernel_interface,
+		hydra->kernel_interface->del_sa(hydra->kernel_interface,
 					this->other_addr, this->my_addr, this->my_spi,
-					this->protocol, this->my_cpi, this->mark_in);
+					proto_ike2ip(this->protocol), this->my_cpi,
+					this->mark_in);
 	}
 	if (this->other_spi)
 	{
-		charon->kernel_interface->del_sa(charon->kernel_interface,
+		hydra->kernel_interface->del_sa(hydra->kernel_interface,
 					this->my_addr, this->other_addr, this->other_spi,
-					this->protocol, this->other_cpi, this->mark_out);
+					proto_ike2ip(this->protocol), this->other_cpi,
+					this->mark_out);
 	}
 
 	if (this->config->install_policy(this->config))
@@ -922,14 +933,14 @@ static void destroy(private_child_sa_t *this)
 		enumerator = create_policy_enumerator(this);
 		while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
 		{
-			charon->kernel_interface->del_policy(charon->kernel_interface,
-							my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted);
-			charon->kernel_interface->del_policy(charon->kernel_interface,
-							other_ts, my_ts, POLICY_IN, this->mark_in, unrouted);
+			hydra->kernel_interface->del_policy(hydra->kernel_interface,
+						my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted);
+			hydra->kernel_interface->del_policy(hydra->kernel_interface,
+						other_ts, my_ts, POLICY_IN, this->mark_in, unrouted);
 			if (this->mode != MODE_TRANSPORT)
 			{
-				charon->kernel_interface->del_policy(charon->kernel_interface,
-							other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted);
+				hydra->kernel_interface->del_policy(hydra->kernel_interface,
+						other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted);
 			}
 		}
 		enumerator->destroy(enumerator);
@@ -944,75 +955,66 @@ static void destroy(private_child_sa_t *this)
 	free(this);
 }
 
-/*
+/**
  * Described in header.
  */
 child_sa_t * child_sa_create(host_t *me, host_t* other,
 							 child_cfg_t *config, u_int32_t rekey, bool encap)
 {
 	static u_int32_t reqid = 0;
-	private_child_sa_t *this = malloc_thing(private_child_sa_t);
-
-	/* public functions */
-	this->public.get_name = (char*(*)(child_sa_t*))get_name;
-	this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid;
-	this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
-	this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
-	this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
-	this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
-	this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi;
-	this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
-	this->public.set_protocol = (void(*)(child_sa_t*, protocol_id_t protocol))set_protocol;
-	this->public.get_mode = (ipsec_mode_t(*)(child_sa_t*))get_mode;
-	this->public.set_mode = (void(*)(child_sa_t*, ipsec_mode_t mode))set_mode;
-	this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal;
-	this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal;
-	this->public.get_lifetime = (time_t(*)(child_sa_t*, bool))get_lifetime;
-	this->public.get_usestats = (void(*)(child_sa_t*,bool,time_t*,u_int64_t*))get_usestats;
-	this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
-	this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
-	this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp;
-	this->public.get_close_action = (action_t(*)(child_sa_t*))get_close_action;
-	this->public.set_close_action = (void(*)(child_sa_t*,action_t))set_close_action;
-	this->public.get_dpd_action = (action_t(*)(child_sa_t*))get_dpd_action;
-	this->public.set_dpd_action = (void(*)(child_sa_t*,action_t))set_dpd_action;
-	this->public.alloc_spi = (u_int32_t(*)(child_sa_t*, protocol_id_t protocol))alloc_spi;
-	this->public.alloc_cpi = (u_int16_t(*)(child_sa_t*))alloc_cpi;
-	this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound, linked_list_t *my_ts_list, linked_list_t *other_ts_list))install;
-	this->public.update = (status_t (*)(child_sa_t*,host_t*,host_t*,host_t*,bool))update;
-	this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*))add_policies;
-	this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
-	this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
-	this->public.destroy = (void(*)(child_sa_t*))destroy;
-
-	/* private data */
-	this->my_addr = me->clone(me);
-	this->other_addr = other->clone(other);
-	this->my_spi = 0;
-	this->other_spi = 0;
-	this->my_cpi = 0;
-	this->other_cpi = 0;
-	this->encap = encap;
-	this->ipcomp = IPCOMP_NONE;
-	this->state = CHILD_CREATED;
-	this->my_usetime = 0;
-	this->other_usetime = 0;
-	this->my_usebytes = 0;
-	this->other_usebytes = 0;
-	this->my_ts = linked_list_create();
-	this->other_ts = linked_list_create();
-	this->protocol = PROTO_NONE;
-	this->mode = MODE_TUNNEL;
-	this->close_action = config->get_close_action(config);
-	this->dpd_action = config->get_dpd_action(config);
-	this->proposal = NULL;
-	this->rekey_time = 0;
-	this->expire_time = 0;
+	private_child_sa_t *this;
+
+	INIT(this,
+		.public = {
+			.get_name = _get_name,
+			.get_reqid = _get_reqid,
+			.get_config = _get_config,
+			.get_state = _get_state,
+			.set_state = _set_state,
+			.get_spi = _get_spi,
+			.get_cpi = _get_cpi,
+			.get_protocol = _get_protocol,
+			.set_protocol = _set_protocol,
+			.get_mode = _get_mode,
+			.set_mode = _set_mode,
+			.get_proposal = _get_proposal,
+			.set_proposal = _set_proposal,
+			.get_lifetime = _get_lifetime,
+			.get_usestats = _get_usestats,
+			.has_encap = _has_encap,
+			.get_ipcomp = _get_ipcomp,
+			.set_ipcomp = _set_ipcomp,
+			.get_close_action = _get_close_action,
+			.set_close_action = _set_close_action,
+			.get_dpd_action = _get_dpd_action,
+			.set_dpd_action = _set_dpd_action,
+			.alloc_spi = _alloc_spi,
+			.alloc_cpi = _alloc_cpi,
+			.install = _install,
+			.update = _update,
+			.add_policies = _add_policies,
+			.get_traffic_selectors = _get_traffic_selectors,
+			.create_policy_enumerator = _create_policy_enumerator,
+			.destroy = _destroy,
+		},
+		.my_addr = me->clone(me),
+		.other_addr = other->clone(other),
+		.encap = encap,
+		.ipcomp = IPCOMP_NONE,
+		.state = CHILD_CREATED,
+		.my_ts = linked_list_create(),
+		.other_ts = linked_list_create(),
+		.protocol = PROTO_NONE,
+		.mode = MODE_TUNNEL,
+		.close_action = config->get_close_action(config),
+		.dpd_action = config->get_dpd_action(config),
+		.reqid = config->get_reqid(config),
+		.mark_in = config->get_mark(config, TRUE),
+		.mark_out = config->get_mark(config, FALSE),
+	);
+
 	this->config = config;
 	config->get_ref(config);
-	this->reqid = config->get_reqid(config);
-	this->mark_in = config->get_mark(config, TRUE);
-	this->mark_out = config->get_mark(config, FALSE);
 
 	if (!this->reqid)
 	{
diff --git a/src/libcharon/sa/connect_manager.c b/src/libcharon/sa/connect_manager.c
index b78ba070d..1fb286863 100644
--- a/src/libcharon/sa/connect_manager.c
+++ b/src/libcharon/sa/connect_manager.c
@@ -932,7 +932,7 @@ static void update_checklist_state(private_connect_manager_t *this,
 
 		callback_data_t *data = callback_data_create(this, checklist->connect_id);
 		job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-		charon->scheduler->schedule_job_ms(charon->scheduler, job, ME_WAIT_TO_FINISH);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, ME_WAIT_TO_FINISH);
 		checklist->is_finishing = TRUE;
 	}
 
@@ -1031,7 +1031,7 @@ static void queue_retransmission(private_connect_manager_t *this, check_list_t *
 	DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms",
 		 retransmission, pair->id, rto);
 
-	charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)job, rto);
+	lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)job, rto);
 }
 
 /**
@@ -1064,7 +1064,7 @@ static void send_check(private_connect_manager_t *this, check_list_t *checklist,
 	DBG2(DBG_IKE, "send ME_CONNECTAUTH %#B", &check->auth);
 
 	packet_t *packet;
-	if (message->generate(message, NULL, NULL, &packet) == SUCCESS)
+	if (message->generate(message, NULL, &packet) == SUCCESS)
 	{
 		charon->sender->send(charon->sender, packet->clone(packet));
 
@@ -1170,7 +1170,7 @@ static void schedule_checks(private_connect_manager_t *this, check_list_t *check
 {
 	callback_data_t *data = callback_data_create(this, checklist->connect_id);
 	checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
-	charon->scheduler->schedule_job_ms(charon->scheduler, checklist->sender, time);
+	lib->scheduler->schedule_job_ms(lib->scheduler, checklist->sender, time);
 }
 
 /**
@@ -1222,7 +1222,7 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
 
 			initiate_data_t *data = initiate_data_create(checklist, initiated);
 			job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiate_mediated, data, (callback_job_cleanup_t)initiate_data_destroy, NULL);
-			charon->processor->queue_job(charon->processor, job);
+			lib->processor->queue_job(lib->processor, job);
 			return;
 		}
 		else
@@ -1357,7 +1357,7 @@ static void process_request(private_connect_manager_t *this, check_t *check,
  */
 static void process_check(private_connect_manager_t *this, message_t *message)
 {
-	if (message->parse_body(message, NULL, NULL) != SUCCESS)
+	if (message->parse_body(message, NULL) != SUCCESS)
 	{
 		DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
 			 exchange_type_names, message->get_exchange_type(message),
@@ -1477,7 +1477,7 @@ static void check_and_initiate(private_connect_manager_t *this,
 	{
 		job_t *job = (job_t*)reinitiate_mediation_job_create(mediation_sa,
 															 waiting_sa);
-		charon->processor->queue_job(charon->processor, job);
+		lib->processor->queue_job(lib->processor, job);
 	}
 	iterator->destroy(iterator);
 
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 7536662ca..a4e4028ab 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -24,8 +24,8 @@
 #include "ike_sa.h"
 
 #include <library.h>
-#include <daemon.h>
 #include <hydra.h>
+#include <daemon.h>
 #include <utils/linked_list.h>
 #include <utils/lexparser.h>
 #include <sa/task_manager.h>
@@ -470,8 +470,8 @@ METHOD(ike_sa_t, send_keepalive, void,
 		diff = 0;
 	}
 	job = send_keepalive_job_create(this->ike_sa_id);
-	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
-									this->keepalive_interval - diff);
+	lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
+								 this->keepalive_interval - diff);
 }
 
 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
@@ -605,7 +605,7 @@ METHOD(ike_sa_t, send_dpd, status_t,
 	}
 	/* recheck in "interval" seconds */
 	job = (job_t*)send_dpd_job_create(this->ike_sa_id);
-	charon->scheduler->schedule_job(charon->scheduler, job, delay - diff);
+	lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
 	return SUCCESS;
 }
 
@@ -644,7 +644,7 @@ METHOD(ike_sa_t, set_state, void,
 				{
 					this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
 					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
-					charon->scheduler->schedule_job(charon->scheduler, job, t);
+					lib->scheduler->schedule_job(lib->scheduler, job, t);
 					DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
 				}
 				t = this->peer_cfg->get_reauth_time(this->peer_cfg);
@@ -653,7 +653,7 @@ METHOD(ike_sa_t, set_state, void,
 				{
 					this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
 					job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
-					charon->scheduler->schedule_job(charon->scheduler, job, t);
+					lib->scheduler->schedule_job(lib->scheduler, job, t);
 					DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
 				}
 				t = this->peer_cfg->get_over_time(this->peer_cfg);
@@ -675,7 +675,7 @@ METHOD(ike_sa_t, set_state, void,
 					this->stats[STAT_DELETE] += t;
 					t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
 					job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-					charon->scheduler->schedule_job(charon->scheduler, job, t);
+					lib->scheduler->schedule_job(lib->scheduler, job, t);
 					DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
 				}
 
@@ -688,8 +688,8 @@ METHOD(ike_sa_t, set_state, void,
 		{
 			/* delete may fail if a packet gets lost, so set a timeout */
 			job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
-			charon->scheduler->schedule_job(charon->scheduler, job,
-											HALF_OPEN_IKE_SA_TIMEOUT);
+			lib->scheduler->schedule_job(lib->scheduler, job,
+										 HALF_OPEN_IKE_SA_TIMEOUT);
 			break;
 		}
 		default:
@@ -730,14 +730,14 @@ METHOD(ike_sa_t, set_virtual_ip, void,
 	if (local)
 	{
 		DBG1(DBG_IKE, "installing new virtual IP %H", ip);
-		if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
-											 this->my_host) == SUCCESS)
+		if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
+											this->my_host) == SUCCESS)
 		{
 			if (this->my_virtual_ip)
 			{
 				DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
-				charon->kernel_interface->del_ip(charon->kernel_interface,
-												 this->my_virtual_ip);
+				hydra->kernel_interface->del_ip(hydra->kernel_interface,
+												this->my_virtual_ip);
 			}
 			DESTROY_IF(this->my_virtual_ip);
 			this->my_virtual_ip = ip->clone(ip);
@@ -810,6 +810,20 @@ METHOD(ike_sa_t, get_pending_updates, u_int32_t,
 	return this->pending_updates;
 }
 
+METHOD(ike_sa_t, float_ports, void,
+	   private_ike_sa_t *this)
+{
+	/* do not switch if we have a custom port from MOBIKE/NAT */
+	if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
+	{
+		this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
+	}
+	if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
+	{
+		this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
+	}
+}
+
 METHOD(ike_sa_t, update_hosts, void,
 	private_ike_sa_t *this, host_t *me, host_t *other)
 {
@@ -843,10 +857,8 @@ METHOD(ike_sa_t, update_hosts, void,
 
 		if (!other->equals(other, this->other_host))
 		{
-			/* update others adress if we are NOT NATed,
-			 * and allow port changes if we are NATed */
-			if (!has_condition(this, COND_NAT_HERE) ||
-				other->ip_equals(other, this->other_host))
+			/* update others adress if we are NOT NATed */
+			if (!has_condition(this, COND_NAT_HERE))
 			{
 				set_other_host(this, other->clone(other));
 				update = TRUE;
@@ -882,8 +894,7 @@ METHOD(ike_sa_t, generate_message, status_t,
 	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
 	message->set_ike_sa_id(message, this->ike_sa_id);
 	return message->generate(message,
-				this->keymat->get_crypter(this->keymat, FALSE),
-				this->keymat->get_signer(this->keymat, FALSE), packet);
+				this->keymat->get_aead(this->keymat, FALSE), packet);
 }
 
 /**
@@ -1049,8 +1060,8 @@ static void resolve_hosts(private_ike_sa_t *this)
 			!this->other_host->is_anyaddr(this->other_host))
 		{
 			host->destroy(host);
-			host = charon->kernel_interface->get_source_addr(
-							charon->kernel_interface, this->other_host, NULL);
+			host = hydra->kernel_interface->get_source_addr(
+							hydra->kernel_interface, this->other_host, NULL);
 			if (host)
 			{
 				host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
@@ -1150,7 +1161,7 @@ METHOD(ike_sa_t, initiate, status_t,
 		{
 			/* mediated connection, initiate mediation process */
 			job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
-			charon->processor->queue_job(charon->processor, job);
+			lib->processor->queue_job(lib->processor, job);
 			return SUCCESS;
 		}
 #endif /* ME */
@@ -1173,8 +1184,7 @@ METHOD(ike_sa_t, process_message, status_t,
 	is_request = message->get_request(message);
 
 	status = message->parse_body(message,
-								 this->keymat->get_crypter(this->keymat, TRUE),
-								 this->keymat->get_signer(this->keymat, TRUE));
+								 this->keymat->get_aead(this->keymat, TRUE));
 	if (status != SUCCESS)
 	{
 
@@ -1229,15 +1239,12 @@ METHOD(ike_sa_t, process_message, status_t,
 	}
 	else
 	{
-		host_t *me, *other;
-
-		me = message->get_destination(message);
-		other = message->get_source(message);
-
 		/* if this IKE_SA is virgin, we check for a config */
 		if (this->ike_cfg == NULL)
 		{
 			job_t *job;
+			host_t *me = message->get_destination(message),
+				   *other = message->get_source(message);
 			this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
 														  me, other);
 			if (this->ike_cfg == NULL)
@@ -1250,20 +1257,12 @@ METHOD(ike_sa_t, process_message, status_t,
 			}
 			/* add a timeout if peer does not establish it completely */
 			job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
-			charon->scheduler->schedule_job(charon->scheduler, job,
-											HALF_OPEN_IKE_SA_TIMEOUT);
+			lib->scheduler->schedule_job(lib->scheduler, job,
+										 HALF_OPEN_IKE_SA_TIMEOUT);
 		}
 		this->stats[STAT_INBOUND] = time_monotonic(NULL);
-		/* check if message is trustworthy, and update host information */
-		if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
-			message->get_exchange_type(message) != IKE_SA_INIT)
-		{
-			if (!supports_extension(this, EXT_MOBIKE))
-			{	/* with MOBIKE, we do no implicit updates */
-				update_hosts(this, me, other);
-			}
-		}
-		status = this->task_manager->process_message(this->task_manager, message);
+		status = this->task_manager->process_message(this->task_manager,
+													 message);
 		if (message->get_exchange_type(message) == IKE_AUTH &&
 			this->state == IKE_ESTABLISHED &&
 			lib->settings->get_bool(lib->settings,
@@ -1697,7 +1696,7 @@ METHOD(ike_sa_t, set_auth_lifetime, void,
 	{
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
 			 lifetime);
-		charon->processor->queue_job(charon->processor,
+		lib->processor->queue_job(lib->processor,
 					(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
 	}
 	else if (this->stats[STAT_REAUTH] == 0 ||
@@ -1706,7 +1705,7 @@ METHOD(ike_sa_t, set_auth_lifetime, void,
 		this->stats[STAT_REAUTH] = reauth_time;
 		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
 			 " in %ds", lifetime, lifetime - reduction);
-		charon->scheduler->schedule_job(charon->scheduler,
+		lib->scheduler->schedule_job(lib->scheduler,
 						(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
 						lifetime - reduction);
 	}
@@ -1718,10 +1717,65 @@ METHOD(ike_sa_t, set_auth_lifetime, void,
 	}
 }
 
+/**
+ * Check if the current combination of source and destination address is still
+ * valid.
+ */
+static bool is_current_path_valid(private_ike_sa_t *this)
+{
+	bool valid = FALSE;
+	host_t *src;
+	src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+											this->other_host, this->my_host);
+	if (src)
+	{
+		if (src->ip_equals(src, this->my_host))
+		{
+			valid = TRUE;
+		}
+		src->destroy(src);
+	}
+	return valid;
+}
+
+/**
+ * Check if we have any path avialable for this IKE SA.
+ */
+static bool is_any_path_valid(private_ike_sa_t *this)
+{
+	bool valid = FALSE;
+	enumerator_t *enumerator;
+	host_t *src, *addr;
+	DBG1(DBG_IKE, "old path is not available anymore, try to find another");
+	src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+												   this->other_host, NULL);
+	if (!src)
+	{
+		enumerator = this->additional_addresses->create_enumerator(
+												this->additional_addresses);
+		while (enumerator->enumerate(enumerator, &addr))
+		{
+			DBG1(DBG_IKE, "looking for a route to %H ...", addr);
+			src = hydra->kernel_interface->get_source_addr(
+									hydra->kernel_interface, addr, NULL);
+			if (src)
+			{
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	if (src)
+	{
+		valid = TRUE;
+		src->destroy(src);
+	}
+	return valid;
+}
+
 METHOD(ike_sa_t, roam, status_t,
 	private_ike_sa_t *this, bool address)
 {
-	host_t *src;
 	ike_mobike_t *mobike;
 
 	switch (this->state)
@@ -1734,81 +1788,61 @@ METHOD(ike_sa_t, roam, status_t,
 		default:
 			break;
 	}
-	/* responder just updates the peer about changed address config */
-	if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
+
+	/* keep existing path if possible */
+	if (is_current_path_valid(this))
 	{
+		DBG2(DBG_IKE, "keeping connection path %H - %H",
+			 this->my_host, this->other_host);
+		set_condition(this, COND_STALE, FALSE);
+
 		if (supports_extension(this, EXT_MOBIKE) && address)
-		{
+		{	/* if any addresses changed, send an updated list */
 			DBG1(DBG_IKE, "sending address list update using MOBIKE");
 			mobike = ike_mobike_create(&this->public, TRUE);
-			this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
+			mobike->addresses(mobike);
+			this->task_manager->queue_task(this->task_manager,
+										   (task_t*)mobike);
 			return this->task_manager->initiate(this->task_manager);
 		}
 		return SUCCESS;
 	}
 
-	/* keep existing path if possible */
-	src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
-											this->other_host, this->my_host);
-	if (src)
+	if (!is_any_path_valid(this))
 	{
-		if (src->ip_equals(src, this->my_host))
-		{
-			DBG2(DBG_IKE, "keeping connection path %H - %H",
-				 src, this->other_host);
-			src->destroy(src);
-			set_condition(this, COND_STALE, FALSE);
-			return SUCCESS;
-		}
-		src->destroy(src);
-
-	}
-	else
-	{
-		/* check if we find a route at all */
-		enumerator_t *enumerator;
-		host_t *addr;
-
-		src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
-														this->other_host, NULL);
-		if (!src)
-		{
-			enumerator = this->additional_addresses->create_enumerator(
-													this->additional_addresses);
-			while (enumerator->enumerate(enumerator, &addr))
-			{
-				DBG1(DBG_IKE, "looking for a route to %H ...", addr);
-				src = charon->kernel_interface->get_source_addr(
-										charon->kernel_interface, addr, NULL);
-				if (src)
-				{
-					break;
-				}
-			}
-			enumerator->destroy(enumerator);
-		}
-		if (!src)
-		{
-			DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
-				 this->other_host);
-			set_condition(this, COND_STALE, TRUE);
-			return SUCCESS;
-		}
-		src->destroy(src);
+		DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
+			 this->other_host);
+		set_condition(this, COND_STALE, TRUE);
+		return SUCCESS;
 	}
 	set_condition(this, COND_STALE, FALSE);
 
 	/* update addresses with mobike, if supported ... */
 	if (supports_extension(this, EXT_MOBIKE))
 	{
-		DBG1(DBG_IKE, "requesting address change using MOBIKE");
+		if (!has_condition(this, COND_ORIGINAL_INITIATOR))
+		{	/* responder updates the peer about changed address config */
+			DBG1(DBG_IKE, "sending address list update using MOBIKE, "
+				 "implicitly requesting an address change");
+			address = TRUE;
+		}
+		else
+		{
+			DBG1(DBG_IKE, "requesting address change using MOBIKE");
+		}
 		mobike = ike_mobike_create(&this->public, TRUE);
 		mobike->roam(mobike, address);
 		this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
 		return this->task_manager->initiate(this->task_manager);
 	}
-	DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
+
 	/* ... reauth if not */
+	if (!has_condition(this, COND_ORIGINAL_INITIATOR))
+	{	/* responder does not reauthenticate */
+		set_condition(this, COND_STALE, TRUE);
+		return SUCCESS;
+	}
+	DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
 	return reauth(this);
 }
 
@@ -1907,9 +1941,9 @@ METHOD(ike_sa_t, inherit, status_t,
 		this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
 		DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
 			 "lifetime reduced to %ds", reauth, delete);
-		charon->scheduler->schedule_job(charon->scheduler,
+		lib->scheduler->schedule_job(lib->scheduler,
 				(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
-		charon->scheduler->schedule_job(charon->scheduler,
+		lib->scheduler->schedule_job(lib->scheduler,
 				(job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
 	}
 	/* we have to initate here, there may be new tasks to handle */
@@ -1946,8 +1980,8 @@ METHOD(ike_sa_t, destroy, void,
 
 	if (this->my_virtual_ip)
 	{
-		charon->kernel_interface->del_ip(charon->kernel_interface,
-										 this->my_virtual_ip);
+		hydra->kernel_interface->del_ip(hydra->kernel_interface,
+										this->my_virtual_ip);
 		this->my_virtual_ip->destroy(this->my_virtual_ip);
 	}
 	if (this->other_virtual_ip)
@@ -2025,6 +2059,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 			.get_other_host = _get_other_host,
 			.set_other_host = _set_other_host,
 			.set_message_id = _set_message_id,
+			.float_ports = _float_ports,
 			.update_hosts = _update_hosts,
 			.get_my_id = _get_my_id,
 			.set_my_id = _set_my_id,
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 34842a573..c0007e27d 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -329,6 +329,14 @@ struct ike_sa_t {
 	void (*set_other_host) (ike_sa_t *this, host_t *other);
 
 	/**
+	 * Float to port 4500 (e.g. if a NAT is detected).
+	 *
+	 * The port of either endpoint is changed only if it is currently
+	 * set to the default value of 500.
+	 */
+	void (*float_ports)(ike_sa_t *this);
+
+	/**
 	 * Update the IKE_SAs host.
 	 *
 	 * Hosts may be NULL to use current host.
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index c71c3b297..fa94bb86d 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1613,6 +1613,9 @@ static void flush(private_ike_sa_manager_t *this)
 	enumerator->destroy(enumerator);
 	charon->bus->set_sa(charon->bus, NULL);
 	unlock_all_segments(this);
+
+	this->rng->destroy(this->rng);
+	this->hasher->destroy(this->hasher);
 }
 
 /**
@@ -1652,8 +1655,6 @@ static void destroy(private_ike_sa_manager_t *this)
 	free(this->half_open_segments);
 	free(this->connected_peers_segments);
 
-	this->rng->destroy(this->rng);
-	this->hasher->destroy(this->hasher);
 	free(this);
 }
 
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
index 38f5454e1..f4eabf808 100644
--- a/src/libcharon/sa/ike_sa_manager.h
+++ b/src/libcharon/sa/ike_sa_manager.h
@@ -199,6 +199,8 @@ struct ike_sa_manager_t {
 	 * Delete all existing IKE_SAs and destroy them immediately.
 	 *
 	 * Threads will be driven out, so all SAs can be deleted cleanly.
+	 * To a flush(), an immediate call to destroy() is mandatory; no other
+	 * method may be used.
 	 */
 	void (*flush)(ike_sa_manager_t *this);
 
diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c
index 837cbe428..878ad124f 100644
--- a/src/libcharon/sa/keymat.c
+++ b/src/libcharon/sa/keymat.c
@@ -36,24 +36,14 @@ struct private_keymat_t {
 	bool initiator;
 
 	/**
-	 * inbound signer (verify)
+	 * inbound AEAD
 	 */
-	signer_t *signer_in;
+	aead_t *aead_in;
 
 	/**
-	 * outbound signer (sign)
+	 * outbound AEAD
 	 */
-	signer_t *signer_out;
-
-	/**
-	 * inbound crypter (decrypt)
-	 */
-	crypter_t *crypter_in;
-
-	/**
-	 * outbound crypter (encrypt)
-	 */
-	crypter_t *crypter_out;
+	aead_t *aead_out;
 
 	/**
 	 * General purpose PRF
@@ -134,30 +124,135 @@ static int lookup_keylen(keylen_entry_t *list, int algo)
 	return 0;
 }
 
+METHOD(keymat_t, create_dh, diffie_hellman_t*,
+	private_keymat_t *this, diffie_hellman_group_t group)
+{
+	return lib->crypto->create_dh(lib->crypto, group);;
+}
+
 /**
- * Implementation of keymat_t.create_dh
+ * Derive IKE keys for a combined AEAD algorithm
  */
-static diffie_hellman_t* create_dh(private_keymat_t *this,
-								   diffie_hellman_group_t group)
+static bool derive_ike_aead(private_keymat_t *this, u_int16_t alg,
+							u_int16_t key_size, prf_plus_t *prf_plus)
 {
-	return lib->crypto->create_dh(lib->crypto, group);;
+	aead_t *aead_i, *aead_r;
+	chunk_t key;
+
+	/* SK_ei/SK_er used for encryption */
+	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
+	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
+	if (aead_i == NULL || aead_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, alg, key_size);
+		return FALSE;
+	}
+	key_size = aead_i->get_key_size(aead_i);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
+	aead_i->set_key(aead_i, key);
+	chunk_clear(&key);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_er secret %B", &key);
+	aead_r->set_key(aead_r, key);
+	chunk_clear(&key);
+
+	if (this->initiator)
+	{
+		this->aead_in = aead_r;
+		this->aead_out = aead_i;
+	}
+	else
+	{
+		this->aead_in = aead_i;
+		this->aead_out = aead_r;
+	}
+	return TRUE;
 }
 
 /**
- * Implementation of keymat_t.derive_keys
+ * Derive IKE keys for traditional encryption and MAC algorithms
  */
-static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
-							diffie_hellman_t *dh, chunk_t nonce_i,
-							chunk_t nonce_r, ike_sa_id_t *id,
-							pseudo_random_function_t rekey_function,
-							chunk_t rekey_skd)
+static bool derive_ike_traditional(private_keymat_t *this, u_int16_t enc_alg,
+					u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus)
 {
-	chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
-	chunk_t spi_i, spi_r;
 	crypter_t *crypter_i, *crypter_r;
 	signer_t *signer_i, *signer_r;
+	size_t key_size;
+	chunk_t key;
+
+	/* SK_ai/SK_ar used for integrity protection */
+	signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
+	signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
+	if (signer_i == NULL || signer_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N not supported!",
+			 transform_type_names, INTEGRITY_ALGORITHM,
+			 integrity_algorithm_names, int_alg);
+		return FALSE;
+	}
+	key_size = signer_i->get_key_size(signer_i);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
+	signer_i->set_key(signer_i, key);
+	chunk_clear(&key);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
+	signer_r->set_key(signer_r, key);
+	chunk_clear(&key);
+
+	/* SK_ei/SK_er used for encryption */
+	crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
+	crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
+	if (crypter_i == NULL || crypter_r == NULL)
+	{
+		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+			 transform_type_names, ENCRYPTION_ALGORITHM,
+			 encryption_algorithm_names, enc_alg, key_size);
+		signer_i->destroy(signer_i);
+		signer_r->destroy(signer_r);
+		return FALSE;
+	}
+	key_size = crypter_i->get_key_size(crypter_i);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
+	crypter_i->set_key(crypter_i, key);
+	chunk_clear(&key);
+
+	prf_plus->allocate_bytes(prf_plus, key_size, &key);
+	DBG4(DBG_IKE, "Sk_er secret %B", &key);
+	crypter_r->set_key(crypter_r, key);
+	chunk_clear(&key);
+
+	if (this->initiator)
+	{
+		this->aead_in = aead_create(crypter_r, signer_r);
+		this->aead_out = aead_create(crypter_i, signer_i);
+	}
+	else
+	{
+		this->aead_in = aead_create(crypter_i, signer_i);
+		this->aead_out = aead_create(crypter_r, signer_r);
+	}
+	return TRUE;
+}
+
+METHOD(keymat_t, derive_ike_keys, bool,
+	private_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+	pseudo_random_function_t rekey_function, chunk_t rekey_skd)
+{
+	chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
+	chunk_t spi_i, spi_r;
 	prf_plus_t *prf_plus;
-	u_int16_t alg, key_size;
+	u_int16_t alg, key_size, int_alg;
 	prf_t *rekey_prf = NULL;
 
 	spi_i = chunk_alloca(sizeof(u_int64_t));
@@ -195,6 +290,9 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 			/* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
 			 * not and therefore fixed key semantics apply to XCBC for key
 			 * derivation. */
+		case PRF_CAMELLIA128_XCBC:
+			/* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
+			 * assume fixed key length. */
 			key_size = this->prf->get_key_size(this->prf)/2;
 			nonce_i.len = min(nonce_i.len, key_size);
 			nonce_r.len = min(nonce_r.len, key_size);
@@ -255,50 +353,6 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
 	DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
 
-	/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
-	if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
-	{
-		DBG1(DBG_IKE, "no %N selected",
-			 transform_type_names, INTEGRITY_ALGORITHM);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-	signer_i = lib->crypto->create_signer(lib->crypto, alg);
-	signer_r = lib->crypto->create_signer(lib->crypto, alg);
-	if (signer_i == NULL || signer_r == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N not supported!",
-			 transform_type_names, INTEGRITY_ALGORITHM,
-			 integrity_algorithm_names ,alg);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-	key_size = signer_i->get_key_size(signer_i);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ai secret %B", &key);
-	signer_i->set_key(signer_i, key);
-	chunk_clear(&key);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ar secret %B", &key);
-	signer_r->set_key(signer_r, key);
-	chunk_clear(&key);
-
-	if (this->initiator)
-	{
-		this->signer_in = signer_r;
-		this->signer_out = signer_i;
-	}
-	else
-	{
-		this->signer_in = signer_i;
-		this->signer_out = signer_r;
-	}
-
-	/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
 	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
 	{
 		DBG1(DBG_IKE, "no %N selected",
@@ -307,38 +361,33 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 		DESTROY_IF(rekey_prf);
 		return FALSE;
 	}
-	crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
-	crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
-	if (crypter_i == NULL || crypter_r == NULL)
-	{
-		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
-			 transform_type_names, ENCRYPTION_ALGORITHM,
-			 encryption_algorithm_names, alg, key_size);
-		prf_plus->destroy(prf_plus);
-		DESTROY_IF(rekey_prf);
-		return FALSE;
-	}
-	key_size = crypter_i->get_key_size(crypter_i);
 
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_ei secret %B", &key);
-	crypter_i->set_key(crypter_i, key);
-	chunk_clear(&key);
-
-	prf_plus->allocate_bytes(prf_plus, key_size, &key);
-	DBG4(DBG_IKE, "Sk_er secret %B", &key);
-	crypter_r->set_key(crypter_r, key);
-	chunk_clear(&key);
-
-	if (this->initiator)
+	if (encryption_algorithm_is_aead(alg))
 	{
-		this->crypter_in = crypter_r;
-		this->crypter_out = crypter_i;
+		if (!derive_ike_aead(this, alg, key_size, prf_plus))
+		{
+			prf_plus->destroy(prf_plus);
+			DESTROY_IF(rekey_prf);
+			return FALSE;
+		}
 	}
 	else
 	{
-		this->crypter_in = crypter_i;
-		this->crypter_out = crypter_r;
+		if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+									 &int_alg, NULL))
+		{
+			DBG1(DBG_IKE, "no %N selected",
+				 transform_type_names, INTEGRITY_ALGORITHM);
+			prf_plus->destroy(prf_plus);
+			DESTROY_IF(rekey_prf);
+			return FALSE;
+		}
+		if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus))
+		{
+			prf_plus->destroy(prf_plus);
+			DESTROY_IF(rekey_prf);
+			return FALSE;
+		}
 	}
 
 	/* SK_pi/SK_pr used for authentication => stored for later */
@@ -371,14 +420,10 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
 	return TRUE;
 }
 
-/**
- * Implementation of keymat_t.derive_child_keys
- */
-static bool derive_child_keys(private_keymat_t *this,
-							  proposal_t *proposal, diffie_hellman_t *dh,
-							  chunk_t nonce_i, chunk_t nonce_r,
-							  chunk_t *encr_i, chunk_t *integ_i,
-							  chunk_t *encr_r, chunk_t *integ_r)
+METHOD(keymat_t, derive_child_keys, bool,
+	private_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+	chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
+	chunk_t *encr_r, chunk_t *integ_r)
 {
 	u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
 	chunk_t seed, secret = chunk_empty;
@@ -480,37 +525,22 @@ static bool derive_child_keys(private_keymat_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of keymat_t.get_skd
- */
-static pseudo_random_function_t get_skd(private_keymat_t *this, chunk_t *skd)
+METHOD(keymat_t, get_skd, pseudo_random_function_t,
+	private_keymat_t *this, chunk_t *skd)
 {
 	*skd = this->skd;
 	return this->prf_alg;
 }
 
-/**
- * Implementation of keymat_t.get_signer
- */
-static signer_t* get_signer(private_keymat_t *this, bool in)
-{
-	return in ? this->signer_in : this->signer_out;
-}
-
-/**
- * Implementation of keymat_t.get_crypter
- */
-static crypter_t* get_crypter(private_keymat_t *this, bool in)
+METHOD(keymat_t, get_aead, aead_t*,
+	private_keymat_t *this, bool in)
 {
-	return in ? this->crypter_in : this->crypter_out;
+	return in ? this->aead_in : this->aead_out;
 }
 
-/**
- * Implementation of keymat_t.get_auth_octets
- */
-static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
-							   chunk_t ike_sa_init, chunk_t nonce,
-							   identification_t *id)
+METHOD(keymat_t, get_auth_octets, chunk_t,
+	private_keymat_t *this, bool verify, chunk_t ike_sa_init,
+	chunk_t nonce, identification_t *id)
 {
 	chunk_t chunk, idx, octets;
 	chunk_t skp;
@@ -538,12 +568,9 @@ static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
 #define IKEV2_KEY_PAD_LENGTH 17
 
-/**
- * Implementation of keymat_t.get_psk_sig
- */
-static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
-						   chunk_t ike_sa_init, chunk_t nonce, chunk_t secret,
-						   identification_t *id)
+METHOD(keymat_t, get_psk_sig, chunk_t,
+	private_keymat_t *this, bool verify, chunk_t ike_sa_init,
+	chunk_t nonce, chunk_t secret, identification_t *id)
 {
 	chunk_t key_pad, key, sig, octets;
 
@@ -567,15 +594,11 @@ static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
 	return sig;
 }
 
-/**
- * Implementation of keymat_t.destroy.
- */
-static void destroy(private_keymat_t *this)
+METHOD(keymat_t, destroy, void,
+	private_keymat_t *this)
 {
-	DESTROY_IF(this->signer_in);
-	DESTROY_IF(this->signer_out);
-	DESTROY_IF(this->crypter_in);
-	DESTROY_IF(this->crypter_out);
+	DESTROY_IF(this->aead_in);
+	DESTROY_IF(this->aead_out);
 	DESTROY_IF(this->prf);
 	chunk_clear(&this->skd);
 	chunk_clear(&this->skp_verify);
@@ -588,29 +611,22 @@ static void destroy(private_keymat_t *this)
  */
 keymat_t *keymat_create(bool initiator)
 {
-	private_keymat_t *this = malloc_thing(private_keymat_t);
-
-	this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
-	this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys;
-	this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
-	this->public.get_skd = (pseudo_random_function_t(*)(keymat_t*, chunk_t *skd))get_skd;
-	this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
-	this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
-	this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
-	this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig;
-	this->public.destroy = (void(*)(keymat_t*))destroy;
-
-	this->initiator = initiator;
-
-	this->signer_in = NULL;
-	this->signer_out = NULL;
-	this->crypter_in = NULL;
-	this->crypter_out = NULL;
-	this->prf = NULL;
-	this->prf_alg = PRF_UNDEFINED;
-	this->skd = chunk_empty;
-	this->skp_verify = chunk_empty;
-	this->skp_build = chunk_empty;
+	private_keymat_t *this;
+
+	INIT(this,
+		.public = {
+			.create_dh = _create_dh,
+			.derive_ike_keys = _derive_ike_keys,
+			.derive_child_keys = _derive_child_keys,
+			.get_skd = _get_skd,
+			.get_aead = _get_aead,
+			.get_auth_octets = _get_auth_octets,
+			.get_psk_sig = _get_psk_sig,
+			.destroy = _destroy,
+		},
+		.initiator = initiator,
+		.prf_alg = PRF_UNDEFINED,
+	);
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h
index e51709e8d..4f01aa411 100644
--- a/src/libcharon/sa/keymat.h
+++ b/src/libcharon/sa/keymat.h
@@ -24,8 +24,7 @@
 #include <library.h>
 #include <utils/identification.h>
 #include <crypto/prfs/prf.h>
-#include <crypto/crypters/crypter.h>
-#include <crypto/signers/signer.h>
+#include <crypto/aead.h>
 #include <config/proposal.h>
 #include <sa/ike_sa_id.h>
 
@@ -99,21 +98,13 @@ struct keymat_t {
 	 */
 	pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd);
 
-	/**
-	 * Get a signer to sign/verify IKE messages.
-	 *
-	 * @param in		TRUE for inbound (verify), FALSE for outbound (sign)
-	 * @return			signer
-	 */
-	signer_t* (*get_signer)(keymat_t *this, bool in);
-
 	/*
-	 * Get a crypter to en-/decrypt IKE messages.
+	 * Get a AEAD transform to en-/decrypt and sign/verify IKE messages.
 	 *
 	 * @param in		TRUE for inbound (decrypt), FALSE for outbound (encrypt)
 	 * @return			crypter
 	 */
-	crypter_t* (*get_crypter)(keymat_t *this, bool in);
+	aead_t* (*get_aead)(keymat_t *this, bool in);
 
 	/**
 	 * Generate octets to use for authentication procedure (RFC4306 2.15).
diff --git a/src/libcharon/sa/mediation_manager.c b/src/libcharon/sa/mediation_manager.c
index 035f49053..2fbab7c7c 100644
--- a/src/libcharon/sa/mediation_manager.c
+++ b/src/libcharon/sa/mediation_manager.c
@@ -241,7 +241,7 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
 										  (void**)&requester) == SUCCESS)
 	{
 		job_t *job = (job_t*)mediation_callback_job_create(requester, peer_id);
-		charon->processor->queue_job(charon->processor, job);
+		lib->processor->queue_job(lib->processor, job);
 		requester->destroy(requester);
 	}
 
diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c
index a68826440..18703ce36 100644
--- a/src/libcharon/sa/task_manager.c
+++ b/src/libcharon/sa/task_manager.c
@@ -274,7 +274,7 @@ METHOD(task_manager_t, retransmit, status_t,
 		this->initiating.retransmitted++;
 		job = (job_t*)retransmit_job_create(this->initiating.mid,
 											this->ike_sa->get_id(this->ike_sa));
-		charon->scheduler->schedule_job_ms(charon->scheduler, job, timeout);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
 	}
 	return SUCCESS;
 }
@@ -883,11 +883,21 @@ METHOD(task_manager_t, process_message, status_t,
 	private_task_manager_t *this, message_t *msg)
 {
 	u_int32_t mid = msg->get_message_id(msg);
+	host_t *me = msg->get_destination(msg), *other = msg->get_source(msg);
 
 	if (msg->get_request(msg))
 	{
 		if (mid == this->responding.mid)
 		{
+			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
+				msg->get_exchange_type(msg) != IKE_SA_INIT)
+			{	/* only do host updates based on verified messages */
+				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+				{	/* with MOBIKE, we do no implicit updates */
+					this->ike_sa->update_hosts(this->ike_sa, me, other);
+				}
+			}
 			charon->bus->message(charon->bus, msg, TRUE);
 			if (process_request(this, msg) != SUCCESS)
 			{
@@ -920,6 +930,15 @@ METHOD(task_manager_t, process_message, status_t,
 	{
 		if (mid == this->initiating.mid)
 		{
+			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
+				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
+				msg->get_exchange_type(msg) != IKE_SA_INIT)
+			{	/* only do host updates based on verified messages */
+				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+				{	/* with MOBIKE, we do no implicit updates */
+					this->ike_sa->update_hosts(this->ike_sa, me, other);
+				}
+			}
 			charon->bus->message(charon->bus, msg, TRUE);
 			if (process_response(this, msg) != SUCCESS)
 			{
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c
index 3de27ee3f..57beedba9 100644
--- a/src/libcharon/sa/tasks/child_create.c
+++ b/src/libcharon/sa/tasks/child_create.c
@@ -261,7 +261,7 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
 	{
 		close_ike = lib->settings->get_bool(lib->settings,
 										"charon.inactivity_close_ike", FALSE);
-		charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+		lib->scheduler->schedule_job(lib->scheduler, (job_t*)
 				inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
 									  timeout, close_ike), timeout);
 	}
@@ -871,7 +871,7 @@ static void handle_child_sa_failure(private_child_create_t *this,
 		/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
 		 * first */
 		DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
-		charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
+		lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
 			delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
 			100);
 	}
diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/tasks/child_delete.c
index b0cd30e1e..45e97e4cd 100644
--- a/src/libcharon/sa/tasks/child_delete.c
+++ b/src/libcharon/sa/tasks/child_delete.c
@@ -117,11 +117,10 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
  */
 static void process_payloads(private_child_delete_t *this, message_t *message)
 {
-	enumerator_t *payloads;
-	iterator_t *spis;
+	enumerator_t *payloads, *spis;
 	payload_t *payload;
 	delete_payload_t *delete_payload;
-	u_int32_t *spi;
+	u_int32_t spi;
 	protocol_id_t protocol;
 	child_sa_t *child_sa;
 
@@ -136,19 +135,19 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 			{
 				continue;
 			}
-			spis = delete_payload->create_spi_iterator(delete_payload);
-			while (spis->iterate(spis, (void**)&spi))
+			spis = delete_payload->create_spi_enumerator(delete_payload);
+			while (spis->enumerate(spis, &spi))
 			{
 				child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
-													  *spi, FALSE);
+													  spi, FALSE);
 				if (child_sa == NULL)
 				{
 					DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x, "
-						 "but no such SA", protocol_id_names, protocol, ntohl(*spi));
+						 "but no such SA", protocol_id_names, protocol, ntohl(spi));
 					continue;
 				}
 				DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x",
-						protocol_id_names, protocol, ntohl(*spi));
+					 protocol_id_names, protocol, ntohl(spi));
 
 				switch (child_sa->get_state(child_sa))
 				{
@@ -161,7 +160,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
 						if (!this->initiator)
 						{
 							this->ike_sa->destroy_child_sa(this->ike_sa,
-														   protocol, *spi);
+														   protocol, spi);
 							continue;
 						}
 					case CHILD_INSTALLED:
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c
index fb3452efd..fdaaea4b8 100644
--- a/src/libcharon/sa/tasks/child_rekey.c
+++ b/src/libcharon/sa/tasks/child_rekey.c
@@ -75,6 +75,15 @@ struct private_child_rekey_t {
 	 * colliding task, may be delete or rekey
 	 */
 	task_t *collision;
+
+	/**
+	 * Indicate that peer destroyed the redundant child from collision.
+	 * This happens if a peer's delete notification for the redundant
+	 * child gets processed before the rekey job. If so, we must not
+	 * touch the child created in the collision since it points to
+	 * memory already freed.
+	 */
+	bool other_child_destroyed;
 };
 
 /**
@@ -239,9 +248,13 @@ static child_sa_t *handle_collision(private_child_rekey_t *this)
 			DBG1(DBG_IKE, "CHILD_SA rekey collision won, "
 				 "deleting rekeyed child");
 			to_delete = this->child_sa;
-			/* disable close action for the redundand child */
-			child_sa = other->child_create->get_child(other->child_create);
-			child_sa->set_close_action(child_sa, ACTION_NONE);
+			/* don't touch child other created, it has already been deleted */
+			if (!this->other_child_destroyed)
+			{
+				/* disable close action for the redundand child */
+				child_sa = other->child_create->get_child(other->child_create);
+				child_sa->set_close_action(child_sa, ACTION_NONE);
+			}
 		}
 		else
 		{
@@ -286,7 +299,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 		DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
 			 "starting reauthentication");
 		this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-		charon->processor->queue_job(charon->processor,
+		lib->processor->queue_job(lib->processor,
 				(job_t*)rekey_ike_sa_job_create(
 							this->ike_sa->get_id(this->ike_sa), TRUE));
 		return SUCCESS;
@@ -316,7 +329,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
 			DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
 								"trying again in %d seconds", retry);
 			this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
-			charon->scheduler->schedule_job(charon->scheduler, job, retry);
+			lib->scheduler->schedule_job(lib->scheduler, job, retry);
 		}
 		return SUCCESS;
 	}
@@ -380,6 +393,13 @@ static void collide(private_child_rekey_t *this, task_t *other)
 	else if (other->get_type(other) == CHILD_DELETE)
 	{
 		child_delete_t *del = (child_delete_t*)other;
+		if (del->get_child(del) == this->child_create->get_child(this->child_create))
+		{
+			/* peer deletes redundant child created in collision */
+			this->other_child_destroyed = TRUE;
+			other->destroy(other);
+			return;
+		}
 		if (del == NULL || del->get_child(del) != this->child_sa)
 		{
 			/* not the same child => no collision */
@@ -466,6 +486,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
 	this->spi = spi;
 	this->collision = NULL;
 	this->child_delete = NULL;
+	this->other_child_destroyed = FALSE;
 
 	return &this->public;
 }
diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c
index a954782f2..b440ec811 100644
--- a/src/libcharon/sa/tasks/ike_auth.c
+++ b/src/libcharon/sa/tasks/ike_auth.c
@@ -481,9 +481,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 		{
 			this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
 		}
-		if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN) &&
-			message->get_notify(message, EAP_ONLY_AUTHENTICATION))
-		{	/* EAP-only has no official notify, accept only from strongSwan */
+		if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
+		{
 			this->ike_sa->enable_extension(this->ike_sa,
 										   EXT_EAP_ONLY_AUTHENTICATION);
 		}
@@ -538,6 +537,11 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
 			{
 				cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
 			}
+			id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
+			if (id)
+			{
+				cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
+			}
 		}
 
 		/* verify authentication data */
@@ -821,7 +825,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
 					break;
 				default:
 				{
-					if (type < 16383)
+					if (type <= 16383)
 					{
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c
index 38fb572f4..dd4a5f5c0 100644
--- a/src/libcharon/sa/tasks/ike_init.c
+++ b/src/libcharon/sa/tasks/ike_init.c
@@ -468,7 +468,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
 				}
 				default:
 				{
-					if (type < 16383)
+					if (type <= 16383)
 					{
 						DBG1(DBG_IKE, "received %N notify error",
 							 notify_type_names, type);
diff --git a/src/libcharon/sa/tasks/ike_me.c b/src/libcharon/sa/tasks/ike_me.c
index 2d2847ae0..1de6ae8fc 100644
--- a/src/libcharon/sa/tasks/ike_me.c
+++ b/src/libcharon/sa/tasks/ike_me.c
@@ -17,6 +17,7 @@
 
 #include <string.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <config/peer_cfg.h>
 #include <encoding/payloads/id_payload.h>
@@ -134,8 +135,8 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
 	host = this->ike_sa->get_my_host(this->ike_sa);
 	port = host->get_port(host);
 
-	enumerator = charon->kernel_interface->create_address_enumerator(
-										charon->kernel_interface, FALSE, FALSE);
+	enumerator = hydra->kernel_interface->create_address_enumerator(
+										hydra->kernel_interface, FALSE, FALSE);
 	while (enumerator->enumerate(enumerator, (void**)&addr))
 	{
 		host = addr->clone(addr);
@@ -454,6 +455,9 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 				DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting");
 				return FAILED;
 			}
+			/* if we are on a mediation connection we switch to port 4500 even
+			 * if no NAT is detected. */
+			this->ike_sa->float_ports(this->ike_sa);
 			return NEED_MORE;
 		}
 		case IKE_AUTH:
@@ -689,7 +693,7 @@ static status_t build_r_ms(private_ike_me_t *this, message_t *message)
 			job_t *job = (job_t*)mediation_job_create(this->peer_id,
 					this->ike_sa->get_other_id(this->ike_sa), this->connect_id,
 					this->connect_key, this->remote_endpoints, this->response);
-			charon->processor->queue_job(charon->processor, job);
+			lib->processor->queue_job(lib->processor, job);
 			break;
 		}
 		default:
diff --git a/src/libcharon/sa/tasks/ike_mobike.c b/src/libcharon/sa/tasks/ike_mobike.c
index a62886f02..5b12eaaac 100644
--- a/src/libcharon/sa/tasks/ike_mobike.c
+++ b/src/libcharon/sa/tasks/ike_mobike.c
@@ -17,6 +17,7 @@
 
 #include <string.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <sa/tasks/ike_natd.h>
 #include <encoding/payloads/notify_payload.h>
@@ -70,6 +71,11 @@ struct private_ike_mobike_t {
 	 * include address list update
 	 */
 	bool address;
+
+	/**
+	 * additional addresses got updated
+	 */
+	bool addresses_updated;
 };
 
 /**
@@ -153,6 +159,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 				host = host_create_from_chunk(family, data, 0);
 				DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
 				this->ike_sa->add_additional_address(this->ike_sa, host);
+				this->addresses_updated = TRUE;
 				break;
 			}
 			case UPDATE_SA_ADDRESSES:
@@ -163,6 +170,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
 			case NO_ADDITIONAL_ADDRESSES:
 			{
 				flush_additional_addresses(this);
+				this->addresses_updated = TRUE;
 				break;
 			}
 			case NAT_DETECTION_SOURCE_IP:
@@ -193,8 +201,8 @@ static void build_address_list(private_ike_mobike_t *this, message_t *message)
 	int added = 0;
 
 	me = this->ike_sa->get_my_host(this->ike_sa);
-	enumerator = charon->kernel_interface->create_address_enumerator(
-										charon->kernel_interface, FALSE, FALSE);
+	enumerator = hydra->kernel_interface->create_address_enumerator(
+										hydra->kernel_interface, FALSE, FALSE);
 	while (enumerator->enumerate(enumerator, (void**)&host))
 	{
 		if (me->ip_equals(me, host))
@@ -269,32 +277,23 @@ static void update_children(private_ike_mobike_t *this)
 }
 
 /**
- * Apply port of old address if it equals new, port otherwise
+ * Apply the port of the old host, if its ip equals the new, use port otherwise.
  */
-static void apply_port(private_ike_mobike_t *this, host_t *host, host_t *old,
-					   u_int16_t port)
+static void apply_port(host_t *host, host_t *old, u_int16_t port)
 {
 	if (host->ip_equals(host, old))
 	{
-		host->set_port(host, old->get_port(old));
+		port = old->get_port(old);
 	}
-	else
+	else if (port == IKEV2_UDP_PORT)
 	{
-		if (port == IKEV2_UDP_PORT)
-		{
-			host->set_port(host, IKEV2_NATT_PORT);
-		}
-		else
-		{
-			host->set_port(host, port);
-		}
+		port = IKEV2_NATT_PORT;
 	}
+	host->set_port(host, port);
 }
 
-/**
- * Implementation of ike_mobike_t.transmit
- */
-static void transmit(private_ike_mobike_t *this, packet_t *packet)
+METHOD(ike_mobike_t, transmit, void,
+	   private_ike_mobike_t *this, packet_t *packet)
 {
 	host_t *me, *other, *me_old, *other_old;
 	iterator_t *iterator;
@@ -310,11 +309,11 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 	other_old = this->ike_sa->get_other_host(this->ike_sa);
 	ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
 
-	me = charon->kernel_interface->get_source_addr(
-									charon->kernel_interface, other_old, NULL);
+	me = hydra->kernel_interface->get_source_addr(
+									hydra->kernel_interface, other_old, NULL);
 	if (me)
 	{
-		apply_port(this, me, me_old, ike_cfg->get_my_port(ike_cfg));
+		apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
 		DBG1(DBG_IKE, "checking original path %#H - %#H", me, other_old);
 		copy = packet->clone(packet);
 		copy->set_source(copy, me);
@@ -324,8 +323,8 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 	iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
 	while (iterator->iterate(iterator, (void**)&other))
 	{
-		me = charon->kernel_interface->get_source_addr(
-										charon->kernel_interface, other, NULL);
+		me = hydra->kernel_interface->get_source_addr(
+										hydra->kernel_interface, other, NULL);
 		if (me)
 		{
 			if (me->get_family(me) != other->get_family(other))
@@ -334,9 +333,9 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 				continue;
 			}
 			/* reuse port for an active address, 4500 otherwise */
-			apply_port(this, me, me_old, ike_cfg->get_my_port(ike_cfg));
+			apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg));
 			other = other->clone(other);
-			apply_port(this, other, other_old, ike_cfg->get_other_port(ike_cfg));
+			apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg));
 			DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
 			copy = packet->clone(packet);
 			copy->set_source(copy, me);
@@ -347,12 +346,11 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
 	iterator->destroy(iterator);
 }
 
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t build_i(private_ike_mobike_t *this, message_t *message)
+METHOD(task_t, build_i, status_t,
+	   private_ike_mobike_t *this, message_t *message)
 {
-	if (message->get_message_id(message) == 1)
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		message->get_message_id(message) == 1)
 	{	/* only in first IKE_AUTH */
 		message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
 		build_address_list(this, message);
@@ -363,7 +361,7 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
 
 		/* we check if the existing address is still valid */
 		old = message->get_source(message);
-		new = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+		new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
 										message->get_destination(message), old);
 		if (new)
 		{
@@ -379,11 +377,12 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
 		}
 		if (this->update)
 		{
-			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
+			message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
+								chunk_empty);
 			build_cookie(this, message);
 			update_children(this);
 		}
-		if (this->address)
+		if (this->address && !this->check)
 		{
 			build_address_list(this, message);
 		}
@@ -395,12 +394,11 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.process for responder
- */
-static status_t process_r(private_ike_mobike_t *this, message_t *message)
+METHOD(task_t, process_r, status_t,
+	   private_ike_mobike_t *this, message_t *message)
 {
-	if (message->get_message_id(message) == 1)
+	if (message->get_exchange_type(message) == IKE_AUTH &&
+		message->get_message_id(message) == 1)
 	{	/* only first IKE_AUTH */
 		process_payloads(this, message);
 	}
@@ -421,14 +419,25 @@ static status_t process_r(private_ike_mobike_t *this, message_t *message)
 		{
 			this->natd->task.process(&this->natd->task, message);
 		}
+		if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
+												COND_ORIGINAL_INITIATOR))
+		{
+			host_t *other = message->get_source(message);
+			host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
+			if (!other->equals(other, other_old))
+			{
+				DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
+					 other);
+				this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
+				this->update = TRUE;
+			}
+		}
 	}
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.build for responder
- */
-static status_t build_r(private_ike_mobike_t *this, message_t *message)
+METHOD(task_t, build_r, status_t,
+	   private_ike_mobike_t *this, message_t *message)
 {
 	if (message->get_exchange_type(message) == IKE_AUTH &&
 		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
@@ -460,10 +469,8 @@ static status_t build_r(private_ike_mobike_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of task_t.process for initiator
- */
-static status_t process_i(private_ike_mobike_t *this, message_t *message)
+METHOD(task_t, process_i, status_t,
+	   private_ike_mobike_t *this, message_t *message)
 {
 	if (message->get_exchange_type(message) == IKE_AUTH &&
 		this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
@@ -536,14 +543,22 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 			}
 			if (this->update)
 			{
-				/* start the update with the same task */
-				this->check = FALSE;
-				this->address = FALSE;
-				if (this->natd)
-				{
-					this->natd->task.destroy(&this->natd->task);
+				/* use the same task to ... */
+				if (!this->ike_sa->has_condition(this->ike_sa,
+												 COND_ORIGINAL_INITIATOR))
+				{	/*... send an updated list of addresses as responder */
+					update_children(this);
+					this->update = FALSE;
+				}
+				else
+				{	/* ... send the update as original initiator */
+					if (this->natd)
+					{
+						this->natd->task.destroy(&this->natd->task);
+					}
+					this->natd = ike_natd_create(this->ike_sa, this->initiator);
 				}
-				this->natd = ike_natd_create(this->ike_sa, this->initiator);
+				this->check = FALSE;
 				this->ike_sa->set_pending_updates(this->ike_sa, 1);
 				return NEED_MORE;
 			}
@@ -553,51 +568,48 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 	return NEED_MORE;
 }
 
-/**
- * Implementation of ike_mobike_t.roam.
- */
-static void roam(private_ike_mobike_t *this, bool address)
+METHOD(ike_mobike_t, addresses, void,
+	   private_ike_mobike_t *this)
+{
+	this->address = TRUE;
+	this->ike_sa->set_pending_updates(this->ike_sa,
+						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+}
+
+METHOD(ike_mobike_t, roam, void,
+	   private_ike_mobike_t *this, bool address)
 {
 	this->check = TRUE;
 	this->address = address;
 	this->ike_sa->set_pending_updates(this->ike_sa,
-							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
 }
 
-/**
- * Implementation of ike_mobike_t.dpd
- */
-static void dpd(private_ike_mobike_t *this)
+METHOD(ike_mobike_t, dpd, void,
+	   private_ike_mobike_t *this)
 {
 	if (!this->natd)
 	{
 		this->natd = ike_natd_create(this->ike_sa, this->initiator);
 	}
-	this->address = FALSE;
 	this->ike_sa->set_pending_updates(this->ike_sa,
-							this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+						this->ike_sa->get_pending_updates(this->ike_sa) + 1);
 }
 
-/**
- * Implementation of ike_mobike_t.is_probing.
- */
-static bool is_probing(private_ike_mobike_t *this)
+METHOD(ike_mobike_t, is_probing, bool,
+	   private_ike_mobike_t *this)
 {
 	return this->check;
 }
 
-/**
- * Implementation of task_t.get_type
- */
-static task_type_t get_type(private_ike_mobike_t *this)
+METHOD(task_t, get_type, task_type_t,
+	   private_ike_mobike_t *this)
 {
 	return IKE_MOBIKE;
 }
 
-/**
- * Implementation of task_t.migrate
- */
-static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa)
+METHOD(task_t, migrate, void,
+	   private_ike_mobike_t *this, ike_sa_t *ike_sa)
 {
 	chunk_free(&this->cookie2);
 	this->ike_sa = ike_sa;
@@ -607,10 +619,8 @@ static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa)
 	}
 }
 
-/**
- * Implementation of task_t.destroy
- */
-static void destroy(private_ike_mobike_t *this)
+METHOD(task_t, destroy, void,
+	   private_ike_mobike_t *this)
 {
 	chunk_free(&this->cookie2);
 	if (this->natd)
@@ -625,35 +635,36 @@ static void destroy(private_ike_mobike_t *this)
  */
 ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
 {
-	private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t);
-
-	this->public.roam = (void(*)(ike_mobike_t*,bool))roam;
-	this->public.dpd = (void(*)(ike_mobike_t*))dpd;
-	this->public.transmit = (void(*)(ike_mobike_t*,packet_t*))transmit;
-	this->public.is_probing = (bool(*)(ike_mobike_t*))is_probing;
-	this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
-	this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
-	this->public.task.destroy = (void(*)(task_t*))destroy;
+	private_ike_mobike_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+			.addresses = _addresses,
+			.roam = _roam,
+			.dpd = _dpd,
+			.transmit = _transmit,
+			.is_probing = _is_probing,
+		},
+		.ike_sa = ike_sa,
+		.initiator = initiator,
+	);
 
 	if (initiator)
 	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+		this->public.task.build = _build_i;
+		this->public.task.process = _process_i;
 	}
 	else
 	{
-		this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
-		this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+		this->public.task.build = _build_r;
+		this->public.task.process = _process_r;
 	}
 
-	this->ike_sa = ike_sa;
-	this->initiator = initiator;
-	this->update = FALSE;
-	this->check = FALSE;
-	this->address = TRUE;
-	this->cookie2 = chunk_empty;
-	this->natd = NULL;
-
 	return &this->public;
 }
 
diff --git a/src/libcharon/sa/tasks/ike_mobike.h b/src/libcharon/sa/tasks/ike_mobike.h
index 05b2224d1..16611939e 100644
--- a/src/libcharon/sa/tasks/ike_mobike.h
+++ b/src/libcharon/sa/tasks/ike_mobike.h
@@ -46,6 +46,11 @@ struct ike_mobike_t {
 	task_t task;
 
 	/**
+	 * Use the task to update the list of additional addresses.
+	 */
+	void (*addresses)(ike_mobike_t *this);
+
+	/**
 	 * Use the task to roam to other addresses.
 	 *
 	 * @param address		TRUE to include address list update
diff --git a/src/libcharon/sa/tasks/ike_natd.c b/src/libcharon/sa/tasks/ike_natd.c
index 9ea20ba36..7839b52eb 100644
--- a/src/libcharon/sa/tasks/ike_natd.c
+++ b/src/libcharon/sa/tasks/ike_natd.c
@@ -18,6 +18,7 @@
 
 #include <string.h>
 
+#include <hydra.h>
 #include <daemon.h>
 #include <config/peer_cfg.h>
 #include <crypto/hashers/hasher.h>
@@ -265,41 +266,15 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 	if (message->get_exchange_type(message) == IKE_SA_INIT)
 	{
 		peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-
-#ifdef ME
-		/* if we are on a mediated connection we have already switched to
-		 * port 4500 and the correct destination port is already configured,
-		 * therefore we must not switch again */
-		if (peer_cfg->get_mediated_by(peer_cfg))
-		{
-			return SUCCESS;
-		}
-#endif /* ME */
-
 		if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
-#ifdef ME
-			/* if we are on a mediation connection we switch to port 4500 even
-			 * if no NAT is detected. */
-			peer_cfg->is_mediation(peer_cfg) ||
-#endif /* ME */
 			/* if peer supports NAT-T, we switch to port 4500 even
-			 * if no NAT is detected. MOBIKE requires this. */
+			 * if no NAT is detected. can't be done later (when we would know
+			 * whether the peer supports MOBIKE) because there would be no
+			 * exchange to actually do the switch (other than a forced DPD). */
 			(peer_cfg->use_mobike(peer_cfg) &&
 			 this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
 		{
-			host_t *me, *other;
-
-			/* do not switch if we have a custom port from mobike/NAT */
-			me = this->ike_sa->get_my_host(this->ike_sa);
-			if (me->get_port(me) == IKEV2_UDP_PORT)
-			{
-				me->set_port(me, IKEV2_NATT_PORT);
-			}
-			other = this->ike_sa->get_other_host(this->ike_sa);
-			if (other->get_port(other) == IKEV2_UDP_PORT)
-			{
-				other->set_port(other, IKEV2_NATT_PORT);
-			}
+			this->ike_sa->float_ports(this->ike_sa);
 		}
 	}
 
@@ -342,7 +317,7 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
 	}
 	else
 	{
-		host = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+		host = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
 							this->ike_sa->get_other_host(this->ike_sa), NULL);
 		if (host)
 		{	/* 2. */
@@ -353,8 +328,8 @@ static status_t build_i(private_ike_natd_t *this, message_t *message)
 		}
 		else
 		{	/* 3. */
-			enumerator = charon->kernel_interface->create_address_enumerator(
-										charon->kernel_interface, FALSE, FALSE);
+			enumerator = hydra->kernel_interface->create_address_enumerator(
+										hydra->kernel_interface, FALSE, FALSE);
 			while (enumerator->enumerate(enumerator, (void**)&host))
 			{
 				/* apply port 500 to host, but work on a copy */
diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c
index a2275e796..1a6c140c4 100644
--- a/src/libcharon/sa/tasks/ike_rekey.c
+++ b/src/libcharon/sa/tasks/ike_rekey.c
@@ -196,7 +196,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 		DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
 			 "starting reauthentication");
 		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-		charon->processor->queue_job(charon->processor,
+		lib->processor->queue_job(lib->processor,
 				(job_t*)rekey_ike_sa_job_create(
 							this->ike_sa->get_id(this->ike_sa), TRUE));
 		return SUCCESS;
@@ -217,7 +217,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 				DBG1(DBG_IKE, "IKE_SA rekeying failed, "
 										"trying again in %d seconds", retry);
 				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-				charon->scheduler->schedule_job(charon->scheduler, job, retry);
+				lib->scheduler->schedule_job(lib->scheduler, job, retry);
 			}
 			return SUCCESS;
 		case NEED_MORE:
@@ -241,51 +241,56 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
 	if (this->collision &&
 		this->collision->get_type(this->collision) == IKE_REKEY)
 	{
-		chunk_t this_nonce, other_nonce;
-		host_t *host;
 		private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;
 
-		this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
-		other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
-
-		/* if we have the lower nonce, delete rekeyed SA. If not, delete
-		 * the redundant. */
-		if (memcmp(this_nonce.ptr, other_nonce.ptr,
-				   min(this_nonce.len, other_nonce.len)) < 0)
-		{
-			/* peer should delete this SA. Add a timeout just in case. */
-			job_t *job = (job_t*)delete_ike_sa_job_create(
-									other->new_sa->get_id(other->new_sa), TRUE);
-			charon->scheduler->schedule_job(charon->scheduler, job, 10);
-			DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
-			charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
-			other->new_sa = NULL;
-		}
-		else
+		/* ike_init can be NULL, if child_sa is half-open */
+		if (other->ike_init)
 		{
-			DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA");
-			/* apply host for a proper delete */
-			host = this->ike_sa->get_my_host(this->ike_sa);
-			this->new_sa->set_my_host(this->new_sa, host->clone(host));
-			host = this->ike_sa->get_other_host(this->ike_sa);
-			this->new_sa->set_other_host(this->new_sa, host->clone(host));
-			this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
-			if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
+			host_t *host;
+			chunk_t this_nonce, other_nonce;
+
+			this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
+			other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
+
+			/* if we have the lower nonce, delete rekeyed SA. If not, delete
+			 * the redundant. */
+			if (memcmp(this_nonce.ptr, other_nonce.ptr,
+						min(this_nonce.len, other_nonce.len)) < 0)
 			{
-				charon->ike_sa_manager->checkin_and_destroy(
-										charon->ike_sa_manager, this->new_sa);
+				/* peer should delete this SA. Add a timeout just in case. */
+				job_t *job = (job_t*)delete_ike_sa_job_create(
+						other->new_sa->get_id(other->new_sa), TRUE);
+				lib->scheduler->schedule_job(lib->scheduler, job, 10);
+				DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
+				charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
+				other->new_sa = NULL;
 			}
 			else
 			{
-				charon->ike_sa_manager->checkin(
-										charon->ike_sa_manager, this->new_sa);
+				DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA");
+				/* apply host for a proper delete */
+				host = this->ike_sa->get_my_host(this->ike_sa);
+				this->new_sa->set_my_host(this->new_sa, host->clone(host));
+				host = this->ike_sa->get_other_host(this->ike_sa);
+				this->new_sa->set_other_host(this->new_sa, host->clone(host));
+				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+				if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
+				{
+					charon->ike_sa_manager->checkin_and_destroy(
+								charon->ike_sa_manager, this->new_sa);
+				}
+				else
+				{
+					charon->ike_sa_manager->checkin(
+								charon->ike_sa_manager, this->new_sa);
+				}
+				/* set threads active IKE_SA after checkin */
+				charon->bus->set_sa(charon->bus, this->ike_sa);
+				/* inherit to other->new_sa in destroy() */
+				this->new_sa = other->new_sa;
+				other->new_sa = NULL;
+				return SUCCESS;
 			}
-			/* set threads active IKE_SA after checkin */
-			charon->bus->set_sa(charon->bus, this->ike_sa);
-			/* inherit to other->new_sa in destroy() */
-			this->new_sa = other->new_sa;
-			other->new_sa = NULL;
-			return SUCCESS;
 		}
 		/* set threads active IKE_SA after checkin */
 		charon->bus->set_sa(charon->bus, this->ike_sa);
diff --git a/src/libcharon/sa/tasks/ike_vendor.c b/src/libcharon/sa/tasks/ike_vendor.c
index 7c435b6d1..1c14ee06b 100644
--- a/src/libcharon/sa/tasks/ike_vendor.c
+++ b/src/libcharon/sa/tasks/ike_vendor.c
@@ -123,12 +123,14 @@ ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator)
 	private_ike_vendor_t *this;
 
 	INIT(this,
-		.public.task = {
-			.build = _build,
-			.process = _process,
-			.migrate = _migrate,
-			.get_type = _get_type,
-			.destroy = _destroy,
+		.public = {
+			.task = {
+				.build = _build,
+				.process = _process,
+				.migrate = _migrate,
+				.get_type = _get_type,
+				.destroy = _destroy,
+			},
 		},
 		.initiator = initiator,
 		.ike_sa = ike_sa,
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 80bf647cd..f91eff077 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -15,6 +15,7 @@
 
 #include "trap_manager.h"
 
+#include <hydra.h>
 #include <daemon.h>
 #include <threading/rwlock.h>
 #include <utils/linked_list.h>
@@ -138,8 +139,8 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
 	if (!me || me->is_anyaddr(me))
 	{
 		DESTROY_IF(me);
-		me = charon->kernel_interface->get_source_addr(
-									charon->kernel_interface, other, NULL);
+		me = hydra->kernel_interface->get_source_addr(
+									hydra->kernel_interface, other, NULL);
 		if (!me)
 		{
 			DBG1(DBG_CFG, "installing trap failed, local address unknown");
diff --git a/src/pluto/kernel_noklips.h b/src/libcharon/tnccs/tnccs.c
index 3da55d80b..2facf02c8 100644
--- a/src/pluto/kernel_noklips.h
+++ b/src/libcharon/tnccs/tnccs.c
@@ -1,6 +1,6 @@
-/* declarations of routines that interface with the kernel's pfkey mechanism
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- * Copyright (C) 2003  Herbert Xu
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,5 +13,10 @@
  * for more details.
  */
 
-extern void init_noklips(void);
-extern const struct kernel_ops noklips_kernel_ops;
+#include "tnccs.h"
+
+ENUM(eap_type_names, TNCCS_1_1, TNCCS_2_0,
+	"TNCCS 1.1",
+	"TNCCS SOH",
+	"TNCCS 2.0",
+);
diff --git a/src/libcharon/tnccs/tnccs.h b/src/libcharon/tnccs/tnccs.h
new file mode 100644
index 000000000..583512e82
--- /dev/null
+++ b/src/libcharon/tnccs/tnccs.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs tnccs
+ * @{ @ingroup libcharon
+ */
+
+#ifndef TNCCS_H_
+#define TNCCS_H_
+
+typedef enum tnccs_type_t tnccs_type_t;
+
+#include <library.h>
+
+/**
+ * Type of TNC Client/Server protocol
+ */
+enum tnccs_type_t {
+	TNCCS_1_1,
+	TNCCS_SOH,
+	TNCCS_2_0
+};
+
+/**
+ * enum names for tnccs_type_t.
+ */
+extern enum_name_t *tnccs_type_names;
+
+typedef struct tnccs_t tnccs_t;
+
+/**
+ * Constructor definition for a pluggable TNCCS protocol implementation.
+ *
+ * @param is_server		TRUE if TNC Server, FALSE if TNC Client
+ * @return				implementation of the tnccs_t interface
+ */
+typedef tnccs_t* (*tnccs_constructor_t)(bool is_server);
+
+#endif /** TNC_H_ @}*/
diff --git a/src/libcharon/tnccs/tnccs_manager.c b/src/libcharon/tnccs/tnccs_manager.c
new file mode 100644
index 000000000..0fd6737c0
--- /dev/null
+++ b/src/libcharon/tnccs/tnccs_manager.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_manager.h"
+
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_tnccs_manager_t private_tnccs_manager_t;
+typedef struct tnccs_entry_t tnccs_entry_t;
+
+/**
+ * TNCCS constructor entry
+ */
+struct tnccs_entry_t {
+
+	/**
+	 * TNCCS protocol type
+	 */
+	tnccs_type_t type;
+
+	/**
+	 * constructor function to create instance
+	 */
+	tnccs_constructor_t constructor;
+};
+
+/**
+ * private data of tnccs_manager
+ */
+struct private_tnccs_manager_t {
+
+	/**
+	 * public functions
+	 */
+	tnccs_manager_t public;
+
+	/**
+	 * list of tnccs_entry_t's
+	 */
+	linked_list_t *protocols;
+
+	/**
+	 * rwlock to lock methods
+	 */
+	rwlock_t *lock;
+};
+
+METHOD(tnccs_manager_t, add_method, void,
+	private_tnccs_manager_t *this, tnccs_type_t type,
+	tnccs_constructor_t constructor)
+{
+	tnccs_entry_t *entry = malloc_thing(tnccs_entry_t);
+
+	entry->type = type;
+	entry->constructor = constructor;
+
+	this->lock->write_lock(this->lock);
+	this->protocols->insert_last(this->protocols, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(tnccs_manager_t, remove_method, void,
+	private_tnccs_manager_t *this, tnccs_constructor_t constructor)
+{
+	enumerator_t *enumerator;
+	tnccs_entry_t *entry;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->protocols->create_enumerator(this->protocols);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (constructor == entry->constructor)
+		{
+			this->protocols->remove_at(this->protocols, enumerator);
+			free(entry);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(tnccs_manager_t, create_instance, tnccs_t*,
+	private_tnccs_manager_t *this, tnccs_type_t type, bool is_server)
+{
+	enumerator_t *enumerator;
+	tnccs_entry_t *entry;
+	tnccs_t *protocol = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->protocols->create_enumerator(this->protocols);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (type == entry->type)
+		{
+			protocol = entry->constructor(is_server);
+			if (protocol)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return protocol;
+}
+
+METHOD(tnccs_manager_t, destroy, void,
+	private_tnccs_manager_t *this)
+{
+	this->protocols->destroy_function(this->protocols, free);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/*
+ * See header
+ */
+tnccs_manager_t *tnccs_manager_create()
+{
+	private_tnccs_manager_t *this;
+
+	INIT(this,
+			.public = {
+				.add_method = _add_method,
+				.remove_method = _remove_method,
+				.create_instance = _create_instance,
+				.destroy = _destroy,
+			},
+			.protocols = linked_list_create(),
+			.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
+
diff --git a/src/libcharon/tnccs/tnccs_manager.h b/src/libcharon/tnccs/tnccs_manager.h
new file mode 100644
index 000000000..2f4a961a7
--- /dev/null
+++ b/src/libcharon/tnccs/tnccs_manager.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_manager tnccs_manager
+ * @{ @ingroup tnccs
+ */
+
+#ifndef TNCCS_MANAGER_H_
+#define TNCCS_MANAGER_H_
+
+#include "tnccs.h"
+
+typedef struct tnccs_manager_t tnccs_manager_t;
+
+/**
+ * The TNCCS manager manages all TNCCS implementations and creates instances.
+ *
+ * A plugin registers its implemented TNCCS protocol with the manager by
+ * providing type and a constructor function. The manager then creates
+ * TNCCS protocol instances via the provided constructor.
+ */
+struct tnccs_manager_t {
+
+	/**
+	 * Register a TNCCS protocol implementation.
+	 *
+	 * @param type			TNCCS protocol type
+	 * @param constructor	constructor, returns a TNCCS protocol implementation
+	 */
+	void (*add_method)(tnccs_manager_t *this, tnccs_type_t type,
+					   tnccs_constructor_t constructor);
+
+	/**
+	 * Unregister a TNCCS protocol implementation using it's constructor.
+	 *
+	 * @param constructor	constructor function to remove, as added in add_method
+	 */
+	void (*remove_method)(tnccs_manager_t *this, tnccs_constructor_t constructor);
+
+	/**
+	 * Create a new TNCCS protocol instance.
+	 *
+	 * @param type			type of the TNCCS protocol
+	 * @param is_server		TRUE if TNC Server, FALSE if TNC Client
+	 * @return				TNCCS protocol instance, NULL if no constructor found
+	 */
+	tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
+								bool is_server);
+
+	/**
+	 * Destroy a tnccs_manager instance.
+	 */
+	void (*destroy)(tnccs_manager_t *this);
+};
+
+/**
+ * Create a tnccs_manager instance.
+ */
+tnccs_manager_t *tnccs_manager_create();
+
+#endif /** TNCCS_MANAGER_H_ @}*/
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index a84b272dc..777f1fd10 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -162,6 +163,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -193,14 +196,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -215,24 +221,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -240,7 +253,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am
index 44dd31577..5fee39da9 100644
--- a/src/libfreeswan/Makefile.am
+++ b/src/libfreeswan/Makefile.am
@@ -11,6 +11,7 @@ libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c ato
 
 INCLUDES = \
 -I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto
 
 dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index 6d640d778..28ba035c6 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -179,6 +180,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -210,14 +213,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -232,24 +238,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -257,7 +270,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -282,6 +298,7 @@ libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c ato
 
 INCLUDES = \
 -I$(top_srcdir)/src/libstrongswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto
 
 dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
index caad7447a..2418e76ad 100644
--- a/src/libhydra/Android.mk
+++ b/src/libhydra/Android.mk
@@ -7,13 +7,21 @@ hydra.c hydra.h \
 attributes/attributes.c attributes/attributes.h \
 attributes/attribute_provider.h attributes/attribute_handler.h \
 attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h
+attributes/mem_pool.c attributes/mem_pool.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.h \
+kernel/kernel_listener.h
 
 # adding the plugin source files
 
 LOCAL_SRC_FILES += $(call add_plugin, attr)
 
-# build libcharon --------------------------------------------------------------
+LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
+
+LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
+
+# build libhydra ---------------------------------------------------------------
 
 LOCAL_C_INCLUDES += \
 	$(libvstr_PATH) \
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
index 4e5c55d3f..d0698d0f5 100644
--- a/src/libhydra/Makefile.am
+++ b/src/libhydra/Makefile.am
@@ -5,7 +5,11 @@ hydra.c hydra.h \
 attributes/attributes.c attributes/attributes.h \
 attributes/attribute_provider.h attributes/attribute_handler.h \
 attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h
+attributes/mem_pool.c attributes/mem_pool.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.h \
+kernel/kernel_listener.h
 
 libhydra_la_LIBADD =
 
@@ -40,6 +44,34 @@ if MONOLITHIC
 endif
 endif
 
+if USE_KERNEL_PFKEY
+  SUBDIRS += plugins/kernel_pfkey
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+endif
+endif
+
+if USE_KERNEL_PFROUTE
+  SUBDIRS += plugins/kernel_pfroute
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+endif
+endif
+
+if USE_KERNEL_KLIPS
+  SUBDIRS += plugins/kernel_klips
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/kernel_klips/libstrongswan-kernel-klips.la
+endif
+endif
+
+if USE_KERNEL_NETLINK
+  SUBDIRS += plugins/kernel_netlink
+if MONOLITHIC
+  libhydra_la_LIBADD += plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+endif
+endif
+
 if USE_RESOLVE
   SUBDIRS += plugins/resolve
 if MONOLITHIC
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index a3aec26c9..8e5697b79 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -38,8 +38,16 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_2 = plugins/attr/libstrongswan-attr.la
 @USE_ATTR_SQL_TRUE@am__append_3 = plugins/attr_sql
 @MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_4 = plugins/attr_sql/libstrongswan-attr-sql.la
-@USE_RESOLVE_TRUE@am__append_5 = plugins/resolve
-@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_6 = plugins/resolve/libstrongswan-resolve.la
+@USE_KERNEL_PFKEY_TRUE@am__append_5 = plugins/kernel_pfkey
+@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_6 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+@USE_KERNEL_PFROUTE_TRUE@am__append_7 = plugins/kernel_pfroute
+@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_8 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+@USE_KERNEL_KLIPS_TRUE@am__append_9 = plugins/kernel_klips
+@MONOLITHIC_TRUE@@USE_KERNEL_KLIPS_TRUE@am__append_10 = plugins/kernel_klips/libstrongswan-kernel-klips.la
+@USE_KERNEL_NETLINK_TRUE@am__append_11 = plugins/kernel_netlink
+@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_12 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+@USE_RESOLVE_TRUE@am__append_13 = plugins/resolve
+@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_14 = plugins/resolve/libstrongswan-resolve.la
 subdir = src/libhydra
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -50,6 +58,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -80,9 +89,10 @@ am__base_list = \
 am__installdirs = "$(DESTDIR)$(libdir)"
 LTLIBRARIES = $(lib_LTLIBRARIES)
 libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \
-	$(am__append_6)
+	$(am__append_6) $(am__append_8) $(am__append_10) \
+	$(am__append_12) $(am__append_14)
 am_libhydra_la_OBJECTS = hydra.lo attributes.lo attribute_manager.lo \
-	mem_pool.lo
+	mem_pool.lo kernel_interface.lo kernel_ipsec.lo
 libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -113,7 +123,9 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/resolve
+DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/kernel_pfkey \
+	plugins/kernel_pfroute plugins/kernel_klips \
+	plugins/kernel_netlink plugins/resolve
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -205,6 +217,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -236,14 +250,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -258,24 +275,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -283,7 +307,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -301,9 +328,15 @@ hydra.c hydra.h \
 attributes/attributes.c attributes/attributes.h \
 attributes/attribute_provider.h attributes/attribute_handler.h \
 attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h
-
-libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6)
+attributes/mem_pool.c attributes/mem_pool.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
+kernel/kernel_net.h \
+kernel/kernel_listener.h
+
+libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6) \
+	$(am__append_8) $(am__append_10) $(am__append_12) \
+	$(am__append_14)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
 -DIPSEC_DIR=\"${ipsecdir}\" \
@@ -312,12 +345,16 @@ AM_CFLAGS = \
 
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3) \
-@MONOLITHIC_FALSE@	$(am__append_5)
+@MONOLITHIC_FALSE@	$(am__append_5) $(am__append_7) \
+@MONOLITHIC_FALSE@	$(am__append_9) $(am__append_11) \
+@MONOLITHIC_FALSE@	$(am__append_13)
 
 # build optional plugins
 ########################
 @MONOLITHIC_TRUE@SUBDIRS = $(am__append_1) $(am__append_3) \
-@MONOLITHIC_TRUE@	$(am__append_5)
+@MONOLITHIC_TRUE@	$(am__append_5) $(am__append_7) \
+@MONOLITHIC_TRUE@	$(am__append_9) $(am__append_11) \
+@MONOLITHIC_TRUE@	$(am__append_13)
 all: all-recursive
 
 .SUFFIXES:
@@ -395,6 +432,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attribute_manager.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attributes.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_ipsec.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem_pool.Plo@am__quote@
 
 .c.o:
@@ -439,6 +478,20 @@ mem_pool.lo: attributes/mem_pool.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_pool.lo `test -f 'attributes/mem_pool.c' || echo '$(srcdir)/'`attributes/mem_pool.c
 
+kernel_interface.lo: kernel/kernel_interface.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.lo -MD -MP -MF $(DEPDIR)/kernel_interface.Tpo -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_interface.Tpo $(DEPDIR)/kernel_interface.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_interface.c' object='kernel_interface.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.lo `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
+
+kernel_ipsec.lo: kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_ipsec.lo -MD -MP -MF $(DEPDIR)/kernel_ipsec.Tpo -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/kernel_ipsec.Tpo $(DEPDIR)/kernel_ipsec.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='kernel/kernel_ipsec.c' object='kernel_ipsec.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_ipsec.lo `test -f 'kernel/kernel_ipsec.c' || echo '$(srcdir)/'`kernel/kernel_ipsec.c
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index e1d69fd6b..8af97dc78 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -18,7 +18,8 @@
 
 #include <debug.h>
 #include <utils/hashtable.h>
-#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+#include <threading/mutex.h>
 
 #define POOL_LIMIT (sizeof(uintptr_t)*8)
 
@@ -54,27 +55,29 @@ struct private_mem_pool_t {
 	u_int unused;
 
 	/**
-	 * hashtable [identity => offset], for online leases
+	 * lease hashtable [identity => entry]
 	 */
-	hashtable_t *online;
-
-	/**
-	 * hashtable [identity => offset], for offline leases
-	 */
-	hashtable_t *offline;
-
-	/**
-	 * hashtable [identity => identity], handles identity references
-	 */
-	hashtable_t *ids;
+	hashtable_t *leases;
 
 	/**
 	 * lock to safely access the pool
 	 */
-	rwlock_t *lock;
+	mutex_t *mutex;
 };
 
 /**
+ * Lease entry.
+ */
+typedef struct {
+	/* identitiy reference */
+	identification_t *id;
+	/* list of online leases, as offset */
+	linked_list_t *online;
+	/* list of offline leases, as offset */
+	linked_list_t *offline;
+} entry_t;
+
+/**
  * hashtable hash function for identities
  */
 static u_int id_hash(identification_t *id)
@@ -154,43 +157,61 @@ static int host2offset(private_mem_pool_t *pool, host_t *addr)
 }
 
 METHOD(mem_pool_t, get_name, const char*,
-	   private_mem_pool_t *this)
+	private_mem_pool_t *this)
 {
 	return this->name;
 }
 
 METHOD(mem_pool_t, get_size, u_int,
-	   private_mem_pool_t *this)
+	private_mem_pool_t *this)
 {
 	return this->size;
 }
 
 METHOD(mem_pool_t, get_online, u_int,
-	   private_mem_pool_t *this)
+	private_mem_pool_t *this)
 {
-	u_int count;
-	this->lock->read_lock(this->lock);
-	count = this->online->get_count(this->online);
-	this->lock->unlock(this->lock);
+	enumerator_t *enumerator;
+	entry_t *entry;
+	u_int count = 0;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->leases->create_enumerator(this->leases);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		count += entry->online->get_count(entry->online);
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
 	return count;
 }
 
 METHOD(mem_pool_t, get_offline, u_int,
-	   private_mem_pool_t *this)
+	private_mem_pool_t *this)
 {
-	u_int count;
-	this->lock->read_lock(this->lock);
-	count = this->offline->get_count(this->offline);
-	this->lock->unlock(this->lock);
+	enumerator_t *enumerator;
+	entry_t *entry;
+	u_int count = 0;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->leases->create_enumerator(this->leases);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
+	{
+		count += entry->offline->get_count(entry->offline);
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
 	return count;
 }
 
 METHOD(mem_pool_t, acquire_address, host_t*,
-	   private_mem_pool_t *this, identification_t *id, host_t *requested)
+	private_mem_pool_t *this, identification_t *id, host_t *requested)
 {
-	uintptr_t offset = 0;
+	uintptr_t offset = 0, current;
 	enumerator_t *enumerator;
-	identification_t *old_id;
+	entry_t *entry, *old;
 
 	/* if the pool is empty (e.g. in the %config case) we simply return the
 	 * requested address */
@@ -207,108 +228,114 @@ METHOD(mem_pool_t, acquire_address, host_t*,
 		return NULL;
 	}
 
-	this->lock->write_lock(this->lock);
+	this->mutex->lock(this->mutex);
 	while (TRUE)
 	{
-		/* check for a valid offline lease, refresh */
-		offset = (uintptr_t)this->offline->remove(this->offline, id);
-		if (offset)
+		entry = this->leases->get(this->leases, id);
+		if (entry)
 		{
-			id = this->ids->get(this->ids, id);
-			if (id)
+			/* check for a valid offline lease, refresh */
+			enumerator = entry->offline->create_enumerator(entry->offline);
+			if (enumerator->enumerate(enumerator, &current))
+			{
+				entry->offline->remove_at(entry->offline, enumerator);
+				entry->online->insert_last(entry->online, (void*)current);
+				offset = current;
+			}
+			enumerator->destroy(enumerator);
+			if (offset)
 			{
 				DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
-				this->online->put(this->online, id, (void*)offset);
 				break;
 			}
-		}
-
-		/* check for a valid online lease, reassign */
-		offset = (uintptr_t)this->online->get(this->online, id);
-		if (offset)
-		{
-			if (offset == host2offset(this, requested))
+			/* check for a valid online lease to reassign */
+			enumerator = entry->online->create_enumerator(entry->online);
+			while (enumerator->enumerate(enumerator, &current))
 			{
-				DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
+				if (current == host2offset(this, requested))
+				{
+					offset = current;
+					break;
+				}
 			}
-			else
+			enumerator->destroy(enumerator);
+			if (offset)
 			{
-				DBG1(DBG_CFG, "'%Y' already has an online lease, "
-					 "unable to assign address", id);
-				offset = 0;
+				DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
+				break;
 			}
-			break;
 		}
-
+		else
+		{
+			INIT(entry,
+				.id = id->clone(id),
+				.online = linked_list_create(),
+				.offline = linked_list_create(),
+			);
+			this->leases->put(this->leases, entry->id, entry);
+		}
 		if (this->unused < this->size)
 		{
-			/* assigning offset, starting by 1. Handling 0 in hashtable
-			 * is difficult. */
+			/* assigning offset, starting by 1 */
 			offset = ++this->unused;
-			id = id->clone(id);
-			this->ids->put(this->ids, id, id);
-			this->online->put(this->online, id, (void*)offset);
+			entry->online->insert_last(entry->online, (void*)offset);
 			DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
 			break;
 		}
 
 		/* no more addresses, replace the first found offline lease */
-		enumerator = this->offline->create_enumerator(this->offline);
-		if (enumerator->enumerate(enumerator, &old_id, &offset))
+		enumerator = this->leases->create_enumerator(this->leases);
+		while (enumerator->enumerate(enumerator, NULL, &old))
 		{
-			offset = (uintptr_t)this->offline->remove(this->offline, old_id);
-			if (offset)
+			if (old->offline->remove_first(old->offline,
+										   (void**)&current) == SUCCESS)
 			{
-				/* destroy reference to old ID */
-				old_id = this->ids->remove(this->ids, old_id);
+				offset = current;
+				entry->online->insert_last(entry->online, (void*)offset);
 				DBG1(DBG_CFG, "reassigning existing offline lease by '%Y'"
-					 " to '%Y'", old_id, id);
-				if (old_id)
-				{
-					old_id->destroy(old_id);
-				}
-				id = id->clone(id);
-				this->ids->put(this->ids, id, id);
-				this->online->put(this->online, id, (void*)offset);
-				enumerator->destroy(enumerator);
+					 " to '%Y'", old->id, id);
 				break;
 			}
 		}
 		enumerator->destroy(enumerator);
-
-		DBG1(DBG_CFG, "pool '%s' is full, unable to assign address",
-			 this->name);
 		break;
 	}
-	this->lock->unlock(this->lock);
+	this->mutex->unlock(this->mutex);
 
 	if (offset)
 	{
 		return offset2host(this, offset);
 	}
+	else
+	{
+		DBG1(DBG_CFG, "pool '%s' is full, unable to assign address",
+			 this->name);
+	}
 	return NULL;
 }
 
 METHOD(mem_pool_t, release_address, bool,
-	   private_mem_pool_t *this, host_t *address, identification_t *id)
+	private_mem_pool_t *this, host_t *address, identification_t *id)
 {
 	bool found = FALSE;
+	entry_t *entry;
+	uintptr_t offset;
+
 	if (this->size != 0)
 	{
-		uintptr_t offset;
-		this->lock->write_lock(this->lock);
-		offset = (uintptr_t)this->online->remove(this->online, id);
-		if (offset)
+		this->mutex->lock(this->mutex);
+		entry = this->leases->get(this->leases, id);
+		if (entry)
 		{
-			id = this->ids->get(this->ids, id);
-			if (id)
+			offset = host2offset(this, address);
+			if (entry->online->remove(entry->online, (void*)offset, NULL) > 0)
 			{
 				DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id);
-				this->offline->put(this->offline, id, (void*)offset);
+				entry->offline->insert_last(entry->offline, (void*)offset);
 				found = TRUE;
 			}
 		}
-		this->lock->unlock(this->lock);
+		this->mutex->unlock(this->mutex);
 	}
 	return found;
 }
@@ -319,52 +346,69 @@ METHOD(mem_pool_t, release_address, bool,
 typedef struct {
 	/** implemented enumerator interface */
 	enumerator_t public;
-	/** inner hash-table enumerator */
-	enumerator_t *inner;
+	/** hash-table enumerator */
+	enumerator_t *entries;
+	/** online enumerator */
+	enumerator_t *online;
+	/** offline enumerator */
+	enumerator_t *offline;
 	/** enumerated pool */
 	private_mem_pool_t *pool;
+	/** currently enumerated entry */
+	entry_t *entry;
 	/** currently enumerated lease address */
-	host_t *current;
+	host_t *addr;
 } lease_enumerator_t;
 
 METHOD(enumerator_t, lease_enumerate, bool,
-	   lease_enumerator_t *this, identification_t **id_out, host_t **addr_out,
-	   bool *online)
+	lease_enumerator_t *this, identification_t **id, host_t **addr, bool *online)
 {
-	identification_t *id;
 	uintptr_t offset;
 
-	DESTROY_IF(this->current);
-	this->current = NULL;
+	DESTROY_IF(this->addr);
+	this->addr = NULL;
 
-	if (this->inner->enumerate(this->inner, &id, NULL))
+	while (TRUE)
 	{
-		offset = (uintptr_t)this->pool->online->get(this->pool->online, id);
-		if (offset)
+		if (this->entry)
 		{
-			*id_out = id;
-			*addr_out = this->current = offset2host(this->pool, offset);
-			*online = TRUE;
-			return TRUE;
+			if (this->online->enumerate(this->online, (void**)&offset))
+			{
+				*id = this->entry->id;
+				*addr = this->addr = offset2host(this->pool, offset);
+				*online = TRUE;
+				return TRUE;
+			}
+			if (this->offline->enumerate(this->offline, (void**)&offset))
+			{
+				*id = this->entry->id;
+				*addr = this->addr = offset2host(this->pool, offset);
+				*online = FALSE;
+				return TRUE;
+			}
+			this->online->destroy(this->online);
+			this->offline->destroy(this->offline);
+			this->online = this->offline = NULL;
 		}
-		offset = (uintptr_t)this->pool->offline->get(this->pool->offline, id);
-		if (offset)
+		if (!this->entries->enumerate(this->entries, NULL, &this->entry))
 		{
-			*id_out = id;
-			*addr_out = this->current = offset2host(this->pool, offset);
-			*online = FALSE;
-			return TRUE;
+			return FALSE;
 		}
+		this->online = this->entry->online->create_enumerator(
+														this->entry->online);
+		this->offline = this->entry->offline->create_enumerator(
+														this->entry->offline);
 	}
-	return FALSE;
 }
 
 METHOD(enumerator_t, lease_enumerator_destroy, void,
-	   lease_enumerator_t *this)
+	lease_enumerator_t *this)
 {
-	DESTROY_IF(this->current);
-	this->inner->destroy(this->inner);
-	this->pool->lock->unlock(this->pool->lock);
+	DESTROY_IF(this->addr);
+	DESTROY_IF(this->online);
+	DESTROY_IF(this->offline);
+	this->entries->destroy(this->entries);
+	this->pool->mutex->unlock(this->pool->mutex);
 	free(this);
 }
 
@@ -372,35 +416,37 @@ METHOD(mem_pool_t, create_lease_enumerator, enumerator_t*,
 	   private_mem_pool_t *this)
 {
 	lease_enumerator_t *enumerator;
-	this->lock->read_lock(this->lock);
+
+	this->mutex->lock(this->mutex);
 	INIT(enumerator,
 		.public = {
 			.enumerate = (void*)_lease_enumerate,
-			.destroy = (void*)_lease_enumerator_destroy,
+			.destroy = _lease_enumerator_destroy,
 		},
 		.pool = this,
-		.inner = this->ids->create_enumerator(this->ids),
+		.entries = this->leases->create_enumerator(this->leases),
 	);
 	return &enumerator->public;
 }
 
 METHOD(mem_pool_t, destroy, void,
-	   private_mem_pool_t *this)
+	private_mem_pool_t *this)
 {
 	enumerator_t *enumerator;
-	identification_t *id;
+	entry_t *entry;
 
-	enumerator = this->ids->create_enumerator(this->ids);
-	while (enumerator->enumerate(enumerator, &id, NULL))
+	enumerator = this->leases->create_enumerator(this->leases);
+	while (enumerator->enumerate(enumerator, NULL, &entry))
 	{
-		id->destroy(id);
+		entry->id->destroy(entry->id);
+		entry->online->destroy(entry->online);
+		entry->offline->destroy(entry->offline);
+		free(entry);
 	}
 	enumerator->destroy(enumerator);
 
-	this->ids->destroy(this->ids);
-	this->online->destroy(this->online);
-	this->offline->destroy(this->offline);
-	this->lock->destroy(this->lock);
+	this->leases->destroy(this->leases);
+	this->mutex->destroy(this->mutex);
 	DESTROY_IF(this->base);
 	free(this->name);
 	free(this);
@@ -412,6 +458,7 @@ METHOD(mem_pool_t, destroy, void,
 mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 {
 	private_mem_pool_t *this;
+	int addr_bits;
 
 	INIT(this,
 		.public = {
@@ -425,18 +472,14 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
 			.destroy = _destroy,
 		},
 		.name = strdup(name),
-		.online = hashtable_create((hashtable_hash_t)id_hash,
+		.leases = hashtable_create((hashtable_hash_t)id_hash,
 								   (hashtable_equals_t)id_equals, 16),
-		.offline = hashtable_create((hashtable_hash_t)id_hash,
-									(hashtable_equals_t)id_equals, 16),
-		.ids = hashtable_create((hashtable_hash_t)id_hash,
-								(hashtable_equals_t)id_equals, 16),
-		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 	);
 
 	if (base)
 	{
-		int addr_bits = base->get_family(base) == AF_INET ? 32 : 128;
+		addr_bits = base->get_family(base) == AF_INET ? 32 : 128;
 		/* net bits -> host bits */
 		bits = addr_bits - bits;
 		if (bits > POOL_LIMIT)
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index 16a8193ea..f180e36bb 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -42,6 +42,7 @@ void libhydra_deinit()
 {
 	private_hydra_t *this = (private_hydra_t*)hydra;
 	this->public.attributes->destroy(this->public.attributes);
+	this->public.kernel_interface->destroy(this->public.kernel_interface);
 	free((void*)this->public.daemon);
 	free(this);
 	hydra = NULL;
@@ -57,6 +58,7 @@ bool libhydra_init(const char *daemon)
 	INIT(this,
 		.public = {
 			.attributes = attribute_manager_create(),
+			.kernel_interface = kernel_interface_create(),
 			.daemon = strdup(daemon ?: "libhydra"),
 		},
 	);
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
index 8670f3969..d7a7d8de4 100644
--- a/src/libhydra/hydra.h
+++ b/src/libhydra/hydra.h
@@ -19,6 +19,9 @@
  * @defgroup attributes attributes
  * @ingroup libhydra
  *
+ * @defgroup hkernel kernel
+ * @ingroup libhydra
+ *
  * @defgroup hplugins plugins
  * @ingroup libhydra
  *
@@ -32,6 +35,7 @@
 typedef struct hydra_t hydra_t;
 
 #include <attributes/attribute_manager.h>
+#include <kernel/kernel_interface.h>
 
 #include <library.h>
 
@@ -46,6 +50,11 @@ struct hydra_t {
 	attribute_manager_t *attributes;
 
 	/**
+	 * kernel interface to communicate with kernel
+	 */
+	kernel_interface_t *kernel_interface;
+
+	/**
 	 * name of the daemon that initialized the library
 	 */
 	const char *daemon;
diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 837e628bc..3e6d46205 100644
--- a/src/libcharon/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
@@ -17,7 +17,9 @@
 
 #include "kernel_interface.h"
 
-#include <daemon.h>
+#include <debug.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
 
 typedef struct private_kernel_interface_t private_kernel_interface_t;
 
@@ -40,11 +42,21 @@ struct private_kernel_interface_t {
 	 * network interface
 	 */
 	kernel_net_t *net;
+
+	/**
+	 * mutex for listeners
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * list of registered listeners
+	 */
+	linked_list_t *listeners;
 };
 
 METHOD(kernel_interface_t, get_spi, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 	if (!this->ipsec)
 	{
@@ -66,7 +78,7 @@ METHOD(kernel_interface_t, get_cpi, status_t,
 
 METHOD(kernel_interface_t, add_sa, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int32_t reqid,
+	u_int32_t spi, u_int8_t protocol, u_int32_t reqid,
 	mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key,	ipsec_mode_t mode, u_int16_t ipcomp,
 	u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
@@ -82,7 +94,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
 }
 
 METHOD(kernel_interface_t, update_sa, status_t,
-	private_kernel_interface_t *this, u_int32_t spi, protocol_id_t protocol,
+	private_kernel_interface_t *this, u_int32_t spi, u_int8_t protocol,
 	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
 	bool encap, bool new_encap, mark_t mark)
 {
@@ -96,7 +108,7 @@ METHOD(kernel_interface_t, update_sa, status_t,
 
 METHOD(kernel_interface_t, query_sa, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	if (!this->ipsec)
 	{
@@ -107,7 +119,7 @@ METHOD(kernel_interface_t, query_sa, status_t,
 
 METHOD(kernel_interface_t, del_sa, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+	u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
 	if (!this->ipsec)
 	{
@@ -119,16 +131,15 @@ METHOD(kernel_interface_t, del_sa, status_t,
 METHOD(kernel_interface_t, add_policy, status_t,
 	private_kernel_interface_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi,	bool routed)
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
 {
 	if (!this->ipsec)
 	{
 		return NOT_SUPPORTED;
 	}
 	return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
-			direction, spi, protocol, reqid, mark, mode, ipcomp, cpi, routed);
+								   direction, type, sa, mark, routed);
 }
 
 METHOD(kernel_interface_t, query_policy, status_t,
@@ -338,11 +349,124 @@ METHOD(kernel_interface_t, remove_net_interface, void,
 	/* TODO: replace if interface currently in use */
 }
 
+METHOD(kernel_interface_t, add_listener, void,
+	private_kernel_interface_t *this, kernel_listener_t *listener)
+{
+	this->mutex->lock(this->mutex);
+	this->listeners->insert_last(this->listeners, listener);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, remove_listener, void,
+	private_kernel_interface_t *this, kernel_listener_t *listener)
+{
+	this->mutex->lock(this->mutex);
+	this->listeners->remove(this->listeners, listener, NULL);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, acquire, void,
+	private_kernel_interface_t *this, u_int32_t reqid,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	kernel_listener_t *listener;
+	enumerator_t *enumerator;
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->acquire &&
+			!listener->acquire(listener, reqid, src_ts, dst_ts))
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, expire, void,
+	private_kernel_interface_t *this, u_int32_t reqid, u_int8_t protocol,
+	u_int32_t spi, bool hard)
+{
+	kernel_listener_t *listener;
+	enumerator_t *enumerator;
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->expire &&
+			!listener->expire(listener, reqid, protocol, spi, hard))
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, mapping, void,
+	private_kernel_interface_t *this, u_int32_t reqid, u_int32_t spi,
+	host_t *remote)
+{
+	kernel_listener_t *listener;
+	enumerator_t *enumerator;
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->mapping &&
+			!listener->mapping(listener, reqid, spi, remote))
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(kernel_interface_t, migrate, void,
+	private_kernel_interface_t *this, u_int32_t reqid,
+	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+	policy_dir_t direction, host_t *local, host_t *remote)
+{
+	kernel_listener_t *listener;
+	enumerator_t *enumerator;
+	this->mutex->lock(this->mutex);
+	enumerator = this->listeners->create_enumerator(this->listeners);
+	while (enumerator->enumerate(enumerator, &listener))
+	{
+		if (listener->migrate &&
+			!listener->migrate(listener, reqid, src_ts, dst_ts, direction,
+							   local, remote))
+		{
+			this->listeners->remove_at(this->listeners, enumerator);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+static bool call_roam(kernel_listener_t *listener, bool *roam)
+{
+	return listener->roam && !listener->roam(listener, *roam);
+}
+
+METHOD(kernel_interface_t, roam, void,
+	private_kernel_interface_t *this, bool address)
+{
+	this->mutex->lock(this->mutex);
+	this->listeners->remove(this->listeners, &address, (void*)call_roam);
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(kernel_interface_t, destroy, void,
 	private_kernel_interface_t *this)
 {
 	DESTROY_IF(this->ipsec);
 	DESTROY_IF(this->net);
+	this->mutex->destroy(this->mutex);
+	this->listeners->destroy(this->listeners);
 	free(this);
 }
 
@@ -379,8 +503,18 @@ kernel_interface_t *kernel_interface_create()
 			.remove_ipsec_interface = _remove_ipsec_interface,
 			.add_net_interface = _add_net_interface,
 			.remove_net_interface = _remove_net_interface,
+
+			.add_listener = _add_listener,
+			.remove_listener = _remove_listener,
+			.acquire = _acquire,
+			.expire = _expire,
+			.mapping = _mapping,
+			.migrate = _migrate,
+			.roam = _roam,
 			.destroy = _destroy,
 		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.listeners = linked_list_create(),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 92d85f9c9..8b0c7a296 100644
--- a/src/libcharon/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -18,7 +18,7 @@
 
 /**
  * @defgroup kernel_interface kernel_interface
- * @{ @ingroup kernel
+ * @{ @ingroup hkernel
  */
 
 #ifndef KERNEL_INTERFACE_H_
@@ -28,8 +28,8 @@ typedef struct kernel_interface_t kernel_interface_t;
 
 #include <utils/host.h>
 #include <crypto/prf_plus.h>
-#include <encoding/payloads/proposal_substructure.h>
 
+#include <kernel/kernel_listener.h>
 #include <kernel/kernel_ipsec.h>
 #include <kernel/kernel_net.h>
 
@@ -62,7 +62,7 @@ struct kernel_interface_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
+						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
 
 	/**
 	 * Get a Compression Parameter Index (CPI) from the kernel.
@@ -107,7 +107,7 @@ struct kernel_interface_t {
 	 */
 	status_t (*add_sa) (kernel_interface_t *this,
 						host_t *src, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+						u_int8_t protocol, u_int32_t reqid, mark_t mark,
 						lifetime_cfg_t *lifetime,
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
@@ -137,7 +137,7 @@ struct kernel_interface_t {
 	 *					  the kernel interface can't update the SA
 	 */
 	status_t (*update_sa)(kernel_interface_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						  u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
 						  host_t *src, host_t *dst,
 						  host_t *new_src, host_t *new_dst,
 						  bool encap, bool new_encap, mark_t mark);
@@ -154,7 +154,7 @@ struct kernel_interface_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
-						  u_int32_t spi, protocol_id_t protocol, mark_t mark,
+						  u_int32_t spi, u_int8_t protocol, mark_t mark,
 						  u_int64_t *bytes);
 
 	/**
@@ -169,7 +169,7 @@ struct kernel_interface_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
-						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
 						mark_t mark);
 
 	/**
@@ -182,14 +182,10 @@ struct kernel_interface_t {
 	 * @param dst			dest address of SA
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param spi			SPI of SA
-	 * @param protocol		protocol to use to protect traffic (AH/ESP)
-	 * @param reqid			unique ID of an SA to use to enforce policy
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
+	 * @param sa			details about the SA(s) tied to this policy
 	 * @param mark			mark for this policy
-	 * @param mode			mode of SA (tunnel, transport)
-	 * @param ipcomp		the IPComp transform used
-	 * @param cpi			CPI for IPComp
 	 * @param routed		TRUE, if this policy is routed in the kernel
 	 * @return				SUCCESS if operation completed
 	 */
@@ -197,10 +193,8 @@ struct kernel_interface_t {
 							host_t *src, host_t *dst,
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction, u_int32_t spi,
-							protocol_id_t protocol, u_int32_t reqid,
-							mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-							u_int16_t cpi, bool routed);
+							policy_dir_t direction, policy_type_t type,
+							ipsec_sa_cfg_t *sa, mark_t mark, bool routed);
 
 	/**
 	 * Query the use time of a policy.
@@ -210,7 +204,7 @@ struct kernel_interface_t {
 	 *
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
 	 * @param mark			optional mark
 	 * @param[out] use_time	the time of this SA's last use
 	 * @return				SUCCESS if operation completed
@@ -231,7 +225,7 @@ struct kernel_interface_t {
 	 *
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
 	 * @param mark			optional mark
 	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
 	 * @return				SUCCESS if operation completed
@@ -272,7 +266,7 @@ struct kernel_interface_t {
 	 * Get the interface name of a local address.
 	 *
 	 * @param host			address to get interface name from
-	 * @return 				allocated interface name, or NULL if not found
+	 * @return				allocated interface name, or NULL if not found
 	 */
 	char* (*get_interface) (kernel_interface_t *this, host_t *host);
 
@@ -324,10 +318,11 @@ struct kernel_interface_t {
 	 * @param src_ip		sourc ip of the route
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
-	 * 						ALREADY_DONE if the route already exists
+	 *						ALREADY_DONE if the route already exists
 	 */
-	status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
+	status_t (*add_route) (kernel_interface_t *this, chunk_t dst_net,
+						   u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+						   char *if_name);
 
 	/**
 	 * Delete a route.
@@ -339,8 +334,9 @@ struct kernel_interface_t {
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
+	status_t (*del_route) (kernel_interface_t *this, chunk_t dst_net,
+						   u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+						   char *if_name);
 
 	/**
 	 * Set up a bypass policy for a given socket.
@@ -363,36 +359,108 @@ struct kernel_interface_t {
 	 * @param ip			returned ip (has to be destroyed)
 	 * @return				SUCCESS if address found
 	 */
-	status_t (*get_address_by_ts) (kernel_interface_t *this,
-										traffic_selector_t *ts, host_t **ip);
+	status_t (*get_address_by_ts)(kernel_interface_t *this,
+								  traffic_selector_t *ts, host_t **ip);
 
 	/**
 	 * Register an ipsec kernel interface constructor on the manager.
 	 *
 	 * @param create			constructor to register
 	 */
-	void (*add_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
+	void (*add_ipsec_interface)(kernel_interface_t *this,
+								kernel_ipsec_constructor_t create);
 
 	/**
 	 * Unregister an ipsec kernel interface constructor.
 	 *
 	 * @param create			constructor to unregister
 	 */
-	void (*remove_ipsec_interface)(kernel_interface_t *this, kernel_ipsec_constructor_t create);
+	void (*remove_ipsec_interface)(kernel_interface_t *this,
+								   kernel_ipsec_constructor_t create);
 
 	/**
 	 * Register a network kernel interface constructor on the manager.
 	 *
 	 * @param create			constructor to register
 	 */
-	void (*add_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
+	void (*add_net_interface)(kernel_interface_t *this,
+							  kernel_net_constructor_t create);
 
 	/**
 	 * Unregister a network kernel interface constructor.
 	 *
 	 * @param create			constructor to unregister
 	 */
-	void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
+	void (*remove_net_interface)(kernel_interface_t *this,
+								 kernel_net_constructor_t create);
+
+	/**
+	 * Add a listener to the kernel interface.
+	 *
+	 * @param listener			listener to add
+	 */
+	void (*add_listener)(kernel_interface_t *this,
+						 kernel_listener_t *listener);
+
+	/**
+	 * Remove a listener from the kernel interface.
+	 *
+	 * @param listener			listener to remove
+	 */
+	void (*remove_listener)(kernel_interface_t *this,
+							kernel_listener_t *listener);
+
+	/**
+	 * Raise an acquire event.
+	 *
+	 * @param reqid			reqid of the policy to acquire
+	 * @param src_ts		source traffic selector
+	 * @param dst_ts		destination traffic selector
+	 */
+	void (*acquire)(kernel_interface_t *this, u_int32_t reqid,
+					traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
+	/**
+	 * Raise an expire event.
+	 *
+	 * @param reqid			reqid of the expired SA
+	 * @param protocol		protocol of the expired SA
+	 * @param spi			spi of the expired SA
+	 * @param hard			TRUE if it is a hard expire, FALSE otherwise
+	 */
+	void (*expire)(kernel_interface_t *this, u_int32_t reqid,
+				   u_int8_t protocol, u_int32_t spi, bool hard);
+
+	/**
+	 * Raise a mapping event.
+	 *
+	 * @param reqid			reqid of the SA
+	 * @param spi			spi of the SA
+	 * @param remote		new remote host
+	 */
+	void (*mapping)(kernel_interface_t *this, u_int32_t reqid, u_int32_t spi,
+					host_t *remote);
+
+	/**
+	 * Raise a migrate event.
+	 *
+	 * @param reqid			reqid of the policy
+	 * @param src_ts		source traffic selector
+	 * @param dst_ts		destination traffic selector
+	 * @param direction		direction of the policy (in|out)
+	 * @param local			local host address to be used in the IKE_SA
+	 * @param remote		remote host address to be used in the IKE_SA
+	 */
+	void (*migrate)(kernel_interface_t *this, u_int32_t reqid,
+					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+					policy_dir_t direction, host_t *local, host_t *remote);
+
+	/**
+	 * Raise a roam event.
+	 *
+	 * @param address		TRUE if address list, FALSE if routing changed
+	 */
+	void (*roam)(kernel_interface_t *this, bool address);
 
 	/**
 	 * Destroys a kernel_interface_manager_t object.
diff --git a/src/libcharon/kernel/kernel_ipsec.c b/src/libhydra/kernel/kernel_ipsec.c
index 5b0335b16..383685426 100644
--- a/src/libcharon/kernel/kernel_ipsec.c
+++ b/src/libhydra/kernel/kernel_ipsec.c
@@ -27,3 +27,11 @@ ENUM(policy_dir_names, POLICY_IN, POLICY_FWD,
 	"fwd"
 );
 
+ENUM(ipcomp_transform_names, IPCOMP_NONE, IPCOMP_LZJH,
+	"IPCOMP_NONE",
+	"IPCOMP_OUI",
+	"IPCOMP_DEFLATE",
+	"IPCOMP_LZS",
+	"IPCOMP_LZJH"
+);
+
diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index d09265cc9..49d9cc07a 100644
--- a/src/libcharon/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
@@ -18,7 +18,7 @@
 
 /**
  * @defgroup kernel_ipsec kernel_ipsec
- * @{ @ingroup kernel
+ * @{ @ingroup hkernel
  */
 
 #ifndef KERNEL_IPSEC_H_
@@ -26,15 +26,19 @@
 
 typedef enum ipsec_mode_t ipsec_mode_t;
 typedef enum policy_dir_t policy_dir_t;
+typedef enum policy_type_t policy_type_t;
+typedef enum ipcomp_transform_t ipcomp_transform_t;
 typedef struct kernel_ipsec_t kernel_ipsec_t;
+typedef struct ipsec_sa_cfg_t ipsec_sa_cfg_t;
+typedef struct lifetime_cfg_t lifetime_cfg_t;
+typedef struct mark_t mark_t;
 
 #include <utils/host.h>
 #include <crypto/prf_plus.h>
-#include <config/proposal.h>
-#include <config/child_cfg.h>
+#include <selectors/traffic_selector.h>
 
 /**
- * Mode of a CHILD_SA.
+ * Mode of an IPsec SA.
  */
 enum ipsec_mode_t {
 	/** transport mode, no inner address */
@@ -70,6 +74,84 @@ enum policy_dir_t {
 extern enum_name_t *policy_dir_names;
 
 /**
+ * Type of a policy.
+ */
+enum policy_type_t {
+	/** Normal IPsec policy */
+	POLICY_IPSEC = 1,
+	/** Passthrough policy (traffic is ignored by IPsec) */
+	POLICY_PASS,
+	/** Drop policy (traffic is discarded) */
+	POLICY_DROP,
+};
+
+/**
+ * IPComp transform IDs, as in RFC 4306
+ */
+enum ipcomp_transform_t {
+	IPCOMP_NONE = 0,
+	IPCOMP_OUI = 1,
+	IPCOMP_DEFLATE = 2,
+	IPCOMP_LZS = 3,
+	IPCOMP_LZJH = 4,
+};
+
+/**
+ * enum strings for ipcomp_transform_t.
+ */
+extern enum_name_t *ipcomp_transform_names;
+
+/**
+ * This struct contains details about IPsec SA(s) tied to a policy.
+ */
+struct ipsec_sa_cfg_t {
+	/** mode of SA (tunnel, transport) */
+	ipsec_mode_t mode;
+	/** unique ID */
+	u_int32_t reqid;
+	/** details about ESP/AH */
+	struct {
+		/** TRUE if this protocol is used */
+		bool use;
+		/** SPI for ESP/AH */
+		u_int32_t spi;
+	} esp, ah;
+	/** details about IPComp */
+	struct {
+		/** the IPComp transform used */
+		u_int16_t transform;
+		/** CPI for IPComp */
+		u_int16_t cpi;
+	} ipcomp;
+};
+
+/**
+ * A lifetime_cfg_t defines the lifetime limits of an SA.
+ *
+ * Set any of these values to 0 to ignore.
+ */
+struct lifetime_cfg_t {
+	struct {
+		/** Limit before the SA gets invalid. */
+		u_int64_t	life;
+		/** Limit before the SA gets rekeyed. */
+		u_int64_t	rekey;
+		/** The range of a random value subtracted from rekey. */
+		u_int64_t	jitter;
+	} time, bytes, packets;
+};
+
+/**
+ * A mark_t defines an optional mark in an IPsec SA.
+ */
+struct mark_t {
+	/** Mark value */
+	u_int32_t value;
+	/** Mark mask */
+	u_int32_t mask;
+};
+
+/**
  * Interface to the ipsec subsystem of the kernel.
  *
  * The kernel ipsec interface handles the communication with the kernel
@@ -93,7 +175,7 @@ struct kernel_ipsec_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
-						protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
+						u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
 
 	/**
 	 * Get a Compression Parameter Index (CPI) from the kernel.
@@ -138,7 +220,7 @@ struct kernel_ipsec_t {
 	 */
 	status_t (*add_sa) (kernel_ipsec_t *this,
 						host_t *src, host_t *dst, u_int32_t spi,
-						protocol_id_t protocol, u_int32_t reqid,
+						u_int8_t protocol, u_int32_t reqid,
 						mark_t mark, lifetime_cfg_t *lifetime,
 						u_int16_t enc_alg, chunk_t enc_key,
 						u_int16_t int_alg, chunk_t int_key,
@@ -168,7 +250,7 @@ struct kernel_ipsec_t {
 	 *					  the kernel interface can't update the SA
 	 */
 	status_t (*update_sa)(kernel_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						  u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
 						  host_t *src, host_t *dst,
 						  host_t *new_src, host_t *new_dst,
 						  bool encap, bool new_encap, mark_t mark);
@@ -185,7 +267,7 @@ struct kernel_ipsec_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
-						  u_int32_t spi, protocol_id_t protocol, mark_t mark,
+						  u_int32_t spi, u_int8_t protocol, mark_t mark,
 						  u_int64_t *bytes);
 
 	/**
@@ -200,7 +282,7 @@ struct kernel_ipsec_t {
 	 * @return				SUCCESS if operation completed
 	 */
 	status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
-						u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
+						u_int32_t spi, u_int8_t protocol, u_int16_t cpi,
 						mark_t mark);
 
 	/**
@@ -213,14 +295,10 @@ struct kernel_ipsec_t {
 	 * @param dst			dest address of SA
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
-	 * @param spi			SPI of SA
-	 * @param protocol		protocol to use to protect traffic (AH/ESP)
-	 * @param reqid			unique ID of an SA to use to enforce policy
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
+	 * @param type			type of policy, POLICY_(IPSEC|PASS|DROP)
+	 * @param sa			details about the SA(s) tied to this policy
 	 * @param mark			mark for this policy
-	 * @param mode			mode of SA (tunnel, transport)
-	 * @param ipcomp		the IPComp transform used
-	 * @param cpi			CPI for IPComp
 	 * @param routed		TRUE, if this policy is routed in the kernel
 	 * @return				SUCCESS if operation completed
 	 */
@@ -228,10 +306,8 @@ struct kernel_ipsec_t {
 							host_t *src, host_t *dst,
 							traffic_selector_t *src_ts,
 							traffic_selector_t *dst_ts,
-							policy_dir_t direction, u_int32_t spi,
-							protocol_id_t protocol, u_int32_t reqid,
-							mark_t mark, ipsec_mode_t mode,
-							u_int16_t ipcomp, u_int16_t cpi, bool routed);
+							policy_dir_t direction, policy_type_t type,
+							ipsec_sa_cfg_t *sa, mark_t mark, bool routed);
 
 	/**
 	 * Query the use time of a policy.
@@ -242,7 +318,7 @@ struct kernel_ipsec_t {
 	 *
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
 	 * @param mark			optional mark
 	 * @param[out] use_time	the monotonic timestamp of this SA's last use
 	 * @return				SUCCESS if operation completed
@@ -263,7 +339,7 @@ struct kernel_ipsec_t {
 	 *
 	 * @param src_ts		traffic selector to match traffic source
 	 * @param dst_ts		traffic selector to match traffic dest
-	 * @param direction		direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+	 * @param direction		direction of traffic, POLICY_(IN|OUT|FWD)
 	 * @param mark			optional mark
 	 * @param unrouted		TRUE, if this policy is unrouted from the kernel
 	 * @return				SUCCESS if operation completed
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h
new file mode 100644
index 000000000..6f2dbd23b
--- /dev/null
+++ b/src/libhydra/kernel/kernel_listener.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_listener kernel_listener
+ * @{ @ingroup hkernel
+ */
+
+#ifndef KERNEL_LISTENER_H_
+#define KERNEL_LISTENER_H_
+
+typedef struct kernel_listener_t kernel_listener_t;
+
+#include <kernel/kernel_ipsec.h>
+#include <selectors/traffic_selector.h>
+#include <utils/host.h>
+
+/**
+ * Interface for components interested in kernel events.
+ *
+ * All hooks are optional.
+ */
+struct kernel_listener_t {
+
+	/**
+	 * Hook called if an acquire event for a policy is received.
+	 *
+	 * @param reqid			reqid of the policy to acquire
+	 * @param src_ts		source traffic selector
+	 * @param dst_ts		destination traffic selector
+	 * @return				TRUE to remain registered, FALSE to unregister
+	 */
+	bool (*acquire)(kernel_listener_t *this, u_int32_t reqid,
+					traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+
+	/**
+	 * Hook called if an exire event for an IPsec SA is received.
+	 *
+	 * @param reqid			reqid of the expired SA
+	 * @param protocol		protocol of the expired SA
+	 * @param spi			spi of the expired SA
+	 * @param hard			TRUE if it is a hard expire, FALSE otherwise
+	 * @return				TRUE to remain registered, FALSE to unregister
+	 */
+	bool (*expire)(kernel_listener_t *this, u_int32_t reqid,
+				   u_int8_t protocol, u_int32_t spi, bool hard);
+
+	/**
+	 * Hook called if the NAT mappings of an IPsec SA changed.
+	 *
+	 * @param reqid			reqid of the SA
+	 * @param spi			spi of the SA
+	 * @param remote		new remote host
+	 * @return				TRUE to remain registered, FALSE to unregister
+	 */
+	bool (*mapping)(kernel_listener_t *this, u_int32_t reqid, u_int32_t spi,
+					host_t *remote);
+
+	/**
+	 * Hook called if a migrate event for a policy is received.
+	 *
+	 * @param reqid			reqid of the policy
+	 * @param src_ts		source traffic selector
+	 * @param dst_ts		destination traffic selector
+	 * @param direction		direction of the policy (in|out)
+	 * @param local			local host address to be used in the IKE_SA
+	 * @param remote		remote host address to be used in the IKE_SA
+	 * @return				TRUE to remain registered, FALSE to unregister
+	 */
+	bool (*migrate)(kernel_listener_t *this, u_int32_t reqid,
+					traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+					policy_dir_t direction, host_t *local, host_t *remote);
+
+	/**
+	 * Hook called if changes in the networking layer occured (interfaces
+	 * up/down, routes added/deleted etc.).
+	 *
+	 * @param address		TRUE if address list, FALSE if routing changed
+	 * @return				TRUE to remain registered, FALSE to unregister
+	 */
+	bool (*roam)(kernel_listener_t *this, bool address);
+};
+
+#endif /** KERNEL_LISTENER_H_ @}*/
diff --git a/src/libcharon/kernel/kernel_net.h b/src/libhydra/kernel/kernel_net.h
index efb221f88..69e01f43f 100644
--- a/src/libcharon/kernel/kernel_net.h
+++ b/src/libhydra/kernel/kernel_net.h
@@ -16,7 +16,7 @@
 
 /**
  * @defgroup kernel_net kernel_net
- * @{ @ingroup kernel
+ * @{ @ingroup hkernel
  */
 
 #ifndef KERNEL_NET_H_
@@ -64,7 +64,7 @@ struct kernel_net_t {
 	 * Get the interface name of a local address.
 	 *
 	 * @param host			address to get interface name from
-	 * @return 				allocated interface name, or NULL if not found
+	 * @return				allocated interface name, or NULL if not found
 	 */
 	char* (*get_interface) (kernel_net_t *this, host_t *host);
 
@@ -116,10 +116,11 @@ struct kernel_net_t {
 	 * @param src_ip		sourc ip of the route
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
-	 * 						ALREADY_DONE if the route already exists
+	 *						ALREADY_DONE if the route already exists
 	 */
-	status_t (*add_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
+	status_t (*add_route) (kernel_net_t *this, chunk_t dst_net,
+						   u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+						   char *if_name);
 
 	/**
 	 * Delete a route.
@@ -131,8 +132,9 @@ struct kernel_net_t {
 	 * @param if_name		name of the interface the route is bound to
 	 * @return				SUCCESS if operation completed
 	 */
-	status_t (*del_route) (kernel_net_t *this, chunk_t dst_net, u_int8_t prefixlen,
-								host_t *gateway, host_t *src_ip, char *if_name);
+	status_t (*del_route) (kernel_net_t *this, chunk_t dst_net,
+						   u_int8_t prefixlen, host_t *gateway, host_t *src_ip,
+						   char *if_name);
 
 	/**
 	 * Destroy the implementation.
diff --git a/src/libhydra/plugins/attr/Makefile.am b/src/libhydra/plugins/attr/Makefile.am
index 71401648e..fe0c39ebd 100644
--- a/src/libhydra/plugins/attr/Makefile.am
+++ b/src/libhydra/plugins/attr/Makefile.am
@@ -1,6 +1,5 @@
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic
 
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 71402fc7f..72182e57f 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -254,9 +270,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr.la
diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am
index a3dac863f..7491debcd 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.am
+++ b/src/libhydra/plugins/attr_sql/Makefile.am
@@ -3,7 +3,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = \
 	-rdynamic \
-	-DPLUGINS=\""${libstrongswan_plugins}\""
+	-DPLUGINS=\""${pool_plugins}\""
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-attr-sql.la
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index edf51059b..dfb41cc02 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -177,6 +178,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -208,14 +211,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -230,24 +236,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -255,7 +268,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -270,7 +286,7 @@ xml_LIBS = @xml_LIBS@
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 AM_CFLAGS = \
 	-rdynamic \
-	-DPLUGINS=\""${libstrongswan_plugins}\""
+	-DPLUGINS=\""${pool_plugins}\""
 
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-attr-sql.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr-sql.la
diff --git a/src/libcharon/plugins/kernel_klips/Makefile.am b/src/libhydra/plugins/kernel_klips/Makefile.am
index 540bbe106..df639b255 100644
--- a/src/libcharon/plugins/kernel_klips/Makefile.am
+++ b/src/libhydra/plugins/kernel_klips/Makefile.am
@@ -1,6 +1,5 @@
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic
 
diff --git a/src/libcharon/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in
index 9cac89ec3..a451bd6f5 100644
--- a/src/libcharon/plugins/kernel_klips/Makefile.in
+++ b/src/libhydra/plugins/kernel_klips/Makefile.in
@@ -34,7 +34,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libcharon/plugins/kernel_klips
+subdir = src/libhydra/plugins/kernel_klips
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -258,9 +274,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-klips.la
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
@@ -282,9 +296,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_klips/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_klips/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_klips/Makefile
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_klips/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
index 6b5aeb342..0ccb2ac5f 100644
--- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -28,14 +28,12 @@
 
 #include "kernel_klips_ipsec.h"
 
-#include <daemon.h>
+#include <hydra.h>
+#include <debug.h>
+#include <utils/linked_list.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <processing/jobs/callback_job.h>
-#include <processing/jobs/acquire_job.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/delete_child_sa_job.h>
-#include <processing/jobs/update_sa_job.h>
 
 /** default timeout for generated SPIs (in seconds) */
 #define SPI_TIMEOUT 30
@@ -318,7 +316,8 @@ static status_t attach_ipsec_dev(char* name, char *phys_name)
 	}
 
 	mtu = lib->settings->get_int(lib->settings,
-						"charon.plugins.kernel-klips.ipsec_dev_mtu", 0);
+						"%s.plugins.kernel-klips.ipsec_dev_mtu", 0,
+						hydra->daemon);
 	if (mtu <= 0)
 	{
 		/* guess MTU as physical MTU - ESP overhead [- NAT-T overhead]
@@ -587,7 +586,7 @@ typedef struct sa_entry_t sa_entry_t;
 struct sa_entry_t {
 
 	/** protocol of this SA */
-	protocol_id_t protocol;
+	u_int8_t protocol;
 
 	/** reqid of this SA */
 	u_int32_t reqid;
@@ -611,7 +610,7 @@ struct sa_entry_t {
 /**
  * create an sa_entry_t object
  */
-static sa_entry_t *create_sa_entry(protocol_id_t protocol, u_int32_t spi,
+static sa_entry_t *create_sa_entry(u_int8_t protocol, u_int32_t spi,
 								   u_int32_t reqid, host_t *src, host_t *dst,
 								   bool encap, bool inbound)
 {
@@ -649,7 +648,7 @@ static inline bool sa_entry_match_encapbysrc(sa_entry_t *current, u_int32_t *spi
 /**
  * match an sa_entry_t by protocol, spi and dst address (as the kernel does it)
  */
-static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *protocol,
+static inline bool sa_entry_match_bydst(sa_entry_t *current, u_int8_t *protocol,
 		u_int32_t *spi, host_t *dst)
 {
 	return current->protocol == *protocol && current->spi == *spi && dst->ip_equals(dst, current->dst);
@@ -658,7 +657,7 @@ static inline bool sa_entry_match_bydst(sa_entry_t *current, protocol_id_t *prot
 /**
  * match an sa_entry_t by protocol, reqid and spi
  */
-static inline bool sa_entry_match_byid(sa_entry_t *current, protocol_id_t *protocol,
+static inline bool sa_entry_match_byid(sa_entry_t *current, u_int8_t *protocol,
 		u_int32_t *spi, u_int32_t *reqid)
 {
 	return current->protocol == *protocol && current->spi == *spi && current->reqid == *reqid;
@@ -716,15 +715,15 @@ struct pfkey_msg_t
 };
 
 /**
- * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
+ * convert a protocol identifier to the PF_KEY sa type
  */
-static u_int8_t proto_ike2satype(protocol_id_t proto)
+static u_int8_t proto2satype(u_int8_t proto)
 {
 	switch (proto)
 	{
-		case PROTO_ESP:
+		case IPPROTO_ESP:
 			return SADB_SATYPE_ESP;
-		case PROTO_AH:
+		case IPPROTO_AH:
 			return SADB_SATYPE_AH;
 		case IPPROTO_COMP:
 			return SADB_X_SATYPE_COMP;
@@ -734,20 +733,20 @@ static u_int8_t proto_ike2satype(protocol_id_t proto)
 }
 
 /**
- * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
+ * convert a PF_KEY sa type to a protocol identifier
  */
-static protocol_id_t proto_satype2ike(u_int8_t proto)
+static u_int8_t satype2proto(u_int8_t satype)
 {
-	switch (proto)
+	switch (satype)
 	{
 		case SADB_SATYPE_ESP:
-			return PROTO_ESP;
+			return IPPROTO_ESP;
 		case SADB_SATYPE_AH:
-			return PROTO_AH;
+			return IPPROTO_AH;
 		case SADB_X_SATYPE_COMP:
 			return IPPROTO_COMP;
 		default:
-			return proto;
+			return satype;
 	}
 }
 
@@ -1236,7 +1235,6 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 	u_int32_t reqid;
 	u_int8_t proto;
 	policy_entry_t *policy;
-	job_t *job;
 
 	switch (msg->sadb_msg_satype)
 	{
@@ -1297,10 +1295,8 @@ static void process_acquire(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 
 	this->mutex->unlock(this->mutex);
 
-	DBG2(DBG_KNL, "received an SADB_ACQUIRE");
-	DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid {%d}", reqid);
-	job = (job_t*)acquire_job_create(reqid, NULL, NULL);
-	charon->processor->queue_job(charon->processor, job);
+	hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, NULL,
+									 NULL);
 }
 
 /**
@@ -1311,7 +1307,6 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 	pfkey_msg_t response;
 	u_int32_t spi, reqid;
 	host_t *old_src, *new_src;
-	job_t *job;
 
 	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
 
@@ -1323,7 +1318,7 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 
 	spi = response.sa->sadb_sa_spi;
 
-	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
+	if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP)
 	{
 		sa_entry_t *sa;
 		sockaddr_t *addr = (sockaddr_t*)(response.src + 1);
@@ -1360,10 +1355,8 @@ static void process_mapping(private_kernel_klips_ipsec_t *this, struct sadb_msg*
 		new_src = host_create_from_sockaddr(addr);
 		if (new_src)
 		{
-			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and"
-				" reqid {%d} changed, queuing update job", ntohl(spi), reqid);
-			job = (job_t*)update_sa_job_create(reqid, new_src);
-			charon->processor->queue_job(charon->processor, job);
+			hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
+											 spi, new_src);
 		}
 	}
 }
@@ -1421,12 +1414,14 @@ static job_requeue_t receive_events(private_kernel_klips_ipsec_t *this)
 			process_acquire(this, msg);
 			break;
 		case SADB_EXPIRE:
-			/* SADB_EXPIRE events in KLIPS are only triggered by traffic (even for
-			 * the time based limits). So if there is no traffic for a longer
-			 * period than configured as hard limit, we wouldn't be able to rekey
-			 * the SA and just receive the hard expire and thus delete the SA.
-			 * To avoid this behavior and to make charon behave as with the other
-			 * kernel plugins, we implement the expiration of SAs ourselves. */
+			/* SADB_EXPIRE events in KLIPS are only triggered by traffic (even
+			 * for the time based limits). So if there is no traffic for a
+			 * longer period than configured as hard limit, we wouldn't be able
+			 * to rekey the SA and just receive the hard expire and thus delete
+			 * the SA.
+			 * To avoid this behavior and to make the daemon behave as with the
+			 * other kernel plugins, we implement the expiration of SAs
+			 * ourselves. */
 			break;
 		case SADB_X_NAT_T_NEW_MAPPING:
 			process_mapping(this, msg);
@@ -1455,7 +1450,7 @@ struct sa_expire_t {
 	/** the SPI of the expiring SA */
 	u_int32_t spi;
 	/** the protocol of the expiring SA */
-	protocol_id_t protocol;
+	u_int8_t protocol;
 	/** the reqid of the expiring SA*/
 	u_int32_t reqid;
 	/** what type of expire this is */
@@ -1468,12 +1463,11 @@ struct sa_expire_t {
 static job_requeue_t sa_expires(sa_expire_t *expire)
 {
 	private_kernel_klips_ipsec_t *this = expire->this;
-	protocol_id_t protocol = expire->protocol;
+	u_int8_t protocol = expire->protocol;
 	u_int32_t spi = expire->spi, reqid = expire->reqid;
 	bool hard = expire->type != EXPIRE_TYPE_SOFT;
 	sa_entry_t *cached_sa;
 	linked_list_t *list;
-	job_t *job;
 
 	/* for an expired SPI we first check whether the CHILD_SA got installed
 	 * in the meantime, for expired SAs we check whether they are still installed */
@@ -1496,21 +1490,8 @@ static job_requeue_t sa_expires(sa_expire_t *expire)
 	}
 	this->mutex->unlock(this->mutex);
 
-	DBG2(DBG_KNL, "%N CHILD_SA with SPI %.8x and reqid {%d} expired",
-			protocol_id_names, protocol, ntohl(spi), reqid);
-
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
-		 hard ? "delete" : "rekey",  protocol_id_names,
-		 protocol, ntohl(spi), reqid);
-	if (hard)
-	{
-		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
-	}
-	else
-	{
-		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
-	}
-	charon->processor->queue_job(charon->processor, job);
+	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
+									spi, hard);
 	return JOB_REQUEUE_NONE;
 }
 
@@ -1518,7 +1499,7 @@ static job_requeue_t sa_expires(sa_expire_t *expire)
  * Schedule an expire job for an SA. Time is in seconds.
  */
 static void schedule_expire(private_kernel_klips_ipsec_t *this,
-							protocol_id_t protocol, u_int32_t spi,
+							u_int8_t protocol, u_int32_t spi,
 							u_int32_t reqid, expire_type_t type, u_int32_t time)
 {
 	callback_job_t *job;
@@ -1529,12 +1510,12 @@ static void schedule_expire(private_kernel_klips_ipsec_t *this,
 	expire->reqid = reqid;
 	expire->type = type;
 	job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL);
-	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time);
+	lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, time);
 }
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 	/* we cannot use SADB_GETSPI because KLIPS does not allow us to set the
 	 * NAT-T type in an SADB_UPDATE which we would have to use to update the
@@ -1552,12 +1533,9 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 	rng->get_bytes(rng, sizeof(spi_gen), (void*)&spi_gen);
 	rng->destroy(rng);
 
-	/* charon's SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
+	/* allocated SPIs lie within the range from 0xc0000000 to 0xcFFFFFFF */
 	spi_gen = 0xc0000000 | (spi_gen & 0x0FFFFFFF);
 
-	DBG2(DBG_KNL, "allocated SPI %.8x for %N SA between %#H..%#H",
-			spi_gen, protocol_id_names, protocol, src, dst);
-
 	*spi = htonl(spi_gen);
 
 	this->mutex->lock(this->mutex);
@@ -1629,7 +1607,7 @@ static status_t add_ipip_sa(private_kernel_klips_ipsec_t *this,
  */
 static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
 					   host_t *src, host_t *dst, u_int32_t spi,
-					   protocol_id_t protocol, u_int32_t reqid)
+					   u_int8_t protocol, u_int32_t reqid)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1659,7 +1637,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
 	satype = (struct sadb_x_satype*)PFKEY_EXT_ADD_NEXT(msg);
 	satype->sadb_x_satype_exttype = SADB_X_EXT_SATYPE2;
 	satype->sadb_x_satype_len = PFKEY_LEN(sizeof(struct sadb_x_satype));
-	satype->sadb_x_satype_satype = proto_ike2satype(protocol);
+	satype->sadb_x_satype_satype = proto2satype(protocol);
 	PFKEY_EXT_ADD(msg, satype);
 
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1690,7 +1668,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+	u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
@@ -1731,7 +1709,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_ADD;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_satype = proto2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1848,7 +1826,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
-	private_kernel_klips_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+	private_kernel_klips_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
 	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
 	bool encap, bool new_encap, mark_t mark)
 {
@@ -1885,7 +1863,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_UPDATE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_satype = proto2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1921,14 +1899,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	return NOT_SUPPORTED;  /* TODO */
 }
 
 METHOD(kernel_ipsec_t, del_sa, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1957,7 +1935,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_DELETE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_satype = proto2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1992,13 +1970,13 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 	private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool routed)
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
 	policy_entry_t *policy, *found = NULL;
+	u_int32_t spi;
 	u_int8_t satype;
 	size_t len;
 
@@ -2009,8 +1987,10 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	}
 
 	/* tunnel mode policies direct the packets into the pseudo IPIP SA */
-	satype = (mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP :
-									 proto_ike2satype(protocol);
+	satype = (sa->mode == MODE_TUNNEL) ? SADB_X_SATYPE_IPIP
+									   : proto2satype(sa->esp.use ? IPPROTO_ESP
+																  : IPPROTO_AH);
+	spi = sa->esp.use ? sa->esp.spi : sa->ah.spi;
 
 	/* create a policy */
 	policy = create_policy_entry(src_ts, dst_ts, direction);
@@ -2042,7 +2022,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 		/* the reqid is always set to the latest child SA that trapped this
 		 * policy. we will need this reqid upon receiving an acquire. */
-		policy->reqid = reqid;
+		policy->reqid = sa->reqid;
 
 		/* increase the trap counter */
 		policy->trapcount++;
@@ -2120,11 +2100,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		route_entry_t *route = malloc_thing(route_entry_t);
 		route->src_ip = NULL;
 
-		if (mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+		if (sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
 			this->install_routes)
 		{
-			charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
-						src_ts, &route->src_ip);
+			hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
+													   src_ts, &route->src_ip);
 		}
 
 		if (!route->src_ip)
@@ -2133,8 +2113,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		}
 
 		/* find the virtual interface */
-		iface = charon->kernel_interface->get_interface(charon->kernel_interface,
-														src);
+		iface = hydra->kernel_interface->get_interface(hydra->kernel_interface,
+													   src);
 		if (find_ipsec_dev(this, iface, &dev) == SUCCESS)
 		{
 			/* above, we got either the name of a virtual or a physical
@@ -2180,12 +2160,12 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 		route->if_name = strdup(dev->name);
 
 		/* get the nexthop to dst */
-		route->gateway = charon->kernel_interface->get_nexthop(
-										charon->kernel_interface, dst);
+		route->gateway = hydra->kernel_interface->get_nexthop(
+												hydra->kernel_interface, dst);
 		route->dst_net = chunk_clone(policy->dst.net->get_address(policy->dst.net));
 		route->prefixlen = policy->dst.mask;
 
-		switch (charon->kernel_interface->add_route(charon->kernel_interface,
+		switch (hydra->kernel_interface->add_route(hydra->kernel_interface,
 				route->dst_net, route->prefixlen, route->gateway,
 				route->src_ip, route->if_name))
 		{
@@ -2467,7 +2447,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 	{
 		ipsec_dev_t *dev;
 
-		if (charon->kernel_interface->del_route(charon->kernel_interface,
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
 				route->dst_net, route->prefixlen, route->gateway,
 				route->src_ip, route->if_name) != SUCCESS)
 		{
@@ -2509,8 +2489,8 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 static void init_ipsec_devices(private_kernel_klips_ipsec_t *this)
 {
 	int i, count = lib->settings->get_int(lib->settings,
-						"charon.plugins.kernel-klips.ipsec_dev_count",
-						DEFAULT_IPSEC_DEV_COUNT);
+						"%s.plugins.kernel-klips.ipsec_dev_count",
+						DEFAULT_IPSEC_DEV_COUNT, hydra->daemon);
 
 	for (i = 0; i < count; ++i)
 	{
@@ -2598,18 +2578,20 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 	private_kernel_klips_ipsec_t *this;
 
 	INIT(this,
-		.public.interface = {
-			.get_spi = _get_spi,
-			.get_cpi = _get_cpi,
-			.add_sa  = _add_sa,
-			.update_sa = _update_sa,
-			.query_sa = _query_sa,
-			.del_sa = _del_sa,
-			.add_policy = _add_policy,
-			.query_policy = _query_policy,
-			.del_policy = _del_policy,
-			.bypass_socket = _bypass_socket,
-			.destroy = _destroy,
+		.public = {
+			.interface = {
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa  = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.bypass_socket = _bypass_socket,
+				.destroy = _destroy,
+			},
 		},
 		.policies = linked_list_create(),
 		.allocated_spis = linked_list_create(),
@@ -2618,7 +2600,8 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
 		.install_routes = lib->settings->get_bool(lib->settings,
-												"charon.install_routes", TRUE),
+												  "%s.install_routes", TRUE,
+												  hydra->daemon),
 	);
 
 	/* initialize ipsec devices */
@@ -2653,7 +2636,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
 
 	this->job = callback_job_create((callback_job_cb_t)receive_events,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.h
index 306ec0ada..306ec0ada 100644
--- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.h
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.h
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
index fa5e9eb29..1a22835c0 100644
--- a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.c
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c
@@ -18,7 +18,7 @@
 
 #include "kernel_klips_ipsec.h"
 
-#include <daemon.h>
+#include <hydra.h>
 
 typedef struct private_kernel_klips_plugin_t private_kernel_klips_plugin_t;
 
@@ -37,7 +37,8 @@ struct private_kernel_klips_plugin_t {
  */
 static void destroy(private_kernel_klips_plugin_t *this)
 {
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
+	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
+						(kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
 	free(this);
 }
 
@@ -50,7 +51,8 @@ plugin_t *kernel_klips_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
+	hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
+						(kernel_ipsec_constructor_t)kernel_klips_ipsec_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.h
index 6086217ad..8dd386a66 100644
--- a/src/libcharon/plugins/kernel_klips/kernel_klips_plugin.h
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_klips kernel_klips
- * @ingroup cplugins
+ * @ingroup hplugins
  *
  * @defgroup kernel_klips_plugin kernel_klips_plugin
  * @{ @ingroup kernel_klips
diff --git a/src/libcharon/plugins/kernel_klips/pfkeyv2.h b/src/libhydra/plugins/kernel_klips/pfkeyv2.h
index 20d1c298d..20d1c298d 100644
--- a/src/libcharon/plugins/kernel_klips/pfkeyv2.h
+++ b/src/libhydra/plugins/kernel_klips/pfkeyv2.h
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.am b/src/libhydra/plugins/kernel_netlink/Makefile.am
index 2bb00ec0d..1ad379421 100644
--- a/src/libcharon/plugins/kernel_netlink/Makefile.am
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.am
@@ -1,6 +1,6 @@
 
 INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+	-I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic \
 -DROUTING_TABLE=${routing_table} \
@@ -14,7 +14,8 @@ endif
 
 libstrongswan_kernel_netlink_la_SOURCES = \
 	kernel_netlink_plugin.h kernel_netlink_plugin.c \
-	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
+	kernel_netlink_ipsec.h kernel_netlink_ipsec.c \
+	kernel_netlink_net.h kernel_netlink_net.c \
 	kernel_netlink_shared.h kernel_netlink_shared.c
 
 libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index 49cc895bc..d41ee1456 100644
--- a/src/libcharon/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -34,7 +34,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libcharon/plugins/kernel_netlink
+subdir = src/libhydra/plugins/kernel_netlink
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -169,6 +170,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -200,14 +203,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -222,24 +228,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -247,7 +260,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -260,7 +276,7 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+	-I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic \
 -DROUTING_TABLE=${routing_table} \
@@ -270,7 +286,8 @@ AM_CFLAGS = -rdynamic \
 @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
 libstrongswan_kernel_netlink_la_SOURCES = \
 	kernel_netlink_plugin.h kernel_netlink_plugin.c \
-	kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
+	kernel_netlink_ipsec.h kernel_netlink_ipsec.c \
+	kernel_netlink_net.h kernel_netlink_net.c \
 	kernel_netlink_shared.h kernel_netlink_shared.c
 
 libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
@@ -287,9 +304,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_netlink/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_netlink/Makefile
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_netlink/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 019ec93f8..8cc9a6283 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2010 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2008 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
@@ -35,16 +35,12 @@
 #include "kernel_netlink_ipsec.h"
 #include "kernel_netlink_shared.h"
 
-#include <daemon.h>
+#include <hydra.h>
+#include <debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <utils/hashtable.h>
 #include <processing/jobs/callback_job.h>
-#include <processing/jobs/acquire_job.h>
-#include <processing/jobs/migrate_job.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/delete_child_sa_job.h>
-#include <processing/jobs/update_sa_job.h>
 
 /** required for Linux 2.6.26 kernel and later */
 #ifndef XFRM_STATE_AF_UNSPEC
@@ -187,6 +183,8 @@ static kernel_algorithm_t encryption_algs[] = {
 /*	{ENCR_CAMELLIA_CCM_ICV8,	"***"				}, */
 /*	{ENCR_CAMELLIA_CCM_ICV12,	"***"				}, */
 /*	{ENCR_CAMELLIA_CCM_ICV16,	"***"				}, */
+	{ENCR_SERPENT_CBC,			"serpent"			},
+	{ENCR_TWOFISH_CBC,			"twofish"			},
 	{END_OF_LIST,				NULL				}
 };
 
@@ -296,7 +294,7 @@ struct policy_entry_t {
 static u_int policy_hash(policy_entry_t *key)
 {
 	chunk_t chunk = chunk_create((void*)&key->sel,
-						 	sizeof(struct xfrm_selector) + sizeof(u_int32_t));
+							sizeof(struct xfrm_selector) + sizeof(u_int32_t));
 	return chunk_hash(chunk);
 }
 
@@ -305,7 +303,7 @@ static u_int policy_hash(policy_entry_t *key)
  */
 static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key)
 {
-	return memeq(&key->sel, &other_key->sel, 
+	return memeq(&key->sel, &other_key->sel,
 				 sizeof(struct xfrm_selector) + sizeof(u_int32_t)) &&
 		   key->direction == other_key->direction;
 }
@@ -353,38 +351,6 @@ struct private_kernel_netlink_ipsec_t {
 };
 
 /**
- * convert a IKEv2 specific protocol identifier to the kernel one
- */
-static u_int8_t proto_ike2kernel(protocol_id_t proto)
-{
-	switch (proto)
-	{
-		case PROTO_ESP:
-			return IPPROTO_ESP;
-		case PROTO_AH:
-			return IPPROTO_AH;
-		default:
-			return proto;
-	}
-}
-
-/**
- * reverse of ike2kernel
- */
-static protocol_id_t proto_kernel2ike(u_int8_t proto)
-{
-	switch (proto)
-	{
-		case IPPROTO_ESP:
-			return PROTO_ESP;
-		case IPPROTO_AH:
-			return PROTO_AH;
-		default:
-			return proto;
-	}
-}
-
-/**
  * convert the general ipsec mode to the one defined in xfrm.h
  */
 static u_int8_t mode2kernel(ipsec_mode_t mode)
@@ -556,7 +522,6 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd
 	struct xfrm_user_acquire *acquire;
 	struct rtattr *rta;
 	size_t rtasize;
-	job_t *job;
 
 	acquire = (struct xfrm_user_acquire*)NLMSG_DATA(hdr);
 	rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
@@ -590,10 +555,9 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd
 	}
 	src_ts = selector2ts(&acquire->sel, TRUE);
 	dst_ts = selector2ts(&acquire->sel, FALSE);
-	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
-					src_ts, dst_ts, reqid);
-	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
-	charon->processor->queue_job(charon->processor, job);
+
+	hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
+									 dst_ts);
 }
 
 /**
@@ -601,37 +565,26 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this, struct nlmsghd
  */
 static void process_expire(private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr)
 {
-	job_t *job;
-	protocol_id_t protocol;
+	u_int8_t protocol;
 	u_int32_t spi, reqid;
 	struct xfrm_user_expire *expire;
 
 	expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
-	protocol = proto_kernel2ike(expire->state.id.proto);
+	protocol = expire->state.id.proto;
 	spi = expire->state.id.spi;
 	reqid = expire->state.reqid;
 
 	DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
 
-	if (protocol != PROTO_ESP && protocol != PROTO_AH)
+	if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
 	{
-		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and reqid {%u} "
-					  "which is not a CHILD_SA", ntohl(spi), reqid);
+		DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and "
+					  "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
 		return;
 	}
 
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%d}",
-		 expire->hard ? "delete" : "rekey",  protocol_id_names,
-		 protocol, ntohl(spi), reqid);
-	if (expire->hard)
-	{
-		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
-	}
-	else
-	{
-		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
-	}
-	charon->processor->queue_job(charon->processor, job);
+	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
+									spi, expire->hard != 0);
 }
 
 /**
@@ -648,7 +601,6 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd
 	size_t rtasize;
 	u_int32_t reqid = 0;
 	policy_dir_t dir;
-	job_t *job;
 
 	policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
 	rta     = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
@@ -677,18 +629,15 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd
 		else if (rta->rta_type == XFRMA_MIGRATE)
 		{
 			struct xfrm_user_migrate *migrate;
-			protocol_id_t proto;
 
 			migrate = (struct xfrm_user_migrate*)RTA_DATA(rta);
 			old_src = xfrm2host(migrate->old_family, &migrate->old_saddr, 0);
 			old_dst = xfrm2host(migrate->old_family, &migrate->old_daddr, 0);
 			new_src = xfrm2host(migrate->new_family, &migrate->new_saddr, 0);
 			new_dst = xfrm2host(migrate->new_family, &migrate->new_daddr, 0);
-			proto = proto_kernel2ike(migrate->proto);
 			reqid = migrate->reqid;
-			DBG2(DBG_KNL, "  migrate %N %H...%H to %H...%H, reqid {%u}",
-							 protocol_id_names, proto, old_src, old_dst,
-							 new_src, new_dst, reqid);
+			DBG2(DBG_KNL, "  migrate %H...%H to %H...%H, reqid {%u}",
+						  old_src, old_dst, new_src, new_dst, reqid);
 			DESTROY_IF(old_src);
 			DESTROY_IF(old_dst);
 			DESTROY_IF(new_src);
@@ -699,11 +648,8 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd
 
 	if (src_ts && dst_ts && local && remote)
 	{
-		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
-					   src_ts, dst_ts, policy_dir_names, dir, reqid, local);
-		job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
-										 local, remote);
-		charon->processor->queue_job(charon->processor, job);
+		hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
+										 src_ts, dst_ts, dir, local, remote);
 	}
 	else
 	{
@@ -720,7 +666,6 @@ static void process_migrate(private_kernel_netlink_ipsec_t *this, struct nlmsghd
 static void process_mapping(private_kernel_netlink_ipsec_t *this,
 							struct nlmsghdr *hdr)
 {
-	job_t *job;
 	u_int32_t spi, reqid;
 	struct xfrm_user_mapping *mapping;
 	host_t *host;
@@ -731,16 +676,14 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
 
 	DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
 
-	if (proto_kernel2ike(mapping->id.proto) == PROTO_ESP)
+	if (mapping->id.proto == IPPROTO_ESP)
 	{
 		host = xfrm2host(mapping->id.family, &mapping->new_saddr,
 						 mapping->new_sport);
 		if (host)
 		{
-			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
-				"reqid {%u} changed, queuing update job", ntohl(spi), reqid);
-			job = (job_t*)update_sa_job_create(reqid, host);
-			charon->processor->queue_job(charon->processor, job);
+			hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
+											 spi, host);
 		}
 	}
 }
@@ -882,11 +825,11 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 	DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
 
-	if (get_spi_internal(this, src, dst, proto_ike2kernel(protocol),
+	if (get_spi_internal(this, src, dst, protocol,
 			0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
@@ -922,9 +865,9 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+	u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
-	u_int16_t int_alg, chunk_t int_key,	ipsec_mode_t mode, u_int16_t ipcomp,
+	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 	u_int16_t cpi, bool encap, bool inbound,
 	traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
 {
@@ -968,7 +911,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	host2xfrm(src, &sa->saddr);
 	host2xfrm(dst, &sa->id.daddr);
 	sa->id.spi = spi;
-	sa->id.proto = proto_ike2kernel(protocol);
+	sa->id.proto = protocol;
 	sa->family = src->get_family(src);
 	sa->mode = mode2kernel(mode);
 	switch (mode)
@@ -1080,7 +1023,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		}
 	}
 
-	if (int_alg  != AUTH_UNDEFINED)
+	if (int_alg != AUTH_UNDEFINED)
 	{
 		alg_name = lookup_algorithm(integrity_algs, int_alg);
 		if (alg_name == NULL)
@@ -1230,7 +1173,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
  * Get the replay state (i.e. sequence numbers) of an SA.
  */
 static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
-						  u_int32_t spi, protocol_id_t protocol, host_t *dst,
+						  u_int32_t spi, u_int8_t protocol, host_t *dst,
 						  struct xfrm_replay_state *replay)
 {
 	netlink_buf_t request;
@@ -1254,7 +1197,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 
 	host2xfrm(dst, &aevent_id->sa_id.daddr);
 	aevent_id->sa_id.spi = spi;
-	aevent_id->sa_id.proto = proto_ike2kernel(protocol);
+	aevent_id->sa_id.proto = protocol;
 	aevent_id->sa_id.family = dst->get_family(dst);
 
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
@@ -1316,7 +1259,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *out = NULL, *hdr;
@@ -1343,7 +1286,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
 	host2xfrm(dst, &sa_id->daddr);
 	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->proto = protocol;
 	sa_id->family = dst->get_family(dst);
 
 	if (mark.value)
@@ -1379,7 +1322,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 				case NLMSG_ERROR:
 				{
 					struct nlmsgerr *err = NLMSG_DATA(hdr);
-					
+
 					if (mark.value)
 					{
 						DBG1(DBG_KNL, "querying SAD entry with SPI %.8x  "
@@ -1419,7 +1362,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 
 METHOD(kernel_ipsec_t, del_sa, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
 	netlink_buf_t request;
 	struct nlmsghdr *hdr;
@@ -1450,7 +1393,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
 	host2xfrm(dst, &sa_id->daddr);
 	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->proto = protocol;
 	sa_id->family = dst->get_family(dst);
 
 	if (mark.value)
@@ -1497,7 +1440,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
-	private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+	private_kernel_netlink_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
 	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
 	bool old_encap, bool new_encap, mark_t mark)
 {
@@ -1533,7 +1476,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
 	host2xfrm(dst, &sa_id->daddr);
 	sa_id->spi = spi;
-	sa_id->proto = proto_ike2kernel(protocol);
+	sa_id->proto = protocol;
 	sa_id->family = dst->get_family(dst);
 
 	if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
@@ -1676,15 +1619,15 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi,	bool routed)
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
 {
 	policy_entry_t *current, *policy;
 	bool found = FALSE;
 	netlink_buf_t request;
 	struct xfrm_userpolicy_info *policy_info;
 	struct nlmsghdr *hdr;
+	int i;
 
 	/* create a policy */
 	policy = malloc_thing(policy_entry_t);
@@ -1705,7 +1648,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 			DBG2(DBG_KNL, "policy %R === %R %N  (mark %u/0x%8x) "
 						  "already exists, increasing refcount",
 						   src_ts, dst_ts, policy_dir_names, direction,
-					  	   mark.value, mark.mask);
+						   mark.value, mark.mask);
 		}
 		else
 		{
@@ -1749,7 +1692,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	policy_info->priority -= policy->sel.prefixlen_s * 10;
 	policy_info->priority -= policy->sel.proto ? 2 : 0;
 	policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
-	policy_info->action = XFRM_POLICY_ALLOW;
+	policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW
+											  : XFRM_POLICY_BLOCK;
 	policy_info->share = XFRM_SHARE_ANY;
 	this->mutex->unlock(this->mutex);
 
@@ -1764,55 +1708,59 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	policy_info->lft.hard_use_expires_seconds = 0;
 
 	struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
-	rthdr->rta_type = XFRMA_TMPL;
-	rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
 
-	hdr->nlmsg_len += rthdr->rta_len;
-	if (hdr->nlmsg_len > sizeof(request))
+	if (type == POLICY_IPSEC)
 	{
-		return FAILED;
-	}
+		struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
+		struct {
+			u_int8_t proto;
+			bool use;
+		} protos[] = {
+			{ IPPROTO_COMP, sa->ipcomp.transform != IPCOMP_NONE },
+			{ IPPROTO_ESP, sa->esp.use },
+			{ IPPROTO_AH, sa->ah.use },
+		};
+		ipsec_mode_t proto_mode = sa->mode;
 
-	struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
+		rthdr->rta_type = XFRMA_TMPL;
+		rthdr->rta_len = 0; /* actual length is set below */
 
-	if (ipcomp != IPCOMP_NONE)
-	{
-		tmpl->reqid = reqid;
-		tmpl->id.proto = IPPROTO_COMP;
-		tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-		tmpl->mode = mode2kernel(mode);
-		tmpl->optional = direction != POLICY_OUT;
-		tmpl->family = src->get_family(src);
+		for (i = 0; i < countof(protos); i++)
+		{
+			if (!protos[i].use)
+			{
+				continue;
+			}
 
-		host2xfrm(src, &tmpl->saddr);
-		host2xfrm(dst, &tmpl->id.daddr);
+			rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+			hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
+			if (hdr->nlmsg_len > sizeof(request))
+			{
+				return FAILED;
+			}
 
-		/* add an additional xfrm_user_tmpl */
-		rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-		hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl));
-		if (hdr->nlmsg_len > sizeof(request))
-		{
-			return FAILED;
-		}
+			tmpl->reqid = sa->reqid;
+			tmpl->id.proto = protos[i].proto;
+			tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
+			tmpl->mode = mode2kernel(proto_mode);
+			tmpl->optional = protos[i].proto == IPPROTO_COMP &&
+							 direction != POLICY_OUT;
+			tmpl->family = src->get_family(src);
+
+			if (proto_mode == MODE_TUNNEL)
+			{	/* only for tunnel mode */
+				host2xfrm(src, &tmpl->saddr);
+				host2xfrm(dst, &tmpl->id.daddr);
+			}
 
-		tmpl++;
+			tmpl++;
 
-		/* use transport mode for ESP if we have a tunnel mode IPcomp SA */
-		mode = MODE_TRANSPORT;
-	}
-	else
-	{
-		/* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
-		host2xfrm(src, &tmpl->saddr);
-		host2xfrm(dst, &tmpl->id.daddr);
-	}
+			/* use transport mode for other SAs */
+			proto_mode = MODE_TRANSPORT;
+		}
 
-	tmpl->reqid = reqid;
-	tmpl->id.proto = proto_ike2kernel(protocol);
-	tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
-	tmpl->mode = mode2kernel(mode);
-	tmpl->family = src->get_family(src);
-	rthdr = XFRM_RTA_NEXT(rthdr);
+		rthdr = XFRM_RTA_NEXT(rthdr);
+	}
 
 	if (mark.value)
 	{
@@ -1846,27 +1794,27 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	 * - routing is not disabled via strongswan.conf
 	 */
 	if (policy->route == NULL && direction == POLICY_FWD &&
-		mode != MODE_TRANSPORT && this->install_routes)
+		sa->mode != MODE_TRANSPORT && this->install_routes)
 	{
 		route_entry_t *route = malloc_thing(route_entry_t);
 
-		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+		if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
 				dst_ts, &route->src_ip) == SUCCESS)
 		{
 			/* get the nexthop to src (src as we are in POLICY_FWD).*/
-			route->gateway = charon->kernel_interface->get_nexthop(
-												charon->kernel_interface, src);
+			route->gateway = hydra->kernel_interface->get_nexthop(
+												hydra->kernel_interface, src);
 			/* install route via outgoing interface */
-			route->if_name = charon->kernel_interface->get_interface(
-												charon->kernel_interface, dst);
+			route->if_name = hydra->kernel_interface->get_interface(
+												hydra->kernel_interface, dst);
 			route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
 			memcpy(route->dst_net.ptr, &policy->sel.saddr, route->dst_net.len);
 			route->prefixlen = policy->sel.prefixlen_s;
 
 			if (route->if_name)
 			{
-				switch (charon->kernel_interface->add_route(
-									charon->kernel_interface, route->dst_net,
+				switch (hydra->kernel_interface->add_route(
+									hydra->kernel_interface, route->dst_net,
 									route->prefixlen, route->gateway,
 									route->src_ip, route->if_name))
 				{
@@ -2002,7 +1950,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 
 METHOD(kernel_ipsec_t, del_policy, status_t,
 	private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
-	traffic_selector_t *dst_ts, policy_dir_t direction,	mark_t mark,
+	traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
 	bool unrouted)
 {
 	policy_entry_t *current, policy, *to_delete = NULL;
@@ -2112,7 +2060,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 
 	if (route)
 	{
-		if (charon->kernel_interface->del_route(charon->kernel_interface,
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
 				route->dst_net, route->prefixlen, route->gateway,
 				route->src_ip, route->if_name) != SUCCESS)
 		{
@@ -2202,26 +2150,34 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	int fd;
 
 	INIT(this,
-		.public.interface = {
-			.get_spi = _get_spi,
-			.get_cpi = _get_cpi,
-			.add_sa  = _add_sa,
-			.update_sa = _update_sa,
-			.query_sa = _query_sa,
-			.del_sa = _del_sa,
-			.add_policy = _add_policy,
-			.query_policy = _query_policy,
-			.del_policy = _del_policy,
-			.bypass_socket = _bypass_socket,
-			.destroy = _destroy,
+		.public = {
+			.interface = {
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa  = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.bypass_socket = _bypass_socket,
+				.destroy = _destroy,
+			},
 		},
 		.policies = hashtable_create((hashtable_hash_t)policy_hash,
 									 (hashtable_equals_t)policy_equals, 32),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.install_routes = lib->settings->get_bool(lib->settings,
-												"charon.install_routes", TRUE),
+												  "%s.install_routes", TRUE,
+												  hydra->daemon),
 	);
 
+	if (streq(hydra->daemon, "pluto"))
+	{	/* no routes for pluto, they are installed via updown script */
+		this->install_routes = FALSE;
+	}
+
 	/* disable lifetimes for allocated SPIs in kernel */
 	fd = open("/proc/sys/net/core/xfrm_acq_expires", O_WRONLY);
 	if (fd)
@@ -2258,7 +2214,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
 	}
 	this->job = callback_job_create((callback_job_cb_t)receive_events,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h
index 3a45cce06..3a45cce06 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.h
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.h
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index 6750458cf..314c1acc1 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -47,15 +47,15 @@
 #include "kernel_netlink_net.h"
 #include "kernel_netlink_shared.h"
 
-#include <daemon.h>
+#include <hydra.h>
+#include <debug.h>
 #include <threading/thread.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
 #include <utils/linked_list.h>
 #include <processing/jobs/callback_job.h>
-#include <processing/jobs/roam_job.h>
 
-/** delay before firing roam jobs (ms) */
+/** delay before firing roam events (ms) */
 #define ROAM_DELAY 100
 
 typedef struct addr_entry_t addr_entry_t;
@@ -158,7 +158,7 @@ struct private_kernel_netlink_net_t {
 	int socket_events;
 
 	/**
-	 * time of the last roam_job
+	 * time of the last roam event
 	 */
 	timeval_t last_roam;
 
@@ -223,12 +223,58 @@ static int get_vip_refcount(private_kernel_netlink_net_t *this, host_t* ip)
 }
 
 /**
- * start a roaming job. We delay it for a second and fire only one job
- * for multiple events. Otherwise we would create two many jobs.
+ * get the first non-virtual ip address on the given interface.
+ * returned host is a clone, has to be freed by caller.
  */
-static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
+static host_t *get_interface_address(private_kernel_netlink_net_t *this,
+									 int ifindex, int family)
+{
+	enumerator_t *ifaces, *addrs;
+	iface_entry_t *iface;
+	addr_entry_t *addr;
+	host_t *ip = NULL;
+
+	this->mutex->lock(this->mutex);
+	ifaces = this->ifaces->create_enumerator(this->ifaces);
+	while (ifaces->enumerate(ifaces, &iface))
+	{
+		if (iface->ifindex == ifindex)
+		{
+			addrs = iface->addrs->create_enumerator(iface->addrs);
+			while (addrs->enumerate(addrs, &addr))
+			{
+				if (!addr->virtual && addr->ip->get_family(addr->ip) == family)
+				{
+					ip = addr->ip->clone(addr->ip);
+					break;
+				}
+			}
+			addrs->destroy(addrs);
+			break;
+		}
+	}
+	ifaces->destroy(ifaces);
+	this->mutex->unlock(this->mutex);
+	return ip;
+}
+
+/**
+ * callback function that raises the delayed roam event
+ */
+static job_requeue_t roam_event(uintptr_t address)
+{
+	hydra->kernel_interface->roam(hydra->kernel_interface, address != 0);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * fire a roaming event. we delay it for a bit and fire only one event
+ * for multiple calls. otherwise we would create too many events.
+ */
+static void fire_roam_event(private_kernel_netlink_net_t *this, bool address)
 {
 	timeval_t now;
+	job_t *job;
 
 	time_monotonic(&now);
 	if (timercmp(&now, &this->last_roam, >))
@@ -240,8 +286,11 @@ static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
 			now.tv_usec -= 1000000;
 		}
 		this->last_roam = now;
-		charon->scheduler->schedule_job_ms(charon->scheduler,
-				(job_t*)roam_job_create(address), ROAM_DELAY);
+
+		job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
+										  (void*)(uintptr_t)(address ? 1 : 0),
+										  NULL, NULL);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY);
 	}
 }
 
@@ -341,7 +390,7 @@ static void process_link(private_kernel_netlink_net_t *this,
 	/* send an update to all IKE_SAs */
 	if (update && event)
 	{
-		fire_roam_job(this, TRUE);
+		fire_roam_event(this, TRUE);
 	}
 }
 
@@ -458,7 +507,7 @@ static void process_addr(private_kernel_netlink_net_t *this,
 	/* send an update to all IKE_SAs */
 	if (update && event && changed)
 	{
-		fire_roam_job(this, TRUE);
+		fire_roam_event(this, TRUE);
 	}
 }
 
@@ -470,10 +519,12 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
 	struct rtmsg* msg = (struct rtmsg*)(NLMSG_DATA(hdr));
 	struct rtattr *rta = RTM_RTA(msg);
 	size_t rtasize = RTM_PAYLOAD(hdr);
+	u_int32_t rta_oif = 0;
 	host_t *host = NULL;
 
-	/* ignore routes added by us */
-	if (msg->rtm_table && msg->rtm_table == this->routing_table)
+	/* ignore routes added by us or in the local routing table (local addrs) */
+	if (msg->rtm_table && (msg->rtm_table == this->routing_table ||
+						   msg->rtm_table == RT_TABLE_LOCAL))
 	{
 		return;
 	}
@@ -486,15 +537,25 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h
 				host = host_create_from_chunk(msg->rtm_family,
 							chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0);
 				break;
+			case RTA_OIF:
+				if (RTA_PAYLOAD(rta) == sizeof(rta_oif))
+				{
+					rta_oif = *(u_int32_t*)RTA_DATA(rta);
+				}
+				break;
 		}
 		rta = RTA_NEXT(rta, rtasize);
 	}
+	if (!host && rta_oif)
+	{
+		host = get_interface_address(this, rta_oif, msg->rtm_family);
+	}
 	if (host)
 	{
 		this->mutex->lock(this->mutex);
 		if (!get_vip_refcount(this, host))
 		{	/* ignore routes added for virtual IPs */
-			fire_roam_job(this, FALSE);
+			fire_roam_event(this, FALSE);
 		}
 		this->mutex->unlock(this->mutex);
 		host->destroy(host);
@@ -912,8 +973,7 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 					continue;
 				}
 				if (rta_src.ptr)
-				{
-					/* got a source address */
+				{	/* got a source address */
 					new_src = host_create_from_chunk(msg->rtm_family, rta_src, 0);
 					if (new_src)
 					{
@@ -930,6 +990,18 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 					}
 					continue;
 				}
+				if (rta_oif)
+				{	/* no src or gtw, but an interface. Get address from it. */
+					new_src = get_interface_address(this, rta_oif,
+													msg->rtm_family);
+					if (new_src)
+					{
+						DESTROY_IF(src);
+						src = new_src;
+						best = msg->rtm_dst_len;
+					}
+					continue;
+				}
 				if (rta_gtw.ptr)
 				{	/* no source, but a gateway. Lookup source to reach gtw. */
 					new_gtw = host_create_from_chunk(msg->rtm_family, rta_gtw, 0);
@@ -1424,17 +1496,17 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 	timerclear(&this->last_roam);
 	this->routing_table = lib->settings->get_int(lib->settings,
-					"charon.routing_table", ROUTING_TABLE);
+					"%s.routing_table", ROUTING_TABLE, hydra->daemon);
 	this->routing_table_prio = lib->settings->get_int(lib->settings,
-					"charon.routing_table_prio", ROUTING_TABLE_PRIO);
+					"%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon);
 	this->process_route = lib->settings->get_bool(lib->settings,
-					"charon.process_route", TRUE);
+					"%s.process_route", TRUE, hydra->daemon);
 	this->install_virtual_ip = lib->settings->get_bool(lib->settings,
-					"charon.install_virtual_ip", TRUE);
+					"%s.install_virtual_ip", TRUE, hydra->daemon);
 
 	this->rt_exclude = linked_list_create();
 	exclude = lib->settings->get_str(lib->settings,
-					"charon.ignore_routing_tables", NULL);
+					"%s.ignore_routing_tables", NULL, hydra->daemon);
 	if (exclude)
 	{
 		char *token;
@@ -1479,7 +1551,7 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 
 	this->job = callback_job_create((callback_job_cb_t)receive_events,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	if (init_address_list(this) != SUCCESS)
 	{
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h
index ff9831d3c..ff9831d3c 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.h
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.h
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
index 4c61265aa..212675d1a 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -19,7 +19,7 @@
 #include "kernel_netlink_ipsec.h"
 #include "kernel_netlink_net.h"
 
-#include <daemon.h>
+#include <hydra.h>
 
 typedef struct private_kernel_netlink_plugin_t private_kernel_netlink_plugin_t;
 
@@ -38,8 +38,10 @@ struct private_kernel_netlink_plugin_t {
  */
 static void destroy(private_kernel_netlink_plugin_t *this)
 {
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
-	charon->kernel_interface->remove_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
+	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
+					(kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
+	hydra->kernel_interface->remove_net_interface(hydra->kernel_interface,
+					(kernel_net_constructor_t)kernel_netlink_net_create);
 	free(this);
 }
 
@@ -52,8 +54,10 @@ plugin_t *kernel_netlink_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
-	charon->kernel_interface->add_net_interface(charon->kernel_interface, (kernel_net_constructor_t)kernel_netlink_net_create);
+	hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
+					(kernel_ipsec_constructor_t)kernel_netlink_ipsec_create);
+	hydra->kernel_interface->add_net_interface(hydra->kernel_interface,
+					(kernel_net_constructor_t)kernel_netlink_net_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h
index 74c9ae24f..a795486ca 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.h
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_netlink kernel_netlink
- * @ingroup cplugins
+ * @ingroup hplugins
  *
  * @defgroup kernel_netlink_plugin kernel_netlink_plugin
  * @{ @ingroup kernel_netlink
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
index 5ed568150..c26fd2e51 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -21,7 +21,7 @@
 
 #include "kernel_netlink_shared.h"
 
-#include <daemon.h>
+#include <debug.h>
 #include <threading/mutex.h>
 
 typedef struct private_netlink_socket_t private_netlink_socket_t;
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
index dfd27a21a..dfd27a21a 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.am b/src/libhydra/plugins/kernel_pfkey/Makefile.am
index 778a7f9a9..1d1488a6b 100644
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.am
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.am
@@ -1,6 +1,6 @@
 
 INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+	-I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic
 
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 1dda6827b..a98ae42d1 100644
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -34,7 +34,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libcharon/plugins/kernel_pfkey
+subdir = src/libhydra/plugins/kernel_pfkey
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -259,7 +275,7 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+	-I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfkey.la
@@ -282,9 +298,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfkey/Makefile
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfkey/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index a64c27f6f..f5786447b 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -54,16 +54,13 @@
 
 #include "kernel_pfkey_ipsec.h"
 
-#include <daemon.h>
+#include <hydra.h>
+#include <debug.h>
 #include <utils/host.h>
+#include <utils/linked_list.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <processing/jobs/callback_job.h>
-#include <processing/jobs/acquire_job.h>
-#include <processing/jobs/migrate_job.h>
-#include <processing/jobs/rekey_child_sa_job.h>
-#include <processing/jobs/delete_child_sa_job.h>
-#include <processing/jobs/update_sa_job.h>
 
 /** non linux specific */
 #ifndef IPPROTO_COMP
@@ -398,15 +395,15 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
 );
 
 /**
- * convert a IKEv2 specific protocol identifier to the PF_KEY sa type
+ * convert a protocol identifier to the PF_KEY sa type
  */
-static u_int8_t proto_ike2satype(protocol_id_t proto)
+static u_int8_t proto2satype(u_int8_t proto)
 {
 	switch (proto)
 	{
-		case PROTO_ESP:
+		case IPPROTO_ESP:
 			return SADB_SATYPE_ESP;
-		case PROTO_AH:
+		case IPPROTO_AH:
 			return SADB_SATYPE_AH;
 		case IPPROTO_COMP:
 			return SADB_X_SATYPE_IPCOMP;
@@ -416,36 +413,20 @@ static u_int8_t proto_ike2satype(protocol_id_t proto)
 }
 
 /**
- * convert a PF_KEY sa type to a IKEv2 specific protocol identifier
+ * convert a PF_KEY sa type to a protocol identifier
  */
-static protocol_id_t proto_satype2ike(u_int8_t proto)
+static u_int8_t satype2proto(u_int8_t satype)
 {
-	switch (proto)
+	switch (satype)
 	{
 		case SADB_SATYPE_ESP:
-			return PROTO_ESP;
+			return IPPROTO_ESP;
 		case SADB_SATYPE_AH:
-			return PROTO_AH;
+			return IPPROTO_AH;
 		case SADB_X_SATYPE_IPCOMP:
 			return IPPROTO_COMP;
 		default:
-			return proto;
-	}
-}
-
-/**
- * convert a IKEv2 specific protocol identifier to the IP protocol identifier
- */
-static u_int8_t proto_ike2ip(protocol_id_t proto)
-{
-	switch (proto)
-	{
-		case PROTO_ESP:
-			return IPPROTO_ESP;
-		case PROTO_AH:
-			return IPPROTO_AH;
-		default:
-			return proto;
+			return satype;
 	}
 }
 
@@ -901,7 +882,6 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	u_int32_t index, reqid = 0;
 	traffic_selector_t *src_ts, *dst_ts;
 	policy_entry_t *policy;
-	job_t *job;
 
 	switch (msg->sadb_msg_satype)
 	{
@@ -930,17 +910,15 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	}
 	else
 	{
-		DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no matching policy found",
-					   index);
+		DBG1(DBG_KNL, "received an SADB_ACQUIRE with policy id %d but no"
+					  " matching policy found", index);
 	}
 	src_ts = sadb_address2ts(response.src);
 	dst_ts = sadb_address2ts(response.dst);
 	this->mutex->unlock(this->mutex);
 
-	DBG1(DBG_KNL, "creating acquire job for policy %R === %R with reqid {%u}",
-				   src_ts, dst_ts, reqid);
-	job = (job_t*)acquire_job_create(reqid, src_ts, dst_ts);
-	charon->processor->queue_job(charon->processor, job);
+	hydra->kernel_interface->acquire(hydra->kernel_interface, reqid, src_ts,
+									 dst_ts);
 }
 
 /**
@@ -949,10 +927,9 @@ static void process_acquire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
 {
 	pfkey_msg_t response;
-	protocol_id_t protocol;
+	u_int8_t protocol;
 	u_int32_t spi, reqid;
 	bool hard;
-	job_t *job;
 
 	DBG2(DBG_KNL, "received an SADB_EXPIRE");
 
@@ -962,30 +939,20 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 		return;
 	}
 
-	protocol = proto_satype2ike(msg->sadb_msg_satype);
+	protocol = satype2proto(msg->sadb_msg_satype);
 	spi = response.sa->sadb_sa_spi;
 	reqid = response.x_sa2->sadb_x_sa2_reqid;
 	hard = response.lft_hard != NULL;
 
-	if (protocol != PROTO_ESP && protocol != PROTO_AH)
+	if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
 	{
 		DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and reqid {%u} "
 					  "which is not a CHILD_SA", ntohl(spi), reqid);
 		return;
 	}
 
-	DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
-		 hard ? "delete" : "rekey",  protocol_id_names,
-		 protocol, ntohl(spi), reqid);
-	if (hard)
-	{
-		job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
-	}
-	else
-	{
-		job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
-	}
-	charon->processor->queue_job(charon->processor, job);
+	hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
+									spi, hard);
 }
 
 #ifdef SADB_X_MIGRATE
@@ -999,7 +966,6 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	policy_dir_t dir;
 	u_int32_t reqid = 0;
 	host_t *local = NULL, *remote = NULL;
-	job_t *job;
 
 	DBG2(DBG_KNL, "received an SADB_X_MIGRATE");
 
@@ -1031,11 +997,8 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 
 	if (src_ts && dst_ts && local && remote)
 	{
-		DBG1(DBG_KNL, "creating migrate job for policy %R === %R %N with reqid {%u}",
-					   src_ts, dst_ts, policy_dir_names, dir, reqid, local);
-		job = (job_t*)migrate_job_create(reqid, src_ts, dst_ts, dir,
-										 local, remote);
-		charon->processor->queue_job(charon->processor, job);
+		hydra->kernel_interface->migrate(hydra->kernel_interface, reqid,
+										 src_ts, dst_ts, dir, local, remote);
 	}
 	else
 	{
@@ -1056,7 +1019,6 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 	pfkey_msg_t response;
 	u_int32_t spi, reqid;
 	host_t *host;
-	job_t *job;
 
 	DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
 
@@ -1068,14 +1030,15 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 
 	if (!response.x_sa2)
 	{
-		DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required information");
+		DBG1(DBG_KNL, "received SADB_X_NAT_T_NEW_MAPPING is missing required "
+					  "information");
 		return;
 	}
 
 	spi = response.sa->sadb_sa_spi;
 	reqid = response.x_sa2->sadb_x_sa2_reqid;
 
-	if (proto_satype2ike(msg->sadb_msg_satype) == PROTO_ESP)
+	if (satype2proto(msg->sadb_msg_satype) == IPPROTO_ESP)
 	{
 		sockaddr_t *sa = (sockaddr_t*)(response.dst + 1);
 		switch (sa->sa_family)
@@ -1096,10 +1059,8 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 		host = host_create_from_sockaddr(sa);
 		if (host)
 		{
-			DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and "
-				"reqid {%u} changed, queuing update job", ntohl(spi), reqid);
-			job = (job_t*)update_sa_job_create(reqid, host);
-			charon->processor->queue_job(charon->processor, job);
+			hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
+											 spi, host);
 		}
 	}
 }
@@ -1179,7 +1140,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 
 METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
+	u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1194,7 +1155,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_GETSPI;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_satype = proto2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 	sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1245,7 +1206,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
-	protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+	u_int8_t protocol, u_int32_t reqid, mark_t mark,
 	lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 	u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
 	u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
@@ -1266,7 +1227,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_satype = proto2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 #ifdef __APPLE__
@@ -1391,7 +1352,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 }
 
 METHOD(kernel_ipsec_t, update_sa, status_t,
-	private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+	private_kernel_pfkey_ipsec_t *this, u_int32_t spi, u_int8_t protocol,
 	u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
 	bool encap, bool new_encap, mark_t mark)
 {
@@ -1419,7 +1380,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_GET;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_satype = proto2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1462,7 +1423,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_UPDATE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_satype = proto2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 #ifdef __APPLE__
@@ -1526,7 +1487,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 
 METHOD(kernel_ipsec_t, query_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
+	u_int32_t spi, u_int8_t protocol, mark_t mark, u_int64_t *bytes)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1541,7 +1502,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_GET;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_satype = proto2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1582,7 +1543,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 
 METHOD(kernel_ipsec_t, del_sa, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
-	u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
+	u_int32_t spi, u_int8_t protocol, u_int16_t cpi, mark_t mark)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1596,7 +1557,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 	msg = (struct sadb_msg*)request;
 	msg->sadb_msg_version = PF_KEY_V2;
 	msg->sadb_msg_type = SADB_DELETE;
-	msg->sadb_msg_satype = proto_ike2satype(protocol);
+	msg->sadb_msg_satype = proto2satype(protocol);
 	msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
 
 	sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
@@ -1632,9 +1593,8 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
 METHOD(kernel_ipsec_t, add_policy, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
 	traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
-	policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
-	u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
-	u_int16_t cpi, bool routed)
+	policy_dir_t direction, policy_type_t type, ipsec_sa_cfg_t *sa,
+	mark_t mark, bool routed)
 {
 	unsigned char request[PFKEY_BUFFER_SIZE];
 	struct sadb_msg *msg, *out;
@@ -1651,7 +1611,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	}
 
 	/* create a policy */
-	policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
+	policy = create_policy_entry(src_ts, dst_ts, direction, sa->reqid);
 
 	/* find a matching policy */
 	this->mutex->lock(this->mutex);
@@ -1700,13 +1660,13 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 	/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
 	req = (struct sadb_x_ipsecrequest*)(pol + 1);
-	req->sadb_x_ipsecrequest_proto = proto_ike2ip(protocol);
+	req->sadb_x_ipsecrequest_proto = sa->esp.use ? IPPROTO_ESP : IPPROTO_AH;
 	/* !!! the length of this struct MUST be in octets instead of 64 bit words */
 	req->sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest);
-	req->sadb_x_ipsecrequest_mode = mode2kernel(mode);
-	req->sadb_x_ipsecrequest_reqid = reqid;
+	req->sadb_x_ipsecrequest_mode = mode2kernel(sa->mode);
+	req->sadb_x_ipsecrequest_reqid = sa->reqid;
 	req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
-	if (mode == MODE_TUNNEL)
+	if (sa->mode == MODE_TUNNEL)
 	{
 		len = hostcpy(req + 1, src);
 		req->sadb_x_ipsecrequest_len += len;
@@ -1780,26 +1740,26 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	 * - routing is not disabled via strongswan.conf
 	 */
 	if (policy->route == NULL && direction == POLICY_FWD &&
-		mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
+		sa->mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6 &&
 		this->install_routes)
 	{
 		route_entry_t *route = malloc_thing(route_entry_t);
 
-		if (charon->kernel_interface->get_address_by_ts(charon->kernel_interface,
+		if (hydra->kernel_interface->get_address_by_ts(hydra->kernel_interface,
 				dst_ts, &route->src_ip) == SUCCESS)
 		{
 			/* get the nexthop to src (src as we are in POLICY_FWD).*/
-			route->gateway = charon->kernel_interface->get_nexthop(
-									charon->kernel_interface, src);
-			route->if_name = charon->kernel_interface->get_interface(
-									charon->kernel_interface, dst);
+			route->gateway = hydra->kernel_interface->get_nexthop(
+									hydra->kernel_interface, src);
+			route->if_name = hydra->kernel_interface->get_interface(
+									hydra->kernel_interface, dst);
 			route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
 			route->prefixlen = policy->src.mask;
 
 			if (route->if_name)
 			{
-				switch (charon->kernel_interface->add_route(
-									charon->kernel_interface, route->dst_net,
+				switch (hydra->kernel_interface->add_route(
+									hydra->kernel_interface, route->dst_net,
 									route->prefixlen, route->gateway,
 									route->src_ip, route->if_name))
 				{
@@ -2031,7 +1991,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 
 	if (route)
 	{
-		if (charon->kernel_interface->del_route(charon->kernel_interface,
+		if (hydra->kernel_interface->del_route(hydra->kernel_interface,
 				route->dst_net, route->prefixlen, route->gateway,
 				route->src_ip, route->if_name) != SUCCESS)
 		{
@@ -2154,26 +2114,34 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 	private_kernel_pfkey_ipsec_t *this;
 
 	INIT(this,
-		.public.interface = {
-			.get_spi = _get_spi,
-			.get_cpi = _get_cpi,
-			.add_sa  = _add_sa,
-			.update_sa = _update_sa,
-			.query_sa = _query_sa,
-			.del_sa = _del_sa,
-			.add_policy = _add_policy,
-			.query_policy = _query_policy,
-			.del_policy = _del_policy,
-			.bypass_socket = _bypass_socket,
-			.destroy = _destroy,
+		.public = {
+			.interface = {
+				.get_spi = _get_spi,
+				.get_cpi = _get_cpi,
+				.add_sa  = _add_sa,
+				.update_sa = _update_sa,
+				.query_sa = _query_sa,
+				.del_sa = _del_sa,
+				.add_policy = _add_policy,
+				.query_policy = _query_policy,
+				.del_policy = _del_policy,
+				.bypass_socket = _bypass_socket,
+				.destroy = _destroy,
+			},
 		},
 		.policies = linked_list_create(),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT),
 		.install_routes = lib->settings->get_bool(lib->settings,
-												"charon.install_routes", TRUE),
+												  "%s.install_routes", TRUE,
+												  hydra->daemon),
 	);
 
+	if (streq(hydra->daemon, "pluto"))
+	{	/* no routes for pluto, they are installed via updown script */
+		this->install_routes = FALSE;
+	}
+
 	/* create a PF_KEY socket to communicate with the kernel */
 	this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
 	if (this->socket <= 0)
@@ -2203,7 +2171,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
 
 	this->job = callback_job_create((callback_job_cb_t)receive_events,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
index 649f93733..649f93733 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index b84ccf150..781ba5008 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -18,7 +18,7 @@
 
 #include "kernel_pfkey_ipsec.h"
 
-#include <daemon.h>
+#include <hydra.h>
 
 typedef struct private_kernel_pfkey_plugin_t private_kernel_pfkey_plugin_t;
 
@@ -37,7 +37,8 @@ struct private_kernel_pfkey_plugin_t {
  */
 static void destroy(private_kernel_pfkey_plugin_t *this)
 {
-	charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
+	hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface,
+						(kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
 	free(this);
 }
 
@@ -50,7 +51,8 @@ plugin_t *kernel_pfkey_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	charon->kernel_interface->add_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
+	hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface,
+						(kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h
index ecccc6303..51db4d8d3 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_pfkey kernel_pfkey
- * @ingroup cplugins
+ * @ingroup hplugins
  *
  * @defgroup kernel_pfkey_plugin kernel_pfkey_plugin
  * @{ @ingroup kernel_pfkey
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.am b/src/libhydra/plugins/kernel_pfroute/Makefile.am
index 83db48160..df3109eb8 100644
--- a/src/libcharon/plugins/kernel_pfroute/Makefile.am
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.am
@@ -1,6 +1,6 @@
 
 INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+	-I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic
 
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index f78a97013..b0bc00c70 100644
--- a/src/libcharon/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -34,7 +34,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-subdir = src/libcharon/plugins/kernel_pfroute
+subdir = src/libhydra/plugins/kernel_pfroute
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -259,7 +275,7 @@ urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra -I$(top_srcdir)/src/libcharon
+	-I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic
 @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-kernel-pfroute.la
@@ -282,9 +298,9 @@ $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile'; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfroute/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/libcharon/plugins/kernel_pfroute/Makefile
+	  $(AUTOMAKE) --gnu src/libhydra/plugins/kernel_pfroute/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index 97c019b58..59fc915fd 100644
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -23,19 +23,19 @@
 
 #include "kernel_pfroute_net.h"
 
-#include <daemon.h>
+#include <hydra.h>
+#include <debug.h>
 #include <utils/host.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include <utils/linked_list.h>
 #include <processing/jobs/callback_job.h>
-#include <processing/jobs/roam_job.h>
 
 #ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
 #error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
 #endif
 
-/** delay before firing roam jobs (ms) */
+/** delay before firing roam events (ms) */
 #define ROAM_DELAY 100
 
 /** buffer size for PF_ROUTE messages */
@@ -145,18 +145,28 @@ struct private_kernel_pfroute_net_t
 	int seq;
 
 	/**
-	 * time of last roam job
+	 * time of last roam event
 	 */
 	timeval_t last_roam;
 };
 
 /**
- * Start a roaming job. We delay it a bit and fire only one job
- * for multiple events. Otherwise we would create too many jobs.
+ * callback function that raises the delayed roam event
  */
-static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
+static job_requeue_t roam_event(uintptr_t address)
+{
+	hydra->kernel_interface->roam(hydra->kernel_interface, address != 0);
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * fire a roaming event. we delay it for a bit and fire only one event
+ * for multiple calls. otherwise we would create too many events.
+ */
+static void fire_roam_event(private_kernel_pfroute_net_t *this, bool address)
 {
 	timeval_t now;
+	job_t *job;
 
 	time_monotonic(&now);
 	if (timercmp(&now, &this->last_roam, >))
@@ -168,8 +178,11 @@ static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
 			now.tv_usec -= 1000000;
 		}
 		this->last_roam = now;
-		charon->scheduler->schedule_job_ms(charon->scheduler,
-			(job_t*)roam_job_create(address), ROAM_DELAY);
+
+		job = (job_t*)callback_job_create((callback_job_cb_t)roam_event,
+										  (void*)(uintptr_t)(address ? 1 : 0),
+										  NULL, NULL);
+		lib->scheduler->schedule_job_ms(lib->scheduler, job, ROAM_DELAY);
 	}
 }
 
@@ -261,7 +274,7 @@ static void process_addr(private_kernel_pfroute_net_t *this,
 
 	if (roam)
 	{
-		fire_roam_job(this, TRUE);
+		fire_roam_event(this, TRUE);
 	}
 }
 
@@ -306,7 +319,7 @@ static void process_link(private_kernel_pfroute_net_t *this,
 
 	if (roam)
 	{
-		fire_roam_job(this, TRUE);
+		fire_roam_event(this, TRUE);
 	}
 }
 
@@ -716,7 +729,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 
 	this->job = callback_job_create((callback_job_cb_t)receive_events,
 									this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	if (init_address_list(this) != SUCCESS)
 	{
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h
index 10c3c9eb7..10c3c9eb7 100644
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.h
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.h
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
index 97139fb56..5f351bd72 100644
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -18,7 +18,7 @@
 
 #include "kernel_pfroute_net.h"
 
-#include <daemon.h>
+#include <hydra.h>
 
 typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
 
@@ -37,7 +37,7 @@ struct private_kernel_pfroute_plugin_t {
  */
 static void destroy(private_kernel_pfroute_plugin_t *this)
 {
-	charon->kernel_interface->remove_net_interface(charon->kernel_interface,
+	hydra->kernel_interface->remove_net_interface(hydra->kernel_interface,
 						(kernel_net_constructor_t)kernel_pfroute_net_create);
 	free(this);
 }
@@ -51,7 +51,7 @@ plugin_t *kernel_pfroute_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	charon->kernel_interface->add_net_interface(charon->kernel_interface,
+	hydra->kernel_interface->add_net_interface(hydra->kernel_interface,
 						(kernel_net_constructor_t)kernel_pfroute_net_create);
 
 	return &this->public.plugin;
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h
index 50642a572..b8ee31a1d 100644
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.h
@@ -15,7 +15,7 @@
 
 /**
  * @defgroup kernel_pfroute kernel_pfroute
- * @ingroup cplugins
+ * @ingroup hplugins
  *
  * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
  * @{ @ingroup kernel_pfroute
diff --git a/src/libhydra/plugins/resolve/Makefile.am b/src/libhydra/plugins/resolve/Makefile.am
index f8830d42e..a05c84061 100644
--- a/src/libhydra/plugins/resolve/Makefile.am
+++ b/src/libhydra/plugins/resolve/Makefile.am
@@ -1,6 +1,5 @@
 
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 
 AM_CFLAGS = -rdynamic \
 	-DRESOLV_CONF=\"${resolv_conf}\"
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index e16c66923..aedc8fdb7 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -257,9 +273,7 @@ top_srcdir = @top_srcdir@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
-
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra
 AM_CFLAGS = -rdynamic \
 	-DRESOLV_CONF=\"${resolv_conf}\"
 
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index d53df9bb2..0aa509acc 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -137,6 +138,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -168,14 +171,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -190,24 +196,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -215,7 +228,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index e0319e918..3a8f4beaf 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -741,6 +741,7 @@ static eap_payload_t* generate(private_simaka_message_t *this, chunk_t sigdata)
 
 		crypter = this->crypto->get_crypter(this->crypto);
 		bs = crypter->get_block_size(crypter);
+		iv.len = crypter->get_iv_size(crypter);
 
 		/* add AT_PADDING attribute */
 		padding = bs - ((sizeof(encr_buf) - encr.len) % bs);
@@ -757,15 +758,15 @@ static eap_payload_t* generate(private_simaka_message_t *this, chunk_t sigdata)
 		/* add IV attribute */
 		hdr = (attr_hdr_t*)out.ptr;
 		hdr->type = AT_IV;
-		hdr->length = bs / 4 + 1;
+		hdr->length = iv.len / 4 + 1;
 		memset(out.ptr + 2, 0, 2);
 		out = chunk_skip(out, 4);
 
 		rng = this->crypto->get_rng(this->crypto);
-		rng->get_bytes(rng, bs, out.ptr);
+		rng->get_bytes(rng, iv.len, out.ptr);
 
-		iv = chunk_clonea(chunk_create(out.ptr, bs));
-		out = chunk_skip(out, bs);
+		iv = chunk_clonea(chunk_create(out.ptr, iv.len));
+		out = chunk_skip(out, iv.len);
 
 		/* inline encryption */
 		crypter->encrypt(crypter, encr, iv, NULL);
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 1931dfa45..431543151 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -23,6 +23,7 @@ crypto/signers/signer.c crypto/signers/signer.h \
 crypto/crypto_factory.c crypto/crypto_factory.h \
 crypto/crypto_tester.c crypto/crypto_tester.h \
 crypto/diffie_hellman.c crypto/diffie_hellman.h \
+crypto/aead.c crypto/aead.h \
 crypto/transform.c crypto/transform.h \
 credentials/credential_factory.c credentials/credential_factory.h \
 credentials/builder.c credentials/builder.h \
@@ -43,10 +44,18 @@ credentials/credential_manager.c credentials/credential_manager.h \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
 credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
 credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+eap/eap.h eap/eap.c \
+plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h \
+processing/jobs/job.h \
+processing/jobs/callback_job.c processing/jobs/callback_job.h \
+processing/processor.c processing/processor.h \
+processing/scheduler.c processing/scheduler.h \
 selectors/traffic_selector.c selectors/traffic_selector.h \
 threading/thread.h threading/thread.c \
 threading/thread_value.h threading/thread_value.c \
@@ -62,8 +71,7 @@ utils/linked_list.c utils/linked_list.h \
 utils/hashtable.c utils/hashtable.h \
 utils/enumerator.c utils/enumerator.h \
 utils/optionsfrom.c utils/optionsfrom.h \
-utils/backtrace.c utils/backtrace.h \
-plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
+utils/backtrace.c utils/backtrace.h
 
 # adding the plugin source files
 
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 3678abd5d..2ab8aa636 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -21,6 +21,7 @@ crypto/signers/signer.c crypto/signers/signer.h \
 crypto/crypto_factory.c crypto/crypto_factory.h \
 crypto/crypto_tester.c crypto/crypto_tester.h \
 crypto/diffie_hellman.c crypto/diffie_hellman.h \
+crypto/aead.c crypto/aead.h \
 crypto/transform.c crypto/transform.h \
 credentials/credential_factory.c credentials/credential_factory.h \
 credentials/builder.c credentials/builder.h \
@@ -41,10 +42,18 @@ credentials/credential_manager.c credentials/credential_manager.h \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
 credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
+credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+credentials/sets/callback_cred.c credentials/sets/callback_cred.h \
 credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \
 credentials/cert_validator.h \
 database/database.h database/database_factory.h database/database_factory.c \
 fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+eap/eap.h eap/eap.c \
+plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h \
+processing/jobs/job.h \
+processing/jobs/callback_job.c processing/jobs/callback_job.h \
+processing/processor.c processing/processor.h \
+processing/scheduler.c processing/scheduler.h \
 selectors/traffic_selector.c selectors/traffic_selector.h \
 threading/thread.h threading/thread.c \
 threading/thread_value.h threading/thread_value.c \
@@ -60,8 +69,10 @@ utils/linked_list.c utils/linked_list.h \
 utils/hashtable.c utils/hashtable.h \
 utils/enumerator.c utils/enumerator.h \
 utils/optionsfrom.c utils/optionsfrom.h \
-utils/backtrace.c utils/backtrace.h \
-plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
+utils/backtrace.c utils/backtrace.h
+
+
+library.lo :	$(top_builddir)/config.status
 
 libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB)
 
@@ -314,6 +325,34 @@ if MONOLITHIC
 endif
 endif
 
+if USE_PKCS11
+  SUBDIRS += plugins/pkcs11
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/pkcs11/libstrongswan-pkcs11.la
+endif
+endif
+
+if USE_CTR
+  SUBDIRS += plugins/ctr
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/ctr/libstrongswan-ctr.la
+endif
+endif
+
+if USE_CCM
+  SUBDIRS += plugins/ccm
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/ccm/libstrongswan-ccm.la
+endif
+endif
+
+if USE_GCM
+  SUBDIRS += plugins/gcm
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/gcm/libstrongswan-gcm.la
+endif
+endif
+
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index b6dcf6be5..8be6dd9b8 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -98,8 +98,16 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_58 = plugins/fips_prf/libstrongswan-fips-prf.la
 @USE_AGENT_TRUE@am__append_59 = plugins/agent
 @MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_60 = plugins/agent/libstrongswan-agent.la
-@USE_TEST_VECTORS_TRUE@am__append_61 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_62 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_PKCS11_TRUE@am__append_61 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_62 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_63 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_64 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_65 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_66 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_67 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_68 = plugins/gcm/libstrongswan-gcm.la
+@USE_TEST_VECTORS_TRUE@am__append_69 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_70 = plugins/test_vectors/libstrongswan-test-vectors.la
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -110,6 +118,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -152,7 +161,8 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_42) $(am__append_44) $(am__append_46) \
 	$(am__append_48) $(am__append_50) $(am__append_52) \
 	$(am__append_54) $(am__append_56) $(am__append_58) \
-	$(am__append_60) $(am__append_62)
+	$(am__append_60) $(am__append_62) $(am__append_64) \
+	$(am__append_66) $(am__append_68) $(am__append_70)
 am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
 	printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \
@@ -166,7 +176,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	crypto/signers/signer.h crypto/crypto_factory.c \
 	crypto/crypto_factory.h crypto/crypto_tester.c \
 	crypto/crypto_tester.h crypto/diffie_hellman.c \
-	crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
+	crypto/diffie_hellman.h crypto/aead.c crypto/aead.h \
+	crypto/transform.c crypto/transform.h \
 	credentials/credential_factory.c \
 	credentials/credential_factory.h credentials/builder.c \
 	credentials/builder.h credentials/cred_encoding.c \
@@ -193,11 +204,19 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	credentials/sets/ocsp_response_wrapper.c \
 	credentials/sets/ocsp_response_wrapper.h \
 	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-	credentials/auth_cfg.c credentials/auth_cfg.h \
-	credentials/credential_set.h credentials/cert_validator.h \
-	database/database.h database/database_factory.h \
-	database/database_factory.c fetcher/fetcher.h \
-	fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+	credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+	credentials/sets/callback_cred.c \
+	credentials/sets/callback_cred.h credentials/auth_cfg.c \
+	credentials/auth_cfg.h credentials/credential_set.h \
+	credentials/cert_validator.h database/database.h \
+	database/database_factory.h database/database_factory.c \
+	fetcher/fetcher.h fetcher/fetcher_manager.h \
+	fetcher/fetcher_manager.c eap/eap.h eap/eap.c \
+	plugins/plugin_loader.c plugins/plugin_loader.h \
+	plugins/plugin.h processing/jobs/job.h \
+	processing/jobs/callback_job.c processing/jobs/callback_job.h \
+	processing/processor.c processing/processor.h \
+	processing/scheduler.c processing/scheduler.h \
 	selectors/traffic_selector.c selectors/traffic_selector.h \
 	threading/thread.h threading/thread.c threading/thread_value.h \
 	threading/thread_value.c threading/mutex.h threading/mutex.c \
@@ -208,27 +227,27 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
 	utils/linked_list.c utils/linked_list.h utils/hashtable.c \
 	utils/hashtable.h utils/enumerator.c utils/enumerator.h \
 	utils/optionsfrom.c utils/optionsfrom.h utils/backtrace.c \
-	utils/backtrace.h plugins/plugin_loader.c \
-	plugins/plugin_loader.h plugins/plugin.h \
-	utils/leak_detective.c utils/leak_detective.h \
-	integrity_checker.c integrity_checker.h
+	utils/backtrace.h utils/leak_detective.c \
+	utils/leak_detective.h integrity_checker.c integrity_checker.h
 @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo
 @USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
 am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
 	settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \
 	crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo prf.lo \
 	rng.lo prf_plus.lo signer.lo crypto_factory.lo \
-	crypto_tester.lo diffie_hellman.lo transform.lo \
+	crypto_tester.lo diffie_hellman.lo aead.lo transform.lo \
 	credential_factory.lo builder.lo cred_encoding.lo \
 	private_key.lo public_key.lo shared_key.lo certificate.lo \
 	x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \
 	credential_manager.lo auth_cfg_wrapper.lo \
-	ocsp_response_wrapper.lo cert_cache.lo auth_cfg.lo \
-	database_factory.lo fetcher_manager.lo traffic_selector.lo \
-	thread.lo thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \
+	ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \
+	callback_cred.lo auth_cfg.lo database_factory.lo \
+	fetcher_manager.lo eap.lo plugin_loader.lo callback_job.lo \
+	processor.lo scheduler.lo traffic_selector.lo thread.lo \
+	thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \
 	identification.lo lexparser.lo linked_list.lo hashtable.lo \
-	enumerator.lo optionsfrom.lo backtrace.lo plugin_loader.lo \
-	$(am__objects_1) $(am__objects_2)
+	enumerator.lo optionsfrom.lo backtrace.lo $(am__objects_1) \
+	$(am__objects_2)
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
 DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -265,8 +284,8 @@ DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \
 	plugins/revocation plugins/pubkey plugins/pkcs1 plugins/pgp \
 	plugins/dnskey plugins/pem plugins/curl plugins/ldap \
 	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
-	plugins/gcrypt plugins/fips_prf plugins/agent \
-	plugins/test_vectors
+	plugins/gcrypt plugins/fips_prf plugins/agent plugins/pkcs11 \
+	plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -358,6 +377,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -389,14 +410,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -411,24 +435,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -436,7 +467,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -462,7 +496,8 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	crypto/signers/signer.h crypto/crypto_factory.c \
 	crypto/crypto_factory.h crypto/crypto_tester.c \
 	crypto/crypto_tester.h crypto/diffie_hellman.c \
-	crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
+	crypto/diffie_hellman.h crypto/aead.c crypto/aead.h \
+	crypto/transform.c crypto/transform.h \
 	credentials/credential_factory.c \
 	credentials/credential_factory.h credentials/builder.c \
 	credentials/builder.h credentials/cred_encoding.c \
@@ -489,11 +524,19 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	credentials/sets/ocsp_response_wrapper.c \
 	credentials/sets/ocsp_response_wrapper.h \
 	credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
-	credentials/auth_cfg.c credentials/auth_cfg.h \
-	credentials/credential_set.h credentials/cert_validator.h \
-	database/database.h database/database_factory.h \
-	database/database_factory.c fetcher/fetcher.h \
-	fetcher/fetcher_manager.h fetcher/fetcher_manager.c \
+	credentials/sets/mem_cred.c credentials/sets/mem_cred.h \
+	credentials/sets/callback_cred.c \
+	credentials/sets/callback_cred.h credentials/auth_cfg.c \
+	credentials/auth_cfg.h credentials/credential_set.h \
+	credentials/cert_validator.h database/database.h \
+	database/database_factory.h database/database_factory.c \
+	fetcher/fetcher.h fetcher/fetcher_manager.h \
+	fetcher/fetcher_manager.c eap/eap.h eap/eap.c \
+	plugins/plugin_loader.c plugins/plugin_loader.h \
+	plugins/plugin.h processing/jobs/job.h \
+	processing/jobs/callback_job.c processing/jobs/callback_job.h \
+	processing/processor.c processing/processor.h \
+	processing/scheduler.c processing/scheduler.h \
 	selectors/traffic_selector.c selectors/traffic_selector.h \
 	threading/thread.h threading/thread.c threading/thread_value.h \
 	threading/thread_value.c threading/mutex.h threading/mutex.c \
@@ -504,9 +547,7 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
 	utils/linked_list.c utils/linked_list.h utils/hashtable.c \
 	utils/hashtable.h utils/enumerator.c utils/enumerator.h \
 	utils/optionsfrom.c utils/optionsfrom.h utils/backtrace.c \
-	utils/backtrace.h plugins/plugin_loader.c \
-	plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \
-	$(am__append_5)
+	utils/backtrace.h $(am__append_2) $(am__append_5)
 libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(RTLIB) $(am__append_6) $(am__append_8) $(am__append_10) \
 	$(am__append_12) $(am__append_14) $(am__append_16) \
@@ -517,7 +558,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_42) $(am__append_44) $(am__append_46) \
 	$(am__append_48) $(am__append_50) $(am__append_52) \
 	$(am__append_54) $(am__append_56) $(am__append_58) \
-	$(am__append_60) $(am__append_62)
+	$(am__append_60) $(am__append_62) $(am__append_64) \
+	$(am__append_66) $(am__append_68) $(am__append_70)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \
 	-DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \
@@ -548,7 +590,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
 @MONOLITHIC_FALSE@	$(am__append_47) $(am__append_49) \
 @MONOLITHIC_FALSE@	$(am__append_51) $(am__append_53) \
 @MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
-@MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61)
+@MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61) \
+@MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
+@MONOLITHIC_FALSE@	$(am__append_67) $(am__append_69)
 
 # build plugins with their own Makefile
 #######################################
@@ -565,7 +609,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
 @MONOLITHIC_TRUE@	$(am__append_47) $(am__append_49) \
 @MONOLITHIC_TRUE@	$(am__append_51) $(am__append_53) \
 @MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
-@MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61)
+@MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61) \
+@MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
+@MONOLITHIC_TRUE@	$(am__append_67) $(am__append_69)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
@@ -641,12 +687,15 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aead.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backtrace.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@
@@ -660,6 +709,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/database_factory.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/debug.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/diffie_hellman.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher_manager.Plo@am__quote@
@@ -673,6 +723,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/linked_list.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mem_cred.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mutex.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@
@@ -684,10 +735,12 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf_plus.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/printf_hook.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/processor.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_keywords.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/public_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rng.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rwlock.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/settings.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shared_key.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signer.Plo@am__quote@
@@ -817,6 +870,13 @@ diffie_hellman.lo: crypto/diffie_hellman.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
 
+aead.lo: crypto/aead.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aead.lo -MD -MP -MF $(DEPDIR)/aead.Tpo -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aead.Tpo $(DEPDIR)/aead.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/aead.c' object='aead.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aead.lo `test -f 'crypto/aead.c' || echo '$(srcdir)/'`crypto/aead.c
+
 transform.lo: crypto/transform.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform.lo -MD -MP -MF $(DEPDIR)/transform.Tpo -c -o transform.lo `test -f 'crypto/transform.c' || echo '$(srcdir)/'`crypto/transform.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/transform.Tpo $(DEPDIR)/transform.Plo
@@ -929,6 +989,20 @@ cert_cache.lo: credentials/sets/cert_cache.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c
 
+mem_cred.lo: credentials/sets/mem_cred.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT mem_cred.lo -MD -MP -MF $(DEPDIR)/mem_cred.Tpo -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/mem_cred.Tpo $(DEPDIR)/mem_cred.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/mem_cred.c' object='mem_cred.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o mem_cred.lo `test -f 'credentials/sets/mem_cred.c' || echo '$(srcdir)/'`credentials/sets/mem_cred.c
+
+callback_cred.lo: credentials/sets/callback_cred.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_cred.lo -MD -MP -MF $(DEPDIR)/callback_cred.Tpo -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_cred.Tpo $(DEPDIR)/callback_cred.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='credentials/sets/callback_cred.c' object='callback_cred.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_cred.lo `test -f 'credentials/sets/callback_cred.c' || echo '$(srcdir)/'`credentials/sets/callback_cred.c
+
 auth_cfg.lo: credentials/auth_cfg.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo
@@ -950,6 +1024,41 @@ fetcher_manager.lo: fetcher/fetcher_manager.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher_manager.lo `test -f 'fetcher/fetcher_manager.c' || echo '$(srcdir)/'`fetcher/fetcher_manager.c
 
+eap.lo: eap/eap.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap.lo -MD -MP -MF $(DEPDIR)/eap.Tpo -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/eap.Tpo $(DEPDIR)/eap.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='eap/eap.c' object='eap.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap.lo `test -f 'eap/eap.c' || echo '$(srcdir)/'`eap/eap.c
+
+plugin_loader.lo: plugins/plugin_loader.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
+
+callback_job.lo: processing/jobs/callback_job.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT callback_job.lo -MD -MP -MF $(DEPDIR)/callback_job.Tpo -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/callback_job.Tpo $(DEPDIR)/callback_job.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/jobs/callback_job.c' object='callback_job.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o callback_job.lo `test -f 'processing/jobs/callback_job.c' || echo '$(srcdir)/'`processing/jobs/callback_job.c
+
+processor.lo: processing/processor.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT processor.lo -MD -MP -MF $(DEPDIR)/processor.Tpo -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/processor.Tpo $(DEPDIR)/processor.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/processor.c' object='processor.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o processor.lo `test -f 'processing/processor.c' || echo '$(srcdir)/'`processing/processor.c
+
+scheduler.lo: processing/scheduler.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.lo -MD -MP -MF $(DEPDIR)/scheduler.Tpo -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/scheduler.Tpo $(DEPDIR)/scheduler.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='processing/scheduler.c' object='scheduler.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.lo `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
+
 traffic_selector.lo: selectors/traffic_selector.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.lo -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.lo `test -f 'selectors/traffic_selector.c' || echo '$(srcdir)/'`selectors/traffic_selector.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Plo
@@ -1041,13 +1150,6 @@ backtrace.lo: utils/backtrace.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backtrace.lo `test -f 'utils/backtrace.c' || echo '$(srcdir)/'`utils/backtrace.c
 
-plugin_loader.lo: plugins/plugin_loader.c
-@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT plugin_loader.lo -MD -MP -MF $(DEPDIR)/plugin_loader.Tpo -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/plugin_loader.Tpo $(DEPDIR)/plugin_loader.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='plugins/plugin_loader.c' object='plugin_loader.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o plugin_loader.lo `test -f 'plugins/plugin_loader.c' || echo '$(srcdir)/'`plugins/plugin_loader.c
-
 leak_detective.lo: utils/leak_detective.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo
@@ -1383,6 +1485,8 @@ uninstall-am: uninstall-libLTLIBRARIES
 	uninstall-libLTLIBRARIES
 
 
+library.lo :	$(top_builddir)/config.status
+
 $(srcdir)/asn1/oid.c :	$(srcdir)/asn1/oid.pl $(srcdir)/asn1/oid.txt
 		(cd $(srcdir)/asn1/ && $(PERL) oid.pl)
 
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 8f91a2e2b..1e5dec8a5 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -171,12 +171,12 @@ const oid_t oid_names[] = {
  {              0x02,       159, 0,  7, "ecdsa-with-SHA256"         }, /* 158 */
  {              0x03,       160, 0,  7, "ecdsa-with-SHA384"         }, /* 159 */
  {              0x04,         0, 0,  7, "ecdsa-with-SHA512"         }, /* 160 */
- {0x2B,                     307, 1,  0, ""                          }, /* 161 */
- {  0x06,                   221, 1,  1, "dod"                       }, /* 162 */
+ {0x2B,                     309, 1,  0, ""                          }, /* 161 */
+ {  0x06,                   223, 1,  1, "dod"                       }, /* 162 */
  {    0x01,                   0, 1,  2, "internet"                  }, /* 163 */
- {      0x04,               182, 1,  3, "private"                   }, /* 164 */
+ {      0x04,               183, 1,  3, "private"                   }, /* 164 */
  {        0x01,               0, 1,  4, "enterprise"                }, /* 165 */
- {          0x82,           175, 1,  5, ""                          }, /* 166 */
+ {          0x82,           176, 1,  5, ""                          }, /* 166 */
  {            0x37,           0, 1,  6, "Microsoft"                 }, /* 167 */
  {              0x0A,       172, 1,  7, ""                          }, /* 168 */
  {                0x03,       0, 1,  8, ""                          }, /* 169 */
@@ -184,184 +184,186 @@ const oid_t oid_names[] = {
  {                  0x04,     0, 0,  9, "msEncryptingFileSystem"    }, /* 171 */
  {              0x14,         0, 1,  7, "msEnrollmentInfrastructure"}, /* 172 */
  {                0x02,       0, 1,  8, "msCertificateTypeExtension"}, /* 173 */
- {                  0x02,     0, 0,  9, "msSmartcardLogon"          }, /* 174 */
- {          0x89,             0, 1,  5, ""                          }, /* 175 */
- {            0x31,           0, 1,  6, ""                          }, /* 176 */
- {              0x01,         0, 1,  7, ""                          }, /* 177 */
- {                0x01,       0, 1,  8, ""                          }, /* 178 */
- {                  0x02,     0, 1,  9, ""                          }, /* 179 */
- {                    0x02, 181, 0, 10, ""                          }, /* 180 */
- {                    0x4B,   0, 0, 10, "TCGID"                     }, /* 181 */
- {      0x05,                 0, 1,  3, "security"                  }, /* 182 */
- {        0x05,               0, 1,  4, "mechanisms"                }, /* 183 */
- {          0x07,             0, 1,  5, "id-pkix"                   }, /* 184 */
- {            0x01,         188, 1,  6, "id-pe"                     }, /* 185 */
- {              0x01,       187, 0,  7, "authorityInfoAccess"       }, /* 186 */
- {              0x07,         0, 0,  7, "ipAddrBlocks"              }, /* 187 */
- {            0x02,         191, 1,  6, "id-qt"                     }, /* 188 */
- {              0x01,       190, 0,  7, "cps"                       }, /* 189 */
- {              0x02,         0, 0,  7, "unotice"                   }, /* 190 */
- {            0x03,         201, 1,  6, "id-kp"                     }, /* 191 */
- {              0x01,       193, 0,  7, "serverAuth"                }, /* 192 */
- {              0x02,       194, 0,  7, "clientAuth"                }, /* 193 */
- {              0x03,       195, 0,  7, "codeSigning"               }, /* 194 */
- {              0x04,       196, 0,  7, "emailProtection"           }, /* 195 */
- {              0x05,       197, 0,  7, "ipsecEndSystem"            }, /* 196 */
- {              0x06,       198, 0,  7, "ipsecTunnel"               }, /* 197 */
- {              0x07,       199, 0,  7, "ipsecUser"                 }, /* 198 */
- {              0x08,       200, 0,  7, "timeStamping"              }, /* 199 */
- {              0x09,         0, 0,  7, "ocspSigning"               }, /* 200 */
- {            0x08,         203, 1,  6, "id-otherNames"             }, /* 201 */
- {              0x05,         0, 0,  7, "xmppAddr"                  }, /* 202 */
- {            0x0A,         208, 1,  6, "id-aca"                    }, /* 203 */
- {              0x01,       205, 0,  7, "authenticationInfo"        }, /* 204 */
- {              0x02,       206, 0,  7, "accessIdentity"            }, /* 205 */
- {              0x03,       207, 0,  7, "chargingIdentity"          }, /* 206 */
- {              0x04,         0, 0,  7, "group"                     }, /* 207 */
- {            0x0B,         209, 0,  6, "subjectInfoAccess"         }, /* 208 */
- {            0x30,           0, 1,  6, "id-ad"                     }, /* 209 */
- {              0x01,       218, 1,  7, "ocsp"                      }, /* 210 */
- {                0x01,     212, 0,  8, "basic"                     }, /* 211 */
- {                0x02,     213, 0,  8, "nonce"                     }, /* 212 */
- {                0x03,     214, 0,  8, "crl"                       }, /* 213 */
- {                0x04,     215, 0,  8, "response"                  }, /* 214 */
- {                0x05,     216, 0,  8, "noCheck"                   }, /* 215 */
- {                0x06,     217, 0,  8, "archiveCutoff"             }, /* 216 */
- {                0x07,       0, 0,  8, "serviceLocator"            }, /* 217 */
- {              0x02,       219, 0,  7, "caIssuers"                 }, /* 218 */
- {              0x03,       220, 0,  7, "timeStamping"              }, /* 219 */
- {              0x05,         0, 0,  7, "caRepository"              }, /* 220 */
- {  0x0E,                   227, 1,  1, "oiw"                       }, /* 221 */
- {    0x03,                   0, 1,  2, "secsig"                    }, /* 222 */
- {      0x02,                 0, 1,  3, "algorithms"                }, /* 223 */
- {        0x07,             225, 0,  4, "des-cbc"                   }, /* 224 */
- {        0x1A,             226, 0,  4, "sha-1"                     }, /* 225 */
- {        0x1D,               0, 0,  4, "sha-1WithRSASignature"     }, /* 226 */
- {  0x24,                   273, 1,  1, "TeleTrusT"                 }, /* 227 */
- {    0x03,                   0, 1,  2, "algorithm"                 }, /* 228 */
- {      0x03,                 0, 1,  3, "signatureAlgorithm"        }, /* 229 */
- {        0x01,             234, 1,  4, "rsaSignature"              }, /* 230 */
- {          0x02,           232, 0,  5, "rsaSigWithripemd160"       }, /* 231 */
- {          0x03,           233, 0,  5, "rsaSigWithripemd128"       }, /* 232 */
- {          0x04,             0, 0,  5, "rsaSigWithripemd256"       }, /* 233 */
- {        0x02,               0, 1,  4, "ecSign"                    }, /* 234 */
- {          0x01,           236, 0,  5, "ecSignWithsha1"            }, /* 235 */
- {          0x02,           237, 0,  5, "ecSignWithripemd160"       }, /* 236 */
- {          0x03,           238, 0,  5, "ecSignWithmd2"             }, /* 237 */
- {          0x04,           239, 0,  5, "ecSignWithmd5"             }, /* 238 */
- {          0x05,           256, 1,  5, "ttt-ecg"                   }, /* 239 */
- {            0x01,         244, 1,  6, "fieldType"                 }, /* 240 */
- {              0x01,         0, 1,  7, "characteristictwoField"    }, /* 241 */
- {                0x01,       0, 1,  8, "basisType"                 }, /* 242 */
- {                  0x01,     0, 0,  9, "ipBasis"                   }, /* 243 */
- {            0x02,         246, 1,  6, "keyType"                   }, /* 244 */
- {              0x01,         0, 0,  7, "ecgPublicKey"              }, /* 245 */
- {            0x03,         247, 0,  6, "curve"                     }, /* 246 */
- {            0x04,         254, 1,  6, "signatures"                }, /* 247 */
- {              0x01,       249, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 248 */
- {              0x02,       250, 0,  7, "ecgdsa-with-SHA1"          }, /* 249 */
- {              0x03,       251, 0,  7, "ecgdsa-with-SHA224"        }, /* 250 */
- {              0x04,       252, 0,  7, "ecgdsa-with-SHA256"        }, /* 251 */
- {              0x05,       253, 0,  7, "ecgdsa-with-SHA384"        }, /* 252 */
- {              0x06,         0, 0,  7, "ecgdsa-with-SHA512"        }, /* 253 */
- {            0x05,           0, 1,  6, "module"                    }, /* 254 */
- {              0x01,         0, 0,  7, "1"                         }, /* 255 */
- {          0x08,             0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 256 */
- {            0x01,           0, 1,  6, "ellipticCurve"             }, /* 257 */
- {              0x01,         0, 1,  7, "versionOne"                }, /* 258 */
- {                0x01,     260, 0,  8, "brainpoolP160r1"           }, /* 259 */
- {                0x02,     261, 0,  8, "brainpoolP160t1"           }, /* 260 */
- {                0x03,     262, 0,  8, "brainpoolP192r1"           }, /* 261 */
- {                0x04,     263, 0,  8, "brainpoolP192t1"           }, /* 262 */
- {                0x05,     264, 0,  8, "brainpoolP224r1"           }, /* 263 */
- {                0x06,     265, 0,  8, "brainpoolP224t1"           }, /* 264 */
- {                0x07,     266, 0,  8, "brainpoolP256r1"           }, /* 265 */
- {                0x08,     267, 0,  8, "brainpoolP256t1"           }, /* 266 */
- {                0x09,     268, 0,  8, "brainpoolP320r1"           }, /* 267 */
- {                0x0A,     269, 0,  8, "brainpoolP320t1"           }, /* 268 */
- {                0x0B,     270, 0,  8, "brainpoolP384r1"           }, /* 269 */
- {                0x0C,     271, 0,  8, "brainpoolP384t1"           }, /* 270 */
- {                0x0D,     272, 0,  8, "brainpoolP512r1"           }, /* 271 */
- {                0x0E,       0, 0,  8, "brainpoolP512t1"           }, /* 272 */
- {  0x81,                     0, 1,  1, ""                          }, /* 273 */
- {    0x04,                   0, 1,  2, "Certicom"                  }, /* 274 */
- {      0x00,                 0, 1,  3, "curve"                     }, /* 275 */
- {        0x01,             277, 0,  4, "sect163k1"                 }, /* 276 */
- {        0x02,             278, 0,  4, "sect163r1"                 }, /* 277 */
- {        0x03,             279, 0,  4, "sect239k1"                 }, /* 278 */
- {        0x04,             280, 0,  4, "sect113r1"                 }, /* 279 */
- {        0x05,             281, 0,  4, "sect113r2"                 }, /* 280 */
- {        0x06,             282, 0,  4, "secp112r1"                 }, /* 281 */
- {        0x07,             283, 0,  4, "secp112r2"                 }, /* 282 */
- {        0x08,             284, 0,  4, "secp160r1"                 }, /* 283 */
- {        0x09,             285, 0,  4, "secp160k1"                 }, /* 284 */
- {        0x0A,             286, 0,  4, "secp256k1"                 }, /* 285 */
- {        0x0F,             287, 0,  4, "sect163r2"                 }, /* 286 */
- {        0x10,             288, 0,  4, "sect283k1"                 }, /* 287 */
- {        0x11,             289, 0,  4, "sect283r1"                 }, /* 288 */
- {        0x16,             290, 0,  4, "sect131r1"                 }, /* 289 */
- {        0x17,             291, 0,  4, "sect131r2"                 }, /* 290 */
- {        0x18,             292, 0,  4, "sect193r1"                 }, /* 291 */
- {        0x19,             293, 0,  4, "sect193r2"                 }, /* 292 */
- {        0x1A,             294, 0,  4, "sect233k1"                 }, /* 293 */
- {        0x1B,             295, 0,  4, "sect233r1"                 }, /* 294 */
- {        0x1C,             296, 0,  4, "secp128r1"                 }, /* 295 */
- {        0x1D,             297, 0,  4, "secp128r2"                 }, /* 296 */
- {        0x1E,             298, 0,  4, "secp160r2"                 }, /* 297 */
- {        0x1F,             299, 0,  4, "secp192k1"                 }, /* 298 */
- {        0x20,             300, 0,  4, "secp224k1"                 }, /* 299 */
- {        0x21,             301, 0,  4, "secp224r1"                 }, /* 300 */
- {        0x22,             302, 0,  4, "secp384r1"                 }, /* 301 */
- {        0x23,             303, 0,  4, "secp521r1"                 }, /* 302 */
- {        0x24,             304, 0,  4, "sect409k1"                 }, /* 303 */
- {        0x25,             305, 0,  4, "sect409r1"                 }, /* 304 */
- {        0x26,             306, 0,  4, "sect571k1"                 }, /* 305 */
- {        0x27,               0, 0,  4, "sect571r1"                 }, /* 306 */
- {0x60,                       0, 1,  0, ""                          }, /* 307 */
- {  0x86,                     0, 1,  1, ""                          }, /* 308 */
- {    0x48,                   0, 1,  2, ""                          }, /* 309 */
- {      0x01,                 0, 1,  3, "organization"              }, /* 310 */
- {        0x65,             329, 1,  4, "gov"                       }, /* 311 */
- {          0x03,             0, 1,  5, "csor"                      }, /* 312 */
- {            0x04,           0, 1,  6, "nistalgorithm"             }, /* 313 */
- {              0x01,       324, 1,  7, "aes"                       }, /* 314 */
- {                0x02,     316, 0,  8, "id-aes128-CBC"             }, /* 315 */
- {                0x06,     317, 0,  8, "id-aes128-GCM"             }, /* 316 */
- {                0x07,     318, 0,  8, "id-aes128-CCM"             }, /* 317 */
- {                0x16,     319, 0,  8, "id-aes192-CBC"             }, /* 318 */
- {                0x1A,     320, 0,  8, "id-aes192-GCM"             }, /* 319 */
- {                0x1B,     321, 0,  8, "id-aes192-CCM"             }, /* 320 */
- {                0x2A,     322, 0,  8, "id-aes256-CBC"             }, /* 321 */
- {                0x2E,     323, 0,  8, "id-aes256-GCM"             }, /* 322 */
- {                0x2F,       0, 0,  8, "id-aes256-CCM"             }, /* 323 */
- {              0x02,         0, 1,  7, "hashalgs"                  }, /* 324 */
- {                0x01,     326, 0,  8, "id-SHA-256"                }, /* 325 */
- {                0x02,     327, 0,  8, "id-SHA-384"                }, /* 326 */
- {                0x03,     328, 0,  8, "id-SHA-512"                }, /* 327 */
- {                0x04,       0, 0,  8, "id-SHA-224"                }, /* 328 */
- {        0x86,               0, 1,  4, ""                          }, /* 329 */
- {          0xf8,             0, 1,  5, ""                          }, /* 330 */
- {            0x42,         343, 1,  6, "netscape"                  }, /* 331 */
- {              0x01,       338, 1,  7, ""                          }, /* 332 */
- {                0x01,     334, 0,  8, "nsCertType"                }, /* 333 */
- {                0x03,     335, 0,  8, "nsRevocationUrl"           }, /* 334 */
- {                0x04,     336, 0,  8, "nsCaRevocationUrl"         }, /* 335 */
- {                0x08,     337, 0,  8, "nsCaPolicyUrl"             }, /* 336 */
- {                0x0d,       0, 0,  8, "nsComment"                 }, /* 337 */
- {              0x03,       341, 1,  7, "directory"                 }, /* 338 */
- {                0x01,       0, 1,  8, ""                          }, /* 339 */
- {                  0x03,     0, 0,  9, "employeeNumber"            }, /* 340 */
- {              0x04,         0, 1,  7, "policy"                    }, /* 341 */
- {                0x01,       0, 0,  8, "nsSGC"                     }, /* 342 */
- {            0x45,           0, 1,  6, "verisign"                  }, /* 343 */
- {              0x01,         0, 1,  7, "pki"                       }, /* 344 */
- {                0x09,       0, 1,  8, "attributes"                }, /* 345 */
- {                  0x02,   347, 0,  9, "messageType"               }, /* 346 */
- {                  0x03,   348, 0,  9, "pkiStatus"                 }, /* 347 */
- {                  0x04,   349, 0,  9, "failInfo"                  }, /* 348 */
- {                  0x05,   350, 0,  9, "senderNonce"               }, /* 349 */
- {                  0x06,   351, 0,  9, "recipientNonce"            }, /* 350 */
- {                  0x07,   352, 0,  9, "transID"                   }, /* 351 */
- {                  0x08,   353, 0,  9, "extensionReq"              }, /* 352 */
- {                  0x08,     0, 0,  9, "extensionReq"              }  /* 353 */
+ {                  0x02,   175, 0,  9, "msSmartcardLogon"          }, /* 174 */
+ {                  0x03,     0, 0,  9, "msUPN"                     }, /* 175 */
+ {          0x89,             0, 1,  5, ""                          }, /* 176 */
+ {            0x31,           0, 1,  6, ""                          }, /* 177 */
+ {              0x01,         0, 1,  7, ""                          }, /* 178 */
+ {                0x01,       0, 1,  8, ""                          }, /* 179 */
+ {                  0x02,     0, 1,  9, ""                          }, /* 180 */
+ {                    0x02, 182, 0, 10, ""                          }, /* 181 */
+ {                    0x4B,   0, 0, 10, "TCGID"                     }, /* 182 */
+ {      0x05,                 0, 1,  3, "security"                  }, /* 183 */
+ {        0x05,               0, 1,  4, "mechanisms"                }, /* 184 */
+ {          0x07,             0, 1,  5, "id-pkix"                   }, /* 185 */
+ {            0x01,         190, 1,  6, "id-pe"                     }, /* 186 */
+ {              0x01,       188, 0,  7, "authorityInfoAccess"       }, /* 187 */
+ {              0x03,       189, 0,  7, "qcStatements"              }, /* 188 */
+ {              0x07,         0, 0,  7, "ipAddrBlocks"              }, /* 189 */
+ {            0x02,         193, 1,  6, "id-qt"                     }, /* 190 */
+ {              0x01,       192, 0,  7, "cps"                       }, /* 191 */
+ {              0x02,         0, 0,  7, "unotice"                   }, /* 192 */
+ {            0x03,         203, 1,  6, "id-kp"                     }, /* 193 */
+ {              0x01,       195, 0,  7, "serverAuth"                }, /* 194 */
+ {              0x02,       196, 0,  7, "clientAuth"                }, /* 195 */
+ {              0x03,       197, 0,  7, "codeSigning"               }, /* 196 */
+ {              0x04,       198, 0,  7, "emailProtection"           }, /* 197 */
+ {              0x05,       199, 0,  7, "ipsecEndSystem"            }, /* 198 */
+ {              0x06,       200, 0,  7, "ipsecTunnel"               }, /* 199 */
+ {              0x07,       201, 0,  7, "ipsecUser"                 }, /* 200 */
+ {              0x08,       202, 0,  7, "timeStamping"              }, /* 201 */
+ {              0x09,         0, 0,  7, "ocspSigning"               }, /* 202 */
+ {            0x08,         205, 1,  6, "id-otherNames"             }, /* 203 */
+ {              0x05,         0, 0,  7, "xmppAddr"                  }, /* 204 */
+ {            0x0A,         210, 1,  6, "id-aca"                    }, /* 205 */
+ {              0x01,       207, 0,  7, "authenticationInfo"        }, /* 206 */
+ {              0x02,       208, 0,  7, "accessIdentity"            }, /* 207 */
+ {              0x03,       209, 0,  7, "chargingIdentity"          }, /* 208 */
+ {              0x04,         0, 0,  7, "group"                     }, /* 209 */
+ {            0x0B,         211, 0,  6, "subjectInfoAccess"         }, /* 210 */
+ {            0x30,           0, 1,  6, "id-ad"                     }, /* 211 */
+ {              0x01,       220, 1,  7, "ocsp"                      }, /* 212 */
+ {                0x01,     214, 0,  8, "basic"                     }, /* 213 */
+ {                0x02,     215, 0,  8, "nonce"                     }, /* 214 */
+ {                0x03,     216, 0,  8, "crl"                       }, /* 215 */
+ {                0x04,     217, 0,  8, "response"                  }, /* 216 */
+ {                0x05,     218, 0,  8, "noCheck"                   }, /* 217 */
+ {                0x06,     219, 0,  8, "archiveCutoff"             }, /* 218 */
+ {                0x07,       0, 0,  8, "serviceLocator"            }, /* 219 */
+ {              0x02,       221, 0,  7, "caIssuers"                 }, /* 220 */
+ {              0x03,       222, 0,  7, "timeStamping"              }, /* 221 */
+ {              0x05,         0, 0,  7, "caRepository"              }, /* 222 */
+ {  0x0E,                   229, 1,  1, "oiw"                       }, /* 223 */
+ {    0x03,                   0, 1,  2, "secsig"                    }, /* 224 */
+ {      0x02,                 0, 1,  3, "algorithms"                }, /* 225 */
+ {        0x07,             227, 0,  4, "des-cbc"                   }, /* 226 */
+ {        0x1A,             228, 0,  4, "sha-1"                     }, /* 227 */
+ {        0x1D,               0, 0,  4, "sha-1WithRSASignature"     }, /* 228 */
+ {  0x24,                   275, 1,  1, "TeleTrusT"                 }, /* 229 */
+ {    0x03,                   0, 1,  2, "algorithm"                 }, /* 230 */
+ {      0x03,                 0, 1,  3, "signatureAlgorithm"        }, /* 231 */
+ {        0x01,             236, 1,  4, "rsaSignature"              }, /* 232 */
+ {          0x02,           234, 0,  5, "rsaSigWithripemd160"       }, /* 233 */
+ {          0x03,           235, 0,  5, "rsaSigWithripemd128"       }, /* 234 */
+ {          0x04,             0, 0,  5, "rsaSigWithripemd256"       }, /* 235 */
+ {        0x02,               0, 1,  4, "ecSign"                    }, /* 236 */
+ {          0x01,           238, 0,  5, "ecSignWithsha1"            }, /* 237 */
+ {          0x02,           239, 0,  5, "ecSignWithripemd160"       }, /* 238 */
+ {          0x03,           240, 0,  5, "ecSignWithmd2"             }, /* 239 */
+ {          0x04,           241, 0,  5, "ecSignWithmd5"             }, /* 240 */
+ {          0x05,           258, 1,  5, "ttt-ecg"                   }, /* 241 */
+ {            0x01,         246, 1,  6, "fieldType"                 }, /* 242 */
+ {              0x01,         0, 1,  7, "characteristictwoField"    }, /* 243 */
+ {                0x01,       0, 1,  8, "basisType"                 }, /* 244 */
+ {                  0x01,     0, 0,  9, "ipBasis"                   }, /* 245 */
+ {            0x02,         248, 1,  6, "keyType"                   }, /* 246 */
+ {              0x01,         0, 0,  7, "ecgPublicKey"              }, /* 247 */
+ {            0x03,         249, 0,  6, "curve"                     }, /* 248 */
+ {            0x04,         256, 1,  6, "signatures"                }, /* 249 */
+ {              0x01,       251, 0,  7, "ecgdsa-with-RIPEMD160"     }, /* 250 */
+ {              0x02,       252, 0,  7, "ecgdsa-with-SHA1"          }, /* 251 */
+ {              0x03,       253, 0,  7, "ecgdsa-with-SHA224"        }, /* 252 */
+ {              0x04,       254, 0,  7, "ecgdsa-with-SHA256"        }, /* 253 */
+ {              0x05,       255, 0,  7, "ecgdsa-with-SHA384"        }, /* 254 */
+ {              0x06,         0, 0,  7, "ecgdsa-with-SHA512"        }, /* 255 */
+ {            0x05,           0, 1,  6, "module"                    }, /* 256 */
+ {              0x01,         0, 0,  7, "1"                         }, /* 257 */
+ {          0x08,             0, 1,  5, "ecStdCurvesAndGeneration"  }, /* 258 */
+ {            0x01,           0, 1,  6, "ellipticCurve"             }, /* 259 */
+ {              0x01,         0, 1,  7, "versionOne"                }, /* 260 */
+ {                0x01,     262, 0,  8, "brainpoolP160r1"           }, /* 261 */
+ {                0x02,     263, 0,  8, "brainpoolP160t1"           }, /* 262 */
+ {                0x03,     264, 0,  8, "brainpoolP192r1"           }, /* 263 */
+ {                0x04,     265, 0,  8, "brainpoolP192t1"           }, /* 264 */
+ {                0x05,     266, 0,  8, "brainpoolP224r1"           }, /* 265 */
+ {                0x06,     267, 0,  8, "brainpoolP224t1"           }, /* 266 */
+ {                0x07,     268, 0,  8, "brainpoolP256r1"           }, /* 267 */
+ {                0x08,     269, 0,  8, "brainpoolP256t1"           }, /* 268 */
+ {                0x09,     270, 0,  8, "brainpoolP320r1"           }, /* 269 */
+ {                0x0A,     271, 0,  8, "brainpoolP320t1"           }, /* 270 */
+ {                0x0B,     272, 0,  8, "brainpoolP384r1"           }, /* 271 */
+ {                0x0C,     273, 0,  8, "brainpoolP384t1"           }, /* 272 */
+ {                0x0D,     274, 0,  8, "brainpoolP512r1"           }, /* 273 */
+ {                0x0E,       0, 0,  8, "brainpoolP512t1"           }, /* 274 */
+ {  0x81,                     0, 1,  1, ""                          }, /* 275 */
+ {    0x04,                   0, 1,  2, "Certicom"                  }, /* 276 */
+ {      0x00,                 0, 1,  3, "curve"                     }, /* 277 */
+ {        0x01,             279, 0,  4, "sect163k1"                 }, /* 278 */
+ {        0x02,             280, 0,  4, "sect163r1"                 }, /* 279 */
+ {        0x03,             281, 0,  4, "sect239k1"                 }, /* 280 */
+ {        0x04,             282, 0,  4, "sect113r1"                 }, /* 281 */
+ {        0x05,             283, 0,  4, "sect113r2"                 }, /* 282 */
+ {        0x06,             284, 0,  4, "secp112r1"                 }, /* 283 */
+ {        0x07,             285, 0,  4, "secp112r2"                 }, /* 284 */
+ {        0x08,             286, 0,  4, "secp160r1"                 }, /* 285 */
+ {        0x09,             287, 0,  4, "secp160k1"                 }, /* 286 */
+ {        0x0A,             288, 0,  4, "secp256k1"                 }, /* 287 */
+ {        0x0F,             289, 0,  4, "sect163r2"                 }, /* 288 */
+ {        0x10,             290, 0,  4, "sect283k1"                 }, /* 289 */
+ {        0x11,             291, 0,  4, "sect283r1"                 }, /* 290 */
+ {        0x16,             292, 0,  4, "sect131r1"                 }, /* 291 */
+ {        0x17,             293, 0,  4, "sect131r2"                 }, /* 292 */
+ {        0x18,             294, 0,  4, "sect193r1"                 }, /* 293 */
+ {        0x19,             295, 0,  4, "sect193r2"                 }, /* 294 */
+ {        0x1A,             296, 0,  4, "sect233k1"                 }, /* 295 */
+ {        0x1B,             297, 0,  4, "sect233r1"                 }, /* 296 */
+ {        0x1C,             298, 0,  4, "secp128r1"                 }, /* 297 */
+ {        0x1D,             299, 0,  4, "secp128r2"                 }, /* 298 */
+ {        0x1E,             300, 0,  4, "secp160r2"                 }, /* 299 */
+ {        0x1F,             301, 0,  4, "secp192k1"                 }, /* 300 */
+ {        0x20,             302, 0,  4, "secp224k1"                 }, /* 301 */
+ {        0x21,             303, 0,  4, "secp224r1"                 }, /* 302 */
+ {        0x22,             304, 0,  4, "secp384r1"                 }, /* 303 */
+ {        0x23,             305, 0,  4, "secp521r1"                 }, /* 304 */
+ {        0x24,             306, 0,  4, "sect409k1"                 }, /* 305 */
+ {        0x25,             307, 0,  4, "sect409r1"                 }, /* 306 */
+ {        0x26,             308, 0,  4, "sect571k1"                 }, /* 307 */
+ {        0x27,               0, 0,  4, "sect571r1"                 }, /* 308 */
+ {0x60,                       0, 1,  0, ""                          }, /* 309 */
+ {  0x86,                     0, 1,  1, ""                          }, /* 310 */
+ {    0x48,                   0, 1,  2, ""                          }, /* 311 */
+ {      0x01,                 0, 1,  3, "organization"              }, /* 312 */
+ {        0x65,             331, 1,  4, "gov"                       }, /* 313 */
+ {          0x03,             0, 1,  5, "csor"                      }, /* 314 */
+ {            0x04,           0, 1,  6, "nistalgorithm"             }, /* 315 */
+ {              0x01,       326, 1,  7, "aes"                       }, /* 316 */
+ {                0x02,     318, 0,  8, "id-aes128-CBC"             }, /* 317 */
+ {                0x06,     319, 0,  8, "id-aes128-GCM"             }, /* 318 */
+ {                0x07,     320, 0,  8, "id-aes128-CCM"             }, /* 319 */
+ {                0x16,     321, 0,  8, "id-aes192-CBC"             }, /* 320 */
+ {                0x1A,     322, 0,  8, "id-aes192-GCM"             }, /* 321 */
+ {                0x1B,     323, 0,  8, "id-aes192-CCM"             }, /* 322 */
+ {                0x2A,     324, 0,  8, "id-aes256-CBC"             }, /* 323 */
+ {                0x2E,     325, 0,  8, "id-aes256-GCM"             }, /* 324 */
+ {                0x2F,       0, 0,  8, "id-aes256-CCM"             }, /* 325 */
+ {              0x02,         0, 1,  7, "hashalgs"                  }, /* 326 */
+ {                0x01,     328, 0,  8, "id-SHA-256"                }, /* 327 */
+ {                0x02,     329, 0,  8, "id-SHA-384"                }, /* 328 */
+ {                0x03,     330, 0,  8, "id-SHA-512"                }, /* 329 */
+ {                0x04,       0, 0,  8, "id-SHA-224"                }, /* 330 */
+ {        0x86,               0, 1,  4, ""                          }, /* 331 */
+ {          0xf8,             0, 1,  5, ""                          }, /* 332 */
+ {            0x42,         345, 1,  6, "netscape"                  }, /* 333 */
+ {              0x01,       340, 1,  7, ""                          }, /* 334 */
+ {                0x01,     336, 0,  8, "nsCertType"                }, /* 335 */
+ {                0x03,     337, 0,  8, "nsRevocationUrl"           }, /* 336 */
+ {                0x04,     338, 0,  8, "nsCaRevocationUrl"         }, /* 337 */
+ {                0x08,     339, 0,  8, "nsCaPolicyUrl"             }, /* 338 */
+ {                0x0d,       0, 0,  8, "nsComment"                 }, /* 339 */
+ {              0x03,       343, 1,  7, "directory"                 }, /* 340 */
+ {                0x01,       0, 1,  8, ""                          }, /* 341 */
+ {                  0x03,     0, 0,  9, "employeeNumber"            }, /* 342 */
+ {              0x04,         0, 1,  7, "policy"                    }, /* 343 */
+ {                0x01,       0, 0,  8, "nsSGC"                     }, /* 344 */
+ {            0x45,           0, 1,  6, "verisign"                  }, /* 345 */
+ {              0x01,         0, 1,  7, "pki"                       }, /* 346 */
+ {                0x09,       0, 1,  8, "attributes"                }, /* 347 */
+ {                  0x02,   349, 0,  9, "messageType"               }, /* 348 */
+ {                  0x03,   350, 0,  9, "pkiStatus"                 }, /* 349 */
+ {                  0x04,   351, 0,  9, "failInfo"                  }, /* 350 */
+ {                  0x05,   352, 0,  9, "senderNonce"               }, /* 351 */
+ {                  0x06,   353, 0,  9, "recipientNonce"            }, /* 352 */
+ {                  0x07,   354, 0,  9, "transID"                   }, /* 353 */
+ {                  0x08,   355, 0,  9, "extensionReq"              }, /* 354 */
+ {                  0x08,     0, 0,  9, "extensionReq"              }  /* 355 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index aa1fd31b0..16c9e854b 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -116,92 +116,93 @@ extern const oid_t oid_names[];
 #define OID_ECDSA_WITH_SHA256				158
 #define OID_ECDSA_WITH_SHA384				159
 #define OID_ECDSA_WITH_SHA512				160
-#define OID_TCGID							181
-#define OID_AUTHORITY_INFO_ACCESS			186
-#define OID_IP_ADDR_BLOCKS					187
-#define OID_SERVER_AUTH						192
-#define OID_CLIENT_AUTH						193
-#define OID_OCSP_SIGNING					200
-#define OID_XMPP_ADDR						202
-#define OID_AUTHENTICATION_INFO				204
-#define OID_ACCESS_IDENTITY					205
-#define OID_CHARGING_IDENTITY				206
-#define OID_GROUP							207
-#define OID_OCSP							210
-#define OID_BASIC							211
-#define OID_NONCE							212
-#define OID_CRL								213
-#define OID_RESPONSE						214
-#define OID_NO_CHECK						215
-#define OID_ARCHIVE_CUTOFF					216
-#define OID_SERVICE_LOCATOR					217
-#define OID_CA_ISSUERS						218
-#define OID_DES_CBC							224
-#define OID_SHA1							225
-#define OID_SHA1_WITH_RSA_OIW				226
-#define OID_ECGDSA_PUBKEY					245
-#define OID_ECGDSA_SIG_WITH_RIPEMD160		248
-#define OID_ECGDSA_SIG_WITH_SHA1			249
-#define OID_ECGDSA_SIG_WITH_SHA224			250
-#define OID_ECGDSA_SIG_WITH_SHA256			251
-#define OID_ECGDSA_SIG_WITH_SHA384			252
-#define OID_ECGDSA_SIG_WITH_SHA512			253
-#define OID_SECT163K1						276
-#define OID_SECT163R1						277
-#define OID_SECT239K1						278
-#define OID_SECT113R1						279
-#define OID_SECT113R2						280
-#define OID_SECT112R1						281
-#define OID_SECT112R2						282
-#define OID_SECT160R1						283
-#define OID_SECT160K1						284
-#define OID_SECT256K1						285
-#define OID_SECT163R2						286
-#define OID_SECT283K1						287
-#define OID_SECT283R1						288
-#define OID_SECT131R1						289
-#define OID_SECT131R2						290
-#define OID_SECT193R1						291
-#define OID_SECT193R2						292
-#define OID_SECT233K1						293
-#define OID_SECT233R1						294
-#define OID_SECT128R1						295
-#define OID_SECT128R2						296
-#define OID_SECT160R2						297
-#define OID_SECT192K1						298
-#define OID_SECT224K1						299
-#define OID_SECT224R1						300
-#define OID_SECT384R1						301
-#define OID_SECT521R1						302
-#define OID_SECT409K1						303
-#define OID_SECT409R1						304
-#define OID_SECT571K1						305
-#define OID_SECT571R1						306
-#define OID_AES128_CBC						315
-#define OID_AES128_GCM						316
-#define OID_AES128_CCM						317
-#define OID_AES192_CBC						318
-#define OID_AES192_GCM						319
-#define OID_AES192_CCM						320
-#define OID_AES256_CBC						321
-#define OID_AES256_GCM						322
-#define OID_AES256_CCM						323
-#define OID_SHA256							325
-#define OID_SHA384							326
-#define OID_SHA512							327
-#define OID_SHA224							328
-#define OID_NS_REVOCATION_URL				334
-#define OID_NS_CA_REVOCATION_URL			335
-#define OID_NS_CA_POLICY_URL				336
-#define OID_NS_COMMENT						337
-#define OID_EMPLOYEE_NUMBER					340
-#define OID_PKI_MESSAGE_TYPE				346
-#define OID_PKI_STATUS						347
-#define OID_PKI_FAIL_INFO					348
-#define OID_PKI_SENDER_NONCE				349
-#define OID_PKI_RECIPIENT_NONCE				350
-#define OID_PKI_TRANS_ID					351
+#define OID_USER_PRINCIPAL_NAME				175
+#define OID_TCGID							182
+#define OID_AUTHORITY_INFO_ACCESS			187
+#define OID_IP_ADDR_BLOCKS					189
+#define OID_SERVER_AUTH						194
+#define OID_CLIENT_AUTH						195
+#define OID_OCSP_SIGNING					202
+#define OID_XMPP_ADDR						204
+#define OID_AUTHENTICATION_INFO				206
+#define OID_ACCESS_IDENTITY					207
+#define OID_CHARGING_IDENTITY				208
+#define OID_GROUP							209
+#define OID_OCSP							212
+#define OID_BASIC							213
+#define OID_NONCE							214
+#define OID_CRL								215
+#define OID_RESPONSE						216
+#define OID_NO_CHECK						217
+#define OID_ARCHIVE_CUTOFF					218
+#define OID_SERVICE_LOCATOR					219
+#define OID_CA_ISSUERS						220
+#define OID_DES_CBC							226
+#define OID_SHA1							227
+#define OID_SHA1_WITH_RSA_OIW				228
+#define OID_ECGDSA_PUBKEY					247
+#define OID_ECGDSA_SIG_WITH_RIPEMD160		250
+#define OID_ECGDSA_SIG_WITH_SHA1			251
+#define OID_ECGDSA_SIG_WITH_SHA224			252
+#define OID_ECGDSA_SIG_WITH_SHA256			253
+#define OID_ECGDSA_SIG_WITH_SHA384			254
+#define OID_ECGDSA_SIG_WITH_SHA512			255
+#define OID_SECT163K1						278
+#define OID_SECT163R1						279
+#define OID_SECT239K1						280
+#define OID_SECT113R1						281
+#define OID_SECT113R2						282
+#define OID_SECT112R1						283
+#define OID_SECT112R2						284
+#define OID_SECT160R1						285
+#define OID_SECT160K1						286
+#define OID_SECT256K1						287
+#define OID_SECT163R2						288
+#define OID_SECT283K1						289
+#define OID_SECT283R1						290
+#define OID_SECT131R1						291
+#define OID_SECT131R2						292
+#define OID_SECT193R1						293
+#define OID_SECT193R2						294
+#define OID_SECT233K1						295
+#define OID_SECT233R1						296
+#define OID_SECT128R1						297
+#define OID_SECT128R2						298
+#define OID_SECT160R2						299
+#define OID_SECT192K1						300
+#define OID_SECT224K1						301
+#define OID_SECT224R1						302
+#define OID_SECT384R1						303
+#define OID_SECT521R1						304
+#define OID_SECT409K1						305
+#define OID_SECT409R1						306
+#define OID_SECT571K1						307
+#define OID_SECT571R1						308
+#define OID_AES128_CBC						317
+#define OID_AES128_GCM						318
+#define OID_AES128_CCM						319
+#define OID_AES192_CBC						320
+#define OID_AES192_GCM						321
+#define OID_AES192_CCM						322
+#define OID_AES256_CBC						323
+#define OID_AES256_GCM						324
+#define OID_AES256_CCM						325
+#define OID_SHA256							327
+#define OID_SHA384							328
+#define OID_SHA512							329
+#define OID_SHA224							330
+#define OID_NS_REVOCATION_URL				336
+#define OID_NS_CA_REVOCATION_URL			337
+#define OID_NS_CA_POLICY_URL				338
+#define OID_NS_COMMENT						339
+#define OID_EMPLOYEE_NUMBER					342
+#define OID_PKI_MESSAGE_TYPE				348
+#define OID_PKI_STATUS						349
+#define OID_PKI_FAIL_INFO					350
+#define OID_PKI_SENDER_NONCE				351
+#define OID_PKI_RECIPIENT_NONCE				352
+#define OID_PKI_TRANS_ID					353
 
-#define OID_MAX								354
+#define OID_MAX								356
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 5d729c2eb..36db0299c 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -173,6 +173,7 @@
               0x14           "msEnrollmentInfrastructure"
                 0x02         "msCertificateTypeExtension"
                   0x02       "msSmartcardLogon"
+                  0x03       "msUPN"					OID_USER_PRINCIPAL_NAME
           0x89               ""
             0x31             ""
               0x01           ""
@@ -185,6 +186,7 @@
           0x07               "id-pkix"
             0x01             "id-pe"
               0x01           "authorityInfoAccess"		OID_AUTHORITY_INFO_ACCESS
+              0x03           "qcStatements"
               0x07           "ipAddrBlocks"				OID_IP_ADDR_BLOCKS
             0x02             "id-qt"
               0x01           "cps"
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index 4d115a816..9a4152145 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -307,24 +307,46 @@ static char hex2bin(char hex)
 chunk_t chunk_from_hex(chunk_t hex, char *buf)
 {
 	int i, len;
+	u_char *ptr;
 	bool odd = FALSE;
 
-	len = (hex.len / 2);
-	if (hex.len % 2)
+   /* subtract the number of optional ':' separation characters */
+	len = hex.len;
+	ptr = hex.ptr;
+ 	for (i = 0; i < hex.len; i++)
+	{
+		if (*ptr++ == ':')
+		{
+			len--;
+		}
+	}
+
+	/* compute the number of binary bytes */
+	if (len % 2)
 	{
 		odd = TRUE;
 		len++;
 	}
+	len /= 2;
+
+	/* allocate buffer memory unless provided by caller */
 	if (!buf)
 	{
 		buf = malloc(len);
 	}
+
 	/* buffer is filled from the right */
 	memset(buf, 0, len);
 	hex.ptr += hex.len;
+
 	for (i = len - 1; i >= 0; i--)
 	{
-		buf[i] = hex2bin(*(--hex.ptr));
+		/* skip separation characters */
+		if (*(--hex.ptr) == ':')
+		{
+			--hex.ptr;
+		}
+		buf[i] = hex2bin(*hex.ptr);
 		if (i > 0 || !odd)
 		{
 			buf[i] |= hex2bin(*(--hex.ptr)) << 4;
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 5441ccf3c..f94bdfbf2 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -193,12 +193,12 @@ static inline void chunk_clear(chunk_t *chunk)
 /**
  * Allocate a chunk on the heap
  */
-#define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(malloc(x), x);})
+#define chunk_alloc(bytes) ({size_t x = (bytes); chunk_create(x ? malloc(x) : NULL, x);})
 
 /**
  * Allocate a chunk on the stack
  */
-#define chunk_alloca(bytes) ({size_t x = (bytes); chunk_create(alloca(x), x);})
+#define chunk_alloca(bytes) ({size_t x = (bytes); chunk_create(x ? alloca(x) : NULL, x);})
 
 /**
  * Clone a chunk on heap
@@ -208,7 +208,7 @@ static inline void chunk_clear(chunk_t *chunk)
 /**
  * Clone a chunk on stack
  */
-#define chunk_clonea(chunk) ({chunk_t x = (chunk); chunk_create_clone(alloca(x.len), x);})
+#define chunk_clonea(chunk) ({chunk_t x = (chunk); chunk_create_clone(x.len ? alloca(x.len) : NULL, x);})
 
 /**
  * Concatenate chunks into a chunk on heap
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 2573d0327..ce718b9cb 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -20,6 +20,7 @@
 #include <debug.h>
 #include <utils/linked_list.h>
 #include <utils/identification.h>
+#include <eap/eap.h>
 #include <credentials/certificates/certificate.h>
 
 ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
@@ -29,62 +30,6 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
 	"EAP",
 );
 
-ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
-	"EAP_IDENTITY",
-	"EAP_NOTIFICATION",
-	"EAP_NAK",
-	"EAP_MD5",
-	"EAP_OTP",
-	"EAP_GTC");
-ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC,
-	"EAP_SIM");
-ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
-	"EAP_AKA");
-ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
-	"EAP_MSCHAPV2");
-ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
-	"EAP_RADIUS",
-	"EAP_EXPANDED",
-	"EAP_EXPERIMENTAL");
-ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
-
-ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
-	"ID",
-	"NTF",
-	"NAK",
-	"MD5",
-	"OTP",
-	"GTC");
-ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC,
-	"SIM");
-ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM,
-	"AKA");
-ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
-	"MSCHAPV2");
-ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
-	"RAD",
-	"EXP",
-	"XP");
-ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
-
-ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
-	"RULE_IDENTITY",
-	"RULE_AUTH_CLASS",
-	"RULE_EAP_IDENTITY",
-	"RULE_EAP_TYPE",
-	"RULE_EAP_VENDOR",
-	"RULE_CA_CERT",
-	"RULE_IM_CERT",
-	"RULE_SUBJECT_CERT",
-	"RULE_CRL_VALIDATION",
-	"RULE_OCSP_VALIDATION",
-	"RULE_GROUP",
-	"HELPER_IM_CERT",
-	"HELPER_SUBJECT_CERT",
-	"HELPER_IM_HASH_URL",
-	"HELPER_SUBJECT_HASH_URL",
-);
-
 typedef struct private_auth_cfg_t private_auth_cfg_t;
 
 /**
@@ -174,6 +119,7 @@ static void destroy_entry_value(entry_t *entry)
 	{
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AAA_IDENTITY:
 		case AUTH_RULE_GROUP:
 		{
 			identification_t *id = (identification_t*)entry->value;
@@ -231,6 +177,7 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
 				break;
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_AAA_IDENTITY:
 			case AUTH_RULE_GROUP:
 			case AUTH_RULE_CA_CERT:
 			case AUTH_RULE_IM_CERT:
@@ -296,6 +243,7 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
 			return (void*)VALIDATION_FAILED;
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AAA_IDENTITY:
 		case AUTH_RULE_GROUP:
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
@@ -331,6 +279,7 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 			break;
 		case AUTH_RULE_IDENTITY:
 		case AUTH_RULE_EAP_IDENTITY:
+		case AUTH_RULE_AAA_IDENTITY:
 		case AUTH_RULE_GROUP:
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
@@ -445,6 +394,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 			}
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_AAA_IDENTITY:
 			{
 				identification_t *id1, *id2;
 
@@ -590,6 +540,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				}
 				case AUTH_RULE_IDENTITY:
 				case AUTH_RULE_EAP_IDENTITY:
+				case AUTH_RULE_AAA_IDENTITY:
 				case AUTH_RULE_GROUP:
 				{
 					identification_t *id = (identification_t*)value;
@@ -677,6 +628,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 					}
 					case AUTH_RULE_IDENTITY:
 					case AUTH_RULE_EAP_IDENTITY:
+					case AUTH_RULE_AAA_IDENTITY:
 					case AUTH_RULE_GROUP:
 					{
 						identification_t *id1, *id2;
@@ -761,6 +713,7 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
 		{
 			case AUTH_RULE_IDENTITY:
 			case AUTH_RULE_EAP_IDENTITY:
+			case AUTH_RULE_AAA_IDENTITY:
 			case AUTH_RULE_GROUP:
 			{
 				identification_t *id = (identification_t*)entry->value;
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 713e16372..19624a2fe 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -27,7 +27,6 @@
 typedef struct auth_cfg_t auth_cfg_t;
 typedef enum auth_rule_t auth_rule_t;
 typedef enum auth_class_t auth_class_t;
-typedef enum eap_type_t eap_type_t;
 
 /**
  * Class of authentication to use. This is different to auth_method_t in that
@@ -51,35 +50,6 @@ enum auth_class_t {
 extern enum_name_t *auth_class_names;
 
 /**
- * EAP types, defines the EAP method implementation
- */
-enum eap_type_t {
-	EAP_IDENTITY = 1,
-	EAP_NOTIFICATION = 2,
-	EAP_NAK = 3,
-	EAP_MD5 = 4,
-	EAP_OTP = 5,
-	EAP_GTC = 6,
-	EAP_SIM = 18,
-	EAP_AKA = 23,
-	EAP_MSCHAPV2 = 26,
-	/** not a method, but an implementation providing different methods */
-	EAP_RADIUS = 253,
-	EAP_EXPANDED = 254,
-	EAP_EXPERIMENTAL = 255,
-};
-
-/**
- * enum names for eap_type_t.
- */
-extern enum_name_t *eap_type_names;
-
-/**
- * short string enum names for eap_type_t.
- */
-extern enum_name_t *eap_type_short_names;
-
-/**
  * Authentication config to use during authentication process.
  *
  * Each authentication config contains a set of rules. These rule-sets are used
@@ -98,6 +68,8 @@ enum auth_rule_t {
 	AUTH_RULE_IDENTITY,
 	/** authentication class, auth_class_t */
 	AUTH_RULE_AUTH_CLASS,
+	/** AAA-backend identity for EAP methods supporting it, identification_t* */
+	AUTH_RULE_AAA_IDENTITY,
 	/** EAP identity to use within EAP-Identity exchange, identification_t* */
 	AUTH_RULE_EAP_IDENTITY,
 	/** EAP type to propose for peer authentication, eap_type_t */
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index cfb708e33..c43e5fd5d 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -45,8 +45,10 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_PATHLEN",
 	"BUILD_X509_FLAG",
 	"BUILD_REVOKED_ENUMERATOR",
-	"BUILD_SMARTCARD_KEYID",
-	"BUILD_SMARTCARD_PIN",
+	"BUILD_CHALLENGE_PWD",
+	"BUILD_PKCS11_MODULE",
+	"BUILD_PKCS11_SLOT",
+	"BUILD_PKCS11_KEYID",
 	"BUILD_RSA_MODULUS",
 	"BUILD_RSA_PUB_EXP",
 	"BUILD_RSA_PRIV_EXP",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index ffb09f72a..dc87da2a4 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -57,12 +57,6 @@ enum builder_part_t {
 	BUILD_BLOB_PGP,
 	/** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
 	BUILD_BLOB_DNSKEY,
-	/** passphrase for e.g. PEM decryption, chunk_t */
-	BUILD_PASSPHRASE,
-	/** passphrase callback, chunk_t(*fn)(void *user, int try), void *user.
-	 *  The callback is invoked until the returned passphrase is accepted, or
-	 *  a zero-length passphrase is returned. Try starts at 1. */
-	BUILD_PASSPHRASE_CALLBACK,
 	/** key size in bits, as used for key generation, u_int */
 	BUILD_KEY_SIZE,
 	/** private key to use for signing, private_key_t* */
@@ -103,10 +97,14 @@ enum builder_part_t {
 	BUILD_X509_FLAG,
 	/** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */
 	BUILD_REVOKED_ENUMERATOR,
-	/** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
-	BUILD_SMARTCARD_KEYID,
-	/** pin to access a key on a smartcard, null terminated char* */
-	BUILD_SMARTCARD_PIN,
+	/** PKCS#10 challenge password */
+	BUILD_CHALLENGE_PWD,
+	/** friendly name of a PKCS#11 module, null terminated char* */
+	BUILD_PKCS11_MODULE,
+	/** slot specifier for a token in a PKCS#11 module, int */
+	BUILD_PKCS11_SLOT,
+	/** key ID of a key on a token, chunk_t */
+	BUILD_PKCS11_KEYID,
 	/** modulus (n) of a RSA key, chunk_t */
 	BUILD_RSA_MODULUS,
 	/** public exponent (e) of a RSA key, chunk_t */
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 7cc7dbe0e..ff621012f 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -64,32 +64,29 @@ struct entry_t {
 	credential_type_t type;
 	/** subtype of credential, e.g. certificate_type_t */
 	int subtype;
+	/** registered with final flag? */
+	bool final;
 	/** builder function */
 	builder_function_t constructor;
 };
 
-/**
- * Implementation of credential_factory_t.add_builder_constructor.
- */
-static void add_builder(private_credential_factory_t *this,
-						credential_type_t type, int subtype,
-						builder_function_t constructor)
+METHOD(credential_factory_t, add_builder, void,
+	private_credential_factory_t *this, credential_type_t type, int subtype,
+	bool final, builder_function_t constructor)
 {
 	entry_t *entry = malloc_thing(entry_t);
 
 	entry->type = type;
 	entry->subtype = subtype;
+	entry->final = final;
 	entry->constructor = constructor;
 	this->lock->write_lock(this->lock);
 	this->constructors->insert_last(this->constructors, entry);
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of credential_factory_t.remove_builder.
- */
-static void remove_builder(private_credential_factory_t *this,
-						   builder_function_t constructor)
+METHOD(credential_factory_t, remove_builder, void,
+	private_credential_factory_t *this, builder_function_t constructor)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -108,11 +105,8 @@ static void remove_builder(private_credential_factory_t *this,
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of credential_factory_t.create.
- */
-static void* create(private_credential_factory_t *this, credential_type_t type,
-					int subtype, ...)
+METHOD(credential_factory_t, create, void*,
+	private_credential_factory_t *this, credential_type_t type, int subtype, ...)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -159,9 +153,31 @@ static void* create(private_credential_factory_t *this, credential_type_t type,
 }
 
 /**
- * Implementation of credential_factory_t.destroy
+ * Filter function for builder enumerator
  */
-static void destroy(private_credential_factory_t *this)
+static bool builder_filter(void *null, entry_t **entry, credential_type_t *type,
+						   void *dummy1, int *subtype)
+{
+	if ((*entry)->final)
+	{
+		*type = (*entry)->type;
+		*subtype = (*entry)->subtype;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(credential_factory_t, create_builder_enumerator, enumerator_t*,
+	private_credential_factory_t *this)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(
+				this->constructors->create_enumerator(this->constructors),
+				(void*)builder_filter, this->lock, (void*)this->lock->unlock);
+}
+
+METHOD(credential_factory_t, destroy, void,
+	private_credential_factory_t *this)
 {
 	this->constructors->destroy_function(this->constructors, free);
 	this->recursive->destroy(this->recursive);
@@ -174,16 +190,20 @@ static void destroy(private_credential_factory_t *this)
  */
 credential_factory_t *credential_factory_create()
 {
-	private_credential_factory_t *this = malloc_thing(private_credential_factory_t);
-
-	this->public.create = (void*(*)(credential_factory_t*, credential_type_t type, int subtype, ...))create;
-	this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_function_t constructor))add_builder;
-	this->public.remove_builder = (void(*)(credential_factory_t*,builder_function_t constructor))remove_builder;
-	this->public.destroy = (void(*)(credential_factory_t*))destroy;
-
-	this->constructors = linked_list_create();
-	this->recursive = thread_value_create(NULL);
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+	private_credential_factory_t *this;
+
+	INIT(this,
+		.public = {
+			.create = _create,
+			.create_builder_enumerator = _create_builder_enumerator,
+			.add_builder = _add_builder,
+			.remove_builder = _remove_builder,
+			.destroy = _destroy,
+		},
+		.constructors = linked_list_create(),
+		.recursive = thread_value_create(NULL),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
index e8ffb6b9d..709dc916a 100644
--- a/src/libstrongswan/credentials/credential_factory.h
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -68,11 +68,17 @@ struct credential_factory_t {
 	/**
 	 * Register a credential builder function.
 	 *
+	 * The final flag indicates if the registered builder can build such
+	 * a credential itself the most common encoding, without the need
+	 * for an additional builder.
+	 *
 	 * @param type			type of credential the builder creates
+	 * @param subtype		subtype of the credential, type specific
+	 * @param final			TRUE if this build does not invoke other builders
 	 * @param constructor	builder constructor function to register
 	 */
 	void (*add_builder)(credential_factory_t *this,
-						credential_type_t type, int subtype,
+						credential_type_t type, int subtype, bool final,
 						builder_function_t constructor);
 	/**
 	 * Unregister a credential builder function.
@@ -83,6 +89,16 @@ struct credential_factory_t {
 						   builder_function_t constructor);
 
 	/**
+	 * Create an enumerator over registered builder types.
+	 *
+	 * The enumerator returns only builder types registered with the final
+	 * flag set.
+	 *
+	 * @return				enumerator (credential_type_t, int subtype)
+	 */
+	enumerator_t* (*create_builder_enumerator)(credential_factory_t *this);
+
+	/**
 	 * Destroy a credential_factory instance.
 	 */
 	void (*destroy)(credential_factory_t *this);
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 46c36c941..97e8d8887 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -157,8 +157,10 @@ static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
 	linked_list_t *local;
 
 	INIT(enumerator,
-		.public.enumerate = (void*)_sets_enumerate,
-		.public.destroy = _sets_destroy,
+		.public = {
+			.enumerate = (void*)_sets_enumerate,
+			.destroy = _sets_destroy,
+		},
 		.global = this->sets->create_enumerator(this->sets),
 	);
 	local = this->local_sets->get(this->local_sets);
@@ -822,7 +824,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
 }
 
 /**
- * Check if a certificate's keyid is contained in the auth helper
+ * Check if an helper contains a certificate as trust anchor
  */
 static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
 {
@@ -854,17 +856,10 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 	certificate_t *issuer, *current;
 	auth_cfg_t *trustchain;
 	int pathlen = 0;
+	bool has_anchor;
 
 	trustchain = auth_cfg_create();
-
-	current = auth->get(auth, AUTH_RULE_CA_CERT);
-	if (!current)
-	{
-		/* no trust anchor specified, return this cert only */
-		trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT,
-						subject->get_ref(subject));
-		return trustchain;
-	}
+	has_anchor = auth->get(auth, AUTH_RULE_CA_CERT) != NULL;
 	current = subject->get_ref(subject);
 	while (TRUE)
 	{
@@ -879,17 +874,33 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 		}
 		else
 		{
+			if (!has_anchor &&
+				this->cache->issued_by(this->cache, current, current))
+			{	/* If no trust anchor specified, accept any CA */
+				trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
+				return trustchain;
+			}
 			trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
 		}
+		if (pathlen++ > MAX_TRUST_PATH_LEN)
+		{
+			break;
+		}
 		issuer = get_issuer_cert(this, current, FALSE);
-		if (!issuer || issuer->equals(issuer, current) ||
-			pathlen > MAX_TRUST_PATH_LEN)
+		if (!issuer)
 		{
-			DESTROY_IF(issuer);
+			if (!has_anchor)
+			{	/* If no trust anchor specified, accept incomplete chains */
+				return trustchain;
+			}
+			break;
+		}
+		if (has_anchor && issuer->equals(issuer, current))
+		{
+			issuer->destroy(issuer);
 			break;
 		}
 		current = issuer;
-		pathlen++;
 	}
 	trustchain->destroy(trustchain);
 	return NULL;
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
index 27f4ab098..e57d3f5a5 100644
--- a/src/libstrongswan/credentials/keys/private_key.h
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -51,18 +51,20 @@ struct private_key_t {
 	/**
 	 * Decrypt a chunk of data.
 	 *
+	 * @param scheme	expected encryption scheme used
 	 * @param crypto	chunk containing encrypted data
 	 * @param plain		where to allocate decrypted data
 	 * @return			TRUE if data decrypted and plaintext allocated
 	 */
-	bool (*decrypt)(private_key_t *this, chunk_t crypto, chunk_t *plain);
+	bool (*decrypt)(private_key_t *this, encryption_scheme_t scheme,
+					chunk_t crypto, chunk_t *plain);
 
 	/**
-	 * Get the strength of the key in bytes.
+	 * Get the strength of the key in bits.
 	 *
-	 * @return			strength of the key in bytes
+	 * @return			strength of the key in bits
 	 */
-	size_t (*get_keysize) (private_key_t *this);
+	int (*get_keysize) (private_key_t *this);
 
 	/**
 	 * Get the public part from the private key.
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index ce342de33..22df5dd1b 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -42,6 +42,16 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
 	"ECDSA-521",
 );
 
+ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512,
+	"ENCRYPT_UNKNOWN",
+	"ENCRYPT_RSA_PKCS1",
+	"ENCRYPT_RSA_OAEP_SHA1",
+	"ENCRYPT_RSA_OAEP_SHA224",
+	"ENCRYPT_RSA_OAEP_SHA256",
+	"ENCRYPT_RSA_OAEP_SHA384",
+	"ENCRYPT_RSA_OAEP_SHA512",
+);
+
 /**
  * See header.
  */
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index ff827a189..d20d2736b 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -24,6 +24,7 @@
 typedef struct public_key_t public_key_t;
 typedef enum key_type_t key_type_t;
 typedef enum signature_scheme_t signature_scheme_t;
+typedef enum encryption_scheme_t encryption_scheme_t;
 
 #include <library.h>
 #include <utils/identification.h>
@@ -97,6 +98,31 @@ enum signature_scheme_t {
 extern enum_name_t *signature_scheme_names;
 
 /**
+ * Encryption scheme for public key data encryption.
+ */
+enum encryption_scheme_t {
+	/** Unknown encryption scheme                                      */
+	ENCRYPT_UNKNOWN,
+	/** RSAES-PKCS1-v1_5 as in PKCS#1                                  */
+	ENCRYPT_RSA_PKCS1,
+	/** RSAES-OAEP as in PKCS#1, using SHA1 as hash, no label          */
+	ENCRYPT_RSA_OAEP_SHA1,
+	/** RSAES-OAEP as in PKCS#1, using SHA-224 as hash, no label       */
+	ENCRYPT_RSA_OAEP_SHA224,
+	/** RSAES-OAEP as in PKCS#1, using SHA-256 as hash, no label       */
+	ENCRYPT_RSA_OAEP_SHA256,
+	/** RSAES-OAEP as in PKCS#1, using SHA-384 as hash, no label       */
+	ENCRYPT_RSA_OAEP_SHA384,
+	/** RSAES-OAEP as in PKCS#1, using SHA-512 as hash, no label       */
+	ENCRYPT_RSA_OAEP_SHA512,
+};
+
+/**
+ * Enum names for encryption_scheme_t
+ */
+extern enum_name_t *encryption_scheme_names;
+
+/**
  * Abstract interface of a public key.
  */
 struct public_key_t {
@@ -122,11 +148,13 @@ struct public_key_t {
 	/**
 	 * Encrypt a chunk of data.
 	 *
+	 * @param scheme	encryption scheme to use
 	 * @param plain		chunk containing plaintext data
 	 * @param crypto	where to allocate encrypted data
 	 * @return 			TRUE if data successfully encrypted
 	 */
-	bool (*encrypt)(public_key_t *this, chunk_t plain, chunk_t *crypto);
+	bool (*encrypt)(public_key_t *this, encryption_scheme_t scheme,
+					chunk_t plain, chunk_t *crypto);
 
 	/**
 	 * Check if two public keys are equal.
@@ -137,11 +165,11 @@ struct public_key_t {
 	bool (*equals)(public_key_t *this, public_key_t *other);
 
 	/**
-	 * Get the strength of the key in bytes.
+	 * Get the strength of the key in bits.
 	 *
-	 * @return			strength of the key in bytes
+	 * @return			strength of the key in bits
 	 */
-	size_t (*get_keysize) (public_key_t *this);
+	int (*get_keysize) (public_key_t *this);
 
 	/**
 	 * Get the fingerprint of the key.
diff --git a/src/libstrongswan/credentials/sets/callback_cred.c b/src/libstrongswan/credentials/sets/callback_cred.c
new file mode 100644
index 000000000..bff33f029
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/callback_cred.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "callback_cred.h"
+
+typedef struct private_callback_cred_t private_callback_cred_t;
+
+/**
+ * Private data of an callback_cred_t object.
+ */
+struct private_callback_cred_t {
+
+	/**
+	 * Public callback_cred_t interface.
+	 */
+	callback_cred_t public;
+
+	/**
+	 * Callback of this set, for all types, and generic
+	 */
+	union {
+		void *generic;
+		callback_cred_shared_cb_t shared;
+	} cb;
+
+	/**
+	 * Data to pass to callback
+	 */
+	void *data;
+};
+
+/**
+ * Shared key enumerator on callbacks
+ */
+typedef struct {
+	/* implements enumerator_t */
+	enumerator_t public;
+	/* backref to this */
+	private_callback_cred_t *this;
+	/* type if requested key */
+	shared_key_type_t type;
+	/* own identity to match */
+	identification_t *me;
+	/* other identity to match */
+	identification_t *other;
+	/* current shared key */
+	shared_key_t *current;
+} shared_enumerator_t;
+
+METHOD(enumerator_t, shared_enumerate, bool,
+	shared_enumerator_t *this, shared_key_t **out,
+	id_match_t *match_me, id_match_t *match_other)
+{
+	DESTROY_IF(this->current);
+	this->current = this->this->cb.shared(this->this->data, this->type,
+								this->me, this->other, match_me, match_other);
+	if (this->current)
+	{
+		*out = this->current;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, shared_destroy, void,
+	shared_enumerator_t *this)
+{
+	DESTROY_IF(this->current);
+	free(this);
+}
+
+METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
+	private_callback_cred_t *this, shared_key_type_t type,
+	identification_t *me, identification_t *other)
+{
+	shared_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_shared_enumerate,
+			.destroy = _shared_destroy,
+		},
+		.this = this,
+		.type = type,
+		.me = me,
+		.other = other,
+	);
+	return &enumerator->public;
+}
+
+METHOD(callback_cred_t, destroy, void,
+	private_callback_cred_t *this)
+{
+	free(this);
+}
+
+/**
+ * Create a generic callback credential set
+ */
+static private_callback_cred_t* create_generic(void *cb, void *data)
+{
+	private_callback_cred_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_shared_enumerator = (void*)return_null,
+				.create_private_enumerator = (void*)return_null,
+				.create_cert_enumerator = (void*)return_null,
+				.create_cdp_enumerator  = (void*)return_null,
+				.cache_cert = (void*)nop,
+			},
+			.destroy = _destroy,
+		},
+		.cb.generic = cb,
+		.data = data,
+	);
+	return this;
+}
+
+/**
+ * See header
+ */
+callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb,
+											 void *data)
+{
+	private_callback_cred_t *this = create_generic(cb, data);
+
+	this->public.set.create_shared_enumerator = _create_shared_enumerator;
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/sets/callback_cred.h b/src/libstrongswan/credentials/sets/callback_cred.h
new file mode 100644
index 000000000..efc4c7fa5
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/callback_cred.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup callback_cred callback_cred
+ * @{ @ingroup sets
+ */
+
+#ifndef CALLBACK_CRED_H_
+#define CALLBACK_CRED_H_
+
+typedef struct callback_cred_t callback_cred_t;
+
+#include <credentials/credential_set.h>
+
+/**
+ * Callback function to get shared keys.
+ *
+ * @param type			type of requested shared key
+ * @param me			own identity
+ * @param other			other identity
+ * @param match_me		match result of own identity
+ * @param match_other	match result of other identity
+ */
+typedef shared_key_t* (*callback_cred_shared_cb_t)(
+								void *data, shared_key_type_t type,
+								identification_t *me, identification_t *other,
+								id_match_t *match_me, id_match_t *match_other);
+
+/**
+ * Generic callbcack using user specified callback functions.
+ */
+struct callback_cred_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Destroy a callback_cred_t.
+	 */
+	void (*destroy)(callback_cred_t *this);
+};
+
+/**
+ * Create a callback_cred instance, for a shared key.
+ *
+ * @param cb		callback function
+ * @param data		data to pass to callback
+ */
+callback_cred_t *callback_cred_create_shared(callback_cred_shared_cb_t cb,
+											 void *data);
+
+#endif /** CALLBACK_CRED_H_ @}*/
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
new file mode 100644
index 000000000..c29a99f1f
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -0,0 +1,433 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mem_cred.h"
+
+#include <threading/rwlock.h>
+#include <utils/linked_list.h>
+
+typedef struct private_mem_cred_t private_mem_cred_t;
+
+/**
+ * Private data of an mem_cred_t object.
+ */
+struct private_mem_cred_t {
+
+	/**
+	 * Public mem_cred_t interface.
+	 */
+	mem_cred_t public;
+
+	/**
+	 * Lock for this set
+	 */
+	rwlock_t *lock;
+
+	/**
+	 * List of trusted certificates, certificate_t
+	 */
+	linked_list_t *trusted;
+
+	/**
+	 * List of trusted and untrusted certificates, certificate_t
+	 */
+	linked_list_t *untrusted;
+
+	/**
+	 * List of private keys, private_key_t
+	 */
+	linked_list_t *keys;
+
+	/**
+	 * List of shared keys, as shared_entry_t
+	 */
+	linked_list_t *shared;
+};
+
+/**
+ * Data for the certificate enumerator
+ */
+typedef struct {
+	rwlock_t *lock;
+	certificate_type_t cert;
+	key_type_t key;
+	identification_t *id;
+} cert_data_t;
+
+/**
+ * destroy cert_data
+ */
+static void cert_data_destroy(cert_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool certs_filter(cert_data_t *data, certificate_t **in, certificate_t **out)
+{
+	public_key_t *public;
+	certificate_t *cert = *in;
+
+	if (data->cert == CERT_ANY || data->cert == cert->get_type(cert))
+	{
+		public = cert->get_public_key(cert);
+		if (public)
+		{
+			if (data->key == KEY_ANY || data->key == public->get_type(public))
+			{
+				if (data->id && public->has_fingerprint(public,
+											data->id->get_encoding(data->id)))
+				{
+					public->destroy(public);
+					*out = *in;
+					return TRUE;
+				}
+			}
+			public->destroy(public);
+		}
+		else if (data->key != KEY_ANY)
+		{
+			return FALSE;
+		}
+		if (data->id == NULL || cert->has_subject(cert, data->id))
+		{
+			*out = *in;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	private_mem_cred_t *this, certificate_type_t cert, key_type_t key,
+	identification_t *id, bool trusted)
+{
+	cert_data_t *data;
+	enumerator_t *enumerator;
+
+	INIT(data,
+		.lock = this->lock,
+		.cert = cert,
+		.key = key,
+		.id = id,
+	);
+	this->lock->read_lock(this->lock);
+	if (trusted)
+	{
+		enumerator = this->trusted->create_enumerator(this->trusted);
+	}
+	else
+	{
+		enumerator = this->untrusted->create_enumerator(this->untrusted);
+	}
+	return enumerator_create_filter(enumerator, (void*)certs_filter, data,
+									(void*)cert_data_destroy);
+}
+
+static bool certificate_equals(certificate_t *item, certificate_t *cert)
+{
+	return item->equals(item, cert);
+}
+
+METHOD(mem_cred_t, add_cert, void,
+	private_mem_cred_t *this, bool trusted, certificate_t *cert)
+{
+	this->lock->write_lock(this->lock);
+	if (this->untrusted->find_last(this->untrusted,
+				(linked_list_match_t)certificate_equals, NULL, cert) != SUCCESS)
+	{
+		if (trusted)
+		{
+			this->trusted->insert_last(this->trusted, cert->get_ref(cert));
+		}
+		this->untrusted->insert_last(this->untrusted, cert->get_ref(cert));
+	}
+	cert->destroy(cert);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Data for key enumerator
+ */
+typedef struct {
+	rwlock_t *lock;
+	key_type_t type;
+	identification_t *id;
+} key_data_t;
+
+/**
+ * Destroy key enumerator data
+ */
+static void key_data_destroy(key_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
+}
+
+/**
+ * filter function for private key enumerator
+ */
+static bool key_filter(key_data_t *data, private_key_t **in, private_key_t **out)
+{
+	private_key_t *key;
+
+	key = *in;
+	if (data->type == KEY_ANY || data->type == key->get_type(key))
+	{
+		if (data->id == NULL ||
+			key->has_fingerprint(key, data->id->get_encoding(data->id)))
+		{
+			*out = key;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(credential_set_t, create_private_enumerator, enumerator_t*,
+	private_mem_cred_t *this, key_type_t type, identification_t *id)
+{
+	key_data_t *data;
+
+	INIT(data,
+		.lock = this->lock,
+		.type = type,
+		.id = id,
+	);
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(this->keys->create_enumerator(this->keys),
+							(void*)key_filter, data, (void*)key_data_destroy);
+}
+
+METHOD(mem_cred_t, add_key, void,
+	private_mem_cred_t *this, private_key_t *key)
+{
+	this->lock->write_lock(this->lock);
+	this->keys->insert_last(this->keys, key);
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Shared key entry
+ */
+typedef struct {
+	/* shared key */
+	shared_key_t *shared;
+	/* list of owners, identification_t */
+	linked_list_t *owners;
+} shared_entry_t;
+
+/**
+ * Clean up a shared entry
+ */
+static void shared_entry_destroy(shared_entry_t *entry)
+{
+	entry->owners->destroy_offset(entry->owners,
+								  offsetof(identification_t, destroy));
+	entry->shared->destroy(entry->shared);
+	free(entry);
+}
+
+/**
+ * Data for the shared_key enumerator
+ */
+typedef struct {
+	rwlock_t *lock;
+	identification_t *me;
+	identification_t *other;
+	shared_key_type_t type;
+} shared_data_t;
+
+/**
+ * free shared key enumerator data and unlock list
+ */
+static void shared_data_destroy(shared_data_t *data)
+{
+	data->lock->unlock(data->lock);
+	free(data);
+}
+
+/**
+ * Get the best match of an owner in an entry.
+ */
+static id_match_t has_owner(shared_entry_t *entry, identification_t *owner)
+{
+	enumerator_t *enumerator;
+	id_match_t match, best = ID_MATCH_NONE;
+	identification_t *current;
+
+	enumerator = entry->owners->create_enumerator(entry->owners);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		match  = owner->matches(owner, current);
+		if (match > best)
+		{
+			best = match;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return best;
+}
+
+/**
+ * enumerator filter function for shared entries
+ */
+static bool shared_filter(shared_data_t *data,
+						  shared_entry_t **in, shared_key_t **out,
+						  void **unused1, id_match_t *me,
+						  void **unused2, id_match_t *other)
+{
+	id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE;
+	shared_entry_t *entry = *in;
+
+	if (data->type != SHARED_ANY &&
+		entry->shared->get_type(entry->shared) != data->type)
+	{
+		return FALSE;
+	}
+	if (data->me)
+	{
+		my_match = has_owner(entry, data->me);
+	}
+	if (data->other)
+	{
+		other_match = has_owner(entry, data->other);
+	}
+	if ((data->me || data->other) && (!my_match && !other_match))
+	{
+		return FALSE;
+	}
+	*out = entry->shared;
+	if (me)
+	{
+		*me = my_match;
+	}
+	if (other)
+	{
+		*other = other_match;
+	}
+	return TRUE;
+}
+
+METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
+	private_mem_cred_t *this, shared_key_type_t type,
+	identification_t *me, identification_t *other)
+{
+	shared_data_t *data;
+
+	INIT(data,
+		.lock = this->lock,
+		.me = me,
+		.other = other,
+		.type = type,
+	);
+	data->lock->read_lock(data->lock);
+	return enumerator_create_filter(
+						this->shared->create_enumerator(this->shared),
+						(void*)shared_filter, data, (void*)shared_data_destroy);
+}
+
+METHOD(mem_cred_t, add_shared, void,
+	private_mem_cred_t *this, shared_key_t *shared, ...)
+{
+	shared_entry_t *entry;
+	identification_t *id;
+	va_list args;
+
+	INIT(entry,
+		.shared = shared,
+		.owners = linked_list_create(),
+	);
+
+	va_start(args, shared);
+	do
+	{
+		id = va_arg(args, identification_t*);
+		if (id)
+		{
+			entry->owners->insert_last(entry->owners, id);
+		}
+	}
+	while (id);
+	va_end(args);
+
+	this->lock->write_lock(this->lock);
+	this->shared->insert_last(this->shared, entry);
+	this->lock->unlock(this->lock);
+}
+
+METHOD(mem_cred_t, clear_, void,
+	private_mem_cred_t *this)
+{
+	this->lock->write_lock(this->lock);
+	this->trusted->destroy_offset(this->trusted,
+								  offsetof(certificate_t, destroy));
+	this->untrusted->destroy_offset(this->untrusted,
+									offsetof(certificate_t, destroy));
+	this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy));
+	this->shared->destroy_function(this->shared, (void*)shared_entry_destroy);
+	this->trusted = linked_list_create();
+	this->untrusted = linked_list_create();
+	this->keys = linked_list_create();
+	this->shared = linked_list_create();
+	this->lock->unlock(this->lock);
+}
+
+METHOD(mem_cred_t, destroy, void,
+	private_mem_cred_t *this)
+{
+	clear_(this);
+	this->trusted->destroy(this->trusted);
+	this->untrusted->destroy(this->untrusted);
+	this->keys->destroy(this->keys);
+	this->shared->destroy(this->shared);
+	this->lock->destroy(this->lock);
+	free(this);
+}
+
+/**
+ * See header
+ */
+mem_cred_t *mem_cred_create()
+{
+	private_mem_cred_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_shared_enumerator = _create_shared_enumerator,
+				.create_private_enumerator = _create_private_enumerator,
+				.create_cert_enumerator = _create_cert_enumerator,
+				.create_cdp_enumerator  = (void*)return_null,
+				.cache_cert = (void*)nop,
+			},
+			.add_cert = _add_cert,
+			.add_key = _add_key,
+			.add_shared = _add_shared,
+			.clear = _clear_,
+			.destroy = _destroy,
+		},
+		.trusted = linked_list_create(),
+		.untrusted = linked_list_create(),
+		.keys = linked_list_create(),
+		.shared = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
new file mode 100644
index 000000000..b26e43d6c
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mem_cred mem_cred
+ * @{ @ingroup sets
+ */
+
+#ifndef MEM_CRED_H_
+#define MEM_CRED_H_
+
+typedef struct mem_cred_t mem_cred_t;
+
+#include <credentials/credential_set.h>
+
+/**
+ * Generic in-memory credential set.
+ */
+struct mem_cred_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Add a certificate to the credential set.
+	 *
+	 * @param trusted		TRUE to serve certificate as trusted
+	 * @param cert			certificate, reference gets owned by set
+	 */
+	void (*add_cert)(mem_cred_t *this, bool trusted, certificate_t *cert);
+
+	/**
+	 * Add a private key to the credential set.
+	 *
+	 * @param key			key, reference gets owned by set
+	 */
+	void (*add_key)(mem_cred_t *this, private_key_t *key);
+
+	/**
+	 * Add a shared key to the credential set.
+	 *
+	 * @param shared		shared key to add, gets owned by set
+	 * @param ...			NULL terminated list of owners identification_t*
+	 */
+	void (*add_shared)(mem_cred_t *this, shared_key_t *shared, ...);
+
+	/**
+	 * Clear all credentials from the credential set.
+	 */
+	void (*clear)(mem_cred_t *this);
+
+	/**
+	 * Destroy a mem_cred_t.
+	 */
+	void (*destroy)(mem_cred_t *this);
+};
+
+/**
+ * Create a mem_cred instance.
+ */
+mem_cred_t *mem_cred_create();
+
+#endif /** MEM_CRED_H_ @}*/
diff --git a/src/libstrongswan/crypto/aead.c b/src/libstrongswan/crypto/aead.c
new file mode 100644
index 000000000..51cb05909
--- /dev/null
+++ b/src/libstrongswan/crypto/aead.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "aead.h"
+
+#include <debug.h>
+
+typedef struct private_aead_t private_aead_t;
+
+/**
+ * Private data of an aead_t object.
+ */
+struct private_aead_t {
+
+	/**
+	 * Public aead_t interface.
+	 */
+	aead_t public;
+
+	/**
+	 * traditional crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * draditional signer
+	 */
+	signer_t *signer;
+};
+
+METHOD(aead_t, encrypt, void,
+	private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	chunk_t encr, sig;
+
+	this->signer->get_signature(this->signer, assoc, NULL);
+	this->signer->get_signature(this->signer, iv, NULL);
+
+	if (encrypted)
+	{
+		this->crypter->encrypt(this->crypter, plain, iv, &encr);
+		this->signer->allocate_signature(this->signer, encr, &sig);
+		*encrypted = chunk_cat("cmm", iv, encr, sig);
+	}
+	else
+	{
+		this->crypter->encrypt(this->crypter, plain, iv, NULL);
+		this->signer->get_signature(this->signer, plain, plain.ptr + plain.len);
+	}
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	chunk_t sig;
+	size_t bs;
+
+	bs = this->crypter->get_block_size(this->crypter);
+	sig.len = this->signer->get_block_size(this->signer);
+	if (sig.len > encrypted.len || (encrypted.len - sig.len) % bs)
+	{
+		DBG1(DBG_LIB, "invalid encrypted data length %d with block size %d",
+			encrypted.len - sig.len, bs);
+		return FALSE;
+	}
+	chunk_split(encrypted, "mm", encrypted.len - sig.len,
+				&encrypted, sig.len, &sig);
+
+	this->signer->get_signature(this->signer, assoc, NULL);
+	this->signer->get_signature(this->signer, iv, NULL);
+	if (!this->signer->verify_signature(this->signer, encrypted, sig))
+	{
+		DBG1(DBG_LIB, "MAC verification failed");
+		return FALSE;
+	}
+	this->crypter->decrypt(this->crypter, encrypted, iv, plain);
+	return TRUE;
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_aead_t *this)
+{
+	return this->crypter->get_block_size(this->crypter);
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_aead_t *this)
+{
+	return this->signer->get_block_size(this->signer);
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_aead_t *this)
+{
+	return this->crypter->get_iv_size(this->crypter);
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter) +
+			this->signer->get_key_size(this->signer);
+}
+
+METHOD(aead_t, set_key, void,
+	private_aead_t *this, chunk_t key)
+{
+	chunk_t sig, enc;
+
+	chunk_split(key, "mm", this->signer->get_key_size(this->signer), &sig,
+				this->crypter->get_key_size(this->crypter), &enc);
+
+	this->signer->set_key(this->signer, sig);
+	this->crypter->set_key(this->crypter, enc);
+}
+
+METHOD(aead_t, destroy, void,
+	private_aead_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	this->signer->destroy(this->signer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+aead_t *aead_create(crypter_t *crypter, signer_t *signer)
+{
+	private_aead_t *this;
+
+	INIT(this,
+		.public = {
+			.encrypt = _encrypt,
+			.decrypt = _decrypt,
+			.get_block_size = _get_block_size,
+			.get_icv_size = _get_icv_size,
+			.get_iv_size = _get_iv_size,
+			.get_key_size = _get_key_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+		.crypter = crypter,
+		.signer = signer,
+	);
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/crypto/aead.h b/src/libstrongswan/crypto/aead.h
new file mode 100644
index 000000000..d560381d9
--- /dev/null
+++ b/src/libstrongswan/crypto/aead.h
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup aead aead
+ * @{ @ingroup crypto
+ */
+
+#ifndef AEAD_H_
+#define AEAD_H_
+
+typedef struct aead_t aead_t;
+
+#include <library.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+
+/**
+ * Authenticated encryption / authentication decryption interface.
+ */
+struct aead_t {
+
+	/**
+	 * Encrypt and sign data, sign associated data.
+	 *
+	 * The plain data must be a multiple of get_block_size(), the IV must
+	 * have a length of get_iv_size().
+	 * If encrypted is NULL, the encryption is done inline. The buffer must
+	 * have space for additional get_icv_size() data, the ICV value is
+	 * appended silently to the plain chunk.
+	 *
+	 * @param plain			data to encrypt and sign
+	 * @param assoc			associated data to sign
+	 * @param iv			initialization vector
+	 * @param encrypted		allocated encryption result
+	 */
+	void (*encrypt)(aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+					chunk_t *encrypted);
+
+	/**
+	 * Decrypt and verify data, verify associated data.
+	 *
+	 * The IV must have a length of get_iv_size().
+	 * If plain is NULL, the decryption is done inline. The decrypted data
+	 * is returned in the encrypted chunk, the last get_icv_size() bytes
+	 * contain the verified ICV.
+	 *
+	 * @param encrypted		data to encrypt and verify
+	 * @param assoc			associated data to verify
+	 * @param iv			initialization vector
+	 * @param plain			allocated result, if successful
+	 * @return				TRUE if MAC verification successful
+	 */
+	bool (*decrypt)(aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+					chunk_t *plain);
+
+	/**
+	 * Get the block size for encryption.
+	 *
+	 * @return				block size in bytes
+	 */
+	size_t (*get_block_size)(aead_t *this);
+
+	/**
+	 * Get the integrity check value size of the algorithm.
+	 *
+	 * @return				ICV size in bytes
+	 */
+	size_t (*get_icv_size)(aead_t *this);
+
+	/**
+	 * Get the size of the initialization vector.
+	 *
+	 * @return				IV size in bytes
+	 */
+	size_t (*get_iv_size)(aead_t *this);
+
+	/**
+	 * Get the size of the key material (for encryption and authentication).
+	 *
+	 * @return				key size in bytes
+	 */
+	size_t (*get_key_size)(aead_t *this);
+
+	/**
+	 * Set the key for encryption and authentication.
+	 *
+	 * @param key			encryption and authentication key
+	 */
+	void (*set_key)(aead_t *this, chunk_t key);
+
+	/**
+	 * Destroy a aead_t.
+	 */
+	void (*destroy)(aead_t *this);
+};
+
+/**
+ * Create a aead instance using traditional transforms.
+ *
+ * @param crypter		encryption transform for this aead
+ * @param signer		integrity tranform for this aead
+ * @return				aead transform
+ */
+aead_t *aead_create(crypter_t *crypter, signer_t *signer);
+
+#endif /** AEAD_H_ @}*/
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index ebd35a8a0..0730c707c 100644
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -159,4 +159,25 @@ int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size)
 	return oid;
 }
 
-
+/*
+ * Described in header.
+ */
+bool encryption_algorithm_is_aead(encryption_algorithm_t alg)
+{
+	switch (alg)
+	{
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+		case ENCR_AES_GCM_ICV8:
+		case ENCR_AES_GCM_ICV12:
+		case ENCR_AES_GCM_ICV16:
+		case ENCR_NULL_AUTH_AES_GMAC:
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			return TRUE;
+		default:
+			return FALSE;
+	}
+}
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index f052a181d..3bf039681 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -42,6 +42,7 @@ enum encryption_algorithm_t {
 	ENCR_DES_IV32 =            9,
 	ENCR_NULL =               11,
 	ENCR_AES_CBC =            12,
+	/** CTR as specified for IPsec (RFC5930/RFC3686), nonce appended to key */
 	ENCR_AES_CTR =            13,
 	ENCR_AES_CCM_ICV8 =       14,
 	ENCR_AES_CCM_ICV12 =      15,
@@ -51,6 +52,7 @@ enum encryption_algorithm_t {
 	ENCR_AES_GCM_ICV16 =      20,
 	ENCR_NULL_AUTH_AES_GMAC = 21,
 	ENCR_CAMELLIA_CBC =       23,
+	/* CTR as specified for IPsec (RFC5529), nonce appended to key */
 	ENCR_CAMELLIA_CTR =       24,
 	ENCR_CAMELLIA_CCM_ICV8 =  25,
 	ENCR_CAMELLIA_CCM_ICV12 = 26,
@@ -81,8 +83,8 @@ struct crypter_t {
 	/**
 	 * Encrypt a chunk of data and allocate space for the encrypted value.
 	 *
-	 * The length of the iv must equal to get_block_size(), while the length
-	 * of data must be a multiple it.
+	 * The length of the iv must equal to get_iv_size(), while the length
+	 * of data must be a multiple of get_block_size().
 	 * If encrypted is NULL, the encryption is done in-place (overwriting data).
 	 *
 	 * @param data			data to encrypt
@@ -95,8 +97,8 @@ struct crypter_t {
 	/**
 	 * Decrypt a chunk of data and allocate space for the decrypted value.
 	 *
-	 * The length of the iv must equal to get_block_size(), while the length
-	 * of data must be a multiple it.
+	 * The length of the iv must equal to get_iv_size(), while the length
+	 * of data must be a multiple of get_block_size().
 	 * If decrpyted is NULL, the encryption is done in-place (overwriting data).
 	 *
 	 * @param data			data to decrypt
@@ -109,14 +111,29 @@ struct crypter_t {
 	/**
 	 * Get the block size of the crypto algorithm.
 	 *
-	 * @return					block size in bytes
+	 * get_block_size() returns the smallest block the crypter can handle,
+	 * not the block size of the underlying crypto algorithm. For counter mode,
+	 * it is usually 1.
+	 *
+	 * @return				block size in bytes
 	 */
 	size_t (*get_block_size) (crypter_t *this);
 
 	/**
+	 * Get the IV size of the crypto algorithm.
+	 *
+	 * @return				initialization vector size in bytes
+	 */
+	size_t (*get_iv_size)(crypter_t *this);
+
+	/**
 	 * Get the key size of the crypto algorithm.
 	 *
-	 * @return					key size in bytes
+	 * get_key_size() might return a key length different from the key
+	 * size passed to the factory constructor. For Counter Mode, the nonce
+	 * is handled as a part of the key material and is passed to set_key().
+	 *
+	 * @return				key size in bytes
 	 */
 	size_t (*get_key_size) (crypter_t *this);
 
@@ -125,7 +142,7 @@ struct crypter_t {
 	 *
 	 * The length of the key must match get_key_size().
 	 *
-	 * @param key				key to set
+	 * @param key			key to set
 	 */
 	void (*set_key) (crypter_t *this, chunk_t key);
 
@@ -153,4 +170,12 @@ encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size);
  */
 int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size);
 
+/**
+ * Check if an encryption algorithm identifier is an AEAD algorithm.
+ *
+ * @param alg			algorithm identifier
+ * @return				TRUE if it is an AEAD algorithm
+ */
+bool encryption_algorithm_is_aead(encryption_algorithm_t alg);
+
 #endif /** CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index fee71953d..f2f01987d 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -22,16 +22,20 @@
 
 typedef struct entry_t entry_t;
 struct entry_t {
-	/** algorithm */
+	/* algorithm */
 	u_int algo;
+	/* benchmarked speed */
+	u_int speed;
 	/* constructor */
 	union {
 		crypter_constructor_t create_crypter;
+		aead_constructor_t create_aead;
 		signer_constructor_t create_signer;
 		hasher_constructor_t create_hasher;
 		prf_constructor_t create_prf;
 		rng_constructor_t create_rng;
 		dh_constructor_t create_dh;
+		void *create;
 	};
 };
 
@@ -53,6 +57,11 @@ struct private_crypto_factory_t {
 	linked_list_t *crypters;
 
 	/**
+	 * registered aead transforms, as entry_t
+	 */
+	linked_list_t *aeads;
+
+	/**
 	 * registered signers, as entry_t
 	 */
 	linked_list_t *signers;
@@ -93,16 +102,19 @@ struct private_crypto_factory_t {
 	bool test_on_create;
 
 	/**
+	 * run algorithm benchmark during registration
+	 */
+	bool bench;
+
+	/**
 	 * rwlock to lock access to modules
 	 */
 	rwlock_t *lock;
 };
 
-/**
- * Implementation of crypto_factory_t.create_crypter.
- */
-static crypter_t* create_crypter(private_crypto_factory_t *this,
-								 encryption_algorithm_t algo, size_t key_size)
+METHOD(crypto_factory_t, create_crypter, crypter_t*,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
+	size_t key_size)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -116,7 +128,7 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_crypter(this->tester, algo, key_size,
-											entry->create_crypter))
+											entry->create_crypter, NULL))
 			{
 				continue;
 			}
@@ -132,11 +144,40 @@ static crypter_t* create_crypter(private_crypto_factory_t *this,
 	return crypter;
 }
 
-/**
- * Implementation of crypto_factory_t.create_signer.
- */
-static signer_t* create_signer(private_crypto_factory_t *this,
-							   integrity_algorithm_t algo)
+METHOD(crypto_factory_t, create_aead, aead_t*,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
+	size_t key_size)
+{
+	enumerator_t *enumerator;
+	entry_t *entry;
+	aead_t *aead = NULL;
+
+	this->lock->read_lock(this->lock);
+	enumerator = this->aeads->create_enumerator(this->aeads);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->algo == algo)
+		{
+			if (this->test_on_create &&
+				!this->tester->test_aead(this->tester, algo, key_size,
+										 entry->create_aead, NULL))
+			{
+				continue;
+			}
+			aead = entry->create_aead(algo, key_size);
+			if (aead)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
+	return aead;
+}
+
+METHOD(crypto_factory_t, create_signer, signer_t*,
+	private_crypto_factory_t *this, integrity_algorithm_t algo)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -150,7 +191,7 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 		{
 			if (this->test_on_create &&
 				!this->tester->test_signer(this->tester, algo,
-										   entry->create_signer))
+										   entry->create_signer, NULL))
 			{
 				continue;
 			}
@@ -167,11 +208,8 @@ static signer_t* create_signer(private_crypto_factory_t *this,
 	return signer;
 }
 
-/**
- * Implementation of crypto_factory_t.create_hasher.
- */
-static hasher_t* create_hasher(private_crypto_factory_t *this,
-							   hash_algorithm_t algo)
+METHOD(crypto_factory_t, create_hasher, hasher_t*,
+	private_crypto_factory_t *this, hash_algorithm_t algo)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -185,7 +223,7 @@ static hasher_t* create_hasher(private_crypto_factory_t *this,
 		{
 			if (this->test_on_create && algo != HASH_PREFERRED &&
 				!this->tester->test_hasher(this->tester, algo,
-										   entry->create_hasher))
+										   entry->create_hasher, NULL))
 			{
 				continue;
 			}
@@ -201,11 +239,8 @@ static hasher_t* create_hasher(private_crypto_factory_t *this,
 	return hasher;
 }
 
-/**
- * Implementation of crypto_factory_t.create_prf.
- */
-static prf_t* create_prf(private_crypto_factory_t *this,
-						 pseudo_random_function_t algo)
+METHOD(crypto_factory_t, create_prf, prf_t*,
+	private_crypto_factory_t *this, pseudo_random_function_t algo)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -218,7 +253,8 @@ static prf_t* create_prf(private_crypto_factory_t *this,
 		if (entry->algo == algo)
 		{
 			if (this->test_on_create &&
-				!this->tester->test_prf(this->tester, algo, entry->create_prf))
+				!this->tester->test_prf(this->tester, algo,
+										entry->create_prf, NULL))
 			{
 				continue;
 			}
@@ -234,10 +270,8 @@ static prf_t* create_prf(private_crypto_factory_t *this,
 	return prf;
 }
 
-/**
- * Implementation of crypto_factory_t.create_rng.
- */
-static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
+METHOD(crypto_factory_t, create_rng, rng_t*,
+	private_crypto_factory_t *this, rng_quality_t quality)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -251,7 +285,8 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
 		if (entry->algo >= quality && diff > entry->algo - quality)
 		{
 			if (this->test_on_create &&
-				!this->tester->test_rng(this->tester, quality, entry->create_rng))
+				!this->tester->test_rng(this->tester, quality,
+										entry->create_rng, NULL))
 			{
 				continue;
 			}
@@ -272,11 +307,8 @@ static rng_t* create_rng(private_crypto_factory_t *this, rng_quality_t quality)
 	return NULL;
 }
 
-/**
- * Implementation of crypto_factory_t.create_dh.
- */
-static diffie_hellman_t* create_dh(private_crypto_factory_t *this,
-								   diffie_hellman_group_t group)
+METHOD(crypto_factory_t, create_dh, diffie_hellman_t*,
+	private_crypto_factory_t *this, diffie_hellman_group_t group, ...)
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
@@ -288,7 +320,21 @@ static diffie_hellman_t* create_dh(private_crypto_factory_t *this,
 	{
 		if (entry->algo == group)
 		{
-			diffie_hellman = entry->create_dh(group);
+			if (group == MODP_CUSTOM)
+			{
+				va_list args;
+				chunk_t g, p;
+
+				va_start(args, group);
+				g = va_arg(args, chunk_t);
+				p = va_arg(args, chunk_t);
+				va_end(args);
+				diffie_hellman = entry->create_dh(MODP_CUSTOM, g, p);
+			}
+			else
+			{
+				diffie_hellman = entry->create_dh(group);
+			}
 			if (diffie_hellman)
 			{
 				break;
@@ -301,30 +347,65 @@ static diffie_hellman_t* create_dh(private_crypto_factory_t *this,
 }
 
 /**
- * Implementation of crypto_factory_t.add_crypter.
+ * Insert an algorithm entry to a list
  */
-static void add_crypter(private_crypto_factory_t *this,
-						encryption_algorithm_t algo,
-						crypter_constructor_t create)
+static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
+					  int algo, u_int speed, void *create)
 {
-	if (!this->test_on_add ||
-		this->tester->test_crypter(this->tester, algo, 0, create))
+	entry_t *entry, *current;
+	linked_list_t *tmp;
+	bool inserted = FALSE;
+
+	INIT(entry,
+		.algo = algo,
+		.speed = speed,
+	);
+	entry->create = create;
+
+	this->lock->write_lock(this->lock);
+	if (speed)
+	{	/* insert sorted by speed using a temporary list */
+		tmp = linked_list_create();
+		while (list->remove_first(list, (void**)&current) == SUCCESS)
+		{
+			tmp->insert_last(tmp, current);
+		}
+		while (tmp->remove_first(tmp, (void**)&current) == SUCCESS)
+		{
+			if (!inserted &&
+				current->algo == algo &&
+				current->speed < speed)
+			{
+				list->insert_last(list, entry);
+				inserted = TRUE;
+			}
+			list->insert_last(list, current);
+		}
+		tmp->destroy(tmp);
+	}
+	if (!inserted)
 	{
-		entry_t *entry = malloc_thing(entry_t);
+		list->insert_last(list, entry);
+	}
+	this->lock->unlock(this->lock);
+}
+
+METHOD(crypto_factory_t, add_crypter, void,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
+	crypter_constructor_t create)
+{
+	u_int speed = 0;
 
-		entry->algo = algo;
-		entry->create_crypter = create;
-		this->lock->write_lock(this->lock);
-		this->crypters->insert_last(this->crypters, entry);
-		this->lock->unlock(this->lock);
+	if (!this->test_on_add ||
+		this->tester->test_crypter(this->tester, algo, 0, create,
+								   this->bench ? &speed : NULL))
+	{
+		add_entry(this, this->crypters, algo, speed, create);
 	}
 }
 
-/**
- * Implementation of crypto_factory_t.remove_crypter.
- */
-static void remove_crypter(private_crypto_factory_t *this,
-						   crypter_constructor_t create)
+METHOD(crypto_factory_t, remove_crypter, void,
+	private_crypto_factory_t *this, crypter_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -343,30 +424,56 @@ static void remove_crypter(private_crypto_factory_t *this,
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.add_signer.
- */
-static void add_signer(private_crypto_factory_t *this,
-					   integrity_algorithm_t algo, signer_constructor_t create)
+METHOD(crypto_factory_t, add_aead, void,
+	private_crypto_factory_t *this, encryption_algorithm_t algo,
+	aead_constructor_t create)
 {
+	u_int speed = 0;
+
 	if (!this->test_on_add ||
-		this->tester->test_signer(this->tester, algo, create))
+		this->tester->test_aead(this->tester, algo, 0, create,
+								   this->bench ? &speed : NULL))
 	{
-		entry_t *entry = malloc_thing(entry_t);
+		add_entry(this, this->aeads, algo, speed, create);
+	}
+}
 
-		entry->algo = algo;
-		entry->create_signer = create;
-		this->lock->write_lock(this->lock);
-		this->signers->insert_last(this->signers, entry);
-		this->lock->unlock(this->lock);
+METHOD(crypto_factory_t, remove_aead, void,
+	private_crypto_factory_t *this, aead_constructor_t create)
+{
+	entry_t *entry;
+	enumerator_t *enumerator;
+
+	this->lock->write_lock(this->lock);
+	enumerator = this->aeads->create_enumerator(this->aeads);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		if (entry->create_aead == create)
+		{
+			this->aeads->remove_at(this->aeads, enumerator);
+			free(entry);
+		}
 	}
+	enumerator->destroy(enumerator);
+	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.remove_signer.
- */
-static void remove_signer(private_crypto_factory_t *this,
-						  signer_constructor_t create)
+METHOD(crypto_factory_t, add_signer, void,
+	private_crypto_factory_t *this, integrity_algorithm_t algo,
+	signer_constructor_t create)
+{
+	u_int speed = 0;
+
+	if (!this->test_on_add ||
+		this->tester->test_signer(this->tester, algo, create,
+								  this->bench ? &speed : NULL))
+	{
+		add_entry(this, this->signers, algo, speed, create);
+	}
+}
+
+METHOD(crypto_factory_t, remove_signer, void,
+	private_crypto_factory_t *this, signer_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -385,30 +492,22 @@ static void remove_signer(private_crypto_factory_t *this,
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.add_hasher.
- */
-static void add_hasher(private_crypto_factory_t *this, hash_algorithm_t algo,
-					   hasher_constructor_t create)
+METHOD(crypto_factory_t, add_hasher, void,
+	private_crypto_factory_t *this, hash_algorithm_t algo,
+	hasher_constructor_t create)
 {
+	u_int speed = 0;
+
 	if (!this->test_on_add ||
-		this->tester->test_hasher(this->tester, algo, create))
+		this->tester->test_hasher(this->tester, algo, create,
+								  this->bench ? &speed : NULL))
 	{
-		entry_t *entry = malloc_thing(entry_t);
-
-		entry->algo = algo;
-		entry->create_hasher = create;
-		this->lock->write_lock(this->lock);
-		this->hashers->insert_last(this->hashers, entry);
-		this->lock->unlock(this->lock);
+		add_entry(this, this->hashers, algo, speed, create);
 	}
 }
 
-/**
- * Implementation of crypto_factory_t.remove_hasher.
- */
-static void remove_hasher(private_crypto_factory_t *this,
-						  hasher_constructor_t create)
+METHOD(crypto_factory_t, remove_hasher, void,
+	private_crypto_factory_t *this, hasher_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -427,29 +526,22 @@ static void remove_hasher(private_crypto_factory_t *this,
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.add_prf.
- */
-static void add_prf(private_crypto_factory_t *this,
-					pseudo_random_function_t algo, prf_constructor_t create)
+METHOD(crypto_factory_t, add_prf, void,
+	private_crypto_factory_t *this, pseudo_random_function_t algo,
+	prf_constructor_t create)
 {
+	u_int speed = 0;
+
 	if (!this->test_on_add ||
-		this->tester->test_prf(this->tester, algo, create))
+		this->tester->test_prf(this->tester, algo, create,
+							   this->bench ? &speed : NULL))
 	{
-		entry_t *entry = malloc_thing(entry_t);
-
-		entry->algo = algo;
-		entry->create_prf = create;
-		this->lock->write_lock(this->lock);
-		this->prfs->insert_last(this->prfs, entry);
-		this->lock->unlock(this->lock);
+		add_entry(this, this->prfs, algo, speed, create);
 	}
 }
 
-/**
- * Implementation of crypto_factory_t.remove_prf.
- */
-static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
+METHOD(crypto_factory_t, remove_prf, void,
+	private_crypto_factory_t *this, prf_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -468,29 +560,22 @@ static void remove_prf(private_crypto_factory_t *this, prf_constructor_t create)
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.add_rng.
- */
-static void add_rng(private_crypto_factory_t *this, rng_quality_t quality,
-					rng_constructor_t create)
+METHOD(crypto_factory_t, add_rng, void,
+	private_crypto_factory_t *this, rng_quality_t quality,
+	rng_constructor_t create)
 {
+	u_int speed = 0;
+
 	if (!this->test_on_add ||
-		this->tester->test_rng(this->tester, quality, create))
+		this->tester->test_rng(this->tester, quality, create,
+							   this->bench ? &speed : NULL))
 	{
-		entry_t *entry = malloc_thing(entry_t);
-
-		entry->algo = quality;
-		entry->create_rng = create;
-		this->lock->write_lock(this->lock);
-		this->rngs->insert_last(this->rngs, entry);
-		this->lock->unlock(this->lock);
+		add_entry(this, this->rngs, quality, speed, create);
 	}
 }
 
-/**
- * Implementation of crypto_factory_t.remove_rng.
- */
-static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create)
+METHOD(crypto_factory_t, remove_rng, void,
+	private_crypto_factory_t *this, rng_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -509,25 +594,15 @@ static void remove_rng(private_crypto_factory_t *this, rng_constructor_t create)
 	this->lock->unlock(this->lock);
 }
 
-/**
- * Implementation of crypto_factory_t.add_dh.
- */
-static void add_dh(private_crypto_factory_t *this, diffie_hellman_group_t group,
-				   dh_constructor_t create)
+METHOD(crypto_factory_t, add_dh, void,
+	private_crypto_factory_t *this, diffie_hellman_group_t group,
+	dh_constructor_t create)
 {
-	entry_t *entry = malloc_thing(entry_t);
-
-	entry->algo = group;
-	entry->create_dh = create;
-	this->lock->write_lock(this->lock);
-	this->dhs->insert_last(this->dhs, entry);
-	this->lock->unlock(this->lock);
+	add_entry(this, this->dhs, group, 0, create);
 }
 
-/**
- * Implementation of crypto_factory_t.remove_dh.
- */
-static void remove_dh(private_crypto_factory_t *this, dh_constructor_t create)
+METHOD(crypto_factory_t, remove_dh, void,
+	private_crypto_factory_t *this, dh_constructor_t create)
 {
 	entry_t *entry;
 	enumerator_t *enumerator;
@@ -591,14 +666,18 @@ static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *alg
 	return TRUE;
 }
 
-/**
- * Implementation of crypto_factory_t.create_crypter_enumerator
- */
-static enumerator_t* create_crypter_enumerator(private_crypto_factory_t *this)
+METHOD(crypto_factory_t, create_crypter_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
 {
 	return create_enumerator(this, this->crypters, crypter_filter);
 }
 
+METHOD(crypto_factory_t, create_aead_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
+{
+	return create_enumerator(this, this->aeads, crypter_filter);
+}
+
 /**
  * Filter function to enumerate algorithm, not entry
  */
@@ -608,10 +687,8 @@ static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo)
 	return TRUE;
 }
 
-/**
- * Implementation of crypto_factory_t.create_signer_enumerator
- */
-static enumerator_t* create_signer_enumerator(private_crypto_factory_t *this)
+METHOD(crypto_factory_t, create_signer_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
 {
 	return create_enumerator(this, this->signers, signer_filter);
 }
@@ -625,10 +702,8 @@ static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo)
 	return TRUE;
 }
 
-/**
- * Implementation of crypto_factory_t.create_hasher_enumerator
- */
-static enumerator_t* create_hasher_enumerator(private_crypto_factory_t *this)
+METHOD(crypto_factory_t, create_hasher_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
 {
 	return create_enumerator(this, this->hashers, hasher_filter);
 }
@@ -642,10 +717,8 @@ static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo)
 	return TRUE;
 }
 
-/**
- * Implementation of crypto_factory_t.create_prf_enumerator
- */
-static enumerator_t* create_prf_enumerator(private_crypto_factory_t *this)
+METHOD(crypto_factory_t, create_prf_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
 {
 	return create_enumerator(this, this->prfs, prf_filter);
 }
@@ -659,24 +732,21 @@ static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group)
 	return TRUE;
 }
 
-/**
- * Implementation of crypto_factory_t.create_dh_enumerator
- */
-static enumerator_t* create_dh_enumerator(private_crypto_factory_t *this)
+METHOD(crypto_factory_t, create_dh_enumerator, enumerator_t*,
+	private_crypto_factory_t *this)
 {
 	return create_enumerator(this, this->dhs, dh_filter);
 }
 
-/**
- * Implementation of crypto_factory_t.add_test_vector
- */
-static void add_test_vector(private_crypto_factory_t *this,
-							transform_type_t type, void *vector)
+METHOD(crypto_factory_t, add_test_vector, void,
+	private_crypto_factory_t *this, transform_type_t type, void *vector)
 {
 	switch (type)
 	{
 		case ENCRYPTION_ALGORITHM:
 			return this->tester->add_crypter_vector(this->tester, vector);
+		case AEAD_ALGORITHM:
+			return this->tester->add_aead_vector(this->tester, vector);
 		case INTEGRITY_ALGORITHM:
 			return this->tester->add_signer_vector(this->tester, vector);
 		case HASH_ALGORITHM:
@@ -691,17 +761,16 @@ static void add_test_vector(private_crypto_factory_t *this,
 	}
 }
 
-/**
- * Implementation of crypto_factory_t.destroy
- */
-static void destroy(private_crypto_factory_t *this)
-{
-	this->crypters->destroy_function(this->crypters, free);
-	this->signers->destroy_function(this->signers, free);
-	this->hashers->destroy_function(this->hashers, free);
-	this->prfs->destroy_function(this->prfs, free);
-	this->rngs->destroy_function(this->rngs, free);
-	this->dhs->destroy_function(this->dhs, free);
+METHOD(crypto_factory_t, destroy, void,
+	private_crypto_factory_t *this)
+{
+	this->crypters->destroy(this->crypters);
+	this->aeads->destroy(this->aeads);
+	this->signers->destroy(this->signers);
+	this->hashers->destroy(this->hashers);
+	this->prfs->destroy(this->prfs);
+	this->rngs->destroy(this->rngs);
+	this->dhs->destroy(this->dhs);
 	this->tester->destroy(this->tester);
 	this->lock->destroy(this->lock);
 	free(this);
@@ -712,46 +781,56 @@ static void destroy(private_crypto_factory_t *this)
  */
 crypto_factory_t *crypto_factory_create()
 {
-	private_crypto_factory_t *this = malloc_thing(private_crypto_factory_t);
-
-	this->public.create_crypter = (crypter_t*(*)(crypto_factory_t*, encryption_algorithm_t, size_t))create_crypter;
-	this->public.create_signer = (signer_t*(*)(crypto_factory_t*, integrity_algorithm_t))create_signer;
-	this->public.create_hasher = (hasher_t*(*)(crypto_factory_t*, hash_algorithm_t))create_hasher;
-	this->public.create_prf = (prf_t*(*)(crypto_factory_t*, pseudo_random_function_t))create_prf;
-	this->public.create_rng = (rng_t*(*)(crypto_factory_t*, rng_quality_t quality))create_rng;
-	this->public.create_dh = (diffie_hellman_t*(*)(crypto_factory_t*, diffie_hellman_group_t group))create_dh;
-	this->public.add_crypter = (void(*)(crypto_factory_t*, encryption_algorithm_t algo, crypter_constructor_t create))add_crypter;
-	this->public.remove_crypter = (void(*)(crypto_factory_t*, crypter_constructor_t create))remove_crypter;
-	this->public.add_signer = (void(*)(crypto_factory_t*, integrity_algorithm_t algo, signer_constructor_t create))add_signer;
-	this->public.remove_signer = (void(*)(crypto_factory_t*, signer_constructor_t create))remove_signer;
-	this->public.add_hasher = (void(*)(crypto_factory_t*, hash_algorithm_t algo, hasher_constructor_t create))add_hasher;
-	this->public.remove_hasher = (void(*)(crypto_factory_t*, hasher_constructor_t create))remove_hasher;
-	this->public.add_prf = (void(*)(crypto_factory_t*, pseudo_random_function_t algo, prf_constructor_t create))add_prf;
-	this->public.remove_prf = (void(*)(crypto_factory_t*, prf_constructor_t create))remove_prf;
-	this->public.add_rng = (void(*)(crypto_factory_t*, rng_quality_t quality, rng_constructor_t create))add_rng;
-	this->public.remove_rng = (void(*)(crypto_factory_t*, rng_constructor_t create))remove_rng;
-	this->public.add_dh = (void(*)(crypto_factory_t*, diffie_hellman_group_t algo, dh_constructor_t create))add_dh;
-	this->public.remove_dh = (void(*)(crypto_factory_t*, dh_constructor_t create))remove_dh;
-	this->public.create_crypter_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_crypter_enumerator;
-	this->public.create_signer_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_signer_enumerator;
-	this->public.create_hasher_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_hasher_enumerator;
-	this->public.create_prf_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_prf_enumerator;
-	this->public.create_dh_enumerator = (enumerator_t*(*)(crypto_factory_t*))create_dh_enumerator;
-	this->public.add_test_vector = (void(*)(crypto_factory_t*, transform_type_t type, ...))add_test_vector;
-	this->public.destroy = (void(*)(crypto_factory_t*))destroy;
-
-	this->crypters = linked_list_create();
-	this->signers = linked_list_create();
-	this->hashers = linked_list_create();
-	this->prfs = linked_list_create();
-	this->rngs = linked_list_create();
-	this->dhs = linked_list_create();
-	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-	this->tester = crypto_tester_create();
-	this->test_on_add = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.on_add", FALSE);
-	this->test_on_create = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.on_create", FALSE);
+	private_crypto_factory_t *this;
+
+	INIT(this,
+		.public = {
+			.create_crypter = _create_crypter,
+			.create_aead = _create_aead,
+			.create_signer = _create_signer,
+			.create_hasher = _create_hasher,
+			.create_prf = _create_prf,
+			.create_rng = _create_rng,
+			.create_dh = _create_dh,
+			.add_crypter = _add_crypter,
+			.remove_crypter = _remove_crypter,
+			.add_aead = _add_aead,
+			.remove_aead = _remove_aead,
+			.add_signer = _add_signer,
+			.remove_signer = _remove_signer,
+			.add_hasher = _add_hasher,
+			.remove_hasher = _remove_hasher,
+			.add_prf = _add_prf,
+			.remove_prf = _remove_prf,
+			.add_rng = _add_rng,
+			.remove_rng = _remove_rng,
+			.add_dh = _add_dh,
+			.remove_dh = _remove_dh,
+			.create_crypter_enumerator = _create_crypter_enumerator,
+			.create_aead_enumerator = _create_aead_enumerator,
+			.create_signer_enumerator = _create_signer_enumerator,
+			.create_hasher_enumerator = _create_hasher_enumerator,
+			.create_prf_enumerator = _create_prf_enumerator,
+			.create_dh_enumerator = _create_dh_enumerator,
+			.add_test_vector = _add_test_vector,
+			.destroy = _destroy,
+		},
+		.crypters = linked_list_create(),
+		.aeads = linked_list_create(),
+		.signers = linked_list_create(),
+		.hashers = linked_list_create(),
+		.prfs = linked_list_create(),
+		.rngs = linked_list_create(),
+		.dhs = linked_list_create(),
+		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+		.tester = crypto_tester_create(),
+		.test_on_add = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.on_add", FALSE),
+		.test_on_create = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.on_create", FALSE),
+		.bench = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.bench", FALSE),
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h
index 9c6effd26..ff06eda7b 100644
--- a/src/libstrongswan/crypto/crypto_factory.h
+++ b/src/libstrongswan/crypto/crypto_factory.h
@@ -25,6 +25,7 @@ typedef struct crypto_factory_t crypto_factory_t;
 
 #include <library.h>
 #include <crypto/crypters/crypter.h>
+#include <crypto/aead.h>
 #include <crypto/signers/signer.h>
 #include <crypto/hashers/hasher.h>
 #include <crypto/prfs/prf.h>
@@ -38,6 +39,11 @@ typedef struct crypto_factory_t crypto_factory_t;
 typedef crypter_t* (*crypter_constructor_t)(encryption_algorithm_t algo,
 											size_t key_size);
 /**
+ * Constructor function for aead transforms
+ */
+typedef aead_t* (*aead_constructor_t)(encryption_algorithm_t algo,
+									  size_t key_size);
+/**
  * Constructor function for signers
  */
 typedef signer_t* (*signer_constructor_t)(integrity_algorithm_t algo);
@@ -59,8 +65,11 @@ typedef rng_t* (*rng_constructor_t)(rng_quality_t quality);
 
 /**
  * Constructor function for diffie hellman
+ *
+ * The DH constructor accepts additional arguments for:
+ * - MODP_CUSTOM: chunk_t generator, chunk_t prime
  */
-typedef diffie_hellman_t* (*dh_constructor_t)(diffie_hellman_group_t group);
+typedef diffie_hellman_t* (*dh_constructor_t)(diffie_hellman_group_t group, ...);
 
 /**
  * Handles crypto modules and creates instances.
@@ -78,6 +87,16 @@ struct crypto_factory_t {
 								 encryption_algorithm_t algo, size_t key_size);
 
 	/**
+	 * Create a aead instance.
+	 *
+	 * @param algo			encryption algorithm
+	 * @param key_size		length of the key in bytes
+	 * @return				aead_t instance, NULL if not supported
+	 */
+	aead_t* (*create_aead)(crypto_factory_t *this,
+						   encryption_algorithm_t algo, size_t key_size);
+
+	/**
 	 * Create a symmetric signer instance.
 	 *
 	 * @param algo			MAC algorithm to use
@@ -113,11 +132,13 @@ struct crypto_factory_t {
 	/**
 	 * Create a diffie hellman instance.
 	 *
+	 * Additional arguments are passed to the DH constructor.
+	 *
 	 * @param group			diffie hellman group
 	 * @return				diffie_hellman_t instance, NULL if not supported
 	 */
 	diffie_hellman_t* (*create_dh)(crypto_factory_t *this,
-								   diffie_hellman_group_t group);
+								   diffie_hellman_group_t group, ...);
 
 	/**
 	 * Register a crypter constructor.
@@ -137,6 +158,23 @@ struct crypto_factory_t {
 	void (*remove_crypter)(crypto_factory_t *this, crypter_constructor_t create);
 
 	/**
+	 * Unregister a aead constructor.
+	 *
+	 * @param create		constructor function to unregister
+	 */
+	void (*remove_aead)(crypto_factory_t *this, aead_constructor_t create);
+
+	/**
+	 * Register a aead constructor.
+	 *
+	 * @param algo			algorithm to constructor
+	 * @param create		constructor function for that algorithm
+	 * @return
+	 */
+	void (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo,
+					 aead_constructor_t create);
+
+	/**
 	 * Register a signer constructor.
 	 *
 	 * @param algo			algorithm to constructor
@@ -230,6 +268,13 @@ struct crypto_factory_t {
 	enumerator_t* (*create_crypter_enumerator)(crypto_factory_t *this);
 
 	/**
+	 * Create an enumerator over all registered aead algorithms.
+	 *
+	 * @return				enumerator over encryption_algorithm_t
+	 */
+	enumerator_t* (*create_aead_enumerator)(crypto_factory_t *this);
+
+	/**
 	 * Create an enumerator over all registered signer algorithms.
 	 *
 	 * @return				enumerator over integrity_algorithm_t
@@ -261,9 +306,10 @@ struct crypto_factory_t {
 	 * Add a test vector to the crypto factory.
 	 *
 	 * @param type			type of the test vector
-	 * @param ...			pointer to a test vector, defined in crypto_tester.h
+	 * @param vector		pointer to a test vector, defined in crypto_tester.h
 	 */
-	void (*add_test_vector)(crypto_factory_t *this, transform_type_t type, ...);
+	void (*add_test_vector)(crypto_factory_t *this, transform_type_t type,
+							void *vector);
 
 	/**
 	 * Destroy a crypto_factory instance.
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index 76cc1cf2c..d17485ff2 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2009 Martin Willi
+ * Copyright (C) 2009-2010 Martin Willi
  * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010 revosec AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,6 +14,10 @@
  * for more details.
  */
 
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <time.h>
+
 #include "crypto_tester.h"
 
 #include <debug.h>
@@ -36,6 +41,11 @@ struct private_crypto_tester_t {
 	linked_list_t *crypter;
 
 	/**
+	 * List of aead test vectors
+	 */
+	linked_list_t *aead;
+
+	/**
 	 * List of signer test vectors
 	 */
 	linked_list_t *signer;
@@ -64,13 +74,98 @@ struct private_crypto_tester_t {
 	 * should we run RNG_TRUE tests? Enough entropy?
 	 */
 	bool rng_true;
+
+	/**
+	 * time we test each algorithm
+	 */
+	int bench_time;
+
+	/**
+	 * size of buffer we use for benchmarking
+	 */
+	int bench_size;
 };
 
 /**
- * Implementation of crypto_tester_t.test_crypter
+ * Get the name of a test vector, if available
+ */
+static const char* get_name(void *sym)
+{
+#ifdef HAVE_DLADDR
+	Dl_info dli;
+
+	if (dladdr(sym, &dli))
+	{
+		return dli.dli_sname;
+	}
+#endif
+	return "unknown";
+}
+
+/**
+ * Start a benchmark timer
+ */
+static void start_timing(struct timespec *start)
+{
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, start);
+}
+
+/**
+ * End a benchmark timer, return ms
+ */
+static u_int end_timing(struct timespec *start)
+{
+	struct timespec end;
+
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &end);
+	return (end.tv_nsec - start->tv_nsec) / 1000000 +
+			(end.tv_sec - start->tv_sec) * 1000;
+}
+
+/**
+ * Benchmark a crypter
  */
-static bool test_crypter(private_crypto_tester_t *this,
-	encryption_algorithm_t alg, size_t key_size, crypter_constructor_t create)
+static u_int bench_crypter(private_crypto_tester_t *this,
+	encryption_algorithm_t alg, crypter_constructor_t create)
+{
+	crypter_t *crypter;
+
+	crypter = create(alg, 0);
+	if (crypter)
+	{
+		char iv[crypter->get_iv_size(crypter)];
+		char key[crypter->get_key_size(crypter)];
+		chunk_t buf;
+		struct timespec start;
+		u_int runs;
+
+		memset(iv, 0x56, sizeof(iv));
+		memset(key, 0x12, sizeof(key));
+		crypter->set_key(crypter, chunk_from_thing(key));
+
+		buf = chunk_alloc(this->bench_size);
+		memset(buf.ptr, 0x34, buf.len);
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			crypter->encrypt(crypter, buf, chunk_from_thing(iv), NULL);
+			runs++;
+			crypter->decrypt(crypter, buf, chunk_from_thing(iv), NULL);
+			runs++;
+		}
+		free(buf.ptr);
+		crypter->destroy(crypter);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_crypter, bool,
+	private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size,
+	crypter_constructor_t create, u_int *speed)
 {
 	enumerator_t *enumerator;
 	crypter_test_vector_t *vector;
@@ -102,7 +197,7 @@ static bool test_crypter(private_crypto_tester_t *this,
 
 		key = chunk_create(vector->key, crypter->get_key_size(crypter));
 		crypter->set_key(crypter, key);
-		iv = chunk_create(vector->iv, crypter->get_block_size(crypter));
+		iv = chunk_create(vector->iv, crypter->get_iv_size(crypter));
 
 		/* allocated encryption */
 		plain = chunk_create(vector->plain, vector->len);
@@ -136,8 +231,165 @@ static bool test_crypter(private_crypto_tester_t *this,
 		crypter->destroy(crypter);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 encryption_algorithm_names, alg, get_name(vector));
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!tested)
+	{
+		DBG1(DBG_LIB, "%s %N: no test vectors found",
+			 this->required ? "disabled" : "enabled ",
+			 encryption_algorithm_names, alg);
+		return !this->required;
+	}
+	if (!failed)
+	{
+		if (speed)
+		{
+			*speed = bench_crypter(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 encryption_algorithm_names, alg, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
 				 encryption_algorithm_names, alg, tested);
+		}
+	}
+	return !failed;
+}
+
+/**
+ * Benchmark an aead transform
+ */
+static u_int bench_aead(private_crypto_tester_t *this,
+	encryption_algorithm_t alg, aead_constructor_t create)
+{
+	aead_t *aead;
+
+	aead = create(alg, 0);
+	if (aead)
+	{
+		char iv[aead->get_iv_size(aead)];
+		char key[aead->get_key_size(aead)];
+		char assoc[4];
+		chunk_t buf;
+		struct timespec start;
+		u_int runs;
+		size_t icv;
+
+		memset(iv, 0x56, sizeof(iv));
+		memset(key, 0x12, sizeof(key));
+		memset(assoc, 0x78, sizeof(assoc));
+		aead->set_key(aead, chunk_from_thing(key));
+		icv = aead->get_icv_size(aead);
+
+		buf = chunk_alloc(this->bench_size + icv);
+		memset(buf.ptr, 0x34, buf.len);
+		buf.len -= icv;
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			aead->encrypt(aead, buf, chunk_from_thing(assoc),
+						  chunk_from_thing(iv), NULL);
+			runs += 2;
+			aead->decrypt(aead, chunk_create(buf.ptr, buf.len + icv),
+						  chunk_from_thing(assoc), chunk_from_thing(iv), NULL);
+			runs += 2;
+		}
+		free(buf.ptr);
+		aead->destroy(aead);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_aead, bool,
+	private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size,
+	aead_constructor_t create, u_int *speed)
+{
+	enumerator_t *enumerator;
+	aead_test_vector_t *vector;
+	bool failed = FALSE;
+	u_int tested = 0;
+
+	enumerator = this->aead->create_enumerator(this->aead);
+	while (enumerator->enumerate(enumerator, &vector))
+	{
+		aead_t *aead;
+		chunk_t key, plain, cipher, iv, assoc;
+		size_t icv;
+
+		if (vector->alg != alg)
+		{
+			continue;
+		}
+		if (key_size && key_size != vector->key_size)
+		{	/* test only vectors with a specific key size, if key size given */
+			continue;
+		}
+		aead = create(alg, vector->key_size);
+		if (!aead)
+		{	/* key size not supported... */
+			continue;
+		}
+
+		failed = FALSE;
+		tested++;
+
+		key = chunk_create(vector->key, aead->get_key_size(aead));
+		aead->set_key(aead, key);
+		iv = chunk_create(vector->iv, aead->get_iv_size(aead));
+		assoc = chunk_create(vector->adata, vector->alen);
+		icv = aead->get_icv_size(aead);
+
+		/* allocated encryption */
+		plain = chunk_create(vector->plain, vector->len);
+		aead->encrypt(aead, plain, assoc, iv, &cipher);
+		if (!memeq(vector->cipher, cipher.ptr, cipher.len))
+		{
+			failed = TRUE;
+		}
+		/* inline decryption */
+		if (!aead->decrypt(aead, cipher, assoc, iv, NULL))
+		{
+			failed = TRUE;
+		}
+		if (!memeq(vector->plain, cipher.ptr, cipher.len - icv))
+		{
+			failed = TRUE;
+		}
+		free(cipher.ptr);
+		/* allocated decryption */
+		cipher = chunk_create(vector->cipher, vector->len + icv);
+		if (!aead->decrypt(aead, cipher, assoc, iv, &plain))
+		{
+			plain = chunk_empty;
+			failed = TRUE;
+		}
+		else if (!memeq(vector->plain, plain.ptr, plain.len))
+		{
+			failed = TRUE;
+		}
+		plain.ptr = realloc(plain.ptr, plain.len + icv);
+		/* inline encryption */
+		aead->encrypt(aead, plain, assoc, iv, NULL);
+		if (!memeq(vector->cipher, plain.ptr, plain.len + icv))
+		{
+			failed = TRUE;
+		}
+		free(plain.ptr);
+
+		aead->destroy(aead);
+		if (failed)
+		{
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 encryption_algorithm_names, alg, get_name(vector));
 			break;
 		}
 	}
@@ -151,17 +403,64 @@ static bool test_crypter(private_crypto_tester_t *this,
 	}
 	if (!failed)
 	{
-		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-			 encryption_algorithm_names, alg, tested);
+		if (speed)
+		{
+			*speed = bench_aead(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 encryption_algorithm_names, alg, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
+				 encryption_algorithm_names, alg, tested);
+		}
 	}
 	return !failed;
 }
 
 /**
- * Implementation of crypto_tester_t.test_signer
+ * Benchmark a signer
  */
-static bool test_signer(private_crypto_tester_t *this,
-						integrity_algorithm_t alg, signer_constructor_t create)
+static u_int bench_signer(private_crypto_tester_t *this,
+	encryption_algorithm_t alg, signer_constructor_t create)
+{
+	signer_t *signer;
+
+	signer = create(alg);
+	if (signer)
+	{
+		char key[signer->get_key_size(signer)];
+		char mac[signer->get_block_size(signer)];
+		chunk_t buf;
+		struct timespec start;
+		u_int runs;
+
+		memset(key, 0x12, sizeof(key));
+		signer->set_key(signer, chunk_from_thing(key));
+
+		buf = chunk_alloc(this->bench_size);
+		memset(buf.ptr, 0x34, buf.len);
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			signer->get_signature(signer, buf, mac);
+			runs++;
+			signer->verify_signature(signer, buf, chunk_from_thing(mac));
+			runs++;
+		}
+		free(buf.ptr);
+		signer->destroy(signer);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_signer, bool,
+	private_crypto_tester_t *this, integrity_algorithm_t alg,
+	signer_constructor_t create, u_int *speed)
 {
 	enumerator_t *enumerator;
 	signer_test_vector_t *vector;
@@ -226,11 +525,10 @@ static bool test_signer(private_crypto_tester_t *this,
 		/* signature to existing buffer, using append mode */
 		if (data.len > 2)
 		{
-			memset(mac.ptr, 0, mac.len);
 			signer->allocate_signature(signer, chunk_create(data.ptr, 1), NULL);
 			signer->get_signature(signer, chunk_create(data.ptr + 1, 1), NULL);
-			signer->get_signature(signer, chunk_skip(data, 2), mac.ptr);
-			if (!memeq(vector->mac, mac.ptr, mac.len))
+			if (!signer->verify_signature(signer, chunk_skip(data, 2),
+										  chunk_create(vector->mac, mac.len)))
 			{
 				failed = TRUE;
 			}
@@ -240,8 +538,8 @@ static bool test_signer(private_crypto_tester_t *this,
 		signer->destroy(signer);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
-				 integrity_algorithm_names, alg, tested);
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 integrity_algorithm_names, alg, get_name(vector));
 			break;
 		}
 	}
@@ -255,17 +553,58 @@ static bool test_signer(private_crypto_tester_t *this,
 	}
 	if (!failed)
 	{
-		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-			 integrity_algorithm_names, alg, tested);
+		if (speed)
+		{
+			*speed = bench_signer(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 integrity_algorithm_names, alg, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
+				 integrity_algorithm_names, alg, tested);
+		}
 	}
 	return !failed;
 }
 
 /**
- * Implementation of hasher_t.test_hasher
+ * Benchmark a hasher
  */
-static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
-						hasher_constructor_t create)
+static u_int bench_hasher(private_crypto_tester_t *this,
+	hash_algorithm_t alg, hasher_constructor_t create)
+{
+	hasher_t *hasher;
+
+	hasher = create(alg);
+	if (hasher)
+	{
+		char hash[hasher->get_hash_size(hasher)];
+		chunk_t buf;
+		struct timespec start;
+		u_int runs;
+
+		buf = chunk_alloc(this->bench_size);
+		memset(buf.ptr, 0x34, buf.len);
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			hasher->get_hash(hasher, buf, hash);
+			runs++;
+		}
+		free(buf.ptr);
+		hasher->destroy(hasher);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_hasher, bool,
+	private_crypto_tester_t *this, hash_algorithm_t alg,
+	hasher_constructor_t create, u_int *speed)
 {
 	enumerator_t *enumerator;
 	hasher_test_vector_t *vector;
@@ -330,8 +669,8 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 		hasher->destroy(hasher);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
-				 hash_algorithm_names, alg, tested);
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 hash_algorithm_names, alg, get_name(vector));
 			break;
 		}
 	}
@@ -345,17 +684,58 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
 	}
 	if (!failed)
 	{
-		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-			 hash_algorithm_names, alg, tested);
+		if (speed)
+		{
+			*speed = bench_hasher(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 hash_algorithm_names, alg, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
+				 hash_algorithm_names, alg, tested);
+		}
 	}
 	return !failed;
 }
 
 /**
- * Implementation of crypto_tester_t.test_prf
+ * Benchmark a PRF
  */
-static bool test_prf(private_crypto_tester_t *this,
-					 pseudo_random_function_t alg, prf_constructor_t create)
+static u_int bench_prf(private_crypto_tester_t *this,
+					   pseudo_random_function_t alg, prf_constructor_t create)
+{
+	prf_t *prf;
+
+	prf = create(alg);
+	if (prf)
+	{
+		char bytes[prf->get_block_size(prf)];
+		chunk_t buf;
+		struct timespec start;
+		u_int runs;
+
+		buf = chunk_alloc(this->bench_size);
+		memset(buf.ptr, 0x34, buf.len);
+
+		runs = 0;
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			prf->get_bytes(prf, buf, bytes);
+			runs++;
+		}
+		free(buf.ptr);
+		prf->destroy(prf);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_prf, bool,
+	private_crypto_tester_t *this, pseudo_random_function_t alg,
+	prf_constructor_t create, u_int *speed)
 {
 	enumerator_t *enumerator;
 	prf_test_vector_t *vector;
@@ -431,8 +811,8 @@ static bool test_prf(private_crypto_tester_t *this,
 		prf->destroy(prf);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
-				 pseudo_random_function_names, alg, tested);
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 pseudo_random_function_names, alg, get_name(vector));
 			break;
 		}
 	}
@@ -446,17 +826,55 @@ static bool test_prf(private_crypto_tester_t *this,
 	}
 	if (!failed)
 	{
-		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-			 pseudo_random_function_names, alg, tested);
+		if (speed)
+		{
+			*speed = bench_prf(this, alg, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 pseudo_random_function_names, alg, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
+				 pseudo_random_function_names, alg, tested);
+		}
 	}
 	return !failed;
 }
 
 /**
- * Implementation of crypto_tester_t.test_rng
+ * Benchmark a RNG
  */
-static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
-					 rng_constructor_t create)
+static u_int bench_rng(private_crypto_tester_t *this,
+					   rng_quality_t quality, rng_constructor_t create)
+{
+	rng_t *rng;
+
+	rng = create(quality);
+	if (rng)
+	{
+		struct timespec start;
+		chunk_t buf;
+		u_int runs;
+
+		runs = 0;
+		buf = chunk_alloc(this->bench_size);
+		start_timing(&start);
+		while (end_timing(&start) < this->bench_time)
+		{
+			rng->get_bytes(rng, buf.len, buf.ptr);
+			runs++;
+		}
+		free(buf.ptr);
+		rng->destroy(rng);
+
+		return runs;
+	}
+	return 0;
+}
+
+METHOD(crypto_tester_t, test_rng, bool,
+	private_crypto_tester_t *this, rng_quality_t quality,
+	rng_constructor_t create, u_int *speed)
 {
 	enumerator_t *enumerator;
 	rng_test_vector_t *vector;
@@ -515,8 +933,8 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 		rng->destroy(rng);
 		if (failed)
 		{
-			DBG1(DBG_LIB, "disabled %N: test vector %u failed",
-				 rng_quality_names, quality, tested);
+			DBG1(DBG_LIB, "disabled %N: %s test vector failed",
+				 rng_quality_names, quality, get_name(vector));
 			break;
 		}
 	}
@@ -530,63 +948,62 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
 	}
 	if (!failed)
 	{
-		DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
-			 rng_quality_names, quality, tested);
+		if (speed)
+		{
+			*speed = bench_rng(this, quality, create);
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors, %d points",
+				 rng_quality_names, quality, tested, *speed);
+		}
+		else
+		{
+			DBG1(DBG_LIB, "enabled  %N: passed %u test vectors",
+				 rng_quality_names, quality, tested);
+		}
 	}
 	return !failed;
 }
 
-/**
- * Implementation of crypter_tester_t.add_crypter_vector
- */
-static void add_crypter_vector(private_crypto_tester_t *this,
-							   crypter_test_vector_t *vector)
+METHOD(crypto_tester_t, add_crypter_vector, void,
+	private_crypto_tester_t *this, crypter_test_vector_t *vector)
 {
 	this->crypter->insert_last(this->crypter, vector);
 }
 
-/**
- * Implementation of crypter_tester_t.add_signer_vector
- */
-static void add_signer_vector(private_crypto_tester_t *this,
-							  signer_test_vector_t *vector)
+METHOD(crypto_tester_t, add_aead_vector, void,
+	private_crypto_tester_t *this, aead_test_vector_t *vector)
+{
+	this->aead->insert_last(this->aead, vector);
+}
+
+METHOD(crypto_tester_t, add_signer_vector, void,
+	private_crypto_tester_t *this, signer_test_vector_t *vector)
 {
 	this->signer->insert_last(this->signer, vector);
 }
 
-/**
- * Implementation of crypter_tester_t.add_hasher_vector
- */
-static void add_hasher_vector(private_crypto_tester_t *this,
-							  hasher_test_vector_t *vector)
+METHOD(crypto_tester_t, add_hasher_vector, void,
+	private_crypto_tester_t *this, hasher_test_vector_t *vector)
 {
 	this->hasher->insert_last(this->hasher, vector);
 }
 
-/**
- * Implementation of crypter_tester_t.add_prf_vector
- */
-static void add_prf_vector(private_crypto_tester_t *this,
-						   prf_test_vector_t *vector)
+METHOD(crypto_tester_t, add_prf_vector, void,
+	private_crypto_tester_t *this, prf_test_vector_t *vector)
 {
 	this->prf->insert_last(this->prf, vector);
 }
 
-/**
- * Implementation of crypter_tester_t.add_rng_vector
- */
-static void add_rng_vector(private_crypto_tester_t *this,
-						   rng_test_vector_t *vector)
+METHOD(crypto_tester_t, add_rng_vector, void,
+	private_crypto_tester_t *this, rng_test_vector_t *vector)
 {
 	this->rng->insert_last(this->rng, vector);
 }
 
-/**
- * Implementation of crypto_tester_t.destroy.
- */
-static void destroy(private_crypto_tester_t *this)
+METHOD(crypto_tester_t, destroy, void,
+	private_crypto_tester_t *this)
 {
 	this->crypter->destroy(this->crypter);
+	this->aead->destroy(this->aead);
 	this->signer->destroy(this->signer);
 	this->hasher->destroy(this->hasher);
 	this->prf->destroy(this->prf);
@@ -599,30 +1016,43 @@ static void destroy(private_crypto_tester_t *this)
  */
 crypto_tester_t *crypto_tester_create()
 {
-	private_crypto_tester_t *this = malloc_thing(private_crypto_tester_t);
-
-	this->public.test_crypter = (bool(*)(crypto_tester_t*, encryption_algorithm_t alg,size_t key_size, crypter_constructor_t create))test_crypter;
-	this->public.test_signer = (bool(*)(crypto_tester_t*, integrity_algorithm_t alg, signer_constructor_t create))test_signer;
-	this->public.test_hasher = (bool(*)(crypto_tester_t*, hash_algorithm_t alg, hasher_constructor_t create))test_hasher;
-	this->public.test_prf = (bool(*)(crypto_tester_t*, pseudo_random_function_t alg, prf_constructor_t create))test_prf;
-	this->public.test_rng = (bool(*)(crypto_tester_t*, rng_quality_t quality, rng_constructor_t create))test_rng;
-	this->public.add_crypter_vector = (void(*)(crypto_tester_t*, crypter_test_vector_t *vector))add_crypter_vector;
-	this->public.add_signer_vector = (void(*)(crypto_tester_t*, signer_test_vector_t *vector))add_signer_vector;
-	this->public.add_hasher_vector = (void(*)(crypto_tester_t*, hasher_test_vector_t *vector))add_hasher_vector;
-	this->public.add_prf_vector = (void(*)(crypto_tester_t*, prf_test_vector_t *vector))add_prf_vector;
-	this->public.add_rng_vector = (void(*)(crypto_tester_t*, rng_test_vector_t *vector))add_rng_vector;
-	this->public.destroy = (void(*)(crypto_tester_t*))destroy;
-
-	this->crypter = linked_list_create();
-	this->signer = linked_list_create();
-	this->hasher = linked_list_create();
-	this->prf = linked_list_create();
-	this->rng = linked_list_create();
-
-	this->required = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.required", FALSE);
-	this->rng_true = lib->settings->get_bool(lib->settings,
-								"libstrongswan.crypto_test.rng_true", FALSE);
+	private_crypto_tester_t *this;
+
+	INIT(this,
+		.public = {
+			.test_crypter = _test_crypter,
+			.test_aead = _test_aead,
+			.test_signer = _test_signer,
+			.test_hasher = _test_hasher,
+			.test_prf = _test_prf,
+			.test_rng = _test_rng,
+			.add_crypter_vector = _add_crypter_vector,
+			.add_aead_vector = _add_aead_vector,
+			.add_signer_vector = _add_signer_vector,
+			.add_hasher_vector = _add_hasher_vector,
+			.add_prf_vector = _add_prf_vector,
+			.add_rng_vector = _add_rng_vector,
+			.destroy = _destroy,
+		},
+		.crypter = linked_list_create(),
+		.aead = linked_list_create(),
+		.signer = linked_list_create(),
+		.hasher = linked_list_create(),
+		.prf = linked_list_create(),
+		.rng = linked_list_create(),
+
+		.required = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.required", FALSE),
+		.rng_true = lib->settings->get_bool(lib->settings,
+								"libstrongswan.crypto_test.rng_true", FALSE),
+		.bench_time = lib->settings->get_int(lib->settings,
+								"libstrongswan.crypto_test.bench_time", 50),
+		.bench_size = lib->settings->get_int(lib->settings,
+								"libstrongswan.crypto_test.bench_size", 1024),
+	);
+
+	/* enforce a block size of 16, should be fine for all algorithms */
+	this->bench_size = this->bench_size / 16 * 16;
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h
index ddcc2da51..cef0b3c18 100644
--- a/src/libstrongswan/crypto/crypto_tester.h
+++ b/src/libstrongswan/crypto/crypto_tester.h
@@ -26,6 +26,7 @@ typedef struct crypto_tester_t crypto_tester_t;
 #include <crypto/crypto_factory.h>
 
 typedef struct crypter_test_vector_t crypter_test_vector_t;
+typedef struct aead_test_vector_t aead_test_vector_t;
 typedef struct signer_test_vector_t signer_test_vector_t;
 typedef struct hasher_test_vector_t hasher_test_vector_t;
 typedef struct prf_test_vector_t prf_test_vector_t;
@@ -48,6 +49,27 @@ struct crypter_test_vector_t {
 	u_char *cipher;
 };
 
+struct aead_test_vector_t {
+	/** encryption algorithm this vector tests */
+	encryption_algorithm_t alg;
+	/** key length to use, in bytes */
+	size_t key_size;
+	/** encryption key of test vector */
+	u_char *key;
+	/** initialization vector, using crypters blocksize bytes */
+	u_char *iv;
+	/** length of associated data */
+	size_t alen;
+	/** associated data */
+	u_char *adata;
+	/** length of plain text */
+	size_t len;
+	/** plain text */
+	u_char *plain;
+	/** cipher text */
+	u_char *cipher;
+};
+
 struct signer_test_vector_t {
 	/** signer algorithm this test vector tests */
 	pseudo_random_function_t alg;
@@ -114,48 +136,67 @@ struct crypto_tester_t {
 	 * Test a crypter algorithm, optionally using a specified key size.
 	 *
 	 * @param alg			algorithm to test
-	 * @param key_size		key size to test, 0 for all
+	 * @param key_size		key size to test, 0 for default
 	 * @param create		constructor function for the crypter
+	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_crypter)(crypto_tester_t *this, encryption_algorithm_t alg,
-						 size_t key_size, crypter_constructor_t create);
+						 size_t key_size, crypter_constructor_t create,
+						 u_int *speed);
+
+	/**
+	 * Test an aead algorithm, optionally using a specified key size.
+	 *
+	 * @param alg			algorithm to test
+	 * @param key_size		key size to test, 0 for default
+	 * @param create		constructor function for the aead transform
+	 * @param speed			speed test result, NULL to omit
+	 * @return				TRUE if test passed
+	 */
+	bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg,
+						 size_t key_size, aead_constructor_t create,
+						 u_int *speed);
 	/**
 	 * Test a signer algorithm.
 	 *
 	 * @param alg			algorithm to test
 	 * @param create		constructor function for the signer
+	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_signer)(crypto_tester_t *this, integrity_algorithm_t alg,
-						signer_constructor_t create);
+						signer_constructor_t create, u_int *speed);
 	/**
 	 * Test a hasher algorithm.
 	 *
 	 * @param alg			algorithm to test
 	 * @param create		constructor function for the hasher
+	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_hasher)(crypto_tester_t *this, hash_algorithm_t alg,
-						hasher_constructor_t create);
+						hasher_constructor_t create, u_int *speed);
 	/**
 	 * Test a PRF algorithm.
 	 *
 	 * @param alg			algorithm to test
 	 * @param create		constructor function for the PRF
+	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_prf)(crypto_tester_t *this, pseudo_random_function_t alg,
-					 prf_constructor_t create);
+					 prf_constructor_t create, u_int *speed);
 	/**
 	 * Test a RNG implementation.
 	 *
 	 * @param alg			algorithm to test
 	 * @param create		constructor function for the RNG
+	 * @param speed			speed test result, NULL to omit
 	 * @return				TRUE if test passed
 	 */
 	bool (*test_rng)(crypto_tester_t *this, rng_quality_t quality,
-					 rng_constructor_t create);
+					 rng_constructor_t create, u_int *speed);
 	/**
 	 * Add a test vector to test a crypter.
 	 *
@@ -164,6 +205,13 @@ struct crypto_tester_t {
 	void (*add_crypter_vector)(crypto_tester_t *this,
 							   crypter_test_vector_t *vector);
 	/**
+	 * Add a test vector to test an aead transform.
+	 *
+	 * @param vector		pointer to test vector
+	 */
+	void (*add_aead_vector)(crypto_tester_t *this,
+							aead_test_vector_t *vector);
+	/**
 	 * Add a test vector to test a signer.
 	 *
 	 * @param vector		pointer to test vector
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 9bd8991fc..5f7365321 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -38,9 +38,10 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_224_BIT, ECP_521_BIT,
 	"MODP_2048_256",
 	"ECP_192",
 	"ECP_224");
-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_224_BIT,
-	"MODP_NULL");
-ENUM_END(diffie_hellman_group_names, MODP_NULL);
+ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_224_BIT,
+	"MODP_NULL",
+	"MODP_CUSTOM");
+ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
 
 
 /**
@@ -441,3 +442,20 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
 	return NULL;
 }
 
+/**
+ * See header.
+ */
+bool diffie_hellman_group_is_ec(diffie_hellman_group_t group)
+{
+	switch (group)
+	{
+		case ECP_256_BIT:
+		case ECP_384_BIT:
+		case ECP_521_BIT:
+		case ECP_192_BIT:
+		case ECP_224_BIT:
+			return TRUE;
+		default:
+			return FALSE;
+	}
+}
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index cdc9c785e..9ae772363 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -57,6 +57,8 @@ enum diffie_hellman_group_t {
 	ECP_224_BIT   = 26,
 	/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
 	MODP_NULL = 1024,
+	/** MODP group with custon generator, prime */
+	MODP_CUSTOM = 1025,
 };
 
 /**
@@ -145,4 +147,12 @@ struct diffie_hellman_params_t {
  */
 diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group);
 
+/**
+ * Check if a given DH group is an ECDH group
+ *
+ * @param group			group to check
+ * @return				TUE if group is an ECP group
+ */
+bool diffie_hellman_group_is_ec(diffie_hellman_group_t group);
+
 #endif /** DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/libstrongswan/crypto/prfs/prf.c b/src/libstrongswan/crypto/prfs/prf.c
index 8681a5b97..12e13ef57 100644
--- a/src/libstrongswan/crypto/prfs/prf.c
+++ b/src/libstrongswan/crypto/prfs/prf.c
@@ -16,12 +16,13 @@
 
 #include "prf.h"
 
-ENUM_BEGIN(pseudo_random_function_names, PRF_UNDEFINED, PRF_KEYED_SHA1,
+ENUM_BEGIN(pseudo_random_function_names, PRF_UNDEFINED, PRF_CAMELLIA128_XCBC,
 	"PRF_UNDEFINED",
 	"PRF_FIPS_SHA1_160",
 	"PRF_FIPS_DES",
-	"PRF_KEYED_SHA1");
-ENUM_NEXT(pseudo_random_function_names, PRF_HMAC_MD5, PRF_AES128_CMAC, PRF_KEYED_SHA1,
+	"PRF_KEYED_SHA1",
+	"PRF_CAMELLIA128_XCBC");
+ENUM_NEXT(pseudo_random_function_names, PRF_HMAC_MD5, PRF_AES128_CMAC, PRF_CAMELLIA128_XCBC,
 	"PRF_HMAC_MD5",
 	"PRF_HMAC_SHA1",
 	"PRF_HMAC_TIGER",
diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h
index 6e853444f..ad15205d3 100644
--- a/src/libstrongswan/crypto/prfs/prf.h
+++ b/src/libstrongswan/crypto/prfs/prf.h
@@ -30,8 +30,7 @@ typedef struct prf_t prf_t;
 /**
  * Pseudo random function, as in IKEv2 RFC 3.3.2.
  *
- * PRF algorithms not defined in IKEv2 are allocated in "private use"
- * space.
+ * PRF algorithms not defined in IKEv2 are allocated in "private use" space.
  */
 enum pseudo_random_function_t {
 	PRF_UNDEFINED = 1024,
@@ -55,11 +54,12 @@ enum pseudo_random_function_t {
 	PRF_FIPS_SHA1_160 = 1025,
 	/** FIPS 186-2-change1, uses fixed output size of 160bit */
 	PRF_FIPS_DES = 1026,
-	/**
-	 * Keyed hash algorithm using SHA1, used in EAP-AKA:
+	/** Keyed hash algorithm using SHA1, used in EAP-AKA:
 	 * This PRF uses SHA1, but XORs the key into the IV. No "Final()" operation
 	 * is applied to the SHA1 state. */
 	PRF_KEYED_SHA1 = 1027,
+	/** draft-kanno-ipsecme-camellia-xcbc, not yet assigned by IANA */
+	PRF_CAMELLIA128_XCBC = 1028,
 };
 
 /**
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.c b/src/libstrongswan/crypto/proposal/proposal_keywords.c
index a43dde7ea..10ab9fc23 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.c
@@ -1,6 +1,6 @@
 /* C code produced by gperf version 3.0.3 */
 /* Command-line: /usr/bin/gperf -N proposal_get_token -m 10 -C -G -c -t -D  */
-/* Computed positions: -k'1,5,7,10,$' */
+/* Computed positions: -k'1,5,7,10,15,$' */
 
 #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
       && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -59,12 +59,12 @@ struct proposal_token {
     u_int16_t         keysize;
 };
 
-#define TOTAL_KEYWORDS 95
+#define TOTAL_KEYWORDS 117
 #define MIN_WORD_LENGTH 3
-#define MAX_WORD_LENGTH 12
-#define MIN_HASH_VALUE 5
-#define MAX_HASH_VALUE 137
-/* maximum key range = 133, duplicates = 0 */
+#define MAX_WORD_LENGTH 17
+#define MIN_HASH_VALUE 9
+#define MAX_HASH_VALUE 209
+/* maximum key range = 201, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -80,38 +80,45 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138,   3,  11,
-        2,  23,  29,  27,  21,  16,   5,   0, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138,  17, 138,   1,   0,   1,
-        9,   9,  50,   0,   4,  54, 138, 138,   1, 138,
-       35,   0, 138, 138,  71,   3,  38,  22, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138, 138, 138, 138,
-      138, 138, 138, 138, 138, 138, 138
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210,  16,   9,
+        4,  41,  66,  19,   8,   4,   5,   3, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 122, 210,   3,  22,  21,
+        3, 111, 103,  48,   7,   4, 210, 210,   3, 210,
+       57,   3, 210, 210,  78,   6,   3,  28, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210, 210, 210, 210,
+      210, 210, 210, 210, 210, 210, 210
     };
   register int hval = len;
 
   switch (hval)
     {
       default:
+        hval += asso_values[(unsigned char)str[14]];
+      /*FALLTHROUGH*/
+      case 14:
+      case 13:
+      case 12:
+      case 11:
+      case 10:
         hval += asso_values[(unsigned char)str[9]];
       /*FALLTHROUGH*/
       case 9:
@@ -135,115 +142,148 @@ hash (str, len)
 
 static const struct proposal_token wordlist[] =
   {
+    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
     {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0},
+    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
+    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
+    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,               128},
+    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
     {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
     {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
-    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
-    {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
+    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
-    {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
-    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
-    {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"camellia192ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
+    {"camellia128ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
+    {"camellia192ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+    {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
+    {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+    {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
+    {"camellia192ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
+    {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
+    {"camellia192ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192},
+    {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
+    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
+    {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
+    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
+    {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
+    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
+    {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
     {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
-    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
     {"aes128ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
-    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
+    {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
+    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
     {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
-    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
-    {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
     {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
-    {"aes128gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
     {"aes128ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
+    {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
+    {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
+    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
+    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
+    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
+    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
+    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
+    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
+    {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
+    {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
+    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
+    {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"aes128gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
     {"aes192gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
-    {"aes192ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
     {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
-    {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
-    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
-    {"cast128",          ENCRYPTION_ALGORITHM, ENCR_CAST,               128},
-    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
-    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
+    {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
+    {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
+    {"aes128gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
     {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
-    {"aes192ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
     {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
-    {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
+    {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
+    {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
+    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
+    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
+    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
     {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
-    {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
+    {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
     {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
-    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
     {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
     {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
-    {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
-    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
-    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
-    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
-    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
-    {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
-    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
-    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
-    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
     {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
-    {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
-    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
-    {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
-    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
+    {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
+    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
+    {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
+    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
+    {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
+    {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
+    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
     {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
+    {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
     {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
-    {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
     {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
-    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
-    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
-    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
-    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
-    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
-    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
-    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
-    {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
-    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
     {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
-    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
     {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
     {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
+    {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
+    {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
+    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
+    {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
+    {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
+    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
     {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
-    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
+    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
+    {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
     {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
-    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
     {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
+    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
+    {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
+    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
+    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
     {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
-    {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
-    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
-    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256}
+    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0}
   };
 
 static const short lookup[] =
   {
-    -1, -1, -1, -1, -1,  0,  1, -1,  2, -1,  3, -1,  4,  5,
-     6,  7, -1, -1, -1, -1,  8,  9, 10, 11, 12, 13, 14, 15,
-    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, 26, -1, -1,
-    27, 28, 29, 30, 31, 32, 33, -1, 34, 35, 36, 37, 38, 39,
-    40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53,
-    54, 55, 56, 57, 58, -1, 59, 60, 61, 62, 63, 64, 65, 66,
-    67, 68, -1, 69, 70, 71, 72, 73, 74, 75, 76, -1, -1, 77,
-    78, 79, 80, 81, -1, -1, 82, 83, -1, -1, 84, 85, -1, 86,
-    87, 88, 89, -1, -1, -1, -1, -1, -1, -1, 90, 91, -1, -1,
-    -1, -1, -1, -1, 92, -1, 93, -1, -1, -1, -1, 94
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,
+      1,  -1,  -1,  -1,  -1,  -1,   2,  -1,  -1,  -1,
+     -1,   3,   4,  -1,  -1,  -1,  -1,  -1,   5,   6,
+      7,   8,  -1,  -1,  -1,   9,  10,  11,  12,  13,
+     14,  15,  16,  17,  18,  19,  20,  21,  22,  -1,
+     -1,  -1,  -1,  23,  24,  25,  26,  27,  28,  29,
+     30,  -1,  31,  -1,  32,  33,  34,  35,  36,  37,
+     38,  39,  40,  41,  42,  43,  44,  45,  46,  47,
+     48,  -1,  49,  -1,  50,  -1,  51,  -1,  52,  -1,
+     53,  -1,  54,  55,  56,  57,  58,  59,  60,  61,
+     62,  63,  64,  65,  66,  67,  68,  69,  -1,  70,
+     -1,  71,  -1,  72,  73,  74,  75,  76,  -1,  77,
+     78,  79,  80,  81,  -1,  82,  83,  84,  85,  -1,
+     -1,  86,  87,  88,  89,  90,  91,  92,  -1,  -1,
+     93,  94,  95,  96,  97,  98,  99, 100, 101, 102,
+    103, 104,  -1,  -1,  -1,  -1,  -1,  -1, 105, 106,
+    107, 108,  -1,  -1,  -1,  -1, 109,  -1, 110,  -1,
+     -1,  -1,  -1,  -1, 111,  -1,  -1,  -1,  -1, 112,
+    113,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1, 114, 115,  -1,  -1,  -1, 116
   };
 
 #ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.txt b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
index 338993821..208c6715b 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords.txt
@@ -86,6 +86,27 @@ camellia,         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128
 camellia128,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128
 camellia192,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192
 camellia256,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256
+camellia128ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128
+camellia192ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192
+camellia256ctr,   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256
+camellia128ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128
+camellia128ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128
+camellia128ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128
+camellia128ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128
+camellia128ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128
+camellia128ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128
+camellia192ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192
+camellia192ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192
+camellia192ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192
+camellia192ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192
+camellia192ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192
+camellia192ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 192
+camellia256ccm8,  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256
+camellia256ccm64, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256
+camellia256ccm12, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256
+camellia256ccm96, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256
+camellia256ccm16, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256
+camellia256ccm128,ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256
 cast128,          ENCRYPTION_ALGORITHM, ENCR_CAST,               128
 serpent,          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128
 serpent128,       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128
@@ -107,6 +128,7 @@ sha512,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0
 sha2_512,         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0
 md5,              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0
 aesxcbc,          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0
+camelliaxcbc,     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0
 modpnull,         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0
 modp768,          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0
 modp1024,         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0
diff --git a/src/libstrongswan/crypto/signers/signer.c b/src/libstrongswan/crypto/signers/signer.c
index e98916bfe..d8659170b 100644
--- a/src/libstrongswan/crypto/signers/signer.c
+++ b/src/libstrongswan/crypto/signers/signer.c
@@ -16,11 +16,14 @@
 
 #include "signer.h"
 
-ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_HMAC_SHA2_256_96,
+ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_CAMELLIA_XCBC_96,
 	"UNDEFINED",
 	"HMAC_SHA1_128",
-	"HMAC_SHA2_256_96");
-ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_HMAC_SHA2_256_96,
+	"HMAC_SHA2_256_96",
+	"HMAC_SHA2_256_256",
+	"HMAC_SHA2_384_384",
+	"CAMELLIA_XCBC_96");
+ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_HMAC_SHA2_512_256, AUTH_CAMELLIA_XCBC_96,
 	"HMAC_MD5_96",
 	"HMAC_SHA1_96",
 	"DES_MAC",
diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h
index 94e8c99b9..e2c224d8b 100644
--- a/src/libstrongswan/crypto/signers/signer.h
+++ b/src/libstrongswan/crypto/signers/signer.h
@@ -66,6 +66,12 @@ enum integrity_algorithm_t {
 	AUTH_HMAC_SHA1_128 = 1025,
 	/** SHA256 96 bit truncation variant, supported by Linux kernels */
 	AUTH_HMAC_SHA2_256_96 = 1026,
+	/** SHA256 full length tuncation variant, as used in TLS */
+	AUTH_HMAC_SHA2_256_256 = 1027,
+	/** SHA384 full length tuncation variant, as used in TLS */
+	AUTH_HMAC_SHA2_384_384 = 1028,
+	/** draft-kanno-ipsecme-camellia-xcbc, not yet assigned by IANA */
+	AUTH_CAMELLIA_XCBC_96 = 1029,
 };
 
 /**
@@ -102,6 +108,10 @@ struct signer_t {
 	/**
 	 * Verify a signature.
 	 *
+	 * To verify a signature of multiple chunks of data, pass the
+	 * data to get_signature() with a NULL buffer. verify_signature() acts
+	 * as a final call and includes all data fed to get_signature().
+	 *
 	 * @param data		a chunk containing the data to verify
 	 * @param signature	a chunk containing the signature
 	 * @return			TRUE, if signature is valid, FALSE otherwise
diff --git a/src/libstrongswan/crypto/transform.c b/src/libstrongswan/crypto/transform.c
index af40f4de6..cec90a616 100644
--- a/src/libstrongswan/crypto/transform.c
+++ b/src/libstrongswan/crypto/transform.c
@@ -15,11 +15,12 @@
 
 #include <crypto/transform.h>
 
-ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, RANDOM_NUMBER_GENERATOR,
+ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, AEAD_ALGORITHM,
 	"UNDEFINED_TRANSFORM_TYPE",
 	"HASH_ALGORITHM",
-	"RANDOM_NUMBER_GENERATOR");
-ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, RANDOM_NUMBER_GENERATOR,
+	"RANDOM_NUMBER_GENERATOR",
+	"AEAD_ALGORITHM");
+ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, AEAD_ALGORITHM,
 	"ENCRYPTION_ALGORITHM",
 	"PSEUDO_RANDOM_FUNCTION",
 	"INTEGRITY_ALGORITHM",
diff --git a/src/libstrongswan/crypto/transform.h b/src/libstrongswan/crypto/transform.h
index d11700a73..1a2660199 100644
--- a/src/libstrongswan/crypto/transform.h
+++ b/src/libstrongswan/crypto/transform.h
@@ -32,6 +32,7 @@ enum transform_type_t {
 	UNDEFINED_TRANSFORM_TYPE = 241,
 	HASH_ALGORITHM = 242,
 	RANDOM_NUMBER_GENERATOR = 243,
+	AEAD_ALGORITHM = 244,
 	ENCRYPTION_ALGORITHM = 1,
 	PSEUDO_RANDOM_FUNCTION = 2,
 	INTEGRITY_ALGORITHM = 3,
diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/debug.c
index 21a7e63dd..6ded70248 100644
--- a/src/libstrongswan/debug.c
+++ b/src/libstrongswan/debug.c
@@ -27,6 +27,8 @@ ENUM(debug_names, DBG_DMN, DBG_LIB,
 	"KNL",
 	"NET",
 	"ENC",
+	"TNC",
+	"TLS",
 	"LIB",
 );
 
@@ -40,6 +42,8 @@ ENUM(debug_lower_names, DBG_DMN, DBG_LIB,
 	"knl",
 	"net",
 	"enc",
+	"tnc",
+	"tls",
 	"lib",
 );
 
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h
index a21111d93..d3399bff6 100644
--- a/src/libstrongswan/debug.h
+++ b/src/libstrongswan/debug.h
@@ -50,6 +50,10 @@ enum debug_t {
 	DBG_NET,
 	/** message encoding/decoding */
 	DBG_ENC,
+	/** trusted network connect */
+	DBG_TNC,
+	/** libtls */
+	DBG_TLS,
 	/** libstrongswan */
 	DBG_LIB,
 	/** number of groups */
diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c
new file mode 100644
index 000000000..71734017a
--- /dev/null
+++ b/src/libstrongswan/eap/eap.c
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap.h"
+
+ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
+	"EAP_REQUEST",
+	"EAP_RESPONSE",
+	"EAP_SUCCESS",
+	"EAP_FAILURE",
+);
+
+ENUM(eap_code_short_names, EAP_REQUEST, EAP_FAILURE,
+	"REQ",
+	"RES",
+	"SUCC",
+	"FAIL",
+);
+
+ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC,
+	"EAP_IDENTITY",
+	"EAP_NOTIFICATION",
+	"EAP_NAK",
+	"EAP_MD5",
+	"EAP_OTP",
+	"EAP_GTC");
+ENUM_NEXT(eap_type_names, EAP_TLS, EAP_TLS, EAP_GTC,
+	"EAP_TLS");
+ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_TLS,
+	"EAP_SIM");
+ENUM_NEXT(eap_type_names, EAP_TTLS, EAP_TTLS, EAP_SIM,
+	"EAP_TTLS");
+ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_TTLS,
+	"EAP_AKA");
+ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+	"EAP_MSCHAPV2");
+ENUM_NEXT(eap_type_names, EAP_TNC, EAP_TNC, EAP_MSCHAPV2,
+	"EAP_TNC");
+ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_TNC,
+	"EAP_RADIUS",
+	"EAP_EXPANDED",
+	"EAP_EXPERIMENTAL");
+ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
+
+ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC,
+	"ID",
+	"NTF",
+	"NAK",
+	"MD5",
+	"OTP",
+	"GTC");
+ENUM_NEXT(eap_type_short_names, EAP_TLS, EAP_TLS, EAP_GTC,
+	"TLS");
+ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_TLS,
+	"SIM");
+ENUM_NEXT(eap_type_short_names, EAP_TTLS, EAP_TTLS, EAP_SIM,
+	"TTLS");
+ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_TTLS,
+	"AKA");
+ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA,
+	"MSCHAPV2");
+ENUM_NEXT(eap_type_short_names, EAP_TNC, EAP_TNC, EAP_MSCHAPV2,
+	"TNC");
+ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_TNC,
+	"RAD",
+	"EXP",
+	"XP");
+ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL);
+
+ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
+	"RULE_IDENTITY",
+	"RULE_AUTH_CLASS",
+	"RULE_EAP_IDENTITY",
+	"RULE_EAP_TYPE",
+	"RULE_EAP_VENDOR",
+	"RULE_CA_CERT",
+	"RULE_IM_CERT",
+	"RULE_SUBJECT_CERT",
+	"RULE_CRL_VALIDATION",
+	"RULE_OCSP_VALIDATION",
+	"RULE_GROUP",
+	"HELPER_IM_CERT",
+	"HELPER_SUBJECT_CERT",
+	"HELPER_IM_HASH_URL",
+	"HELPER_SUBJECT_HASH_URL",
+);
+
+/*
+ * See header
+ */
+eap_type_t eap_type_from_string(char *name)
+{
+	int i;
+	static struct {
+		char *name;
+		eap_type_t type;
+	} types[] = {
+		{"identity",	EAP_IDENTITY},
+		{"md5",			EAP_MD5},
+		{"otp",			EAP_OTP},
+		{"gtc",			EAP_GTC},
+		{"tls",			EAP_TLS},
+		{"ttls",		EAP_TTLS},
+		{"sim",			EAP_SIM},
+		{"aka",			EAP_AKA},
+		{"mschapv2",	EAP_MSCHAPV2},
+		{"tnc",			EAP_TNC},
+		{"radius",		EAP_RADIUS},
+	};
+
+	for (i = 0; i < countof(types); i++)
+	{
+		if (strcaseeq(name, types[i].name))
+		{
+			return types[i].type;
+		}
+	}
+	return 0;
+}
diff --git a/src/libstrongswan/eap/eap.h b/src/libstrongswan/eap/eap.h
new file mode 100644
index 000000000..1d55747a4
--- /dev/null
+++ b/src/libstrongswan/eap/eap.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap eap
+ * @{ @ingroup libstrongswan
+ */
+
+#ifndef EAP_H_
+#define EAP_H_
+
+typedef enum eap_code_t eap_code_t;
+typedef enum eap_type_t eap_type_t;
+
+#include <library.h>
+
+/**
+ * EAP code, type of an EAP message
+ */
+enum eap_code_t {
+	EAP_REQUEST = 1,
+	EAP_RESPONSE = 2,
+	EAP_SUCCESS = 3,
+	EAP_FAILURE = 4,
+};
+
+/**
+ * enum names for eap_code_t.
+ */
+extern enum_name_t *eap_code_names;
+
+/**
+ * short string enum names for eap_code_t.
+ */
+extern enum_name_t *eap_code_short_names;
+
+/**
+ * EAP types, defines the EAP method implementation
+ */
+enum eap_type_t {
+	EAP_IDENTITY = 1,
+	EAP_NOTIFICATION = 2,
+	EAP_NAK = 3,
+	EAP_MD5 = 4,
+	EAP_OTP = 5,
+	EAP_GTC = 6,
+	EAP_TLS = 13,
+	EAP_SIM = 18,
+	EAP_TTLS = 21,
+	EAP_AKA = 23,
+	EAP_MSCHAPV2 = 26,
+	EAP_TNC = 38,
+	/** not a method, but an implementation providing different methods */
+	EAP_RADIUS = 253,
+	EAP_EXPANDED = 254,
+	EAP_EXPERIMENTAL = 255,
+};
+
+/**
+ * enum names for eap_type_t.
+ */
+extern enum_name_t *eap_type_names;
+
+/**
+ * short string enum names for eap_type_t.
+ */
+extern enum_name_t *eap_type_short_names;
+
+/**
+ * Lookup the EAP method type from a string.
+ *
+ * @param name		EAP method name (such as "md5", "aka")
+ * @return			method type, 0 if unkown
+ */
+eap_type_t eap_type_from_string(char *name);
+
+#endif /** EAP_H_ @}*/
diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c
index 946a54deb..258a5b410 100644
--- a/src/libstrongswan/enum.c
+++ b/src/libstrongswan/enum.c
@@ -16,12 +16,14 @@
 #include <stddef.h>
 #include <stdio.h>
 
+#include <library.h>
+
 #include "enum.h"
 
 /**
- * get the name of an enum value in a enum_name_t list
+ * See header.
  */
-static char *enum_name(enum_name_t *e, int val)
+char *enum_to_name(enum_name_t *e, int val)
 {
 	do
 	{
@@ -35,6 +37,27 @@ static char *enum_name(enum_name_t *e, int val)
 }
 
 /**
+ * See header.
+ */
+int enum_from_name(enum_name_t *e, char *name)
+{
+	do
+	{
+		int i, count = e->last - e->first;
+
+		for (i = 0; i < count; i++)
+		{
+			if (strcaseeq(name, e->names[i]))
+			{
+				return e->first + i;
+			}
+		}
+	}
+	while ((e = e->next));
+	return -1;
+}
+
+/**
  * Described in header.
  */
 int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
@@ -43,7 +66,7 @@ int enum_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
 	enum_name_t *ed = *((enum_name_t**)(args[0]));
 	int val = *((int*)(args[1]));
 
-	char *name = enum_name(ed, val);
+	char *name = enum_to_name(ed, val);
 
 	if (name == NULL)
 	{
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/enum.h
index 691f9f2bc..d5f169772 100644
--- a/src/libstrongswan/enum.h
+++ b/src/libstrongswan/enum.h
@@ -107,6 +107,24 @@ struct enum_name_t {
 #define ENUM(name, first, last, ...) ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last)
 
 /**
+ * Convert a enum value to its string representation.
+ *
+ * @param e		enum names for this enum value
+ * @param val	enum value to get string for
+ * @return		string for enum, NULL if not found
+ */
+char *enum_to_name(enum_name_t *e, int val);
+
+/**
+ * Convert a enum string back to its enum value.
+ *
+ * @param e		enum names for this enum value
+ * @param name	name to get enum value for
+ * @return		enum value, -1 if not found
+ */
+int enum_from_name(enum_name_t *e, char *name);
+
+/**
  * printf hook function for enum_names_t.
  *
  * Arguments are:
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index b61bdf7a0..b7e75aec5 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -65,6 +65,8 @@ void library_deinit()
 	detailed = lib->settings->get_bool(lib->settings,
 								"libstrongswan.leak_detective.detailed", TRUE);
 
+	this->public.scheduler->destroy(this->public.scheduler);
+	this->public.processor->destroy(this->public.processor);
 	this->public.plugins->destroy(this->public.plugins);
 	this->public.settings->destroy(this->public.settings);
 	this->public.credmgr->destroy(this->public.credmgr);
@@ -141,6 +143,8 @@ bool library_init(char *settings)
 	this->public.encoding = cred_encoding_create();
 	this->public.fetcher = fetcher_manager_create();
 	this->public.db = database_factory_create();
+	this->public.processor = processor_create();
+	this->public.scheduler = scheduler_create();
 	this->public.plugins = plugin_loader_create();
 	this->public.integrity = NULL;
 
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index cd5dfb479..034ff10c5 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -43,6 +43,12 @@
  * @defgroup plugins plugins
  * @ingroup libstrongswan
  *
+ * @defgroup processing processing
+ * @ingroup libstrongswan
+ *
+ * @defgroup jobs jobs
+ * @ingroup processing
+ *
  * @defgroup threading threading
  * @ingroup libstrongswan
  *
@@ -64,6 +70,8 @@
 #include "settings.h"
 #include "integrity_checker.h"
 #include "plugins/plugin_loader.h"
+#include "processing/processor.h"
+#include "processing/scheduler.h"
 #include "crypto/crypto_factory.h"
 #include "fetcher/fetcher_manager.h"
 #include "database/database_factory.h"
@@ -119,6 +127,16 @@ struct library_t {
 	plugin_loader_t *plugins;
 
 	/**
+	 * process jobs using a thread pool
+	 */
+	processor_t *processor;
+
+	/**
+	 * schedule jobs
+	 */
+	scheduler_t *scheduler;
+
+	/**
 	 * various settings loaded from settings file
 	 */
 	settings_t *settings;
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 9859b75cf..99a520852 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.c b/src/libstrongswan/plugins/aes/aes_crypter.c
index 10d48cf67..f13e33492 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.c
+++ b/src/libstrongswan/plugins/aes/aes_crypter.c
@@ -1331,11 +1331,8 @@ static void decrypt_block(const private_aes_crypter_t *this, const unsigned char
     state_out(out_blk, b0);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
-					chunk_t *decrypted)
+METHOD(crypter_t, decrypt, void,
+	private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	int pos;
 	const u_int32_t *iv_i;
@@ -1376,12 +1373,8 @@ static void decrypt(private_aes_crypter_t *this, chunk_t data, chunk_t iv,
 	}
 }
 
-
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *encrypted)
+METHOD(crypter_t, encrypt, void,
+	private_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	int pos;
 	const u_int32_t *iv_i;
@@ -1417,26 +1410,26 @@ static void encrypt (private_aes_crypter_t *this, chunk_t data, chunk_t iv,
 	}
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size (private_aes_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_aes_crypter_t *this)
 {
 	return AES_BLOCK_SIZE;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size (private_aes_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_aes_crypter_t *this)
+{
+	return AES_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_aes_crypter_t *this)
 {
 	return this->key_size;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key (private_aes_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_aes_crypter_t *this, chunk_t key)
 {
 	u_int32_t    *kf, *kt, rci, f = 0;
 	u_int8_t *in_key = key.ptr;
@@ -1498,8 +1491,8 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
 	}
 
 	if(!f)
-    {
-		u_int32_t    i;
+	{
+		u_int32_t i;
 
 		kt = this->aes_d_key + nc * this->aes_Nrnd;
 		kf = this->aes_e_key;
@@ -1517,15 +1510,13 @@ static void set_key (private_aes_crypter_t *this, chunk_t key)
 			cpy(kt, kf);
 #endif
 			kt -= 2 * nc;
-        }
+		}
 		cpy(kt, kf);
-    }
+	}
 }
 
-/**
- * Implementation of crypter_t.destroy and aes_crypter_t.destroy.
- */
-static void destroy (private_aes_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_aes_crypter_t *this)
 {
 	free(this);
 }
@@ -1541,36 +1532,38 @@ aes_crypter_t *aes_crypter_create(encryption_algorithm_t algo, size_t key_size)
 	{
 		return NULL;
 	}
-
-	this = malloc_thing(private_aes_crypter_t);
+	switch (key_size)
+	{
+		case 0:
+			key_size = 16;
+			break;
+		case 32:
+		case 24:
+		case 16:
+			break;
+		default:
+			return NULL;
+	}
 
 	#if !defined(FIXED_TABLES)
 	if(!tab_gen) { gen_tabs(); tab_gen = 1; }
 	#endif
 
-	this->key_size = key_size;
-	switch(key_size)
-	{
-	case 32:        /* bytes */
-		this->aes_Nkey = 8;
-		break;
-	case 24:        /* bytes */
-		this->aes_Nkey = 6;
-		break;
-	case 16:        /* bytes */
-		this->aes_Nkey = 4;
-		break;
-	default:
-		free(this);
-		return NULL;
-	}
-
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.key_size = key_size,
+		.aes_Nkey = key_size / 4,
+	);
+
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/aes/aes_crypter.h b/src/libstrongswan/plugins/aes/aes_crypter.h
index 061d72fd6..473772f04 100644
--- a/src/libstrongswan/plugins/aes/aes_crypter.h
+++ b/src/libstrongswan/plugins/aes/aes_crypter.h
@@ -32,9 +32,9 @@ typedef struct aes_crypter_t aes_crypter_t;
 struct aes_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c
index 1e920f8cc..22b47e334 100644
--- a/src/libstrongswan/plugins/aes/aes_plugin.c
+++ b/src/libstrongswan/plugins/aes/aes_plugin.c
@@ -31,10 +31,8 @@ struct private_aes_plugin_t {
 	aes_plugin_t public;
 };
 
-/**
- * Implementation of aes_plugin_t.destroy
- */
-static void destroy(private_aes_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_aes_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 								(crypter_constructor_t)aes_crypter_create);
@@ -46,9 +44,15 @@ static void destroy(private_aes_plugin_t *this)
  */
 plugin_t *aes_plugin_create()
 {
-	private_aes_plugin_t *this = malloc_thing(private_aes_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_aes_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 							 (crypter_constructor_t)aes_crypter_create);
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index c95e7b778..9f65f4ffb 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index d40b437bb..bd3c1ac75 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -31,10 +31,8 @@ struct private_agent_plugin_t {
 	agent_plugin_t public;
 };
 
-/**
- * Implementation of agent_plugin_t.agenttroy
- */
-static void destroy(private_agent_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_agent_plugin_t *this)
 {
 	lib->creds->remove_builder(lib->creds,
 							   (builder_function_t)agent_private_key_open);
@@ -46,11 +44,17 @@ static void destroy(private_agent_plugin_t *this)
  */
 plugin_t *agent_plugin_create()
 {
-	private_agent_plugin_t *this = malloc_thing(private_agent_plugin_t);
+	private_agent_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)agent_private_key_open);
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 51ddbecc6..0864f4118 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -205,7 +205,7 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 		{
 			break;;
 		}
-		if (pubkey && !private_key_belongs_to(&this->public.interface, pubkey))
+		if (pubkey && !private_key_belongs_to(&this->public.key, pubkey))
 		{
 			continue;
 		}
@@ -221,11 +221,9 @@ static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
 	return FALSE;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_agent_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	u_int32_t len, flags;
 	char buf[2048];
@@ -294,36 +292,28 @@ static bool sign(private_agent_private_key_t *this, signature_scheme_t scheme,
 	return TRUE;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static key_type_t get_type(private_agent_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_agent_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static bool decrypt(private_agent_private_key_t *this,
-					chunk_t crypto, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_agent_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "private key decryption not supported by ssh-agent");
 	return FALSE;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static size_t get_keysize(private_agent_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_agent_private_key_t *this)
 {
-	return this->key_size;
+	return this->key_size * 8;
 }
 
-/**
- * Implementation of agent_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_agent_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_agent_private_key_t *this)
 {
 	chunk_t key, n, e;
 
@@ -336,20 +326,15 @@ static public_key_t* get_public_key(private_agent_private_key_t *this)
 						BUILD_RSA_MODULUS, n, BUILD_RSA_PUB_EXP, e, BUILD_END);
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_agent_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_agent_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	return FALSE;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_agent_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_agent_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e, key;
 
@@ -366,19 +351,15 @@ static bool get_fingerprint(private_agent_private_key_t *this,
 			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
 }
 
-/**
- * Implementation of agent_private_key.get_ref.
- */
-static private_agent_private_key_t* get_ref(private_agent_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_agent_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of agent_private_key.destroy.
- */
-static void destroy(private_agent_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_agent_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -420,20 +401,25 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 		return FALSE;
 	}
 
-	this = malloc_thing(private_agent_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.belongs_to = private_key_belongs_to,
+				.equals = private_key_equals,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	this->socket = open_connection(path);
 	if (this->socket < 0)
@@ -441,9 +427,6 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 		free(this);
 		return NULL;
 	}
-	this->key = chunk_empty;
-	this->ref = 1;
-
 	if (!read_key(this, pubkey))
 	{
 		destroy(this);
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.h b/src/libstrongswan/plugins/agent/agent_private_key.h
index 3d9500c1a..0623f2bb9 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.h
+++ b/src/libstrongswan/plugins/agent/agent_private_key.h
@@ -34,7 +34,7 @@ struct agent_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 6a82ce94a..d310843ac 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
index fb856ed37..784c07eaf 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c
@@ -68,8 +68,6 @@ typedef struct private_blowfish_crypter_t private_blowfish_crypter_t;
 
 /**
  * Class implementing the Blowfish symmetric encryption algorithm.
- *
- * @ingroup crypters
  */
 struct private_blowfish_crypter_t {
 
@@ -89,11 +87,9 @@ struct private_blowfish_crypter_t {
 	u_int32_t key_size;
 };
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
-					chunk_t *decrypted)
+METHOD(crypter_t, decrypt, void,
+	private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
+	chunk_t *decrypted)
 {
 	u_int8_t *in, *out;
 
@@ -114,11 +110,9 @@ static void decrypt(private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
 	free(iv.ptr);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *encrypted)
+METHOD(crypter_t, encrypt, void,
+	private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
+	chunk_t *encrypted)
 {
 	u_int8_t *in, *out;
 
@@ -139,34 +133,32 @@ static void encrypt (private_blowfish_crypter_t *this, chunk_t data, chunk_t iv,
 	free(iv.ptr);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size (private_blowfish_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_blowfish_crypter_t *this)
 {
 	return BLOWFISH_BLOCK_SIZE;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size (private_blowfish_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_blowfish_crypter_t *this)
+{
+	return BLOWFISH_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_blowfish_crypter_t *this)
 {
 	return this->key_size;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key (private_blowfish_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_blowfish_crypter_t *this, chunk_t key)
 {
 	BF_set_key(&this->schedule, key.len , key.ptr);
 }
 
-/**
- * Implementation of crypter_t.destroy and blowfish_crypter_t.destroy.
- */
-static void destroy (private_blowfish_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_blowfish_crypter_t *this)
 {
 	free(this);
 }
@@ -174,7 +166,8 @@ static void destroy (private_blowfish_crypter_t *this)
 /*
  * Described in header
  */
-blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t key_size)
+blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo,
+											size_t key_size)
 {
 	private_blowfish_crypter_t *this;
 
@@ -183,15 +176,20 @@ blowfish_crypter_t *blowfish_crypter_create(encryption_algorithm_t algo, size_t
 		return NULL;
 	}
 
-	this = malloc_thing(private_blowfish_crypter_t);
-
-	this->key_size = key_size;
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.key_size = key_size ?: 16,
+	);
+
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
index 71cc09cd0..70dcae66e 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
+++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.h
@@ -32,9 +32,9 @@ typedef struct blowfish_crypter_t blowfish_crypter_t;
 struct blowfish_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
index f9fb605b3..6ab093d7b 100644
--- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
+++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c
@@ -32,10 +32,8 @@ struct private_blowfish_plugin_t {
 	blowfish_plugin_t public;
 };
 
-/**
- * Implementation of blowfish_plugin_t.destroy
- */
-static void destroy(private_blowfish_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_blowfish_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 								(crypter_constructor_t)blowfish_crypter_create);
@@ -47,9 +45,15 @@ static void destroy(private_blowfish_plugin_t *this)
  */
 plugin_t *blowfish_plugin_create()
 {
-	private_blowfish_plugin_t *this = malloc_thing(private_blowfish_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	private_blowfish_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH,
 							 (crypter_constructor_t)blowfish_crypter_create);
diff --git a/src/libstrongswan/plugins/ccm/Makefile.am b/src/libstrongswan/plugins/ccm/Makefile.am
new file mode 100644
index 000000000..bca1f0735
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ccm.la
+else
+plugin_LTLIBRARIES = libstrongswan-ccm.la
+endif
+
+libstrongswan_ccm_la_SOURCES = \
+	ccm_plugin.h ccm_plugin.c \
+	ccm_aead.h ccm_aead.c
+
+libstrongswan_ccm_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
new file mode 100644
index 000000000..017d75c48
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/ccm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ccm_la_LIBADD =
+am_libstrongswan_ccm_la_OBJECTS = ccm_plugin.lo ccm_aead.lo
+libstrongswan_ccm_la_OBJECTS = $(am_libstrongswan_ccm_la_OBJECTS)
+libstrongswan_ccm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_ccm_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ccm_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ccm_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_ccm_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ccm_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ccm.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ccm.la
+libstrongswan_ccm_la_SOURCES = \
+	ccm_plugin.h ccm_plugin.c \
+	ccm_aead.h ccm_aead.c
+
+libstrongswan_ccm_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ccm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/ccm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-ccm.la: $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_DEPENDENCIES) 
+	$(libstrongswan_ccm_la_LINK) $(am_libstrongswan_ccm_la_rpath) $(libstrongswan_ccm_la_OBJECTS) $(libstrongswan_ccm_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ccm_aead.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ccm_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.c b/src/libstrongswan/plugins/ccm/ccm_aead.c
new file mode 100644
index 000000000..7fee2b3c4
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.c
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ccm_aead.h"
+
+#define BLOCK_SIZE 16
+#define SALT_SIZE 3
+#define IV_SIZE 8
+#define NONCE_SIZE (SALT_SIZE + IV_SIZE) /* 11 */
+#define Q_SIZE (BLOCK_SIZE - NONCE_SIZE - 1) /* 4 */
+
+typedef struct private_ccm_aead_t private_ccm_aead_t;
+
+/**
+ * Private data of an ccm_aead_t object.
+ */
+struct private_ccm_aead_t {
+
+	/**
+	 * Public ccm_aead_t interface.
+	 */
+	ccm_aead_t public;
+
+	/**
+	 * Underlying CBC crypter.
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * Length of the integrity check value
+	 */
+	size_t icv_size;
+
+	/**
+	 * salt to add to nonce
+	 */
+	u_char salt[SALT_SIZE];
+};
+
+/**
+ * First block with control information
+ */
+typedef struct __attribute__((packed)) {
+	BITFIELD4(u_int8_t,
+		/* size of p length field q, as q-1 */
+		q_len: 3,
+		/* size of our ICV t, as (t-2)/2 */
+		t_len: 3,
+		/* do we have associated data */
+		assoc: 1,
+		reserved: 1,
+	) flags;
+	/* nonce value */
+	struct __attribute__((packed)) {
+		u_char salt[SALT_SIZE];
+		u_char iv[IV_SIZE];
+	} nonce;
+	/* lenght of plain text, q */
+	u_char q[Q_SIZE];
+} b0_t;
+
+/**
+ * Counter block
+ */
+typedef struct __attribute__((packed)) {
+	BITFIELD3(u_int8_t,
+		/* size of p length field q, as q-1 */
+		q_len: 3,
+		zero: 3,
+		reserved: 2,
+	) flags;
+	/* nonce value */
+	struct __attribute__((packed)) {
+		u_char salt[SALT_SIZE];
+		u_char iv[IV_SIZE];
+	} nonce;
+	/* counter value */
+	u_char i[Q_SIZE];
+} ctr_t;
+
+/**
+ * Build the first block B0
+ */
+static void build_b0(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					 chunk_t iv, char *out)
+{
+	b0_t *block = (b0_t*)out;
+
+	block->flags.reserved = 0;
+	block->flags.assoc = assoc.len ? 1 : 0;
+	block->flags.t_len = (this->icv_size - 2) / 2;
+	block->flags.q_len = Q_SIZE - 1;
+	memcpy(block->nonce.salt, this->salt, SALT_SIZE);
+	memcpy(block->nonce.iv, iv.ptr, IV_SIZE);
+	htoun32(block->q, plain.len);
+}
+
+/**
+ * Build a counter block for counter i
+ */
+static void build_ctr(private_ccm_aead_t *this, u_int32_t i, chunk_t iv,
+					  char *out)
+{
+	ctr_t *ctr = (ctr_t*)out;
+
+	ctr->flags.reserved = 0;
+	ctr->flags.zero = 0;
+	ctr->flags.q_len = Q_SIZE - 1;
+	memcpy(ctr->nonce.salt, this->salt, SALT_SIZE);
+	memcpy(ctr->nonce.iv, iv.ptr, IV_SIZE);
+	htoun32(ctr->i, i);
+}
+
+/**
+ * En-/Decrypt data
+ */
+static void crypt_data(private_ccm_aead_t *this, chunk_t iv,
+					   chunk_t in, chunk_t out)
+{
+	char ctr[BLOCK_SIZE];
+	char zero[BLOCK_SIZE];
+	char block[BLOCK_SIZE];
+
+	build_ctr(this, 1, iv, ctr);
+	memset(zero, 0, BLOCK_SIZE);
+
+	while (in.len > 0)
+	{
+		memcpy(block, ctr, BLOCK_SIZE);
+		this->crypter->encrypt(this->crypter, chunk_from_thing(block),
+							   chunk_from_thing(zero), NULL);
+		chunk_increment(chunk_from_thing(ctr));
+
+		if (in.ptr != out.ptr)
+		{
+			memcpy(out.ptr, in.ptr, min(in.len, BLOCK_SIZE));
+		}
+		memxor(out.ptr, block, min(in.len, BLOCK_SIZE));
+		in = chunk_skip(in, BLOCK_SIZE);
+		out = chunk_skip(out, BLOCK_SIZE);
+	}
+}
+
+/**
+ * En-/Decrypt the ICV
+ */
+static void crypt_icv(private_ccm_aead_t *this, chunk_t iv, char *icv)
+{
+	char ctr[BLOCK_SIZE];
+	char zero[BLOCK_SIZE];
+
+	build_ctr(this, 0, iv, ctr);
+	memset(zero, 0, BLOCK_SIZE);
+
+	this->crypter->encrypt(this->crypter, chunk_from_thing(ctr),
+						   chunk_from_thing(zero), NULL);
+	memxor(icv, ctr, this->icv_size);
+}
+
+/**
+ * Create the ICV
+ */
+static void create_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					   chunk_t iv, char *icv)
+{
+	char zero[BLOCK_SIZE];
+	chunk_t chunk;
+	char *pos;
+	int r, len;
+
+	memset(zero, 0, BLOCK_SIZE);
+
+	/* calculate number of blocks, including b0 */
+	r = 1;
+	if (assoc.len)
+	{	/* assoc gets a 2 byte length header, gets padded to BLOCK_SIZE */
+		r += (2 + assoc.len + BLOCK_SIZE - 1) / BLOCK_SIZE;
+	}
+	/* plain text gets padded to BLOCK_SIZE */
+	r += (plain.len + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+	/* concatenate data to a new chunk */
+	chunk = chunk_alloc(r * BLOCK_SIZE);
+	/* write control block */
+	build_b0(this, plain, assoc, iv, chunk.ptr);
+	pos = chunk.ptr + BLOCK_SIZE;
+	/* append associated data, with length header */
+	if (assoc.len)
+	{
+		/* currently we support two byte headers only (up to 2^16-2^8 bytes) */
+		htoun16(pos, assoc.len);
+		memcpy(pos + 2, assoc.ptr, assoc.len);
+		pos += 2 + assoc.len;
+		/* padding */
+		len = (BLOCK_SIZE - ((2 + assoc.len) % BLOCK_SIZE)) % BLOCK_SIZE;
+		memset(pos, 0, len);
+		pos += len;
+	}
+	/* write plain data */
+	memcpy(pos, plain.ptr, plain.len);
+	pos += plain.len;
+	/* padding */
+	len = (BLOCK_SIZE - (plain.len % BLOCK_SIZE)) % BLOCK_SIZE;
+
+	memset(pos, 0, len);
+
+	/* encrypt inline with CBC, zero IV */
+	this->crypter->encrypt(this->crypter, chunk, chunk_from_thing(zero), NULL);
+	/* copy last icv_size bytes as ICV to output */
+	memcpy(icv, chunk.ptr + chunk.len - BLOCK_SIZE, this->icv_size);
+
+	/* encrypt the ICV value */
+	crypt_icv(this, iv, icv);
+
+	free(chunk.ptr);
+}
+
+/**
+ * Verify the ICV
+ */
+static bool verify_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					   chunk_t iv, char *icv)
+{
+	char buf[this->icv_size];
+
+	create_icv(this, plain, assoc, iv, buf);
+
+	return memeq(buf, icv, this->icv_size);
+}
+
+METHOD(aead_t, encrypt, void,
+	private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(plain.len + this->icv_size);
+		create_icv(this, plain, assoc, iv, encrypted->ptr + plain.len);
+		crypt_data(this, iv, plain, *encrypted);
+	}
+	else
+	{
+		create_icv(this, plain, assoc, iv, plain.ptr + plain.len);
+		crypt_data(this, iv, plain, plain);
+	}
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_ccm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	if (encrypted.len < this->icv_size)
+	{
+		return FALSE;
+	}
+	encrypted.len -= this->icv_size;
+	if (plain)
+	{
+		*plain = chunk_alloc(encrypted.len);
+		crypt_data(this, iv, encrypted, *plain);
+		return verify_icv(this, *plain, assoc, iv,
+						  encrypted.ptr + encrypted.len);
+	}
+	else
+	{
+		crypt_data(this, iv, encrypted, encrypted);
+		return verify_icv(this, encrypted, assoc, iv,
+						  encrypted.ptr + encrypted.len);
+	}
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return 1;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return IV_SIZE;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
+}
+
+METHOD(aead_t, set_key, void,
+	private_ccm_aead_t *this, chunk_t key)
+{
+	memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
+	key.len -= SALT_SIZE;
+	this->crypter->set_key(this->crypter, key);
+}
+
+METHOD(aead_t, destroy, void,
+	private_ccm_aead_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_ccm_aead_t *this;
+	size_t icv_size;
+
+	switch (key_size)
+	{
+		case 0:
+			key_size = 16;
+			break;
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return NULL;
+	}
+	switch (algo)
+	{
+		case ENCR_AES_CCM_ICV8:
+			algo = ENCR_AES_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_AES_CCM_ICV12:
+			algo = ENCR_AES_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_AES_CCM_ICV16:
+			algo = ENCR_AES_CBC;
+			icv_size = 16;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV8:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV12:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV16:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 16;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.aead = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_icv_size = _get_icv_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+		.icv_size = icv_size,
+	);
+
+	if (!this->crypter)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/ccm/ccm_aead.h b/src/libstrongswan/plugins/ccm/ccm_aead.h
new file mode 100644
index 000000000..d5e302f94
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_aead.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ccm_aead ccm_aead
+ * @{ @ingroup ccm
+ */
+
+#ifndef CCM_AEAD_H_
+#define CCM_AEAD_H_
+
+#include <crypto/aead.h>
+
+typedef struct ccm_aead_t ccm_aead_t;
+
+/**
+ * Counter with Cipher Block Chaining-Message Authentication Code (CCM).
+ *
+ * Implements CCM as specified in NIST 800-38B, using AEAD semantics from
+ * RFC 5282, based on RFC4309.
+ */
+struct ccm_aead_t {
+
+	/**
+	 * Implements aead_t interface.
+	 */
+	aead_t aead;
+};
+
+/**
+ * Create a ccm_aead instance.
+ *
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement, a CCM mode
+ * @return				aead, NULL if not supported
+ */
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** CCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.c b/src/libstrongswan/plugins/ccm/ccm_plugin.c
new file mode 100644
index 000000000..5fc3b14d7
--- /dev/null
+++ b/src/libstrongswan/plugins/ccm/ccm_plugin.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ccm_plugin.h"
+
+#include <library.h>
+
+#include "ccm_aead.h"
+
+typedef struct private_ccm_plugin_t private_ccm_plugin_t;
+
+/**
+ * private data of ccm_plugin
+ */
+struct private_ccm_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	ccm_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_ccm_plugin_t *this)
+{
+	lib->crypto->remove_aead(lib->crypto,
+					(aead_constructor_t)ccm_aead_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ccm_plugin_create()
+{
+	private_ccm_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+	);
+
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16,
+					(aead_constructor_t)ccm_aead_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/pluto/kernel_netlink.h b/src/libstrongswan/plugins/ccm/ccm_plugin.h
index 65163c966..9a3252012 100644
--- a/src/pluto/kernel_netlink.h
+++ b/src/libstrongswan/plugins/ccm/ccm_plugin.h
@@ -1,6 +1,6 @@
-/* declarations of routines that interface with the kernel's pfkey mechanism
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- * Copyright (C) 2003  Herbert Xu
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,6 +13,30 @@
  * for more details.
  */
 
-#if defined(KLIPS) && defined(linux)
-extern const struct kernel_ops linux_kernel_ops;
-#endif
+/**
+ * @defgroup ccm ccm
+ * @ingroup plugins
+ *
+ * @defgroup ccm_plugin ccm_plugin
+ * @{ @ingroup ccm
+ */
+
+#ifndef CCM_PLUGIN_H_
+#define CCM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ccm_plugin_t ccm_plugin_t;
+
+/**
+ * Plugin providing CCM mode operation.
+ */
+struct ccm_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CCM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/ctr/Makefile.am b/src/libstrongswan/plugins/ctr/Makefile.am
new file mode 100644
index 000000000..893171aab
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ctr.la
+else
+plugin_LTLIBRARIES = libstrongswan-ctr.la
+endif
+
+libstrongswan_ctr_la_SOURCES = \
+	ctr_plugin.h ctr_plugin.c \
+	ctr_ipsec_crypter.h ctr_ipsec_crypter.c
+
+libstrongswan_ctr_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
new file mode 100644
index 000000000..b51f57113
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/ctr
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_ctr_la_LIBADD =
+am_libstrongswan_ctr_la_OBJECTS = ctr_plugin.lo ctr_ipsec_crypter.lo
+libstrongswan_ctr_la_OBJECTS = $(am_libstrongswan_ctr_la_OBJECTS)
+libstrongswan_ctr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_ctr_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_ctr_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_ctr_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_ctr_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_ctr_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-ctr.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ctr.la
+libstrongswan_ctr_la_SOURCES = \
+	ctr_plugin.h ctr_plugin.c \
+	ctr_ipsec_crypter.h ctr_ipsec_crypter.c
+
+libstrongswan_ctr_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/ctr/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/ctr/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-ctr.la: $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_DEPENDENCIES) 
+	$(libstrongswan_ctr_la_LINK) $(am_libstrongswan_ctr_la_rpath) $(libstrongswan_ctr_la_OBJECTS) $(libstrongswan_ctr_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctr_ipsec_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctr_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c
new file mode 100644
index 000000000..ddcae423b
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ctr_ipsec_crypter.h"
+
+typedef struct private_ctr_ipsec_crypter_t private_ctr_ipsec_crypter_t;
+
+/**
+ * Private data of an ctr_ipsec_crypter_t object.
+ */
+struct private_ctr_ipsec_crypter_t {
+
+	/**
+	 * Public ctr_ipsec_crypter_t interface.
+	 */
+	ctr_ipsec_crypter_t public;
+
+	/**
+	 * Underlying CBC crypter
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * counter state
+	 */
+	struct {
+		char nonce[4];
+		char iv[8];
+		u_int32_t counter;
+	} __attribute__((packed)) state;
+};
+
+/**
+ * Do the CTR crypto operation
+ */
+static void crypt_ctr(private_ctr_ipsec_crypter_t *this,
+					  chunk_t in, chunk_t out)
+{
+	size_t is, bs;
+	chunk_t state;
+
+	is = this->crypter->get_iv_size(this->crypter);
+	bs = sizeof(this->state);
+
+	this->state.counter = htonl(1);
+	state = chunk_create((char*)&this->state, bs);
+
+	while (in.len > 0)
+	{
+		char iv[is], block[bs];
+
+		memset(iv, 0, is);
+		memcpy(block, state.ptr, bs);
+		this->crypter->encrypt(this->crypter,
+						chunk_create(block, bs), chunk_create(iv, is), NULL);
+		chunk_increment(state);
+
+		if (in.ptr != out.ptr)
+		{
+			memcpy(out.ptr, in.ptr, min(in.len, bs));
+		}
+		memxor(out.ptr, block, min(in.len, bs));
+		in = chunk_skip(in, bs);
+		out = chunk_skip(out, bs);
+	}
+}
+
+METHOD(crypter_t, crypt, void,
+	private_ctr_ipsec_crypter_t *this, chunk_t in, chunk_t iv, chunk_t *out)
+{
+	memcpy(this->state.iv, iv.ptr, sizeof(this->state.iv));
+
+	if (out)
+	{
+		*out = chunk_alloc(in.len);
+		crypt_ctr(this, in, *out);
+	}
+	else
+	{
+		crypt_ctr(this, in, in);
+	}
+}
+
+METHOD(crypter_t, get_block_size, size_t,
+	private_ctr_ipsec_crypter_t *this)
+{
+	return 1;
+}
+
+METHOD(crypter_t, get_iv_size, size_t,
+	private_ctr_ipsec_crypter_t *this)
+{
+	return sizeof(this->state.iv);
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_ctr_ipsec_crypter_t *this)
+{
+	return this->crypter->get_key_size(this->crypter)
+			+ sizeof(this->state.nonce);
+}
+
+METHOD(crypter_t, set_key, void,
+	private_ctr_ipsec_crypter_t *this, chunk_t key)
+{
+	memcpy(this->state.nonce, key.ptr + key.len - sizeof(this->state.nonce),
+		   sizeof(this->state.nonce));
+	key.len -= sizeof(this->state.nonce);
+	this->crypter->set_key(this->crypter, key);
+}
+
+METHOD(crypter_t, destroy, void,
+	private_ctr_ipsec_crypter_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ctr_ipsec_crypter_t *ctr_ipsec_crypter_create(encryption_algorithm_t algo,
+											  size_t key_size)
+{
+	private_ctr_ipsec_crypter_t *this;
+
+	switch (algo)
+	{
+		case ENCR_AES_CTR:
+			algo = ENCR_AES_CBC;
+			break;
+		case ENCR_CAMELLIA_CTR:
+			algo = ENCR_CAMELLIA_CBC;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _crypt,
+				.decrypt = _crypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+	);
+
+	if (!this->crypter)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
new file mode 100644
index 000000000..db21aec3b
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ctr_ipsec_crypter ctr_ipsec_crypter
+ * @{ @ingroup ctr
+ */
+
+#ifndef CTR_IPSEC_CRYPTER_H_
+#define CTR_IPSEC_CRYPTER_H_
+
+#include <crypto/crypters/crypter.h>
+
+typedef struct ctr_ipsec_crypter_t ctr_ipsec_crypter_t;
+
+/**
+ * Counter Mode wrapper for encryption algorithms, IPsec variant (RFC3686).
+ */
+struct ctr_ipsec_crypter_t {
+
+	/**
+	 * Implements crypter_t interface.
+	 */
+	crypter_t crypter;
+};
+
+/**
+ * Create a ctr_ipsec_crypter instance.
+ */
+ctr_ipsec_crypter_t *ctr_ipsec_crypter_create();
+
+/**
+ * Create a ctr_ipsec_crypter instance.
+ *
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement, a counter mode
+ * @return				crypter, NULL if not supported
+ */
+ctr_ipsec_crypter_t *ctr_ipsec_crypter_create(encryption_algorithm_t algo,
+											  size_t key_size);
+
+#endif /** CTR_IPSEC_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.c b/src/libstrongswan/plugins/ctr/ctr_plugin.c
new file mode 100644
index 000000000..5e47f23ec
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_plugin.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ctr_plugin.h"
+
+#include <library.h>
+
+#include "ctr_ipsec_crypter.h"
+
+typedef struct private_ctr_plugin_t private_ctr_plugin_t;
+
+/**
+ * private data of ctr_plugin
+ */
+struct private_ctr_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	ctr_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_ctr_plugin_t *this)
+{
+	lib->crypto->remove_crypter(lib->crypto,
+					(crypter_constructor_t)ctr_ipsec_crypter_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ctr_plugin_create()
+{
+	private_ctr_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
+					(crypter_constructor_t)ctr_ipsec_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
+					(crypter_constructor_t)ctr_ipsec_crypter_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.h b/src/libstrongswan/plugins/ctr/ctr_plugin.h
new file mode 100644
index 000000000..7b2f901dc
--- /dev/null
+++ b/src/libstrongswan/plugins/ctr/ctr_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ctr ctr
+ * @ingroup plugins
+ *
+ * @defgroup ctr_plugin ctr_plugin
+ * @{ @ingroup ctr
+ */
+
+#ifndef CTR_PLUGIN_H_
+#define CTR_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ctr_plugin_t ctr_plugin_t;
+
+/**
+ * Plugin providing CTR mode operation of symmetric encryption algorithms.
+ */
+struct ctr_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CTR_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index fc3b0ab1a..9cc99063c 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 2341c9052..4835f6461 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -166,10 +166,12 @@ curl_fetcher_t *curl_fetcher_create()
 	private_curl_fetcher_t *this;
 
 	INIT(this,
-		.public.interface = {
-			.fetch = _fetch,
-			.set_option = _set_option,
-			.destroy = _destroy,
+		.public = {
+			.interface = {
+				.fetch = _fetch,
+				.set_option = _set_option,
+				.destroy = _destroy,
+			},
 		},
 		.curl = curl_easy_init(),
 	);
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 319baa04c..0e8fa7315 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c
index 142e79613..7d9fbe852 100644
--- a/src/libstrongswan/plugins/des/des_crypter.c
+++ b/src/libstrongswan/plugins/des/des_crypter.c
@@ -1416,11 +1416,8 @@ static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long len
 	tin[0]=tin[1]=0;
 }
 
-/**
- * Implementation of crypter_t.decrypt for DES.
- */
-static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-					chunk_t *decrypted)
+METHOD(crypter_t, decrypt, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1437,11 +1434,8 @@ static void decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 }
 
 
-/**
- * Implementation of crypter_t.decrypt for DES.
- */
-static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-						chunk_t *encrypted)
+METHOD(crypter_t, encrypt, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1457,11 +1451,8 @@ static void encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 					 data.len, this->ks, &ivb, DES_ENCRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for DES (ECB).
- */
-static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-						chunk_t *decrypted)
+METHOD(crypter_t, decrypt_ecb, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	u_int8_t *out;
 
@@ -1475,11 +1466,8 @@ static void decrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 					 data.len, this->ks, DES_DECRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for DES (ECB).
- */
-static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-						chunk_t *encrypted)
+METHOD(crypter_t, encrypt_ecb, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	u_int8_t *out;
 
@@ -1493,11 +1481,8 @@ static void encrypt_ecb(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 					 data.len, this->ks, DES_ENCRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for 3DES.
- */
-static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *decrypted)
+METHOD(crypter_t, decrypt3, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1514,11 +1499,8 @@ static void decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 						 &ivb, DES_DECRYPT);
 }
 
-/**
- * Implementation of crypter_t.decrypt for 3DES.
- */
-static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
-					 chunk_t *encrypted)
+METHOD(crypter_t, encrypt3, void,
+	private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
 {
 	des_cblock ivb;
 	u_int8_t *out;
@@ -1535,44 +1517,40 @@ static void encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv,
 						  &ivb, DES_ENCRYPT);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size (private_des_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_des_crypter_t *this)
 {
 	return sizeof(des_cblock);
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size (private_des_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_des_crypter_t *this)
+{
+	return sizeof(des_cblock);
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_des_crypter_t *this)
 {
 	return this->key_size;
 }
 
-/**
- * Implementation of crypter_t.set_key for DES.
- */
-static void set_key(private_des_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_des_crypter_t *this, chunk_t key)
 {
 	des_set_key((des_cblock*)(key.ptr), &this->ks);
 }
 
-/**
- * Implementation of crypter_t.set_key for 3DES.
- */
-static void set_key3(private_des_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key3, void,
+	private_des_crypter_t *this, chunk_t key)
 {
 	des_set_key((des_cblock*)(key.ptr) + 0, &this->ks3[0]);
 	des_set_key((des_cblock*)(key.ptr) + 1, &this->ks3[1]);
 	des_set_key((des_cblock*)(key.ptr) + 2, &this->ks3[2]);
 }
 
-/**
- * Implementation of crypter_t.destroy and des_crypter_t.destroy.
- */
-static void destroy(private_des_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_des_crypter_t *this)
 {
 	free(this);
 }
@@ -1582,33 +1560,39 @@ static void destroy(private_des_crypter_t *this)
  */
 des_crypter_t *des_crypter_create(encryption_algorithm_t algo)
 {
-	private_des_crypter_t *this = malloc_thing(private_des_crypter_t);
-
-	/* functions of crypter_t interface */
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
+	private_des_crypter_t *this;
+
+	INIT(this,
+		.public = {
+			.crypter = {
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* use functions depending on algorithm */
 	switch (algo)
 	{
 		case ENCR_DES:
 			this->key_size = sizeof(des_cblock);
-			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
+			this->public.crypter.set_key = _set_key;
+			this->public.crypter.encrypt = _encrypt;
+			this->public.crypter.decrypt = _decrypt;
 			break;
 		case ENCR_3DES:
 			this->key_size = 3 * sizeof(des_cblock);
-			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key3;
-			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt3;
-			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt3;
+			this->public.crypter.set_key = _set_key3;
+			this->public.crypter.encrypt = _encrypt3;
+			this->public.crypter.decrypt = _decrypt3;
 			break;
 		case ENCR_DES_ECB:
 			this->key_size = sizeof(des_cblock);
-			this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-			this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt_ecb;
-			this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt_ecb;
+			this->public.crypter.set_key = _set_key;
+			this->public.crypter.encrypt = _encrypt_ecb;
+			this->public.crypter.decrypt = _decrypt_ecb;
 			break;
 		default:
 			free(this);
diff --git a/src/libstrongswan/plugins/des/des_crypter.h b/src/libstrongswan/plugins/des/des_crypter.h
index cffbd4ce3..07215d0c5 100644
--- a/src/libstrongswan/plugins/des/des_crypter.h
+++ b/src/libstrongswan/plugins/des/des_crypter.h
@@ -32,9 +32,9 @@ typedef struct des_crypter_t des_crypter_t;
 struct des_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c
index afc82e8d4..43b457ce2 100644
--- a/src/libstrongswan/plugins/des/des_plugin.c
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -31,10 +31,8 @@ struct private_des_plugin_t {
 	des_plugin_t public;
 };
 
-/**
- * Implementation of des_plugin_t.destroy
- */
-static void destroy(private_des_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_des_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 								(crypter_constructor_t)des_crypter_create);
@@ -46,9 +44,15 @@ static void destroy(private_des_plugin_t *this)
  */
 plugin_t *des_plugin_create()
 {
-	private_des_plugin_t *this = malloc_thing(private_des_plugin_t);
+	private_des_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
 							 (crypter_constructor_t)des_crypter_create);
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 73f81f4db..7f4529211 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
index 125047b05..bc0ee30ae 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -50,9 +50,9 @@ plugin_t *dnskey_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)dnskey_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)dnskey_public_key_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 4ed8276c4..7e2a1ccdf 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.am b/src/libstrongswan/plugins/gcm/Makefile.am
new file mode 100644
index 000000000..ec733fbcc
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/Makefile.am
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-gcm.la
+else
+plugin_LTLIBRARIES = libstrongswan-gcm.la
+endif
+
+libstrongswan_gcm_la_SOURCES = \
+	gcm_plugin.h gcm_plugin.c \
+	gcm_aead.h gcm_aead.c
+
+libstrongswan_gcm_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
new file mode 100644
index 000000000..a4de9ea77
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -0,0 +1,600 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/gcm
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_gcm_la_LIBADD =
+am_libstrongswan_gcm_la_OBJECTS = gcm_plugin.lo gcm_aead.lo
+libstrongswan_gcm_la_OBJECTS = $(am_libstrongswan_gcm_la_OBJECTS)
+libstrongswan_gcm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_gcm_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_gcm_la_rpath = -rpath $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_gcm_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_gcm_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_gcm_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-gcm.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-gcm.la
+libstrongswan_gcm_la_SOURCES = \
+	gcm_plugin.h gcm_plugin.c \
+	gcm_aead.h gcm_aead.c
+
+libstrongswan_gcm_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/gcm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/gcm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-gcm.la: $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_DEPENDENCIES) 
+	$(libstrongswan_gcm_la_LINK) $(am_libstrongswan_gcm_la_rpath) $(libstrongswan_gcm_la_OBJECTS) $(libstrongswan_gcm_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcm_aead.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcm_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c
new file mode 100644
index 000000000..0d7d91dbf
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.c
@@ -0,0 +1,425 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcm_aead.h"
+
+#include <limits.h>
+
+#define BLOCK_SIZE 16
+#define NONCE_SIZE 12
+#define IV_SIZE 8
+#define SALT_SIZE (NONCE_SIZE - IV_SIZE)
+
+typedef struct private_gcm_aead_t private_gcm_aead_t;
+
+/**
+ * Private data of an gcm_aead_t object.
+ */
+struct private_gcm_aead_t {
+
+	/**
+	 * Public gcm_aead_t interface.
+	 */
+	gcm_aead_t public;
+
+	/**
+	 * Underlying CBC crypter.
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * Size of the integrity check value
+	 */
+	size_t icv_size;
+
+	/**
+	 * Salt value
+	 */
+	char salt[SALT_SIZE];
+
+	/**
+	 * GHASH subkey H
+	 */
+	char h[BLOCK_SIZE];
+};
+
+/**
+ * Find a suiteable word size and network order conversion functions
+ */
+#if ULONG_MAX == 18446744073709551615UL && defined(htobe64)
+#	define htobeword htobe64
+#	define bewordtoh be64toh
+#	define SHIFT_WORD_TYPE u_int64_t
+#else
+#	define htobeword htonl
+#	define bewordtoh ntohl
+#	define SHIFT_WORD_TYPE u_int32_t
+#endif
+
+/**
+ * Bitshift a block right by one bit
+ */
+static void sr_block(char *block)
+{
+	int i;
+	SHIFT_WORD_TYPE *word = (SHIFT_WORD_TYPE*)block;
+
+	for (i = 0; i < BLOCK_SIZE / sizeof(*word); i++)
+	{
+		word[i] = bewordtoh(word[i]);
+	}
+	for (i = BLOCK_SIZE / sizeof(*word) - 1; i >= 0; i--)
+	{
+		word[i] >>= 1;
+		if (i != 0)
+		{
+			word[i] |= word[i - 1] << (sizeof(*word) * 8 - 1);
+		}
+	}
+	for (i = 0; i < BLOCK_SIZE / sizeof(*word); i++)
+	{
+		word[i] = htobeword(word[i]);
+	}
+}
+
+/**
+ * Naive implementation of block multiplication in GF128, no tables
+ */
+static void mult_block(char *x, char *y, char *res)
+{
+	char z[BLOCK_SIZE], v[BLOCK_SIZE], r;
+	int bit, byte;
+
+	r = 0xE1;
+	memset(z, 0, BLOCK_SIZE);
+	memcpy(v, y, BLOCK_SIZE);
+
+	for (byte = 0; byte < BLOCK_SIZE; byte++)
+	{
+		for (bit = 7; bit >= 0; bit--)
+		{
+			if (x[byte] & (1 << bit))
+			{
+				memxor(z, v, BLOCK_SIZE);
+			}
+			if (v[BLOCK_SIZE - 1] & 0x01)
+			{
+				sr_block(v);
+				v[0] ^= r;
+			}
+			else
+			{
+				sr_block(v);
+			}
+		}
+	}
+	memcpy(res, z, BLOCK_SIZE);
+}
+
+/**
+ * GHASH function
+ */
+static void ghash(private_gcm_aead_t *this, chunk_t x, char *res)
+{
+	char y[BLOCK_SIZE];
+
+	memset(y, 0, BLOCK_SIZE);
+
+	while (x.len)
+	{
+		memxor(y, x.ptr, BLOCK_SIZE);
+		mult_block(y, this->h, y);
+		x = chunk_skip(x, BLOCK_SIZE);
+	}
+	memcpy(res, y, BLOCK_SIZE);
+}
+
+/**
+ * GCTR function, en-/decrypts x inline
+ */
+static void gctr(private_gcm_aead_t *this, char *icb, chunk_t x)
+{
+	char cb[BLOCK_SIZE], iv[BLOCK_SIZE], tmp[BLOCK_SIZE];
+
+	memset(iv, 0, BLOCK_SIZE);
+	memcpy(cb, icb, BLOCK_SIZE);
+
+	while (x.len)
+	{
+		memcpy(tmp, cb, BLOCK_SIZE);
+		this->crypter->encrypt(this->crypter, chunk_from_thing(tmp),
+							   chunk_from_thing(iv), NULL);
+		memxor(x.ptr, tmp, min(BLOCK_SIZE, x.len));
+		chunk_increment(chunk_from_thing(cb));
+		x = chunk_skip(x, BLOCK_SIZE);
+	}
+}
+
+/**
+ * Generate the block J0
+ */
+static void create_j(private_gcm_aead_t *this, char *iv, char *j)
+{
+	memcpy(j, this->salt, SALT_SIZE);
+	memcpy(j + SALT_SIZE, iv, IV_SIZE);
+	htoun32(j + SALT_SIZE + IV_SIZE, 1);
+}
+
+/**
+ * Create GHASH subkey H
+ */
+static void create_h(private_gcm_aead_t *this, char *h)
+{
+	char zero[BLOCK_SIZE];
+
+	memset(zero, 0, BLOCK_SIZE);
+	memset(h, 0, BLOCK_SIZE);
+
+	this->crypter->encrypt(this->crypter, chunk_create(h, BLOCK_SIZE),
+						   chunk_from_thing(zero), NULL);
+}
+
+/**
+ * Encrypt/decrypt
+ */
+static void crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out)
+{
+	char icb[BLOCK_SIZE];
+
+	memcpy(icb, j, BLOCK_SIZE);
+	chunk_increment(chunk_from_thing(icb));
+
+	out.len = in.len;
+	if (in.ptr != out.ptr)
+	{
+		memcpy(out.ptr, in.ptr, in.len);
+	}
+	gctr(this, icb, out);
+}
+
+/**
+ * Create ICV
+ */
+static void create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
+					   char *j, char *icv)
+{
+	size_t assoc_pad, crypt_pad;
+	chunk_t chunk;
+	char s[BLOCK_SIZE], *pos;
+
+	assoc_pad = (BLOCK_SIZE - (assoc.len % BLOCK_SIZE)) % BLOCK_SIZE;
+	crypt_pad = (BLOCK_SIZE - (crypt.len % BLOCK_SIZE)) % BLOCK_SIZE;
+
+	/* concatenate data to a new chunk */
+	chunk = chunk_alloc(assoc.len + assoc_pad +
+						crypt.len + crypt_pad + BLOCK_SIZE);
+	pos = chunk.ptr;
+	/* add associated data */
+	memcpy(pos, assoc.ptr, assoc.len);
+	pos += assoc.len;
+	memset(pos, 0, assoc_pad);
+	pos += assoc_pad;
+	/* add encrypted data */
+	memcpy(pos, crypt.ptr, crypt.len);
+	pos += crypt.len;
+	memset(pos, 0, crypt_pad);
+	pos += crypt_pad;
+	/* write associated len */
+	memset(pos, 0, 4);
+	pos += 4;
+	htoun32(pos, assoc.len * 8);
+	pos += 4;
+	/* write encrypted length */
+	memset(pos, 0, 4);
+	pos += 4;
+	htoun32(pos, crypt.len * 8);
+	pos += 4;
+
+	ghash(this, chunk, s);
+	free(chunk.ptr);
+	gctr(this, j, chunk_from_thing(s));
+
+	memcpy(icv, s, this->icv_size);
+}
+
+/**
+ * Verify the ICV value
+ */
+static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
+					   char *j, char *icv)
+{
+	char tmp[this->icv_size];
+
+	create_icv(this, assoc, crypt, j, tmp);
+
+	return memeq(tmp, icv, this->icv_size);
+}
+
+METHOD(aead_t, encrypt, void,
+	private_gcm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	char j[BLOCK_SIZE];
+
+	create_j(this, iv.ptr, j);
+
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(plain.len + this->icv_size);
+		crypt(this, j, plain, *encrypted);
+		create_icv(this, assoc,
+				   chunk_create(encrypted->ptr, encrypted->len - this->icv_size),
+				   j, encrypted->ptr + encrypted->len - this->icv_size);
+	}
+	else
+	{
+		crypt(this, j, plain, plain);
+		create_icv(this, assoc, plain, j, plain.ptr + plain.len);
+	}
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_gcm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	char j[BLOCK_SIZE];
+
+	if (encrypted.len < this->icv_size)
+	{
+		return FALSE;
+	}
+
+	create_j(this, iv.ptr, j);
+
+	encrypted.len -= this->icv_size;
+	if (!verify_icv(this, assoc, encrypted, j, encrypted.ptr + encrypted.len))
+	{
+		return FALSE;
+	}
+	if (plain)
+	{
+		*plain = chunk_alloc(encrypted.len);
+		crypt(this, j, encrypted, *plain);
+	}
+	else
+	{
+		crypt(this, j, encrypted, encrypted);
+	}
+	return TRUE;
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return 1;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return IV_SIZE;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_gcm_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
+}
+
+METHOD(aead_t, set_key, void,
+	private_gcm_aead_t *this, chunk_t key)
+{
+	memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
+	key.len -= SALT_SIZE;
+	this->crypter->set_key(this->crypter, key);
+	create_h(this, this->h);
+}
+
+METHOD(aead_t, destroy, void,
+	private_gcm_aead_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_gcm_aead_t *this;
+	size_t icv_size;
+
+	switch (key_size)
+	{
+		case 0:
+			key_size = 16;
+			break;
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return NULL;
+	}
+	switch (algo)
+	{
+		case ENCR_AES_GCM_ICV8:
+			algo = ENCR_AES_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_AES_GCM_ICV12:
+			algo = ENCR_AES_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_AES_GCM_ICV16:
+			algo = ENCR_AES_CBC;
+			icv_size = 16;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.aead = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_icv_size = _get_icv_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+		.icv_size = icv_size,
+	);
+
+	if (!this->crypter)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h
new file mode 100644
index 000000000..db4be2442
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_aead.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcm_aead gcm_aead
+ * @{ @ingroup gcm
+ */
+
+#ifndef GCM_AEAD_H_
+#define GCM_AEAD_H_
+
+#include <crypto/aead.h>
+
+typedef struct gcm_aead_t gcm_aead_t;
+
+/**
+ * Galois/Counter Mode (GCM).
+ *
+ * Implements GCM as specified in NIST 800-38D, using AEAD semantics from
+ * RFC 5282, based on RFC4106.
+ */
+struct gcm_aead_t {
+
+	/**
+	 * Implements aead_t interface.
+	 */
+	aead_t aead;
+};
+
+/**
+ * Create a gcm_aead instance.
+ *
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement, a gcm mode
+ * @return				aead, NULL if not supported
+ */
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** GCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c
new file mode 100644
index 000000000..061001b30
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcm_plugin.h"
+
+#include <library.h>
+
+#include "gcm_aead.h"
+
+typedef struct private_gcm_plugin_t private_gcm_plugin_t;
+
+/**
+ * private data of gcm_plugin
+ */
+struct private_gcm_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	gcm_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_gcm_plugin_t *this)
+{
+	lib->crypto->remove_aead(lib->crypto,
+					(aead_constructor_t)gcm_aead_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *gcm_plugin_create()
+{
+	private_gcm_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+	);
+
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8,
+					(aead_constructor_t)gcm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12,
+					(aead_constructor_t)gcm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16,
+					(aead_constructor_t)gcm_aead_create);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.h b/src/libstrongswan/plugins/gcm/gcm_plugin.h
new file mode 100644
index 000000000..52676708e
--- /dev/null
+++ b/src/libstrongswan/plugins/gcm/gcm_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcm gcm
+ * @ingroup plugins
+ *
+ * @defgroup gcm_plugin gcm_plugin
+ * @{ @ingroup gcm
+ */
+
+#ifndef GCM_PLUGIN_H_
+#define GCM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct gcm_plugin_t gcm_plugin_t;
+
+/**
+ * Plugin providing GCM mode operation.
+ */
+struct gcm_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** GCM_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 09131c4be..00c49c487 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
index 5dbdde32c..599481911 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.c
@@ -40,15 +40,43 @@ struct private_gcrypt_crypter_t {
 	 * gcrypt algorithm identifier
 	 */
 	int alg;
+
+	/**
+	 * are we using counter mode?
+	 */
+	bool ctr_mode;
+
+	/**
+	 * counter state
+	 */
+	struct {
+		char nonce[4];
+		char iv[8];
+		u_int32_t counter;
+	} __attribute__((packed)) ctr;
 };
 
 /**
- * Implementation of crypter_t.decrypt.
+ * Set the IV for en/decryption
  */
-static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst)
+static void set_iv(private_gcrypt_crypter_t *this, chunk_t iv)
+{
+	if (this->ctr_mode)
+	{
+		memcpy(this->ctr.iv, iv.ptr, sizeof(this->ctr.iv));
+		this->ctr.counter = htonl(1);
+		gcry_cipher_setctr(this->h, &this->ctr, sizeof(this->ctr));
+	}
+	else
+	{
+		gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	}
+}
+
+METHOD(crypter_t, decrypt, void,
+	private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	set_iv(this, iv);
 
 	if (dst)
 	{
@@ -61,13 +89,10 @@ static void decrypt(private_gcrypt_crypter_t *this, chunk_t data,
 	}
 }
 
-/**
- * Implementation of crypter_t.encrypt.
- */
-static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, encrypt, void,
+	private_gcrypt_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
-	gcry_cipher_setiv(this->h, iv.ptr, iv.len);
+	set_iv(this, iv);
 
 	if (dst)
 	{
@@ -80,40 +105,60 @@ static void encrypt(private_gcrypt_crypter_t *this, chunk_t data,
 	}
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size(private_gcrypt_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_gcrypt_crypter_t *this)
 {
 	size_t len = 0;
 
+	if (this->ctr_mode)
+	{	/* counter mode does not need any padding */
+		return 1;
+	}
 	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
 	return len;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size(private_gcrypt_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_gcrypt_crypter_t *this)
+{
+	size_t len = 0;
+
+	if (this->ctr_mode)
+	{
+		return sizeof(this->ctr.iv);
+	}
+	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_BLKLEN, NULL, &len);
+	return len;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_gcrypt_crypter_t *this)
 {
 	size_t len = 0;
 
 	gcry_cipher_algo_info(this->alg, GCRYCTL_GET_KEYLEN, NULL, &len);
+	if (this->ctr_mode)
+	{
+		return len + sizeof(this->ctr.nonce);
+	}
 	return len;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key(private_gcrypt_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_gcrypt_crypter_t *this, chunk_t key)
 {
+	if (this->ctr_mode)
+	{
+		/* last 4 bytes are the nonce */
+		memcpy(this->ctr.nonce, key.ptr + key.len - sizeof(this->ctr.nonce),
+			   sizeof(this->ctr.nonce));
+		key.len -= sizeof(this->ctr.nonce);
+	}
 	gcry_cipher_setkey(this->h, key.ptr, key.len);
 }
 
-/**
- * Implementation of crypter_t.destroy.
- */
-static void destroy (private_gcrypt_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_gcrypt_crypter_t *this)
 {
 	gcry_cipher_close(this->h);
 	free(this);
@@ -149,18 +194,19 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 			gcrypt_alg = GCRY_CIPHER_CAST5;
 			break;
 		case ENCR_BLOWFISH:
-			if (key_size != 16)
+			if (key_size != 16 && key_size != 0)
 			{	/* gcrypt currently supports 128 bit blowfish only */
 				return NULL;
 			}
 			gcrypt_alg = GCRY_CIPHER_BLOWFISH;
 			break;
-		/* case ENCR_AES_CTR:
-			mode = GCRY_CIPHER_MODE_CTR; */
+		case ENCR_AES_CTR:
+			mode = GCRY_CIPHER_MODE_CTR;
 			/* fall */
 		case ENCR_AES_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_AES128;
 					break;
@@ -174,13 +220,14 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 					return NULL;
 			}
 			break;
-		/* case ENCR_CAMELLIA_CTR:
-			mode = GCRY_CIPHER_MODE_CTR; */
+		case ENCR_CAMELLIA_CTR:
+			mode = GCRY_CIPHER_MODE_CTR;
 			/* fall */
 		case ENCR_CAMELLIA_CBC:
 			switch (key_size)
 			{
 #ifdef HAVE_GCRY_CIPHER_CAMELLIA
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_CAMELLIA128;
 					break;
@@ -198,6 +245,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		case ENCR_SERPENT_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_SERPENT128;
 					break;
@@ -214,6 +262,7 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		case ENCR_TWOFISH_CBC:
 			switch (key_size)
 			{
+				case 0:
 				case 16:
 					gcrypt_alg = GCRY_CIPHER_TWOFISH128;
 					break;
@@ -228,9 +277,22 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_crypter_t);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.alg = gcrypt_alg,
+		.ctr_mode = mode == GCRY_CIPHER_MODE_CTR,
+	);
 
-	this->alg = gcrypt_alg;
 	err = gcry_cipher_open(&this->h, gcrypt_alg, mode, 0);
 	if (err)
 	{
@@ -239,14 +301,6 @@ gcrypt_crypter_t *gcrypt_crypter_create(encryption_algorithm_t algo,
 		free(this);
 		return NULL;
 	}
-
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *))encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *))decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *))get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *))get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t))set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *))destroy;
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
index ce0ead4a8..e565e28c7 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_crypter.h
@@ -33,7 +33,7 @@ struct gcrypt_crypter_t {
 	/**
 	 * The crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index 08d6239ad..6c4665da2 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -73,10 +73,8 @@ struct private_gcrypt_dh_t {
 	size_t p_len;
 };
 
-/**
- * Implementation of gcrypt_dh_t.set_other_public_value.
- */
-static void set_other_public_value(private_gcrypt_dh_t *this, chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_gcrypt_dh_t *this, chunk_t value)
 {
 	gcry_mpi_t p_min_1;
 	gcry_error_t err;
@@ -134,18 +132,14 @@ static chunk_t export_mpi(gcry_mpi_t value, size_t len)
 	return chunk;
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_my_public_value.
- */
-static void get_my_public_value(private_gcrypt_dh_t *this, chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_gcrypt_dh_t *this, chunk_t *value)
 {
 	*value = export_mpi(this->ya, this->p_len);
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_gcrypt_dh_t *this, chunk_t *secret)
 {
 	if (!this->zz)
 	{
@@ -155,18 +149,14 @@ static status_t get_shared_secret(private_gcrypt_dh_t *this, chunk_t *secret)
 	return SUCCESS;
 }
 
-/**
- * Implementation of gcrypt_dh_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_gcrypt_dh_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_gcrypt_dh_t *this)
 {
 	return this->group;
 }
 
-/**
- * Implementation of gcrypt_dh_t.destroy.
- */
-static void destroy(private_gcrypt_dh_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_gcrypt_dh_t *this)
 {
 	gcry_mpi_release(this->p);
 	gcry_mpi_release(this->xa);
@@ -178,42 +168,37 @@ static void destroy(private_gcrypt_dh_t *this)
 }
 
 /*
- * Described in header.
+ * Generic internal constructor
  */
-gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
+gcrypt_dh_t *create_generic(diffie_hellman_group_t group, size_t exp_len,
+							chunk_t g, chunk_t p)
 {
 	private_gcrypt_dh_t *this;
-	diffie_hellman_params_t *params;
 	gcry_error_t err;
 	chunk_t random;
 	rng_t *rng;
 
-	params = diffie_hellman_get_params(group);
-	if (!params)
-	{
-		return NULL;
-	}
-
-	this = malloc_thing(private_gcrypt_dh_t);
-
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
-
-	this->group = group;
-	this->p_len = params->prime.len;
-	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG,
-						params->prime.ptr, params->prime.len, NULL);
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+		.p_len = p.len,
+	);
+	err = gcry_mpi_scan(&this->p, GCRYMPI_FMT_USG, p.ptr, p.len, NULL);
 	if (err)
 	{
 		DBG1(DBG_LIB, "importing mpi modulus failed: %s", gpg_strerror(err));
 		free(this);
 		return NULL;
 	}
-	err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG,
-						params->generator.ptr, params->generator.len, NULL);
+	err = gcry_mpi_scan(&this->g, GCRYMPI_FMT_USG, g.ptr, g.len, NULL);
 	if (err)
 	{
 		DBG1(DBG_LIB, "importing mpi generator failed: %s", gpg_strerror(err));
@@ -225,7 +210,7 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	if (rng)
 	{	/* prefer external randomizer */
-		rng->allocate_bytes(rng, params->exp_len, &random);
+		rng->allocate_bytes(rng, exp_len, &random);
 		rng->destroy(rng);
 		err = gcry_mpi_scan(&this->xa, GCRYMPI_FMT_USG,
 							random.ptr, random.len, NULL);
@@ -241,21 +226,49 @@ gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
 	}
 	else
 	{	/* fallback to gcrypt internal randomizer, shouldn't ever happen */
-		this->xa = gcry_mpi_new(params->exp_len * 8);
-		gcry_mpi_randomize(this->xa, params->exp_len * 8, GCRY_STRONG_RANDOM);
+		this->xa = gcry_mpi_new(exp_len * 8);
+		gcry_mpi_randomize(this->xa, exp_len * 8, GCRY_STRONG_RANDOM);
 	}
-	if (params->exp_len == this->p_len)
+	if (exp_len == this->p_len)
 	{
 		/* achieve bitsof(p)-1 by setting MSB to 0 */
-		gcry_mpi_clear_bit(this->xa, params->exp_len * 8 - 1);
+		gcry_mpi_clear_bit(this->xa, exp_len * 8 - 1);
 	}
 
 	this->ya = gcry_mpi_new(this->p_len * 8);
-	this->yb = NULL;
-	this->zz = NULL;
 
 	gcry_mpi_powm(this->ya, this->g, this->xa, this->p);
 
 	return &this->public;
 }
 
+
+/*
+ * Described in header.
+ */
+gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group)
+{
+
+	diffie_hellman_params_t *params;
+
+	params = diffie_hellman_get_params(group);
+	if (!params)
+	{
+		return NULL;
+	}
+	return create_generic(group, params->exp_len,
+						  params->generator, params->prime);
+}
+
+/*
+ * Described in header.
+ */
+gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group,
+									 chunk_t g, chunk_t p)
+{
+	if (group == MODP_CUSTOM)
+	{
+		return create_generic(group, p.len, g, p);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
index 95b68dcd0..a70958dc4 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.h
@@ -44,5 +44,16 @@ struct gcrypt_dh_t {
  */
 gcrypt_dh_t *gcrypt_dh_create(diffie_hellman_group_t group);
 
+/**
+ * Creates a new gcrypt_dh_t object for MODP_CUSTOM.
+ *
+ * @param group			MODP_CUSTOM
+ * @param g				generator
+ * @param p				prime
+ * @return				gcrypt_dh_t object, NULL if not supported
+ */
+gcrypt_dh_t *gcrypt_dh_create_custom(diffie_hellman_group_t group,
+									 chunk_t g, chunk_t p);
+
 #endif /** GCRYPT_DH_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 39609c16c..96c87614f 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -37,27 +37,20 @@ struct private_gcrypt_hasher_t {
 	gcry_md_hd_t hd;
 };
 
-/**
- * Implementation of hasher_t.get_hash_size.
- */
-static size_t get_hash_size(private_gcrypt_hasher_t *this)
+METHOD(hasher_t, get_hash_size, size_t,
+	private_gcrypt_hasher_t *this)
 {
 	return gcry_md_get_algo_dlen(gcry_md_get_algo(this->hd));
 }
 
-/**
- * Implementation of hasher_t.reset.
- */
-static void reset(private_gcrypt_hasher_t *this)
+METHOD(hasher_t, reset, void,
+	private_gcrypt_hasher_t *this)
 {
 	gcry_md_reset(this->hd);
 }
 
-/**
- * Implementation of hasher_t.get_hash.
- */
-static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
-					 u_int8_t *hash)
+METHOD(hasher_t, get_hash, void,
+	private_gcrypt_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	gcry_md_write(this->hd, chunk.ptr, chunk.len);
 	if (hash)
@@ -67,11 +60,8 @@ static void get_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.allocate_hash.
- */
-static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
-						  chunk_t *hash)
+METHOD(hasher_t, allocate_hash, void,
+	private_gcrypt_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
@@ -84,10 +74,8 @@ static void allocate_hash(private_gcrypt_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.destroy.
- */
-static void destroy (private_gcrypt_hasher_t *this)
+METHOD(hasher_t, destroy, void,
+	private_gcrypt_hasher_t *this)
 {
 	gcry_md_close(this->hd);
 	free(this);
@@ -132,7 +120,17 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_hasher_t);
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	err = gcry_md_open(&this->hd, gcrypt_alg, 0);
 	if (err)
@@ -143,12 +141,6 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
 		return NULL;
 	}
 
-	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
-	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
-	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
-	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
-	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
index 708ccaafb..a7542bcdd 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.h
@@ -33,7 +33,7 @@ struct gcrypt_hasher_t {
 	/**
 	 * The hasher_t interface.
 	 */
-	hasher_t hasher_interface;
+	hasher_t hasher;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 039036b2c..590add5c8 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -93,10 +93,8 @@ static struct gcry_thread_cbs thread_functions = {
 	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
 };
 
-/**
- * Implementation of gcrypt_plugin_t.destroy
- */
-static void destroy(private_gcrypt_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_gcrypt_plugin_t *this)
 {
 	lib->crypto->remove_hasher(lib->crypto,
 					(hasher_constructor_t)gcrypt_hasher_create);
@@ -106,6 +104,8 @@ static void destroy(private_gcrypt_plugin_t *this)
 					(rng_constructor_t)gcrypt_rng_create);
 	lib->crypto->remove_dh(lib->crypto,
 					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->remove_dh(lib->crypto,
+					(dh_constructor_t)gcrypt_dh_create_custom);
 	lib->creds->remove_builder(lib->creds,
 					(builder_function_t)gcrypt_rsa_private_key_gen);
 	lib->creds->remove_builder(lib->creds,
@@ -139,9 +139,13 @@ plugin_t *gcrypt_plugin_create()
 	}
 	gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
 
-	this = malloc_thing(private_gcrypt_plugin_t);
-
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* hashers */
 	lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
@@ -172,8 +176,14 @@ plugin_t *gcrypt_plugin_create()
 					(crypter_constructor_t)gcrypt_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR,
+					(crypter_constructor_t)gcrypt_crypter_create);
+#ifdef HAVE_GCRY_CIPHER_CAMELLIA
 	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
+	lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR,
+					(crypter_constructor_t)gcrypt_crypter_create);
+#endif /* HAVE_GCRY_CIPHER_CAMELLIA */
 	lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC,
 					(crypter_constructor_t)gcrypt_crypter_create);
 	lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC,
@@ -210,13 +220,15 @@ plugin_t *gcrypt_plugin_create()
 					(dh_constructor_t)gcrypt_dh_create);
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 					(dh_constructor_t)gcrypt_dh_create);
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+					(dh_constructor_t)gcrypt_dh_create_custom);
 
 	/* RSA */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 					(builder_function_t)gcrypt_rsa_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
 					(builder_function_t)gcrypt_rsa_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
 					(builder_function_t)gcrypt_rsa_public_key_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
index d0d252572..d29755de9 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rng.c
@@ -35,11 +35,8 @@ struct private_gcrypt_rng_t {
 	rng_quality_t quality;
 };
 
-/**
- * Implementation of gcrypt_rng_t.get_bytes.
- */
-static void get_bytes(private_gcrypt_rng_t *this, size_t bytes,
-					  u_int8_t *buffer)
+METHOD(rng_t, get_bytes, void,
+	private_gcrypt_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	switch (this->quality)
 	{
@@ -55,20 +52,15 @@ static void get_bytes(private_gcrypt_rng_t *this, size_t bytes,
 	}
 }
 
-/**
- * Implementation of gcrypt_rng_t.allocate_bytes.
- */
-static void allocate_bytes(private_gcrypt_rng_t *this, size_t bytes,
-						   chunk_t *chunk)
+METHOD(rng_t, allocate_bytes, void,
+	private_gcrypt_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	*chunk = chunk_alloc(bytes);
 	get_bytes(this, chunk->len, chunk->ptr);
 }
 
-/**
- * Implementation of gcrypt_rng_t.destroy.
- */
-static void destroy(private_gcrypt_rng_t *this)
+METHOD(rng_t, destroy, void,
+	private_gcrypt_rng_t *this)
 {
 	free(this);
 }
@@ -90,13 +82,16 @@ gcrypt_rng_t *gcrypt_rng_create(rng_quality_t quality)
 			return NULL;
 	}
 
-	this = malloc_thing(private_gcrypt_rng_t);
-
-	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
-	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
-	this->public.rng.destroy = (void (*) (rng_t *))destroy;
-
-	this->quality = quality;
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+		.quality = quality,
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index b8e86aba0..38ce2cd6c 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -192,19 +192,15 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
 	return !!signature->len;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static key_type_t get_type(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *sig)
+METHOD(private_key_t, sign, bool,
+	private_gcrypt_rsa_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *sig)
 {
 	switch (scheme)
 	{
@@ -229,17 +225,21 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche
 	}
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static bool decrypt(private_gcrypt_rsa_private_key_t *this,
-					chunk_t encrypted, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_gcrypt_rsa_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t encrypted, chunk_t *plain)
 {
 	gcry_error_t err;
 	gcry_sexp_t in, out;
 	chunk_t padded;
 	u_char *pos = NULL;;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	err = gcry_sexp_build(&in, NULL, "(enc-val(flags)(rsa(a %b)))",
 						  encrypted.len, encrypted.ptr);
 	if (err)
@@ -277,18 +277,14 @@ static bool decrypt(private_gcrypt_rsa_private_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_keysize.
- */
-static size_t get_keysize(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_gcrypt_rsa_private_key_t *this)
 {
-	return gcry_pk_get_nbits(this->key) / 8;
+	return gcry_pk_get_nbits(this->key);
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	chunk_t n, e;
 	public_key_t *public;
@@ -304,11 +300,9 @@ static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this)
 	return public;
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_gcrypt_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t cn, ce, cp, cq, cd, cu, cexp1 = chunk_empty, cexp2 = chunk_empty;
 	gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2;
@@ -385,11 +379,9 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_gcrypt_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -409,19 +401,15 @@ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.get_ref.
- */
-static private_key_t* get_ref(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gcrypt_rsa_private_key.destroy.
- */
-static void destroy(private_gcrypt_rsa_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_gcrypt_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -434,25 +422,29 @@ static void destroy(private_gcrypt_rsa_private_key_t *this)
 /**
  * Internal generic constructor
  */
-static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty()
+static private_gcrypt_rsa_private_key_t *create_empty()
 {
-	private_gcrypt_rsa_private_key_t *this = malloc_thing(private_gcrypt_rsa_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-
-	this->key = NULL;
-	this->ref = 1;
+	private_gcrypt_rsa_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
@@ -493,7 +485,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_gen(key_type_t type,
 		DBG1(DBG_LIB, "building S-expression failed: %s", gpg_strerror(err));
 		return NULL;
 	}
-	this = gcrypt_rsa_private_key_create_empty();
+	this = create_empty();
 	err = gcry_pk_genkey(&this->key, param);
 	gcry_sexp_release(param);
 	if (err)
@@ -552,7 +544,7 @@ gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_load(key_type_t type,
 		break;
 	}
 
-	this = gcrypt_rsa_private_key_create_empty();
+	this = create_empty();
 	err = gcry_sexp_build(&this->key, NULL,
 					"(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))",
 					n.len, n.ptr, e.len, e.ptr, d.len, d.ptr,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
index 4c3605f4b..0f3d66b80 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.h
@@ -34,7 +34,7 @@ struct gcrypt_rsa_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 80a91b976..f8645da97 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -159,19 +159,15 @@ static bool verify_pkcs1(private_gcrypt_rsa_public_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_gcrypt_rsa_public_key_t *this,
-				   signature_scheme_t scheme, chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_gcrypt_rsa_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -196,15 +192,19 @@ static bool verify(private_gcrypt_rsa_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.encrypt.
- */
-static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
-					 chunk_t *encrypted)
+METHOD(public_key_t, encrypt_, bool,
+	private_gcrypt_rsa_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *encrypted)
 {
 	gcry_sexp_t in, out;
 	gcry_error_t err;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	/* "pkcs1" uses PKCS 1.5 (section 8.1) block type 2 encryption:
 	 * 00 | 02 | RANDOM | 00 | DATA */
 	err = gcry_sexp_build(&in, NULL, "(data(flags pkcs1)(value %b))",
@@ -228,19 +228,15 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
 	return !!encrypted->len;
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_gcrypt_rsa_public_key_t *this)
 {
-	return gcry_pk_get_nbits(this->key) / 8;
+	return gcry_pk_get_nbits(this->key);
 }
 
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_gcrypt_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t n, e;
 	bool success;
@@ -256,11 +252,9 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_gcrypt_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -280,19 +274,15 @@ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static public_key_t* get_ref(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gcrypt_rsa_public_key.destroy.
- */
-static void destroy(private_gcrypt_rsa_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_gcrypt_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -331,21 +321,23 @@ gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type,
 		break;
 	}
 
-	this = malloc_thing(private_gcrypt_rsa_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-
-	this->key = NULL;
-	this->ref = 1;
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
 						  n.len, n.ptr, e.len, e.ptr);
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
index fa18c357b..ca0a284a2 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.h
@@ -34,7 +34,7 @@ struct gcrypt_rsa_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index bd7100b27..b4ec1ed8d 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index 4ee449890..e99502b27 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -85,10 +85,8 @@ struct private_gmp_diffie_hellman_t {
 	bool computed;
 };
 
-/**
- * Implementation of gmp_diffie_hellman_t.set_other_public_value.
- */
-static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_gmp_diffie_hellman_t *this, chunk_t value)
 {
 	mpz_t p_min_1;
 
@@ -146,10 +144,8 @@ static void set_other_public_value(private_gmp_diffie_hellman_t *this, chunk_t v
 	mpz_clear(p_min_1);
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_gmp_diffie_hellman_t *this,chunk_t *value)
 {
 	value->len = this->p_len;
 	value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
@@ -159,10 +155,8 @@ static void get_my_public_value(private_gmp_diffie_hellman_t *this,chunk_t *valu
 	}
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_gmp_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
@@ -177,18 +171,14 @@ static status_t get_shared_secret(private_gmp_diffie_hellman_t *this, chunk_t *s
 	return SUCCESS;
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_gmp_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_gmp_diffie_hellman_t *this)
 {
 	return this->group;
 }
 
-/**
- * Implementation of gmp_diffie_hellman_t.destroy.
- */
-static void destroy(private_gmp_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_gmp_diffie_hellman_t *this)
 {
 	mpz_clear(this->p);
 	mpz_clear(this->xa);
@@ -199,44 +189,38 @@ static void destroy(private_gmp_diffie_hellman_t *this)
 	free(this);
 }
 
-/*
- * Described in header.
+/**
+ * Generic internal constructor
  */
-gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
+static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group,
+											size_t exp_len, chunk_t g, chunk_t p)
 {
 	private_gmp_diffie_hellman_t *this;
-	diffie_hellman_params_t *params;
-	rng_t *rng;
 	chunk_t random;
+	rng_t *rng;
 
-	params = diffie_hellman_get_params(group);
-	if (!params)
-	{
-		return NULL;
-	}
-
-	this = malloc_thing(private_gmp_diffie_hellman_t);
-
-	/* public functions */
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+		.p_len = p.len,
+	);
 
-	/* private variables */
-	this->group = group;
 	mpz_init(this->p);
 	mpz_init(this->yb);
 	mpz_init(this->ya);
 	mpz_init(this->xa);
 	mpz_init(this->zz);
 	mpz_init(this->g);
-
-	this->computed = FALSE;
-	this->p_len = params->prime.len;
-	mpz_import(this->p, params->prime.len, 1, 1, 1, 0, params->prime.ptr);
-	mpz_import(this->g, params->generator.len, 1, 1, 1, 0, params->generator.ptr);
+	mpz_import(this->g, g.len, 1, 1, 1, 0, g.ptr);
+	mpz_import(this->p, p.len, 1, 1, 1, 0, p.ptr);
 
 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
 	if (!rng)
@@ -247,10 +231,10 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 		return NULL;
 	}
 
-	rng->allocate_bytes(rng, params->exp_len, &random);
+	rng->allocate_bytes(rng, exp_len, &random);
 	rng->destroy(rng);
 
-	if (params->exp_len == this->p_len)
+	if (exp_len == this->p_len)
 	{
 		/* achieve bitsof(p)-1 by setting MSB to 0 */
 		*random.ptr &= 0x7F;
@@ -265,3 +249,29 @@ gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
 	return &this->public;
 }
 
+/*
+ * Described in header.
+ */
+gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group)
+{
+	diffie_hellman_params_t *params;
+
+	params = diffie_hellman_get_params(group);
+	if (!params)
+	{
+		return NULL;
+	}
+	return create_generic(group, params->exp_len,
+						  params->generator, params->prime);
+}
+
+
+gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p)
+{
+	if (group == MODP_CUSTOM)
+	{
+		return create_generic(MODP_CUSTOM, p.len, g, p);
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
index 2a54eebb1..6d73c0863 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.h
@@ -45,5 +45,16 @@ struct gmp_diffie_hellman_t {
  */
 gmp_diffie_hellman_t *gmp_diffie_hellman_create(diffie_hellman_group_t group);
 
+/**
+ * Creates a new gmp_diffie_hellman_t object for MODP_CUSTOM.
+ *
+ * @param group			MODP_CUSTOM
+ * @param g				generator
+ * @param p				prime
+ * @return				gmp_diffie_hellman_t object, NULL if not supported
+ */
+gmp_diffie_hellman_t *gmp_diffie_hellman_create_custom(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p);
+
 #endif /** GMP_DIFFIE_HELLMAN_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index fbce9732f..9b4fad3da 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -33,13 +33,13 @@ struct private_gmp_plugin_t {
 	gmp_plugin_t public;
 };
 
-/**
- * Implementation of gmp_plugin_t.gmptroy
- */
-static void destroy(private_gmp_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_gmp_plugin_t *this)
 {
 	lib->crypto->remove_dh(lib->crypto,
 						(dh_constructor_t)gmp_diffie_hellman_create);
+	lib->crypto->remove_dh(lib->crypto,
+						(dh_constructor_t)gmp_diffie_hellman_create_custom);
 	lib->creds->remove_builder(lib->creds,
 						(builder_function_t)gmp_rsa_private_key_gen);
 	lib->creds->remove_builder(lib->creds,
@@ -54,9 +54,15 @@ static void destroy(private_gmp_plugin_t *this)
  */
 plugin_t *gmp_plugin_create()
 {
-	private_gmp_plugin_t *this = malloc_thing(private_gmp_plugin_t);
+	private_gmp_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_dh(lib->crypto, MODP_2048_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
@@ -81,11 +87,14 @@ plugin_t *gmp_plugin_create()
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 						(dh_constructor_t)gmp_diffie_hellman_create);
 
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+						(dh_constructor_t)gmp_diffie_hellman_create_custom);
+
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 						(builder_function_t)gmp_rsa_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
 						(builder_function_t)gmp_rsa_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
 						(builder_function_t)gmp_rsa_public_key_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index cc9985320..1b6c20817 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -209,7 +209,7 @@ static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
 }
 
 /**
- * Implementation of gmp_rsa_private_key_t.build_emsa_pkcs1_signature.
+ * Build a signature using the PKCS#1 EMSA scheme
  */
 static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 									   hash_algorithm_t hash_algorithm,
@@ -250,7 +250,7 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 	{
 		free(digestInfo.ptr);
 		DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len,
-			 this->k * 8);
+			 mpz_sizeinbase(this->n, 2));
 		return FALSE;
 	}
 
@@ -280,19 +280,15 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
 	return TRUE;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_type.
- */
-static key_type_t get_type(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_gmp_rsa_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.sign.
- */
-static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
@@ -317,15 +313,19 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
 	}
 }
 
-/**
- * Implementation of gmp_rsa_private_key.decrypt.
- */
-static bool decrypt(private_gmp_rsa_private_key_t *this, chunk_t crypto,
-					chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_gmp_rsa_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	chunk_t em, stripped;
 	bool success = FALSE;
 
+	if (scheme != ENCRYPT_RSA_PKCS1)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
 	/* rsa decryption using PKCS#1 RSADP */
 	stripped = em = rsadp(this, crypto);
 
@@ -356,18 +356,14 @@ end:
 	return success;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_keysize.
- */
-static size_t get_keysize(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_gmp_rsa_private_key_t *this)
 {
-	return this->k;
+	return mpz_sizeinbase(this->n, 2);
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_gmp_rsa_private_key_t *this)
 {
 	chunk_t n, e;
 	public_key_t *public;
@@ -383,27 +379,9 @@ static public_key_t* get_public_key(private_gmp_rsa_private_key_t *this)
 	return public;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.equals.
- */
-static bool equals(private_gmp_rsa_private_key_t *this, private_key_t *other)
-{
-	return private_key_equals(&this->public.interface, other);
-}
-
-/**
- * Implementation of gmp_rsa_private_key.belongs_to.
- */
-static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public)
-{
-	return private_key_belongs_to(&this->public.interface, public);
-}
-
-/**
- * Implementation of private_key_t.get_encoding
- */
-static bool get_encoding(private_gmp_rsa_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_gmp_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t n, e, d, p, q, exp1, exp2, coeff;
 	bool success;
@@ -435,11 +413,8 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_gmp_rsa_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -459,19 +434,15 @@ static bool get_fingerprint(private_gmp_rsa_private_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.get_ref.
- */
-static private_gmp_rsa_private_key_t* get_ref(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_gmp_rsa_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gmp_rsa_private_key.destroy.
- */
-static void destroy(private_gmp_rsa_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_gmp_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -592,23 +563,27 @@ static status_t check(private_gmp_rsa_private_key_t *this)
  */
 static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void)
 {
-	private_gmp_rsa_private_key_t *this = malloc_thing(private_gmp_rsa_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
-	this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
-	this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
-	this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals;
-	this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
-	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
-
-	this->ref = 1;
+	private_gmp_rsa_private_key_t *this;
 
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 	return this;
 }
 
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
index db1fcf535..32e1f292c 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.h
@@ -34,7 +34,7 @@ struct gmp_rsa_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index c114ae80d..a7ba80138 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -273,19 +273,15 @@ end:
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_gmp_rsa_public_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
-				   chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_gmp_rsa_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -312,24 +308,21 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
 
 #define MIN_PS_PADDING 8
 
-/**
- * Implementation of public_key_t.encrypt.
- */
-static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
-					 chunk_t *crypto)
+METHOD(public_key_t, encrypt_, bool,
+	private_gmp_rsa_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
 {
 	chunk_t em;
 	u_char *pos;
 	int padding, i;
 	rng_t *rng;
 
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (rng == NULL)
+	if (scheme != ENCRYPT_RSA_PKCS1)
 	{
-		DBG1(DBG_LIB, "no random generator available");
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
 		return FALSE;
 	}
-
 	/* number of pseudo-random padding octets */
 	padding = this->k - plain.len - 3;
 	if (padding < MIN_PS_PADDING)
@@ -338,6 +331,12 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 			 MIN_PS_PADDING);
 		return FALSE;
 	}
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (rng == NULL)
+	{
+		DBG1(DBG_LIB, "no random generator available");
+		return FALSE;
+	}
 
 	/* padding according to PKCS#1 7.2.1 (RSAES-PKCS1-v1.5-ENCRYPT) */
 	DBG2(DBG_LIB, "padding %u bytes of data to the rsa modulus size of"
@@ -376,27 +375,15 @@ static bool encrypt_(private_gmp_rsa_public_key_t *this, chunk_t plain,
 	return TRUE;
 }
 
-/**
- * Implementation of gmp_rsa_public_key.equals.
- */
-static bool equals(private_gmp_rsa_public_key_t *this, public_key_t *other)
-{
-	return public_key_equals(&this->public.interface, other);
-}
-
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_gmp_rsa_public_key_t *this)
 {
-	return this->k;
+	return mpz_sizeinbase(this->n, 2);
 }
 
-/**
- * Implementation of public_key_t.get_encoding
- */
-static bool get_encoding(private_gmp_rsa_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_gmp_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	chunk_t n, e;
 	bool success;
@@ -412,11 +399,8 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_fingerprint
- */
-static bool get_fingerprint(private_gmp_rsa_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fp)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_gmp_rsa_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
 {
 	chunk_t n, e;
 	bool success;
@@ -436,19 +420,15 @@ static bool get_fingerprint(private_gmp_rsa_public_key_t *this,
 	return success;
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static private_gmp_rsa_public_key_t* get_ref(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_gmp_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of gmp_rsa_public_key.destroy.
- */
-static void destroy(private_gmp_rsa_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_gmp_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -490,20 +470,23 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
 		return NULL;
 	}
 
-	this = malloc_thing(private_gmp_rsa_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*) (public_key_t*))get_type;
-	this->public.interface.verify = (bool (*) (public_key_t*, signature_scheme_t, chunk_t, chunk_t))verify;
-	this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_;
-	this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t*))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*) (public_key_t *this))destroy;
-
-	this->ref = 1;
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	mpz_init(this->n);
 	mpz_init(this->e);
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
index 807f0bb7c..14dd71e0b 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.h
@@ -35,7 +35,7 @@ struct gmp_rsa_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index b03ff44a6..42a7d3747 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c
index c1ab48899..c7b2739df 100644
--- a/src/libstrongswan/plugins/hmac/hmac.c
+++ b/src/libstrongswan/plugins/hmac/hmac.c
@@ -30,7 +30,7 @@ struct private_hmac_t {
 	/**
 	 * Public hmac_t interface.
 	 */
-	hmac_t hmac;
+	hmac_t public;
 
 	/**
 	 * Block size, as in RFC.
@@ -53,10 +53,8 @@ struct private_hmac_t {
 	chunk_t ipaded_key;
 };
 
-/**
- * Implementation of hmac_t.get_mac.
- */
-static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
+METHOD(hmac_t, get_mac, void,
+	private_hmac_t *this, chunk_t data, u_int8_t *out)
 {
 	/* H(K XOR opad, H(K XOR ipad, text))
 	 *
@@ -91,37 +89,31 @@ static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
 	}
 }
 
-/**
- * Implementation of hmac_t.allocate_mac.
- */
-static void allocate_mac(private_hmac_t *this, chunk_t data, chunk_t *out)
+METHOD(hmac_t, allocate_mac, void,
+	private_hmac_t *this, chunk_t data, chunk_t *out)
 {
 	/* allocate space and use get_mac */
 	if (out == NULL)
 	{
 		/* append mode */
-		this->hmac.get_mac(&(this->hmac), data, NULL);
+		get_mac(this, data, NULL);
 	}
 	else
 	{
 		out->len = this->h->get_hash_size(this->h);
 		out->ptr = malloc(out->len);
-		this->hmac.get_mac(&(this->hmac), data, out->ptr);
+		get_mac(this, data, out->ptr);
 	}
 }
 
-/**
- * Implementation of hmac_t.get_block_size.
- */
-static size_t get_block_size(private_hmac_t *this)
+METHOD(hmac_t, get_block_size, size_t,
+	private_hmac_t *this)
 {
 	return this->h->get_hash_size(this->h);
 }
 
-/**
- * Implementation of hmac_t.set_key.
- */
-static void set_key(private_hmac_t *this, chunk_t key)
+METHOD(hmac_t, set_key, void,
+	private_hmac_t *this, chunk_t key)
 {
 	int i;
 	u_int8_t buffer[this->b];
@@ -151,10 +143,8 @@ static void set_key(private_hmac_t *this, chunk_t key)
 	this->h->get_hash(this->h, this->ipaded_key, NULL);
 }
 
-/**
- * Implementation of hmac_t.destroy.
- */
-static void destroy(private_hmac_t *this)
+METHOD(hmac_t, destroy, void,
+	private_hmac_t *this)
 {
 	this->h->destroy(this->h);
 	free(this->opaded_key.ptr);
@@ -167,14 +157,17 @@ static void destroy(private_hmac_t *this)
  */
 hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 {
-	private_hmac_t *this = malloc_thing(private_hmac_t);
-
-	/* set hmac_t methods */
-	this->hmac.get_mac = (void (*)(hmac_t *,chunk_t,u_int8_t*))get_mac;
-	this->hmac.allocate_mac = (void (*)(hmac_t *,chunk_t,chunk_t*))allocate_mac;
-	this->hmac.get_block_size = (size_t (*)(hmac_t *))get_block_size;
-	this->hmac.set_key = (void (*)(hmac_t *,chunk_t))set_key;
-	this->hmac.destroy = (void (*)(hmac_t *))destroy;
+	private_hmac_t *this;
+
+	INIT(this,
+		.public = {
+			.get_mac = _get_mac,
+			.allocate_mac = _allocate_mac,
+			.get_block_size = _get_block_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+	);
 
 	/* set b, according to hasher */
 	switch (hash_algorithm)
@@ -193,7 +186,6 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 			return NULL;
 	}
 
-	/* build the hasher */
 	this->h = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
 	if (this->h == NULL)
 	{
@@ -208,5 +200,5 @@ hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
 	this->ipaded_key.ptr = malloc(this->b);
 	this->ipaded_key.len = this->b;
 
-	return &(this->hmac);
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c
index e6b9f7a74..73df4dc6c 100644
--- a/src/libstrongswan/plugins/hmac/hmac_plugin.c
+++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c
@@ -32,10 +32,8 @@ struct private_hmac_plugin_t {
 	hmac_plugin_t public;
 };
 
-/**
- * Implementation of hmac_plugin_t.hmactroy
- */
-static void destroy(private_hmac_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_hmac_plugin_t *this)
 {
 	lib->crypto->remove_prf(lib->crypto,
 							(prf_constructor_t)hmac_prf_create);
@@ -49,9 +47,15 @@ static void destroy(private_hmac_plugin_t *this)
  */
 plugin_t *hmac_plugin_create()
 {
-	private_hmac_plugin_t *this = malloc_thing(private_hmac_plugin_t);
+	private_hmac_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256,
 						 (prf_constructor_t)hmac_prf_create);
@@ -72,12 +76,16 @@ plugin_t *hmac_plugin_create()
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128,
 							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256,
+							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96,
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128,
 							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192,
 							(signer_constructor_t)hmac_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384,
+							(signer_constructor_t)hmac_signer_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256,
 							(signer_constructor_t)hmac_signer_create);
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.c b/src/libstrongswan/plugins/hmac/hmac_prf.c
index cca6e9570..ca10612f9 100644
--- a/src/libstrongswan/plugins/hmac/hmac_prf.c
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.c
@@ -36,51 +36,39 @@ struct private_hmac_prf_t {
 	hmac_t *hmac;
 };
 
-/**
- * Implementation of prf_t.get_bytes.
- */
-static void get_bytes(private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer)
+METHOD(prf_t, get_bytes, void,
+	private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer)
 {
 	this->hmac->get_mac(this->hmac, seed, buffer);
 }
 
-/**
- * Implementation of prf_t.allocate_bytes.
- */
-static void allocate_bytes(private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk)
+METHOD(prf_t, allocate_bytes, void,
+	private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	this->hmac->allocate_mac(this->hmac, seed, chunk);
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_block_size(private_hmac_prf_t *this)
+METHOD(prf_t, get_block_size, size_t,
+	private_hmac_prf_t *this)
 {
 	return this->hmac->get_block_size(this->hmac);
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_key_size(private_hmac_prf_t *this)
+METHOD(prf_t, get_key_size, size_t,
+	private_hmac_prf_t *this)
 {
 	/* for HMAC prfs, IKEv2 uses block size as key size */
 	return this->hmac->get_block_size(this->hmac);
 }
 
-/**
- * Implementation of prf_t.set_key.
- */
-static void set_key(private_hmac_prf_t *this, chunk_t key)
+METHOD(prf_t, set_key, void,
+	private_hmac_prf_t *this, chunk_t key)
 {
 	this->hmac->set_key(this->hmac, key);
 }
 
-/**
- * Implementation of prf_t.destroy.
- */
-static void destroy(private_hmac_prf_t *this)
+METHOD(prf_t, destroy, void,
+	private_hmac_prf_t *this)
 {
 	this->hmac->destroy(this->hmac);
 	free(this);
@@ -92,44 +80,47 @@ static void destroy(private_hmac_prf_t *this)
 hmac_prf_t *hmac_prf_create(pseudo_random_function_t algo)
 {
 	private_hmac_prf_t *this;
-	hash_algorithm_t hash;
+	hmac_t *hmac;
 
 	switch (algo)
 	{
 		case PRF_HMAC_SHA1:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			break;
 		case PRF_HMAC_MD5:
-			hash = HASH_MD5;
+			hmac = hmac_create(HASH_MD5);
 			break;
 		case PRF_HMAC_SHA2_256:
-			hash = HASH_SHA256;
+			hmac = hmac_create(HASH_SHA256);
 			break;
 		case PRF_HMAC_SHA2_384:
-			hash = HASH_SHA384;
+			hmac = hmac_create(HASH_SHA384);
 			break;
 		case PRF_HMAC_SHA2_512:
-			hash = HASH_SHA512;
+			hmac = hmac_create(HASH_SHA512);
 			break;
 		default:
 			return NULL;
 	}
-
-	this = malloc_thing(private_hmac_prf_t);
-	this->hmac = hmac_create(hash);
-	if (this->hmac == NULL)
+	if (hmac == NULL)
 	{
-		free(this);
 		return NULL;
 	}
 
-	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
-	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
-	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
-	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
-	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
-	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.prf = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_block_size = _get_block_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.hmac = hmac,
+	);
+
+	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_prf.h b/src/libstrongswan/plugins/hmac/hmac_prf.h
index 975b456f5..29d7269ae 100644
--- a/src/libstrongswan/plugins/hmac/hmac_prf.h
+++ b/src/libstrongswan/plugins/hmac/hmac_prf.h
@@ -35,9 +35,9 @@ typedef struct hmac_prf_t hmac_prf_t;
 struct hmac_prf_t {
 
 	/**
-	 * Generic prf_t interface for this hmac_prf_t class.
+	 * Implements prf_t interface.
 	 */
-	prf_t prf_interface;
+	prf_t prf;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.c b/src/libstrongswan/plugins/hmac/hmac_signer.c
index f82a8f3a1..511a3e3a5 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.c
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.c
@@ -41,11 +41,8 @@ struct private_hmac_signer_t {
 	size_t block_size;
 };
 
-/**
- * Implementation of signer_t.get_signature.
- */
-static void get_signature(private_hmac_signer_t *this,
-						  chunk_t data, u_int8_t *buffer)
+METHOD(signer_t, get_signature, void,
+	private_hmac_signer_t *this, chunk_t data, u_int8_t *buffer)
 {
 	if (buffer == NULL)
 	{	/* append mode */
@@ -60,11 +57,8 @@ static void get_signature(private_hmac_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.allocate_signature.
- */
-static void allocate_signature (private_hmac_signer_t *this,
-								chunk_t data, chunk_t *chunk)
+METHOD(signer_t, allocate_signature, void,
+	private_hmac_signer_t *this, chunk_t data, chunk_t *chunk)
 {
 	if (chunk == NULL)
 	{	/* append mode */
@@ -83,11 +77,8 @@ static void allocate_signature (private_hmac_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.verify_signature.
- */
-static bool verify_signature(private_hmac_signer_t *this,
-							 chunk_t data, chunk_t signature)
+METHOD(signer_t, verify_signature, bool,
+	private_hmac_signer_t *this, chunk_t data, chunk_t signature)
 {
 	u_int8_t mac[this->hmac->get_block_size(this->hmac)];
 
@@ -100,38 +91,29 @@ static bool verify_signature(private_hmac_signer_t *this,
 	return memeq(signature.ptr, mac, this->block_size);
 }
 
-/**
- * Implementation of signer_t.get_key_size.
- */
-static size_t get_key_size(private_hmac_signer_t *this)
+METHOD(signer_t, get_key_size, size_t,
+	private_hmac_signer_t *this)
 {
 	return this->hmac->get_block_size(this->hmac);
 }
 
-/**
- * Implementation of signer_t.get_block_size.
- */
-static size_t get_block_size(private_hmac_signer_t *this)
+METHOD(signer_t, get_block_size, size_t,
+	private_hmac_signer_t *this)
 {
 	return this->block_size;
 }
 
-/**
- * Implementation of signer_t.set_key.
- */
-static void set_key(private_hmac_signer_t *this, chunk_t key)
+METHOD(signer_t, set_key, void,
+	private_hmac_signer_t *this, chunk_t key)
 {
 	this->hmac->set_key(this->hmac, key);
 }
 
-/**
- * Implementation of signer_t.destroy.
- */
-static status_t destroy(private_hmac_signer_t *this)
+METHOD(signer_t, destroy, void,
+	private_hmac_signer_t *this)
 {
 	this->hmac->destroy(this->hmac);
 	free(this);
-	return SUCCESS;
 }
 
 /*
@@ -140,66 +122,76 @@ static status_t destroy(private_hmac_signer_t *this)
 hmac_signer_t *hmac_signer_create(integrity_algorithm_t algo)
 {
 	private_hmac_signer_t *this;
+	hmac_t *hmac;
 	size_t trunc;
-	hash_algorithm_t hash;
 
 	switch (algo)
 	{
 		case AUTH_HMAC_SHA1_96:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			trunc = 12;
 			break;
 		case AUTH_HMAC_SHA1_128:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			trunc = 16;
 			break;
 		case AUTH_HMAC_SHA1_160:
-			hash = HASH_SHA1;
+			hmac = hmac_create(HASH_SHA1);
 			trunc = 20;
 			break;
 		case AUTH_HMAC_MD5_96:
-			hash = HASH_MD5;
+			hmac = hmac_create(HASH_MD5);
 			trunc = 12;
 			break;
 		case AUTH_HMAC_MD5_128:
-			hash = HASH_MD5;
+			hmac = hmac_create(HASH_MD5);
 			trunc = 16;
 			break;
 		case AUTH_HMAC_SHA2_256_128:
-			hash = HASH_SHA256;
+			hmac = hmac_create(HASH_SHA256);
 			trunc = 16;
 			break;
 		case AUTH_HMAC_SHA2_384_192:
-			hash = HASH_SHA384;
+			hmac = hmac_create(HASH_SHA384);
 			trunc = 24;
 			break;
 		case AUTH_HMAC_SHA2_512_256:
-			hash = HASH_SHA512;
+			hmac = hmac_create(HASH_SHA512);
 			trunc = 32;
 			break;
+		case AUTH_HMAC_SHA2_256_256:
+			hmac = hmac_create(HASH_SHA256);
+			trunc = 32;
+			break;
+		case AUTH_HMAC_SHA2_384_384:
+			hmac = hmac_create(HASH_SHA384);
+			trunc = 48;
+			break;
 		default:
 			return NULL;
 	}
 
-	this = malloc_thing(private_hmac_signer_t);
-	this->hmac = hmac_create(hash);
-	if (this->hmac == NULL)
+	if (hmac == NULL)
 	{
-		free(this);
 		return NULL;
 	}
-	/* prevent invalid truncation */
-	this->block_size = min(trunc, this->hmac->get_block_size(this->hmac));
-
-	/* interface functions */
-	this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
-	this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
-	this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature;
-	this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size;
-	this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
-	this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
-	this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
-
-	return &(this->public);
+
+	INIT(this,
+		.public = {
+			.signer = {
+				.get_signature = _get_signature,
+				.allocate_signature = _allocate_signature,
+				.verify_signature = _verify_signature,
+				.get_key_size = _get_key_size,
+				.get_block_size = _get_block_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.block_size = min(trunc, hmac->get_block_size(hmac)),
+		.hmac = hmac,
+	);
+
+	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/hmac/hmac_signer.h b/src/libstrongswan/plugins/hmac/hmac_signer.h
index 0de93440c..5e798683b 100644
--- a/src/libstrongswan/plugins/hmac/hmac_signer.h
+++ b/src/libstrongswan/plugins/hmac/hmac_signer.h
@@ -34,9 +34,9 @@ typedef struct hmac_signer_t hmac_signer_t;
 struct hmac_signer_t {
 
 	/**
-	 * generic signer_t interface for this signer
+	 * Implements signer_t interface.
 	 */
-	signer_t signer_interface;
+	signer_t signer;
 };
 
 /**
@@ -44,8 +44,7 @@ struct hmac_signer_t {
  *
  * HMAC signatures are often truncated to shorten them to a more usable, but
  * still secure enough length.
- * Block size must be equal or smaller then the hash algorithms
- * hash.
+ * Block size must be equal or smaller then the hash algorithms hash.
  *
  * @param algo		algorithm to implement
  * @return			hmac_signer_t, NULL if  not supported
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index b96fd5abf..65a135e76 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 874ee07a2..a78dad97c 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index cc32bca88..6de400e8e 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 83c1188b6..7d4d42c14 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index de9df7271..a32418b16 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +205,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +262,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 5645d72d7..b9d97a901 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -416,10 +416,19 @@ static bool parse_authKeyIdentifier_ext(private_openssl_crl_t *this,
 static bool parse_crlNumber_ext(private_openssl_crl_t *this,
 								X509_EXTENSION *ext)
 {
-	free(this->serial.ptr);
-	this->serial = chunk_clone(
-						openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext)));
-	return this->serial.len != 0;
+	chunk_t chunk;
+
+	chunk = openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext));
+	/* quick and dirty INTEGER unwrap */
+	if (chunk.len > 1 && chunk.ptr[0] == V_ASN1_INTEGER &&
+		chunk.ptr[1] == chunk.len - 2)
+	{
+		chunk = chunk_skip(chunk, 2);
+		free(this->serial.ptr);
+		this->serial = chunk_clone(chunk);
+		return TRUE;
+	}
+	return FALSE;
 }
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index a8923ab56..2ed07ff0c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -41,85 +41,57 @@ struct private_openssl_crypter_t {
 };
 
 /**
- * Mapping from the algorithms defined in IKEv2 to
- * OpenSSL algorithm names and their key length
- */
-typedef struct {
-	/**
-	 * Identifier specified in IKEv2
-	 */
-	int ikev2_id;
-
-	/**
-	 * Name of the algorithm, as used in OpenSSL
-	 */
-	char *name;
-
-	/**
-	 * Minimum valid key length in bytes
-	 */
-	size_t key_size_min;
-
-	/**
-	 * Maximum valid key length in bytes
-	 */
-	size_t key_size_max;
-} openssl_algorithm_t;
-
-#define END_OF_LIST -1
-
-/**
- * Algorithms for encryption
- */
-static openssl_algorithm_t encryption_algs[] = {
-/*	{ENCR_DES_IV64, 	"***", 			0,	0}, */
-	{ENCR_DES, 			"des",			8,	8},		/* 64 bits */
-	{ENCR_3DES, 		"des3",			24,	24},	/* 192 bits */
-	{ENCR_RC5, 			"rc5", 			5,	255},	/* 40 to 2040 bits, RFC 2451 */
-	{ENCR_IDEA, 		"idea",			16,	16},	/* 128 bits, RFC 2451 */
-	{ENCR_CAST, 		"cast",			5,	16},	/* 40 to 128 bits, RFC 2451 */
-	{ENCR_BLOWFISH, 	"blowfish",		5,	56},	/* 40 to 448 bits, RFC 2451 */
-/*	{ENCR_3IDEA, 		"***",			0,	0}, */
-/*	{ENCR_DES_IV32, 	"***",			0,	0}, */
-/*	{ENCR_NULL, 		"***",			0,	0}, */ /* handled separately */
-/*	{ENCR_AES_CBC, 		"***",			0,	0}, */ /* handled separately */
-/*	{ENCR_CAMELLIA_CBC,	"***",			0,	0}, */ /* handled separately */
-/*	{ENCR_AES_CTR, 		"***",			0,	0}, */ /* disabled in evp.h */
-	{END_OF_LIST, 		NULL,			0,	0},
-};
-
-/**
  * Look up an OpenSSL algorithm name and validate its key size
  */
-static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
-					   u_int16_t ikev2_algo, size_t *key_size)
+static char* lookup_algorithm(u_int16_t ikev2_algo, size_t *key_size)
 {
-	while (openssl_algo->ikev2_id != END_OF_LIST)
+	struct {
+		/* identifier specified in IKEv2 */
+		int ikev2_id;
+		/* name of the algorithm, as used in OpenSSL */
+		char *name;
+		/* default key size in bytes */
+		size_t key_def;
+		/* minimum key size */
+		size_t key_min;
+		/* maximum key size */
+		size_t key_max;
+	} mappings[] = {
+		{ENCR_DES, 			"des",			 8,		 8,		  8},
+		{ENCR_3DES, 		"des3",			24,		24,		 24},
+		{ENCR_RC5, 			"rc5", 			16,		 5,		255},
+		{ENCR_IDEA, 		"idea",			16,		16,		 16},
+		{ENCR_CAST, 		"cast",			16,		 5,		 16},
+		{ENCR_BLOWFISH, 	"blowfish",		16,		 5,		 56},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
 	{
-		if (ikev2_algo == openssl_algo->ikev2_id)
+		if (ikev2_algo == mappings[i].ikev2_id)
 		{
 			/* set the key size if it is not set */
-			if (*key_size == 0 &&
-				(openssl_algo->key_size_min == openssl_algo->key_size_max))
+			if (*key_size == 0)
 			{
-				*key_size = openssl_algo->key_size_min;
+				*key_size = mappings[i].key_def;
 			}
-
 			/* validate key size */
-			if (*key_size < openssl_algo->key_size_min ||
-				*key_size > openssl_algo->key_size_max)
+			if (*key_size < mappings[i].key_min ||
+				*key_size > mappings[i].key_max)
 			{
 				return NULL;
 			}
-			return openssl_algo->name;
+			return mappings[i].name;
 		}
-		openssl_algo++;
 	}
 	return NULL;
 }
 
-static void crypt(private_openssl_crypter_t *this, chunk_t data,
-					chunk_t iv, chunk_t *dst, int enc)
+/**
+ * Do the actual en/decryption in an EVP context
+ */
+static void crypt(private_openssl_crypter_t *this, chunk_t data, chunk_t iv,
+				  chunk_t *dst, int enc)
 {
 	int len;
 	u_char *out;
@@ -141,53 +113,44 @@ static void crypt(private_openssl_crypter_t *this, chunk_t data,
 	EVP_CIPHER_CTX_cleanup(&ctx);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_openssl_crypter_t *this, chunk_t data,
-						chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, decrypt, void,
+	private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, data, iv, dst, 0);
 }
 
-
-/**
- * Implementation of crypter_t.encrypt.
- */
-static void encrypt (private_openssl_crypter_t *this, chunk_t data,
-							chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, encrypt, void,
+	private_openssl_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, data, iv, dst, 1);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size(private_openssl_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_openssl_crypter_t *this)
 {
 	return this->cipher->block_size;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size(private_openssl_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_openssl_crypter_t *this)
+{
+	return this->cipher->block_size;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_openssl_crypter_t *this)
 {
 	return this->key.len;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key(private_openssl_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_openssl_crypter_t *this, chunk_t key)
 {
 	memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len));
 }
 
-/**
- * Implementation of crypter_t.destroy.
- */
-static void destroy (private_openssl_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_openssl_crypter_t *this)
 {
 	free(this->key.ptr);
 	free(this);
@@ -201,16 +164,32 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 {
 	private_openssl_crypter_t *this;
 
-	this = malloc_thing(private_openssl_crypter_t);
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	switch (algo)
 	{
 		case ENCR_NULL:
 			this->cipher = EVP_enc_null();
+			key_size = 0;
 			break;
 		case ENCR_AES_CBC:
 			switch (key_size)
 			{
+				case 0:
+					key_size = 16;
+					/* FALL */
 				case 16:        /* AES 128 */
 					this->cipher = EVP_get_cipherbyname("aes128");
 					break;
@@ -228,6 +207,9 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 		case ENCR_CAMELLIA_CBC:
 			switch (key_size)
 			{
+				case 0:
+					key_size = 16;
+					/* FALL */
 				case 16:        /* CAMELLIA 128 */
 					this->cipher = EVP_get_cipherbyname("camellia128");
 					break;
@@ -243,11 +225,14 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 			}
 			break;
 		case ENCR_DES_ECB:
+			key_size = 8;
 			this->cipher = EVP_des_ecb();
 			break;
 		default:
 		{
-			char* name = lookup_algorithm(encryption_algs, algo, &key_size);
+			char* name;
+
+			name = lookup_algorithm(algo, &key_size);
 			if (!name)
 			{
 				/* algo unavailable or key_size invalid */
@@ -268,12 +253,5 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
 
 	this->key = chunk_alloc(key_size);
 
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.h b/src/libstrongswan/plugins/openssl/openssl_crypter.h
index 7e30ae03c..b12e7a6ab 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.h
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.h
@@ -31,9 +31,9 @@ typedef struct openssl_crypter_t openssl_crypter_t;
 struct openssl_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index 9a032c54f..b27aa3391 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -57,11 +57,8 @@ struct private_openssl_diffie_hellman_t {
 	bool computed;
 };
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_openssl_diffie_hellman_t *this,
-								chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_openssl_diffie_hellman_t *this, chunk_t *value)
 {
 	*value = chunk_alloc(DH_size(this->dh));
 	memset(value->ptr, 0, value->len);
@@ -69,11 +66,8 @@ static void get_my_public_value(private_openssl_diffie_hellman_t *this,
 			  value->ptr + value->len - BN_num_bytes(this->dh->pub_key));
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
-								  chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_openssl_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
@@ -88,11 +82,8 @@ static status_t get_shared_secret(private_openssl_diffie_hellman_t *this,
 }
 
 
-/**
- * Implementation of openssl_diffie_hellman_t.set_other_public_value.
- */
-static void set_other_public_value(private_openssl_diffie_hellman_t *this,
-								   chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_openssl_diffie_hellman_t *this, chunk_t value)
 {
 	int len;
 
@@ -110,10 +101,8 @@ static void set_other_public_value(private_openssl_diffie_hellman_t *this,
 	this->computed = TRUE;
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_openssl_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_openssl_diffie_hellman_t *this)
 {
 	return this->group;
 }
@@ -137,10 +126,8 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 	return SUCCESS;
 }
 
-/**
- * Implementation of openssl_diffie_hellman_t.destroy.
- */
-static void destroy(private_openssl_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_openssl_diffie_hellman_t *this)
 {
 	BN_clear_free(this->pub_key);
 	DH_free(this->dh);
@@ -151,15 +138,22 @@ static void destroy(private_openssl_diffie_hellman_t *this)
 /*
  * Described in header.
  */
-openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group)
+openssl_diffie_hellman_t *openssl_diffie_hellman_create(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p)
 {
-	private_openssl_diffie_hellman_t *this = malloc_thing(private_openssl_diffie_hellman_t);
-
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	private_openssl_diffie_hellman_t *this;
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	this->dh = DH_new();
 	if (!this->dh)
@@ -173,11 +167,19 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t g
 	this->pub_key = BN_new();
 	this->shared_secret = chunk_empty;
 
-	/* find a modulus according to group */
-	if (set_modulus(this) != SUCCESS)
+	if (group == MODP_CUSTOM)
 	{
-		destroy(this);
-		return NULL;
+		this->dh->p = BN_bin2bn(p.ptr, p.len, NULL);
+		this->dh->g = BN_bin2bn(g.ptr, g.len, NULL);
+	}
+	else
+	{
+		/* find a modulus according to group */
+		if (set_modulus(this) != SUCCESS)
+		{
+			destroy(this);
+			return NULL;
+		}
 	}
 
 	/* generate my public and private values */
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
index 6c4b4fe81..53dc59c78 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h
@@ -40,9 +40,12 @@ struct openssl_diffie_hellman_t {
  * Creates a new openssl_diffie_hellman_t object.
  *
  * @param group			Diffie Hellman group number to use
+ * @param g				custom generator, if MODP_CUSTOM
+ * @param p				custom prime, if MODP_CUSTOM
  * @return				openssl_diffie_hellman_t object, NULL if not supported
  */
-openssl_diffie_hellman_t *openssl_diffie_hellman_create(diffie_hellman_group_t group);
+openssl_diffie_hellman_t *openssl_diffie_hellman_create(
+							diffie_hellman_group_t group, chunk_t g, chunk_t p);
 
 #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index a53e8aea0..32fc2bccd 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -165,7 +165,8 @@ error:
  *   of the Diffie-Hellman shared secret value is the same as that of the
  *   Diffie-Hellman public value."
  */
-static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_t *shared_secret)
+static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this,
+							   chunk_t *shared_secret)
 {
 	const BIGNUM *priv_key;
 	EC_POINT *secret = NULL;
@@ -209,10 +210,8 @@ error:
 	return ret;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.set_other_public_value.
- */
-static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, chunk_t value)
+METHOD(diffie_hellman_t, set_other_public_value, void,
+	private_openssl_ec_diffie_hellman_t *this, chunk_t value)
 {
 	if (!chunk2ecp(this->ec_group, value, this->pub_key))
 	{
@@ -230,18 +229,14 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
 	this->computed = TRUE;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, void,
+	private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
 {
 	ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE);
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_openssl_ec_diffie_hellman_t *this, chunk_t *secret)
+METHOD(diffie_hellman_t, get_shared_secret, status_t,
+	private_openssl_ec_diffie_hellman_t *this, chunk_t *secret)
 {
 	if (!this->computed)
 	{
@@ -251,18 +246,14 @@ static status_t get_shared_secret(private_openssl_ec_diffie_hellman_t *this, chu
 	return SUCCESS;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_openssl_ec_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_openssl_ec_diffie_hellman_t *this)
 {
 	return this->group;
 }
 
-/**
- * Implementation of openssl_ec_diffie_hellman_t.destroy.
- */
-static void destroy(private_openssl_ec_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, destroy, void,
+	private_openssl_ec_diffie_hellman_t *this)
 {
 	EC_POINT_clear_free(this->pub_key);
 	EC_KEY_free(this->key);
@@ -275,13 +266,20 @@ static void destroy(private_openssl_ec_diffie_hellman_t *this)
  */
 openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group)
 {
-	private_openssl_ec_diffie_hellman_t *this = malloc_thing(private_openssl_ec_diffie_hellman_t);
-
-	this->public.dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
-	this->public.dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
-	this->public.dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
-	this->public.dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
-	this->public.dh.destroy = (void (*)(diffie_hellman_t *)) destroy;
+	private_openssl_ec_diffie_hellman_t *this;
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.group = group,
+	);
 
 	switch (group)
 	{
@@ -328,11 +326,6 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro
 		return NULL;
 	}
 
-	this->group = group;
-	this->computed = FALSE;
-
-	this->shared_secret = chunk_empty;
-
 	return &this->public;
 }
 #endif /* OPENSSL_NO_EC */
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 281155913..f4c4759bf 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -138,11 +138,9 @@ static bool build_der_signature(private_openssl_ec_private_key_t *this,
 	return built;
 }
 
-/**
- * Implementation of private_key_t.sign.
- */
-static bool sign(private_openssl_ec_private_key_t *this,
-				 signature_scheme_t scheme, chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_openssl_ec_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
@@ -172,36 +170,38 @@ static bool sign(private_openssl_ec_private_key_t *this,
 	}
 }
 
-/**
- * Implementation of private_key_t.destroy.
- */
-static bool decrypt(private_openssl_ec_private_key_t *this,
-					chunk_t crypto, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_openssl_ec_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "EC private key decryption not implemented");
 	return FALSE;
 }
 
-/**
- * Implementation of private_key_t.get_keysize.
- */
-static size_t get_keysize(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_openssl_ec_private_key_t *this)
 {
-	return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec));
+	switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(this->ec)))
+	{
+		case NID_X9_62_prime256v1:
+			return 256;
+		case NID_secp384r1:
+			return 384;
+		case NID_secp521r1:
+			return 521;
+		default:
+			return 0;
+	}
 }
 
-/**
- * Implementation of private_key_t.get_type.
- */
-static key_type_t get_type(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_type, key_type_t,
+	private_openssl_ec_private_key_t *this)
 {
 	return KEY_ECDSA;
 }
 
-/**
- * Implementation of private_key_t.get_public_key.
- */
-static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_openssl_ec_private_key_t *this)
 {
 	public_key_t *public;
 	chunk_t key;
@@ -217,20 +217,16 @@ static public_key_t* get_public_key(private_openssl_ec_private_key_t *this)
 	return public;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_ec_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_openssl_ec_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_ec_fingerprint(this->ec, type, fingerprint);
 }
 
-/**
- * Implementation of private_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_ec_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_openssl_ec_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -261,19 +257,15 @@ static bool get_encoding(private_openssl_ec_private_key_t *this,
 	}
 }
 
-/**
- * Implementation of private_key_t.get_ref.
- */
-static private_key_t* get_ref(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_openssl_ec_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of private_key_t.destroy.
- */
-static void destroy(private_openssl_ec_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_openssl_ec_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -291,23 +283,27 @@ static void destroy(private_openssl_ec_private_key_t *this)
  */
 static private_openssl_ec_private_key_t *create_empty(void)
 {
-	private_openssl_ec_private_key_t *this = malloc_thing(private_openssl_ec_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(private_key_t *this))get_type;
-	this->public.interface.sign = (bool (*)(private_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t *signature))sign;
-	this->public.interface.decrypt = (bool (*)(private_key_t *this, chunk_t crypto, chunk_t *plain))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t *this))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(private_key_t *this))destroy;
-
-	this->ec = NULL;
-	this->ref = 1;
+	private_openssl_ec_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
index 720c63f90..f56c95aa1 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
@@ -34,7 +34,7 @@ struct openssl_ec_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index def36c92f..7461695ad 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -130,19 +130,15 @@ static bool verify_der_signature(private_openssl_ec_public_key_t *this,
 	return valid;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_openssl_ec_public_key_t *this)
 {
 	return KEY_ECDSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_openssl_ec_public_key_t *this,
-				   signature_scheme_t scheme, chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_openssl_ec_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -172,22 +168,28 @@ static bool verify(private_openssl_ec_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static bool encrypt_(private_openssl_ec_public_key_t *this,
-					 chunk_t crypto, chunk_t *plain)
+METHOD(public_key_t, encrypt, bool,
+	private_openssl_ec_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "EC public key encryption not implemented");
 	return FALSE;
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_openssl_ec_public_key_t *this)
 {
-	return EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec));
+	switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(this->ec)))
+	{
+		case NID_X9_62_prime256v1:
+			return 256;
+		case NID_secp384r1:
+			return 384;
+		case NID_secp521r1:
+			return 521;
+		default:
+			return 0;
+	}
 }
 
 /**
@@ -232,20 +234,16 @@ bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp)
 	return TRUE;
 }
 
-/**
- * Implementation of private_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_ec_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_openssl_ec_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_ec_fingerprint(this->ec, type, fingerprint);
 }
 
-/**
- * Implementation of private_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_ec_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_openssl_ec_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -276,19 +274,15 @@ static bool get_encoding(private_openssl_ec_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static public_key_t* get_ref(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_openssl_ec_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of openssl_ec_public_key.destroy.
- */
-static void destroy(private_openssl_ec_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_openssl_ec_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -306,21 +300,25 @@ static void destroy(private_openssl_ec_public_key_t *this)
  */
 static private_openssl_ec_public_key_t *create_empty()
 {
-	private_openssl_ec_public_key_t *this = malloc_thing(private_openssl_ec_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-
-	this->ec = NULL;
-	this->ref = 1;
+	private_openssl_ec_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt,
+				.get_keysize = _get_keysize,
+				.equals = public_key_equals,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
index 29d607d38..8094083a7 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.h
@@ -34,7 +34,7 @@ struct openssl_ec_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
index 7556bc594..d81f4b21e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -90,27 +90,20 @@ static char* lookup_algorithm(openssl_algorithm_t *openssl_algo,
 	return NULL;
 }
 
-/**
- * Implementation of hasher_t.get_hash_size.
- */
-static size_t get_hash_size(private_openssl_hasher_t *this)
+METHOD(hasher_t, get_hash_size, size_t,
+	private_openssl_hasher_t *this)
 {
 	return this->hasher->md_size;
 }
 
-/**
- * Implementation of hasher_t.reset.
- */
-static void reset(private_openssl_hasher_t *this)
+METHOD(hasher_t, reset, void,
+	private_openssl_hasher_t *this)
 {
 	EVP_DigestInit_ex(this->ctx, this->hasher, NULL);
 }
 
-/**
- * Implementation of hasher_t.get_hash.
- */
-static void get_hash(private_openssl_hasher_t *this, chunk_t chunk,
-					 u_int8_t *hash)
+METHOD(hasher_t, get_hash, void,
+	private_openssl_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	EVP_DigestUpdate(this->ctx, chunk.ptr, chunk.len);
 	if (hash)
@@ -120,11 +113,8 @@ static void get_hash(private_openssl_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.allocate_hash.
- */
-static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk,
-						  chunk_t *hash)
+METHOD(hasher_t, allocate_hash, void,
+	private_openssl_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
@@ -137,10 +127,8 @@ static void allocate_hash(private_openssl_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.destroy.
- */
-static void destroy (private_openssl_hasher_t *this)
+METHOD(hasher_t, destroy, void,
+	private_openssl_hasher_t *this)
 {
 	EVP_MD_CTX_destroy(this->ctx);
 	free(this);
@@ -160,7 +148,17 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 		return NULL;
 	}
 
-	this = malloc_thing(private_openssl_hasher_t);
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	this->hasher = EVP_get_digestbyname(name);
 	if (!this->hasher)
@@ -170,12 +168,6 @@ openssl_hasher_t *openssl_hasher_create(hash_algorithm_t algo)
 		return NULL;
 	}
 
-	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
-	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
-	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
-	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
-	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-
 	this->ctx = EVP_MD_CTX_create();
 
 	/* initialization */
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.h b/src/libstrongswan/plugins/openssl/openssl_hasher.h
index fd7a043d1..b03f6891b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.h
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.h
@@ -31,9 +31,9 @@ typedef struct openssl_hasher_t openssl_hasher_t;
 struct openssl_hasher_t {
 
 	/**
-	 * The hasher_t interface.
+	 * Implements hasher_t interface.
 	 */
-	hasher_t hasher_interface;
+	hasher_t hasher;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 31697dcb8..0ab4eda9c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -16,6 +16,7 @@
 
 #include <openssl/evp.h>
 #include <openssl/conf.h>
+#include <openssl/rand.h>
 #include <openssl/crypto.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -24,6 +25,7 @@
 #include "openssl_plugin.h"
 
 #include <library.h>
+#include <debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include "openssl_util.h"
@@ -151,6 +153,31 @@ static void threading_init()
 }
 
 /**
+ * Seed the OpenSSL RNG, if required
+ */
+static bool seed_rng()
+{
+	rng_t *rng = NULL;
+	char buf[32];
+
+	while (RAND_status() != 1)
+	{
+		if (!rng)
+		{
+			rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+			if (!rng)
+			{
+				return FALSE;
+			}
+		}
+		rng->get_bytes(rng, sizeof(buf), buf);
+		RAND_seed(buf, sizeof(buf));
+	}
+	DESTROY_IF(rng);
+	return TRUE;
+}
+
+/**
  * cleanup OpenSSL threading locks
  */
 static void threading_cleanup()
@@ -166,10 +193,8 @@ static void threading_cleanup()
 	mutex = NULL;
 }
 
-/**
- * Implementation of openssl_plugin_t.destroy
- */
-static void destroy(private_openssl_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_openssl_plugin_t *this)
 {
 	lib->crypto->remove_crypter(lib->crypto,
 					(crypter_constructor_t)openssl_crypter_create);
@@ -218,9 +243,15 @@ static void destroy(private_openssl_plugin_t *this)
  */
 plugin_t *openssl_plugin_create()
 {
-	private_openssl_plugin_t *this = malloc_thing(private_openssl_plugin_t);
+	private_openssl_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	threading_init();
 
@@ -233,6 +264,13 @@ plugin_t *openssl_plugin_create()
 	ENGINE_register_all_complete();
 #endif /* OPENSSL_NO_ENGINE */
 
+	if (!seed_rng())
+	{
+		DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
+		destroy(this);
+		return NULL;
+	}
+
 	/* crypter */
 	lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 					(crypter_constructor_t)openssl_crypter_create);
@@ -312,33 +350,35 @@ plugin_t *openssl_plugin_create()
 						(dh_constructor_t)openssl_diffie_hellman_create);
 	lib->crypto->add_dh(lib->crypto, MODP_768_BIT,
 						(dh_constructor_t)openssl_diffie_hellman_create);
+	lib->crypto->add_dh(lib->crypto, MODP_CUSTOM,
+						(dh_constructor_t)openssl_diffie_hellman_create);
 
 	/* rsa */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, TRUE,
 					(builder_function_t)openssl_rsa_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 					(builder_function_t)openssl_rsa_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
 					(builder_function_t)openssl_rsa_private_key_connect);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
 					(builder_function_t)openssl_rsa_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 					(builder_function_t)openssl_rsa_public_key_load);
 
 #ifndef OPENSSL_NO_EC
 	/* ecdsa */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, TRUE,
 					(builder_function_t)openssl_ec_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, FALSE,
 					(builder_function_t)openssl_ec_private_key_gen);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, TRUE,
 					(builder_function_t)openssl_ec_public_key_load);
 #endif /* OPENSSL_NO_EC */
 
 	/* X509 certificates */
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, TRUE,
 					(builder_function_t)openssl_x509_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, TRUE,
 					(builder_function_t)openssl_crl_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 5817ade9e..0b607c386 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -131,19 +131,16 @@ error:
 	return success;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_type.
- */
-static key_type_t get_type(private_openssl_rsa_private_key_t *this)
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_openssl_rsa_private_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.sign.
- */
-static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t scheme,
-				 chunk_t data, chunk_t *signature)
+METHOD(private_key_t, sign, bool,
+	private_openssl_rsa_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
 {
 	switch (scheme)
 	{
@@ -168,28 +165,47 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
 	}
 }
 
-/**
- * Implementation of openssl_rsa_private_key.decrypt.
- */
-static bool decrypt(private_openssl_rsa_private_key_t *this,
-					chunk_t crypto, chunk_t *plain)
+METHOD(private_key_t, decrypt, bool,
+	private_openssl_rsa_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
 {
-	DBG1(DBG_LIB, "RSA private key decryption not implemented");
-	return FALSE;
+	int padding, len;
+	char *decrypted;
+
+	switch (scheme)
+	{
+		case ENCRYPT_RSA_PKCS1:
+			padding = RSA_PKCS1_PADDING;
+			break;
+		case ENCRYPT_RSA_OAEP_SHA1:
+			padding = RSA_PKCS1_OAEP_PADDING;
+			break;
+		default:
+			DBG1(DBG_LIB, "encryption scheme %N not supported via openssl",
+				 encryption_scheme_names, scheme);
+			return FALSE;
+	}
+	decrypted = malloc(RSA_size(this->rsa));
+	len = RSA_private_decrypt(crypto.len, crypto.ptr, decrypted,
+							  this->rsa, padding);
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "RSA decryption failed");
+		free(decrypted);
+		return FALSE;
+	}
+	*plain = chunk_create(decrypted, len);
+	return TRUE;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_keysize.
- */
-static size_t get_keysize(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, get_keysize, int,
+	private_openssl_rsa_private_key_t *this)
 {
-	return RSA_size(this->rsa);
+	return RSA_size(this->rsa) * 8;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_public_key.
- */
-static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_openssl_rsa_private_key_t *this)
 {
 	chunk_t enc;
 	public_key_t *key;
@@ -204,20 +220,16 @@ static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this)
 	return key;
 }
 
-/**
- * Implementation of public_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_rsa_private_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(private_key_t, get_fingerprint, bool,
+	private_openssl_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
 }
 
-/*
- * Implementation of public_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_rsa_private_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(private_key_t, get_encoding, bool,
+	private_openssl_rsa_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -252,19 +264,15 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this,
 	}
 }
 
-/**
- * Implementation of openssl_rsa_private_key.get_ref.
- */
-static private_openssl_rsa_private_key_t* get_ref(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_openssl_rsa_private_key_t *this)
 {
 	ref_get(&this->ref);
-	return this;
+	return &this->public.key;
 }
 
-/**
- * Implementation of openssl_rsa_private_key.destroy.
- */
-static void destroy(private_openssl_rsa_private_key_t *this)
+METHOD(private_key_t, destroy, void,
+	private_openssl_rsa_private_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -280,25 +288,29 @@ static void destroy(private_openssl_rsa_private_key_t *this)
 /**
  * Internal generic constructor
  */
-static private_openssl_rsa_private_key_t *create_empty(void)
+static private_openssl_rsa_private_key_t *create_empty()
 {
-	private_openssl_rsa_private_key_t *this = malloc_thing(private_openssl_rsa_private_key_t);
-
-	this->public.interface.get_type = (key_type_t (*) (private_key_t*))get_type;
-	this->public.interface.sign = (bool (*) (private_key_t*, signature_scheme_t, chunk_t, chunk_t*))sign;
-	this->public.interface.decrypt = (bool (*) (private_key_t*, chunk_t, chunk_t*))decrypt;
-	this->public.interface.get_keysize = (size_t (*) (private_key_t*))get_keysize;
-	this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key;
-	this->public.interface.equals = private_key_equals;
-	this->public.interface.belongs_to = private_key_belongs_to;
-	this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref;
-	this->public.interface.destroy = (void (*) (private_key_t*))destroy;
-
-	this->engine = FALSE;
-	this->ref = 1;
+	private_openssl_rsa_private_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
@@ -444,6 +456,48 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 }
 
 /**
+ * Login to engine with a PIN specified for a keyid
+ */
+static bool login(ENGINE *engine, chunk_t keyid)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	identification_t *id;
+	chunk_t key;
+	char pin[64];
+	bool found = FALSE, success = FALSE;
+
+	id = identification_create_from_encoding(ID_KEY_ID, keyid);
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+														SHARED_PIN, id, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		found = TRUE;
+		key = shared->get_key(shared);
+		if (snprintf(pin, sizeof(pin), "%.*s", key.len, key.ptr) >= sizeof(pin))
+		{
+			continue;
+		}
+		if (ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
+		{
+			success = TRUE;
+			break;
+		}
+		else
+		{
+			DBG1(DBG_CFG, "setting PIN on engine failed");
+		}
+	}
+	enumerator->destroy(enumerator);
+	id->destroy(id);
+	if (!found)
+	{
+		DBG1(DBG_CFG, "no PIN found for %#B", &keyid);
+	}
+	return success;
+}
+
+/**
  * See header.
  */
 openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
@@ -451,20 +505,25 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 {
 #ifndef OPENSSL_NO_ENGINE
 	private_openssl_rsa_private_key_t *this;
-	char *keyid = NULL, *pin = NULL;
+	char *engine_id = NULL;
+	char keyname[64];
+	chunk_t keyid = chunk_empty;;
 	EVP_PKEY *key;
-	char *engine_id;
 	ENGINE *engine;
+	int slot = -1;
 
 	while (TRUE)
 	{
 		switch (va_arg(args, builder_part_t))
 		{
-			case BUILD_SMARTCARD_KEYID:
-				keyid = va_arg(args, char*);
+			case BUILD_PKCS11_KEYID:
+				keyid = va_arg(args, chunk_t);
 				continue;
-			case BUILD_SMARTCARD_PIN:
-				pin = va_arg(args, char*);
+			case BUILD_PKCS11_SLOT:
+				slot = va_arg(args, int);
+				continue;
+			case BUILD_PKCS11_MODULE:
+				engine_id = va_arg(args, char*);
 				continue;
 			case BUILD_END:
 				break;
@@ -473,17 +532,31 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 		}
 		break;
 	}
-	if (!keyid || !pin)
+	if (!keyid.len || keyid.len > 40)
 	{
 		return NULL;
 	}
 
-	engine_id = lib->settings->get_str(lib->settings,
+	memset(keyname, 0, sizeof(keyname));
+	if (slot != -1)
+	{
+		snprintf(keyname, sizeof(keyname), "%d:", slot);
+	}
+	if (sizeof(keyname) - strlen(keyname) <= keyid.len * 4 / 3 + 1)
+	{
+		return NULL;
+	}
+	chunk_to_hex(keyid, keyname + strlen(keyname), FALSE);
+
+	if (!engine_id)
+	{
+		engine_id = lib->settings->get_str(lib->settings,
 						"libstrongswan.plugins.openssl.engine_id", "pkcs11");
+	}
 	engine = ENGINE_by_id(engine_id);
 	if (!engine)
 	{
-		DBG1(DBG_LIB, "engine '%s' is not available", engine_id);
+		DBG2(DBG_LIB, "engine '%s' is not available", engine_id);
 		return NULL;
 	}
 	if (!ENGINE_init(engine))
@@ -492,18 +565,17 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 		ENGINE_free(engine);
 		return NULL;
 	}
-	if (!ENGINE_ctrl_cmd_string(engine, "PIN", pin, 0))
+	if (!login(engine, keyid))
 	{
-		DBG1(DBG_LIB, "failed to set PIN on engine '%s'", engine_id);
+		DBG1(DBG_LIB, "login to engine '%s' failed", engine_id);
 		ENGINE_free(engine);
 		return NULL;
 	}
-
-	key = ENGINE_load_private_key(engine, keyid, NULL, NULL);
+	key = ENGINE_load_private_key(engine, keyname, NULL, NULL);
 	if (!key)
 	{
 		DBG1(DBG_LIB, "failed to load private key with ID '%s' from "
-			 "engine '%s'", keyid, engine_id);
+			 "engine '%s'", keyname, engine_id);
 		ENGINE_free(engine);
 		return NULL;
 	}
@@ -512,6 +584,11 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 	this = create_empty();
 	this->rsa = EVP_PKEY_get1_RSA(key);
 	this->engine = TRUE;
+	if (!this->rsa)
+	{
+		destroy(this);
+		return NULL;
+	}
 
 	return &this->public;
 #else /* OPENSSL_NO_ENGINE */
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
index 079dfa46a..60889d651 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
@@ -34,7 +34,7 @@ struct openssl_rsa_private_key_t {
 	/**
 	 * Implements private_key_t interface
 	 */
-	private_key_t interface;
+	private_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 6ac61a65c..422e31521 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -114,19 +114,15 @@ error:
 	return valid;
 }
 
-/**
- * Implementation of public_key_t.get_type.
- */
-static key_type_t get_type(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, get_type, key_type_t,
+	private_openssl_rsa_public_key_t *this)
 {
 	return KEY_RSA;
 }
 
-/**
- * Implementation of public_key_t.verify.
- */
-static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
-				   chunk_t data, chunk_t signature)
+METHOD(public_key_t, verify, bool,
+	private_openssl_rsa_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
 {
 	switch (scheme)
 	{
@@ -151,22 +147,43 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
 	}
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static bool encrypt_(private_openssl_rsa_public_key_t *this,
-					 chunk_t crypto, chunk_t *plain)
+METHOD(public_key_t, encrypt, bool,
+	private_openssl_rsa_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
 {
-	DBG1(DBG_LIB, "RSA public key encryption not implemented");
-	return FALSE;
+	int padding, len;
+	char *encrypted;
+
+	switch (scheme)
+	{
+		case ENCRYPT_RSA_PKCS1:
+			padding = RSA_PKCS1_PADDING;
+			break;
+		case ENCRYPT_RSA_OAEP_SHA1:
+			padding = RSA_PKCS1_OAEP_PADDING;
+			break;
+		default:
+			DBG1(DBG_LIB, "decryption scheme %N not supported via openssl",
+				 encryption_scheme_names, scheme);
+			return FALSE;
+	}
+	encrypted = malloc(RSA_size(this->rsa));
+	len = RSA_public_encrypt(plain.len, plain.ptr, encrypted,
+							 this->rsa, padding);
+	if (len < 0)
+	{
+		DBG1(DBG_LIB, "RSA decryption failed");
+		free(encrypted);
+		return FALSE;
+	}
+	*crypto = chunk_create(encrypted, len);
+	return TRUE;
 }
 
-/**
- * Implementation of public_key_t.get_keysize.
- */
-static size_t get_keysize(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, get_keysize, int,
+	private_openssl_rsa_public_key_t *this)
 {
-	return RSA_size(this->rsa);
+	return RSA_size(this->rsa) * 8;
 }
 
 /**
@@ -211,20 +228,16 @@ bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp)
 	return TRUE;
 }
 
-/**
- * Implementation of public_key_t.get_fingerprint.
- */
-static bool get_fingerprint(private_openssl_rsa_public_key_t *this,
-							cred_encoding_type_t type, chunk_t *fingerprint)
+METHOD(public_key_t, get_fingerprint, bool,
+	private_openssl_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
 {
 	return openssl_rsa_fingerprint(this->rsa, type, fingerprint);
 }
 
-/*
- * Implementation of public_key_t.get_encoding.
- */
-static bool get_encoding(private_openssl_rsa_public_key_t *this,
-						 cred_encoding_type_t type, chunk_t *encoding)
+METHOD(public_key_t, get_encoding, bool,
+	private_openssl_rsa_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
 {
 	u_char *p;
 
@@ -262,19 +275,15 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this,
 	}
 }
 
-/**
- * Implementation of public_key_t.get_ref.
- */
-static public_key_t* get_ref(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_openssl_rsa_public_key_t *this)
 {
 	ref_get(&this->ref);
-	return &this->public.interface;
+	return &this->public.key;
 }
 
-/**
- * Implementation of openssl_rsa_public_key.destroy.
- */
-static void destroy(private_openssl_rsa_public_key_t *this)
+METHOD(public_key_t, destroy, void,
+	private_openssl_rsa_public_key_t *this)
 {
 	if (ref_put(&this->ref))
 	{
@@ -292,21 +301,25 @@ static void destroy(private_openssl_rsa_public_key_t *this)
  */
 static private_openssl_rsa_public_key_t *create_empty()
 {
-	private_openssl_rsa_public_key_t *this = malloc_thing(private_openssl_rsa_public_key_t);
-
-	this->public.interface.get_type = (key_type_t (*)(public_key_t *this))get_type;
-	this->public.interface.verify = (bool (*)(public_key_t *this, signature_scheme_t scheme, chunk_t data, chunk_t signature))verify;
-	this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_;
-	this->public.interface.equals = public_key_equals;
-	this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize;
-	this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint;
-	this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint;
-	this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding;
-	this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref;
-	this->public.interface.destroy = (void (*)(public_key_t *this))destroy;
-
-	this->rsa = NULL;
-	this->ref = 1;
+	private_openssl_rsa_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
 
 	return this;
 }
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
index 620aa51ce..021257d3c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.h
@@ -33,7 +33,7 @@ struct openssl_rsa_public_key_t {
 	/**
 	 * Implements the public_key_t interface
 	 */
-	public_key_t interface;
+	public_key_t key;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
index b65388010..20f2fa984 100644
--- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
+++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.c
@@ -124,13 +124,15 @@ openssl_sha1_prf_t *openssl_sha1_prf_create(pseudo_random_function_t algo)
 	}
 
 	INIT(this,
-		.public.prf = {
-			.get_block_size = _get_block_size,
-			.get_bytes = _get_bytes,
-			.allocate_bytes = _allocate_bytes,
-			.get_key_size = _get_key_size,
-			.set_key = _set_key,
-			.destroy = _destroy,
+		.public = {
+			.prf = {
+				.get_block_size = _get_block_size,
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
 		},
 	);
 
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 1c9bb699e..aa39bc93d 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -187,6 +187,15 @@ static identification_t *general_name2id(GENERAL_NAME *name)
 		}
 		case GEN_DIRNAME :
 			return openssl_x509_name2id(name->d.directoryName);
+		case GEN_OTHERNAME:
+			if (OBJ_obj2nid(name->d.otherName->type_id) == NID_ms_upn &&
+				name->d.otherName->value->type == V_ASN1_UTF8STRING)
+			{
+				return identification_create_from_encoding(ID_RFC822_ADDR,
+							openssl_asn1_str2chunk(
+								name->d.otherName->value->value.utf8string));
+			}
+			return NULL;
 		default:
 			return NULL;
 	}
@@ -286,10 +295,23 @@ METHOD(certificate_t, has_subject, id_match_t,
 	identification_t *current;
 	enumerator_t *enumerator;
 	id_match_t match, best;
+	chunk_t encoding;
 
 	if (subject->get_type(subject) == ID_KEY_ID)
 	{
-		if (chunk_equals(this->hash, subject->get_encoding(subject)))
+		encoding = subject->get_encoding(subject);
+
+		if (chunk_equals(this->hash, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->subjectKeyIdentifier.len &&
+			chunk_equals(this->subjectKeyIdentifier, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->pubkey &&
+			this->pubkey->has_fingerprint(this->pubkey, encoding))
 		{
 			return ID_MATCH_PERFECT;
 		}
@@ -756,6 +778,38 @@ static bool parse_extensions(private_openssl_x509_t *this)
 }
 
 /**
+ * Parse ExtendedKeyUsage
+ */
+static void parse_extKeyUsage(private_openssl_x509_t *this)
+{
+	EXTENDED_KEY_USAGE *usage;
+	int i;
+
+	usage = X509_get_ext_d2i(this->x509, NID_ext_key_usage, NULL, NULL);
+	if (usage)
+	{
+		for (i = 0; i < sk_ASN1_OBJECT_num(usage); i++)
+		{
+			switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(usage, i)))
+			{
+				case NID_server_auth:
+					this->flags |= X509_SERVER_AUTH;
+					break;
+				case NID_client_auth:
+					this->flags |= X509_CLIENT_AUTH;
+					break;
+				case NID_OCSP_sign:
+					this->flags |= X509_OCSP_SIGNER;
+					break;
+				default:
+					break;
+			}
+		}
+		sk_ASN1_OBJECT_pop_free(usage, ASN1_OBJECT_free);
+	}
+}
+
+/**
  * Parse a DER encoded x509 certificate
  */
 static bool parse_certificate(private_openssl_x509_t *this)
@@ -814,6 +868,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	{
 		return TRUE;
 	}
+	parse_extKeyUsage(this);
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
 	if (!hasher)
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index adb8f08d1..46953f681 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
index 9edea4bd3..06c20292f 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.c
@@ -78,8 +78,8 @@ static void padlock_crypt(void *key, void *ctrl, void *src, void *dst,
 		: "eax", "ecx", "edx", "esi", "edi");
 }
 
-/*
- * Implementation of crypter_t.crypt
+/**
+ * Do encryption/decryption operation using Padlock control word
  */
 static void crypt(private_padlock_aes_crypter_t *this, char *iv,
 				  chunk_t src, chunk_t *dst, bool enc)
@@ -107,53 +107,44 @@ static void crypt(private_padlock_aes_crypter_t *this, char *iv,
 				  src.len / AES_BLOCK_SIZE, iv_aligned);
 }
 
-/**
- * Implementation of crypter_t.decrypt.
- */
-static void decrypt(private_padlock_aes_crypter_t *this, chunk_t data,
-						chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, decrypt, void,
+	private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, iv.ptr, data, dst, TRUE);
 }
 
-
-/**
- * Implementation of crypter_t.encrypt.
- */
-static void encrypt (private_padlock_aes_crypter_t *this, chunk_t data,
-							chunk_t iv, chunk_t *dst)
+METHOD(crypter_t, encrypt, void,
+	private_padlock_aes_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst)
 {
 	crypt(this, iv.ptr, data, dst, FALSE);
 }
 
-/**
- * Implementation of crypter_t.get_block_size.
- */
-static size_t get_block_size(private_padlock_aes_crypter_t *this)
+METHOD(crypter_t, get_block_size, size_t,
+	private_padlock_aes_crypter_t *this)
 {
 	return AES_BLOCK_SIZE;
 }
 
-/**
- * Implementation of crypter_t.get_key_size.
- */
-static size_t get_key_size(private_padlock_aes_crypter_t *this)
+METHOD(crypter_t, get_iv_size, size_t,
+	private_padlock_aes_crypter_t *this)
+{
+	return AES_BLOCK_SIZE;
+}
+
+METHOD(crypter_t, get_key_size, size_t,
+	private_padlock_aes_crypter_t *this)
 {
 	return this->key.len;
 }
 
-/**
- * Implementation of crypter_t.set_key.
- */
-static void set_key(private_padlock_aes_crypter_t *this, chunk_t key)
+METHOD(crypter_t, set_key, void,
+	private_padlock_aes_crypter_t *this, chunk_t key)
 {
 	memcpy(this->key.ptr, key.ptr, min(key.len, this->key.len));
 }
 
-/**
- * Implementation of crypter_t.destroy and aes_crypter_t.destroy.
- */
-static void destroy (private_padlock_aes_crypter_t *this)
+METHOD(crypter_t, destroy, void,
+	private_padlock_aes_crypter_t *this)
 {
 	free(this->key.ptr);
 	free(this);
@@ -171,29 +162,33 @@ padlock_aes_crypter_t *padlock_aes_crypter_create(encryption_algorithm_t algo,
 	{
 		return NULL;
 	}
-
-	this = malloc_thing(private_padlock_aes_crypter_t);
-
 	switch (key_size)
 	{
+		case 0:
+			key_size = 16;
+			/* FALL */
 		case 16:        /* AES 128 */
 			break;
 		case 24:        /* AES-192 */
 		case 32:        /* AES-256 */
 			/* These need an expanded key, currently not supported, FALL */
 		default:
-			free(this);
 			return NULL;
 	}
 
-	this->key = chunk_alloc(key_size);
-
-	this->public.crypter_interface.encrypt = (void (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
-	this->public.crypter_interface.decrypt = (void (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
-	this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
-	this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
-	this->public.crypter_interface.set_key = (void (*) (crypter_t *,chunk_t)) set_key;
-	this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
-
+	INIT(this,
+		.public = {
+			.crypter = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.key = chunk_alloc(key_size),
+	);
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
index d4c7a7577..1c804860c 100644
--- a/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
+++ b/src/libstrongswan/plugins/padlock/padlock_aes_crypter.h
@@ -32,9 +32,9 @@ typedef struct padlock_aes_crypter_t padlock_aes_crypter_t;
 struct padlock_aes_crypter_t {
 
 	/**
-	 * The crypter_t interface.
+	 * Implements crypter_t interface.
 	 */
-	crypter_t crypter_interface;
+	crypter_t crypter;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index c9606ae15..027c53c7b 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -101,10 +101,8 @@ static padlock_feature_t get_padlock_features()
 	return 0;
 }
 
-/**
- * Implementation of aes_plugin_t.destroy
- */
-static void destroy(private_padlock_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_padlock_plugin_t *this)
 {
 	if (this->features & PADLOCK_RNG_ENABLED)
 	{
@@ -133,11 +131,17 @@ static void destroy(private_padlock_plugin_t *this)
  */
 plugin_t *padlock_plugin_create()
 {
-	private_padlock_plugin_t *this = malloc_thing(private_padlock_plugin_t);
+	private_padlock_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.features = get_padlock_features(),
+	);
 
-	this->features = get_padlock_features();
 	if (!this->features)
 	{
 		free(this);
diff --git a/src/libstrongswan/plugins/padlock/padlock_rng.c b/src/libstrongswan/plugins/padlock/padlock_rng.c
index 8ff46081b..3d805df9d 100644
--- a/src/libstrongswan/plugins/padlock/padlock_rng.c
+++ b/src/libstrongswan/plugins/padlock/padlock_rng.c
@@ -53,15 +53,15 @@ struct private_padlock_rng_t {
  */
 static void rng(char *buf, int len, int quality)
 {
-	while (len > 0)

+	while (len > 0)
 	{
 		int status;
 
 		/* run XSTORE until we have all bytes needed. We do not use REP, as
 		 * this should not be performance critical and it's easier this way. */
 		asm volatile (
-			".byte 0x0F,0xA7,0xC0 \n\t"

-			: "=D"(buf), "=a"(status)

+			".byte 0x0F,0xA7,0xC0 \n\t"
+			: "=D"(buf), "=a"(status)
 			: "d"(quality), "D"(buf));
 
 		/* bits[0..4] of status word contains the number of bytes read */
@@ -69,11 +69,8 @@ static void rng(char *buf, int len, int quality)
 	}
 }
 
-/**
- * Implementation of padlock_rng_t.allocate_bytes.
- */
-static void allocate_bytes(private_padlock_rng_t *this, size_t bytes,
-						   chunk_t *chunk)
+METHOD(rng_t, allocate_bytes, void,
+	private_padlock_rng_t *this, size_t bytes, chunk_t *chunk)
 {
 	chunk->len = bytes;
 	/* padlock requires some additional bytes */
@@ -82,11 +79,8 @@ static void allocate_bytes(private_padlock_rng_t *this, size_t bytes,
 	rng(chunk->ptr, chunk->len, this->quality);
 }
 
-/**
- * Implementation of padlock_rng_t.get_bytes.
- */
-static void get_bytes(private_padlock_rng_t *this, size_t bytes,
-					  u_int8_t *buffer)
+METHOD(rng_t, get_bytes, void,
+	private_padlock_rng_t *this, size_t bytes, u_int8_t *buffer)
 {
 	chunk_t chunk;
 
@@ -96,10 +90,8 @@ static void get_bytes(private_padlock_rng_t *this, size_t bytes,
 	chunk_clear(&chunk);
 }
 
-/**
- * Implementation of padlock_rng_t.destroy.
- */
-static void destroy(private_padlock_rng_t *this)
+METHOD(rng_t, destroy, void,
+	private_padlock_rng_t *this)
 {
 	free(this);
 }
@@ -109,11 +101,17 @@ static void destroy(private_padlock_rng_t *this)
  */
 padlock_rng_t *padlock_rng_create(rng_quality_t quality)
 {
-	private_padlock_rng_t *this = malloc_thing(private_padlock_rng_t);
-
-	this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes;
-	this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes;
-	this->public.rng.destroy = (void (*) (rng_t *))destroy;
+	private_padlock_rng_t *this;
+
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	/* map RNG quality to Padlock quality factor */
 	switch (quality)
@@ -127,8 +125,10 @@ padlock_rng_t *padlock_rng_create(rng_quality_t quality)
 		case RNG_TRUE:
 			this->quality = PADLOCK_QF3;
 			break;
+		default:
+			free(this);
+			return NULL;
 	}
-
 	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
index 60b516675..66a077353 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.c
@@ -83,19 +83,14 @@ static void append_data(private_padlock_sha1_hasher_t *this, chunk_t data)
 	this->data.len += data.len;
 }
 
-/**
- * Implementation of hasher_t.reset.
- */
-static void reset(private_padlock_sha1_hasher_t *this)
+METHOD(hasher_t, reset, void,
+	private_padlock_sha1_hasher_t *this)
 {
 	chunk_free(&this->data);
 }
 
-/**
- * Implementation of hasher_t.get_hash.
- */
-static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
-					 u_int8_t *hash)
+METHOD(hasher_t, get_hash, void,
+	private_padlock_sha1_hasher_t *this, chunk_t chunk, u_int8_t *hash)
 {
 	if (hash)
 	{
@@ -116,11 +111,8 @@ static void get_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.allocate_hash.
- */
-static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
-						  chunk_t *hash)
+METHOD(hasher_t, allocate_hash, void,
+	private_padlock_sha1_hasher_t *this, chunk_t chunk, chunk_t *hash)
 {
 	if (hash)
 	{
@@ -133,18 +125,14 @@ static void allocate_hash(private_padlock_sha1_hasher_t *this, chunk_t chunk,
 	}
 }
 
-/**
- * Implementation of hasher_t.get_hash_size.
- */
-static size_t get_hash_size(private_padlock_sha1_hasher_t *this)
+METHOD(hasher_t, get_hash_size, size_t,
+	private_padlock_sha1_hasher_t *this)
 {
 	return HASH_SIZE_SHA1;
 }
 
-/**
- * Implementation of hasher_t.destroy.
- */
-static void destroy(private_padlock_sha1_hasher_t *this)
+METHOD(hasher_t, destroy, void,
+	private_padlock_sha1_hasher_t *this)
 {
 	free(this->data.ptr);
 	free(this);
@@ -161,15 +149,16 @@ padlock_sha1_hasher_t *padlock_sha1_hasher_create(hash_algorithm_t algo)
 	{
 		return NULL;
 	}
-
-	this = malloc_thing(private_padlock_sha1_hasher_t);
-	this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
-	this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
-	this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
-	this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
-	this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
-
-	this->data = chunk_empty;
-
-	return &(this->public);
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.destroy = _destroy,
+			},
+		},
+	);
+	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
index 740bdfe98..2d2b2b45d 100644
--- a/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
+++ b/src/libstrongswan/plugins/padlock/padlock_sha1_hasher.h
@@ -34,7 +34,7 @@ struct padlock_sha1_hasher_t {
 	/**
 	 * Implements hasher_t interface.
 	 */
-	hasher_t hasher_interface;
+	hasher_t hasher;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index e19a66fa5..cf5acdd1c 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index a15c3f258..b760adda9 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -127,8 +127,8 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 	}
 	crypter->set_key(crypter, key);
 
-	if (iv.len != crypter->get_block_size(crypter) ||
-		blob->len % iv.len)
+	if (iv.len != crypter->get_iv_size(crypter) ||
+		blob->len % crypter->get_block_size(crypter))
 	{
 		crypter->destroy(crypter);
 		DBG1(DBG_LIB, "  data size is not multiple of block size");
@@ -167,8 +167,7 @@ static status_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg,
 /**
  * Converts a PEM encoded file into its binary form (RFC 1421, RFC 934)
  */
-static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data,
-						   bool *pgp)
+static status_t pem_to_bin(chunk_t *blob, bool *pgp)
 {
 	typedef enum {
 		PEM_PRE    = 0,
@@ -187,9 +186,10 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 	chunk_t dst    = *blob;
 	chunk_t line   = chunk_empty;
 	chunk_t iv     = chunk_empty;
-	chunk_t passphrase;
-	int try = 0;
 	u_char iv_buf[HASH_SIZE_MD5];
+	status_t status = NOT_FOUND;
+	enumerator_t *enumerator;
+	shared_key_t *shared;
 
 	dst.len = 0;
 	iv.ptr = iv_buf;
@@ -326,36 +326,35 @@ static status_t pem_to_bin(chunk_t *blob, chunk_t(*cb)(void*,int), void *cb_data
 	{
 		return SUCCESS;
 	}
-	if (!cb)
-	{
-		DBG1(DBG_LIB, "  missing passphrase");
-		return INVALID_ARG;
-	}
-	while (TRUE)
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+											SHARED_PRIVATE_KEY_PASS, NULL, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
 	{
-		passphrase = cb(cb_data, ++try);
-		if (!passphrase.len || !passphrase.ptr)
+		chunk_t passphrase, chunk;
+
+		passphrase = shared->get_key(shared);
+		chunk = chunk_clone(*blob);
+		status = pem_decrypt(&chunk, alg, key_size, iv, passphrase);
+		if (status == SUCCESS)
 		{
-			return INVALID_ARG;
+			memcpy(blob->ptr, chunk.ptr, chunk.len);
+			blob->len = chunk.len;
 		}
-		switch (pem_decrypt(blob, alg, key_size, iv, passphrase))
-		{
-			case INVALID_ARG:
-				/* bad passphrase, retry */
-				continue;
-			case SUCCESS:
-				return SUCCESS;
-			default:
-				return FAILED;
+		free(chunk.ptr);
+		if (status != INVALID_ARG)
+		{	/* try again only if passphrase invalid */
+			break;
 		}
 	}
+	enumerator->destroy(enumerator);
+	return status;
 }
 
 /**
  * load the credential from a blob
  */
 static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
-							chunk_t(*cb)(void*,int), void *cb_data,
 							x509_flag_t flags)
 {
 	void *cred = NULL;
@@ -364,7 +363,7 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
 	blob = chunk_clone(blob);
 	if (!is_asn1(blob))
 	{
-		if (pem_to_bin(&blob, cb, cb_data, &pgp) != SUCCESS)
+		if (pem_to_bin(&blob, &pgp) != SUCCESS)
 		{
 			chunk_clear(&blob);
 			return NULL;
@@ -394,7 +393,6 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
  * load the credential from a file
  */
 static void *load_from_file(char *file, credential_type_t type, int subtype,
-							chunk_t(*cb)(void*,int), void *cb_data,
 							x509_flag_t flags)
 {
 	void *cred = NULL;
@@ -425,8 +423,7 @@ static void *load_from_file(char *file, credential_type_t type, int subtype,
 		return NULL;
 	}
 
-	cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype,
-						  cb, cb_data, flags);
+	cred = load_from_blob(chunk_create(addr, sb.st_size), type, subtype, flags);
 
 	munmap(addr, sb.st_size);
 	close(fd);
@@ -437,7 +434,6 @@ static void *load_from_file(char *file, credential_type_t type, int subtype,
  * load the credential from a file descriptor
  */
 static void *load_from_fd(int fd, credential_type_t type, int subtype,
-						  chunk_t(*cb)(void*,int), void *cb_data,
 						  x509_flag_t flags)
 {
 	char buf[8096];
@@ -464,20 +460,7 @@ static void *load_from_fd(int fd, credential_type_t type, int subtype,
 			return NULL;
 		}
 	}
-	return load_from_blob(chunk_create(buf, total), type, subtype,
-						  cb, cb_data, flags);
-}
-
-/**
- * passphrase callback to use if passphrase given
- */
-static chunk_t given_passphrase_cb(chunk_t *passphrase, int try)
-{
-	if (try > 1)
-	{	/* try only once for given passphrases */
-		return chunk_empty;
-	}
-	return *passphrase;
+	return load_from_blob(chunk_create(buf, total), type, subtype, flags);
 }
 
 /**
@@ -487,9 +470,7 @@ static void *pem_load(credential_type_t type, int subtype, va_list args)
 {
 	char *file = NULL;
 	int fd = -1;
-	chunk_t pem = chunk_empty, passphrase = chunk_empty;
-	chunk_t (*cb)(void *data, int try) = NULL;
-	void *cb_data = NULL;
+	chunk_t pem = chunk_empty;
 	int flags = 0;
 
 	while (TRUE)
@@ -505,18 +486,6 @@ static void *pem_load(credential_type_t type, int subtype, va_list args)
 			case BUILD_BLOB_PEM:
 				pem = va_arg(args, chunk_t);
 				continue;
-			case BUILD_PASSPHRASE:
-				passphrase = va_arg(args, chunk_t);
-				if (passphrase.len && passphrase.ptr)
-				{
-					cb = (void*)given_passphrase_cb;
-					cb_data = &passphrase;
-				}
-				continue;
-			case BUILD_PASSPHRASE_CALLBACK:
-				cb = va_arg(args, chunk_t(*)(void*,int));
-				cb_data = va_arg(args, void*);
-				continue;
 			case BUILD_X509_FLAG:
 				flags = va_arg(args, int);
 				continue;
@@ -530,15 +499,15 @@ static void *pem_load(credential_type_t type, int subtype, va_list args)
 
 	if (pem.len)
 	{
-		return load_from_blob(pem, type, subtype, cb, cb_data, flags);
+		return load_from_blob(pem, type, subtype, flags);
 	}
 	if (file)
 	{
-		return load_from_file(file, type, subtype, cb, cb_data, flags);
+		return load_from_file(file, type, subtype, flags);
 	}
 	if (fd != -1)
 	{
-		return load_from_fd(fd, type, subtype, cb, cb_data, flags);
+		return load_from_fd(fd, type, subtype, flags);
 	}
 	return NULL;
 }
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index 810901b7a..83efb155b 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -57,49 +57,49 @@ plugin_t *pem_plugin_create()
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
 	/* register private key PEM decoding builders */
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pem_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pem_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, FALSE,
 							(builder_function_t)pem_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_DSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_DSA, FALSE,
 							(builder_function_t)pem_private_key_load);
 
 	/* register public key PEM decoding builders */
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pem_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pem_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, FALSE,
 							(builder_function_t)pem_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_DSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_DSA, FALSE,
 							(builder_function_t)pem_public_key_load);
 
 	/* register certificate PEM decoding builders */
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_ANY,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_ANY, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE,
 							(builder_function_t)pem_certificate_load);
 
 	/* register pluto specific certificate formats */
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, FALSE,
 							(builder_function_t)pem_certificate_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, FALSE,
 							(builder_function_t)pem_certificate_load);
 
 	/* register PEM encoder */
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index a5bc5eb39..0098147a9 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pgp/pgp_builder.c b/src/libstrongswan/plugins/pgp/pgp_builder.c
index 84c9bfddd..440e70a18 100644
--- a/src/libstrongswan/plugins/pgp/pgp_builder.c
+++ b/src/libstrongswan/plugins/pgp/pgp_builder.c
@@ -129,7 +129,7 @@ static bool sign_not_allowed(private_key_t *this, signature_scheme_t scheme,
 /**
  * Implementation of private_key_t.decrypt for signature-only keys
  */
-static bool decrypt_not_allowed(private_key_t *this,
+static bool decrypt_not_allowed(private_key_t *this, encryption_scheme_t scheme,
 								chunk_t crypto, chunk_t *plain)
 {
 	DBG1(DBG_LIB, "decryption failed - signature only key");
diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c
index 3ed1faf01..41e0a5df6 100644
--- a/src/libstrongswan/plugins/pgp/pgp_plugin.c
+++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c
@@ -60,16 +60,16 @@ plugin_t *pgp_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pgp_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pgp_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pgp_private_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pgp_private_key_load);
 
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE,
 							(builder_function_t)pgp_cert_load);
 
 	lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode);
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 947f52d82..8b41499a7 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index 35ec2d2bf..d3afb5c67 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -56,11 +56,11 @@ plugin_t *pkcs1_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 							(builder_function_t)pkcs1_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pkcs1_public_key_load);
-	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE,
 							(builder_function_t)pkcs1_private_key_load);
 
 	lib->encoding->add_encoder(lib->encoding, pkcs1_encoder_encode);
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.am b/src/libstrongswan/plugins/pkcs11/Makefile.am
new file mode 100644
index 000000000..199039d95
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.am
@@ -0,0 +1,21 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-pkcs11.la
+else
+plugin_LTLIBRARIES = libstrongswan-pkcs11.la
+endif
+
+libstrongswan_pkcs11_la_SOURCES = \
+	pkcs11_plugin.h pkcs11_plugin.c pkcs11.h \
+	pkcs11_library.h pkcs11_library.c \
+	pkcs11_creds.h pkcs11_creds.c \
+	pkcs11_private_key.h pkcs11_private_key.c \
+	pkcs11_public_key.h pkcs11_public_key.c \
+	pkcs11_hasher.h pkcs11_hasher.c \
+	pkcs11_manager.h pkcs11_manager.c
+
+libstrongswan_pkcs11_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
new file mode 100644
index 000000000..c27310910
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -0,0 +1,614 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/pkcs11
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_pkcs11_la_LIBADD =
+am_libstrongswan_pkcs11_la_OBJECTS = pkcs11_plugin.lo \
+	pkcs11_library.lo pkcs11_creds.lo pkcs11_private_key.lo \
+	pkcs11_public_key.lo pkcs11_hasher.lo pkcs11_manager.lo
+libstrongswan_pkcs11_la_OBJECTS =  \
+	$(am_libstrongswan_pkcs11_la_OBJECTS)
+libstrongswan_pkcs11_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(libstrongswan_pkcs11_la_LDFLAGS) $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_pkcs11_la_rpath = -rpath \
+@MONOLITHIC_FALSE@	$(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_pkcs11_la_rpath =
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_pkcs11_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-pkcs11.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-pkcs11.la
+libstrongswan_pkcs11_la_SOURCES = \
+	pkcs11_plugin.h pkcs11_plugin.c pkcs11.h \
+	pkcs11_library.h pkcs11_library.c \
+	pkcs11_creds.h pkcs11_creds.c \
+	pkcs11_private_key.h pkcs11_private_key.c \
+	pkcs11_public_key.h pkcs11_public_key.c \
+	pkcs11_hasher.h pkcs11_hasher.c \
+	pkcs11_manager.h pkcs11_manager.c
+
+libstrongswan_pkcs11_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs11/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/pkcs11/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libstrongswan-pkcs11.la: $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_DEPENDENCIES) 
+	$(libstrongswan_pkcs11_la_LINK) $(am_libstrongswan_pkcs11_la_rpath) $(libstrongswan_pkcs11_la_OBJECTS) $(libstrongswan_pkcs11_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_library.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs11_public_key.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	ctags distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-man install-pdf install-pdf-am \
+	install-pluginLTLIBRARIES install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am \
+	uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11.h b/src/libstrongswan/plugins/pkcs11/pkcs11.h
new file mode 100644
index 000000000..2e6a1e3ed
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11.h
@@ -0,0 +1,1357 @@
+/* pkcs11.h
+   Copyright 2006, 2007 g10 Code GmbH
+   Copyright 2006 Andreas Jellinghaus
+
+   This file is free software; as a special exception the author gives
+   unlimited permission to copy and/or distribute it, with or without
+   modifications, as long as this notice is preserved.
+
+   This file is distributed in the hope that it will be useful, but
+   WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+   the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+   PURPOSE.  */
+
+/* Please submit changes back to the Scute project at
+   http://www.scute.org/ (or send them to marcus@g10code.com), so that
+   they can be picked up by other projects from there as well.  */
+
+/* This file is a modified implementation of the PKCS #11 standard by
+   RSA Security Inc.  It is mostly a drop-in replacement, with the
+   following change:
+
+   This header file does not require any macro definitions by the user
+   (like CK_DEFINE_FUNCTION etc).  In fact, it defines those macros
+   for you (if useful, some are missing, let me know if you need
+   more).
+
+   There is an additional API available that does comply better to the
+   GNU coding standard.  It can be switched on by defining
+   CRYPTOKI_GNU before including this header file.  For this, the
+   following changes are made to the specification:
+
+   All structure types are changed to a "struct ck_foo" where CK_FOO
+   is the type name in PKCS #11.
+
+   All non-structure types are changed to ck_foo_t where CK_FOO is the
+   lowercase version of the type name in PKCS #11.  The basic types
+   (CK_ULONG et al.) are removed without substitute.
+
+   All members of structures are modified in the following way: Type
+   indication prefixes are removed, and underscore characters are
+   inserted before words.  Then the result is lowercased.
+
+   Note that function names are still in the original case, as they
+   need for ABI compatibility.
+
+   CK_FALSE, CK_TRUE and NULL_PTR are removed without substitute.  Use
+   <stdbool.h>.
+
+   If CRYPTOKI_COMPAT is defined before including this header file,
+   then none of the API changes above take place, and the API is the
+   one defined by the PKCS #11 standard.  */
+
+#ifndef PKCS11_H
+#define PKCS11_H 1
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* The version of cryptoki we implement.  The revision is changed with
+   each modification of this file.  If you do not use the "official"
+   version of this file, please consider deleting the revision macro
+   (you may use a macro with a different name to keep track of your
+   versions).  */
+#define CRYPTOKI_VERSION_MAJOR		2
+#define CRYPTOKI_VERSION_MINOR		20
+#define CRYPTOKI_VERSION_REVISION	6
+
+
+/* Compatibility interface is default, unless CRYPTOKI_GNU is
+   given.  */
+#ifndef CRYPTOKI_GNU
+#ifndef CRYPTOKI_COMPAT
+#define CRYPTOKI_COMPAT 1
+#endif
+#endif
+
+/* System dependencies.  */
+
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+
+/* There is a matching pop below.  */
+#pragma pack(push, cryptoki, 1)
+
+#ifdef CRYPTOKI_EXPORTS
+#define CK_SPEC __declspec(dllexport)
+#else
+#define CK_SPEC __declspec(dllimport)
+#endif
+
+#else
+
+#define CK_SPEC
+
+#endif
+
+
+#ifdef CRYPTOKI_COMPAT
+  /* If we are in compatibility mode, switch all exposed names to the
+     PKCS #11 variant.  There are corresponding #undefs below.  */
+
+#define ck_flags_t CK_FLAGS
+#define ck_version _CK_VERSION
+
+#define ck_info _CK_INFO
+#define cryptoki_version cryptokiVersion
+#define manufacturer_id manufacturerID
+#define library_description libraryDescription
+#define library_version libraryVersion
+
+#define ck_notification_t CK_NOTIFICATION
+#define ck_slot_id_t CK_SLOT_ID
+
+#define ck_slot_info _CK_SLOT_INFO
+#define slot_description slotDescription
+#define hardware_version hardwareVersion
+#define firmware_version firmwareVersion
+
+#define ck_token_info _CK_TOKEN_INFO
+#define serial_number serialNumber
+#define max_session_count ulMaxSessionCount
+#define session_count ulSessionCount
+#define max_rw_session_count ulMaxRwSessionCount
+#define rw_session_count ulRwSessionCount
+#define max_pin_len ulMaxPinLen
+#define min_pin_len ulMinPinLen
+#define total_public_memory ulTotalPublicMemory
+#define free_public_memory ulFreePublicMemory
+#define total_private_memory ulTotalPrivateMemory
+#define free_private_memory ulFreePrivateMemory
+#define utc_time utcTime
+
+#define ck_session_handle_t CK_SESSION_HANDLE
+#define ck_user_type_t CK_USER_TYPE
+#define ck_state_t CK_STATE
+
+#define ck_session_info _CK_SESSION_INFO
+#define slot_id slotID
+#define device_error ulDeviceError
+
+#define ck_object_handle_t CK_OBJECT_HANDLE
+#define ck_object_class_t CK_OBJECT_CLASS
+#define ck_hw_feature_type_t CK_HW_FEATURE_TYPE
+#define ck_key_type_t CK_KEY_TYPE
+#define ck_certificate_type_t CK_CERTIFICATE_TYPE
+#define ck_attribute_type_t CK_ATTRIBUTE_TYPE
+
+#define ck_attribute _CK_ATTRIBUTE
+#define value pValue
+#define value_len ulValueLen
+
+#define ck_date _CK_DATE
+
+#define ck_mechanism_type_t CK_MECHANISM_TYPE
+
+#define ck_mechanism _CK_MECHANISM
+#define parameter pParameter
+#define parameter_len ulParameterLen
+
+#define ck_mechanism_info _CK_MECHANISM_INFO
+#define min_key_size ulMinKeySize
+#define max_key_size ulMaxKeySize
+
+#define ck_rv_t CK_RV
+#define ck_notify_t CK_NOTIFY
+
+#define ck_function_list _CK_FUNCTION_LIST
+
+#define ck_createmutex_t CK_CREATEMUTEX
+#define ck_destroymutex_t CK_DESTROYMUTEX
+#define ck_lockmutex_t CK_LOCKMUTEX
+#define ck_unlockmutex_t CK_UNLOCKMUTEX
+
+#define ck_c_initialize_args _CK_C_INITIALIZE_ARGS
+#define create_mutex CreateMutex
+#define destroy_mutex DestroyMutex
+#define lock_mutex LockMutex
+#define unlock_mutex UnlockMutex
+#define reserved pReserved
+
+#endif	/* CRYPTOKI_COMPAT */
+
+
+
+typedef unsigned long ck_flags_t;
+
+struct ck_version
+{
+  unsigned char major;
+  unsigned char minor;
+};
+
+
+struct ck_info
+{
+  struct ck_version cryptoki_version;
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  unsigned char library_description[32];
+  struct ck_version library_version;
+};
+
+
+typedef unsigned long ck_notification_t;
+
+#define CKN_SURRENDER	(0)
+
+
+typedef unsigned long ck_slot_id_t;
+
+
+struct ck_slot_info
+{
+  unsigned char slot_description[64];
+  unsigned char manufacturer_id[32];
+  ck_flags_t flags;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+};
+
+
+#define CKF_TOKEN_PRESENT	(1 << 0)
+#define CKF_REMOVABLE_DEVICE	(1 << 1)
+#define CKF_HW_SLOT		(1 << 2)
+#define CKF_ARRAY_ATTRIBUTE	(1 << 30)
+
+
+struct ck_token_info
+{
+  unsigned char label[32];
+  unsigned char manufacturer_id[32];
+  unsigned char model[16];
+  unsigned char serial_number[16];
+  ck_flags_t flags;
+  unsigned long max_session_count;
+  unsigned long session_count;
+  unsigned long max_rw_session_count;
+  unsigned long rw_session_count;
+  unsigned long max_pin_len;
+  unsigned long min_pin_len;
+  unsigned long total_public_memory;
+  unsigned long free_public_memory;
+  unsigned long total_private_memory;
+  unsigned long free_private_memory;
+  struct ck_version hardware_version;
+  struct ck_version firmware_version;
+  unsigned char utc_time[16];
+};
+
+
+#define CKF_RNG					(1 << 0)
+#define CKF_WRITE_PROTECTED			(1 << 1)
+#define CKF_LOGIN_REQUIRED			(1 << 2)
+#define CKF_USER_PIN_INITIALIZED		(1 << 3)
+#define CKF_RESTORE_KEY_NOT_NEEDED		(1 << 5)
+#define CKF_CLOCK_ON_TOKEN			(1 << 6)
+#define CKF_PROTECTED_AUTHENTICATION_PATH	(1 << 8)
+#define CKF_DUAL_CRYPTO_OPERATIONS		(1 << 9)
+#define CKF_TOKEN_INITIALIZED			(1 << 10)
+#define CKF_SECONDARY_AUTHENTICATION		(1 << 11)
+#define CKF_USER_PIN_COUNT_LOW			(1 << 16)
+#define CKF_USER_PIN_FINAL_TRY			(1 << 17)
+#define CKF_USER_PIN_LOCKED			(1 << 18)
+#define CKF_USER_PIN_TO_BE_CHANGED		(1 << 19)
+#define CKF_SO_PIN_COUNT_LOW			(1 << 20)
+#define CKF_SO_PIN_FINAL_TRY			(1 << 21)
+#define CKF_SO_PIN_LOCKED			(1 << 22)
+#define CKF_SO_PIN_TO_BE_CHANGED		(1 << 23)
+
+#define CK_UNAVAILABLE_INFORMATION	((unsigned long) -1)
+#define CK_EFFECTIVELY_INFINITE		(0)
+
+
+typedef unsigned long ck_session_handle_t;
+
+#define CK_INVALID_HANDLE	(0)
+
+
+typedef unsigned long ck_user_type_t;
+
+#define CKU_SO			(0)
+#define CKU_USER		(1)
+#define CKU_CONTEXT_SPECIFIC	(2)
+
+
+typedef unsigned long ck_state_t;
+
+#define CKS_RO_PUBLIC_SESSION	(0)
+#define CKS_RO_USER_FUNCTIONS	(1)
+#define CKS_RW_PUBLIC_SESSION	(2)
+#define CKS_RW_USER_FUNCTIONS	(3)
+#define CKS_RW_SO_FUNCTIONS	(4)
+
+
+struct ck_session_info
+{
+  ck_slot_id_t slot_id;
+  ck_state_t state;
+  ck_flags_t flags;
+  unsigned long device_error;
+};
+
+#define CKF_RW_SESSION		(1 << 1)
+#define CKF_SERIAL_SESSION	(1 << 2)
+
+
+typedef unsigned long ck_object_handle_t;
+
+
+typedef unsigned long ck_object_class_t;
+
+#define CKO_DATA		(0)
+#define CKO_CERTIFICATE		(1)
+#define CKO_PUBLIC_KEY		(2)
+#define CKO_PRIVATE_KEY		(3)
+#define CKO_SECRET_KEY		(4)
+#define CKO_HW_FEATURE		(5)
+#define CKO_DOMAIN_PARAMETERS	(6)
+#define CKO_MECHANISM		(7)
+#define CKO_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_hw_feature_type_t;
+
+#define CKH_MONOTONIC_COUNTER	(1)
+#define CKH_CLOCK		(2)
+#define CKH_USER_INTERFACE	(3)
+#define CKH_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_key_type_t;
+
+#define CKK_RSA			(0)
+#define CKK_DSA			(1)
+#define CKK_DH			(2)
+#define CKK_ECDSA		(3)
+#define CKK_EC			(3)
+#define CKK_X9_42_DH		(4)
+#define CKK_KEA			(5)
+#define CKK_GENERIC_SECRET	(0x10)
+#define CKK_RC2			(0x11)
+#define CKK_RC4			(0x12)
+#define CKK_DES			(0x13)
+#define CKK_DES2		(0x14)
+#define CKK_DES3		(0x15)
+#define CKK_CAST		(0x16)
+#define CKK_CAST3		(0x17)
+#define CKK_CAST128		(0x18)
+#define CKK_RC5			(0x19)
+#define CKK_IDEA		(0x1a)
+#define CKK_SKIPJACK		(0x1b)
+#define CKK_BATON		(0x1c)
+#define CKK_JUNIPER		(0x1d)
+#define CKK_CDMF		(0x1e)
+#define CKK_AES			(0x1f)
+#define CKK_BLOWFISH		(0x20)
+#define CKK_TWOFISH		(0x21)
+#define CKK_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_certificate_type_t;
+
+#define CKC_X_509		(0)
+#define CKC_X_509_ATTR_CERT	(1)
+#define CKC_WTLS		(2)
+#define CKC_VENDOR_DEFINED	((unsigned long) (1 << 31))
+
+
+typedef unsigned long ck_attribute_type_t;
+
+#define CKA_CLASS			(0)
+#define CKA_TOKEN			(1)
+#define CKA_PRIVATE			(2)
+#define CKA_LABEL			(3)
+#define CKA_APPLICATION			(0x10)
+#define CKA_VALUE			(0x11)
+#define CKA_OBJECT_ID			(0x12)
+#define CKA_CERTIFICATE_TYPE		(0x80)
+#define CKA_ISSUER			(0x81)
+#define CKA_SERIAL_NUMBER		(0x82)
+#define CKA_AC_ISSUER			(0x83)
+#define CKA_OWNER			(0x84)
+#define CKA_ATTR_TYPES			(0x85)
+#define CKA_TRUSTED			(0x86)
+#define CKA_CERTIFICATE_CATEGORY	(0x87)
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN	(0x88)
+#define CKA_URL				(0x89)
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY	(0x8a)
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY	(0x8b)
+#define CKA_CHECK_VALUE			(0x90)
+#define CKA_KEY_TYPE			(0x100)
+#define CKA_SUBJECT			(0x101)
+#define CKA_ID				(0x102)
+#define CKA_SENSITIVE			(0x103)
+#define CKA_ENCRYPT			(0x104)
+#define CKA_DECRYPT			(0x105)
+#define CKA_WRAP			(0x106)
+#define CKA_UNWRAP			(0x107)
+#define CKA_SIGN			(0x108)
+#define CKA_SIGN_RECOVER		(0x109)
+#define CKA_VERIFY			(0x10a)
+#define CKA_VERIFY_RECOVER		(0x10b)
+#define CKA_DERIVE			(0x10c)
+#define CKA_START_DATE			(0x110)
+#define CKA_END_DATE			(0x111)
+#define CKA_MODULUS			(0x120)
+#define CKA_MODULUS_BITS		(0x121)
+#define CKA_PUBLIC_EXPONENT		(0x122)
+#define CKA_PRIVATE_EXPONENT		(0x123)
+#define CKA_PRIME_1			(0x124)
+#define CKA_PRIME_2			(0x125)
+#define CKA_EXPONENT_1			(0x126)
+#define CKA_EXPONENT_2			(0x127)
+#define CKA_COEFFICIENT			(0x128)
+#define CKA_PRIME			(0x130)
+#define CKA_SUBPRIME			(0x131)
+#define CKA_BASE			(0x132)
+#define CKA_PRIME_BITS			(0x133)
+#define CKA_SUB_PRIME_BITS		(0x134)
+#define CKA_VALUE_BITS			(0x160)
+#define CKA_VALUE_LEN			(0x161)
+#define CKA_EXTRACTABLE			(0x162)
+#define CKA_LOCAL			(0x163)
+#define CKA_NEVER_EXTRACTABLE		(0x164)
+#define CKA_ALWAYS_SENSITIVE		(0x165)
+#define CKA_KEY_GEN_MECHANISM		(0x166)
+#define CKA_MODIFIABLE			(0x170)
+#define CKA_ECDSA_PARAMS		(0x180)
+#define CKA_EC_PARAMS			(0x180)
+#define CKA_EC_POINT			(0x181)
+#define CKA_SECONDARY_AUTH		(0x200)
+#define CKA_AUTH_PIN_FLAGS		(0x201)
+#define CKA_ALWAYS_AUTHENTICATE		(0x202)
+#define CKA_WRAP_WITH_TRUSTED		(0x210)
+#define CKA_HW_FEATURE_TYPE		(0x300)
+#define CKA_RESET_ON_INIT		(0x301)
+#define CKA_HAS_RESET			(0x302)
+#define CKA_PIXEL_X			(0x400)
+#define CKA_PIXEL_Y			(0x401)
+#define CKA_RESOLUTION			(0x402)
+#define CKA_CHAR_ROWS			(0x403)
+#define CKA_CHAR_COLUMNS		(0x404)
+#define CKA_COLOR			(0x405)
+#define CKA_BITS_PER_PIXEL		(0x406)
+#define CKA_CHAR_SETS			(0x480)
+#define CKA_ENCODING_METHODS		(0x481)
+#define CKA_MIME_TYPES			(0x482)
+#define CKA_MECHANISM_TYPE		(0x500)
+#define CKA_REQUIRED_CMS_ATTRIBUTES	(0x501)
+#define CKA_DEFAULT_CMS_ATTRIBUTES	(0x502)
+#define CKA_SUPPORTED_CMS_ATTRIBUTES	(0x503)
+#define CKA_WRAP_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x211)
+#define CKA_UNWRAP_TEMPLATE		(CKF_ARRAY_ATTRIBUTE | 0x212)
+#define CKA_ALLOWED_MECHANISMS		(CKF_ARRAY_ATTRIBUTE | 0x600)
+#define CKA_VENDOR_DEFINED		((unsigned long) (1 << 31))
+
+
+struct ck_attribute
+{
+  ck_attribute_type_t type;
+  void *value;
+  unsigned long value_len;
+};
+
+
+struct ck_date
+{
+  unsigned char year[4];
+  unsigned char month[2];
+  unsigned char day[2];
+};
+
+
+typedef unsigned long ck_mechanism_type_t;
+
+#define CKM_RSA_PKCS_KEY_PAIR_GEN	(0)
+#define CKM_RSA_PKCS			(1)
+#define CKM_RSA_9796			(2)
+#define CKM_RSA_X_509			(3)
+#define CKM_MD2_RSA_PKCS		(4)
+#define CKM_MD5_RSA_PKCS		(5)
+#define CKM_SHA1_RSA_PKCS		(6)
+#define CKM_RIPEMD128_RSA_PKCS		(7)
+#define CKM_RIPEMD160_RSA_PKCS		(8)
+#define CKM_RSA_PKCS_OAEP		(9)
+#define CKM_RSA_X9_31_KEY_PAIR_GEN	(0xa)
+#define CKM_RSA_X9_31			(0xb)
+#define CKM_SHA1_RSA_X9_31		(0xc)
+#define CKM_RSA_PKCS_PSS		(0xd)
+#define CKM_SHA1_RSA_PKCS_PSS		(0xe)
+#define CKM_DSA_KEY_PAIR_GEN		(0x10)
+#define	CKM_DSA				(0x11)
+#define CKM_DSA_SHA1			(0x12)
+#define CKM_DH_PKCS_KEY_PAIR_GEN	(0x20)
+#define CKM_DH_PKCS_DERIVE		(0x21)
+#define	CKM_X9_42_DH_KEY_PAIR_GEN	(0x30)
+#define CKM_X9_42_DH_DERIVE		(0x31)
+#define CKM_X9_42_DH_HYBRID_DERIVE	(0x32)
+#define CKM_X9_42_MQV_DERIVE		(0x33)
+#define CKM_SHA256_RSA_PKCS		(0x40)
+#define CKM_SHA384_RSA_PKCS		(0x41)
+#define CKM_SHA512_RSA_PKCS		(0x42)
+#define CKM_SHA256_RSA_PKCS_PSS		(0x43)
+#define CKM_SHA384_RSA_PKCS_PSS		(0x44)
+#define CKM_SHA512_RSA_PKCS_PSS		(0x45)
+#define CKM_RC2_KEY_GEN			(0x100)
+#define CKM_RC2_ECB			(0x101)
+#define	CKM_RC2_CBC			(0x102)
+#define	CKM_RC2_MAC			(0x103)
+#define CKM_RC2_MAC_GENERAL		(0x104)
+#define CKM_RC2_CBC_PAD			(0x105)
+#define CKM_RC4_KEY_GEN			(0x110)
+#define CKM_RC4				(0x111)
+#define CKM_DES_KEY_GEN			(0x120)
+#define CKM_DES_ECB			(0x121)
+#define CKM_DES_CBC			(0x122)
+#define CKM_DES_MAC			(0x123)
+#define CKM_DES_MAC_GENERAL		(0x124)
+#define CKM_DES_CBC_PAD			(0x125)
+#define CKM_DES2_KEY_GEN		(0x130)
+#define CKM_DES3_KEY_GEN		(0x131)
+#define CKM_DES3_ECB			(0x132)
+#define CKM_DES3_CBC			(0x133)
+#define CKM_DES3_MAC			(0x134)
+#define CKM_DES3_MAC_GENERAL		(0x135)
+#define CKM_DES3_CBC_PAD		(0x136)
+#define CKM_CDMF_KEY_GEN		(0x140)
+#define CKM_CDMF_ECB			(0x141)
+#define CKM_CDMF_CBC			(0x142)
+#define CKM_CDMF_MAC			(0x143)
+#define CKM_CDMF_MAC_GENERAL		(0x144)
+#define CKM_CDMF_CBC_PAD		(0x145)
+#define CKM_MD2				(0x200)
+#define CKM_MD2_HMAC			(0x201)
+#define CKM_MD2_HMAC_GENERAL		(0x202)
+#define CKM_MD5				(0x210)
+#define CKM_MD5_HMAC			(0x211)
+#define CKM_MD5_HMAC_GENERAL		(0x212)
+#define CKM_SHA_1			(0x220)
+#define CKM_SHA_1_HMAC			(0x221)
+#define CKM_SHA_1_HMAC_GENERAL		(0x222)
+#define CKM_RIPEMD128			(0x230)
+#define CKM_RIPEMD128_HMAC		(0x231)
+#define CKM_RIPEMD128_HMAC_GENERAL	(0x232)
+#define CKM_RIPEMD160			(0x240)
+#define CKM_RIPEMD160_HMAC		(0x241)
+#define CKM_RIPEMD160_HMAC_GENERAL	(0x242)
+#define CKM_SHA256			(0x250)
+#define CKM_SHA256_HMAC			(0x251)
+#define CKM_SHA256_HMAC_GENERAL		(0x252)
+#define CKM_SHA384			(0x260)
+#define CKM_SHA384_HMAC			(0x261)
+#define CKM_SHA384_HMAC_GENERAL		(0x262)
+#define CKM_SHA512			(0x270)
+#define CKM_SHA512_HMAC			(0x271)
+#define CKM_SHA512_HMAC_GENERAL		(0x272)
+#define CKM_CAST_KEY_GEN		(0x300)
+#define CKM_CAST_ECB			(0x301)
+#define CKM_CAST_CBC			(0x302)
+#define CKM_CAST_MAC			(0x303)
+#define CKM_CAST_MAC_GENERAL		(0x304)
+#define CKM_CAST_CBC_PAD		(0x305)
+#define CKM_CAST3_KEY_GEN		(0x310)
+#define CKM_CAST3_ECB			(0x311)
+#define CKM_CAST3_CBC			(0x312)
+#define CKM_CAST3_MAC			(0x313)
+#define CKM_CAST3_MAC_GENERAL		(0x314)
+#define CKM_CAST3_CBC_PAD		(0x315)
+#define CKM_CAST5_KEY_GEN		(0x320)
+#define CKM_CAST128_KEY_GEN		(0x320)
+#define CKM_CAST5_ECB			(0x321)
+#define CKM_CAST128_ECB			(0x321)
+#define CKM_CAST5_CBC			(0x322)
+#define CKM_CAST128_CBC			(0x322)
+#define CKM_CAST5_MAC			(0x323)
+#define	CKM_CAST128_MAC			(0x323)
+#define CKM_CAST5_MAC_GENERAL		(0x324)
+#define CKM_CAST128_MAC_GENERAL		(0x324)
+#define CKM_CAST5_CBC_PAD		(0x325)
+#define CKM_CAST128_CBC_PAD		(0x325)
+#define CKM_RC5_KEY_GEN			(0x330)
+#define CKM_RC5_ECB			(0x331)
+#define CKM_RC5_CBC			(0x332)
+#define CKM_RC5_MAC			(0x333)
+#define CKM_RC5_MAC_GENERAL		(0x334)
+#define CKM_RC5_CBC_PAD			(0x335)
+#define CKM_IDEA_KEY_GEN		(0x340)
+#define CKM_IDEA_ECB			(0x341)
+#define	CKM_IDEA_CBC			(0x342)
+#define CKM_IDEA_MAC			(0x343)
+#define CKM_IDEA_MAC_GENERAL		(0x344)
+#define CKM_IDEA_CBC_PAD		(0x345)
+#define CKM_GENERIC_SECRET_KEY_GEN	(0x350)
+#define CKM_CONCATENATE_BASE_AND_KEY	(0x360)
+#define CKM_CONCATENATE_BASE_AND_DATA	(0x362)
+#define CKM_CONCATENATE_DATA_AND_BASE	(0x363)
+#define CKM_XOR_BASE_AND_DATA		(0x364)
+#define CKM_EXTRACT_KEY_FROM_KEY	(0x365)
+#define CKM_SSL3_PRE_MASTER_KEY_GEN	(0x370)
+#define CKM_SSL3_MASTER_KEY_DERIVE	(0x371)
+#define CKM_SSL3_KEY_AND_MAC_DERIVE	(0x372)
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH	(0x373)
+#define CKM_TLS_PRE_MASTER_KEY_GEN	(0x374)
+#define CKM_TLS_MASTER_KEY_DERIVE	(0x375)
+#define CKM_TLS_KEY_AND_MAC_DERIVE	(0x376)
+#define CKM_TLS_MASTER_KEY_DERIVE_DH	(0x377)
+#define CKM_SSL3_MD5_MAC		(0x380)
+#define CKM_SSL3_SHA1_MAC		(0x381)
+#define CKM_MD5_KEY_DERIVATION		(0x390)
+#define CKM_MD2_KEY_DERIVATION		(0x391)
+#define CKM_SHA1_KEY_DERIVATION		(0x392)
+#define CKM_PBE_MD2_DES_CBC		(0x3a0)
+#define CKM_PBE_MD5_DES_CBC		(0x3a1)
+#define CKM_PBE_MD5_CAST_CBC		(0x3a2)
+#define CKM_PBE_MD5_CAST3_CBC		(0x3a3)
+#define CKM_PBE_MD5_CAST5_CBC		(0x3a4)
+#define CKM_PBE_MD5_CAST128_CBC		(0x3a4)
+#define CKM_PBE_SHA1_CAST5_CBC		(0x3a5)
+#define CKM_PBE_SHA1_CAST128_CBC	(0x3a5)
+#define CKM_PBE_SHA1_RC4_128		(0x3a6)
+#define CKM_PBE_SHA1_RC4_40		(0x3a7)
+#define CKM_PBE_SHA1_DES3_EDE_CBC	(0x3a8)
+#define CKM_PBE_SHA1_DES2_EDE_CBC	(0x3a9)
+#define CKM_PBE_SHA1_RC2_128_CBC	(0x3aa)
+#define CKM_PBE_SHA1_RC2_40_CBC		(0x3ab)
+#define CKM_PKCS5_PBKD2			(0x3b0)
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC	(0x3c0)
+#define CKM_KEY_WRAP_LYNKS		(0x400)
+#define CKM_KEY_WRAP_SET_OAEP		(0x401)
+#define CKM_SKIPJACK_KEY_GEN		(0x1000)
+#define CKM_SKIPJACK_ECB64		(0x1001)
+#define CKM_SKIPJACK_CBC64		(0x1002)
+#define CKM_SKIPJACK_OFB64		(0x1003)
+#define CKM_SKIPJACK_CFB64		(0x1004)
+#define CKM_SKIPJACK_CFB32		(0x1005)
+#define CKM_SKIPJACK_CFB16		(0x1006)
+#define CKM_SKIPJACK_CFB8		(0x1007)
+#define CKM_SKIPJACK_WRAP		(0x1008)
+#define CKM_SKIPJACK_PRIVATE_WRAP	(0x1009)
+#define CKM_SKIPJACK_RELAYX		(0x100a)
+#define CKM_KEA_KEY_PAIR_GEN		(0x1010)
+#define CKM_KEA_KEY_DERIVE		(0x1011)
+#define CKM_FORTEZZA_TIMESTAMP		(0x1020)
+#define CKM_BATON_KEY_GEN		(0x1030)
+#define CKM_BATON_ECB128		(0x1031)
+#define CKM_BATON_ECB96			(0x1032)
+#define CKM_BATON_CBC128		(0x1033)
+#define CKM_BATON_COUNTER		(0x1034)
+#define CKM_BATON_SHUFFLE		(0x1035)
+#define CKM_BATON_WRAP			(0x1036)
+#define CKM_ECDSA_KEY_PAIR_GEN		(0x1040)
+#define CKM_EC_KEY_PAIR_GEN		(0x1040)
+#define CKM_ECDSA			(0x1041)
+#define CKM_ECDSA_SHA1			(0x1042)
+#define CKM_ECDH1_DERIVE		(0x1050)
+#define CKM_ECDH1_COFACTOR_DERIVE	(0x1051)
+#define CKM_ECMQV_DERIVE		(0x1052)
+#define CKM_JUNIPER_KEY_GEN		(0x1060)
+#define CKM_JUNIPER_ECB128		(0x1061)
+#define CKM_JUNIPER_CBC128		(0x1062)
+#define CKM_JUNIPER_COUNTER		(0x1063)
+#define CKM_JUNIPER_SHUFFLE		(0x1064)
+#define CKM_JUNIPER_WRAP		(0x1065)
+#define CKM_FASTHASH			(0x1070)
+#define CKM_AES_KEY_GEN			(0x1080)
+#define CKM_AES_ECB			(0x1081)
+#define CKM_AES_CBC			(0x1082)
+#define CKM_AES_MAC			(0x1083)
+#define CKM_AES_MAC_GENERAL		(0x1084)
+#define CKM_AES_CBC_PAD			(0x1085)
+#define CKM_DSA_PARAMETER_GEN		(0x2000)
+#define CKM_DH_PKCS_PARAMETER_GEN	(0x2001)
+#define CKM_X9_42_DH_PARAMETER_GEN	(0x2002)
+#define CKM_VENDOR_DEFINED		((unsigned long) (1 << 31))
+
+
+struct ck_mechanism
+{
+  ck_mechanism_type_t mechanism;
+  void *parameter;
+  unsigned long parameter_len;
+};
+
+
+struct ck_mechanism_info
+{
+  unsigned long min_key_size;
+  unsigned long max_key_size;
+  ck_flags_t flags;
+};
+
+#define CKF_HW			(1 << 0)
+#define CKF_ENCRYPT		(1 << 8)
+#define CKF_DECRYPT		(1 << 9)
+#define CKF_DIGEST		(1 << 10)
+#define CKF_SIGN		(1 << 11)
+#define CKF_SIGN_RECOVER	(1 << 12)
+#define CKF_VERIFY		(1 << 13)
+#define CKF_VERIFY_RECOVER	(1 << 14)
+#define CKF_GENERATE		(1 << 15)
+#define CKF_GENERATE_KEY_PAIR	(1 << 16)
+#define CKF_WRAP		(1 << 17)
+#define CKF_UNWRAP		(1 << 18)
+#define CKF_DERIVE		(1 << 19)
+#define CKF_EXTENSION		((unsigned long) (1 << 31))
+
+
+/* Flags for C_WaitForSlotEvent.  */
+#define CKF_DONT_BLOCK				(1)
+
+
+typedef unsigned long ck_rv_t;
+
+
+typedef ck_rv_t (*ck_notify_t) (ck_session_handle_t session,
+				ck_notification_t event, void *application);
+
+/* Forward reference.  */
+struct ck_function_list;
+
+#define _CK_DECLARE_FUNCTION(name, args)	\
+typedef ck_rv_t (*CK_ ## name) args;		\
+ck_rv_t CK_SPEC name args
+
+_CK_DECLARE_FUNCTION (C_Initialize, (void *init_args));
+_CK_DECLARE_FUNCTION (C_Finalize, (void *reserved));
+_CK_DECLARE_FUNCTION (C_GetInfo, (struct ck_info *info));
+_CK_DECLARE_FUNCTION (C_GetFunctionList,
+		      (struct ck_function_list **function_list));
+
+_CK_DECLARE_FUNCTION (C_GetSlotList,
+		      (unsigned char token_present, ck_slot_id_t *slot_list,
+		       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetSlotInfo,
+		      (ck_slot_id_t slot_id, struct ck_slot_info *info));
+_CK_DECLARE_FUNCTION (C_GetTokenInfo,
+		      (ck_slot_id_t slot_id, struct ck_token_info *info));
+_CK_DECLARE_FUNCTION (C_WaitForSlotEvent,
+		      (ck_flags_t flags, ck_slot_id_t *slot, void *reserved));
+_CK_DECLARE_FUNCTION (C_GetMechanismList,
+		      (ck_slot_id_t slot_id,
+		       ck_mechanism_type_t *mechanism_list,
+		       unsigned long *count));
+_CK_DECLARE_FUNCTION (C_GetMechanismInfo,
+		      (ck_slot_id_t slot_id, ck_mechanism_type_t type,
+		       struct ck_mechanism_info *info));
+_CK_DECLARE_FUNCTION (C_InitToken,
+		      (ck_slot_id_t slot_id, unsigned char *pin,
+		       unsigned long pin_len, unsigned char *label));
+_CK_DECLARE_FUNCTION (C_InitPIN,
+		      (ck_session_handle_t session, unsigned char *pin,
+		       unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_SetPIN,
+		      (ck_session_handle_t session, unsigned char *old_pin,
+		       unsigned long old_len, unsigned char *new_pin,
+		       unsigned long new_len));
+
+_CK_DECLARE_FUNCTION (C_OpenSession,
+		      (ck_slot_id_t slot_id, ck_flags_t flags,
+		       void *application, ck_notify_t notify,
+		       ck_session_handle_t *session));
+_CK_DECLARE_FUNCTION (C_CloseSession, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CloseAllSessions, (ck_slot_id_t slot_id));
+_CK_DECLARE_FUNCTION (C_GetSessionInfo,
+		      (ck_session_handle_t session,
+		       struct ck_session_info *info));
+_CK_DECLARE_FUNCTION (C_GetOperationState,
+		      (ck_session_handle_t session,
+		       unsigned char *operation_state,
+		       unsigned long *operation_state_len));
+_CK_DECLARE_FUNCTION (C_SetOperationState,
+		      (ck_session_handle_t session,
+		       unsigned char *operation_state,
+		       unsigned long operation_state_len,
+		       ck_object_handle_t encryption_key,
+		       ck_object_handle_t authentiation_key));
+_CK_DECLARE_FUNCTION (C_Login,
+		      (ck_session_handle_t session, ck_user_type_t user_type,
+		       unsigned char *pin, unsigned long pin_len));
+_CK_DECLARE_FUNCTION (C_Logout, (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_CreateObject,
+		      (ck_session_handle_t session,
+		       struct ck_attribute *templ,
+		       unsigned long count, ck_object_handle_t *object));
+_CK_DECLARE_FUNCTION (C_CopyObject,
+		      (ck_session_handle_t session, ck_object_handle_t object,
+		       struct ck_attribute *templ, unsigned long count,
+		       ck_object_handle_t *new_object));
+_CK_DECLARE_FUNCTION (C_DestroyObject,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object));
+_CK_DECLARE_FUNCTION (C_GetObjectSize,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       unsigned long *size));
+_CK_DECLARE_FUNCTION (C_GetAttributeValue,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_SetAttributeValue,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t object,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjectsInit,
+		      (ck_session_handle_t session,
+		       struct ck_attribute *templ,
+		       unsigned long count));
+_CK_DECLARE_FUNCTION (C_FindObjects,
+		      (ck_session_handle_t session,
+		       ck_object_handle_t *object,
+		       unsigned long max_object_count,
+		       unsigned long *object_count));
+_CK_DECLARE_FUNCTION (C_FindObjectsFinal,
+		      (ck_session_handle_t session));
+
+_CK_DECLARE_FUNCTION (C_EncryptInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Encrypt,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *encrypted_data,
+		       unsigned long *encrypted_data_len));
+_CK_DECLARE_FUNCTION (C_EncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_EncryptFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *last_encrypted_part,
+		       unsigned long *last_encrypted_part_len));
+
+_CK_DECLARE_FUNCTION (C_DecryptInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Decrypt,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_data,
+		       unsigned long encrypted_data_len,
+		       unsigned char *data, unsigned long *data_len));
+_CK_DECLARE_FUNCTION (C_DecryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part, unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_DecryptFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *last_part,
+		       unsigned long *last_part_len));
+
+_CK_DECLARE_FUNCTION (C_DigestInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism));
+_CK_DECLARE_FUNCTION (C_Digest,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *digest,
+		       unsigned long *digest_len));
+_CK_DECLARE_FUNCTION (C_DigestUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_DigestKey,
+		      (ck_session_handle_t session, ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_DigestFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *digest,
+		       unsigned long *digest_len));
+
+_CK_DECLARE_FUNCTION (C_SignInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Sign,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_SignFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+_CK_DECLARE_FUNCTION (C_SignRecoverInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_SignRecover,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long *signature_len));
+
+_CK_DECLARE_FUNCTION (C_VerifyInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_Verify,
+		      (ck_session_handle_t session,
+		       unsigned char *data, unsigned long data_len,
+		       unsigned char *signature,
+		       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len));
+_CK_DECLARE_FUNCTION (C_VerifyFinal,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long signature_len));
+_CK_DECLARE_FUNCTION (C_VerifyRecoverInit,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t key));
+_CK_DECLARE_FUNCTION (C_VerifyRecover,
+		      (ck_session_handle_t session,
+		       unsigned char *signature,
+		       unsigned long signature_len,
+		       unsigned char *data,
+		       unsigned long *data_len));
+
+_CK_DECLARE_FUNCTION (C_DigestEncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptDigestUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part,
+		       unsigned long *part_len));
+_CK_DECLARE_FUNCTION (C_SignEncryptUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *part, unsigned long part_len,
+		       unsigned char *encrypted_part,
+		       unsigned long *encrypted_part_len));
+_CK_DECLARE_FUNCTION (C_DecryptVerifyUpdate,
+		      (ck_session_handle_t session,
+		       unsigned char *encrypted_part,
+		       unsigned long encrypted_part_len,
+		       unsigned char *part,
+		       unsigned long *part_len));
+
+_CK_DECLARE_FUNCTION (C_GenerateKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       struct ck_attribute *templ,
+		       unsigned long count,
+		       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_GenerateKeyPair,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       struct ck_attribute *public_key_template,
+		       unsigned long public_key_attribute_count,
+		       struct ck_attribute *private_key_template,
+		       unsigned long private_key_attribute_count,
+		       ck_object_handle_t *public_key,
+		       ck_object_handle_t *private_key));
+_CK_DECLARE_FUNCTION (C_WrapKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t wrapping_key,
+		       ck_object_handle_t key,
+		       unsigned char *wrapped_key,
+		       unsigned long *wrapped_key_len));
+_CK_DECLARE_FUNCTION (C_UnwrapKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t unwrapping_key,
+		       unsigned char *wrapped_key,
+		       unsigned long wrapped_key_len,
+		       struct ck_attribute *templ,
+		       unsigned long attribute_count,
+		       ck_object_handle_t *key));
+_CK_DECLARE_FUNCTION (C_DeriveKey,
+		      (ck_session_handle_t session,
+		       struct ck_mechanism *mechanism,
+		       ck_object_handle_t base_key,
+		       struct ck_attribute *templ,
+		       unsigned long attribute_count,
+		       ck_object_handle_t *key));
+
+_CK_DECLARE_FUNCTION (C_SeedRandom,
+		      (ck_session_handle_t session, unsigned char *seed,
+		       unsigned long seed_len));
+_CK_DECLARE_FUNCTION (C_GenerateRandom,
+		      (ck_session_handle_t session,
+		       unsigned char *random_data,
+		       unsigned long random_len));
+
+_CK_DECLARE_FUNCTION (C_GetFunctionStatus, (ck_session_handle_t session));
+_CK_DECLARE_FUNCTION (C_CancelFunction, (ck_session_handle_t session));
+
+
+struct ck_function_list
+{
+  struct ck_version version;
+  CK_C_Initialize C_Initialize;
+  CK_C_Finalize C_Finalize;
+  CK_C_GetInfo C_GetInfo;
+  CK_C_GetFunctionList C_GetFunctionList;
+  CK_C_GetSlotList C_GetSlotList;
+  CK_C_GetSlotInfo C_GetSlotInfo;
+  CK_C_GetTokenInfo C_GetTokenInfo;
+  CK_C_GetMechanismList C_GetMechanismList;
+  CK_C_GetMechanismInfo C_GetMechanismInfo;
+  CK_C_InitToken C_InitToken;
+  CK_C_InitPIN C_InitPIN;
+  CK_C_SetPIN C_SetPIN;
+  CK_C_OpenSession C_OpenSession;
+  CK_C_CloseSession C_CloseSession;
+  CK_C_CloseAllSessions C_CloseAllSessions;
+  CK_C_GetSessionInfo C_GetSessionInfo;
+  CK_C_GetOperationState C_GetOperationState;
+  CK_C_SetOperationState C_SetOperationState;
+  CK_C_Login C_Login;
+  CK_C_Logout C_Logout;
+  CK_C_CreateObject C_CreateObject;
+  CK_C_CopyObject C_CopyObject;
+  CK_C_DestroyObject C_DestroyObject;
+  CK_C_GetObjectSize C_GetObjectSize;
+  CK_C_GetAttributeValue C_GetAttributeValue;
+  CK_C_SetAttributeValue C_SetAttributeValue;
+  CK_C_FindObjectsInit C_FindObjectsInit;
+  CK_C_FindObjects C_FindObjects;
+  CK_C_FindObjectsFinal C_FindObjectsFinal;
+  CK_C_EncryptInit C_EncryptInit;
+  CK_C_Encrypt C_Encrypt;
+  CK_C_EncryptUpdate C_EncryptUpdate;
+  CK_C_EncryptFinal C_EncryptFinal;
+  CK_C_DecryptInit C_DecryptInit;
+  CK_C_Decrypt C_Decrypt;
+  CK_C_DecryptUpdate C_DecryptUpdate;
+  CK_C_DecryptFinal C_DecryptFinal;
+  CK_C_DigestInit C_DigestInit;
+  CK_C_Digest C_Digest;
+  CK_C_DigestUpdate C_DigestUpdate;
+  CK_C_DigestKey C_DigestKey;
+  CK_C_DigestFinal C_DigestFinal;
+  CK_C_SignInit C_SignInit;
+  CK_C_Sign C_Sign;
+  CK_C_SignUpdate C_SignUpdate;
+  CK_C_SignFinal C_SignFinal;
+  CK_C_SignRecoverInit C_SignRecoverInit;
+  CK_C_SignRecover C_SignRecover;
+  CK_C_VerifyInit C_VerifyInit;
+  CK_C_Verify C_Verify;
+  CK_C_VerifyUpdate C_VerifyUpdate;
+  CK_C_VerifyFinal C_VerifyFinal;
+  CK_C_VerifyRecoverInit C_VerifyRecoverInit;
+  CK_C_VerifyRecover C_VerifyRecover;
+  CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
+  CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
+  CK_C_SignEncryptUpdate C_SignEncryptUpdate;
+  CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
+  CK_C_GenerateKey C_GenerateKey;
+  CK_C_GenerateKeyPair C_GenerateKeyPair;
+  CK_C_WrapKey C_WrapKey;
+  CK_C_UnwrapKey C_UnwrapKey;
+  CK_C_DeriveKey C_DeriveKey;
+  CK_C_SeedRandom C_SeedRandom;
+  CK_C_GenerateRandom C_GenerateRandom;
+  CK_C_GetFunctionStatus C_GetFunctionStatus;
+  CK_C_CancelFunction C_CancelFunction;
+  CK_C_WaitForSlotEvent C_WaitForSlotEvent;
+};
+
+
+typedef ck_rv_t (*ck_createmutex_t) (void **mutex);
+typedef ck_rv_t (*ck_destroymutex_t) (void *mutex);
+typedef ck_rv_t (*ck_lockmutex_t) (void *mutex);
+typedef ck_rv_t (*ck_unlockmutex_t) (void *mutex);
+
+
+struct ck_c_initialize_args
+{
+  ck_createmutex_t create_mutex;
+  ck_destroymutex_t destroy_mutex;
+  ck_lockmutex_t lock_mutex;
+  ck_unlockmutex_t unlock_mutex;
+  ck_flags_t flags;
+  void *reserved;
+};
+
+
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS	(1 << 0)
+#define CKF_OS_LOCKING_OK			(1 << 1)
+
+#define CKR_OK					(0)
+#define CKR_CANCEL				(1)
+#define CKR_HOST_MEMORY				(2)
+#define CKR_SLOT_ID_INVALID			(3)
+#define CKR_GENERAL_ERROR			(5)
+#define CKR_FUNCTION_FAILED			(6)
+#define CKR_ARGUMENTS_BAD			(7)
+#define CKR_NO_EVENT				(8)
+#define CKR_NEED_TO_CREATE_THREADS		(9)
+#define CKR_CANT_LOCK				(0xa)
+#define CKR_ATTRIBUTE_READ_ONLY			(0x10)
+#define CKR_ATTRIBUTE_SENSITIVE			(0x11)
+#define CKR_ATTRIBUTE_TYPE_INVALID		(0x12)
+#define CKR_ATTRIBUTE_VALUE_INVALID		(0x13)
+#define CKR_DATA_INVALID			(0x20)
+#define CKR_DATA_LEN_RANGE			(0x21)
+#define CKR_DEVICE_ERROR			(0x30)
+#define CKR_DEVICE_MEMORY			(0x31)
+#define CKR_DEVICE_REMOVED			(0x32)
+#define CKR_ENCRYPTED_DATA_INVALID		(0x40)
+#define CKR_ENCRYPTED_DATA_LEN_RANGE		(0x41)
+#define CKR_FUNCTION_CANCELED			(0x50)
+#define CKR_FUNCTION_NOT_PARALLEL		(0x51)
+#define CKR_FUNCTION_NOT_SUPPORTED		(0x54)
+#define CKR_KEY_HANDLE_INVALID			(0x60)
+#define CKR_KEY_SIZE_RANGE			(0x62)
+#define CKR_KEY_TYPE_INCONSISTENT		(0x63)
+#define CKR_KEY_NOT_NEEDED			(0x64)
+#define CKR_KEY_CHANGED				(0x65)
+#define CKR_KEY_NEEDED				(0x66)
+#define CKR_KEY_INDIGESTIBLE			(0x67)
+#define CKR_KEY_FUNCTION_NOT_PERMITTED		(0x68)
+#define CKR_KEY_NOT_WRAPPABLE			(0x69)
+#define CKR_KEY_UNEXTRACTABLE			(0x6a)
+#define CKR_MECHANISM_INVALID			(0x70)
+#define CKR_MECHANISM_PARAM_INVALID		(0x71)
+#define CKR_OBJECT_HANDLE_INVALID		(0x82)
+#define CKR_OPERATION_ACTIVE			(0x90)
+#define CKR_OPERATION_NOT_INITIALIZED		(0x91)
+#define CKR_PIN_INCORRECT			(0xa0)
+#define CKR_PIN_INVALID				(0xa1)
+#define CKR_PIN_LEN_RANGE			(0xa2)
+#define CKR_PIN_EXPIRED				(0xa3)
+#define CKR_PIN_LOCKED				(0xa4)
+#define CKR_SESSION_CLOSED			(0xb0)
+#define CKR_SESSION_COUNT			(0xb1)
+#define CKR_SESSION_HANDLE_INVALID		(0xb3)
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED	(0xb4)
+#define CKR_SESSION_READ_ONLY			(0xb5)
+#define CKR_SESSION_EXISTS			(0xb6)
+#define CKR_SESSION_READ_ONLY_EXISTS		(0xb7)
+#define CKR_SESSION_READ_WRITE_SO_EXISTS	(0xb8)
+#define CKR_SIGNATURE_INVALID			(0xc0)
+#define CKR_SIGNATURE_LEN_RANGE			(0xc1)
+#define CKR_TEMPLATE_INCOMPLETE			(0xd0)
+#define CKR_TEMPLATE_INCONSISTENT		(0xd1)
+#define CKR_TOKEN_NOT_PRESENT			(0xe0)
+#define CKR_TOKEN_NOT_RECOGNIZED		(0xe1)
+#define CKR_TOKEN_WRITE_PROTECTED		(0xe2)
+#define	CKR_UNWRAPPING_KEY_HANDLE_INVALID	(0xf0)
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE		(0xf1)
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT	(0xf2)
+#define CKR_USER_ALREADY_LOGGED_IN		(0x100)
+#define CKR_USER_NOT_LOGGED_IN			(0x101)
+#define CKR_USER_PIN_NOT_INITIALIZED		(0x102)
+#define CKR_USER_TYPE_INVALID			(0x103)
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN	(0x104)
+#define CKR_USER_TOO_MANY_TYPES			(0x105)
+#define CKR_WRAPPED_KEY_INVALID			(0x110)
+#define CKR_WRAPPED_KEY_LEN_RANGE		(0x112)
+#define CKR_WRAPPING_KEY_HANDLE_INVALID		(0x113)
+#define CKR_WRAPPING_KEY_SIZE_RANGE		(0x114)
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT	(0x115)
+#define CKR_RANDOM_SEED_NOT_SUPPORTED		(0x120)
+#define CKR_RANDOM_NO_RNG			(0x121)
+#define CKR_DOMAIN_PARAMS_INVALID		(0x130)
+#define CKR_BUFFER_TOO_SMALL			(0x150)
+#define CKR_SAVED_STATE_INVALID			(0x160)
+#define CKR_INFORMATION_SENSITIVE		(0x170)
+#define CKR_STATE_UNSAVEABLE			(0x180)
+#define CKR_CRYPTOKI_NOT_INITIALIZED		(0x190)
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED	(0x191)
+#define CKR_MUTEX_BAD				(0x1a0)
+#define CKR_MUTEX_NOT_LOCKED			(0x1a1)
+#define CKR_FUNCTION_REJECTED			(0x200)
+#define CKR_VENDOR_DEFINED			((unsigned long) (1 << 31))
+
+
+
+/* Compatibility layer.  */
+
+#ifdef CRYPTOKI_COMPAT
+
+#undef CK_DEFINE_FUNCTION
+#define CK_DEFINE_FUNCTION(retval, name) retval CK_SPEC name
+
+/* For NULL.  */
+#include <stddef.h>
+
+typedef unsigned char CK_BYTE;
+typedef unsigned char CK_CHAR;
+typedef unsigned char CK_UTF8CHAR;
+typedef unsigned char CK_BBOOL;
+typedef unsigned long int CK_ULONG;
+typedef long int CK_LONG;
+typedef CK_BYTE *CK_BYTE_PTR;
+typedef CK_CHAR *CK_CHAR_PTR;
+typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR;
+typedef CK_ULONG *CK_ULONG_PTR;
+typedef void *CK_VOID_PTR;
+typedef void **CK_VOID_PTR_PTR;
+#define CK_FALSE 0
+#define CK_TRUE 1
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE 0
+#endif
+#ifndef TRUE
+#define TRUE 1
+#endif
+#endif
+
+typedef struct ck_version CK_VERSION;
+typedef struct ck_version *CK_VERSION_PTR;
+
+typedef struct ck_info CK_INFO;
+typedef struct ck_info *CK_INFO_PTR;
+
+typedef ck_slot_id_t *CK_SLOT_ID_PTR;
+
+typedef struct ck_slot_info CK_SLOT_INFO;
+typedef struct ck_slot_info *CK_SLOT_INFO_PTR;
+
+typedef struct ck_token_info CK_TOKEN_INFO;
+typedef struct ck_token_info *CK_TOKEN_INFO_PTR;
+
+typedef ck_session_handle_t *CK_SESSION_HANDLE_PTR;
+
+typedef struct ck_session_info CK_SESSION_INFO;
+typedef struct ck_session_info *CK_SESSION_INFO_PTR;
+
+typedef ck_object_handle_t *CK_OBJECT_HANDLE_PTR;
+
+typedef ck_object_class_t *CK_OBJECT_CLASS_PTR;
+
+typedef struct ck_attribute CK_ATTRIBUTE;
+typedef struct ck_attribute *CK_ATTRIBUTE_PTR;
+
+typedef struct ck_date CK_DATE;
+typedef struct ck_date *CK_DATE_PTR;
+
+typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;
+
+typedef struct ck_mechanism CK_MECHANISM;
+typedef struct ck_mechanism *CK_MECHANISM_PTR;
+
+typedef struct ck_mechanism_info CK_MECHANISM_INFO;
+typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
+
+typedef struct ck_function_list CK_FUNCTION_LIST;
+typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
+typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
+
+typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
+typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
+
+#define NULL_PTR NULL
+
+/* Delete the helper macros defined at the top of the file.  */
+#undef ck_flags_t
+#undef ck_version
+
+#undef ck_info
+#undef cryptoki_version
+#undef manufacturer_id
+#undef library_description
+#undef library_version
+
+#undef ck_notification_t
+#undef ck_slot_id_t
+
+#undef ck_slot_info
+#undef slot_description
+#undef hardware_version
+#undef firmware_version
+
+#undef ck_token_info
+#undef serial_number
+#undef max_session_count
+#undef session_count
+#undef max_rw_session_count
+#undef rw_session_count
+#undef max_pin_len
+#undef min_pin_len
+#undef total_public_memory
+#undef free_public_memory
+#undef total_private_memory
+#undef free_private_memory
+#undef utc_time
+
+#undef ck_session_handle_t
+#undef ck_user_type_t
+#undef ck_state_t
+
+#undef ck_session_info
+#undef slot_id
+#undef device_error
+
+#undef ck_object_handle_t
+#undef ck_object_class_t
+#undef ck_hw_feature_type_t
+#undef ck_key_type_t
+#undef ck_certificate_type_t
+#undef ck_attribute_type_t
+
+#undef ck_attribute
+#undef value
+#undef value_len
+
+#undef ck_date
+
+#undef ck_mechanism_type_t
+
+#undef ck_mechanism
+#undef parameter
+#undef parameter_len
+
+#undef ck_mechanism_info
+#undef min_key_size
+#undef max_key_size
+
+#undef ck_rv_t
+#undef ck_notify_t
+
+#undef ck_function_list
+
+#undef ck_createmutex_t
+#undef ck_destroymutex_t
+#undef ck_lockmutex_t
+#undef ck_unlockmutex_t
+
+#undef ck_c_initialize_args
+#undef create_mutex
+#undef destroy_mutex
+#undef lock_mutex
+#undef unlock_mutex
+#undef reserved
+
+#endif	/* CRYPTOKI_COMPAT */
+
+
+/* System dependencies.  */
+#if defined(_WIN32) || defined(CRYPTOKI_FORCE_WIN32)
+#pragma pack(pop, cryptoki)
+#endif
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif	/* PKCS11_H */
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
new file mode 100644
index 000000000..1b1448c6a
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_creds.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+
+typedef struct private_pkcs11_creds_t private_pkcs11_creds_t;
+
+/**
+ * Private data of an pkcs11_creds_t object.
+ */
+struct private_pkcs11_creds_t {
+
+	/**
+	 * Public pkcs11_creds_t interface.
+	 */
+	pkcs11_creds_t public;
+
+	/**
+	 * PKCS# library
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Token slot
+	 */
+	CK_SLOT_ID slot;
+
+	/**
+	 * List of trusted certificates
+	 */
+	linked_list_t *trusted;
+
+	/**
+	 * List of untrusted certificates
+	 */
+	linked_list_t *untrusted;
+};
+
+/**
+ * Find certificates, optionally trusted
+ */
+static void find_certificates(private_pkcs11_creds_t *this,
+							  CK_SESSION_HANDLE session, CK_BBOOL trusted)
+{
+	CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+	CK_CERTIFICATE_TYPE type = CKC_X_509;
+	CK_ATTRIBUTE tmpl[] = {
+		{CKA_CLASS, &class, sizeof(class)},
+		{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+		{CKA_TRUSTED, &trusted, sizeof(trusted)},
+	};
+	CK_OBJECT_HANDLE object;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_VALUE, NULL, 0},
+		{CKA_LABEL, NULL, 0},
+	};
+	enumerator_t *enumerator;
+	linked_list_t *raw;
+	certificate_t *cert;
+	struct {
+		chunk_t value;
+		chunk_t label;
+	} *entry;
+
+	raw = linked_list_create();
+	enumerator = this->lib->create_object_enumerator(this->lib,
+							session, tmpl, countof(tmpl), attr, countof(attr));
+	while (enumerator->enumerate(enumerator, &object))
+	{
+		entry = malloc(sizeof(*entry));
+		entry->value = chunk_clone(
+							chunk_create(attr[0].pValue, attr[0].ulValueLen));
+		entry->label = chunk_clone(
+							chunk_create(attr[1].pValue, attr[1].ulValueLen));
+		raw->insert_last(raw, entry);
+	}
+	enumerator->destroy(enumerator);
+
+	while (raw->remove_first(raw, (void**)&entry) == SUCCESS)
+	{
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							BUILD_BLOB_ASN1_DER, entry->value,
+							BUILD_END);
+		if (cert)
+		{
+			DBG1(DBG_CFG, "    loaded %strusted cert '%.*s'",
+				 trusted ? "" : "un", entry->label.len, entry->label.ptr);
+			/* trusted certificates are also returned as untrusted */
+			this->untrusted->insert_last(this->untrusted, cert);
+			if (trusted)
+			{
+				this->trusted->insert_last(this->trusted, cert->get_ref(cert));
+			}
+		}
+		else
+		{
+			DBG1(DBG_CFG, "    loading cert '%.*s' failed",
+				 entry->label.len, entry->label.ptr);
+		}
+		free(entry->value.ptr);
+		free(entry->label.ptr);
+		free(entry);
+	}
+	raw->destroy(raw);
+}
+
+/**
+ * Load in the certificates from the token
+ */
+static bool load_certificates(private_pkcs11_creds_t *this)
+{
+	CK_SESSION_HANDLE session;
+	CK_RV rv;
+
+	rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION,
+									 NULL, NULL, &session);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "opening session failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+
+	find_certificates(this, session, CK_TRUE);
+	find_certificates(this, session, CK_FALSE);
+
+	this->lib->f->C_CloseSession(session);
+	return TRUE;
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool certs_filter(identification_t *id,
+						 certificate_t **in, certificate_t **out)
+{
+	public_key_t *public;
+	certificate_t *cert = *in;
+
+	if (id == NULL || cert->has_subject(cert, id))
+	{
+		*out = *in;
+		return TRUE;
+	}
+	public = cert->get_public_key(cert);
+	if (public)
+	{
+		if (public->has_fingerprint(public, id->get_encoding(id)))
+		{
+			public->destroy(public);
+			*out = *in;
+			return TRUE;
+		}
+		public->destroy(public);
+	}
+	return FALSE;
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+	private_pkcs11_creds_t *this, certificate_type_t cert, key_type_t key,
+	identification_t *id, bool trusted)
+{
+	enumerator_t *inner;
+
+	if (cert != CERT_X509 && cert != CERT_ANY)
+	{
+		return NULL;
+	}
+	if (trusted)
+	{
+		inner = this->trusted->create_enumerator(this->trusted);
+	}
+	else
+	{
+		inner = this->untrusted->create_enumerator(this->untrusted);
+	}
+	return enumerator_create_filter(inner, (void*)certs_filter, id, NULL);
+}
+
+METHOD(pkcs11_creds_t, get_library, pkcs11_library_t*,
+	private_pkcs11_creds_t *this)
+{
+	return this->lib;
+}
+
+METHOD(pkcs11_creds_t, get_slot, CK_SLOT_ID,
+	private_pkcs11_creds_t *this)
+{
+	return this->slot;
+}
+
+METHOD(pkcs11_creds_t, destroy, void,
+	private_pkcs11_creds_t *this)
+{
+	this->trusted->destroy_offset(this->trusted,
+								offsetof(certificate_t, destroy));
+	this->untrusted->destroy_offset(this->untrusted,
+								offsetof(certificate_t, destroy));
+	free(this);
+}
+
+/**
+ * See header
+ */
+pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot)
+{
+	private_pkcs11_creds_t *this;
+
+	INIT(this,
+		.public = {
+			.set = {
+				.create_shared_enumerator = (void*)enumerator_create_empty,
+				.create_private_enumerator = (void*)enumerator_create_empty,
+				.create_cert_enumerator = _create_cert_enumerator,
+				.create_cdp_enumerator  = (void*)enumerator_create_empty,
+				.cache_cert = (void*)nop,
+			},
+			.get_library = _get_library,
+			.get_slot = _get_slot,
+			.destroy = _destroy,
+		},
+		.lib = p11,
+		.slot = slot,
+		.trusted = linked_list_create(),
+		.untrusted = linked_list_create(),
+	);
+
+	if (!load_certificates(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
new file mode 100644
index 000000000..c40a8dea6
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_creds pkcs11_creds
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_CREDS_H_
+#define PKCS11_CREDS_H_
+
+typedef struct pkcs11_creds_t pkcs11_creds_t;
+
+#include "pkcs11_library.h"
+
+#include <credentials/credential_manager.h>
+
+/**
+ * Credential set on top on a PKCS#11 token.
+ */
+struct pkcs11_creds_t {
+
+	/**
+	 * Implements credential_set_t.
+	 */
+	credential_set_t set;
+
+	/**
+	 * Get the PKCS#11 library this set uses.
+	 *
+	 * @return		library
+	 */
+	pkcs11_library_t* (*get_library)(pkcs11_creds_t *this);
+
+	/**
+	 * Get the slot of the token this set uses.
+	 *
+	 * @return		slot
+	 */
+	CK_SLOT_ID (*get_slot)(pkcs11_creds_t *this);
+
+	/**
+	 * Destroy a pkcs11_creds_t.
+	 */
+	void (*destroy)(pkcs11_creds_t *this);
+};
+
+/**
+ * Create a pkcs11_creds instance.
+ *
+ * @param p11			loaded PKCS#11 library
+ * @param slot			slot of the token we hand out credentials
+ */
+pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot);
+
+#endif /** PKCS11_CREDS_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
new file mode 100644
index 000000000..6d327be40
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
@@ -0,0 +1,323 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_hasher.h"
+
+#include <unistd.h>
+
+#include <debug.h>
+#include <threading/mutex.h>
+
+#include "pkcs11_manager.h"
+
+typedef struct private_pkcs11_hasher_t private_pkcs11_hasher_t;
+
+/**
+ * Private data of an pkcs11_hasher_t object.
+ */
+struct private_pkcs11_hasher_t {
+
+	/**
+	 * Public pkcs11_hasher_t interface.
+	 */
+	pkcs11_hasher_t public;
+
+	/**
+	 * PKCS#11 library
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Mechanism for this hasher
+	 */
+	CK_MECHANISM_PTR mech;
+
+	/**
+	 * Token session
+	 */
+	CK_SESSION_HANDLE session;
+
+	/**
+	 * size of the hash
+	 */
+	size_t size;
+
+	/**
+	 * Mutex to lock the tokens hashing engine
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * do we have an initialized state?
+	 */
+	bool have_state;
+
+	/**
+	 * state buffer
+	 */
+	CK_BYTE_PTR state;
+
+	/**
+	 * Length of the state buffer
+	 */
+	CK_ULONG state_len;
+};
+
+METHOD(hasher_t, get_hash_size, size_t,
+	private_pkcs11_hasher_t *this)
+{
+	return this->size;
+}
+
+/**
+ * Save the Operation state to host memory
+ */
+static void save_state(private_pkcs11_hasher_t *this)
+{
+	CK_RV rv;
+
+	while (TRUE)
+	{
+		if (!this->state)
+		{
+			rv = this->lib->f->C_GetOperationState(this->session, NULL,
+												   &this->state_len);
+			if (rv != CKR_OK)
+			{
+				break;
+			}
+			this->state = malloc(this->state_len);
+		}
+		rv = this->lib->f->C_GetOperationState(this->session, this->state,
+											   &this->state_len);
+		switch (rv)
+		{
+			case CKR_BUFFER_TOO_SMALL:
+				free(this->state);
+				this->state = NULL;
+				continue;
+			case CKR_OK:
+				this->have_state = TRUE;
+				return;
+			default:
+				break;
+		}
+		break;
+	}
+	DBG1(DBG_CFG, "C_GetOperationState() failed: %N", ck_rv_names, rv);
+	abort();
+}
+
+/**
+ * Load the Operation state from host memory
+ */
+static void load_state(private_pkcs11_hasher_t *this)
+{
+	CK_RV rv;
+
+	rv = this->lib->f->C_SetOperationState(this->session, this->state,
+						this->state_len, CK_INVALID_HANDLE, CK_INVALID_HANDLE);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_SetOperationState() failed: %N", ck_rv_names, rv);
+		abort();
+	}
+	this->have_state = FALSE;
+}
+
+METHOD(hasher_t, reset, void,
+	private_pkcs11_hasher_t *this)
+{
+	this->have_state = FALSE;
+}
+
+METHOD(hasher_t, get_hash, void,
+	private_pkcs11_hasher_t *this, chunk_t chunk, u_int8_t *hash)
+{
+	CK_RV rv;
+	CK_ULONG len;
+
+	this->mutex->lock(this->mutex);
+	if (this->have_state)
+	{
+		load_state(this);
+	}
+	else
+	{
+		rv = this->lib->f->C_DigestInit(this->session, this->mech);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_DigestInit() failed: %N", ck_rv_names, rv);
+			abort();
+		}
+	}
+	if (chunk.len)
+	{
+		rv = this->lib->f->C_DigestUpdate(this->session, chunk.ptr, chunk.len);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_DigestUpdate() failed: %N", ck_rv_names, rv);
+			abort();
+		}
+	}
+	if (hash)
+	{
+		len = this->size;
+		rv = this->lib->f->C_DigestFinal(this->session,
+								hash, &len);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_DigestFinal() failed: %N", ck_rv_names, rv);
+			abort();
+		}
+	}
+	else
+	{
+		save_state(this);
+	}
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(hasher_t, allocate_hash, void,
+	private_pkcs11_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+	if (hash)
+	{
+		*hash = chunk_alloc(this->size);
+		get_hash(this, chunk, hash->ptr);
+	}
+	else
+	{
+		get_hash(this, chunk, NULL);
+	}
+}
+
+METHOD(hasher_t, destroy, void,
+	private_pkcs11_hasher_t *this)
+{
+	this->lib->f->C_CloseSession(this->session);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/**
+ * Get the Cryptoki mechanism for a hash algorithm
+ */
+static CK_MECHANISM_PTR algo_to_mechanism(hash_algorithm_t algo, size_t *size)
+{
+	static struct {
+		hash_algorithm_t algo;
+		CK_MECHANISM mechanism;
+		size_t size;
+	} mappings[] = {
+		{HASH_MD2,		{CKM_MD2,		NULL, 0},	HASH_SIZE_MD2},
+		{HASH_MD5,		{CKM_MD5,		NULL, 0},	HASH_SIZE_MD5},
+		{HASH_SHA1,		{CKM_SHA_1,		NULL, 0},	HASH_SIZE_SHA1},
+		{HASH_SHA256,	{CKM_SHA256,	NULL, 0},	HASH_SIZE_SHA256},
+		{HASH_SHA384,	{CKM_SHA384,	NULL, 0},	HASH_SIZE_SHA384},
+		{HASH_SHA512,	{CKM_SHA512,	NULL, 0},	HASH_SIZE_SHA512},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
+	{
+		if (mappings[i].algo == algo)
+		{
+			*size = mappings[i].size;
+			return &mappings[i].mechanism;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Find a token we can use for a hash algorithm
+ */
+static pkcs11_library_t* find_token(hash_algorithm_t algo,
+			CK_SESSION_HANDLE *session, CK_MECHANISM_PTR *mout, size_t *size)
+{
+	enumerator_t *tokens, *mechs;
+	pkcs11_manager_t *manager;
+	pkcs11_library_t *current, *found = NULL;
+	CK_MECHANISM_TYPE type;
+	CK_MECHANISM_PTR mech;
+	CK_SLOT_ID slot;
+
+	mech = algo_to_mechanism(algo, size);
+	if (!mech)
+	{
+		return NULL;
+	}
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+	tokens = manager->create_token_enumerator(manager);
+	while (tokens->enumerate(tokens, &current, &slot))
+	{
+		mechs = current->create_mechanism_enumerator(current, slot);
+		while (mechs->enumerate(mechs, &type, NULL))
+		{
+			if (type == mech->mechanism)
+			{
+				if (current->f->C_OpenSession(slot, CKF_SERIAL_SESSION,
+											  NULL, NULL, session) == CKR_OK)
+				{
+					found = current;
+					*mout = mech;
+					break;
+				}
+			}
+		}
+		mechs->destroy(mechs);
+		if (found)
+		{
+			break;
+		}
+	}
+	tokens->destroy(tokens);
+	return found;
+}
+
+/**
+ * See header
+ */
+pkcs11_hasher_t *pkcs11_hasher_create(hash_algorithm_t algo)
+{
+	private_pkcs11_hasher_t *this;
+
+	INIT(this,
+		.public = {
+			.hasher = {
+				.get_hash_size = _get_hash_size,
+				.reset = _reset,
+				.get_hash = _get_hash,
+				.allocate_hash = _allocate_hash,
+				.destroy = _destroy,
+			},
+		},
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	this->lib = find_token(algo, &this->session, &this->mech, &this->size);
+	if (!this->lib)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h
new file mode 100644
index 000000000..9c55d463e
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_hasher pkcs11_hasher
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_HASHER_H_
+#define PKCS11_HASHER_H_
+
+#include <crypto/hashers/hasher.h>
+
+typedef struct pkcs11_hasher_t pkcs11_hasher_t;
+
+/**
+ * Hash implementation using a PKCS#11 token.
+ */
+struct pkcs11_hasher_t {
+
+	/**
+	 * Implements hasher_t interface.
+	 */
+	hasher_t hasher;
+};
+
+/**
+ * Creates a PKCS#11 based hasher.
+ *
+ * @param algo		hash algorithm
+ * @return			hasher, NULL if not supported
+ */
+pkcs11_hasher_t *pkcs11_hasher_create(hash_algorithm_t algo);
+
+#endif /** PKCS11_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
new file mode 100644
index 000000000..9fb1b7769
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -0,0 +1,869 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_library.h"
+
+#include <dlfcn.h>
+
+#include <library.h>
+#include <debug.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+
+typedef struct private_pkcs11_library_t private_pkcs11_library_t;
+
+
+ENUM_BEGIN(ck_rv_names, CKR_OK, CKR_CANT_LOCK,
+	"OK",
+	"CANCEL",
+	"HOST_MEMORY",
+	"SLOT_ID_INVALID",
+	"(0x04)",
+	"GENERAL_ERROR",
+	"FUNCTION_FAILED",
+	"ARGUMENTS_BAD",
+	"NO_EVENT",
+	"NEED_TO_CREATE_THREADS",
+	"CANT_LOCK");
+ENUM_NEXT(ck_rv_names, CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID,
+		CKR_CANT_LOCK,
+	"ATTRIBUTE_READ_ONLY",
+	"ATTRIBUTE_SENSITIVE",
+	"ATTRIBUTE_TYPE_INVALID",
+	"ATTRIBUTE_VALUE_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_DATA_INVALID, CKR_DATA_LEN_RANGE,
+		CKR_ATTRIBUTE_VALUE_INVALID,
+	"DATA_INVALID"
+	"DATA_LEN_RANGE");
+ENUM_NEXT(ck_rv_names, CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED,
+		CKR_DATA_LEN_RANGE,
+	"DEVICE_ERROR",
+	"DEVICE_MEMORY",
+	"DEVICE_REMOVED");
+ENUM_NEXT(ck_rv_names, CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE,
+		CKR_DEVICE_REMOVED,
+	"ENCRYPTED_DATA_INVALID",
+	"ENCRYPTED_DATA_LEN_RANGE");
+ENUM_NEXT(ck_rv_names, CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED,
+		CKR_ENCRYPTED_DATA_LEN_RANGE,
+	"FUNCTION_CANCELED",
+	"FUNCTION_NOT_PARALLEL",
+	"(0x52)",
+	"(0x53)",
+	"FUNCTION_NOT_SUPPORTED");
+ENUM_NEXT(ck_rv_names, CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE,
+		CKR_FUNCTION_NOT_SUPPORTED,
+	"KEY_HANDLE_INVALID",
+	"(0x61)",
+	"KEY_SIZE_RANGE",
+	"KEY_TYPE_INCONSISTENT",
+	"KEY_NOT_NEEDED",
+	"KEY_CHANGED",
+	"KEY_NEEDED",
+	"KEY_INDIGESTIBLE",
+	"KEY_FUNCTION_NOT_PERMITTED",
+	"KEY_NOT_WRAPPABLE",
+	"KEY_UNEXTRACTABLE");
+ENUM_NEXT(ck_rv_names, CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID,
+		CKR_KEY_UNEXTRACTABLE,
+	"MECHANISM_INVALID",
+	"MECHANISM_PARAM_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID,
+		CKR_MECHANISM_PARAM_INVALID,
+	"OBJECT_HANDLE_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED,
+		CKR_OBJECT_HANDLE_INVALID,
+	"OPERATION_ACTIVE",
+	"OPERATION_NOT_INITIALIZED");
+ENUM_NEXT(ck_rv_names, CKR_PIN_INCORRECT, CKR_PIN_LOCKED,
+		CKR_OPERATION_NOT_INITIALIZED,
+	"PIN_INCORRECT",
+	"PIN_INVALID",
+	"PIN_LEN_RANGE",
+	"PIN_EXPIRED",
+	"PIN_LOCKED");
+ENUM_NEXT(ck_rv_names, CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS,
+		CKR_PIN_LOCKED,
+	"SESSION_CLOSED",
+	"SESSION_COUNT",
+	"(0xb2)",
+	"SESSION_HANDLE_INVALID",
+	"SESSION_PARALLEL_NOT_SUPPORTED",
+	"SESSION_READ_ONLY",
+	"SESSION_EXISTS",
+	"SESSION_READ_ONLY_EXISTS",
+	"SESSION_READ_WRITE_SO_EXISTS");
+ENUM_NEXT(ck_rv_names, CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE,
+		CKR_SESSION_READ_WRITE_SO_EXISTS,
+	"SIGNATURE_INVALID",
+	"SIGNATURE_LEN_RANGE");
+ENUM_NEXT(ck_rv_names, CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT,
+		CKR_SIGNATURE_LEN_RANGE,
+	"TEMPLATE_INCOMPLETE",
+	"TEMPLATE_INCONSISTENT",
+);
+ENUM_NEXT(ck_rv_names, CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED,
+		CKR_TEMPLATE_INCONSISTENT,
+	"TOKEN_NOT_PRESENT",
+	"TOKEN_NOT_RECOGNIZED",
+	"TOKEN_WRITE_PROTECTED");
+ENUM_NEXT(ck_rv_names, CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT,
+		CKR_TOKEN_WRITE_PROTECTED,
+	"UNWRAPPING_KEY_HANDLE_INVALID",
+	"UNWRAPPING_KEY_SIZE_RANGE",
+	"UNWRAPPING_KEY_TYPE_INCONSISTENT");
+ENUM_NEXT(ck_rv_names, CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES,
+		CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT,
+	"USER_ALREADY_LOGGED_IN",
+	"USER_NOT_LOGGED_IN",
+	"USER_PIN_NOT_INITIALIZED",
+	"USER_TYPE_INVALID",
+	"USER_ANOTHER_ALREADY_LOGGED_IN",
+	"USER_TOO_MANY_TYPES");
+ENUM_NEXT(ck_rv_names, CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT,
+		CKR_USER_TOO_MANY_TYPES,
+	"WRAPPED_KEY_INVALID",
+	"(0x111)",
+	"WRAPPED_KEY_LEN_RANGE",
+	"WRAPPING_KEY_HANDLE_INVALID",
+	"WRAPPING_KEY_SIZE_RANGE",
+	"WRAPPING_KEY_TYPE_INCONSISTENT");
+ENUM_NEXT(ck_rv_names, CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG,
+		CKR_WRAPPING_KEY_TYPE_INCONSISTENT,
+	"RANDOM_SEED_NOT_SUPPORTED",
+	"RANDOM_NO_RNG");
+ENUM_NEXT(ck_rv_names, CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID,
+		CKR_RANDOM_NO_RNG,
+	"DOMAIN_PARAMS_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL,
+		CKR_DOMAIN_PARAMS_INVALID,
+	"BUFFER_TOO_SMALL");
+ENUM_NEXT(ck_rv_names, CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID,
+		CKR_BUFFER_TOO_SMALL,
+	"SAVED_STATE_INVALID");
+ENUM_NEXT(ck_rv_names, CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE,
+		CKR_SAVED_STATE_INVALID,
+	"INFORMATION_SENSITIVE");
+ENUM_NEXT(ck_rv_names, CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE,
+		CKR_INFORMATION_SENSITIVE,
+	"STATE_UNSAVEABLE");
+ENUM_NEXT(ck_rv_names, CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED,
+		CKR_STATE_UNSAVEABLE,
+	"CRYPTOKI_NOT_INITIALIZED",
+	"CRYPTOKI_ALREADY_INITIALIZED");
+ENUM_NEXT(ck_rv_names, CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED,
+		CKR_CRYPTOKI_ALREADY_INITIALIZED,
+	"MUTEX_BAD",
+	"MUTEX_NOT_LOCKED");
+ENUM_NEXT(ck_rv_names, CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED,
+		CKR_MUTEX_NOT_LOCKED,
+	"FUNCTION_REJECTED");
+ENUM_END(ck_rv_names, CKR_FUNCTION_REJECTED);
+
+
+ENUM_BEGIN(ck_mech_names, CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_DSA_SHA1,
+	"RSA_PKCS_KEY_PAIR_GEN",
+	"RSA_PKCS",
+	"RSA_9796",
+	"RSA_X_509",
+	"MD2_RSA_PKCS",
+	"MD5_RSA_PKCS",
+	"SHA1_RSA_PKCS",
+	"RIPEMD128_RSA_PKCS",
+	"RIPEMD160_RSA_PKCS",
+	"RSA_PKCS_OAEP",
+	"RSA_X9_31_KEY_PAIR_GEN",
+	"RSA_X9_31",
+	"SHA1_RSA_X9_31",
+	"RSA_PKCS_PSS",
+	"SHA1_RSA_PKCS_PSS",
+	"(0xf)",
+	"DSA_KEY_PAIR_GEN",
+	"DSA",
+	"DSA_SHA1");
+ENUM_NEXT(ck_mech_names, CKM_DH_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_DERIVE,
+		CKM_DSA_SHA1,
+	"DH_PKCS_KEY_PAIR_GEN",
+	"DH_PKCS_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_MQV_DERIVE,
+		CKM_DH_PKCS_DERIVE,
+	"X9_42_DH_KEY_PAIR_GEN",
+	"X9_42_DH_DERIVE",
+	"X9_42_DH_HYBRID_DERIVE",
+	"X9_42_MQV_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_SHA256_RSA_PKCS, CKM_SHA512_RSA_PKCS_PSS,
+		CKM_X9_42_MQV_DERIVE,
+	"SHA256_RSA_PKCS",
+	"SHA384_RSA_PKCS",
+	"SHA512_RSA_PKCS",
+	"SHA256_RSA_PKCS_PSS",
+	"SHA384_RSA_PKCS_PSS",
+	"SHA512_RSA_PKCS_PSS");
+ENUM_NEXT(ck_mech_names, CKM_RC2_KEY_GEN, CKM_RC2_CBC_PAD,
+		CKM_SHA512_RSA_PKCS_PSS,
+	"RC2_KEY_GEN",
+	"RC2_ECB",
+	"RC2_CBC",
+	"RC2_MAC",
+	"RC2_MAC_GENERAL",
+	"RC2_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_RC4_KEY_GEN, CKM_RC4,
+		CKM_RC2_CBC_PAD,
+	"RC4_KEY_GEN",
+	"RC4");
+ENUM_NEXT(ck_mech_names, CKM_DES_KEY_GEN, CKM_DES_CBC_PAD,
+		CKM_RC4,
+	"DES_KEY_GEN",
+	"DES_ECB",
+	"DES_CBC",
+	"DES_MAC",
+	"DES_MAC_GENERAL",
+	"DES_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_DES2_KEY_GEN, CKM_DES3_CBC_PAD,
+		CKM_DES_CBC_PAD,
+	"DES2_KEY_GEN",
+	"DES3_KEY_GEN",
+	"DES3_ECB",
+	"DES3_CBC",
+	"DES3_MAC",
+	"DES3_MAC_GENERAL",
+	"DES3_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_CDMF_KEY_GEN, CKM_CDMF_CBC_PAD,
+		CKM_DES3_CBC_PAD,
+	"CDMF_KEY_GEN",
+	"CDMF_ECB",
+	"CDMF_CBC",
+	"CDMF_MAC",
+	"CDMF_MAC_GENERAL",
+	"CDMF_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_MD2, CKM_MD2_HMAC_GENERAL,
+		CKM_CDMF_CBC_PAD,
+	"MD2",
+	"MD2_HMAC",
+	"MD2_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_MD5, CKM_MD5_HMAC_GENERAL,
+		CKM_MD2_HMAC_GENERAL,
+	"MD5",
+	"MD5_HMAC",
+	"MD5_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA_1, CKM_SHA_1_HMAC_GENERAL,
+		CKM_MD5_HMAC_GENERAL,
+	"SHA_1",
+	"SHA_1_HMAC",
+	"SHA_1_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_RIPEMD128, CKM_RIPEMD128_HMAC_GENERAL,
+		CKM_SHA_1_HMAC_GENERAL,
+	"RIPEMD128",
+	"RIPEMD128_HMAC",
+	"RIPEMD128_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_RIPEMD160, CKM_RIPEMD160_HMAC_GENERAL,
+		CKM_RIPEMD128_HMAC_GENERAL,
+	"RIPEMD160",
+	"RIPEMD160_HMAC",
+	"RIPEMD160_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA256, CKM_SHA256_HMAC_GENERAL,
+		CKM_RIPEMD160_HMAC_GENERAL,
+	"SHA256",
+	"SHA256_HMAC",
+	"SHA256_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA384, CKM_SHA384_HMAC_GENERAL,
+		CKM_SHA256_HMAC_GENERAL,
+	"SHA384",
+	"SHA384_HMAC",
+	"SHA384_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_SHA512, CKM_SHA512_HMAC_GENERAL,
+		CKM_SHA384_HMAC_GENERAL	,
+	"SHA512",
+	"SHA512_HMAC",
+	"SHA512_HMAC_GENERAL");
+ENUM_NEXT(ck_mech_names, CKM_CAST_KEY_GEN, CKM_CAST_CBC_PAD,
+		CKM_SHA512_HMAC_GENERAL,
+	"CAST_KEY_GEN",
+	"CAST_ECB",
+	"CAST_CBC",
+	"CAST_MAC",
+	"CAST_MAC_GENERAL",
+	"CAST_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_CAST3_KEY_GEN, CKM_CAST3_CBC_PAD,
+		CKM_CAST_CBC_PAD,
+	"CAST3_KEY_GEN",
+	"CAST3_ECB",
+	"CAST3_CBC",
+	"CAST3_MAC",
+	"CAST3_MAC_GENERAL",
+	"CAST3_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_CAST128_KEY_GEN, CKM_CAST128_CBC_PAD,
+		CKM_CAST3_CBC_PAD,
+	"CAST128_KEY_GEN",
+	"CAST128_ECB",
+	"CAST128_CBC",
+	"CAST128_MAC",
+	"CAST128_MAC_GENERAL",
+	"CAST128_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_RC5_KEY_GEN, CKM_RC5_CBC_PAD,
+		CKM_CAST128_CBC_PAD,
+	"RC5_KEY_GEN",
+	"RC5_ECB",
+	"RC5_CBC",
+	"RC5_MAC",
+	"RC5_MAC_GENERAL",
+	"RC5_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_IDEA_KEY_GEN, CKM_IDEA_CBC_PAD,
+		CKM_RC5_CBC_PAD,
+	"IDEA_KEY_GEN",
+	"IDEA_ECB",
+	"IDEA_CBC",
+	"IDEA_MAC",
+	"IDEA_MAC_GENERAL",
+	"IDEA_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_GENERIC_SECRET_KEY_GEN, CKM_GENERIC_SECRET_KEY_GEN,
+		CKM_IDEA_CBC_PAD,
+	"GENERIC_SECRET_KEY_GEN");
+ENUM_NEXT(ck_mech_names, CKM_CONCATENATE_BASE_AND_KEY, CKM_EXTRACT_KEY_FROM_KEY,
+		CKM_GENERIC_SECRET_KEY_GEN,
+	"CONCATENATE_BASE_AND_KEY",
+	"(0x361)",
+	"CONCATENATE_BASE_AND_DATA",
+	"CONCATENATE_DATA_AND_BASE",
+	"XOR_BASE_AND_DATA",
+	"EXTRACT_KEY_FROM_KEY");
+ENUM_NEXT(ck_mech_names, CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_MASTER_KEY_DERIVE_DH,
+		CKM_EXTRACT_KEY_FROM_KEY,
+	"SSL3_PRE_MASTER_KEY_GEN",
+	"SSL3_MASTER_KEY_DERIVE",
+	"SSL3_KEY_AND_MAC_DERIVE",
+	"SSL3_MASTER_KEY_DERIVE_DH",
+	"TLS_PRE_MASTER_KEY_GEN",
+	"TLS_MASTER_KEY_DERIVE",
+	"TLS_KEY_AND_MAC_DERIVE",
+	"TLS_MASTER_KEY_DERIVE_DH");
+ENUM_NEXT(ck_mech_names, CKM_SSL3_MD5_MAC, CKM_SSL3_SHA1_MAC,
+		CKM_TLS_MASTER_KEY_DERIVE_DH,
+	"SSL3_MD5_MAC",
+	"SSL3_SHA1_MAC");
+ENUM_NEXT(ck_mech_names, CKM_MD5_KEY_DERIVATION, CKM_SHA1_KEY_DERIVATION,
+		CKM_SSL3_SHA1_MAC,
+	"MD5_KEY_DERIVATION",
+	"MD2_KEY_DERIVATION",
+	"SHA1_KEY_DERIVATION");
+ENUM_NEXT(ck_mech_names, CKM_PBE_MD2_DES_CBC, CKM_PBE_SHA1_RC2_40_CBC,
+		CKM_SHA1_KEY_DERIVATION,
+	"PBE_MD2_DES_CBC",
+	"PBE_MD5_DES_CBC",
+	"PBE_MD5_CAST_CBC",
+	"PBE_MD5_CAST3_CBC",
+	"PBE_MD5_CAST128_CBC",
+	"PBE_SHA1_CAST128_CBC",
+	"PBE_SHA1_RC4_128",
+	"PBE_SHA1_RC4_40",
+	"PBE_SHA1_DES3_EDE_CBC",
+	"PBE_SHA1_DES2_EDE_CBC",
+	"PBE_SHA1_RC2_128_CBC",
+	"PBE_SHA1_RC2_40_CBC");
+ENUM_NEXT(ck_mech_names, CKM_PKCS5_PBKD2, CKM_PKCS5_PBKD2,
+		CKM_PBE_SHA1_RC2_40_CBC,
+	"PKCS5_PBKD2");
+ENUM_NEXT(ck_mech_names, CKM_PBA_SHA1_WITH_SHA1_HMAC, CKM_PBA_SHA1_WITH_SHA1_HMAC,
+		CKM_PKCS5_PBKD2,
+	"PBA_SHA1_WITH_SHA1_HMAC");
+ENUM_NEXT(ck_mech_names, CKM_KEY_WRAP_LYNKS, CKM_KEY_WRAP_SET_OAEP,
+		CKM_PBA_SHA1_WITH_SHA1_HMAC,
+	"KEY_WRAP_LYNKS",
+	"KEY_WRAP_SET_OAEP");
+ENUM_NEXT(ck_mech_names, CKM_SKIPJACK_KEY_GEN, CKM_SKIPJACK_RELAYX,
+		CKM_KEY_WRAP_SET_OAEP,
+	"SKIPJACK_KEY_GEN",
+	"SKIPJACK_ECB64",
+	"SKIPJACK_CBC64",
+	"SKIPJACK_OFB64",
+	"SKIPJACK_CFB64",
+	"SKIPJACK_CFB32",
+	"SKIPJACK_CFB16",
+	"SKIPJACK_CFB8",
+	"SKIPJACK_WRAP",
+	"SKIPJACK_PRIVATE_WRAP",
+	"SKIPJACK_RELAYX");
+ENUM_NEXT(ck_mech_names, CKM_KEA_KEY_PAIR_GEN, CKM_KEA_KEY_DERIVE,
+		CKM_SKIPJACK_RELAYX,
+	"KEA_KEY_PAIR_GEN",
+	"KEA_KEY_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_FORTEZZA_TIMESTAMP, CKM_FORTEZZA_TIMESTAMP,
+		CKM_KEA_KEY_DERIVE,
+	"FORTEZZA_TIMESTAMP");
+ENUM_NEXT(ck_mech_names, CKM_BATON_KEY_GEN, CKM_BATON_WRAP,
+		CKM_FORTEZZA_TIMESTAMP,
+	"BATON_KEY_GEN",
+	"BATON_ECB128",
+	"BATON_ECB96",
+	"BATON_CBC128",
+	"BATON_COUNTER",
+	"BATON_SHUFFLE",
+	"BATON_WRAP");
+ENUM_NEXT(ck_mech_names, CKM_ECDSA_KEY_PAIR_GEN, CKM_ECDSA_SHA1,
+		CKM_BATON_WRAP,
+	"ECDSA_KEY_PAIR_GEN",
+	"ECDSA",
+	"ECDSA_SHA1");
+ENUM_NEXT(ck_mech_names, CKM_ECDH1_DERIVE, CKM_ECMQV_DERIVE,
+		CKM_ECDSA_SHA1,
+	"ECDH1_DERIVE",
+	"ECDH1_COFACTOR_DERIVE",
+	"ECMQV_DERIVE");
+ENUM_NEXT(ck_mech_names, CKM_JUNIPER_KEY_GEN, CKM_JUNIPER_WRAP,
+		CKM_ECMQV_DERIVE,
+	"JUNIPER_KEY_GEN",
+	"JUNIPER_ECB128",
+	"JUNIPER_CBC128",
+	"JUNIPER_COUNTER",
+	"JUNIPER_SHUFFLE",
+	"JUNIPER_WRAP");
+ENUM_NEXT(ck_mech_names, CKM_FASTHASH, CKM_FASTHASH,
+		CKM_JUNIPER_WRAP,
+	"FASTHASH");
+ENUM_NEXT(ck_mech_names, CKM_AES_KEY_GEN, CKM_AES_CBC_PAD,
+		CKM_FASTHASH,
+	"AES_KEY_GEN",
+	"AES_ECB",
+	"AES_CBC",
+	"AES_MAC",
+	"AES_MAC_GENERAL",
+	"AES_CBC_PAD");
+ENUM_NEXT(ck_mech_names, CKM_DSA_PARAMETER_GEN, CKM_X9_42_DH_PARAMETER_GEN,
+		CKM_AES_CBC_PAD,
+	"DSA_PARAMETER_GEN",
+	"DH_PKCS_PARAMETER_GEN",
+	"X9_42_DH_PARAMETER_GEN");
+ENUM_END(ck_mech_names, CKM_X9_42_DH_PARAMETER_GEN);
+
+/**
+ * Private data of an pkcs11_library_t object.
+ */
+struct private_pkcs11_library_t {
+
+	/**
+	 * Public pkcs11_library_t interface.
+	 */
+	pkcs11_library_t public;
+
+	/**
+	 * dlopen() handle
+	 */
+	void *handle;
+
+	/**
+	 * Name as passed to the constructor
+	 */
+	char *name;
+};
+
+METHOD(pkcs11_library_t, get_name, char*,
+	private_pkcs11_library_t *this)
+{
+	return this->name;
+}
+
+/**
+ * Object enumerator
+ */
+typedef struct {
+	/* implements enumerator_t */
+	enumerator_t public;
+	/* session */
+	CK_SESSION_HANDLE session;
+	/* pkcs11 library */
+	pkcs11_library_t *lib;
+	/* attributes to retreive */
+	CK_ATTRIBUTE_PTR attr;
+	/* number of attributes */
+	CK_ULONG count;
+	/* currently allocated attributes, to free */
+	linked_list_t *freelist;
+} object_enumerator_t;
+
+/**
+ * Free contents of attributes in a list
+ */
+static void free_attrs(object_enumerator_t *this)
+{
+	CK_ATTRIBUTE_PTR attr;
+
+	while (this->freelist->remove_last(this->freelist, (void**)&attr) == SUCCESS)
+	{
+		free(attr->pValue);
+		attr->pValue = NULL;
+		attr->ulValueLen = 0;
+	}
+}
+
+/**
+ * Get attributes for a given object during enumeration
+ */
+static bool get_attributes(object_enumerator_t *this, CK_OBJECT_HANDLE object)
+{
+	CK_RV rv;
+	int i;
+
+	free_attrs(this);
+
+	/* get length of objects first */
+	rv = this->lib->f->C_GetAttributeValue(this->session, object,
+										   this->attr, this->count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetAttributeValue(NULL) error: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	/* allocate required chunks */
+	for (i = 0; i < this->count; i++)
+	{
+		if (this->attr[i].pValue == NULL &&
+			this->attr[i].ulValueLen != 0 && this->attr[i].ulValueLen != -1)
+		{
+			this->attr[i].pValue = malloc(this->attr[i].ulValueLen);
+			this->freelist->insert_last(this->freelist, &this->attr[i]);
+		}
+	}
+	/* get the data */
+	rv = this->lib->f->C_GetAttributeValue(this->session, object,
+										   this->attr, this->count);
+	if (rv != CKR_OK)
+	{
+		free_attrs(this);
+		DBG1(DBG_CFG, "C_GetAttributeValue(NULL) error: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(enumerator_t, object_enumerate, bool,
+	object_enumerator_t *this, CK_OBJECT_HANDLE *out)
+{
+	CK_OBJECT_HANDLE object;
+	CK_ULONG found;
+	CK_RV rv;
+
+	rv = this->lib->f->C_FindObjects(this->session, &object, 1, &found);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_FindObjects() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	if (found)
+	{
+		if (this->attr)
+		{
+			if (!get_attributes(this, object))
+			{
+				return FALSE;
+			}
+		}
+		*out = object;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(enumerator_t, object_destroy, void,
+	object_enumerator_t *this)
+{
+	this->lib->f->C_FindObjectsFinal(this->session);
+	free_attrs(this);
+	this->freelist->destroy(this->freelist);
+	free(this);
+}
+
+METHOD(pkcs11_library_t, create_object_enumerator, enumerator_t*,
+	private_pkcs11_library_t *this, CK_SESSION_HANDLE session,
+	CK_ATTRIBUTE_PTR tmpl, CK_ULONG tcount,
+	CK_ATTRIBUTE_PTR attr, CK_ULONG acount)
+{
+	object_enumerator_t *enumerator;
+	CK_RV rv;
+
+	rv = this->public.f->C_FindObjectsInit(session, tmpl, tcount);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_FindObjectsInit() failed: %N", ck_rv_names, rv);
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_object_enumerate,
+			.destroy = _object_destroy,
+		},
+		.session = session,
+		.lib = &this->public,
+		.attr = attr,
+		.count = acount,
+		.freelist = linked_list_create(),
+	);
+	return &enumerator->public;
+}
+
+/**
+ * Enumerator over mechanisms
+ */
+typedef struct {
+	/* implements enumerator_t */
+	enumerator_t public;
+	/* PKCS#11 library */
+	pkcs11_library_t *lib;
+	/* slot of token */
+	CK_SLOT_ID slot;
+	/* mechanism type list */
+	CK_MECHANISM_TYPE_PTR mechs;
+	/* number of mechanism types */
+	CK_ULONG count;
+	/* current mechanism */
+	CK_ULONG current;
+} mechanism_enumerator_t;
+
+METHOD(enumerator_t, enumerate_mech, bool,
+	mechanism_enumerator_t *this, CK_MECHANISM_TYPE* type,
+	CK_MECHANISM_INFO *info)
+{
+	CK_RV rv;
+
+	if (this->current >= this->count)
+	{
+		return FALSE;
+	}
+	if (info)
+	{
+		rv = this->lib->f->C_GetMechanismInfo(this->slot,
+											  this->mechs[this->current], info);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "C_GetMechanismInfo() failed: %N", ck_rv_names, rv);
+			return FALSE;
+		}
+	}
+	*type = this->mechs[this->current++];
+	return TRUE;
+}
+
+METHOD(enumerator_t, destroy_mech, void,
+	mechanism_enumerator_t *this)
+{
+	free(this->mechs);
+	free(this);
+}
+
+METHOD(pkcs11_library_t, create_mechanism_enumerator, enumerator_t*,
+	private_pkcs11_library_t *this, CK_SLOT_ID slot)
+{
+	mechanism_enumerator_t *enumerator;
+	CK_RV rv;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_mech,
+			.destroy = _destroy_mech,
+		},
+		.lib = &this->public,
+		.slot = slot,
+	);
+
+	rv = enumerator->lib->f->C_GetMechanismList(slot, NULL, &enumerator->count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetMechanismList() failed: %N", ck_rv_names, rv);
+		free(enumerator);
+		return enumerator_create_empty();
+	}
+	enumerator->mechs = malloc(sizeof(CK_MECHANISM_TYPE) * enumerator->count);
+	enumerator->lib->f->C_GetMechanismList(slot, enumerator->mechs,
+										   &enumerator->count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetMechanismList() failed: %N", ck_rv_names, rv);
+		destroy_mech(enumerator);
+		return enumerator_create_empty();
+	}
+	return &enumerator->public;
+}
+
+METHOD(pkcs11_library_t, destroy, void,
+	private_pkcs11_library_t *this)
+{
+	this->public.f->C_Finalize(NULL);
+	dlclose(this->handle);
+	free(this);
+}
+
+/**
+ * See header
+ */
+void pkcs11_library_trim(char *str, int len)
+{
+	int i;
+
+	str[len - 1] = '\0';
+	for (i = len - 2; i > 0; i--)
+	{
+		if (str[i] == ' ')
+		{
+			str[i] = '\0';
+			continue;
+		}
+		break;
+	}
+}
+
+/**
+ * Mutex creation callback
+ */
+static CK_RV CreateMutex(CK_VOID_PTR_PTR data)
+{
+	*data = mutex_create(MUTEX_TYPE_DEFAULT);
+	return CKR_OK;
+}
+
+/**
+ * Mutex destruction callback
+ */
+static CK_RV DestroyMutex(CK_VOID_PTR data)
+{
+	mutex_t *mutex = (mutex_t*)data;
+
+	mutex->destroy(mutex);
+	return CKR_OK;
+}
+
+/**
+ * Mutex lock callback
+ */
+static CK_RV LockMutex(CK_VOID_PTR data)
+{
+	mutex_t *mutex = (mutex_t*)data;
+
+	mutex->lock(mutex);
+	return CKR_OK;
+}
+
+/**
+ * Mutex unlock callback
+ */
+static CK_RV UnlockMutex(CK_VOID_PTR data)
+{
+	mutex_t *mutex = (mutex_t*)data;
+
+	mutex->unlock(mutex);
+	return CKR_OK;
+}
+
+/**
+ * Initialize a PKCS#11 library
+ */
+static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
+{
+	CK_C_GetFunctionList pC_GetFunctionList;
+	CK_INFO info;
+	CK_RV rv;
+	CK_C_INITIALIZE_ARGS args = {
+		.CreateMutex = CreateMutex,
+		.DestroyMutex = DestroyMutex,
+		.LockMutex = LockMutex,
+		.UnlockMutex = UnlockMutex,
+	};
+
+	pC_GetFunctionList = dlsym(this->handle, "C_GetFunctionList");
+	if (!pC_GetFunctionList)
+	{
+		DBG1(DBG_CFG, "C_GetFunctionList not found for '%s': %s", name, dlerror());
+		return FALSE;
+	}
+	rv = pC_GetFunctionList(&this->public.f);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetFunctionList() error for '%s': %N",
+			 name, ck_rv_names, rv);
+		return FALSE;
+	}
+
+	rv = this->public.f->C_Initialize(&args);
+	if (rv == CKR_CANT_LOCK)
+	{	/* try OS locking */
+		memset(&args, 0, sizeof(args));
+		args.flags = CKF_OS_LOCKING_OK;
+		rv = this->public.f->C_Initialize(&args);
+	}
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_Initialize() error for '%s': %N",
+			 name, ck_rv_names, rv);
+		return FALSE;
+	}
+	rv = this->public.f->C_GetInfo(&info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetInfo() error for '%s': %N",
+			 name, ck_rv_names, rv);
+		this->public.f->C_Finalize(NULL);
+		return FALSE;
+	}
+
+	pkcs11_library_trim(info.manufacturerID,
+			strnlen(info.manufacturerID, sizeof(info.manufacturerID)));
+	pkcs11_library_trim(info.libraryDescription,
+			strnlen(info.libraryDescription, sizeof(info.libraryDescription)));
+
+	DBG1(DBG_CFG, "loaded PKCS#11 v%d.%d library '%s' (%s)",
+		 info.cryptokiVersion.major, info.cryptokiVersion.minor, name, file);
+	DBG1(DBG_CFG, "  %s: %s v%d.%d",
+		 info.manufacturerID, info.libraryDescription,
+		 info.libraryVersion.major, info.libraryVersion.minor);
+	if (args.flags & CKF_OS_LOCKING_OK)
+	{
+		DBG1(DBG_CFG, "  uses OS locking functions");
+	}
+	return TRUE;
+}
+
+/**
+ * See header
+ */
+pkcs11_library_t *pkcs11_library_create(char *name, char *file)
+{
+	private_pkcs11_library_t *this;
+
+	INIT(this,
+		.public = {
+			.get_name = _get_name,
+			.create_object_enumerator = _create_object_enumerator,
+			.create_mechanism_enumerator = _create_mechanism_enumerator,
+			.destroy = _destroy,
+		},
+		.name = name,
+		.handle = dlopen(file, RTLD_LAZY),
+	);
+
+	if (!this->handle)
+	{
+		DBG1(DBG_CFG, "opening PKCS#11 library failed: %s", dlerror());
+		free(this);
+		return NULL;
+	}
+
+	if (!initialize(this, name, file))
+	{
+		dlclose(this->handle);
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
new file mode 100644
index 000000000..1457d24d4
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_library pkcs11_library
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_LIBRARY_H_
+#define PKCS11_LIBRARY_H_
+
+typedef struct pkcs11_library_t pkcs11_library_t;
+
+#include "pkcs11.h"
+
+#include <enum.h>
+#include <utils/enumerator.h>
+
+/**
+ * A loaded and initialized PKCS#11 library.
+ */
+struct pkcs11_library_t {
+
+	/**
+	 * PKCS#11 function list, as returned by C_GetFunctionList
+	 */
+	CK_FUNCTION_LIST_PTR f;
+
+	/**
+	 * Get the name this instance was created with.
+	 *
+	 * @return			name, as passed to constructor
+	 */
+	char* (*get_name)(pkcs11_library_t *this);
+
+	/**
+	 * Create an enumerator over CK_OBJECT_HANDLE using a search template.
+	 *
+	 * An optional attribute array is automatically filled in with the
+	 * objects associated attributes. If the value of an output attribute
+	 * is NULL, the value gets allocated/freed during enumeration.
+	 *
+	 * @param session	session to use
+	 * @param tmpl		search template
+	 * @param tcount 	number of attributes in the search template
+	 * @param attr		attributes to read from object
+	 * @param acount	number of attributes to read
+	 */
+	enumerator_t* (*create_object_enumerator)(pkcs11_library_t *this,
+			CK_SESSION_HANDLE session, CK_ATTRIBUTE_PTR tmpl, CK_ULONG tcount,
+			CK_ATTRIBUTE_PTR attr, CK_ULONG acount);
+
+	/**
+	 * Create an enumerator over supported mechanisms of a token.
+	 *
+	 * The resulting enumerator enumerates over the mechanism type, and if
+	 * a non-NULL pointer is given, over the mechanism info details.
+	 *
+	 * @param slot		slot of the token
+	 * @return			enumerator over (CK_MECHANISM_TYPE, CK_MECHANISM_INFO)
+	 */
+	enumerator_t* (*create_mechanism_enumerator)(pkcs11_library_t *this,
+												 CK_SLOT_ID slot);
+
+	/**
+	 * Destroy a pkcs11_library_t.
+	 */
+	void (*destroy)(pkcs11_library_t *this);
+};
+
+/**
+ * Enum names for CK_RV return values
+ */
+extern enum_name_t *ck_rv_names;
+
+/**
+ * Enum names for CK_MECHANISM_TYPE values
+ */
+extern enum_name_t *ck_mech_names;
+
+/**
+ * Trim/null terminate a string returned by the varius PKCS#11 functions.
+ *
+ * @param str		string to trim
+ * @param len		max length of the string
+ */
+void pkcs11_library_trim(char *str, int len);
+
+/**
+ * Create a pkcs11_library instance.
+ *
+ * @param name		an arbitrary name, for debugging
+ * @param file		pkcs11 library file to dlopen()
+ * @return			library abstraction
+ */
+pkcs11_library_t *pkcs11_library_create(char *name, char *file);
+
+#endif /** PKCS11_LIBRARY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
new file mode 100644
index 000000000..0c27600a6
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -0,0 +1,407 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_manager.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/thread.h>
+
+#include "pkcs11_library.h"
+
+#include <processing/jobs/callback_job.h>
+
+typedef struct private_pkcs11_manager_t private_pkcs11_manager_t;
+
+/**
+ * Private data of an pkcs11_manager_t object.
+ */
+struct private_pkcs11_manager_t {
+
+	/**
+	 * Public pkcs11_manager_t interface.
+	 */
+	pkcs11_manager_t public;
+
+	/**
+	 * List of loaded libraries, as lib_entry_t
+	 */
+	linked_list_t *libs;
+
+	/**
+	 * Slot event callback function
+	 */
+	pkcs11_manager_token_event_t cb;
+
+	/**
+	 * Slot event user data
+	 */
+	void *data;
+};
+
+/**
+ * Entry for a loaded library
+ */
+typedef struct {
+	/* back reference to this */
+	private_pkcs11_manager_t *this;
+	/* associated library path */
+	char *path;
+	/* loaded library */
+	pkcs11_library_t *lib;
+	/* event dispatcher job */
+	callback_job_t *job;
+} lib_entry_t;
+
+/**
+ * Destroy a lib_entry_t
+ */
+static void lib_entry_destroy(lib_entry_t *entry)
+{
+	if (entry->job)
+	{
+		entry->job->cancel(entry->job);
+	}
+	entry->lib->destroy(entry->lib);
+	free(entry);
+}
+
+/**
+ * Print supported mechanisms of a token in a slot
+ */
+static void print_mechs(lib_entry_t *entry, CK_SLOT_ID slot)
+{
+	enumerator_t *enumerator;
+	CK_MECHANISM_TYPE type;
+	CK_MECHANISM_INFO info;
+
+	enumerator = entry->lib->create_mechanism_enumerator(entry->lib, slot);
+	while (enumerator->enumerate(enumerator, &type, &info))
+	{
+		DBG2(DBG_CFG, "      %N %lu-%lu [ %s%s%s%s%s%s%s%s%s%s%s%s%s]",
+			ck_mech_names, type,
+			info.ulMinKeySize, info.ulMaxKeySize,
+			info.flags & CKF_HW ? "HW " : "",
+			info.flags & CKF_ENCRYPT ? "ENCR " : "",
+			info.flags & CKF_DECRYPT ? "DECR " : "",
+			info.flags & CKF_DIGEST ? "DGST " : "",
+			info.flags & CKF_SIGN ? "SIGN " : "",
+			info.flags & CKF_SIGN_RECOVER ? "SIGN_RCVR " : "",
+			info.flags & CKF_VERIFY ? "VRFY " : "",
+			info.flags & CKF_VERIFY_RECOVER ? "VRFY_RCVR " : "",
+			info.flags & CKF_GENERATE ? "GEN " : "",
+			info.flags & CKF_GENERATE_KEY_PAIR ? "GEN_KEY_PAIR " : "",
+			info.flags & CKF_WRAP ? "WRAP " : "",
+			info.flags & CKF_UNWRAP ? "UNWRAP " : "",
+			info.flags & CKF_DERIVE ? "DERIVE " : "");
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
+ * Handle a token
+ */
+static void handle_token(lib_entry_t *entry, CK_SLOT_ID slot)
+{
+	CK_TOKEN_INFO info;
+	CK_RV rv;
+
+	rv = entry->lib->f->C_GetTokenInfo(slot, &info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetTokenInfo failed: %N", ck_rv_names, rv);
+		return;
+	}
+	pkcs11_library_trim(info.label, sizeof(info.label));
+	pkcs11_library_trim(info.manufacturerID, sizeof(info.manufacturerID));
+	pkcs11_library_trim(info.model, sizeof(info.model));
+	DBG1(DBG_CFG, "    %s (%s: %s)",
+		 info.label, info.manufacturerID, info.model);
+
+	print_mechs(entry, slot);
+}
+
+/**
+ * Handle slot changes
+ */
+static void handle_slot(lib_entry_t *entry, CK_SLOT_ID slot, bool hot)
+{
+	CK_SLOT_INFO info;
+	CK_RV rv;
+
+	rv = entry->lib->f->C_GetSlotInfo(slot, &info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSlotInfo failed: %N", ck_rv_names, rv);
+		return;
+	}
+
+	pkcs11_library_trim(info.slotDescription, sizeof(info.slotDescription));
+	if (info.flags & CKF_TOKEN_PRESENT)
+	{
+		DBG1(DBG_CFG, "  found token in slot '%s':%lu (%s)",
+			 entry->lib->get_name(entry->lib), slot, info.slotDescription);
+		handle_token(entry, slot);
+		if (hot)
+		{
+			entry->this->cb(entry->this->data, entry->lib, slot, TRUE);
+		}
+	}
+	else
+	{
+		DBG1(DBG_CFG, "token removed from slot '%s':%lu (%s)",
+			 entry->lib->get_name(entry->lib), slot, info.slotDescription);
+		if (hot)
+		{
+			entry->this->cb(entry->this->data, entry->lib, slot, FALSE);
+		}
+	}
+}
+
+/**
+ * Dispatch slot events
+ */
+static job_requeue_t dispatch_slot_events(lib_entry_t *entry)
+{
+	CK_SLOT_ID slot;
+	CK_RV rv;
+	bool old;
+
+	old = thread_cancelability(TRUE);
+	rv = entry->lib->f->C_WaitForSlotEvent(0, &slot, NULL);
+	thread_cancelability(old);
+	if (rv == CKR_FUNCTION_NOT_SUPPORTED || rv == CKR_NO_EVENT)
+	{
+		DBG1(DBG_CFG, "module '%s' does not support hot-plugging, cancelled",
+			 entry->lib->get_name(entry->lib));
+		return JOB_REQUEUE_NONE;
+	}
+	if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
+	{	/* C_Finalize called, abort */
+		return JOB_REQUEUE_NONE;
+	}
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "error in C_WaitForSlotEvent: %N", ck_rv_names, rv);
+	}
+	handle_slot(entry, slot, TRUE);
+
+	return JOB_REQUEUE_DIRECT;
+}
+
+/**
+ * End dispatching, unset job
+ */
+static void end_dispatch(lib_entry_t *entry)
+{
+	entry->job = NULL;
+}
+
+/**
+ * Get the slot list of a library
+ */
+static CK_SLOT_ID_PTR get_slot_list(pkcs11_library_t *p11, CK_ULONG *out)
+{
+	CK_SLOT_ID_PTR slots;
+	CK_ULONG count;
+	CK_RV rv;
+
+	rv = p11->f->C_GetSlotList(TRUE, NULL, &count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSlotList() failed: %N", ck_rv_names, rv);
+		return NULL;
+	}
+	if (count == 0)
+	{
+		return NULL;
+	}
+	slots = malloc(sizeof(CK_SLOT_ID) * count);
+	rv = p11->f->C_GetSlotList(TRUE, slots, &count);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSlotList() failed: %N", ck_rv_names, rv);
+		free(slots);
+		return NULL;
+	}
+	*out = count;
+	return slots;
+}
+
+/**
+ * Query the slots for tokens
+ */
+static void query_slots(lib_entry_t *entry)
+{
+	CK_ULONG count;
+	CK_SLOT_ID_PTR slots;
+	int i;
+
+	slots = get_slot_list(entry->lib, &count);
+	if (slots)
+	{
+		for (i = 0; i < count; i++)
+		{
+			handle_slot(entry, slots[i], FALSE);
+		}
+		free(slots);
+	}
+}
+
+/**
+ * Token enumerator
+ */
+typedef struct {
+	/* implements enumerator */
+	enumerator_t public;
+	/* inner enumerator over PKCS#11 libraries */
+	enumerator_t *inner;
+	/* active library entry */
+	lib_entry_t *entry;
+	/* slot list with tokens */
+	CK_SLOT_ID_PTR slots;
+	/* number of slots */
+	CK_ULONG count;
+	/* current slot */
+	int current;
+} token_enumerator_t;
+
+METHOD(enumerator_t, enumerate_token, bool,
+	token_enumerator_t *this, pkcs11_library_t **out, CK_SLOT_ID *slot)
+{
+	if (this->current >= this->count)
+	{
+		free(this->slots);
+		this->slots = NULL;
+		this->current = 0;
+	}
+	while (!this->slots)
+	{
+		if (!this->inner->enumerate(this->inner, &this->entry))
+		{
+			return FALSE;
+		}
+		this->slots = get_slot_list(this->entry->lib, &this->count);
+	}
+	*out = this->entry->lib;
+	*slot = this->slots[this->current++];
+	return TRUE;
+}
+
+METHOD(enumerator_t, destroy_token, void,
+	token_enumerator_t *this)
+{
+	this->inner->destroy(this->inner);
+	free(this->slots);
+	free(this);
+}
+
+METHOD(pkcs11_manager_t, create_token_enumerator, enumerator_t*,
+	private_pkcs11_manager_t *this)
+{
+	token_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_token,
+			.destroy = _destroy_token,
+		},
+		.inner = this->libs->create_enumerator(this->libs),
+	);
+	return &enumerator->public;
+}
+
+/**
+ * Singleton instance
+ */
+static private_pkcs11_manager_t *singleton = NULL;
+
+METHOD(pkcs11_manager_t, destroy, void,
+	private_pkcs11_manager_t *this)
+{
+	this->libs->destroy_function(this->libs, (void*)lib_entry_destroy);
+	free(this);
+	singleton = NULL;
+}
+
+/**
+ * See header
+ */
+pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
+										void *data)
+{
+	private_pkcs11_manager_t *this;
+	enumerator_t *enumerator;
+	lib_entry_t *entry;
+	char *module;
+
+	INIT(this,
+		.public = {
+			.create_token_enumerator = _create_token_enumerator,
+			.destroy = _destroy,
+		},
+		.libs = linked_list_create(),
+		.cb = cb,
+		.data = data,
+	);
+
+	enumerator = lib->settings->create_section_enumerator(lib->settings,
+										"libstrongswan.plugins.pkcs11.modules");
+	while (enumerator->enumerate(enumerator, &module))
+	{
+		INIT(entry,
+			.this = this,
+		);
+
+		entry->path = lib->settings->get_str(lib->settings,
+				"libstrongswan.plugins.pkcs11.modules.%s.path", NULL, module);
+		if (!entry->path)
+		{
+			DBG1(DBG_CFG, "PKCS11 module '%s' misses library path", module);
+			free(entry);
+			continue;
+		}
+		entry->lib = pkcs11_library_create(module, entry->path);
+		if (!entry->lib)
+		{
+			free(entry);
+			continue;
+		}
+		this->libs->insert_last(this->libs, entry);
+	}
+	enumerator->destroy(enumerator);
+
+	singleton = this;
+
+	enumerator = this->libs->create_enumerator(this->libs);
+	while (enumerator->enumerate(enumerator, &entry))
+	{
+		query_slots(entry);
+		entry->job = callback_job_create((void*)dispatch_slot_events,
+										 entry, (void*)end_dispatch, NULL);
+		lib->processor->queue_job(lib->processor, (job_t*)entry->job);
+	}
+	enumerator->destroy(enumerator);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+pkcs11_manager_t *pkcs11_manager_get()
+{
+	return (pkcs11_manager_t*)singleton;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h
new file mode 100644
index 000000000..b80d67324
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.h
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_manager pkcs11_manager
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_MANAGER_H_
+#define PKCS11_MANAGER_H_
+
+typedef struct pkcs11_manager_t pkcs11_manager_t;
+
+#include <library.h>
+
+#include "pkcs11_library.h"
+
+/**
+ * Token event callback function.
+ *
+ * @param data		user supplied data, as passed to pkcs11_manager_create()
+ * @param p11		loaded PKCS#11 library token belongs to
+ * @param slot		slot number the event occured in
+ * @param add		TRUE if token was added to the slot, FALSE if removed
+ */
+typedef void (*pkcs11_manager_token_event_t)(void *data, pkcs11_library_t *p11,
+											 CK_SLOT_ID slot, bool add);
+
+
+/**
+ * Manages multiple PKCS#11 libraries with hot pluggable slots
+ */
+struct pkcs11_manager_t {
+
+	/**
+	 * Create an enumerator over all tokens.
+	 *
+	 * @return			enumerator over (pkcs11_library_t*,CK_SLOT_ID)
+	 */
+	enumerator_t* (*create_token_enumerator)(pkcs11_manager_t *this);
+
+	/**
+	 * Destroy a pkcs11_manager_t.
+	 */
+	void (*destroy)(pkcs11_manager_t *this);
+};
+
+/**
+ * Create a pkcs11_manager instance.
+ *
+ * @param cb		token event callback function
+ * @param data		user data to pass to token event callback
+ * @return			instance
+ */
+pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
+										void *data);
+
+
+/**
+ * Get the singleton instance of the manager
+ *
+ * @return			instance, NULL if none available
+ */
+pkcs11_manager_t *pkcs11_manager_get();
+
+#endif /** PKCS11_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
new file mode 100644
index 000000000..ace405c23
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_plugin.h"
+
+#include <library.h>
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/mutex.h>
+
+#include "pkcs11_manager.h"
+#include "pkcs11_creds.h"
+#include "pkcs11_private_key.h"
+#include "pkcs11_public_key.h"
+#include "pkcs11_hasher.h"
+
+typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t;
+
+/**
+ * private data of pkcs11_plugin
+ */
+struct private_pkcs11_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	pkcs11_plugin_t public;
+
+	/**
+	 * PKCS#11 library/slot manager
+	 */
+	pkcs11_manager_t *manager;
+
+	/**
+	 * List of credential sets, pkcs11_creds_t
+	 */
+	linked_list_t *creds;
+
+	/**
+	 * mutex to lock list
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Token event callback function
+ */
+static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
+						   CK_SLOT_ID slot, bool add)
+{
+	enumerator_t *enumerator;
+	pkcs11_creds_t *creds, *found = NULL;;
+
+	if (add)
+	{
+		creds = pkcs11_creds_create(p11, slot);
+		if (creds)
+		{
+			this->mutex->lock(this->mutex);
+			this->creds->insert_last(this->creds, creds);
+			this->mutex->unlock(this->mutex);
+			lib->credmgr->add_set(lib->credmgr, &creds->set);
+		}
+	}
+	else
+	{
+		this->mutex->lock(this->mutex);
+		enumerator = this->creds->create_enumerator(this->creds);
+		while (enumerator->enumerate(enumerator, &creds))
+		{
+			if (creds->get_library(creds) == p11 &&
+				creds->get_slot(creds) == slot)
+			{
+				found = creds;
+				this->creds->remove_at(this->creds, enumerator);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		this->mutex->unlock(this->mutex);
+
+		if (found)
+		{
+			lib->credmgr->remove_set(lib->credmgr, &found->set);
+			found->destroy(found);
+			/* flush the cache after a token is gone */
+			lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
+		}
+	}
+}
+
+METHOD(plugin_t, destroy, void,
+	private_pkcs11_plugin_t *this)
+{
+	pkcs11_creds_t *creds;
+
+	lib->creds->remove_builder(lib->creds,
+							(builder_function_t)pkcs11_private_key_connect);
+	while (this->creds->remove_last(this->creds, (void**)&creds) == SUCCESS)
+	{
+		lib->credmgr->remove_set(lib->credmgr, &creds->set);
+		creds->destroy(creds);
+	}
+	lib->crypto->remove_hasher(lib->crypto,
+							(hasher_constructor_t)pkcs11_hasher_create);
+	this->creds->destroy(this->creds);
+	this->manager->destroy(this->manager);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *pkcs11_plugin_create()
+{
+	private_pkcs11_plugin_t *this;
+	enumerator_t *enumerator;
+	pkcs11_library_t *p11;
+	CK_SLOT_ID slot;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+		.creds = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	this->manager = pkcs11_manager_create((void*)token_event_cb, this);
+
+	if (lib->settings->get_bool(lib->settings,
+							"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
+	{
+		lib->crypto->add_hasher(lib->crypto, HASH_MD2,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_MD5,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
+					(hasher_constructor_t)pkcs11_hasher_create);
+		lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+					(hasher_constructor_t)pkcs11_hasher_create);
+	}
+
+	lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
+							(builder_function_t)pkcs11_private_key_connect);
+	lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
+							(builder_function_t)pkcs11_public_key_load);
+
+	enumerator = this->manager->create_token_enumerator(this->manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		token_event_cb(this, p11, slot, TRUE);
+	}
+	enumerator->destroy(enumerator);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h
new file mode 100644
index 000000000..432e2173a
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11 pkcs11
+ * @ingroup plugins
+ *
+ * @defgroup pkcs11_plugin pkcs11_plugin
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_PLUGIN_H_
+#define PKCS11_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct pkcs11_plugin_t pkcs11_plugin_t;
+
+/**
+ * Plugin providing PKCS#11 token support.
+ */
+struct pkcs11_plugin_t {
+
+	/**
+	 * Implements plugin interface,
+	 */
+	plugin_t plugin;
+};
+
+#endif /** PKCS11_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
new file mode 100644
index 000000000..cabca3f54
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -0,0 +1,600 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_private_key.h"
+
+#include "pkcs11_library.h"
+#include "pkcs11_manager.h"
+
+#include <debug.h>
+#include <threading/mutex.h>
+
+typedef struct private_pkcs11_private_key_t private_pkcs11_private_key_t;
+
+/**
+ * Private data of an pkcs11_private_key_t object.
+ */
+struct private_pkcs11_private_key_t {
+
+	/**
+	 * Public pkcs11_private_key_t interface.
+	 */
+	pkcs11_private_key_t public;
+
+	/**
+	 * PKCS#11 module
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Token session
+	 */
+	CK_SESSION_HANDLE session;
+
+	/**
+	 * Mutex to lock session
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Key object on the token
+	 */
+	CK_OBJECT_HANDLE object;
+
+	/**
+	 * Key requires reauthentication for each signature/decryption
+	 */
+	CK_BBOOL reauth;
+
+	/**
+	 * Keyid of the key we use
+	 */
+	identification_t *keyid;
+
+	/**
+	 * Associated public key
+	 */
+	public_key_t *pubkey;
+
+	/**
+	 * References to this key
+	 */
+	refcount_t ref;
+};
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_pkcs11_private_key_t *this)
+{
+	return this->pubkey->get_type(this->pubkey);
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_pkcs11_private_key_t *this)
+{
+	return this->pubkey->get_keysize(this->pubkey);
+}
+
+/**
+ * See header.
+ */
+CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme)
+{
+	static struct {
+		signature_scheme_t scheme;
+		CK_MECHANISM mechanism;
+	} mappings[] = {
+		{SIGN_RSA_EMSA_PKCS1_NULL,		{CKM_RSA_PKCS,				NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA1,		{CKM_SHA1_RSA_PKCS,			NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA256,	{CKM_SHA256_RSA_PKCS,		NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA384,	{CKM_SHA384_RSA_PKCS,		NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_SHA512,	{CKM_SHA512_RSA_PKCS,		NULL, 0}},
+		{SIGN_RSA_EMSA_PKCS1_MD5,		{CKM_MD5_RSA_PKCS,			NULL, 0}},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
+	{
+		if (mappings[i].scheme == scheme)
+		{
+			return &mappings[i].mechanism;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * See header.
+ */
+CK_MECHANISM_PTR pkcs11_encryption_scheme_to_mech(encryption_scheme_t scheme)
+{
+	static struct {
+		encryption_scheme_t scheme;
+		CK_MECHANISM mechanism;
+	} mappings[] = {
+		{ENCRYPT_RSA_PKCS1,			{CKM_RSA_PKCS,				NULL, 0}},
+		{ENCRYPT_RSA_OAEP_SHA1,		{CKM_RSA_PKCS_OAEP,			NULL, 0}},
+	};
+	int i;
+
+	for (i = 0; i < countof(mappings); i++)
+	{
+		if (mappings[i].scheme == scheme)
+		{
+			return &mappings[i].mechanism;
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Reauthenticate to do a signature
+ */
+static bool reauth(private_pkcs11_private_key_t *this)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	chunk_t pin;
+	CK_RV rv;
+	bool found = FALSE, success = FALSE;
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+												SHARED_PIN, this->keyid, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		found = TRUE;
+		pin = shared->get_key(shared);
+		rv = this->lib->f->C_Login(this->session, CKU_CONTEXT_SPECIFIC,
+								   pin.ptr, pin.len);
+		if (rv == CKR_OK)
+		{
+			success = TRUE;
+			break;
+		}
+		DBG1(DBG_CFG, "reauthentication login failed: %N", ck_rv_names, rv);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "private key requires reauthentication, but no PIN found");
+		return FALSE;
+	}
+	return success;
+}
+
+METHOD(private_key_t, sign, bool,
+	private_pkcs11_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_BYTE_PTR buf;
+	CK_ULONG len;
+	CK_RV rv;
+
+	mechanism = pkcs11_signature_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_SignInit(this->session, mechanism, this->object);
+	if (this->reauth && !reauth(this))
+	{
+		return FALSE;
+	}
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_SignInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	len = (get_keysize(this) + 7) / 8;
+	buf = malloc(len);
+	rv = this->lib->f->C_Sign(this->session, data.ptr, data.len, buf, &len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Sign() failed: %N", ck_rv_names, rv);
+		free(buf);
+		return FALSE;
+	}
+	*signature = chunk_create(buf, len);
+	return TRUE;
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_pkcs11_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypt, chunk_t *plain)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_BYTE_PTR buf;
+	CK_ULONG len;
+	CK_RV rv;
+
+	mechanism = pkcs11_encryption_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_DecryptInit(this->session, mechanism, this->object);
+	if (this->reauth && !reauth(this))
+	{
+		return FALSE;
+	}
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_DecryptInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	len = (get_keysize(this) + 7) / 8;
+	buf = malloc(len);
+	rv = this->lib->f->C_Decrypt(this->session, crypt.ptr, crypt.len, buf, &len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Decrypt() failed: %N", ck_rv_names, rv);
+		free(buf);
+		return FALSE;
+	}
+	*plain = chunk_create(buf, len);
+	return TRUE;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_pkcs11_private_key_t *this)
+{
+	return this->pubkey->get_ref(this->pubkey);
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_pkcs11_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
+{
+	return this->pubkey->get_fingerprint(this->pubkey, type, fingerprint);
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_pkcs11_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	return FALSE;
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_pkcs11_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_pkcs11_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		if (this->pubkey)
+		{
+			this->pubkey->destroy(this->pubkey);
+		}
+		this->mutex->destroy(this->mutex);
+		this->keyid->destroy(this->keyid);
+		this->lib->f->C_CloseSession(this->session);
+		free(this);
+	}
+}
+
+/**
+ * Find the PKCS#11 library by its friendly name
+ */
+static pkcs11_library_t* find_lib(char *module)
+{
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator;
+	pkcs11_library_t *p11, *found = NULL;
+	CK_SLOT_ID slot;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		if (streq(module, p11->get_name(p11)))
+		{
+			found = p11;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Find the PKCS#11 lib having a keyid, and optionally a slot
+ */
+static pkcs11_library_t* find_lib_by_keyid(chunk_t keyid, int *slot)
+{
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator;
+	pkcs11_library_t *p11, *found = NULL;
+	CK_SLOT_ID current;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &current))
+	{
+		if (*slot == -1 || *slot == current)
+		{
+			/* we look for a public key, it is usually readable without login */
+			CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+			CK_ATTRIBUTE tmpl[] = {
+				{CKA_CLASS, &class, sizeof(class)},
+				{CKA_ID, keyid.ptr, keyid.len},
+			};
+			CK_OBJECT_HANDLE object;
+			CK_SESSION_HANDLE session;
+			CK_RV rv;
+			enumerator_t *keys;
+
+			rv = p11->f->C_OpenSession(current, CKF_SERIAL_SESSION, NULL, NULL,
+									   &session);
+			if (rv != CKR_OK)
+			{
+				DBG1(DBG_CFG, "opening PKCS#11 session failed: %N",
+					 ck_rv_names, rv);
+				continue;
+			}
+			keys = p11->create_object_enumerator(p11, session,
+												 tmpl, countof(tmpl), NULL, 0);
+			if (keys->enumerate(keys, &object))
+			{
+				DBG1(DBG_CFG, "found key on PKCS#11 token '%s':%d",
+					 p11->get_name(p11), current);
+				found = p11;
+				*slot = current;
+			}
+			keys->destroy(keys);
+			p11->f->C_CloseSession(session);
+			if (found)
+			{
+				break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Find the key on the token
+ */
+static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
+{
+	CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE tmpl[] = {
+		{CKA_CLASS, &class, sizeof(class)},
+		{CKA_ID, keyid.ptr, keyid.len},
+	};
+	CK_OBJECT_HANDLE object;
+	CK_KEY_TYPE type;
+	CK_BBOOL reauth;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_KEY_TYPE, &type, sizeof(type)},
+		{CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
+		{CKA_MODULUS, NULL, 0},
+		{CKA_PUBLIC_EXPONENT, NULL, 0},
+	};
+	enumerator_t *enumerator;
+	chunk_t modulus, pubexp;
+
+	enumerator = this->lib->create_object_enumerator(this->lib,
+						this->session, tmpl, countof(tmpl), attr, countof(attr));
+	if (enumerator->enumerate(enumerator, &object))
+	{
+		switch (type)
+		{
+			case CKK_RSA:
+				if (attr[2].ulValueLen == -1 || attr[3].ulValueLen == -1)
+				{
+					DBG1(DBG_CFG, "reading modulus/exponent from PKCS#1 failed");
+					break;
+				}
+				modulus = chunk_create(attr[2].pValue, attr[2].ulValueLen);
+				pubexp = chunk_create(attr[3].pValue, attr[3].ulValueLen);
+				this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+									KEY_RSA, BUILD_RSA_MODULUS, modulus,
+									BUILD_RSA_PUB_EXP, pubexp, BUILD_END);
+				if (!this->pubkey)
+				{
+					DBG1(DBG_CFG, "extracting public key from PKCS#11 RSA "
+						 "private key failed");
+				}
+				this->reauth = reauth;
+				this->object = object;
+				break;
+			default:
+				DBG1(DBG_CFG, "PKCS#11 key type %d not supported", type);
+				break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return this->pubkey != NULL;
+}
+
+/**
+ * Find a PIN and try to log in
+ */
+static bool login(private_pkcs11_private_key_t *this, int slot)
+{
+	enumerator_t *enumerator;
+	shared_key_t *shared;
+	chunk_t pin;
+	CK_RV rv;
+	CK_SESSION_INFO info;
+	bool found = FALSE, success = FALSE;
+
+	rv = this->lib->f->C_GetSessionInfo(this->session, &info);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "C_GetSessionInfo failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	if (info.state != CKS_RO_PUBLIC_SESSION &&
+		info.state != CKS_RW_PUBLIC_SESSION)
+	{	/* already logged in with another session, skip */
+		return TRUE;
+	}
+
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+												SHARED_PIN, this->keyid, NULL);
+	while (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		found = TRUE;
+		pin = shared->get_key(shared);
+		rv = this->lib->f->C_Login(this->session, CKU_USER, pin.ptr, pin.len);
+		if (rv == CKR_OK)
+		{
+			success = TRUE;
+			break;
+		}
+		DBG1(DBG_CFG, "login to '%s':%d failed: %N",
+			 this->lib->get_name(this->lib), slot, ck_rv_names, rv);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!found)
+	{
+		DBG1(DBG_CFG, "no PIN found for PKCS#11 key %Y", this->keyid);
+		return FALSE;
+	}
+	return success;
+}
+
+/**
+ * See header.
+ */
+pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
+{
+	private_pkcs11_private_key_t *this;
+	char *module = NULL;
+	chunk_t keyid = chunk_empty;
+	int slot = -1;
+	CK_RV rv;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_PKCS11_KEYID:
+				keyid = va_arg(args, chunk_t);
+				continue;
+			case BUILD_PKCS11_SLOT:
+				slot = va_arg(args, int);
+				continue;
+			case BUILD_PKCS11_MODULE:
+				module = va_arg(args, char*);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (!keyid.len)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
+
+	if (module && slot != -1)
+	{
+		this->lib = find_lib(module);
+		if (!this->lib)
+		{
+			DBG1(DBG_CFG, "PKCS#11 module '%s' not found", module);
+			free(this);
+			return NULL;
+		}
+	}
+	else
+	{
+		this->lib = find_lib_by_keyid(keyid, &slot);
+		if (!this->lib)
+		{
+			DBG1(DBG_CFG, "no PKCS#11 module found having a keyid %#B", &keyid);
+			free(this);
+			return NULL;
+		}
+	}
+
+	rv = this->lib->f->C_OpenSession(slot, CKF_SERIAL_SESSION,
+									 NULL, NULL, &this->session);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_CFG, "opening private key session on '%s':%d failed: %N",
+			 module, slot, ck_rv_names, rv);
+		free(this);
+		return NULL;
+	}
+
+	this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	this->keyid = identification_create_from_encoding(ID_KEY_ID, keyid);
+
+	if (!login(this, slot))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	if (!find_key(this, keyid))
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h
new file mode 100644
index 000000000..428913f0a
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_private_key pkcs11_private_key
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_PRIVATE_KEY_H_
+#define PKCS11_PRIVATE_KEY_H_
+
+typedef struct pkcs11_private_key_t pkcs11_private_key_t;
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+#include "pkcs11.h"
+
+/**
+ * Private Key implementation on top of PKCS#11.
+ */
+struct pkcs11_private_key_t {
+
+	/**
+	 * Implements private_key_t interface.
+	 */
+	private_key_t key;
+};
+
+/**
+ * Open a private key on a PKCS#11 device.
+ *
+ * Accepts the BUILD_SMARTCARD_KEYID and the BUILD_SMARTCARD_PIN arguments.
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args);
+
+/**
+ * Get the Cryptoki mechanism for a signature scheme.
+ */
+CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme);
+
+/**
+ * Get the Cryptoki mechanism for a encryption scheme.
+ */
+CK_MECHANISM_PTR pkcs11_encryption_scheme_to_mech(encryption_scheme_t scheme);
+
+#endif /** PKCS11_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
new file mode 100644
index 000000000..8d32d9a3f
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
@@ -0,0 +1,473 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_public_key.h"
+
+#include "pkcs11.h"
+#include "pkcs11_private_key.h"
+#include "pkcs11_manager.h"
+
+#include <debug.h>
+#include <threading/mutex.h>
+
+typedef struct private_pkcs11_public_key_t private_pkcs11_public_key_t;
+
+/**
+ * Private data of an pkcs11_public_key_t object.
+ */
+struct private_pkcs11_public_key_t {
+
+	/**
+	 * Public pkcs11_public_key_t interface.
+	 */
+	pkcs11_public_key_t public;
+
+	/**
+	 * Type of the key
+	 */
+	key_type_t type;
+
+	/**
+	 * Key size in bytes
+	 */
+	size_t k;
+
+	/**
+	 * PKCS#11 library this key uses
+	 */
+	pkcs11_library_t *lib;
+
+	/**
+	 * Slot the token is in
+	 */
+	CK_SLOT_ID slot;
+
+	/**
+	 * Session we use
+	 */
+	CK_SESSION_HANDLE session;
+
+	/**
+	 * Object handle to the key
+	 */
+	CK_OBJECT_HANDLE object;
+
+	/**
+	 * Mutex to lock session
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * References to this key
+	 */
+	refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+	private_pkcs11_public_key_t *this)
+{
+	return this->type;
+}
+
+METHOD(public_key_t, get_keysize, int,
+	private_pkcs11_public_key_t *this)
+{
+	return this->k * 8;
+}
+
+METHOD(public_key_t, verify, bool,
+	private_pkcs11_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t sig)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_RV rv;
+
+	mechanism = pkcs11_signature_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+	if (sig.len && sig.ptr[0] == 0)
+	{	/* trim leading zero byte in sig */
+		sig = chunk_skip(sig, 1);
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_VerifyInit(this->session, mechanism, this->object);
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_VerifyInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	rv = this->lib->f->C_Verify(this->session, data.ptr, data.len,
+								sig.ptr, sig.len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Verify() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(public_key_t, encrypt, bool,
+	private_pkcs11_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypt)
+{
+	CK_MECHANISM_PTR mechanism;
+	CK_BYTE_PTR buf;
+	CK_ULONG len;
+	CK_RV rv;
+
+	mechanism = pkcs11_encryption_scheme_to_mech(scheme);
+	if (!mechanism)
+	{
+		DBG1(DBG_LIB, "encryption scheme %N not supported",
+			 encryption_scheme_names, scheme);
+		return FALSE;
+	}
+	this->mutex->lock(this->mutex);
+	rv = this->lib->f->C_EncryptInit(this->session, mechanism, this->object);
+	if (rv != CKR_OK)
+	{
+		this->mutex->unlock(this->mutex);
+		DBG1(DBG_LIB, "C_EncryptInit() failed: %N", ck_rv_names, rv);
+		return FALSE;
+	}
+	len = (get_keysize(this) + 7) / 8;
+	buf = malloc(len);
+	rv = this->lib->f->C_Encrypt(this->session, plain.ptr, plain.len, buf, &len);
+	this->mutex->unlock(this->mutex);
+	if (rv != CKR_OK)
+	{
+		DBG1(DBG_LIB, "C_Encrypt() failed: %N", ck_rv_names, rv);
+		free(buf);
+		return FALSE;
+	}
+	*crypt = chunk_create(buf, len);
+	return TRUE;
+}
+
+/**
+ * Encode RSA key using a given encoding type
+ */
+static bool encode_rsa(private_pkcs11_public_key_t *this,
+					cred_encoding_type_t type, void *cache, chunk_t *encoding)
+{
+	CK_RV rv;
+	bool success = FALSE;
+	chunk_t n, e;
+	CK_ATTRIBUTE attr[] = {
+		{CKA_MODULUS, NULL, 0},
+		{CKA_PUBLIC_EXPONENT, NULL, 0},
+	};
+
+	rv = this->lib->f->C_GetAttributeValue(this->session, this->object,
+										   attr, countof(attr));
+	if (rv != CKR_OK ||
+		attr[0].ulValueLen == 0 || attr[0].ulValueLen == -1 ||
+		attr[1].ulValueLen == 0 || attr[1].ulValueLen == -1)
+	{
+		return FALSE;
+	}
+	attr[0].pValue = malloc(attr[0].ulValueLen);
+	attr[1].pValue = malloc(attr[1].ulValueLen);
+	rv = this->lib->f->C_GetAttributeValue(this->session, this->object,
+										   attr, countof(attr));
+	if (rv == CKR_OK)
+	{
+		n = chunk_create(attr[0].pValue, attr[0].ulValueLen);
+		e = chunk_create(attr[1].pValue, attr[1].ulValueLen);
+		success = lib->encoding->encode(lib->encoding, type, cache, encoding,
+			CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
+	}
+	free(attr[0].pValue);
+	free(attr[1].pValue);
+	return success;
+}
+
+METHOD(public_key_t, get_encoding, bool,
+	private_pkcs11_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	switch (this->type)
+	{
+		case KEY_RSA:
+			return encode_rsa(this, type, NULL, encoding);
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+	private_pkcs11_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	switch (this->type)
+	{
+		case KEY_RSA:
+			return encode_rsa(this, type, this, fp);
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_pkcs11_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(public_key_t, destroy, void,
+	private_pkcs11_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		this->lib->f->C_CloseSession(this->session);
+		this->mutex->destroy(this->mutex);
+		free(this);
+	}
+}
+
+/**
+ * Create an empty PKCS#11 public key
+ */
+static private_pkcs11_public_key_t *create(key_type_t type, size_t k,
+							pkcs11_library_t *p11, CK_SLOT_ID slot,
+							CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object)
+{
+	private_pkcs11_public_key_t *this;
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.type = type,
+		.k = k,
+		.lib = p11,
+		.slot = slot,
+		.session = session,
+		.object = object,
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+		.ref = 1,
+	);
+
+	return this;
+}
+
+/**
+ * Find a key object, including PKCS11 library and slot
+ */
+static private_pkcs11_public_key_t* find_rsa_key(chunk_t n, chunk_t e)
+{
+	private_pkcs11_public_key_t *this = NULL;
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator, *keys;
+	pkcs11_library_t *p11;
+	CK_SLOT_ID slot;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+		CK_KEY_TYPE type = CKK_RSA;
+		CK_ATTRIBUTE tmpl[] = {
+			{CKA_CLASS, &class, sizeof(class)},
+			{CKA_KEY_TYPE, &type, sizeof(type)},
+			{CKA_MODULUS, n.ptr, n.len},
+			{CKA_PUBLIC_EXPONENT, e.ptr, e.len},
+		};
+		CK_OBJECT_HANDLE object;
+		CK_SESSION_HANDLE session;
+		CK_RV rv;
+
+		rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
+								   &session);
+		if (rv != CKR_OK)
+		{
+			DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
+			continue;
+		}
+		keys = p11->create_object_enumerator(p11, session,
+											 tmpl, countof(tmpl), NULL, 0);
+		if (keys->enumerate(keys, &object))
+		{
+			this = create(KEY_RSA, n.len, p11, slot, session, object);
+			keys->destroy(keys);
+			break;
+		}
+		keys->destroy(keys);
+		p11->f->C_CloseSession(session);
+	}
+	enumerator->destroy(enumerator);
+	return this;
+}
+
+/**
+ * Create a key object in a suitable token session
+ */
+static private_pkcs11_public_key_t* create_rsa_key(chunk_t n, chunk_t e)
+{
+	private_pkcs11_public_key_t *this = NULL;
+	pkcs11_manager_t *manager;
+	enumerator_t *enumerator, *mechs;
+	pkcs11_library_t *p11;
+	CK_SLOT_ID slot;
+
+	manager = pkcs11_manager_get();
+	if (!manager)
+	{
+		return NULL;
+	}
+
+	enumerator = manager->create_token_enumerator(manager);
+	while (enumerator->enumerate(enumerator, &p11, &slot))
+	{
+		CK_MECHANISM_TYPE mech;
+		CK_MECHANISM_INFO info;
+		CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
+		CK_KEY_TYPE type = CKK_RSA;
+		CK_ATTRIBUTE tmpl[] = {
+			{CKA_CLASS, &class, sizeof(class)},
+			{CKA_KEY_TYPE, &type, sizeof(type)},
+			{CKA_MODULUS, n.ptr, n.len},
+			{CKA_PUBLIC_EXPONENT, e.ptr, e.len}
+		};
+		CK_OBJECT_HANDLE object;
+		CK_SESSION_HANDLE session;
+		CK_RV rv;
+
+		mechs = p11->create_mechanism_enumerator(p11, slot);
+		while (mechs->enumerate(mechs, &mech, &info))
+		{
+			if (!(info.flags & CKF_VERIFY))
+			{
+				continue;
+			}
+			switch (mech)
+			{
+				case CKM_RSA_PKCS:
+				case CKM_SHA1_RSA_PKCS:
+				case CKM_SHA256_RSA_PKCS:
+				case CKM_SHA384_RSA_PKCS:
+				case CKM_SHA512_RSA_PKCS:
+				case CKM_MD5_RSA_PKCS:
+					break;
+				default:
+					continue;
+			}
+			rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
+									   &session);
+			if (rv != CKR_OK)
+			{
+				DBG1(DBG_CFG, "opening PKCS#11 session failed: %N",
+					 ck_rv_names, rv);
+				continue;
+			}
+			rv = p11->f->C_CreateObject(session, tmpl, countof(tmpl), &object);
+			if (rv == CKR_OK)
+			{
+				this = create(KEY_RSA, n.len, p11, slot, session, object);
+				DBG2(DBG_CFG, "created RSA public key on token '%s':%d ",
+					 p11->get_name(p11), slot);
+				break;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "creating RSA public key on token '%s':%d "
+					 "failed: %N", p11->get_name(p11), slot, ck_rv_names, rv);
+				p11->f->C_CloseSession(session);
+			}
+		}
+		mechs->destroy(mechs);
+		if (this)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return this;
+}
+
+/**
+ * See header
+ */
+pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args)
+{
+	private_pkcs11_public_key_t *this;
+	chunk_t n, e;
+
+	n = e = chunk_empty;
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_RSA_MODULUS:
+				n = va_arg(args, chunk_t);
+				continue;
+			case BUILD_RSA_PUB_EXP:
+				e = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+	if (type == KEY_RSA && e.ptr && n.ptr)
+	{
+		if (n.len && n.ptr[0] == 0)
+		{	/* trim leading zero byte in modulus */
+			n = chunk_skip(n, 1);
+		}
+		this = find_rsa_key(n, e);
+		if (this)
+		{
+			return &this->public;
+		}
+		this = create_rsa_key(n, e);
+		if (this)
+		{
+			return &this->public;
+		}
+	}
+	return NULL;
+}
+
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
new file mode 100644
index 000000000..4fd94620e
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_public_key pkcs11_public_key
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_PUBLIC_KEY_H_
+#define PKCS11_PUBLIC_KEY_H_
+
+typedef struct pkcs11_public_key_t pkcs11_public_key_t;
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * PKCS#11 based public key implementation.
+ */
+struct pkcs11_public_key_t {
+
+	/**
+	 * Implements public_key_t.
+	 */
+	public_key_t key;
+};
+
+/**
+ * Create a public key in a PKCS#11 session.
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args);
+
+#endif /** PKCS11_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 336d0bc02..e1427bf15 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -189,7 +189,6 @@ static bool load(private_plugin_loader_t *this, char *path, char *list)
 		plugin = load_plugin(this, path, token);
 		if (plugin)
 		{
-			/* insert in front to destroy them in reverse order */
 			this->plugins->insert_last(this->plugins, plugin);
 			this->names->insert_last(this->names, token);
 		}
@@ -215,12 +214,13 @@ static void unload(private_plugin_loader_t *this)
 	plugin_t *plugin;
 	char *name;
 
-	while (this->plugins->remove_first(this->plugins,
+	/* unload plugins in reverse order */
+	while (this->plugins->remove_last(this->plugins,
 									   (void**)&plugin) == SUCCESS)
 	{
 		plugin->destroy(plugin);
 	}
-	while (this->names->remove_first(this->names, (void**)&name) == SUCCESS)
+	while (this->names->remove_last(this->names, (void**)&name) == SUCCESS)
 	{
 		free(name);
 	}
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 4dc5985cd..495223855 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
index b0eabc9ee..6f41ada2a 100644
--- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
+++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c
@@ -50,7 +50,7 @@ plugin_t *pubkey_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE,
 							(builder_function_t)pubkey_cert_wrap);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index af929080d..efd24c761 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 871566e65..16a9d21c5 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -168,6 +169,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -199,14 +202,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -221,24 +227,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -246,7 +259,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c
index d352a9583..02393b907 100644
--- a/src/libstrongswan/plugins/revocation/revocation_plugin.c
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c
@@ -52,7 +52,11 @@ plugin_t *revocation_plugin_create()
 	private_revocation_plugin_t *this;
 
 	INIT(this,
-		.public.plugin.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
 		.validator = revocation_validator_create(),
 	);
 	lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 703764e5e..1036bedfc 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 5e490f2e5..579e6f9b0 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -164,6 +165,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -195,14 +198,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -217,24 +223,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -242,7 +255,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 6d81d0d81..9c9b57f98 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -167,6 +168,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -198,14 +201,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -220,24 +226,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -245,7 +258,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 6d3b05d19..049301977 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -13,9 +13,14 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
 	test_vectors/3des_cbc.c \
 	test_vectors/aes_cbc.c \
+	test_vectors/aes_ctr.c \
 	test_vectors/aes_xcbc.c \
+	test_vectors/aes_ccm.c \
+	test_vectors/aes_gcm.c \
 	test_vectors/blowfish.c \
 	test_vectors/camellia_cbc.c \
+	test_vectors/camellia_ctr.c \
+	test_vectors/camellia_xcbc.c \
 	test_vectors/cast.c \
 	test_vectors/des.c \
 	test_vectors/idea.c \
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 20a6db81e..9be3f825a 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -75,10 +76,11 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
 LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
 libstrongswan_test_vectors_la_LIBADD =
 am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
-	3des_cbc.lo aes_cbc.lo aes_xcbc.lo blowfish.lo camellia_cbc.lo \
-	cast.lo des.lo idea.lo null.lo rc5.lo serpent_cbc.lo \
-	twofish_cbc.lo md2.lo md4.lo md5.lo md5_hmac.lo sha1.lo \
-	sha1_hmac.lo sha2.lo sha2_hmac.lo fips_prf.lo rng.lo
+	3des_cbc.lo aes_cbc.lo aes_ctr.lo aes_xcbc.lo aes_ccm.lo \
+	aes_gcm.lo blowfish.lo camellia_cbc.lo camellia_ctr.lo \
+	camellia_xcbc.lo cast.lo des.lo idea.lo null.lo rc5.lo \
+	serpent_cbc.lo twofish_cbc.lo md2.lo md4.lo md5.lo md5_hmac.lo \
+	sha1.lo sha1_hmac.lo sha2.lo sha2_hmac.lo fips_prf.lo rng.lo
 libstrongswan_test_vectors_la_OBJECTS =  \
 	$(am_libstrongswan_test_vectors_la_OBJECTS)
 libstrongswan_test_vectors_la_LINK = $(LIBTOOL) --tag=CC \
@@ -171,6 +173,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +206,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +231,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +263,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -269,9 +286,14 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors_plugin.h test_vectors_plugin.c test_vectors.h \
 	test_vectors/3des_cbc.c \
 	test_vectors/aes_cbc.c \
+	test_vectors/aes_ctr.c \
 	test_vectors/aes_xcbc.c \
+	test_vectors/aes_ccm.c \
+	test_vectors/aes_gcm.c \
 	test_vectors/blowfish.c \
 	test_vectors/camellia_cbc.c \
+	test_vectors/camellia_ctr.c \
+	test_vectors/camellia_xcbc.c \
 	test_vectors/cast.c \
 	test_vectors/des.c \
 	test_vectors/idea.c \
@@ -376,9 +398,14 @@ distclean-compile:
 
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/3des_cbc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_cbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_ccm.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_ctr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_gcm.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_xcbc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/blowfish.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_cbc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_ctr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/camellia_xcbc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cast.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf.Plo@am__quote@
@@ -433,6 +460,13 @@ aes_cbc.lo: test_vectors/aes_cbc.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.lo `test -f 'test_vectors/aes_cbc.c' || echo '$(srcdir)/'`test_vectors/aes_cbc.c
 
+aes_ctr.lo: test_vectors/aes_ctr.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ctr.lo -MD -MP -MF $(DEPDIR)/aes_ctr.Tpo -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_ctr.Tpo $(DEPDIR)/aes_ctr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_ctr.c' object='aes_ctr.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ctr.lo `test -f 'test_vectors/aes_ctr.c' || echo '$(srcdir)/'`test_vectors/aes_ctr.c
+
 aes_xcbc.lo: test_vectors/aes_xcbc.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc.lo -MD -MP -MF $(DEPDIR)/aes_xcbc.Tpo -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_xcbc.Tpo $(DEPDIR)/aes_xcbc.Plo
@@ -440,6 +474,20 @@ aes_xcbc.lo: test_vectors/aes_xcbc.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc.lo `test -f 'test_vectors/aes_xcbc.c' || echo '$(srcdir)/'`test_vectors/aes_xcbc.c
 
+aes_ccm.lo: test_vectors/aes_ccm.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_ccm.lo -MD -MP -MF $(DEPDIR)/aes_ccm.Tpo -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_ccm.Tpo $(DEPDIR)/aes_ccm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_ccm.c' object='aes_ccm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_ccm.lo `test -f 'test_vectors/aes_ccm.c' || echo '$(srcdir)/'`test_vectors/aes_ccm.c
+
+aes_gcm.lo: test_vectors/aes_gcm.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_gcm.lo -MD -MP -MF $(DEPDIR)/aes_gcm.Tpo -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/aes_gcm.Tpo $(DEPDIR)/aes_gcm.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/aes_gcm.c' object='aes_gcm.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_gcm.lo `test -f 'test_vectors/aes_gcm.c' || echo '$(srcdir)/'`test_vectors/aes_gcm.c
+
 blowfish.lo: test_vectors/blowfish.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT blowfish.lo -MD -MP -MF $(DEPDIR)/blowfish.Tpo -c -o blowfish.lo `test -f 'test_vectors/blowfish.c' || echo '$(srcdir)/'`test_vectors/blowfish.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/blowfish.Tpo $(DEPDIR)/blowfish.Plo
@@ -454,6 +502,20 @@ camellia_cbc.lo: test_vectors/camellia_cbc.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_cbc.lo `test -f 'test_vectors/camellia_cbc.c' || echo '$(srcdir)/'`test_vectors/camellia_cbc.c
 
+camellia_ctr.lo: test_vectors/camellia_ctr.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_ctr.lo -MD -MP -MF $(DEPDIR)/camellia_ctr.Tpo -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_ctr.Tpo $(DEPDIR)/camellia_ctr.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_ctr.c' object='camellia_ctr.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_ctr.lo `test -f 'test_vectors/camellia_ctr.c' || echo '$(srcdir)/'`test_vectors/camellia_ctr.c
+
+camellia_xcbc.lo: test_vectors/camellia_xcbc.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT camellia_xcbc.lo -MD -MP -MF $(DEPDIR)/camellia_xcbc.Tpo -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/camellia_xcbc.Tpo $(DEPDIR)/camellia_xcbc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='test_vectors/camellia_xcbc.c' object='camellia_xcbc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o camellia_xcbc.lo `test -f 'test_vectors/camellia_xcbc.c' || echo '$(srcdir)/'`test_vectors/camellia_xcbc.c
+
 cast.lo: test_vectors/cast.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cast.lo -MD -MP -MF $(DEPDIR)/cast.Tpo -c -o cast.lo `test -f 'test_vectors/cast.c' || echo '$(srcdir)/'`test_vectors/cast.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/cast.Tpo $(DEPDIR)/cast.Plo
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index b182dd829..ab4689c1c 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -19,6 +19,15 @@ TEST_VECTOR_CRYPTER(aes_cbc3)
 TEST_VECTOR_CRYPTER(aes_cbc4)
 TEST_VECTOR_CRYPTER(aes_cbc5)
 TEST_VECTOR_CRYPTER(aes_cbc6)
+TEST_VECTOR_CRYPTER(aes_ctr1)
+TEST_VECTOR_CRYPTER(aes_ctr2)
+TEST_VECTOR_CRYPTER(aes_ctr3)
+TEST_VECTOR_CRYPTER(aes_ctr4)
+TEST_VECTOR_CRYPTER(aes_ctr5)
+TEST_VECTOR_CRYPTER(aes_ctr6)
+TEST_VECTOR_CRYPTER(aes_ctr7)
+TEST_VECTOR_CRYPTER(aes_ctr8)
+TEST_VECTOR_CRYPTER(aes_ctr9)
 TEST_VECTOR_CRYPTER(blowfish1)
 TEST_VECTOR_CRYPTER(blowfish2)
 TEST_VECTOR_CRYPTER(camellia_cbc1)
@@ -27,6 +36,15 @@ TEST_VECTOR_CRYPTER(camellia_cbc3)
 TEST_VECTOR_CRYPTER(camellia_cbc4)
 TEST_VECTOR_CRYPTER(camellia_cbc5)
 TEST_VECTOR_CRYPTER(camellia_cbc6)
+TEST_VECTOR_CRYPTER(camellia_ctr1)
+TEST_VECTOR_CRYPTER(camellia_ctr2)
+TEST_VECTOR_CRYPTER(camellia_ctr3)
+TEST_VECTOR_CRYPTER(camellia_ctr4)
+TEST_VECTOR_CRYPTER(camellia_ctr5)
+TEST_VECTOR_CRYPTER(camellia_ctr6)
+TEST_VECTOR_CRYPTER(camellia_ctr7)
+TEST_VECTOR_CRYPTER(camellia_ctr8)
+TEST_VECTOR_CRYPTER(camellia_ctr9)
 TEST_VECTOR_CRYPTER(cast1)
 TEST_VECTOR_CRYPTER(des_cbc1)
 TEST_VECTOR_CRYPTER(des_cbc2)
@@ -49,11 +67,31 @@ TEST_VECTOR_CRYPTER(twofish_cbc1)
 TEST_VECTOR_CRYPTER(twofish_cbc2)
 TEST_VECTOR_CRYPTER(twofish_cbc3)
 
+TEST_VECTOR_AEAD(aes_ccm1)
+TEST_VECTOR_AEAD(aes_ccm2)
+TEST_VECTOR_AEAD(aes_ccm3)
+TEST_VECTOR_AEAD(aes_ccm4)
+TEST_VECTOR_AEAD(aes_ccm5)
+TEST_VECTOR_AEAD(aes_ccm6)
+TEST_VECTOR_AEAD(aes_ccm7)
+TEST_VECTOR_AEAD(aes_ccm8)
+TEST_VECTOR_AEAD(aes_ccm9)
+TEST_VECTOR_AEAD(aes_ccm10)
+TEST_VECTOR_AEAD(aes_ccm11)
+TEST_VECTOR_AEAD(aes_gcm1)
+TEST_VECTOR_AEAD(aes_gcm2)
+TEST_VECTOR_AEAD(aes_gcm3)
+TEST_VECTOR_AEAD(aes_gcm4)
+TEST_VECTOR_AEAD(aes_gcm5)
+TEST_VECTOR_AEAD(aes_gcm6)
+TEST_VECTOR_AEAD(aes_gcm7)
+
 TEST_VECTOR_SIGNER(aes_xcbc_s1)
 TEST_VECTOR_SIGNER(aes_xcbc_s2)
 TEST_VECTOR_SIGNER(aes_xcbc_s3)
 TEST_VECTOR_SIGNER(aes_xcbc_s4)
 TEST_VECTOR_SIGNER(aes_xcbc_s5)
+TEST_VECTOR_SIGNER(camellia_xcbc_s1)
 TEST_VECTOR_SIGNER(md5_hmac_s1)
 TEST_VECTOR_SIGNER(md5_hmac_s2)
 TEST_VECTOR_SIGNER(md5_hmac_s3)
@@ -118,6 +156,9 @@ TEST_VECTOR_PRF(aes_xcbc_p4)
 TEST_VECTOR_PRF(aes_xcbc_p5)
 TEST_VECTOR_PRF(aes_xcbc_p6)
 TEST_VECTOR_PRF(aes_xcbc_p7)
+TEST_VECTOR_PRF(camellia_xcbc_p1)
+TEST_VECTOR_PRF(camellia_xcbc_p2)
+TEST_VECTOR_PRF(camellia_xcbc_p3)
 TEST_VECTOR_PRF(md5_hmac_p1)
 TEST_VECTOR_PRF(md5_hmac_p2)
 TEST_VECTOR_PRF(md5_hmac_p3)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
new file mode 100644
index 000000000..8de180ad5
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ccm.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test vectors with 11 bytes nonces are hard to find, neither RFC3610 nor
+ * NIST 800-38C has one. These vectors are taken from the Linux kernel,
+ * originally from "fips cavs fax files on hand at Red Hat".
+ */
+aead_test_vector_t aes_ccm1 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 0,
+	.key	= "\x83\xac\x54\x66\xc2\xeb\xe5\x05\x2e\x01\xd1\xfc\x5d\x82\x66\x2e"
+			  "\x96\xac\x59",
+	.iv		= "\x30\x07\xa1\xe2\xa2\xc7\x55\x24",
+	.plain	= "\x19\xc8\x81\xf6\xe9\x86\xff\x93\x0b\x78\x67\xe5\xbb\xb7\xfc\x6e"
+			  "\x83\x77\xb3\xa6\x0c\x8c\x9f\x9c\x35\x2e\xad\xe0\x62\xf9\x91\xa1",
+	.cipher	= "\xab\x6f\xe1\x69\x1d\x19\x99\xa8\x92\xa0\xc4\x6f\x7e\xe2\x8b\xb1"
+			  "\x70\xbb\x8c\xa6\x4c\x6e\x97\x8a\x57\x2b\xbe\x5d\x98\xa6\xb1\x32"
+			  "\xda\x24\xea\xd9\xa1\x39\x98\xfd\xa4\xbe\xd9\xf2\x1a\x6d\x22\xa8",
+};
+
+aead_test_vector_t aes_ccm2 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 16, .len = 32, .alen = 32,
+	.key	= "\x1e\x2c\x7e\x01\x41\x9a\xef\xc0\x0d\x58\x96\x6e\x5c\xa2\x4b\xd3"
+			  "\x4f\xa3\x19",
+	.iv		= "\xd3\x01\x5a\xd8\x30\x60\x15\x56",
+	.adata	= "\xda\xe6\x28\x9c\x45\x2d\xfd\x63\x5e\xda\x4c\xb6\xe6\xfc\xf9\xb7"
+			  "\x0c\x56\xcb\xe4\xe0\x05\x7a\xe1\x0a\x63\x09\x78\xbc\x2c\x55\xde",
+	.plain	= "\x87\xa3\x36\xfd\x96\xb3\x93\x78\xa9\x28\x63\xba\x12\xa3\x14\x85"
+			  "\x57\x1e\x06\xc9\x7b\x21\xef\x76\x7f\x38\x7e\x8e\x29\xa4\x3e\x7e",
+	.cipher	= "\x8a\x1e\x11\xf0\x02\x6b\xe2\x19\xfc\x70\xc4\x6d\x8e\xb7\x99\xab"
+			  "\xc5\x4b\xa2\xac\xd3\xf3\x48\xff\x3b\xb5\xce\x53\xef\xde\xbb\x02"
+			  "\xa9\x86\x15\x6c\x13\xfe\xda\x0a\x22\xb8\x29\x3d\xd8\x39\x9a\x23",
+};
+
+aead_test_vector_t aes_ccm3 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 0, .alen = 32,
+	.key	= "\xf4\x6b\xc2\x75\x62\xfe\xb4\xe1\xa3\xf0\xff\xdd\x4e\x4b\x12\x75"
+			  "\x53\x14\x73\x66\x8d\x88\xf6\x80\xa0\x20\x35",
+	.iv		= "\x26\xf2\x21\x8d\x50\x20\xda\xe2",
+	.adata	= "\x5b\x9e\x13\x67\x02\x5e\xef\xc1\x6c\xf9\xd7\x1e\x52\x8f\x7a\x47"
+			  "\xe9\xd4\xcf\x20\x14\x6e\xf0\x2d\xd8\x9e\x2b\x56\x10\x23\x56\xe7",
+	.cipher	= "\x36\xea\x7a\x70\x08\xdc\x6a\xbc\xad\x0c\x7a\x63\xf6\x61\xfd\x9b",
+};
+
+aead_test_vector_t aes_ccm4 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 24, .len = 32, .alen = 32,
+	.key	= "\x56\xdf\x5c\x8f\x26\x3f\x0e\x42\xef\x7a\xd3\xce\xfc\x84\x60\x62"
+			  "\xca\xb4\x40\xaf\x5f\xc9\xc9\x01\xd6\x3c\x8c",
+	.iv		= "\x86\x84\xb6\xcd\xef\x09\x2e\x94",
+	.adata	= "\x02\x65\x78\x3c\xe9\x21\x30\x91\xb1\xb9\xda\x76\x9a\x78\x6d\x95"
+			  "\xf2\x88\x32\xa3\xf2\x50\xcb\x4c\xe3\x00\x73\x69\x84\x69\x87\x79",
+	.plain	= "\x9f\xd2\x02\x4b\x52\x49\x31\x3c\x43\x69\x3a\x2d\x8e\x70\xad\x7e"
+			  "\xe0\xe5\x46\x09\x80\x89\x13\xb2\x8c\x8b\xd9\x3f\x86\xfb\xb5\x6b",
+	.cipher	= "\x39\xdf\x7c\x3c\x5a\x29\xb9\x62\x5d\x51\xc2\x16\xd8\xbd\x06\x9f"
+			  "\x9b\x6a\x09\x70\xc1\x51\x83\xc2\x66\x88\x1d\x4f\x9a\xda\xe0\x1e"
+			  "\xc7\x79\x11\x58\xe5\x6b\x20\x40\x7a\xea\x46\x42\x8b\xe4\x6f\xe1",
+};
+
+aead_test_vector_t aes_ccm5 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 32, .alen = 32,
+	.key	= "\xe0\x8d\x99\x71\x60\xd7\x97\x1a\xbd\x01\x99\xd5\x8a\xdf\x71\x3a"
+			  "\xd3\xdf\x24\x4b\x5e\x3d\x4b\x4e\x30\x7a\xb9\xd8\x53\x0a\x5e\x2b"
+			  "\x1e\x29\x91",
+	.iv		= "\xad\x8e\xc1\x53\x0a\xcf\x2d\xbe",
+	.adata	= "\x19\xb6\x1f\x57\xc4\xf3\xf0\x8b\x78\x2b\x94\x02\x29\x0f\x42\x27"
+			  "\x6b\x75\xcb\x98\x34\x08\x7e\x79\xe4\x3e\x49\x0d\x84\x8b\x22\x87",
+	.plain	= "\xe1\xd9\xd8\x13\xeb\x3a\x75\x3f\x9d\xbd\x5f\x66\xbe\xdc\xbb\x66"
+			  "\xbf\x17\x99\x62\x4a\x39\x27\x1f\x1d\xdc\x24\xae\x19\x2f\x98\x4c",
+	.cipher	= "\x19\xb8\x61\x33\x45\x2b\x43\x96\x6f\x51\xd0\x20\x30\x7d\x9b\xc6"
+			  "\x26\x3d\xf8\xc9\x65\x16\xa8\x9f\xf0\x62\x17\x34\xf2\x1e\x8d\x75"
+			  "\x4e\x13\xcc\xc0\xc3\x2a\x54\x2d",
+};
+
+aead_test_vector_t aes_ccm6 = {
+	.alg = ENCR_AES_CCM_ICV12, .key_size = 32, .len = 32, .alen = 32,
+	.key	= "\x7c\xc8\x18\x3b\x8d\x99\xe0\x7c\x45\x41\xb8\xbd\x5c\xa7\xc2\x32"
+			  "\x8a\xb8\x02\x59\xa4\xfe\xa9\x2c\x09\x75\x9a\x9b\x3c\x9b\x27\x39"
+			  "\xf9\xd9\x4e",
+	.iv		= "\x63\xb5\x3d\x9d\x43\xf6\x1e\x50",
+	.adata	= "\x57\xf5\x6b\x8b\x57\x5c\x3d\x3b\x13\x02\x01\x0c\x83\x4c\x96\x35"
+			  "\x8e\xd6\x39\xcf\x7d\x14\x9b\x94\xb0\x39\x36\xe6\x8f\x57\xe0\x13",
+	.plain	= "\x3b\x6c\x29\x36\xb6\xef\x07\xa6\x83\x72\x07\x4f\xcf\xfa\x66\x89"
+			  "\x5f\xca\xb1\xba\xd5\x8f\x2c\x27\x30\xdb\x75\x09\x93\xd4\x65\xe4",
+	.cipher	= "\xb0\x88\x5a\x33\xaa\xe5\xc7\x1d\x85\x23\xc7\xc6\x2f\xf4\x1e\x3d"
+			  "\xcc\x63\x44\x25\x07\x78\x4f\x9e\x96\xb8\x88\xeb\xbc\x48\x1f\x06"
+			  "\x39\xaf\x39\xac\xd8\x4a\x80\x39\x7b\x72\x8a\xf7",
+};
+
+aead_test_vector_t aes_ccm7 = {
+	.alg = ENCR_AES_CCM_ICV16, .key_size = 32, .len = 32, .alen = 32,
+	.key	= "\xab\xd0\xe9\x33\x07\x26\xe5\x83\x8c\x76\x95\xd4\xb6\xdc\xf3\x46"
+			  "\xf9\x8f\xad\xe3\x02\x13\x83\x77\x3f\xb0\xf1\xa1\xa1\x22\x0f\x2b"
+			  "\x24\xa7\x8b",
+	.iv		= "\x07\xcb\xcc\x0e\xe6\x33\xbf\xf5",
+	.adata	= "\xd4\xdb\x30\x1d\x03\xfe\xfd\x5f\x87\xd4\x8c\xb6\xb6\xf1\x7a\x5d"
+			  "\xab\x90\x65\x8d\x8e\xca\x4d\x4f\x16\x0c\x40\x90\x4b\xc7\x36\x73",
+	.plain	= "\xf5\xc6\x7d\x48\xc1\xb7\xe6\x92\x97\x5a\xca\xc4\xa9\x6d\xf9\x3d"
+			  "\x6c\xde\xbc\xf1\x90\xea\x6a\xb2\x35\x86\x36\xaf\x5c\xfe\x4b\x3a",
+	.cipher	= "\x83\x6f\x40\x87\x72\xcf\xc1\x13\xef\xbb\x80\x21\x04\x6c\x58\x09"
+			  "\x07\x1b\xfc\xdf\xc0\x3f\x5b\xc7\xe0\x79\xa8\x6e\x71\x7c\x3f\xcf"
+			  "\x5c\xda\xb2\x33\xe5\x13\xe2\x0d\x74\xd1\xef\xb5\x0f\x3a\xb5\xf8",
+};
+
+aead_test_vector_t aes_ccm8 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 16, .len = 0, .alen = 0,
+	.key	= "\xab\x2f\x8a\x74\xb7\x1c\xd2\xb1\xff\x80\x2e\x48\x7d\x82\xf8\xb9"
+			  "\xaf\x94\x87",
+	.iv		= "\x78\x35\x82\x81\x7f\x88\x94\x68",
+	.cipher	= "\x41\x3c\xb8\x87\x73\xcb\xf3\xf3",
+};
+
+aead_test_vector_t aes_ccm9 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 0, .alen = 32,
+	.key	= "\x39\xbb\xa7\xbe\x59\x97\x9e\x73\xa2\xbc\x6b\x98\xd7\x75\x7f\xe3"
+			  "\xa4\x48\x93\x39\x26\x71\x4a\xc6\xee\x49\x83",
+	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
+	.adata	= "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64"
+			  "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6\xdb\x00\x56\x36\x61",
+	.cipher	= "\x71\x99\xfa\xf4\x44\x12\x68\x9b",
+};
+
+aead_test_vector_t aes_ccm10 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 32, .len = 0, .alen = 0,
+	.key	= "\xa4\x4b\x54\x29\x0a\xb8\x6d\x01\x5b\x80\x2a\xcf\x25\xc4\xb7\x5c"
+			  "\x20\x2c\xad\x30\xc2\x2b\x41\xfb\x0e\x85\xbc\x33\xad\x0f\x2b\xff"
+			  "\xee\x49\x83",
+	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
+	.cipher	= "\x1f\xb8\x8f\xa3\xdd\x54\x00\xf2",
+};
+
+aead_test_vector_t aes_ccm11 = {
+	.alg = ENCR_AES_CCM_ICV8, .key_size = 24, .len = 32, .alen = 32,
+	.key	= "\x58\x5d\xa0\x96\x65\x1a\x04\xd7\x96\xe5\xc5\x68\xaa\x95\x35\xe0"
+			  "\x29\xa0\xba\x9e\x48\x78\xd1\xba\xee\x49\x83",
+	.iv		= "\xe9\xa9\xff\xe9\x57\xba\xfd\x9e",
+	.adata	= "\x44\xa6\x2c\x05\xe9\xe1\x43\xb1\x58\x7c\xf2\x5c\x6d\x39\x0a\x64"
+			  "\xa4\xf0\x13\x05\xd1\x77\x99\x67\x11\xc4\xc6\xdb\x00\x56\x36\x61",
+	.plain	= "\x85\x34\x66\x42\xc8\x92\x0f\x36\x58\xe0\x6b\x91\x3c\x98\x5c\xbb"
+			  "\x0a\x85\xcc\x02\xad\x7a\x96\xe9\x65\x43\xa4\xc3\x0f\xdc\x55\x81",
+	.cipher	= "\xfb\xe5\x5d\x34\xbe\xe5\xe8\xe7\x5a\xef\x2f\xbf\x1f\x7f\xd4\xb2"
+			  "\x66\xca\x61\x1e\x96\x7a\x61\xb3\x1c\x16\x45\x52\xba\x04\x9c\x9f"
+			  "\xb1\xd2\x40\xbc\x52\x7c\x6f\xb1",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c
new file mode 100644
index 000000000..1e5126a70
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_ctr.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test 1 of RFC3686
+ */
+crypter_test_vector_t aes_ctr1 = {
+	.alg = ENCR_AES_CTR, .key_size = 16, .len = 16,
+	.key	= "\xae\x68\x52\xf8\x12\x10\x67\xcc\x4b\xf7\xa5\x76\x55\x77\xf3\x9e"
+			  "\x00\x00\x00\x30",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "Single block msg",
+	.cipher	= "\xe4\x09\x5d\x4f\xb7\xa7\xb3\x79\x2d\x61\x75\xa3\x26\x13\x11\xb8"
+};
+
+/**
+ * Test 2 of RFC3686
+ */
+crypter_test_vector_t aes_ctr2 = {
+	.alg = ENCR_AES_CTR, .key_size = 16, .len = 32,
+	.key	= "\x7e\x24\x06\x78\x17\xfa\xe0\xd7\x43\xd6\xce\x1f\x32\x53\x91\x63"
+			  "\x00\x6c\xb6\xdb",
+	.iv		= "\xc0\x54\x3b\x59\xda\x48\xd9\x0b",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\x51\x04\xa1\x06\x16\x8a\x72\xd9\x79\x0d\x41\xee\x8e\xda\xd3\x88"
+			  "\xeb\x2e\x1e\xfc\x46\xda\x57\xc8\xfc\xe6\x30\xdf\x91\x41\xbe\x28"
+};
+
+/**
+ * Test 3 of RFC3686
+ */
+crypter_test_vector_t aes_ctr3 = {
+	.alg = ENCR_AES_CTR, .key_size = 16, .len = 36,
+	.key	= "\x76\x91\xbe\x03\x5e\x50\x20\xa8\xac\x6e\x61\x85\x29\xf9\xa0\xdc"
+			  "\x00\xe0\x01\x7b",
+	.iv		= "\x27\x77\x7f\x3f\x4a\x17\x86\xf0",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xc1\xcf\x48\xa8\x9f\x2f\xfd\xd9\xcf\x46\x52\xe9\xef\xdb\x72\xd7"
+			  "\x45\x40\xa4\x2b\xde\x6d\x78\x36\xd5\x9a\x5c\xea\xae\xf3\x10\x53"
+			  "\x25\xb2\x07\x2f",
+};
+
+/**
+ * Test 4 of RFC3686
+ */
+crypter_test_vector_t aes_ctr4 = {
+	.alg = ENCR_AES_CTR, .key_size = 24, .len = 16,
+	.key	= "\x16\xaf\x5b\x14\x5f\xc9\xf5\x79\xc1\x75\xf9\x3e\x3b\xfb\x0e\xed"
+			  "\x86\x3d\x06\xcc\xfd\xb7\x85\x15"
+			  "\x00\x00\x00\x48",
+	.iv		= "\x36\x73\x3c\x14\x7d\x6d\x93\xcb",
+	.plain	= "Single block msg",
+	.cipher	= "\x4b\x55\x38\x4f\xe2\x59\xc9\xc8\x4e\x79\x35\xa0\x03\xcb\xe9\x28",
+};
+
+/**
+ * Test 5 of RFC3686
+ */
+crypter_test_vector_t aes_ctr5 = {
+	.alg = ENCR_AES_CTR, .key_size = 24, .len = 32,
+	.key	= "\x7c\x5c\xb2\x40\x1b\x3d\xc3\x3c\x19\xe7\x34\x08\x19\xe0\xf6\x9c"
+			  "\x67\x8c\x3d\xb8\xe6\xf6\xa9\x1a"
+			  "\x00\x96\xb0\x3b",
+	.iv		= "\x02\x0c\x6e\xad\xc2\xcb\x50\x0d",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\x45\x32\x43\xfc\x60\x9b\x23\x32\x7e\xdf\xaa\xfa\x71\x31\xcd\x9f"
+			  "\x84\x90\x70\x1c\x5a\xd4\xa7\x9c\xfc\x1f\xe0\xff\x42\xf4\xfb\x00",
+};
+
+/**
+ * Test 6 of RFC3686
+ */
+crypter_test_vector_t aes_ctr6 = {
+	.alg = ENCR_AES_CTR, .key_size = 24, .len = 36,
+	.key	= "\x02\xbf\x39\x1e\xe8\xec\xb1\x59\xb9\x59\x61\x7b\x09\x65\x27\x9b"
+			  "\xf5\x9b\x60\xa7\x86\xd3\xe0\xfe"
+			  "\x00\x07\xbd\xfd",
+	.iv		= "\x5c\xbd\x60\x27\x8d\xcc\x09\x12",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\x96\x89\x3f\xc5\x5e\x5c\x72\x2f\x54\x0b\x7d\xd1\xdd\xf7\xe7\x58"
+			  "\xd2\x88\xbc\x95\xc6\x91\x65\x88\x45\x36\xc8\x11\x66\x2f\x21\x88"
+			  "\xab\xee\x09\x35",
+};
+
+/**
+ * Test 7 of RFC3686
+ */
+crypter_test_vector_t aes_ctr7 = {
+	.alg = ENCR_AES_CTR, .key_size = 32, .len = 16,
+	.key	= "\x77\x6b\xef\xf2\x85\x1d\xb0\x6f\x4c\x8a\x05\x42\xc8\x69\x6f\x6c"
+			  "\x6a\x81\xaf\x1e\xec\x96\xb4\xd3\x7f\xc1\xd6\x89\xe6\xc1\xc1\x04"
+			  "\x00\x00\x00\x60",
+	.iv		= "\xdb\x56\x72\xc9\x7a\xa8\xf0\xb2",
+	.plain	= "Single block msg",
+	.cipher	= "\x14\x5a\xd0\x1d\xbf\x82\x4e\xc7\x56\x08\x63\xdc\x71\xe3\xe0\xc0",
+};
+
+/**
+ * Test 8 of RFC3686
+ */
+crypter_test_vector_t aes_ctr8 = {
+	.alg = ENCR_AES_CTR, .key_size = 32, .len = 32,
+	.key	= "\xf6\xd6\x6d\x6b\xd5\x2d\x59\xbb\x07\x96\x36\x58\x79\xef\xf8\x86"
+			  "\xc6\x6d\xd5\x1a\x5b\x6a\x99\x74\x4b\x50\x59\x0c\x87\xa2\x38\x84"
+			  "\x00\xfa\xac\x24",
+	.iv		= "\xc1\x58\x5e\xf1\x5a\x43\xd8\x75",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\xf0\x5e\x23\x1b\x38\x94\x61\x2c\x49\xee\x00\x0b\x80\x4e\xb2\xa9"
+			  "\xb8\x30\x6b\x50\x8f\x83\x9d\x6a\x55\x30\x83\x1d\x93\x44\xaf\x1c",
+};
+
+/**
+ * Test 9 of RFC3686
+ */
+crypter_test_vector_t aes_ctr9 = {
+	.alg = ENCR_AES_CTR, .key_size = 32, .len = 36,
+	.key	= "\xff\x7a\x61\x7c\xe6\x91\x48\xe4\xf1\x72\x6e\x2f\x43\x58\x1d\xe2"
+			  "\xaa\x62\xd9\xf8\x05\x53\x2e\xdf\xf1\xee\xd6\x87\xfb\x54\x15\x3d"
+			  "\x00\x1c\xc5\xb7",
+	.iv		= "\x51\xa5\x1d\x70\xa1\xc1\x11\x48",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xeb\x6c\x52\x82\x1d\x0b\xbb\xf7\xce\x75\x94\x46\x2a\xca\x4f\xaa"
+			  "\xb4\x07\xdf\x86\x65\x69\xfd\x07\xf4\x8c\xc0\xb5\x83\xd6\x07\x1f"
+			  "\x1e\xc0\xe6\xb8",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
new file mode 100644
index 000000000..7534633e1
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/aes_gcm.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * From the Linux kernel, those with an IV. Originally from
+ * McGrew & Viega - http://citeseer.ist.psu.edu/656989.html
+ */
+aead_test_vector_t aes_gcm1 = {
+	.alg = ENCR_AES_GCM_ICV8, .key_size = 16, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
+			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6",
+};
+
+aead_test_vector_t aes_gcm2 = {
+	.alg = ENCR_AES_GCM_ICV12, .key_size = 16, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
+			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd",
+};
+
+aead_test_vector_t aes_gcm3 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x47\x3f\x59\x85"
+			  "\x4d\x5c\x2a\xf3\x27\xcd\x64\xa6\x2c\xf3\x5a\xbd\x2b\xa6\xfa\xb4",
+};
+
+aead_test_vector_t aes_gcm4 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 16, .len = 60, .alen = 20,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39",
+	.adata	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef"
+			  "\xab\xad\xda\xd2",
+	.cipher = "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c"
+			  "\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e"
+			  "\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05"
+			  "\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91\x5b\xc9\x4f\xbc"
+			  "\x32\x21\xa5\xdb\x94\xfa\xe9\x5a\xe7\x12\x1a\x47",
+};
+
+aead_test_vector_t aes_gcm5 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 24, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher = "\x39\x80\xca\x0b\x3c\x00\xe8\x41\xeb\x06\xfa\xc4\x87\x2a\x27\x57"
+			  "\x85\x9e\x1c\xea\xa6\xef\xd9\x84\x62\x85\x93\xb4\x0c\xa1\xe1\x9c"
+			  "\x7d\x77\x3d\x00\xc1\x44\xc5\x25\xac\x61\x9d\x18\xc8\x4a\x3f\x47"
+			  "\x18\xe2\x44\x8b\x2f\xe3\x24\xd9\xcc\xda\x27\x10\xac\xad\xe2\x56"
+			  "\x99\x24\xa7\xc8\x58\x73\x36\xbf\xb1\x18\x02\x4d\xb8\x67\x4a\x14",
+};
+
+aead_test_vector_t aes_gcm6 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 64, .alen = 0,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55",
+	.cipher	= "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
+			  "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
+			  "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38"
+			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x89\x80\x15\xad"
+			  "\xb0\x94\xda\xc5\xd9\x34\x71\xbd\xec\x1a\x50\x22\x70\xe3\xcc\x6c",
+};
+
+aead_test_vector_t aes_gcm7 = {
+	.alg = ENCR_AES_GCM_ICV16, .key_size = 32, .len = 60, .alen = 20,
+	.key	= "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"
+			  "\xca\xfe\xba\xbe",
+	.iv		= "\xfa\xce\xdb\xad\xde\xca\xf8\x88",
+	.adata	= "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef"
+			  "\xab\xad\xda\xd2",
+	.plain	= "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a"
+			  "\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72"
+			  "\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25"
+			  "\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39",
+	.cipher	= "\x52\x2d\xc1\xf0\x99\x56\x7d\x07\xf4\x7f\x37\xa3\x2a\x84\x42\x7d"
+			  "\x64\x3a\x8c\xdc\xbf\xe5\xc0\xc9\x75\x98\xa2\xbd\x25\x55\xd1\xaa"
+			  "\x8c\xb0\x8e\x48\x59\x0d\xbb\x3d\xa7\xb0\x8b\x10\x56\x82\x88\x38"
+			  "\xc5\xf6\x1e\x63\x93\xba\x7a\x0a\xbc\xc9\xf6\x62\x76\xfc\x6e\xce"
+			  "\x0f\x4e\x17\x68\xcd\xdf\x88\x53\xbb\x2d\x55\x1b",
+};
+
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c
new file mode 100644
index 000000000..241e6ca7a
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_ctr.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * Test 1 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr1 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 16,
+	.key	= "\xae\x68\x52\xf8\x12\x10\x67\xcc\x4b\xf7\xa5\x76\x55\x77\xf3\x9e"
+			  "\x00\x00\x00\x30",
+	.iv		= "\x00\x00\x00\x00\x00\x00\x00\x00",
+	.plain	= "Single block msg",
+	.cipher	= "\xd0\x9d\xc2\x9a\x82\x14\x61\x9a\x20\x87\x7c\x76\xdb\x1f\x0b\x3f"
+};
+
+/**
+ * Test 2 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr2 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 32,
+	.key	= "\x7e\x24\x06\x78\x17\xfa\xe0\xd7\x43\xd6\xce\x1f\x32\x53\x91\x63"
+			  "\x00\x6c\xb6\xdb",
+	.iv		= "\xc0\x54\x3b\x59\xda\x48\xd9\x0b",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\xdb\xf3\xc7\x8d\xc0\x83\x96\xd4\xda\x7c\x90\x77\x65\xbb\xcb\x44"
+			  "\x2b\x8e\x8e\x0f\x31\xf0\xdc\xa7\x2c\x74\x17\xe3\x53\x60\xe0\x48"
+};
+
+/**
+ * Test 3 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr3 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 16, .len = 36,
+	.key	= "\x76\x91\xbe\x03\x5e\x50\x20\xa8\xac\x6e\x61\x85\x29\xf9\xa0\xdc"
+			  "\x00\xe0\x01\x7b",
+	.iv		= "\x27\x77\x7f\x3f\x4a\x17\x86\xf0",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xb1\x9d\x1f\xcd\xcb\x75\xeb\x88\x2f\x84\x9c\xe2\x4d\x85\xcf\x73"
+			  "\x9c\xe6\x4b\x2b\x5c\x9d\x73\xf1\x4f\x2d\x5d\x9d\xce\x98\x89\xcd"
+			  "\xdf\x50\x86\x96",
+};
+
+/**
+ * Test 4 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr4 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 16,
+	.key	= "\x16\xaf\x5b\x14\x5f\xc9\xf5\x79\xc1\x75\xf9\x3e\x3b\xfb\x0e\xed"
+			  "\x86\x3d\x06\xcc\xfd\xb7\x85\x15"
+			  "\x00\x00\x00\x48",
+	.iv		= "\x36\x73\x3c\x14\x7d\x6d\x93\xcb",
+	.plain	= "Single block msg",
+	.cipher	= "\x23\x79\x39\x9e\x8a\x8d\x2b\x2b\x16\x70\x2f\xc7\x8b\x9e\x96\x96",
+};
+
+/**
+ * Test 5 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr5 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 32,
+	.key	= "\x7c\x5c\xb2\x40\x1b\x3d\xc3\x3c\x19\xe7\x34\x08\x19\xe0\xf6\x9c"
+			  "\x67\x8c\x3d\xb8\xe6\xf6\xa9\x1a"
+			  "\x00\x96\xb0\x3b",
+	.iv		= "\x02\x0c\x6e\xad\xc2\xcb\x50\x0d",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\x7d\xef\x34\xf7\xa5\xd0\xe4\x15\x67\x4b\x7f\xfc\xae\x67\xc7\x5d"
+			  "\xd0\x18\xb8\x6f\xf2\x30\x51\xe0\x56\x39\x2a\x99\xf3\x5a\x4c\xed",
+};
+
+/**
+ * Test 6 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr6 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 24, .len = 36,
+	.key	= "\x02\xbf\x39\x1e\xe8\xec\xb1\x59\xb9\x59\x61\x7b\x09\x65\x27\x9b"
+			  "\xf5\x9b\x60\xa7\x86\xd3\xe0\xfe"
+			  "\x00\x07\xbd\xfd",
+	.iv		= "\x5c\xbd\x60\x27\x8d\xcc\x09\x12",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\x57\x10\xe5\x56\xe1\x48\x7a\x20\xb5\xac\x0e\x73\xf1\x9e\x4e\x78"
+			  "\x76\xf3\x7f\xdc\x91\xb1\xef\x4d\x4d\xad\xe8\xe6\x66\xa6\x4d\x0e"
+			  "\xd5\x57\xab\x57",
+};
+
+/**
+ * Test 7 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr7 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 16,
+	.key	= "\x77\x6b\xef\xf2\x85\x1d\xb0\x6f\x4c\x8a\x05\x42\xc8\x69\x6f\x6c"
+			  "\x6a\x81\xaf\x1e\xec\x96\xb4\xd3\x7f\xc1\xd6\x89\xe6\xc1\xc1\x04"
+			  "\x00\x00\x00\x60",
+	.iv		= "\xdb\x56\x72\xc9\x7a\xa8\xf0\xb2",
+	.plain	= "Single block msg",
+	.cipher	= "\x34\x01\xf9\xc8\x24\x7e\xff\xce\xbd\x69\x94\x71\x4c\x1b\xbb\x11",
+};
+
+/**
+ * Test 8 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr8 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 32,
+	.key	= "\xf6\xd6\x6d\x6b\xd5\x2d\x59\xbb\x07\x96\x36\x58\x79\xef\xf8\x86"
+			  "\xc6\x6d\xd5\x1a\x5b\x6a\x99\x74\x4b\x50\x59\x0c\x87\xa2\x38\x84"
+			  "\x00\xfa\xac\x24",
+	.iv		= "\xc1\x58\x5e\xf1\x5a\x43\xd8\x75",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+	.cipher	= "\xd6\xc3\x03\x92\x24\x6f\x78\x08\xa8\x3c\x2b\x22\xa8\x83\x9e\x45"
+			  "\xe5\x1c\xd4\x8a\x1c\xdf\x40\x6e\xbc\x9c\xc2\xd3\xab\x83\x41\x08",
+};
+
+/**
+ * Test 9 of RFC5528
+ */
+crypter_test_vector_t camellia_ctr9 = {
+	.alg = ENCR_CAMELLIA_CTR, .key_size = 32, .len = 36,
+	.key	= "\xff\x7a\x61\x7c\xe6\x91\x48\xe4\xf1\x72\x6e\x2f\x43\x58\x1d\xe2"
+			  "\xaa\x62\xd9\xf8\x05\x53\x2e\xdf\xf1\xee\xd6\x87\xfb\x54\x15\x3d"
+			  "\x00\x1c\xc5\xb7",
+	.iv		= "\x51\xa5\x1d\x70\xa1\xc1\x11\x48",
+	.plain	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
+			  "\x20\x21\x22\x23",
+	.cipher	= "\xa4\xda\x23\xfc\xe6\xa5\xff\xaa\x6d\x64\xae\x9a\x06\x52\xa4\x2c"
+			  "\xd1\x61\xa3\x4b\x65\xf9\x67\x9f\x75\xc0\x1f\x10\x1f\x71\x27\x6f"
+			  "\x15\xef\x0d\x8d",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c
new file mode 100644
index 000000000..2a58b3732
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/camellia_xcbc.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * draft-kanno-ipsecme-camellia-xcbc Test Case #1
+ */
+signer_test_vector_t camellia_xcbc_s1 = {
+	.alg = AUTH_CAMELLIA_XCBC_96, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.data	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.mac	= "\x3d\x04\x2d\xd4\xe7\xbc\x79\x1c\xee\x32\x04\x15",
+};
+
+prf_test_vector_t camellia_xcbc_p1 = {
+	.alg = PRF_CAMELLIA128_XCBC, .key_size = 16, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\x3d\x04\x2d\xd4\xe7\xbc\x79\x1c\xee\x32\x04\x15\xc5\xe3\x26\xd6",
+};
+
+/**
+ * draft-kanno-ipsecme-camellia-xcbc Test Case #2
+ */
+prf_test_vector_t camellia_xcbc_p2 = {
+	.alg = PRF_CAMELLIA128_XCBC, .key_size = 10, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\xb9\x16\xb4\x23\x42\x0a\x90\x6c\xd7\xd7\xb6\x72\xa2\x4e\x97\x6f",
+};
+
+/**
+ * draft-kanno-ipsecme-camellia-xcbc Test #3
+ */
+prf_test_vector_t camellia_xcbc_p3 = {
+	.alg = PRF_CAMELLIA128_XCBC, .key_size = 18, .len = 20,
+	.key	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\xed\xcb",
+	.seed	= "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+			  "\x10\x11\x12\x13",
+	.out	= "\xb9\x71\x46\x36\x9d\x31\x94\x0f\xf5\x7a\x0d\xdf\x22\x33\xc1\xd2",
+};
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
index 234d237f3..f3a254d8d 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
@@ -20,6 +20,7 @@
 
 /* define symbols of all test vectors */
 #define TEST_VECTOR_CRYPTER(x) crypter_test_vector_t x;
+#define TEST_VECTOR_AEAD(x) aead_test_vector_t x;
 #define TEST_VECTOR_SIGNER(x) signer_test_vector_t x;
 #define TEST_VECTOR_HASHER(x) hasher_test_vector_t x;
 #define TEST_VECTOR_PRF(x) prf_test_vector_t x;
@@ -28,12 +29,14 @@
 #include "test_vectors.h"
 
 #undef TEST_VECTOR_CRYPTER
+#undef TEST_VECTOR_AEAD
 #undef TEST_VECTOR_SIGNER
 #undef TEST_VECTOR_HASHER
 #undef TEST_VECTOR_PRF
 #undef TEST_VECTOR_RNG
 
 #define TEST_VECTOR_CRYPTER(x)
+#define TEST_VECTOR_AEAD(x)
 #define TEST_VECTOR_SIGNER(x)
 #define TEST_VECTOR_HASHER(x)
 #define TEST_VECTOR_PRF(x)
@@ -48,6 +51,14 @@ static crypter_test_vector_t *crypter[] = {
 #undef TEST_VECTOR_CRYPTER
 #define TEST_VECTOR_CRYPTER(x)
 
+#undef TEST_VECTOR_AEAD
+#define TEST_VECTOR_AEAD(x) &x,
+static aead_test_vector_t *aead[] = {
+#include "test_vectors.h"
+};
+#undef TEST_VECTOR_AEAD
+#define TEST_VECTOR_AEAD(x)
+
 #undef TEST_VECTOR_SIGNER
 #define TEST_VECTOR_SIGNER(x) &x,
 static signer_test_vector_t *signer[] = {
@@ -116,6 +127,11 @@ plugin_t *test_vectors_plugin_create()
 		lib->crypto->add_test_vector(lib->crypto,
 									 ENCRYPTION_ALGORITHM, crypter[i]);
 	}
+	for (i = 0; i < countof(aead); i++)
+	{
+		lib->crypto->add_test_vector(lib->crypto,
+									 AEAD_ALGORITHM, aead[i]);
+	}
 	for (i = 0; i < countof(signer); i++)
 	{
 		lib->crypto->add_test_vector(lib->crypto,
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index f40427f3f..b1cc2f168 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -166,6 +167,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -197,14 +200,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -219,24 +225,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -244,7 +257,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 92b576aa5..559090aa0 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -260,7 +260,7 @@ static const asn1Object_t otherNameObjects[] = {
 /**
  * Extracts an otherName
  */
-static bool parse_otherName(chunk_t blob, int level0)
+static bool parse_otherName(chunk_t *blob, int level0, id_type_t *type)
 {
 	asn1_parser_t *parser;
 	chunk_t object;
@@ -268,7 +268,7 @@ static bool parse_otherName(chunk_t blob, int level0)
 	int oid = OID_UNKNOWN;
 	bool success = FALSE;
 
-	parser = asn1_parser_create(otherNameObjects, blob);
+	parser = asn1_parser_create(otherNameObjects, *blob);
 	parser->set_top_level(parser, level0);
 
 	while (parser->iterate(parser, &objectID, &object))
@@ -279,13 +279,27 @@ static bool parse_otherName(chunk_t blob, int level0)
 				oid = asn1_known_oid(object);
 				break;
 			case ON_OBJ_VALUE:
-				if (oid == OID_XMPP_ADDR)
+				switch (oid)
 				{
-					if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
-								parser->get_level(parser)+1, "xmppAddr"))
-					{
-						goto end;
-					}
+					case OID_XMPP_ADDR:
+						if (!asn1_parse_simple_object(&object, ASN1_UTF8STRING,
+									parser->get_level(parser)+1, "xmppAddr"))
+						{
+							goto end;
+						}
+						break;
+					case OID_USER_PRINCIPAL_NAME:
+						if (asn1_parse_simple_object(&object, ASN1_UTF8STRING,
+									parser->get_level(parser)+1, "msUPN"))
+						{	/* we handle UPNs as RFC822 addr */
+							*blob = object;
+							*type = ID_RFC822_ADDR;
+						}
+						else
+						{
+							goto end;
+						}
+						break;
 				}
 				break;
 			default:
@@ -379,7 +393,8 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 				}
 				break;
 			case GN_OBJ_OTHER_NAME:
-				if (!parse_otherName(object, parser->get_level(parser)+1))
+				if (!parse_otherName(&object, parser->get_level(parser)+1,
+									 &id_type))
 				{
 					goto end;
 				}
@@ -1091,15 +1106,28 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
 	identification_t *current;
 	enumerator_t *enumerator;
 	id_match_t match, best;
+	chunk_t encoding;
 
-	if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID)
+	if (subject->get_type(subject) == ID_KEY_ID)
 	{
-		if (chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+		encoding = subject->get_encoding(subject);
+
+		if (this->encoding_hash.len &&
+			chunk_equals(this->encoding_hash, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->subjectKeyIdentifier.len &&
+			chunk_equals(this->subjectKeyIdentifier, encoding))
+		{
+			return ID_MATCH_PERFECT;
+		}
+		if (this->public_key &&
+			this->public_key->has_fingerprint(this->public_key, encoding))
 		{
 			return ID_MATCH_PERFECT;
 		}
 	}
-
 	best = this->subject->matches(this->subject, subject);
 	enumerator = this->subjectAltNames->create_enumerator(this->subjectAltNames);
 	while (enumerator->enumerate(enumerator, &current))
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index bfb0ca621..7b488484e 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -684,7 +684,7 @@ x509_pkcs10_t *x509_pkcs10_gen(certificate_type_t type, va_list args)
 				enumerator->destroy(enumerator);
 				continue;
 			}
-			case BUILD_PASSPHRASE:
+			case BUILD_CHALLENGE_PWD:
 				cert->challengePassword = chunk_clone(va_arg(args, chunk_t));
 				continue;
 			case BUILD_DIGEST_ALG:
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 8391781e2..11a7f023c 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -73,25 +73,25 @@ plugin_t *x509_plugin_create()
 
 	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
 
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE,
 							(builder_function_t)x509_cert_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, TRUE,
 							(builder_function_t)x509_cert_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, FALSE,
 							(builder_function_t)x509_ac_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, TRUE,
 							(builder_function_t)x509_ac_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, TRUE,
 							(builder_function_t)x509_crl_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, FALSE,
 							(builder_function_t)x509_crl_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, FALSE,
 							(builder_function_t)x509_ocsp_request_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, TRUE,
 							(builder_function_t)x509_ocsp_response_load);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, FALSE,
 							(builder_function_t)x509_pkcs10_gen);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, TRUE,
 							(builder_function_t)x509_pkcs10_load);
 
 	return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 69bba8d6f..e82e5246f 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index b9f03eeac..be18d92b8 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -27,10 +27,11 @@ typedef struct private_xcbc_t private_xcbc_t;
  * The variable names are the same as in the RFC.
  */
 struct private_xcbc_t {
+
 	/**
 	 * Public xcbc_t interface.
 	 */
-	xcbc_t xcbc;
+	xcbc_t public;
 
 	/**
 	 * Block size, in bytes
@@ -135,9 +136,9 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 	if (this->remaining_bytes == this->b && !this->zero)
 	{
 		/* a) If the blocksize of M[n] is 128 bits:
-         *    XOR M[n] with E[n-1] and Key K2, then encrypt the result with
-         *    Key K1, yielding E[n].
-         */
+		 *    XOR M[n] with E[n-1] and Key K2, then encrypt the result with
+		 *    Key K1, yielding E[n].
+		 */
 		memxor(this->e, this->remaining, this->b);
 		memxor(this->e, this->k2, this->b);
 		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
@@ -147,20 +148,20 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 		/* b) If the blocksize of M[n] is less than 128 bits:
 		 *
 		 *  i) Pad M[n] with a single "1" bit, followed by the number of
-         *     "0" bits (possibly none) required to increase M[n]'s
-         *     blocksize to 128 bits.
-         */
-        if (this->remaining_bytes < this->b)
-        {
-		    this->remaining[this->remaining_bytes] = 0x80;
-		    while (++this->remaining_bytes < this->b)
-		    {
-			    this->remaining[this->remaining_bytes] = 0x00;
-		    }
-        }
-        /*  ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result
-         *      with Key K1, yielding E[n].
-         */
+		 *     "0" bits (possibly none) required to increase M[n]'s
+		 *     blocksize to 128 bits.
+		 */
+		if (this->remaining_bytes < this->b)
+		{
+			this->remaining[this->remaining_bytes] = 0x80;
+			while (++this->remaining_bytes < this->b)
+			{
+				this->remaining[this->remaining_bytes] = 0x00;
+			}
+		}
+		/*  ii) XOR M[n] with E[n-1] and Key K3, then encrypt the result
+		 *      with Key K1, yielding E[n].
+		 */
 		memxor(this->e, this->remaining, this->b);
 		memxor(this->e, this->k3, this->b);
 		this->k1->encrypt(this->k1, chunk_create(this->e, this->b), iv, NULL);
@@ -174,10 +175,8 @@ static void final(private_xcbc_t *this, u_int8_t *out)
 	this->zero = TRUE;
 }
 
-/**
- * Implementation of xcbc_t.get_mac.
- */
-static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out)
+METHOD(xcbc_t, get_mac, void,
+	private_xcbc_t *this, chunk_t data, u_int8_t *out)
 {
 	/* update E, do not process last block */
 	update(this, data);
@@ -188,18 +187,14 @@ static void get_mac(private_xcbc_t *this, chunk_t data, u_int8_t *out)
 	}
 }
 
-/**
- * Implementation of xcbc_t.get_block_size.
- */
-static size_t get_block_size(private_xcbc_t *this)
+METHOD(xcbc_t, get_block_size, size_t,
+	private_xcbc_t *this)
 {
 	return this->b;
 }
 
-/**
- * Implementation of xcbc_t.set_key.
- */
-static void set_key(private_xcbc_t *this, chunk_t key)
+METHOD(xcbc_t, set_key, void,
+	private_xcbc_t *this, chunk_t key)
 {
 	chunk_t iv, k1, lengthened;
 
@@ -228,11 +223,11 @@ static void set_key(private_xcbc_t *this, chunk_t key)
 
 	/*
 	 * (1) Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret
-     *     key K, as follows:
-     *     K1 = 0x01010101010101010101010101010101 encrypted with Key K
-     *     K2 = 0x02020202020202020202020202020202 encrypted with Key K
-     *     K3 = 0x03030303030303030303030303030303 encrypted with Key K
-     */
+	 *     key K, as follows:
+	 *     K1 = 0x01010101010101010101010101010101 encrypted with Key K
+	 *     K2 = 0x02020202020202020202020202020202 encrypted with Key K
+	 *     K3 = 0x03030303030303030303030303030303 encrypted with Key K
+	 */
 	this->k1->set_key(this->k1, lengthened);
 	memset(this->k2, 0x02, this->b);
 	this->k1->encrypt(this->k1, chunk_create(this->k2, this->b), iv, NULL);
@@ -243,10 +238,8 @@ static void set_key(private_xcbc_t *this, chunk_t key)
 	this->k1->set_key(this->k1, k1);
 }
 
-/**
- * Implementation of xcbc_t.destroy.
- */
-static void destroy(private_xcbc_t *this)
+METHOD(xcbc_t, destroy, void,
+	private_xcbc_t *this)
 {
 	this->k1->destroy(this->k1);
 	free(this->k2);
@@ -263,35 +256,38 @@ xcbc_t *xcbc_create(encryption_algorithm_t algo, size_t key_size)
 {
 	private_xcbc_t *this;
 	crypter_t *crypter;
+	u_int8_t b;
 
 	crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size);
 	if (!crypter)
 	{
 		return NULL;
 	}
+	b = crypter->get_block_size(crypter);
 	/* input and output of crypter must be equal for xcbc */
-	if (crypter->get_block_size(crypter) != key_size)
+	if (b != key_size)
 	{
 		crypter->destroy(crypter);
 		return NULL;
 	}
 
-	this = malloc_thing(private_xcbc_t);
-	this->xcbc.get_mac = (void (*)(xcbc_t *,chunk_t,u_int8_t*))get_mac;
-	this->xcbc.get_block_size = (size_t (*)(xcbc_t *))get_block_size;
-	this->xcbc.set_key = (void (*)(xcbc_t *,chunk_t))set_key;
-	this->xcbc.destroy = (void (*)(xcbc_t *))destroy;
-
-	this->b = crypter->get_block_size(crypter);
-	this->k1 = crypter;
-	this->k2 = malloc(this->b);
-	this->k3 = malloc(this->b);
-	this->e = malloc(this->b);
-	memset(this->e, 0, this->b);
-	this->remaining = malloc(this->b);
-	this->remaining_bytes = 0;
-	this->zero = TRUE;
-
-	return &this->xcbc;
+	INIT(this,
+		.public = {
+			.get_mac = _get_mac,
+			.get_block_size = _get_block_size,
+			.set_key = _set_key,
+			.destroy = _destroy,
+		},
+		.b = b,
+		.k1 = crypter,
+		.k2 = malloc(b),
+		.k3 = malloc(b),
+		.e = malloc(b),
+		.remaining = malloc(b),
+		.zero = TRUE,
+	);
+	memset(this->e, 0, b);
+
+	return &this->public;
 }
 
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
index 9d903bfaa..88156f383 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c
@@ -32,15 +32,13 @@ struct private_xcbc_plugin_t {
 	xcbc_plugin_t public;
 };
 
-/**
- * Implementation of xcbc_plugin_t.xcbctroy
- */
-static void destroy(private_xcbc_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+	private_xcbc_plugin_t *this)
 {
 	lib->crypto->remove_prf(lib->crypto,
-							(prf_constructor_t)xcbc_prf_create);
+					(prf_constructor_t)xcbc_prf_create);
 	lib->crypto->remove_signer(lib->crypto,
-							   (signer_constructor_t)xcbc_signer_create);
+					(signer_constructor_t)xcbc_signer_create);
 	free(this);
 }
 
@@ -49,14 +47,24 @@ static void destroy(private_xcbc_plugin_t *this)
  */
 plugin_t *xcbc_plugin_create()
 {
-	private_xcbc_plugin_t *this = malloc_thing(private_xcbc_plugin_t);
+	private_xcbc_plugin_t *this;
 
-	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+	INIT(this,
+		.public = {
+			.plugin = {
+				.destroy = _destroy,
+			},
+		},
+	);
 
 	lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC,
-						 (prf_constructor_t)xcbc_prf_create);
+					(prf_constructor_t)xcbc_prf_create);
+	lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC,
+					(prf_constructor_t)xcbc_prf_create);
 	lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96,
-							(signer_constructor_t)xcbc_signer_create);
+					(signer_constructor_t)xcbc_signer_create);
+	lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96,
+					(signer_constructor_t)xcbc_signer_create);
 
 	return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.c b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
index 2459dc616..ac9e1fda0 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.c
@@ -35,18 +35,14 @@ struct private_xcbc_prf_t {
 	xcbc_t *xcbc;
 };
 
-/**
- * Implementation of prf_t.get_bytes.
- */
-static void get_bytes(private_xcbc_prf_t *this, chunk_t seed, u_int8_t *buffer)
+METHOD(prf_t, get_bytes, void,
+	private_xcbc_prf_t *this, chunk_t seed, u_int8_t *buffer)
 {
 	this->xcbc->get_mac(this->xcbc, seed, buffer);
 }
 
-/**
- * Implementation of prf_t.allocate_bytes.
- */
-static void allocate_bytes(private_xcbc_prf_t *this, chunk_t seed, chunk_t *chunk)
+METHOD(prf_t, allocate_bytes, void,
+	private_xcbc_prf_t *this, chunk_t seed, chunk_t *chunk)
 {
 	if (chunk)
 	{
@@ -59,35 +55,27 @@ static void allocate_bytes(private_xcbc_prf_t *this, chunk_t seed, chunk_t *chun
 	}
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_block_size(private_xcbc_prf_t *this)
+METHOD(prf_t, get_block_size, size_t,
+	private_xcbc_prf_t *this)
 {
 	return this->xcbc->get_block_size(this->xcbc);
 }
 
-/**
- * Implementation of prf_t.get_block_size.
- */
-static size_t get_key_size(private_xcbc_prf_t *this)
+METHOD(prf_t, get_key_size, size_t,
+	private_xcbc_prf_t *this)
 {
 	/* in xcbc, block and key size are always equal */
 	return this->xcbc->get_block_size(this->xcbc);
 }
 
-/**
- * Implementation of prf_t.set_key.
- */
-static void set_key(private_xcbc_prf_t *this, chunk_t key)
+METHOD(prf_t, set_key, void,
+	private_xcbc_prf_t *this, chunk_t key)
 {
 	this->xcbc->set_key(this->xcbc, key);
 }
 
-/**
- * Implementation of prf_t.destroy.
- */
-static void destroy(private_xcbc_prf_t *this)
+METHOD(prf_t, destroy, void,
+	private_xcbc_prf_t *this)
 {
 	this->xcbc->destroy(this->xcbc);
 	free(this);
@@ -106,6 +94,9 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
 		case PRF_AES128_XCBC:
 			xcbc = xcbc_create(ENCR_AES_CBC, 16);
 			break;
+		case PRF_CAMELLIA128_XCBC:
+			xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16);
+			break;
 		default:
 			return NULL;
 	}
@@ -114,15 +105,19 @@ xcbc_prf_t *xcbc_prf_create(pseudo_random_function_t algo)
 		return NULL;
 	}
 
-	this = malloc_thing(private_xcbc_prf_t);
-	this->xcbc = xcbc;
-
-	this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
-	this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
-	this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
-	this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
-	this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
-	this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+	INIT(this,
+		.public = {
+			.prf = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.get_block_size = _get_block_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.xcbc = xcbc,
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_prf.h b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
index d2db9af41..294a853b4 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_prf.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_prf.h
@@ -34,9 +34,9 @@ typedef struct xcbc_prf_t xcbc_prf_t;
 struct xcbc_prf_t {
 
 	/**
-	 * Generic prf_t interface for this xcbc_prf_t class.
+	 * Implements prf_t interface.
 	 */
-	prf_t prf_interface;
+	prf_t prf;
 };
 
 /**
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.c b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
index 1c98d39d7..ece592323 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.c
@@ -41,11 +41,8 @@ struct private_xcbc_signer_t {
 	size_t block_size;
 };
 
-/**
- * Implementation of signer_t.get_signature.
- */
-static void get_signature(private_xcbc_signer_t *this,
-						  chunk_t data, u_int8_t *buffer)
+METHOD(signer_t, get_signature, void,
+	private_xcbc_signer_t *this, chunk_t data, u_int8_t *buffer)
 {
 	if (buffer == NULL)
 	{	/* append mode */
@@ -60,11 +57,8 @@ static void get_signature(private_xcbc_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.allocate_signature.
- */
-static void allocate_signature (private_xcbc_signer_t *this,
-								chunk_t data, chunk_t *chunk)
+METHOD(signer_t, allocate_signature, void,
+	private_xcbc_signer_t *this, chunk_t data, chunk_t *chunk)
 {
 	if (chunk == NULL)
 	{	/* append mode */
@@ -83,11 +77,8 @@ static void allocate_signature (private_xcbc_signer_t *this,
 	}
 }
 
-/**
- * Implementation of signer_t.verify_signature.
- */
-static bool verify_signature(private_xcbc_signer_t *this,
-							 chunk_t data, chunk_t signature)
+METHOD(signer_t, verify_signature, bool,
+	private_xcbc_signer_t *this, chunk_t data, chunk_t signature)
 {
 	u_int8_t mac[this->xcbc->get_block_size(this->xcbc)];
 
@@ -100,38 +91,29 @@ static bool verify_signature(private_xcbc_signer_t *this,
 	return memeq(signature.ptr, mac, this->block_size);
 }
 
-/**
- * Implementation of signer_t.get_key_size.
- */
-static size_t get_key_size(private_xcbc_signer_t *this)
+METHOD(signer_t, get_key_size, size_t,
+	private_xcbc_signer_t *this)
 {
 	return this->xcbc->get_block_size(this->xcbc);
 }
 
-/**
- * Implementation of signer_t.get_block_size.
- */
-static size_t get_block_size(private_xcbc_signer_t *this)
+METHOD(signer_t, get_block_size, size_t,
+	private_xcbc_signer_t *this)
 {
 	return this->block_size;
 }
 
-/**
- * Implementation of signer_t.set_key.
- */
-static void set_key(private_xcbc_signer_t *this, chunk_t key)
+METHOD(signer_t, set_key, void,
+	private_xcbc_signer_t *this, chunk_t key)
 {
 	this->xcbc->set_key(this->xcbc, key);
 }
 
-/**
- * Implementation of signer_t.destroy.
- */
-static status_t destroy(private_xcbc_signer_t *this)
+METHOD(signer_t, destroy, void,
+	private_xcbc_signer_t *this)
 {
 	this->xcbc->destroy(this->xcbc);
 	free(this);
-	return SUCCESS;
 }
 
 /*
@@ -149,6 +131,10 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
 			xcbc = xcbc_create(ENCR_AES_CBC, 16);
 			trunc = 12;
 			break;
+		case AUTH_CAMELLIA_XCBC_96:
+			xcbc = xcbc_create(ENCR_CAMELLIA_CBC, 16);
+			trunc = 12;
+			break;
 		default:
 			return NULL;
 	}
@@ -157,18 +143,21 @@ xcbc_signer_t *xcbc_signer_create(integrity_algorithm_t algo)
 		return NULL;
 	}
 
-	this = malloc_thing(private_xcbc_signer_t);
-	this->xcbc = xcbc;
-	this->block_size = min(trunc, xcbc->get_block_size(xcbc));
-
-	/* interface functions */
-	this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
-	this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
-	this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature;
-	this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size;
-	this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
-	this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
-	this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
+	INIT(this,
+		.public = {
+			.signer = {
+				.get_signature = _get_signature,
+				.allocate_signature = _allocate_signature,
+				.verify_signature = _verify_signature,
+				.get_key_size = _get_key_size,
+				.get_block_size = _get_block_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.xcbc = xcbc,
+		.block_size = min(trunc, xcbc->get_block_size(xcbc)),
+	);
 
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/xcbc/xcbc_signer.h b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
index 181cfe299..56b55f223 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc_signer.h
+++ b/src/libstrongswan/plugins/xcbc/xcbc_signer.h
@@ -31,9 +31,9 @@ typedef struct xcbc_signer_t xcbc_signer_t;
 struct xcbc_signer_t {
 
 	/**
-	 * generic signer_t interface for this signer
+	 * Implements signer_t interface.
 	 */
-	signer_t signer_interface;
+	signer_t signer;
 };
 
 /**
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c
index 037f0b918..4d4cef829 100644
--- a/src/libstrongswan/printf_hook.c
+++ b/src/libstrongswan/printf_hook.c
@@ -133,6 +133,14 @@ static int custom_arginfo(const struct printf_info *info, size_t n, int *argtype
 #include <unistd.h> /* for STDOUT_FILENO */
 
 /**
+ * These are used below, whenever the public wrapper functions are called before
+ * initialization or after destruction.
+ */
+#undef vprintf
+#undef vfprintf
+#undef vsnprintf
+
+/**
  * Vstr custom format specifier callback function.
  */
 static int custom_fmt_cb(Vstr_base *base, size_t pos, Vstr_fmt_spec *fmt_spec)
@@ -177,13 +185,16 @@ static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler
 	switch(handler->numargs)
 	{
 		case 1:
-			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], VSTR_TYPE_FMT_END);
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
+						 VSTR_TYPE_FMT_END);
 			break;
 		case 2:
-			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], at[1], VSTR_TYPE_FMT_END);
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
+						 at[1], VSTR_TYPE_FMT_END);
 			break;
 		case 3:
-			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0], at[1], at[2], VSTR_TYPE_FMT_END);
+			vstr_fmt_add(conf, handler->name, custom_fmt_cb, at[0],
+						 at[1], at[2], VSTR_TYPE_FMT_END);
 			break;
 	}
 }
@@ -193,7 +204,7 @@ static void vstr_fmt_add_handler(Vstr_conf *conf, printf_hook_handler_t *handler
  */
 #include <threading/thread_value.h>
 
-static thread_value_t *vstr_conf;
+static thread_value_t *vstr_conf = NULL;
 
 static Vstr_conf *create_vstr_conf()
 {
@@ -216,12 +227,15 @@ static Vstr_conf *create_vstr_conf()
 
 static inline Vstr_conf *get_vstr_conf()
 {
-	Vstr_conf *conf;
-	conf = (Vstr_conf*)vstr_conf->get(vstr_conf);
-	if (!conf)
+	Vstr_conf *conf = NULL;
+	if (vstr_conf)
 	{
-		conf = create_vstr_conf();
-		vstr_conf->set(vstr_conf, conf);
+		conf = (Vstr_conf*)vstr_conf->get(vstr_conf);
+		if (!conf)
+		{
+			conf = create_vstr_conf();
+			vstr_conf->set(vstr_conf, conf);
+		}
 	}
 	return conf;
 }
@@ -265,11 +279,20 @@ int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...)
 	va_end(args);
 	return written;
 }
-static inline int vstr_wrapper_vprintf_internal(int fd, const char *format,
+int vstr_wrapper_asprintf(char **str, const char *format, ...)
+{
+	int written;
+	va_list args;
+	va_start(args, format);
+	written = vstr_wrapper_vasprintf(str, format, args);
+	va_end(args);
+	return written;
+}
+static inline int vstr_wrapper_vprintf_internal(Vstr_conf *conf, int fd,
+												const char *format,
 												va_list args)
 {
 	int written;
-	Vstr_conf *conf = get_vstr_conf();
 	Vstr_base *s = vstr_make_base(conf);
 	vstr_add_vfmt(s, 0, format, args);
 	written = s->len;
@@ -289,24 +312,39 @@ static inline int vstr_wrapper_vprintf_internal(int fd, const char *format,
 }
 int vstr_wrapper_vprintf(const char *format, va_list args)
 {
-	return vstr_wrapper_vprintf_internal(STDOUT_FILENO, format, args);
+	Vstr_conf *conf = get_vstr_conf();
+	if (conf)
+	{
+		return vstr_wrapper_vprintf_internal(conf, STDOUT_FILENO, format, args);
+	}
+	return vprintf(format, args);
 }
 int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list args)
 {
-	return vstr_wrapper_vprintf_internal(fileno(stream), format, args);
+	Vstr_conf *conf = get_vstr_conf();
+	if (conf)
+	{
+		return vstr_wrapper_vprintf_internal(conf, fileno(stream), format,
+											 args);
+	}
+	return vfprintf(stream, format, args);
 }
 static inline int vstr_wrapper_vsnprintf_internal(char *str, size_t size,
 												  const char *format,
 												  va_list args)
 {
-	int written;
 	Vstr_conf *conf = get_vstr_conf();
-	Vstr_base *s = vstr_make_base(conf);
-	vstr_add_vfmt(s, 0, format, args);
-	written = s->len;
-	vstr_export_cstr_buf(s, 1, s->len, str, (size > 0) ? size : s->len + 1);
-	vstr_free_base(s);
-	return written;
+	if (conf)
+	{
+		int written;
+		Vstr_base *s = vstr_make_base(conf);
+		vstr_add_vfmt(s, 0, format, args);
+		written = s->len;
+		vstr_export_cstr_buf(s, 1, s->len, str, (size > 0) ? size : s->len + 1);
+		vstr_free_base(s);
+		return written;
+	}
+	return vsnprintf(str, size, format, args);
 }
 int vstr_wrapper_vsprintf(char *str, const char *format, va_list args)
 {
@@ -317,7 +355,26 @@ int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format,
 {
 	return (size > 0) ? vstr_wrapper_vsnprintf_internal(str, size, format, args) : 0;
 }
-
+int vstr_wrapper_vasprintf(char **str, const char *format, va_list args)
+{
+	size_t len = 100;
+	int written;
+	*str = malloc(len);
+	while (TRUE)
+	{
+		va_list ac;
+		va_copy(ac, args);
+		written = vstr_wrapper_vsnprintf_internal(*str, len, format, ac);
+		va_end(ac);
+		if (written < len)
+		{
+			break;
+		}
+		len = written + 1;
+		*str = realloc(*str, len);
+	}
+	return written;
+}
 #endif
 
 /**
@@ -408,6 +465,7 @@ static void destroy(private_printf_hook_t *this)
 #ifdef USE_VSTR
 	/* freeing the Vstr_conf of the main thread */
 	vstr_conf->destroy(vstr_conf);
+	vstr_conf = NULL;
 	vstr_free_conf(conf);
 	vstr_exit();
 #endif
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
index ce7e10b24..11fd66ce9 100644
--- a/src/libstrongswan/printf_hook.h
+++ b/src/libstrongswan/printf_hook.h
@@ -58,21 +58,25 @@ int vstr_wrapper_printf(const char *format, ...);
 int vstr_wrapper_fprintf(FILE *stream, const char *format, ...);
 int vstr_wrapper_sprintf(char *str, const char *format, ...);
 int vstr_wrapper_snprintf(char *str, size_t size, const char *format, ...);
+int vstr_wrapper_asprintf(char **str, const char *format, ...);
 
 int vstr_wrapper_vprintf(const char *format, va_list ap);
 int vstr_wrapper_vfprintf(FILE *stream, const char *format, va_list ap);
 int vstr_wrapper_vsprintf(char *str, const char *format, va_list ap);
 int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list ap);
+int vstr_wrapper_vasprintf(char **str, const char *format, va_list ap);
 
 #define printf vstr_wrapper_printf
 #define fprintf vstr_wrapper_fprintf
 #define sprintf vstr_wrapper_sprintf
 #define snprintf vstr_wrapper_snprintf
+#define asprintf vstr_wrapper_asprintf
 
 #define vprintf vstr_wrapper_vprintf
 #define vfprintf vstr_wrapper_vfprintf
 #define vsprintf vstr_wrapper_vsprintf
 #define vsnprintf vstr_wrapper_vsnprintf
+#define vasprintf vstr_wrapper_vasprintf
 
 #endif
 
@@ -83,7 +87,7 @@ int vstr_wrapper_vsnprintf(char *str, size_t size, const char *format, va_list a
  * @param len		length of the buffer
  * @param spec		format specifier
  * @param args		arguments array
- * @return 			number of characters written
+ * @return			number of characters written
  */
 typedef int (*printf_hook_function_t)(char *dst, size_t len,
 									  printf_hook_spec_t *spec,
diff --git a/src/libcharon/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
index 45e49112e..556cbd907 100644
--- a/src/libcharon/processing/jobs/callback_job.c
+++ b/src/libstrongswan/processing/jobs/callback_job.c
@@ -18,10 +18,10 @@
 
 #include <semaphore.h>
 
-#include <daemon.h>
 #include <threading/thread.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
+#include <utils/linked_list.h>
 
 typedef struct private_callback_job_t private_callback_job_t;
 
@@ -226,8 +226,8 @@ static void execute(private_callback_job_t *this)
 	thread_cancellation_point();
 	if (requeue)
 	{
-		charon->processor->queue_job(charon->processor,
-									 &this->public.job_interface);
+		lib->processor->queue_job(lib->processor,
+								  &this->public.job_interface);
 	}
 	thread_cleanup_pop(cleanup);
 }
diff --git a/src/libcharon/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h
index 62da1edd1..62da1edd1 100644
--- a/src/libcharon/processing/jobs/callback_job.h
+++ b/src/libstrongswan/processing/jobs/callback_job.h
diff --git a/src/libcharon/processing/jobs/job.h b/src/libstrongswan/processing/jobs/job.h
index 0f1c16ebe..0f1c16ebe 100644
--- a/src/libcharon/processing/jobs/job.h
+++ b/src/libstrongswan/processing/jobs/job.h
diff --git a/src/libcharon/processing/processor.c b/src/libstrongswan/processing/processor.c
index d5774af26..2a44f61e8 100644
--- a/src/libcharon/processing/processor.c
+++ b/src/libstrongswan/processing/processor.c
@@ -20,7 +20,7 @@
 
 #include "processor.h"
 
-#include <daemon.h>
+#include <debug.h>
 #include <threading/thread.h>
 #include <threading/condvar.h>
 #include <threading/mutex.h>
diff --git a/src/libcharon/processing/processor.h b/src/libstrongswan/processing/processor.h
index 5bf8cf573..bebbe3a15 100644
--- a/src/libcharon/processing/processor.h
+++ b/src/libstrongswan/processing/processor.h
@@ -51,7 +51,7 @@ struct processor_t {
 	/**
 	 * Get the number of queued jobs.
 	 *
-	 * @returns 			number of items in queue
+	 * @return				number of items in queue
 	 */
 	u_int (*get_job_load) (processor_t *this);
 
@@ -60,7 +60,7 @@ struct processor_t {
 	 *
 	 * This function is non blocking and adds a job_t to the queue.
 	 *
-	 * @param job 			job to add to the queue
+	 * @param job			job to add to the queue
 	 */
 	void (*queue_job) (processor_t *this, job_t *job);
 
diff --git a/src/libcharon/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
index 345af502a..e23f04598 100644
--- a/src/libcharon/processing/scheduler.c
+++ b/src/libstrongswan/processing/scheduler.c
@@ -19,7 +19,7 @@
 
 #include "scheduler.h"
 
-#include <daemon.h>
+#include <debug.h>
 #include <processing/processor.h>
 #include <processing/jobs/callback_job.h>
 #include <threading/thread.h>
@@ -199,7 +199,7 @@ static job_requeue_t schedule(private_scheduler_t * this)
 			remove_event(this);
 			this->mutex->unlock(this->mutex);
 			DBG2(DBG_JOB, "got event, queuing job for execution");
-			charon->processor->queue_job(charon->processor, event->job);
+			lib->processor->queue_job(lib->processor, event->job);
 			free(event);
 			return JOB_REQUEUE_DIRECT;
 		}
@@ -351,7 +351,7 @@ scheduler_t * scheduler_create()
 	this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
 
 	this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
-	charon->processor->queue_job(charon->processor, (job_t*)this->job);
+	lib->processor->queue_job(lib->processor, (job_t*)this->job);
 
 	return &this->public;
 }
diff --git a/src/libcharon/processing/scheduler.h b/src/libstrongswan/processing/scheduler.h
index 5f5d2a563..f2c72550f 100644
--- a/src/libcharon/processing/scheduler.h
+++ b/src/libstrongswan/processing/scheduler.h
@@ -83,16 +83,16 @@ struct scheduler_t {
 	/**
 	 * Adds a event to the queue, using a relative time offset in s.
 	 *
-	 * @param job 			job to schedule
-	 * @param time 			relative time to schedule job, in s
+	 * @param job			job to schedule
+	 * @param time			relative time to schedule job, in s
 	 */
 	void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t s);
 
 	/**
 	 * Adds a event to the queue, using a relative time offset in ms.
 	 *
-	 * @param job 			job to schedule
-	 * @param time 			relative time to schedule job, in ms
+	 * @param job			job to schedule
+	 * @param time			relative time to schedule job, in ms
 	 */
 	void (*schedule_job_ms) (scheduler_t *this, job_t *job, u_int32_t ms);
 
@@ -102,15 +102,15 @@ struct scheduler_t {
 	 * The passed timeval should be calculated based on the time_monotonic()
 	 * function.
 	 *
-	 * @param job 			job to schedule
-	 * @param time 			absolut time to schedule job
+	 * @param job			job to schedule
+	 * @param time			absolut time to schedule job
 	 */
 	void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
 
 	/**
 	 * Returns number of jobs scheduled.
 	 *
-	 * @return 				number of scheduled jobs
+	 * @return				number of scheduled jobs
 	 */
 	u_int (*get_job_load) (scheduler_t *this);
 
@@ -123,7 +123,7 @@ struct scheduler_t {
 /**
  * Create a scheduler.
  *
- * @return 		scheduler_t object
+ * @return		scheduler_t object
  */
 scheduler_t *scheduler_create(void);
 
diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c
index 610e2b8ea..d85abb1df 100644
--- a/src/libstrongswan/settings.c
+++ b/src/libstrongswan/settings.c
@@ -88,11 +88,60 @@ struct kv_t {
 };
 
 /**
- * find a section by a given key
+ * Print a format key, but consume already processed arguments
  */
-static section_t *find_section(section_t *section, char *key, va_list args)
+static bool print_key(char *buf, int len, char *start, char *key, va_list args)
 {
-	char name[512], *pos;
+	va_list copy;
+	bool res;
+	char *pos;
+
+	va_copy(copy, args);
+	while (start < key)
+	{
+		pos = strchr(start, '%');
+		if (!pos)
+		{
+			start += strlen(start) + 1;
+			continue;
+		}
+		pos++;
+		switch (*pos)
+		{
+			case 'd':
+				va_arg(copy, int);
+				break;
+			case 's':
+				va_arg(copy, char*);
+				break;
+			case 'N':
+				va_arg(copy, enum_name_t*);
+				va_arg(copy, int);
+				break;
+			case '%':
+				break;
+			default:
+				DBG1(DBG_CFG, "settings with %%%c not supported!", *pos);
+				break;
+		}
+		start = pos;
+		if (*start)
+		{
+			start++;
+		}
+	}
+	res = vsnprintf(buf, len, key, copy) < len;
+	va_end(copy);
+	return res;
+}
+
+/**
+ * find a section by a given key, using buffered key, reusable buffer
+ */
+static section_t *find_section_buffered(section_t *section,
+					char *start, char *key, va_list args, char *buf, int len)
+{
+	char *pos;
 	enumerator_t *enumerator;
 	section_t *current, *found = NULL;
 
@@ -100,21 +149,20 @@ static section_t *find_section(section_t *section, char *key, va_list args)
 	{
 		return NULL;
 	}
-	if (vsnprintf(name, sizeof(name), key, args) >= sizeof(name))
-	{
-		return NULL;
-	}
-
-	pos = strchr(name, '.');
+	pos = strchr(key, '.');
 	if (pos)
 	{
 		*pos = '\0';
 		pos++;
 	}
+	if (!print_key(buf, len, start, key, args))
+	{
+		return NULL;
+	}
 	enumerator = section->sections->create_enumerator(section->sections);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (streq(current->name, name))
+		if (streq(current->name, buf))
 		{
 			found = current;
 			break;
@@ -123,37 +171,55 @@ static section_t *find_section(section_t *section, char *key, va_list args)
 	enumerator->destroy(enumerator);
 	if (found && pos)
 	{
-		return find_section(found, pos, args);
+		return find_section_buffered(found, start, pos, args, buf, len);
 	}
 	return found;
 }
 
-static char *find_value(section_t *section, char *key, va_list args)
+/**
+ * find a section by a given key
+ */
+static section_t *find_section(section_t *section, char *key, va_list args)
 {
-	char name[512], *pos, *value = NULL;
-	enumerator_t *enumerator;
-	kv_t *kv;
-	section_t *current, *found = NULL;
+	char buf[128], keybuf[512];
 
-	if (section == NULL)
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
 	{
 		return NULL;
 	}
+	return find_section_buffered(section, keybuf, keybuf, args, buf, sizeof(buf));
+}
+
+/**
+ * Find the string value for a key, using buffered key, reusable buffer
+ */
+static char *find_value_buffered(section_t *section,
+					char *start, char *key, va_list args, char *buf, int len)
+{
+	char *pos, *value = NULL;
+	enumerator_t *enumerator;
+	kv_t *kv;
+	section_t *current, *found = NULL;
 
-	if (vsnprintf(name, sizeof(name), key, args) >= sizeof(name))
+	if (section == NULL)
 	{
 		return NULL;
 	}
 
-	pos = strchr(name, '.');
+	pos = strchr(key, '.');
 	if (pos)
 	{
 		*pos = '\0';
 		pos++;
+
+		if (!print_key(buf, len, start, key, args))
+		{
+			return NULL;
+		}
 		enumerator = section->sections->create_enumerator(section->sections);
 		while (enumerator->enumerate(enumerator, &current))
 		{
-			if (streq(current->name, name))
+			if (streq(current->name, buf))
 			{
 				found = current;
 				break;
@@ -162,15 +228,19 @@ static char *find_value(section_t *section, char *key, va_list args)
 		enumerator->destroy(enumerator);
 		if (found)
 		{
-			return find_value(found, pos, args);
+			return find_value_buffered(found, start, pos, args, buf, len);
 		}
 	}
 	else
 	{
+		if (!print_key(buf, len, start, key, args))
+		{
+			return NULL;
+		}
 		enumerator = section->kv->create_enumerator(section->kv);
 		while (enumerator->enumerate(enumerator, &kv))
 		{
-			if (streq(kv->key, name))
+			if (streq(kv->key, buf))
 			{
 				value = kv->value;
 				break;
@@ -182,6 +252,20 @@ static char *find_value(section_t *section, char *key, va_list args)
 }
 
 /**
+ * Find the string value for a key
+ */
+static char *find_value(section_t *section, char *key, va_list args)
+{
+	char buf[128], keybuf[512];
+
+	if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf))
+	{
+		return NULL;
+	}
+	return find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf));
+}
+
+/**
  * Implementation of settings_t.get.
  */
 static char* get_str(private_settings_t *this, char *key, char *def, ...)
diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h
index f274fb33c..486de8def 100644
--- a/src/libstrongswan/settings.h
+++ b/src/libstrongswan/settings.h
@@ -49,8 +49,11 @@ typedef struct settings_t settings_t;
 	}
 	@endcode
  *
- * The values are accesses using the get() functions using dotted keys, e.g.
+ * The values are accessed using the get() functions using dotted keys, e.g.
  *   section-one.subsection.othervalue
+ *
+ * Currently only a limited set of printf format specifiers are supported
+ * (namely %s, %d and %N, see implementation for details).
  */
 struct settings_t {
 
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index 63958593d..b868d538d 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -28,7 +28,7 @@
 #include "enum.h"
 #include "debug.h"
 
-ENUM(status_names, SUCCESS, DESTROY_ME,
+ENUM(status_names, SUCCESS, NEED_MORE,
 	"SUCCESS",
 	"FAILED",
 	"OUT_OF_RES",
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index 04551835e..35d3bebd1 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -138,6 +138,28 @@
 	static ret name(this, ##__VA_ARGS__)
 
 /**
+ * Architecture independent bitfield definition helpers (at least with GCC).
+ *
+ * Defines a bitfield with a type t and a fixed size of bitfield members, e.g.:
+ * BITFIELD2(u_int8_t,
+ *     low: 4,
+ *     high: 4,
+ * ) flags;
+ * The member defined first placed at bit 0.
+ */
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define BITFIELD2(t, a, b,...)			struct { t a; t b; __VA_ARGS__}
+#define BITFIELD3(t, a, b, c,...)		struct { t a; t b; t c; __VA_ARGS__}
+#define BITFIELD4(t, a, b, c, d,...)	struct { t a; t b; t c; t d; __VA_ARGS__}
+#define BITFIELD5(t, a, b, c, d, e,...)	struct { t a; t b; t c; t d; t e; __VA_ARGS__}
+#elif BYTE_ORDER == BIG_ENDIAN
+#define BITFIELD2(t, a, b,...)			struct { t b; t a; __VA_ARGS__}
+#define BITFIELD3(t, a, b, c,...)		struct { t c; t b; t a; __VA_ARGS__}
+#define BITFIELD4(t, a, b, c, d,...)	struct { t d; t c; t b; t a; __VA_ARGS__}
+#define BITFIELD5(t, a, b, c, d, e,...)	struct { t e; t d; t c; t b; t a; __VA_ARGS__}
+#endif
+
+/**
  * Macro to allocate a sized type.
  */
 #define malloc_thing(thing) ((thing*)malloc(sizeof(thing)))
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 3caeb8f0e..0696c1030 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -930,7 +930,11 @@ identification_t *identification_create_from_string(char *string)
 				else
 				{	/* not IPv4, mostly FQDN */
 					this = identification_create(ID_FQDN);
-					this->encoded = chunk_create(strdup(string), strlen(string));
+					this->encoded.len = strlen(string);
+					if (this->encoded.len)
+					{
+						this->encoded.ptr = strdup(string);
+					}
 				}
 				return &this->public;
 			}
@@ -947,7 +951,11 @@ identification_t *identification_create_from_string(char *string)
 				else
 				{	/* not IPv4/6 fallback to KEY_ID */
 					this = identification_create(ID_KEY_ID);
-					this->encoded = chunk_create(strdup(string), strlen(string));
+					this->encoded.len = strlen(string);
+					if (this->encoded.len)
+					{
+						this->encoded.ptr = strdup(string);
+					}
 				}
 				return &this->public;
 			}
@@ -969,14 +977,22 @@ identification_t *identification_create_from_string(char *string)
 			{
 				this = identification_create(ID_FQDN);
 				string += 1;
-				this->encoded = chunk_create(strdup(string), strlen(string));
+				this->encoded.len = strlen(string);
+				if (this->encoded.len)
+				{
+					this->encoded.ptr = strdup(string);
+				}
 				return &this->public;
 			}
 		}
 		else
 		{
 			this = identification_create(ID_RFC822_ADDR);
-			this->encoded = chunk_create(strdup(string), strlen(string));
+			this->encoded.len = strlen(string);
+			if (this->encoded.len)
+			{
+				this->encoded.ptr = strdup(string);
+			}
 			return &this->public;
 		}
 	}
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 0673878a5..5673fc32d 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -181,8 +181,11 @@ char *whitelist[] = {
 	"register_printf_specifier",
 	"syslog",
 	"vsyslog",
+	"__syslog_chk",
+	"__vsyslog_chk",
 	"getaddrinfo",
 	"setlocale",
+	"getpass",
 	/* ignore dlopen, as we do not dlclose to get proper leak reports */
 	"dlopen",
 	"dlerror",
@@ -213,6 +216,8 @@ char *whitelist[] = {
 	"gcry_check_version",
 	"gcry_randomize",
 	"gcry_create_nonce",
+	/* NSPR */
+	"PR_CallOnce",
 };
 
 /**
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h
index ba5f28f6a..1444c93fc 100644
--- a/src/libstrongswan/utils/linked_list.h
+++ b/src/libstrongswan/utils/linked_list.h
@@ -34,8 +34,8 @@ typedef struct linked_list_t linked_list_t;
  * @param item			current list item
  * @param ...			user supplied data (only pointers, at most 5)
  * @return
- * 						- TRUE, if the item matched
- * 						- FALSE, otherwise
+ *						- TRUE, if the item matched
+ *						- FALSE, otherwise
  */
 typedef bool (*linked_list_match_t)(void *item, ...);
 
@@ -57,7 +57,7 @@ struct linked_list_t {
 	/**
 	 * Gets the count of items in the list.
 	 *
-	 * @return 			number of items in list
+	 * @return			number of items in list
 	 */
 	int (*get_count) (linked_list_t *this);
 
@@ -69,7 +69,7 @@ struct linked_list_t {
 	 * @deprecated Iterator is obsolete and will disappear, it is too
 	 * complicated to implement. Use enumerator instead.
 	 *
-	 * @param forward 	iterator direction (TRUE: front to end)
+	 * @param forward	iterator direction (TRUE: front to end)
 	 * @return			new iterator_t object
 	 */
 	iterator_t *(*create_iterator) (linked_list_t *this, bool forward);
@@ -94,7 +94,7 @@ struct linked_list_t {
 	/**
 	 * Removes the first item in the list and returns its value.
 	 *
-	 * @param item 		returned value of first item, or NULL
+	 * @param item		returned value of first item, or NULL
 	 * @return			SUCCESS, or NOT_FOUND if list is empty
 	 */
 	status_t (*remove_first) (linked_list_t *this, void **item);
@@ -107,18 +107,20 @@ struct linked_list_t {
 	void (*remove_at)(linked_list_t *this, enumerator_t *enumerator);
 
 	/**
-	 * Remove items from the list matching item.
+	 * Remove items from the list matching the given item.
 	 *
-	 * If a compare function is given, it is called for each item, where
-	 * the first parameter is the current list item and the second parameter
-	 * is the supplied item parameter.
-	 * If compare is NULL, compare is done by pointer.
+	 * If a compare function is given, it is called for each item, with the
+	 * first parameter being the current list item and the second parameter
+	 * being the supplied item. Return TRUE from the compare function to remove
+	 * the item, return FALSE to keep it in the list.
+	 *
+	 * If compare is NULL, comparison is done by pointers.
 	 *
 	 * @param item		item to remove/pass to comparator
 	 * @param compare	compare function, or NULL
 	 * @return			number of removed items
 	 */
-	int (*remove)(linked_list_t *this, void *item, bool (*compare)(void *,void*));
+	int (*remove)(linked_list_t *this, void *item, bool (*compare)(void*,void*));
 
 	/**
 	 * Returns the value of the first list item without removing it.
@@ -132,7 +134,7 @@ struct linked_list_t {
 	/**
 	 * Inserts a new item at the end of the list.
 	 *
-	 * @param item 		value to insert into list
+	 * @param item		value to insert into list
 	 */
 	void (*insert_last) (linked_list_t *this, void *item);
 
@@ -148,7 +150,7 @@ struct linked_list_t {
 	/**
 	 * Returns the value of the last list item without removing it.
 	 *
-	 * @param this 		calling object
+	 * @param this		calling object
 	 * @param item		returned value of last item
 	 * @return			SUCCESS, NOT_FOUND if list is empty
 	 */
@@ -203,6 +205,8 @@ struct linked_list_t {
 	 * which can be evalutated at compile time using the offsetof
 	 * macro, e.g.: list->invoke(list, offsetof(object_t, method));
 	 *
+	 * @warning Only use pointers as user supplied data.
+	 *
 	 * @param offset	offset of the method to invoke on objects
 	 * @param ...		user data to supply to called function (limited to 5 arguments)
 	 */
@@ -211,6 +215,8 @@ struct linked_list_t {
 	/**
 	 * Invoke a function on all of the contained objects.
 	 *
+	 * @warning Only use pointers as user supplied data.
+	 *
 	 * @param function	offset of the method to invoke on objects
 	 * @param ...		user data to supply to called function (limited to 5 arguments)
 	 */
@@ -265,7 +271,7 @@ struct linked_list_t {
 /**
  * Creates an empty linked list object.
  *
- * @return 		linked_list_t object.
+ * @return		linked_list_t object.
  */
 linked_list_t *linked_list_create(void);
 
diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am
new file mode 100644
index 000000000..a58e783d7
--- /dev/null
+++ b/src/libtls/Makefile.am
@@ -0,0 +1,18 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+noinst_LTLIBRARIES = libtls.la
+libtls_la_SOURCES = \
+	tls_protection.h tls_protection.c \
+	tls_compression.h tls_compression.c \
+	tls_fragmentation.h tls_fragmentation.c \
+	tls_alert.h tls_alert.c \
+	tls_crypto.h tls_crypto.c \
+	tls_prf.h tls_prf.c \
+	tls_reader.h tls_reader.c \
+	tls_writer.h tls_writer.c \
+	tls_socket.h tls_socket.c \
+	tls_eap.h tls_eap.c \
+	tls_peer.h tls_peer.c \
+	tls_server.h tls_server.c \
+	tls_handshake.h tls_application.h tls.h tls.c
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
new file mode 100644
index 000000000..9f0a817f5
--- /dev/null
+++ b/src/libtls/Makefile.in
@@ -0,0 +1,559 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libtls
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+LTLIBRARIES = $(noinst_LTLIBRARIES)
+libtls_la_LIBADD =
+am_libtls_la_OBJECTS = tls_protection.lo tls_compression.lo \
+	tls_fragmentation.lo tls_alert.lo tls_crypto.lo tls_prf.lo \
+	tls_reader.lo tls_writer.lo tls_socket.lo tls_eap.lo \
+	tls_peer.lo tls_server.lo tls.lo
+libtls_la_OBJECTS = $(am_libtls_la_OBJECTS)
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libtls_la_SOURCES)
+DIST_SOURCES = $(libtls_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+default_pkcs11 = @default_pkcs11@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
+ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+noinst_LTLIBRARIES = libtls.la
+libtls_la_SOURCES = \
+	tls_protection.h tls_protection.c \
+	tls_compression.h tls_compression.c \
+	tls_fragmentation.h tls_fragmentation.c \
+	tls_alert.h tls_alert.c \
+	tls_crypto.h tls_crypto.c \
+	tls_prf.h tls_prf.c \
+	tls_reader.h tls_reader.c \
+	tls_writer.h tls_writer.c \
+	tls_socket.h tls_socket.c \
+	tls_eap.h tls_eap.c \
+	tls_peer.h tls_peer.c \
+	tls_server.h tls_server.c \
+	tls_handshake.h tls_application.h tls.h tls.c
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libtls/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libtls/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libtls.la: $(libtls_la_OBJECTS) $(libtls_la_DEPENDENCIES) 
+	$(LINK)  $(libtls_la_OBJECTS) $(libtls_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_alert.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_compression.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_crypto.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_eap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_fragmentation.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_peer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_protection.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_reader.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_server.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_socket.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls_writer.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
new file mode 100644
index 000000000..20141f235
--- /dev/null
+++ b/src/libtls/tls.c
@@ -0,0 +1,481 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls.h"
+
+#include <debug.h>
+
+#include "tls_protection.h"
+#include "tls_compression.h"
+#include "tls_fragmentation.h"
+#include "tls_crypto.h"
+#include "tls_server.h"
+#include "tls_peer.h"
+
+ENUM_BEGIN(tls_version_names, SSL_2_0, SSL_2_0,
+	"SSLv2");
+ENUM_NEXT(tls_version_names, SSL_3_0, TLS_1_2, SSL_2_0,
+	"SSLv3",
+	"TLS 1.0",
+	"TLS 1.1",
+	"TLS 1.2");
+ENUM_END(tls_version_names, TLS_1_2);
+
+ENUM(tls_content_type_names, TLS_CHANGE_CIPHER_SPEC, TLS_APPLICATION_DATA,
+	"ChangeCipherSpec",
+	"Alert",
+	"Handshake",
+	"ApplicationData",
+);
+
+ENUM_BEGIN(tls_handshake_type_names, TLS_HELLO_REQUEST, TLS_SERVER_HELLO,
+	"HelloRequest",
+	"ClientHello",
+	"ServerHello");
+ENUM_NEXT(tls_handshake_type_names,
+		TLS_CERTIFICATE, TLS_CLIENT_KEY_EXCHANGE, TLS_SERVER_HELLO,
+	"Certificate",
+	"ServerKeyExchange",
+	"CertificateRequest",
+	"ServerHelloDone",
+	"CertificateVerify",
+	"ClientKeyExchange");
+ENUM_NEXT(tls_handshake_type_names,
+		TLS_FINISHED, TLS_FINISHED, TLS_CLIENT_KEY_EXCHANGE,
+	"Finished");
+ENUM_END(tls_handshake_type_names, TLS_FINISHED);
+
+ENUM_BEGIN(tls_extension_names, TLS_EXT_SERVER_NAME, TLS_EXT_STATUS_REQUEST,
+	"server name",
+	"max fragment length",
+	"client certificate url",
+	"trusted ca keys",
+	"truncated hmac",
+	"status request");
+ENUM_NEXT(tls_extension_names,
+		TLS_EXT_ELLIPTIC_CURVES, TLS_EXT_EC_POINT_FORMATS,
+		TLS_EXT_STATUS_REQUEST,
+	"elliptic curves",
+	"ec point formats");
+ENUM_NEXT(tls_extension_names,
+		TLS_EXT_SIGNATURE_ALGORITHMS, TLS_EXT_SIGNATURE_ALGORITHMS,
+		TLS_EXT_EC_POINT_FORMATS,
+	"signature algorithms");
+ENUM_END(tls_extension_names, TLS_EXT_SIGNATURE_ALGORITHMS);
+
+/**
+ * TLS record
+ */
+typedef struct __attribute__((packed)) {
+	u_int8_t type;
+	u_int16_t version;
+	u_int16_t length;
+	char data[];
+} tls_record_t;
+
+typedef struct private_tls_t private_tls_t;
+
+/**
+ * Private data of an tls_protection_t object.
+ */
+struct private_tls_t {
+
+	/**
+	 * Public tls_t interface.
+	 */
+	tls_t public;
+
+	/**
+	 * Role this TLS stack acts as.
+	 */
+	bool is_server;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * Negotiated TLS version
+	 */
+	tls_version_t version;
+
+	/**
+	 * TLS stack purpose, as given to constructor
+	 */
+	tls_purpose_t purpose;
+
+	/**
+	 * TLS record protection layer
+	 */
+	tls_protection_t *protection;
+
+	/**
+	 * TLS record compression layer
+	 */
+	tls_compression_t *compression;
+
+	/**
+	 * TLS record fragmentation layer
+	 */
+	tls_fragmentation_t *fragmentation;
+
+	/**
+	 * TLS alert handler
+	 */
+	tls_alert_t *alert;
+
+	/**
+	 * TLS crypto helper context
+	 */
+	tls_crypto_t *crypto;
+
+	/**
+	 * TLS handshake protocol handler
+	 */
+	tls_handshake_t *handshake;
+
+	/**
+	 * TLS application data handler
+	 */
+	tls_application_t *application;
+
+	/**
+	 * Allocated input buffer
+	 */
+	chunk_t input;
+
+	/**
+	 * Number of bytes read in input buffer
+	 */
+	size_t inpos;
+
+	/**
+	 * Allocated output buffer
+	 */
+	chunk_t output;
+
+	/**
+	 * Number of bytes processed from output buffer
+	 */
+	size_t outpos;
+
+	/**
+	 * Partial TLS record header received
+	 */
+	tls_record_t head;
+
+	/**
+	 * Position in partially received record header
+	 */
+	size_t headpos;
+};
+
+METHOD(tls_t, process, status_t,
+	private_tls_t *this, void *buf, size_t buflen)
+{
+	tls_record_t *record;
+	status_t status;
+	u_int len;
+
+	if (this->headpos)
+	{	/* have a partial TLS record header, try to complete it */
+		len = min(buflen, sizeof(this->head) - this->headpos);
+		memcpy(((char*)&this->head) + this->headpos, buf, len);
+		this->headpos += len;
+		buflen -= len;
+		buf += len;
+		if (this->headpos == sizeof(this->head))
+		{	/* header complete, allocate space with new header */
+			len = untoh16(&this->head.length);
+			this->input = chunk_alloc(len + sizeof(tls_record_t));
+			memcpy(this->input.ptr, &this->head, sizeof(this->head));
+			this->inpos = sizeof(this->head);
+			this->headpos = 0;
+		}
+	}
+
+	while (buflen)
+	{
+		if (this->input.len == 0)
+		{
+			if (buflen < sizeof(tls_record_t))
+			{
+				DBG2(DBG_TLS, "received incomplete TLS record header");
+				memcpy(&this->head, buf, buflen);
+				this->headpos = buflen;
+				break;
+			}
+			while (TRUE)
+			{
+				/* try to process records inline */
+				record = buf;
+				len = untoh16(&record->length);
+
+				if (len + sizeof(tls_record_t) > buflen)
+				{	/* not a full record, read to buffer */
+					this->input = chunk_alloc(len + sizeof(tls_record_t));
+					this->inpos = 0;
+					break;
+				}
+				DBG2(DBG_TLS, "processing TLS %N record (%d bytes)",
+					 tls_content_type_names, record->type, len);
+				status = this->protection->process(this->protection,
+								record->type, chunk_create(record->data, len));
+				if (status != NEED_MORE)
+				{
+					return status;
+				}
+				buf += len + sizeof(tls_record_t);
+				buflen -= len + sizeof(tls_record_t);
+				if (buflen == 0)
+				{
+					return NEED_MORE;
+				}
+			}
+		}
+		len = min(buflen, this->input.len - this->inpos);
+		memcpy(this->input.ptr + this->inpos, buf, len);
+		buf += len;
+		buflen -= len;
+		this->inpos += len;
+		DBG2(DBG_TLS, "buffering %d bytes, %d bytes of %d byte TLS record received",
+			 len, this->inpos, this->input.len);
+		if (this->input.len == this->inpos)
+		{
+			record = (tls_record_t*)this->input.ptr;
+			len = untoh16(&record->length);
+
+			DBG2(DBG_TLS, "processing buffered TLS %N record (%d bytes)",
+				 tls_content_type_names, record->type, len);
+			status = this->protection->process(this->protection,
+								record->type, chunk_create(record->data, len));
+			chunk_free(&this->input);
+			this->inpos = 0;
+			if (status != NEED_MORE)
+			{
+				return status;
+			}
+		}
+	}
+	return NEED_MORE;
+}
+
+METHOD(tls_t, build, status_t,
+	private_tls_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	tls_content_type_t type;
+	tls_record_t record;
+	status_t status;
+	chunk_t data;
+	size_t len;
+
+	len = *buflen;
+	if (this->output.len == 0)
+	{
+		/* query upper layers for new records, as many as we can get */
+		while (TRUE)
+		{
+			status = this->protection->build(this->protection, &type, &data);
+			switch (status)
+			{
+				case NEED_MORE:
+					record.type = type;
+					htoun16(&record.version, this->version);
+					htoun16(&record.length, data.len);
+					this->output = chunk_cat("mcm", this->output,
+											 chunk_from_thing(record), data);
+					DBG2(DBG_TLS, "sending TLS %N record (%d bytes)",
+						 tls_content_type_names, type, data.len);
+					continue;
+				case INVALID_STATE:
+					if (this->output.len == 0)
+					{
+						return INVALID_STATE;
+					}
+					break;
+				default:
+					return status;
+			}
+			break;
+		}
+		if (msglen)
+		{
+			*msglen = this->output.len;
+		}
+	}
+	else
+	{
+		if (msglen)
+		{
+			*msglen = 0;
+		}
+	}
+	len = min(len, this->output.len - this->outpos);
+	memcpy(buf, this->output.ptr + this->outpos, len);
+	this->outpos += len;
+	*buflen = len;
+	if (this->outpos == this->output.len)
+	{
+		chunk_free(&this->output);
+		this->outpos = 0;
+		return ALREADY_DONE;
+	}
+	return NEED_MORE;
+}
+
+METHOD(tls_t, is_server, bool,
+	private_tls_t *this)
+{
+	return this->is_server;
+}
+
+METHOD(tls_t, get_version, tls_version_t,
+	private_tls_t *this)
+{
+	return this->version;
+}
+
+METHOD(tls_t, set_version, bool,
+	private_tls_t *this, tls_version_t version)
+{
+	if (version > this->version)
+	{
+		return FALSE;
+	}
+	switch (version)
+	{
+		case TLS_1_0:
+		case TLS_1_1:
+		case TLS_1_2:
+			this->version = version;
+			this->protection->set_version(this->protection, version);
+			return TRUE;
+		case SSL_2_0:
+		case SSL_3_0:
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(tls_t, get_purpose, tls_purpose_t,
+	private_tls_t *this)
+{
+	return this->purpose;
+}
+
+METHOD(tls_t, is_complete, bool,
+	private_tls_t *this)
+{
+	if (this->handshake->finished(this->handshake))
+	{
+		if (!this->application)
+		{
+			return TRUE;
+		}
+		return this->fragmentation->application_finished(this->fragmentation);
+	}
+	return FALSE;
+}
+
+METHOD(tls_t, get_eap_msk, chunk_t,
+	private_tls_t *this)
+{
+	return this->crypto->get_eap_msk(this->crypto);
+}
+
+METHOD(tls_t, destroy, void,
+	private_tls_t *this)
+{
+	this->protection->destroy(this->protection);
+	this->compression->destroy(this->compression);
+	this->fragmentation->destroy(this->fragmentation);
+	this->crypto->destroy(this->crypto);
+	this->handshake->destroy(this->handshake);
+	DESTROY_IF(this->peer);
+	this->server->destroy(this->server);
+	DESTROY_IF(this->application);
+	this->alert->destroy(this->alert);
+
+	free(this->input.ptr);
+	free(this->output.ptr);
+
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_t *tls_create(bool is_server, identification_t *server,
+				  identification_t *peer, tls_purpose_t purpose,
+				  tls_application_t *application)
+{
+	private_tls_t *this;
+
+	switch (purpose)
+	{
+		case TLS_PURPOSE_EAP_TLS:
+		case TLS_PURPOSE_EAP_TTLS:
+		case TLS_PURPOSE_GENERIC:
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.is_server = _is_server,
+			.get_version = _get_version,
+			.set_version = _set_version,
+			.get_purpose = _get_purpose,
+			.is_complete = _is_complete,
+			.get_eap_msk = _get_eap_msk,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+		.version = TLS_1_2,
+		.server = server->clone(server),
+		.peer = peer ? peer->clone(peer) : NULL,
+		.application = application,
+		.purpose = purpose,
+	);
+
+	this->crypto = tls_crypto_create(&this->public);
+	this->alert = tls_alert_create();
+	if (is_server)
+	{
+		this->handshake = &tls_server_create(&this->public, this->crypto,
+							this->alert, this->server, this->peer)->handshake;
+	}
+	else
+	{
+		this->handshake = &tls_peer_create(&this->public, this->crypto,
+							this->alert, this->peer, this->server)->handshake;
+	}
+	this->fragmentation = tls_fragmentation_create(this->handshake, this->alert,
+												   this->application);
+	this->compression = tls_compression_create(this->fragmentation, this->alert);
+	this->protection = tls_protection_create(this->compression, this->alert);
+	this->crypto->set_protection(this->crypto, this->protection);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
new file mode 100644
index 000000000..1908f5dd4
--- /dev/null
+++ b/src/libtls/tls.h
@@ -0,0 +1,236 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libtls libtls
+ *
+ * @addtogroup libtls
+ * TLS implementation on top of libstrongswan
+ *
+ * @defgroup tls tls
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_H_
+#define TLS_H_
+
+typedef enum tls_version_t tls_version_t;
+typedef enum tls_content_type_t tls_content_type_t;
+typedef enum tls_handshake_type_t tls_handshake_type_t;
+typedef enum tls_purpose_t tls_purpose_t;
+typedef struct tls_t tls_t;
+
+#include <library.h>
+
+#include "tls_application.h"
+
+/**
+ * TLS/SSL version numbers
+ */
+enum tls_version_t {
+	SSL_2_0 = 0x0200,
+	SSL_3_0 = 0x0300,
+	TLS_1_0 = 0x0301,
+	TLS_1_1 = 0x0302,
+	TLS_1_2 = 0x0303,
+};
+
+/**
+ * Enum names for tls_version_t
+ */
+extern enum_name_t *tls_version_names;
+
+/**
+ * TLS higher level content type
+ */
+enum tls_content_type_t {
+	TLS_CHANGE_CIPHER_SPEC = 20,
+	TLS_ALERT = 21,
+	TLS_HANDSHAKE = 22,
+	TLS_APPLICATION_DATA = 23,
+};
+
+/**
+ * Enum names for tls_content_type_t
+ */
+extern enum_name_t *tls_content_type_names;
+
+/**
+ * TLS handshake subtype
+ */
+enum tls_handshake_type_t {
+	TLS_HELLO_REQUEST = 0,
+	TLS_CLIENT_HELLO = 1,
+	TLS_SERVER_HELLO = 2,
+	TLS_CERTIFICATE = 11,
+	TLS_SERVER_KEY_EXCHANGE = 12,
+	TLS_CERTIFICATE_REQUEST = 13,
+	TLS_SERVER_HELLO_DONE = 14,
+	TLS_CERTIFICATE_VERIFY = 15,
+	TLS_CLIENT_KEY_EXCHANGE = 16,
+	TLS_FINISHED = 20,
+};
+
+/**
+ * Enum names for tls_handshake_type_t
+ */
+extern enum_name_t *tls_handshake_type_names;
+
+/**
+ * Purpose the TLS stack is initiated for.
+ */
+enum tls_purpose_t {
+	/** authentication in EAP-TLS */
+	TLS_PURPOSE_EAP_TLS,
+	/** outer authentication and protection in EAP-TTLS */
+	TLS_PURPOSE_EAP_TTLS,
+	/** non-EAP TLS */
+	TLS_PURPOSE_GENERIC,
+	/** EAP binding for TNC */
+	TLS_PURPOSE_EAP_TNC
+};
+
+/**
+ * TLS Hello extension types.
+ */
+enum tls_extension_t {
+	/** Server name the client wants to talk to */
+	TLS_EXT_SERVER_NAME = 0,
+	/** request a maximum fragment size */
+	TLS_EXT_MAX_FRAGMENT_LENGTH = 1,
+	/** indicate client certificate URL support */
+	TLS_EXT_CLIENT_CERTIFICATE_URL = 2,
+	/** list of CA the client trusts */
+	TLS_EXT_TRUSTED_CA_KEYS = 3,
+	/** request MAC truncation to 80-bit */
+	TLS_EXT_TRUNCATED_HMAC = 4,
+	/** list of OCSP responders the client trusts */
+	TLS_EXT_STATUS_REQUEST = 5,
+	/** list of supported elliptic curves */
+	TLS_EXT_ELLIPTIC_CURVES = 10,
+	/** supported point formats */
+	TLS_EXT_EC_POINT_FORMATS = 11,
+	/** list supported signature algorithms */
+	TLS_EXT_SIGNATURE_ALGORITHMS = 13,
+};
+
+/**
+ * Enum names for tls_extension_t
+ */
+extern enum_name_t *tls_extension_names;
+
+/**
+ * A bottom-up driven TLS stack, suitable for EAP implementations.
+ */
+struct tls_t {
+
+	/**
+	 * Process one or more TLS records, pass it to upper layers.
+	 *
+	 * @param buf		TLS record data, including headers
+	 * @param buflen	number of bytes in buf to process
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if more invocations to process/build needed
+	 */
+	status_t (*process)(tls_t *this, void *buf, size_t buflen);
+
+	/**
+	 * Query upper layer for one or more TLS records, build fragments.
+	 *
+	 * The TLS stack automatically fragments the records to the given buffer
+	 * size. Fragmentation is indicated by the reclen ouput parameter and
+	 * the return value. For the first fragment of a TLS record, a non-zero
+	 * record length is returned in reclen. If more fragments follow, NEED_MORE
+	 * is returned. A return value of ALREADY_DONE indicates that the final
+	 * fragment has been returned.
+	 *
+	 * @param buf		buffer to write TLS record fragments to
+	 * @param buflen	size of buffer, receives bytes written
+	 * @param msglen	receives size of all TLS fragments
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- INVALID_STATE if more input data required
+	 *					- NEED_MORE if more fragments available
+	 *					- ALREADY_DONE if the last available fragment returned
+	 */
+	status_t (*build)(tls_t *this, void *buf, size_t *buflen, size_t *msglen);
+
+	/**
+	 * Check if TLS stack is acting as a server.
+	 *
+	 * @return			TRUE if server, FALSE if peer
+	 */
+	bool (*is_server)(tls_t *this);
+
+	/**
+	 * Get the negotiated TLS/SSL version.
+	 *
+	 * @return			negotiated TLS version
+	 */
+	tls_version_t (*get_version)(tls_t *this);
+
+	/**
+	 * Set the negotiated TLS/SSL version.
+	 *
+	 * @param version	negotiated TLS version
+	 * @return			TRUE if version acceptable
+	 */
+	bool (*set_version)(tls_t *this, tls_version_t version);
+
+	/**
+	 * Get the purpose of this TLS stack instance.
+	 *
+	 * @return			purpose given during construction
+	 */
+	tls_purpose_t (*get_purpose)(tls_t *this);
+
+	/**
+	 * Check if TLS negotiation completed successfully.
+	 *
+	 * @return			TRUE if TLS negotation and authentication complete
+	 */
+	bool (*is_complete)(tls_t *this);
+
+	/**
+	 * Get the MSK for EAP-TLS.
+	 *
+	 * @return			MSK, internal data
+	 */
+	chunk_t (*get_eap_msk)(tls_t *this);
+
+	/**
+	 * Destroy a tls_t.
+	 */
+	void (*destroy)(tls_t *this);
+};
+
+/**
+ * Create a tls instance.
+ *
+ * @param is_server			TRUE to act as server, FALSE for client
+ * @param server			server identity
+ * @param peer				peer identity, NULL for no client authentication
+ * @param purpose			purpose this TLS stack instance is used for
+ * @param application		higher layer application or NULL if none
+ * @return					TLS stack
+ */
+tls_t *tls_create(bool is_server, identification_t *server,
+				  identification_t *peer, tls_purpose_t purpose,
+				  tls_application_t *application);
+
+#endif /** TLS_H_ @}*/
diff --git a/src/libtls/tls_alert.c b/src/libtls/tls_alert.c
new file mode 100644
index 000000000..8a4fa7d77
--- /dev/null
+++ b/src/libtls/tls_alert.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_alert.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+
+ENUM_BEGIN(tls_alert_desc_names, TLS_CLOSE_NOTIFY, TLS_CLOSE_NOTIFY,
+	"close notify",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_UNEXPECTED_MESSAGE, TLS_UNEXPECTED_MESSAGE,
+		TLS_CLOSE_NOTIFY,
+	"unexpected message",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_BAD_RECORD_MAC, TLS_RECORD_OVERFLOW,
+		TLS_UNEXPECTED_MESSAGE,
+	"bad record mac",
+	"decryption failed",
+	"record overflow",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_DECOMPRESSION_FAILURE, TLS_DECOMPRESSION_FAILURE,
+		TLS_RECORD_OVERFLOW,
+	"decompression_failure",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_HANDSHAKE_FAILURE, TLS_DECRYPT_ERROR,
+		TLS_DECOMPRESSION_FAILURE,
+	"handshake failure",
+	"no certificate",
+	"bad certificate",
+	"unsupported certificate",
+	"certificate revoked",
+	"certificate expired",
+	"certificate unknown",
+	"illegal parameter",
+	"unknown ca",
+	"access denied",
+	"decode error",
+	"decrypt error",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_EXPORT_RESTRICTION, TLS_EXPORT_RESTRICTION,
+		TLS_DECRYPT_ERROR,
+	"export restriction",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_PROTOCOL_VERSION, TLS_INSUFFICIENT_SECURITY,
+		TLS_EXPORT_RESTRICTION,
+	"protocol version",
+	"insufficient security",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_INTERNAL_ERROR, TLS_INTERNAL_ERROR,
+		TLS_INSUFFICIENT_SECURITY,
+	"internal error",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_USER_CANCELED, TLS_USER_CANCELED,
+		TLS_INTERNAL_ERROR,
+	"user canceled",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_NO_RENEGOTIATION, TLS_NO_RENEGOTIATION,
+		TLS_USER_CANCELED,
+	"no renegotiation",
+);
+ENUM_NEXT(tls_alert_desc_names, TLS_UNSUPPORTED_EXTENSION, TLS_UNSUPPORTED_EXTENSION,
+		TLS_NO_RENEGOTIATION,
+	"unsupported extension",
+);
+ENUM_END(tls_alert_desc_names, TLS_UNSUPPORTED_EXTENSION);
+
+
+typedef struct private_tls_alert_t private_tls_alert_t;
+
+/**
+ * Private data of an tls_alert_t object.
+ */
+struct private_tls_alert_t {
+
+	/**
+	 * Public tls_alert_t interface.
+	 */
+	tls_alert_t public;
+
+	/**
+	 * Warning queue
+	 */
+	linked_list_t *warnings;
+
+	/**
+	 * Do we have a fatal alert?
+	 */
+	bool fatal;
+
+	/**
+	 * Has the fatal alert been consumed?
+	 */
+	bool consumed;
+
+	/**
+	 * Fatal alert discription
+	 */
+	tls_alert_desc_t desc;
+};
+
+METHOD(tls_alert_t, add, void,
+	private_tls_alert_t *this, tls_alert_level_t level,
+	tls_alert_desc_t desc)
+{
+	if (level == TLS_FATAL)
+	{
+		if (!this->fatal)
+		{
+			this->desc = desc;
+			this->fatal = TRUE;
+		}
+	}
+	else
+	{
+		this->warnings->insert_last(this->warnings, (void*)(uintptr_t)desc);
+	}
+}
+
+METHOD(tls_alert_t, get, bool,
+	private_tls_alert_t *this, tls_alert_level_t *level,
+	tls_alert_desc_t *desc)
+{
+	if (this->fatal && !this->consumed)
+	{
+		this->consumed = TRUE;
+		*level = TLS_FATAL;
+		*desc = this->desc;
+		if (this->desc == TLS_CLOSE_NOTIFY)
+		{
+			DBG1(DBG_TLS, "sending TLS close notify");
+		}
+		else
+		{
+			DBG1(DBG_TLS, "sending fatal TLS alert '%N'",
+				 tls_alert_desc_names, this->desc);
+		}
+		return TRUE;
+	}
+	else
+	{
+		uintptr_t warning;
+
+		if (this->warnings->remove_first(this->warnings,
+										 (void**)&warning) == SUCCESS)
+		{
+			*level = TLS_WARNING;
+			*desc = warning;
+			DBG1(DBG_TLS, "sending TLS alert warning '%N'",
+				 tls_alert_desc_names, warning);
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(tls_alert_t, fatal, bool,
+	private_tls_alert_t *this)
+{
+	return this->fatal;
+}
+
+METHOD(tls_alert_t, process, status_t,
+	private_tls_alert_t *this, tls_alert_level_t level,
+	tls_alert_desc_t desc)
+{
+	if (desc == TLS_CLOSE_NOTIFY)
+	{
+		DBG1(DBG_TLS, "received TLS close notify");
+		add(this, TLS_FATAL, TLS_CLOSE_NOTIFY);
+		return NEED_MORE;
+	}
+	switch (level)
+	{
+		case TLS_WARNING:
+			DBG1(DBG_TLS, "received TLS alert warning '%N'",
+				 tls_alert_desc_names, desc);
+			return NEED_MORE;
+		case TLS_FATAL:
+			DBG1(DBG_TLS, "received fatal TLS alert '%N'",
+				 tls_alert_desc_names, desc);
+			return FAILED;
+		default:
+			DBG1(DBG_TLS, "received unknown TLS alert '%N'",
+				 tls_alert_desc_names, desc);
+			return FAILED;
+	}
+}
+
+METHOD(tls_alert_t, destroy, void,
+	private_tls_alert_t *this)
+{
+	this->warnings->destroy(this->warnings);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_alert_t *tls_alert_create()
+{
+	private_tls_alert_t *this;
+
+	INIT(this,
+		.public = {
+			.add = _add,
+			.get = _get,
+			.fatal = _fatal,
+			.process = _process,
+			.destroy = _destroy,
+		},
+		.warnings = linked_list_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_alert.h b/src/libtls/tls_alert.h
new file mode 100644
index 000000000..95ba4d91b
--- /dev/null
+++ b/src/libtls/tls_alert.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_alert tls_alert
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_ALERT_H_
+#define TLS_ALERT_H_
+
+#include <library.h>
+
+typedef struct tls_alert_t tls_alert_t;
+typedef enum tls_alert_level_t tls_alert_level_t;
+typedef enum tls_alert_desc_t tls_alert_desc_t;
+
+/**
+ * Level of a TLS alert
+ */
+enum tls_alert_level_t {
+	TLS_WARNING = 1,
+	TLS_FATAL = 2,
+};
+
+/**
+ * Description of a TLS alert
+ */
+enum tls_alert_desc_t {
+	TLS_CLOSE_NOTIFY = 0,
+	TLS_UNEXPECTED_MESSAGE = 10,
+	TLS_BAD_RECORD_MAC = 20,
+	TLS_DECRYPTION_FAILED = 21,
+	TLS_RECORD_OVERFLOW = 22,
+	TLS_DECOMPRESSION_FAILURE = 30,
+	TLS_HANDSHAKE_FAILURE = 40,
+	TLS_NO_CERTIFICATE = 41,
+	TLS_BAD_CERTIFICATE = 42,
+	TLS_UNSUPPORTED_CERTIFICATE = 43,
+	TLS_CERTIFICATE_REVOKED = 44,
+	TLS_CERTIFICATE_EXPIRED = 45,
+	TLS_CERTIFICATE_UNKNOWN = 46,
+	TLS_ILLEGAL_PARAMETER = 47,
+	TLS_UNKNOWN_CA = 48,
+	TLS_ACCESS_DENIED = 49,
+	TLS_DECODE_ERROR = 50,
+	TLS_DECRYPT_ERROR = 51,
+	TLS_EXPORT_RESTRICTION = 60,
+	TLS_PROTOCOL_VERSION = 70,
+	TLS_INSUFFICIENT_SECURITY = 71,
+	TLS_INTERNAL_ERROR = 80,
+	TLS_USER_CANCELED = 90,
+	TLS_NO_RENEGOTIATION = 100,
+	TLS_UNSUPPORTED_EXTENSION = 110,
+};
+
+/**
+ * Enum names for alert descriptions
+ */
+extern enum_name_t *tls_alert_desc_names;
+
+/**
+ * TLS alert handling.
+ */
+struct tls_alert_t {
+
+	/**
+	 * Add an alert to the TLS alert queue, will be sent.
+	 *
+	 * @param level			level of TLS alert
+	 * @param description	description of alert
+	 */
+	void (*add)(tls_alert_t *this, tls_alert_level_t level,
+				tls_alert_desc_t description);
+
+	/**
+	 * Get an alert pushed to the alert queue, to send.
+	 *
+	 * @param level			receives TLS alert level
+	 * @param description	receives TLS alert description
+	 * @return				TRUE if returned an alert
+	 */
+	bool (*get)(tls_alert_t *this, tls_alert_level_t *level,
+				tls_alert_desc_t *description);
+
+	/**
+	 * Did a fatal alert occur?.
+	 *
+	 * @return				TRUE if a fatal alert has occured
+	 */
+	bool (*fatal)(tls_alert_t *this);
+
+	/**
+	 * Process a received TLS alert.
+	 *
+	 * @param level			level of received alert
+	 * @param description	alert description
+	 * @return				status to pass down to TLS stack
+	 */
+	status_t (*process)(tls_alert_t *this, tls_alert_level_t level,
+						tls_alert_desc_t description);
+
+	/**
+	 * Destroy a tls_alert_t.
+	 */
+	void (*destroy)(tls_alert_t *this);
+};
+
+/**
+ * Create a tls_alert instance.
+ */
+tls_alert_t *tls_alert_create();
+
+#endif /** TLS_ALERT_H_ @}*/
diff --git a/src/libtls/tls_application.h b/src/libtls/tls_application.h
new file mode 100644
index 000000000..b54a25e22
--- /dev/null
+++ b/src/libtls/tls_application.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_handshake tls_handshake
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_APPLICATION_H_
+#define TLS_APPLICATION_H_
+
+typedef struct tls_application_t tls_application_t;
+
+#include "tls_reader.h"
+#include "tls_writer.h"
+
+/**
+ * TLS application data interface.
+ */
+struct tls_application_t {
+
+	/**
+	 * Process received TLS application data.
+	 *
+	 * @param reader	TLS data buffer
+	 * @return
+	 *					- SUCCESS if application completed
+	 *					- FAILED if application data processing failed
+	 *					- NEED_MORE if another invocation of process/build needed
+	 */
+	status_t (*process)(tls_application_t *this, tls_reader_t *reader);
+
+	/**
+	 * Build TLS application data to send out.
+	 *
+	 * @param writer	TLS data buffer to write to
+	 * @return
+	 *					- SUCCESS if application completed
+	 *					- FAILED if application data build failed
+	 *					- NEED_MORE if more data ready for delivery
+	 *					- INVALID_STATE if more input to process() required
+	 */
+	status_t (*build)(tls_application_t *this, tls_writer_t *writer);
+
+	/**
+	 * Destroy a tls_application_t.
+	 */
+	void (*destroy)(tls_application_t *this);
+};
+
+#endif /** TLS_APPLICATION_H_ @}*/
diff --git a/src/libtls/tls_compression.c b/src/libtls/tls_compression.c
new file mode 100644
index 000000000..68266cd0c
--- /dev/null
+++ b/src/libtls/tls_compression.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_compression.h"
+
+typedef struct private_tls_compression_t private_tls_compression_t;
+
+/**
+ * Private data of an tls_compression_t object.
+ */
+struct private_tls_compression_t {
+
+	/**
+	 * Public tls_compression_t interface.
+	 */
+	tls_compression_t public;
+
+	/**
+	 * Upper layer, TLS record fragmentation
+	 */
+	tls_fragmentation_t *fragmentation;
+};
+
+METHOD(tls_compression_t, process, status_t,
+	private_tls_compression_t *this, tls_content_type_t type, chunk_t data)
+{
+	return this->fragmentation->process(this->fragmentation, type, data);
+}
+
+METHOD(tls_compression_t, build, status_t,
+	private_tls_compression_t *this, tls_content_type_t *type, chunk_t *data)
+{
+	return this->fragmentation->build(this->fragmentation, type, data);
+}
+
+METHOD(tls_compression_t, destroy, void,
+	private_tls_compression_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_compression_t *tls_compression_create(tls_fragmentation_t *fragmentation,
+										  tls_alert_t *alert)
+{
+	private_tls_compression_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.destroy = _destroy,
+		},
+		.fragmentation = fragmentation,
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_compression.h b/src/libtls/tls_compression.h
new file mode 100644
index 000000000..b4832ab06
--- /dev/null
+++ b/src/libtls/tls_compression.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_compression tls_compression
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_COMPRESSION_H_
+#define TLS_COMPRESSION_H_
+
+#include <library.h>
+
+#include "tls.h"
+#include "tls_alert.h"
+#include "tls_fragmentation.h"
+
+typedef struct tls_compression_t tls_compression_t;
+
+/**
+ * TLS record protocol compression layer.
+ */
+struct tls_compression_t {
+
+	/**
+	 * Process a compressed TLS record, pass it to upper layers.
+	 *
+	 * @param type		type of the TLS record to process
+	 * @param data		associated TLS record data
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if more invocations to process/build needed
+	 */
+	status_t (*process)(tls_compression_t *this,
+						tls_content_type_t type, chunk_t data);
+
+	/**
+	 * Query upper layer for TLS record, build compressed record.
+	 *
+	 * @param type		type of the built TLS record
+	 * @param data		allocated data of the built TLS record
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if upper layers have more records to send
+	 *					- INVALID_STATE if more input records required
+	 */
+	status_t (*build)(tls_compression_t *this,
+					  tls_content_type_t *type, chunk_t *data);
+
+	/**
+	 * Destroy a tls_compression_t.
+	 */
+	void (*destroy)(tls_compression_t *this);
+};
+
+/**
+ * Create a tls_compression instance.
+ *
+ * @param fragmentation		fragmentation layer of TLS stack
+ * @param alert				TLS alert handler
+ * @return					TLS compression layer.
+ */
+tls_compression_t *tls_compression_create(tls_fragmentation_t *fragmentation,
+										  tls_alert_t *alert);
+
+#endif /** TLS_COMPRESSION_H_ @}*/
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
new file mode 100644
index 000000000..78f2a796d
--- /dev/null
+++ b/src/libtls/tls_crypto.c
@@ -0,0 +1,1674 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_crypto.h"
+
+#include <debug.h>
+
+ENUM_BEGIN(tls_cipher_suite_names, TLS_NULL_WITH_NULL_NULL,
+								   TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
+	"TLS_NULL_WITH_NULL_NULL",
+	"TLS_RSA_WITH_NULL_MD5",
+	"TLS_RSA_WITH_NULL_SHA",
+	"TLS_RSA_EXPORT_WITH_RC4_40_MD5",
+	"TLS_RSA_WITH_RC4_128_MD5",
+	"TLS_RSA_WITH_RC4_128_SHA",
+	"TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+	"TLS_RSA_WITH_IDEA_CBC_SHA",
+	"TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_RSA_WITH_DES_CBC_SHA",
+	"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_DH_DSS_WITH_DES_CBC_SHA",
+	"TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_DH_RSA_WITH_DES_CBC_SHA",
+	"TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_DHE_DSS_WITH_DES_CBC_SHA",
+	"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_DHE_RSA_WITH_DES_CBC_SHA",
+	"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
+	"TLS_DH_anon_WITH_RC4_128_MD5",
+	"TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+	"TLS_DH_anon_WITH_DES_CBC_SHA",
+	"TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
+ENUM_NEXT(tls_cipher_suite_names, TLS_KRB5_WITH_DES_CBC_SHA,
+								  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
+								  TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
+	"TLS_KRB5_WITH_DES_CBC_SHA",
+	"TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+	"TLS_KRB5_WITH_RC4_128_SHA",
+	"TLS_KRB5_WITH_IDEA_CBC_SHA",
+	"TLS_KRB5_WITH_DES_CBC_MD5",
+	"TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+	"TLS_KRB5_WITH_RC4_128_MD5",
+	"TLS_KRB5_WITH_IDEA_CBC_MD5",
+	"TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+	"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
+	"TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
+	"TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+	"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
+	"TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
+	"TLS_PSK_WITH_NULL_SHA",
+	"TLS_DHE_PSK_WITH_NULL_SHA",
+	"TLS_RSA_PSK_WITH_NULL_SHA",
+	"TLS_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+	"TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_DH_anon_WITH_AES_128_CBC_SHA",
+	"TLS_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+	"TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+	"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_DH_anon_WITH_AES_256_CBC_SHA",
+	"TLS_RSA_WITH_NULL_SHA256",
+	"TLS_RSA_WITH_AES_128_CBC_SHA256 ",
+	"TLS_RSA_WITH_AES_256_CBC_SHA256",
+	"TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
+	"TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+	"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+	"TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
+	"TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
+	"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
+	"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+	"TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA");
+ENUM_NEXT(tls_cipher_suite_names, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+								  TLS_DH_anon_WITH_AES_256_CBC_SHA256,
+								  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
+	"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
+	"TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
+	"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+	"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+	"TLS_DH_anon_WITH_AES_128_CBC_SHA256",
+	"TLS_DH_anon_WITH_AES_256_CBC_SHA256");
+ENUM_NEXT(tls_cipher_suite_names, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+								  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
+								  TLS_DH_anon_WITH_AES_256_CBC_SHA256,
+	"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
+	"TLS_PSK_WITH_RC4_128_SHA",
+	"TLS_PSK_WITH_3DES_EDE_CBC_SHA2",
+	"TLS_PSK_WITH_AES_128_CBC_SHA",
+	"TLS_PSK_WITH_AES_256_CBC_SHA",
+	"TLS_DHE_PSK_WITH_RC4_128_SHA",
+	"TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+	"TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
+	"TLS_DHE_PSK_WITH_AES_256_CBC_SHA2",
+	"TLS_RSA_PSK_WITH_RC4_128_SHA",
+	"TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+	"TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
+	"TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
+	"TLS_RSA_WITH_SEED_CBC_SHA",
+	"TLS_DH_DSS_WITH_SEED_CBC_SHA",
+	"TLS_DH_RSA_WITH_SEED_CBC_SHA",
+	"TLS_DHE_DSS_WITH_SEED_CBC_SHA",
+	"TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+	"TLS_DH_anon_WITH_SEED_CBC_SHA",
+	"TLS_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+	"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+	"TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
+	"TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
+	"TLS_DH_anon_WITH_AES_128_GCM_SHA256",
+	"TLS_DH_anon_WITH_AES_256_GCM_SHA384",
+	"TLS_PSK_WITH_AES_128_GCM_SHA256",
+	"TLS_PSK_WITH_AES_256_GCM_SHA384",
+	"TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
+	"TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
+	"TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
+	"TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
+	"TLS_PSK_WITH_AES_128_CBC_SHA256",
+	"TLS_PSK_WITH_AES_256_CBC_SHA384",
+	"TLS_PSK_WITH_NULL_SHA256",
+	"TLS_PSK_WITH_NULL_SHA384",
+	"TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
+	"TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
+	"TLS_DHE_PSK_WITH_NULL_SHA256",
+	"TLS_DHE_PSK_WITH_NULL_SHA384",
+	"TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
+	"TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
+	"TLS_RSA_PSK_WITH_NULL_SHA256",
+	"TLS_RSA_PSK_WITH_NULL_SHA384",
+	"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
+	"TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+	"TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+	"TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+	"TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
+	"TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
+	"TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256");
+ENUM_NEXT(tls_cipher_suite_names, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+								  TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+								  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
+	"TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
+ENUM_NEXT(tls_cipher_suite_names, TLS_ECDH_ECDSA_WITH_NULL_SHA,
+								  TLS_ECDHE_PSK_WITH_NULL_SHA384,
+								  TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+	"TLS_ECDH_ECDSA_WITH_NULL_SHA",
+	"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+	"TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_NULL_SHA",
+	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+	"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDH_RSA_WITH_NULL_SHA",
+	"TLS_ECDH_RSA_WITH_RC4_128_SHA",
+	"TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_NULL_SHA",
+	"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_ECDH_anon_WITH_NULL_SHA",
+	"TLS_ECDH_anon_WITH_RC4_128_SHA",
+	"TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
+	"TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
+	"TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
+	"TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
+	"TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
+	"TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
+	"TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
+	"TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
+	"TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
+	"TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+	"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+	"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+	"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+	"TLS_ECDHE_PSK_WITH_RC4_128_SHA",
+	"TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
+	"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+	"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
+	"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
+	"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
+	"TLS_ECDHE_PSK_WITH_NULL_SHA",
+	"TLS_ECDHE_PSK_WITH_NULL_SHA256",
+	"TLS_ECDHE_PSK_WITH_NULL_SHA384");
+ENUM_END(tls_cipher_suite_names, TLS_ECDHE_PSK_WITH_NULL_SHA384);
+
+ENUM(tls_hash_algorithm_names, TLS_HASH_NONE, TLS_HASH_SHA512,
+	"NONE",
+	"MD5",
+	"SHA1",
+	"SHA224",
+	"SHA256",
+	"SHA384",
+	"SHA512",
+);
+
+ENUM(tls_signature_algorithm_names, TLS_SIG_RSA, TLS_SIG_ECDSA,
+	"RSA",
+	"DSA",
+	"ECDSA",
+);
+
+ENUM_BEGIN(tls_client_certificate_type_names,
+		   TLS_RSA_SIGN, TLS_DSS_EPHEMERAL_DH,
+	"RSA_SIGN",
+	"DSA_SIGN",
+	"RSA_FIXED_DH",
+	"DSS_FIXED_DH",
+	"RSA_EPHEMERAL_DH",
+	"DSS_EPHEMERAL_DH");
+ENUM_NEXT(tls_client_certificate_type_names,
+		  TLS_FORTEZZA_DMS, TLS_FORTEZZA_DMS, TLS_DSS_EPHEMERAL_DH,
+	"FORTEZZA_DMS");
+ENUM_NEXT(tls_client_certificate_type_names,
+		  TLS_ECDSA_SIGN, TLS_ECDSA_FIXED_ECDH, TLS_FORTEZZA_DMS,
+	"ECDSA_SIGN",
+	"RSA_FIXED_ECDH",
+	"ECDSA_FIXED_ECDH");
+ENUM_END(tls_client_certificate_type_names, TLS_ECDSA_FIXED_ECDH);
+
+ENUM(tls_ecc_curve_type_names, TLS_ECC_EXPLICIT_PRIME, TLS_ECC_NAMED_CURVE,
+	"EXPLICIT_PRIME",
+	"EXPLICIT_CHAR2",
+	"NAMED_CURVE",
+);
+
+ENUM(tls_named_curve_names, TLS_SECT163K1, TLS_SECP521R1,
+	"SECT163K1",
+	"SECT163R1",
+	"SECT163R2",
+	"SECT193R1",
+	"SECT193R2",
+	"SECT233K1",
+	"SECT233R1",
+	"SECT239K1",
+	"SECT283K1",
+	"SECT283R1",
+	"SECT409K1",
+	"SECT409R1",
+	"SECT571K1",
+	"SECT571R1",
+	"SECP160K1",
+	"SECP160R1",
+	"SECP160R2",
+	"SECP192K1",
+	"SECP192R1",
+	"SECP224K1",
+	"SECP224R1",
+	"SECP256K1",
+	"SECP256R1",
+	"SECP384R1",
+	"SECP521R1",
+);
+
+ENUM(tls_ansi_point_format_names, TLS_ANSI_COMPRESSED, TLS_ANSI_HYBRID_Y,
+	"compressed",
+	"compressed y",
+	"uncompressed",
+	"uncompressed y",
+	"hybrid",
+	"hybrid y",
+);
+
+ENUM(tls_ec_point_format_names,
+	 TLS_EC_POINT_UNCOMPRESSED, TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2,
+	"uncompressed",
+	"ansiX962 compressed prime",
+	"ansiX962 compressed char2",
+);
+
+typedef struct private_tls_crypto_t private_tls_crypto_t;
+
+/**
+ * Private data of an tls_crypto_t object.
+ */
+struct private_tls_crypto_t {
+
+	/**
+	 * Public tls_crypto_t interface.
+	 */
+	tls_crypto_t public;
+
+	/**
+	 * Protection layer
+	 */
+	tls_protection_t *protection;
+
+	/**
+	 * List of supported/acceptable cipher suites
+	 */
+	tls_cipher_suite_t *suites;
+
+	/**
+	 * Number of supported suites
+	 */
+	int suite_count;
+
+	/**
+	 * Selected cipher suite
+	 */
+	tls_cipher_suite_t suite;
+
+	/**
+	 * RSA supported?
+	 */
+	bool rsa;
+
+	/**
+	 * ECDSA supported?
+	 */
+	bool ecdsa;
+
+	/**
+	 * TLS context
+	 */
+	tls_t *tls;
+
+	/**
+	 * All handshake data concatentated
+	 */
+	chunk_t handshake;
+
+	/**
+	 * Connection state TLS PRF
+	 */
+	tls_prf_t *prf;
+
+	/**
+	 * Signer instance for inbound traffic
+	 */
+	signer_t *signer_in;
+
+	/**
+	 * Signer instance for outbound traffic
+	 */
+	signer_t *signer_out;
+
+	/**
+	 * Crypter instance for inbound traffic
+	 */
+	crypter_t *crypter_in;
+
+	/**
+	 * Crypter instance for outbound traffic
+	 */
+	crypter_t *crypter_out;
+
+	/**
+	 * IV for input decryption, if < TLSv1.2
+	 */
+	chunk_t iv_in;
+
+	/**
+	 * IV for output decryption, if < TLSv1.2
+	 */
+	chunk_t iv_out;
+
+	/**
+	 * EAP-[T]TLS MSK
+	 */
+	chunk_t msk;
+
+	/**
+	 * ASCII string constant used as seed for EAP-[T]TLS MSK PRF
+	 */
+	char *msk_label;
+};
+
+typedef struct {
+	tls_cipher_suite_t suite;
+	key_type_t key;
+	diffie_hellman_group_t dh;
+	hash_algorithm_t hash;
+	pseudo_random_function_t prf;
+	integrity_algorithm_t mac;
+	encryption_algorithm_t encr;
+	size_t encr_size;
+} suite_algs_t;
+
+/**
+ * Mapping suites to a set of algorithms
+ */
+static suite_algs_t suite_algs[] = {
+	{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		KEY_ECDSA, ECP_384_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+		KEY_ECDSA, ECP_384_BIT,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		KEY_RSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		KEY_RSA, ECP_256_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		KEY_RSA, ECP_384_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+		KEY_RSA, ECP_384_BIT,
+		HASH_SHA384, PRF_HMAC_SHA2_384,
+		AUTH_HMAC_SHA2_384_384, ENCR_AES_CBC, 32
+	},
+	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+		KEY_RSA, MODP_2048_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
+	},
+	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+		KEY_RSA, MODP_3072_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
+	},
+	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+		KEY_RSA, MODP_3072_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
+	},
+	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+		KEY_RSA, MODP_4096_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		KEY_RSA, MODP_2048_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+		KEY_RSA, MODP_3072_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		KEY_RSA, MODP_3072_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+		KEY_RSA, MODP_4096_BIT,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
+	},
+	{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		KEY_RSA, MODP_2048_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_3DES, 0
+	},
+	{ TLS_RSA_WITH_AES_128_CBC_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 16
+	},
+	{ TLS_RSA_WITH_AES_128_CBC_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 16
+	},
+	{ TLS_RSA_WITH_AES_256_CBC_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_AES_CBC, 32
+	},
+	{ TLS_RSA_WITH_AES_256_CBC_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_AES_CBC, 32
+	},
+	{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 16
+	},
+	{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 16
+	},
+	{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_CAMELLIA_CBC, 32
+	},
+	{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_CAMELLIA_CBC, 32
+	},
+	{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_3DES, 0
+	},
+	{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		KEY_RSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_3DES, 0
+	},
+	{ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_3DES, 0
+	},
+	{ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_NULL, 0
+	},
+	{ TLS_ECDHE_RSA_WITH_NULL_SHA,
+		KEY_ECDSA, ECP_256_BIT,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_NULL, 0
+	},
+	{ TLS_RSA_WITH_NULL_SHA,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA1, PRF_HMAC_SHA1,
+		AUTH_HMAC_SHA1_160, ENCR_NULL, 0
+	},
+	{ TLS_RSA_WITH_NULL_SHA256,
+		KEY_RSA, MODP_NONE,
+		HASH_SHA256, PRF_HMAC_SHA2_256,
+		AUTH_HMAC_SHA2_256_256, ENCR_NULL, 0
+	},
+	{ TLS_RSA_WITH_NULL_MD5,
+		KEY_RSA, MODP_NONE,
+		HASH_MD5, PRF_HMAC_MD5,
+		AUTH_HMAC_MD5_128, ENCR_NULL, 0
+	},
+};
+
+/**
+ * Look up algoritms by a suite
+ */
+static suite_algs_t *find_suite(tls_cipher_suite_t suite)
+{
+	int i;
+
+	for (i = 0; i < countof(suite_algs); i++)
+	{
+		if (suite_algs[i].suite == suite)
+		{
+			return &suite_algs[i];
+		}
+	}
+	return NULL;
+}
+
+/**
+ * Filter a suite list using a transform enumerator
+ */
+static void filter_suite(private_tls_crypto_t *this,
+						 suite_algs_t suites[], int *count, int offset,
+						 enumerator_t*(*create_enumerator)(crypto_factory_t*))
+{
+	suite_algs_t current;
+	int i, remaining = 0;
+	enumerator_t *enumerator;
+
+	memset(&current, 0, sizeof(current));
+	for (i = 0; i < *count; i++)
+	{
+		enumerator = create_enumerator(lib->crypto);
+		while (enumerator->enumerate(enumerator, ((char*)&current) + offset))
+		{
+			if ((suites[i].encr == ENCR_NULL ||
+				 !current.encr || current.encr == suites[i].encr) &&
+				(!current.mac  || current.mac  == suites[i].mac) &&
+				(!current.prf  || current.prf  == suites[i].prf) &&
+				(!current.hash || current.hash == suites[i].hash) &&
+				(suites[i].dh == MODP_NONE ||
+				 !current.dh   || current.dh   == suites[i].dh))
+			{
+				suites[remaining] = suites[i];
+				remaining++;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	*count = remaining;
+}
+
+/**
+ * Purge NULL encryption cipher suites from list
+ */
+static void filter_null_suites(private_tls_crypto_t *this,
+							   suite_algs_t suites[], int *count)
+{
+	int i, remaining = 0;
+
+	for (i = 0; i < *count; i++)
+	{
+		if (suites[i].encr != ENCR_NULL)
+		{
+			suites[remaining] = suites[i];
+			remaining++;
+		}
+	}
+	*count = remaining;
+}
+
+/**
+ * Purge suites using a given key type
+ */
+static void filter_key_suites(private_tls_crypto_t *this,
+							  suite_algs_t suites[], int *count, key_type_t key)
+{
+	int i, remaining = 0;
+
+	DBG2(DBG_TLS, "disabling %N suites, no backend found", key_type_names, key);
+	for (i = 0; i < *count; i++)
+	{
+		if (suites[i].key != key)
+		{
+			suites[remaining] = suites[i];
+			remaining++;
+		}
+	}
+	*count = remaining;
+}
+
+/**
+ * Filter suites by key exchange user config
+ */
+static void filter_key_exchange_config_suites(private_tls_crypto_t *this,
+											  suite_algs_t suites[], int *count)
+{
+	enumerator_t *enumerator;
+	int i, remaining = 0;
+	char *token, *config;
+
+	config = lib->settings->get_str(lib->settings, "libtls.key_exchange", NULL);
+	if (config)
+	{
+		for (i = 0; i < *count; i++)
+		{
+			enumerator = enumerator_create_token(config, ",", " ");
+			while (enumerator->enumerate(enumerator, &token))
+			{
+				if (strcaseeq(token, "ecdhe-ecdsa") &&
+					diffie_hellman_group_is_ec(suites[i].dh) &&
+					suites[i].key == KEY_ECDSA)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "ecdhe-rsa") &&
+					diffie_hellman_group_is_ec(suites[i].dh) &&
+					suites[i].key == KEY_RSA)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "dhe-rsa") &&
+					!diffie_hellman_group_is_ec(suites[i].dh) &&
+					suites[i].dh != MODP_NONE &&
+					suites[i].key == KEY_RSA)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "rsa") &&
+					suites[i].dh == MODP_NONE &&
+					suites[i].key == KEY_RSA)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		*count = remaining;
+	}
+}
+
+/**
+ * Filter suites by cipher user config
+ */
+static void filter_cipher_config_suites(private_tls_crypto_t *this,
+										suite_algs_t suites[], int *count)
+{
+	enumerator_t *enumerator;
+	int i, remaining = 0;
+	char *token, *config;
+
+	config = lib->settings->get_str(lib->settings, "libtls.cipher", NULL);
+	if (config)
+	{
+		for (i = 0; i < *count; i++)
+		{
+			enumerator = enumerator_create_token(config, ",", " ");
+			while (enumerator->enumerate(enumerator, &token))
+			{
+				if (strcaseeq(token, "aes128") &&
+					suites[i].encr == ENCR_AES_CBC &&
+					suites[i].encr_size == 16)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "aes256") &&
+					suites[i].encr == ENCR_AES_CBC &&
+					suites[i].encr_size == 32)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "camellia128") &&
+					suites[i].encr == ENCR_CAMELLIA_CBC &&
+					suites[i].encr_size == 16)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "camellia256") &&
+					suites[i].encr == ENCR_CAMELLIA_CBC &&
+					suites[i].encr_size == 32)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "3des") &&
+					suites[i].encr == ENCR_3DES)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "null") &&
+					suites[i].encr == ENCR_NULL)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		*count = remaining;
+	}
+}
+
+/**
+ * Filter suites by mac user config
+ */
+static void filter_mac_config_suites(private_tls_crypto_t *this,
+									 suite_algs_t suites[], int *count)
+{
+	enumerator_t *enumerator;
+	int i, remaining = 0;
+	char *token, *config;
+
+	config = lib->settings->get_str(lib->settings, "libtls.mac", NULL);
+	if (config)
+	{
+		for (i = 0; i < *count; i++)
+		{
+			enumerator = enumerator_create_token(config, ",", " ");
+			while (enumerator->enumerate(enumerator, &token))
+			{
+				if (strcaseeq(token, "md5") &&
+					suites[i].hash == HASH_MD5)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "sha1") &&
+					suites[i].hash == HASH_SHA1)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "sha256") &&
+					suites[i].hash == HASH_SHA256)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+				if (strcaseeq(token, "sha384") &&
+					suites[i].hash == HASH_SHA384)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		*count = remaining;
+	}
+}
+
+/**
+ * Filter for specific suites specified in strongswan.conf
+ */
+static void filter_specific_config_suites(private_tls_crypto_t *this,
+										  suite_algs_t suites[], int *count)
+{
+	enumerator_t *enumerator;
+	int i, remaining = 0, suite;
+	char *token, *config;
+
+	config = lib->settings->get_str(lib->settings, "libtls.suites", NULL);
+	if (config)
+	{
+		for (i = 0; i < *count; i++)
+		{
+			enumerator = enumerator_create_token(config, ",", " ");
+			while (enumerator->enumerate(enumerator, &token))
+			{
+				suite = enum_from_name(tls_cipher_suite_names, token);
+				if (suite == suites[i].suite)
+				{
+					suites[remaining++] = suites[i];
+					break;
+				}
+			}
+			enumerator->destroy(enumerator);
+		}
+		*count = remaining;
+	}
+}
+
+/**
+ * Initialize the cipher suite list
+ */
+static void build_cipher_suite_list(private_tls_crypto_t *this,
+									bool require_encryption)
+{
+	suite_algs_t suites[countof(suite_algs)];
+	int count = countof(suite_algs), i;
+
+	/* copy all suites */
+	for (i = 0; i < count; i++)
+	{
+		suites[i] = suite_algs[i];
+	}
+	if (require_encryption)
+	{
+		filter_null_suites(this, suites, &count);
+	}
+	if (!this->rsa)
+	{
+		filter_key_suites(this, suites, &count, KEY_RSA);
+	}
+	if (!this->ecdsa)
+	{
+		filter_key_suites(this, suites, &count, KEY_ECDSA);
+	}
+
+	/* filter suite list by each algorithm */
+	filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
+				 lib->crypto->create_crypter_enumerator);
+	filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
+				 lib->crypto->create_signer_enumerator);
+	filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
+				 lib->crypto->create_prf_enumerator);
+	filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
+				 lib->crypto->create_hasher_enumerator);
+	filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
+				 lib->crypto->create_dh_enumerator);
+
+	/* filter suites with strongswan.conf options */
+	filter_key_exchange_config_suites(this, suites, &count);
+	filter_cipher_config_suites(this, suites, &count);
+	filter_mac_config_suites(this, suites, &count);
+	filter_specific_config_suites(this, suites, &count);
+
+	free(this->suites);
+	this->suite_count = count;
+	this->suites = malloc(sizeof(tls_cipher_suite_t) * count);
+
+	DBG2(DBG_TLS, "%d supported TLS cipher suites:", count);
+	for (i = 0; i < count; i++)
+	{
+		DBG2(DBG_TLS, "  %N", tls_cipher_suite_names, suites[i].suite);
+		this->suites[i] = suites[i].suite;
+	}
+}
+
+METHOD(tls_crypto_t, get_cipher_suites, int,
+	private_tls_crypto_t *this, tls_cipher_suite_t **suites)
+{
+	*suites = this->suites;
+	return this->suite_count;
+}
+
+/**
+ * Create crypto primitives
+ */
+static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+	DESTROY_IF(this->prf);
+	if (this->tls->get_version(this->tls) < TLS_1_2)
+	{
+		this->prf = tls_prf_create_10();
+	}
+	else
+	{
+		this->prf = tls_prf_create_12(algs->prf);
+	}
+	if (!this->prf)
+	{
+		DBG1(DBG_TLS, "selected TLS PRF not supported");
+		return FALSE;
+	}
+
+	DESTROY_IF(this->signer_in);
+	DESTROY_IF(this->signer_out);
+	this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
+	this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
+	if (!this->signer_in || !this->signer_out)
+	{
+		DBG1(DBG_TLS, "selected TLS MAC %N not supported",
+			 integrity_algorithm_names, algs->mac);
+		return FALSE;
+	}
+
+	DESTROY_IF(this->crypter_in);
+	DESTROY_IF(this->crypter_out);
+	if (algs->encr == ENCR_NULL)
+	{
+		this->crypter_in = this->crypter_out = NULL;
+	}
+	else
+	{
+		this->crypter_in = lib->crypto->create_crypter(lib->crypto,
+												algs->encr, algs->encr_size);
+		this->crypter_out = lib->crypto->create_crypter(lib->crypto,
+												algs->encr, algs->encr_size);
+		if (!this->crypter_in || !this->crypter_out)
+		{
+			DBG1(DBG_TLS, "selected TLS crypter %N not supported",
+				 encryption_algorithm_names, algs->encr);
+			return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
+	private_tls_crypto_t *this, tls_cipher_suite_t *suites, int count,
+	key_type_t key)
+{
+	suite_algs_t *algs;
+	int i, j;
+
+	for (i = 0; i < this->suite_count; i++)
+	{
+		for (j = 0; j < count; j++)
+		{
+			if (this->suites[i] == suites[j])
+			{
+				algs = find_suite(this->suites[i]);
+				if (algs)
+				{
+					if (key == KEY_ANY || key == algs->key)
+					{
+						if (create_ciphers(this, algs))
+						{
+							this->suite = this->suites[i];
+							return this->suite;
+						}
+					}
+				}
+			}
+		}
+	}
+	return 0;
+}
+
+METHOD(tls_crypto_t, get_dh_group, diffie_hellman_group_t,
+	private_tls_crypto_t *this)
+{
+	suite_algs_t *algs;
+
+	algs = find_suite(this->suite);
+	if (algs)
+	{
+		return algs->dh;
+	}
+	return MODP_NONE;
+}
+
+METHOD(tls_crypto_t, get_signature_algorithms, void,
+	private_tls_crypto_t *this, tls_writer_t *writer)
+{
+	tls_writer_t *supported;
+	enumerator_t *enumerator;
+	hash_algorithm_t alg;
+	tls_hash_algorithm_t hash;
+
+	supported = tls_writer_create(32);
+	enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
+	while (enumerator->enumerate(enumerator, &alg))
+	{
+		switch (alg)
+		{
+			case HASH_MD5:
+				hash = TLS_HASH_MD5;
+				break;
+			case HASH_SHA1:
+				hash = TLS_HASH_SHA1;
+				break;
+			case HASH_SHA224:
+				hash = TLS_HASH_SHA224;
+				break;
+			case HASH_SHA256:
+				hash = TLS_HASH_SHA256;
+				break;
+			case HASH_SHA384:
+				hash = TLS_HASH_SHA384;
+				break;
+			case HASH_SHA512:
+				hash = TLS_HASH_SHA512;
+				break;
+			default:
+				continue;
+		}
+		if (this->rsa)
+		{
+			supported->write_uint8(supported, hash);
+			supported->write_uint8(supported, TLS_SIG_RSA);
+		}
+		if (this->ecdsa && alg != HASH_MD5 && alg != HASH_SHA224)
+		{	/* currently we have no signature scheme for MD5/SHA224 */
+			supported->write_uint8(supported, hash);
+			supported->write_uint8(supported, TLS_SIG_ECDSA);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	writer->write_data16(writer, supported->get_buf(supported));
+	supported->destroy(supported);
+}
+
+/**
+ * Mapping groups to TLS named curves
+ */
+static struct {
+	diffie_hellman_group_t group;
+	tls_named_curve_t curve;
+} curves[] = {
+	{ ECP_256_BIT, TLS_SECP256R1},
+	{ ECP_384_BIT, TLS_SECP384R1},
+	{ ECP_521_BIT, TLS_SECP521R1},
+	{ ECP_224_BIT, TLS_SECP224R1},
+	{ ECP_192_BIT, TLS_SECP192R1},
+};
+
+/**
+ * Filter EC groups, add TLS curve
+ */
+static bool group_filter(void *null,
+						diffie_hellman_group_t *in, diffie_hellman_group_t *out,
+						void* dummy1, tls_named_curve_t *curve)
+{
+	int i;
+
+	for (i = 0; i < countof(curves); i++)
+	{
+		if (curves[i].group == *in)
+		{
+			if (out)
+			{
+				*out = curves[i].group;
+			}
+			if (curve)
+			{
+				*curve = curves[i].curve;
+			}
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(tls_crypto_t, create_ec_enumerator, enumerator_t*,
+	private_tls_crypto_t *this)
+{
+	return enumerator_create_filter(
+					lib->crypto->create_dh_enumerator(lib->crypto),
+					(void*)group_filter, NULL, NULL);
+}
+
+METHOD(tls_crypto_t, set_protection, void,
+	private_tls_crypto_t *this, tls_protection_t *protection)
+{
+	this->protection = protection;
+}
+
+METHOD(tls_crypto_t, append_handshake, void,
+	private_tls_crypto_t *this, tls_handshake_type_t type, chunk_t data)
+{
+	u_int32_t header;
+
+	/* reconstruct handshake header */
+	header = htonl(data.len | (type << 24));
+	this->handshake = chunk_cat("mcc", this->handshake,
+								chunk_from_thing(header), data);
+}
+
+/**
+ * Create a hash using the suites HASH algorithm
+ */
+static bool hash_data(private_tls_crypto_t *this, chunk_t data, chunk_t *hash)
+{
+	if (this->tls->get_version(this->tls) >= TLS_1_2)
+	{
+		hasher_t *hasher;
+		suite_algs_t *alg;
+
+		alg = find_suite(this->suite);
+		if (!alg)
+		{
+			return FALSE;
+		}
+		hasher = lib->crypto->create_hasher(lib->crypto, alg->hash);
+		if (!hasher)
+		{
+			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, alg->hash);
+			return FALSE;
+		}
+		hasher->allocate_hash(hasher, data, hash);
+		hasher->destroy(hasher);
+	}
+	else
+	{
+		hasher_t *md5, *sha1;
+		char buf[HASH_SIZE_MD5 + HASH_SIZE_SHA1];
+
+		md5 = lib->crypto->create_hasher(lib->crypto, HASH_MD5);
+		if (!md5)
+		{
+			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_MD5);
+			return FALSE;
+		}
+		md5->get_hash(md5, data, buf);
+		md5->destroy(md5);
+		sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+		if (!sha1)
+		{
+			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names, HASH_SHA1);
+			return FALSE;
+		}
+		sha1->get_hash(sha1, data, buf + HASH_SIZE_MD5);
+		sha1->destroy(sha1);
+
+		*hash = chunk_clone(chunk_from_thing(buf));
+	}
+	return TRUE;
+}
+
+/**
+ * Get the signature scheme from a TLS 1.2 hash/sig algorithm pair
+ */
+static signature_scheme_t hashsig_to_scheme(key_type_t type,
+					tls_hash_algorithm_t hash, tls_signature_algorithm_t sig)
+{
+	switch (sig)
+	{
+		case TLS_SIG_RSA:
+			if (type != KEY_RSA)
+			{
+				return SIGN_UNKNOWN;
+			}
+			switch (hash)
+			{
+				case TLS_HASH_MD5:
+					return SIGN_RSA_EMSA_PKCS1_MD5;
+				case TLS_HASH_SHA1:
+					return SIGN_RSA_EMSA_PKCS1_SHA1;
+				case TLS_HASH_SHA224:
+					return SIGN_RSA_EMSA_PKCS1_SHA224;
+				case TLS_HASH_SHA256:
+					return SIGN_RSA_EMSA_PKCS1_SHA256;
+				case TLS_HASH_SHA384:
+					return SIGN_RSA_EMSA_PKCS1_SHA384;
+				case TLS_HASH_SHA512:
+					return SIGN_RSA_EMSA_PKCS1_SHA512;
+				default:
+					return SIGN_UNKNOWN;
+			}
+		case TLS_SIG_ECDSA:
+			if (type != KEY_ECDSA)
+			{
+				return SIGN_UNKNOWN;
+			}
+			switch (hash)
+			{
+				case TLS_HASH_SHA224:
+					return SIGN_ECDSA_WITH_SHA1_DER;
+				case TLS_HASH_SHA256:
+					return SIGN_ECDSA_WITH_SHA256_DER;
+				case TLS_HASH_SHA384:
+					return SIGN_ECDSA_WITH_SHA384_DER;
+				case TLS_HASH_SHA512:
+					return SIGN_ECDSA_WITH_SHA512_DER;
+				default:
+					return SIGN_UNKNOWN;
+			}
+		default:
+			return SIGN_UNKNOWN;
+	}
+}
+
+METHOD(tls_crypto_t, sign, bool,
+	private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
+	chunk_t data, chunk_t hashsig)
+{
+	if (this->tls->get_version(this->tls) >= TLS_1_2)
+	{
+		signature_scheme_t scheme;
+		tls_reader_t *reader;
+		u_int8_t hash, alg;
+		chunk_t sig;
+		bool done = FALSE;
+
+		if (!hashsig.len)
+		{	/* fallback if none given */
+			hashsig = chunk_from_chars(
+				TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
+		}
+		reader = tls_reader_create(hashsig);
+		while (reader->remaining(reader) >= 2)
+		{
+			if (reader->read_uint8(reader, &hash) &&
+				reader->read_uint8(reader, &alg))
+			{
+				scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
+				if (scheme != SIGN_UNKNOWN &&
+					key->sign(key, scheme, data, &sig))
+				{
+					done = TRUE;
+					break;
+				}
+			}
+		}
+		reader->destroy(reader);
+		if (!done)
+		{
+			DBG1(DBG_TLS, "none of the proposed hash/sig algorithms supported");
+			return FALSE;
+		}
+		DBG2(DBG_TLS, "created signature with %N/%N",
+			 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
+		writer->write_uint8(writer, hash);
+		writer->write_uint8(writer, alg);
+		writer->write_data16(writer, sig);
+		free(sig.ptr);
+	}
+	else
+	{
+		chunk_t sig, hash;
+		bool done;
+
+		switch (key->get_type(key))
+		{
+			case KEY_RSA:
+				if (!hash_data(this, data, &hash))
+				{
+					return FALSE;
+				}
+				done = key->sign(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, &sig);
+				free(hash.ptr);
+				if (!done)
+				{
+					return FALSE;
+				}
+				DBG2(DBG_TLS, "created signature with MD5+SHA1/RSA");
+				break;
+			case KEY_ECDSA:
+				if (!key->sign(key, SIGN_ECDSA_WITH_SHA1_DER, data, &sig))
+				{
+					return FALSE;
+				}
+				DBG2(DBG_TLS, "created signature with SHA1/ECDSA");
+				break;
+			default:
+				return FALSE;
+		}
+		writer->write_data16(writer, sig);
+		free(sig.ptr);
+	}
+	return TRUE;
+}
+
+METHOD(tls_crypto_t, verify, bool,
+	private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader,
+	chunk_t data)
+{
+	if (this->tls->get_version(this->tls) >= TLS_1_2)
+	{
+		signature_scheme_t scheme = SIGN_UNKNOWN;
+		u_int8_t hash, alg;
+		chunk_t sig;
+
+		if (!reader->read_uint8(reader, &hash) ||
+			!reader->read_uint8(reader, &alg) ||
+			!reader->read_data16(reader, &sig))
+		{
+			DBG1(DBG_TLS, "received invalid signature");
+			return FALSE;
+		}
+		scheme = hashsig_to_scheme(key->get_type(key), hash, alg);
+		if (scheme == SIGN_UNKNOWN)
+		{
+			DBG1(DBG_TLS, "signature algorithms %N/%N not supported",
+				 tls_hash_algorithm_names, hash,
+				 tls_signature_algorithm_names, alg);
+			return FALSE;
+		}
+		if (!key->verify(key, scheme, data, sig))
+		{
+			return FALSE;
+		}
+		DBG2(DBG_TLS, "verified signature with %N/%N",
+			 tls_hash_algorithm_names, hash, tls_signature_algorithm_names, alg);
+	}
+	else
+	{
+		chunk_t sig, hash;
+		bool done;
+
+		if (!reader->read_data16(reader, &sig))
+		{
+			DBG1(DBG_TLS, "received invalid signature");
+			return FALSE;
+		}
+		switch (key->get_type(key))
+		{
+			case KEY_RSA:
+				if (!hash_data(this, data, &hash))
+				{
+					return FALSE;
+				}
+				done = key->verify(key, SIGN_RSA_EMSA_PKCS1_NULL, hash, sig);
+				free(hash.ptr);
+				if (!done)
+				{
+					return FALSE;
+				}
+				DBG2(DBG_TLS, "verified signature data with MD5+SHA1/RSA");
+				break;
+			case KEY_ECDSA:
+				if (!key->verify(key, SIGN_ECDSA_WITH_SHA1_DER, data, sig))
+				{
+					return FALSE;
+				}
+				DBG2(DBG_TLS, "verified signature with SHA1/ECDSA");
+				break;
+			default:
+				return FALSE;
+		}
+	}
+	return TRUE;
+}
+
+METHOD(tls_crypto_t, sign_handshake, bool,
+	private_tls_crypto_t *this, private_key_t *key, tls_writer_t *writer,
+	chunk_t hashsig)
+{
+	return sign(this, key, writer, this->handshake, hashsig);
+}
+
+METHOD(tls_crypto_t, verify_handshake, bool,
+	private_tls_crypto_t *this, public_key_t *key, tls_reader_t *reader)
+{
+	return verify(this, key, reader, this->handshake);
+}
+
+METHOD(tls_crypto_t, calculate_finished, bool,
+	private_tls_crypto_t *this, char *label, char out[12])
+{
+	chunk_t seed;
+
+	if (!this->prf)
+	{
+		return FALSE;
+	}
+	if (!hash_data(this, this->handshake, &seed))
+	{
+		return FALSE;
+	}
+	this->prf->get_bytes(this->prf, label, seed, 12, out);
+	free(seed.ptr);
+	return TRUE;
+}
+
+METHOD(tls_crypto_t, derive_secrets, void,
+	private_tls_crypto_t *this, chunk_t premaster,
+	chunk_t client_random, chunk_t server_random)
+{
+	char master[48];
+	chunk_t seed, block, client_write, server_write;
+	int mks, eks = 0, ivs = 0;
+
+	/* derive master secret */
+	seed = chunk_cata("cc", client_random, server_random);
+	this->prf->set_key(this->prf, premaster);
+	this->prf->get_bytes(this->prf, "master secret", seed,
+						 sizeof(master), master);
+
+	this->prf->set_key(this->prf, chunk_from_thing(master));
+	memset(master, 0, sizeof(master));
+
+	/* derive key block for key expansion */
+	mks = this->signer_out->get_key_size(this->signer_out);
+	if (this->crypter_out)
+	{
+		eks = this->crypter_out->get_key_size(this->crypter_out);
+		if (this->tls->get_version(this->tls) < TLS_1_1)
+		{
+			ivs = this->crypter_out->get_iv_size(this->crypter_out);
+		}
+	}
+	seed = chunk_cata("cc", server_random, client_random);
+	block = chunk_alloca((mks + eks + ivs) * 2);
+	this->prf->get_bytes(this->prf, "key expansion", seed, block.len, block.ptr);
+
+	/* signer keys */
+	client_write = chunk_create(block.ptr, mks);
+	block = chunk_skip(block, mks);
+	server_write = chunk_create(block.ptr, mks);
+	block = chunk_skip(block, mks);
+	if (this->tls->is_server(this->tls))
+	{
+		this->signer_in->set_key(this->signer_in, client_write);
+		this->signer_out->set_key(this->signer_out, server_write);
+	}
+	else
+	{
+		this->signer_out->set_key(this->signer_out, client_write);
+		this->signer_in->set_key(this->signer_in, server_write);
+	}
+
+	/* crypter keys, and IVs if < TLSv1.2 */
+	if (this->crypter_out && this->crypter_in)
+	{
+		client_write = chunk_create(block.ptr, eks);
+		block = chunk_skip(block, eks);
+		server_write = chunk_create(block.ptr, eks);
+		block = chunk_skip(block, eks);
+
+		if (this->tls->is_server(this->tls))
+		{
+			this->crypter_in->set_key(this->crypter_in, client_write);
+			this->crypter_out->set_key(this->crypter_out, server_write);
+		}
+		else
+		{
+			this->crypter_out->set_key(this->crypter_out, client_write);
+			this->crypter_in->set_key(this->crypter_in, server_write);
+		}
+		if (ivs)
+		{
+			client_write = chunk_create(block.ptr, ivs);
+			block = chunk_skip(block, ivs);
+			server_write = chunk_create(block.ptr, ivs);
+			block = chunk_skip(block, ivs);
+
+			if (this->tls->is_server(this->tls))
+			{
+				this->iv_in = chunk_clone(client_write);
+				this->iv_out = chunk_clone(server_write);
+			}
+			else
+			{
+				this->iv_out = chunk_clone(client_write);
+				this->iv_in = chunk_clone(server_write);
+			}
+		}
+	}
+}
+
+METHOD(tls_crypto_t, change_cipher, void,
+	private_tls_crypto_t *this, bool inbound)
+{
+	if (this->protection)
+	{
+		if (inbound)
+		{
+			this->protection->set_cipher(this->protection, TRUE,
+							this->signer_in, this->crypter_in, this->iv_in);
+		}
+		else
+		{
+			this->protection->set_cipher(this->protection, FALSE,
+							this->signer_out, this->crypter_out, this->iv_out);
+		}
+	}
+}
+
+METHOD(tls_crypto_t, derive_eap_msk, void,
+	private_tls_crypto_t *this, chunk_t client_random, chunk_t server_random)
+{
+	if (this->msk_label)
+	{
+		chunk_t seed;
+
+		seed = chunk_cata("cc", client_random, server_random);
+		free(this->msk.ptr);
+		this->msk = chunk_alloc(64);
+		this->prf->get_bytes(this->prf, this->msk_label, seed,
+							 this->msk.len, this->msk.ptr);
+	}
+}
+
+METHOD(tls_crypto_t, get_eap_msk, chunk_t,
+	private_tls_crypto_t *this)
+{
+	return this->msk;
+}
+
+METHOD(tls_crypto_t, destroy, void,
+	private_tls_crypto_t *this)
+{
+	DESTROY_IF(this->signer_in);
+	DESTROY_IF(this->signer_out);
+	DESTROY_IF(this->crypter_in);
+	DESTROY_IF(this->crypter_out);
+	free(this->iv_in.ptr);
+	free(this->iv_out.ptr);
+	free(this->handshake.ptr);
+	free(this->msk.ptr);
+	DESTROY_IF(this->prf);
+	free(this->suites);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_crypto_t *tls_crypto_create(tls_t *tls)
+{
+	private_tls_crypto_t *this;
+	enumerator_t *enumerator;
+	credential_type_t type;
+	int subtype;
+
+	INIT(this,
+		.public = {
+			.get_cipher_suites = _get_cipher_suites,
+			.select_cipher_suite = _select_cipher_suite,
+			.get_dh_group = _get_dh_group,
+			.get_signature_algorithms = _get_signature_algorithms,
+			.create_ec_enumerator = _create_ec_enumerator,
+			.set_protection = _set_protection,
+			.append_handshake = _append_handshake,
+			.sign = _sign,
+			.verify = _verify,
+			.sign_handshake = _sign_handshake,
+			.verify_handshake = _verify_handshake,
+			.calculate_finished = _calculate_finished,
+			.derive_secrets = _derive_secrets,
+			.change_cipher = _change_cipher,
+			.derive_eap_msk = _derive_eap_msk,
+			.get_eap_msk = _get_eap_msk,
+			.destroy = _destroy,
+		},
+		.tls = tls,
+	);
+
+	enumerator = lib->creds->create_builder_enumerator(lib->creds);
+	while (enumerator->enumerate(enumerator, &type, &subtype))
+	{
+		if (type == CRED_PUBLIC_KEY)
+		{
+			switch (subtype)
+			{
+				case KEY_RSA:
+					this->rsa = TRUE;
+					break;
+				case KEY_ECDSA:
+					this->ecdsa = TRUE;
+					break;
+				default:
+					break;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	switch (tls->get_purpose(tls))
+	{
+		case TLS_PURPOSE_EAP_TLS:
+			/* MSK PRF ASCII constant label according to EAP-TLS RFC 5216 */
+			this->msk_label = "client EAP encryption";
+			build_cipher_suite_list(this, FALSE);
+			break;
+		case TLS_PURPOSE_EAP_TTLS:
+			/* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
+			this->msk_label = "ttls keying material";
+			build_cipher_suite_list(this, TRUE);
+			break;
+		case TLS_PURPOSE_GENERIC:
+			build_cipher_suite_list(this, TRUE);
+			break;
+		default:
+			break;
+	}
+	return &this->public;
+}
diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h
new file mode 100644
index 000000000..f57b8f3e1
--- /dev/null
+++ b/src/libtls/tls_crypto.h
@@ -0,0 +1,554 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_crypto tls_crypto
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_CRYPTO_H_
+#define TLS_CRYPTO_H_
+
+typedef struct tls_crypto_t tls_crypto_t;
+typedef enum tls_cipher_suite_t tls_cipher_suite_t;
+typedef enum tls_hash_algorithm_t tls_hash_algorithm_t;
+typedef enum tls_signature_algorithm_t tls_signature_algorithm_t;
+typedef enum tls_client_certificate_type_t tls_client_certificate_type_t;
+typedef enum tls_ecc_curve_type_t tls_ecc_curve_type_t;
+typedef enum tls_named_curve_t tls_named_curve_t;
+typedef enum tls_ansi_point_format_t tls_ansi_point_format_t;
+typedef enum tls_ec_point_format_t tls_ec_point_format_t;
+
+#include "tls.h"
+#include "tls_prf.h"
+#include "tls_protection.h"
+
+#include <library.h>
+
+#include <credentials/keys/private_key.h>
+
+/**
+ * TLS cipher suites
+ */
+enum tls_cipher_suite_t {
+	TLS_NULL_WITH_NULL_NULL =					0x0000,
+	TLS_RSA_WITH_NULL_MD5 =						0x0001,
+	TLS_RSA_WITH_NULL_SHA =						0x0002,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5 =			0x0003,
+	TLS_RSA_WITH_RC4_128_MD5 =					0x0004,
+	TLS_RSA_WITH_RC4_128_SHA =					0x0005,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 =		0x0006,
+	TLS_RSA_WITH_IDEA_CBC_SHA =					0x0007,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA =			0x0008,
+	TLS_RSA_WITH_DES_CBC_SHA =					0x0009,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA =				0x000A,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 		0x000B,
+	TLS_DH_DSS_WITH_DES_CBC_SHA =				0x000C,
+	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA =			0x000D,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA =		0x000E,
+	TLS_DH_RSA_WITH_DES_CBC_SHA = 				0x000F,
+	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA =			0x0010,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 	0x0011,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA =				0x0012,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA =			0x0013,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA =		0x0014,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA =				0x0015,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA =			0x0016,
+	TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 =		0x0017,
+	TLS_DH_anon_WITH_RC4_128_MD5 =				0x0018,
+	TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA =		0x0019,
+	TLS_DH_anon_WITH_DES_CBC_SHA =				0x001A,
+	TLS_DH_anon_WITH_3DES_EDE_CBC_SHA =			0x001B,
+
+	TLS_KRB5_WITH_DES_CBC_SHA =					0x001E,
+	TLS_KRB5_WITH_3DES_EDE_CBC_SHA =			0x001F,
+	TLS_KRB5_WITH_RC4_128_SHA =					0x0020,
+	TLS_KRB5_WITH_IDEA_CBC_SHA =				0x0021,
+	TLS_KRB5_WITH_DES_CBC_MD5 =					0x0022,
+	TLS_KRB5_WITH_3DES_EDE_CBC_MD5 =			0x0023,
+	TLS_KRB5_WITH_RC4_128_MD5 =					0x0024,
+	TLS_KRB5_WITH_IDEA_CBC_MD5 =				0x0025,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA =		0x0026,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA =		0x0027,
+	TLS_KRB5_EXPORT_WITH_RC4_40_SHA =			0x0028,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 =		0x0029,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 =		0x002A,
+	TLS_KRB5_EXPORT_WITH_RC4_40_MD5 =			0x002B,
+	TLS_PSK_WITH_NULL_SHA =						0x002C,
+	TLS_DHE_PSK_WITH_NULL_SHA =					0x002D,
+	TLS_RSA_PSK_WITH_NULL_SHA =					0x002E,
+	TLS_RSA_WITH_AES_128_CBC_SHA =				0x002F,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA =			0x0030,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA =			0x0031,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA =			0x0032,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA =			0x0033,
+	TLS_DH_anon_WITH_AES_128_CBC_SHA =			0x0034,
+	TLS_RSA_WITH_AES_256_CBC_SHA =				0x0035,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA =			0x0036,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA =			0x0037,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA =			0x0038,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA =			0x0039,
+	TLS_DH_anon_WITH_AES_256_CBC_SHA =			0x003A,
+	TLS_RSA_WITH_NULL_SHA256 =					0x003B,
+	TLS_RSA_WITH_AES_128_CBC_SHA256 =			0x003C,
+	TLS_RSA_WITH_AES_256_CBC_SHA256 =			0x003D,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA256 =		0x003E,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA256 =		0x003F,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 =		0x0040,
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA =			0x0041,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA =		0x0042,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA =		0x0043,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 	0x0044,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA =		0x0045,
+	TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA =		0x0046,
+
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 =		0x0067,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA256 =		0x0068,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA256 =		0x0069,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 =		0x006A,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 =		0x006B,
+	TLS_DH_anon_WITH_AES_128_CBC_SHA256 =		0x006C,
+	TLS_DH_anon_WITH_AES_256_CBC_SHA256 =		0x006D,
+
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA =			0x0084,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA =		0x0085,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA =		0x0086,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA =		0x0087,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 	0x0088,
+	TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 	0x0089,
+	TLS_PSK_WITH_RC4_128_SHA =					0x008A,
+	TLS_PSK_WITH_3DES_EDE_CBC_SHA =				0x008B,
+	TLS_PSK_WITH_AES_128_CBC_SHA =				0x008C,
+	TLS_PSK_WITH_AES_256_CBC_SHA =				0x008D,
+	TLS_DHE_PSK_WITH_RC4_128_SHA =				0x008E,
+	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA =			0x008F,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA =			0x0090,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA =			0x0091,
+	TLS_RSA_PSK_WITH_RC4_128_SHA =				0x0092,
+	TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA =			0x0093,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA =			0x0094,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA =			0x0095,
+	TLS_RSA_WITH_SEED_CBC_SHA =					0x0096,
+	TLS_DH_DSS_WITH_SEED_CBC_SHA =				0x0097,
+	TLS_DH_RSA_WITH_SEED_CBC_SHA =				0x0098,
+	TLS_DHE_DSS_WITH_SEED_CBC_SHA =				0x0099,
+	TLS_DHE_RSA_WITH_SEED_CBC_SHA =				0x009A,
+	TLS_DH_anon_WITH_SEED_CBC_SHA =				0x009B,
+	TLS_RSA_WITH_AES_128_GCM_SHA256 =			0x009C,
+	TLS_RSA_WITH_AES_256_GCM_SHA384 =			0x009D,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 =		0x009E,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 =		0x009F,
+	TLS_DH_RSA_WITH_AES_128_GCM_SHA256 =		0x00A0,
+	TLS_DH_RSA_WITH_AES_256_GCM_SHA384 =		0x00A1,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 =		0x00A2,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 =		0x00A3,
+	TLS_DH_DSS_WITH_AES_128_GCM_SHA256 =		0x00A4,
+	TLS_DH_DSS_WITH_AES_256_GCM_SHA384 =		0x00A5,
+	TLS_DH_anon_WITH_AES_128_GCM_SHA256 =		0x00A6,
+	TLS_DH_anon_WITH_AES_256_GCM_SHA384 =		0x00A7,
+	TLS_PSK_WITH_AES_128_GCM_SHA256 =			0x00A8,
+	TLS_PSK_WITH_AES_256_GCM_SHA384 =			0x00A9,
+	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 =		0x00AA,
+	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 =		0x00AB,
+	TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 =		0x00AC,
+	TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 =		0x00AD,
+	TLS_PSK_WITH_AES_128_CBC_SHA256 =			0x00AE,
+	TLS_PSK_WITH_AES_256_CBC_SHA384 =			0x00AF,
+	TLS_PSK_WITH_NULL_SHA256 =					0x00B0,
+	TLS_PSK_WITH_NULL_SHA384 =					0x00B1,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 =		0x00B2,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 =		0x00B3,
+	TLS_DHE_PSK_WITH_NULL_SHA256 =				0x00B4,
+	TLS_DHE_PSK_WITH_NULL_SHA384 =				0x00B5,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 =		0x00B6,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 =		0x00B7,
+	TLS_RSA_PSK_WITH_NULL_SHA256 =				0x00B8,
+	TLS_RSA_PSK_WITH_NULL_SHA384 =				0x00B9,
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 =		0x00BA,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 =	0x00BB,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 =	0x00BC,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 =	0x00BD,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 =	0x00BE,
+	TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 =	0x00BF,
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 =		0x00C0,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 =	0x00C1,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 =	0x00C2,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 =	0x00C3,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 =	0x00C4,
+	TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 =	0x00C5,
+
+	TLS_EMPTY_RENEGOTIATION_INFO_SCSV =			0x00FF,
+
+	TLS_ECDH_ECDSA_WITH_NULL_SHA =				0xC001,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA =			0xC002,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA =		0xC003,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA =		0xC004,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA =		0xC005,
+	TLS_ECDHE_ECDSA_WITH_NULL_SHA =				0xC006,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA =			0xC007,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA =		0xC008,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA =		0xC009,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA =		0xC00A,
+	TLS_ECDH_RSA_WITH_NULL_SHA =				0xC00B,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA =				0xC00C,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA =		0xC00D,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA =			0xC00E,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA =			0xC00F,
+	TLS_ECDHE_RSA_WITH_NULL_SHA =				0xC010,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA =			0xC011,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA =		0xC012,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA =		0xC013,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA =		0xC014,
+	TLS_ECDH_anon_WITH_NULL_SHA =				0xC015,
+	TLS_ECDH_anon_WITH_RC4_128_SHA =			0xC016,
+	TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA =		0xC017,
+	TLS_ECDH_anon_WITH_AES_128_CBC_SHA =		0xC018,
+	TLS_ECDH_anon_WITH_AES_256_CBC_SHA =		0xC019,
+	TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA =			0xC01A,
+	TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA =		0xC01B,
+	TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA =		0xC01C,
+	TLS_SRP_SHA_WITH_AES_128_CBC_SHA =			0xC01D,
+	TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA =		0xC01E,
+	TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA =		0xC01F,
+	TLS_SRP_SHA_WITH_AES_256_CBC_SHA =			0xC020,
+	TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA =		0xC021,
+	TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA =		0xC022,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 =	0xC023,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 =	0xC024,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 =	0xC025,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 =	0xC026,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 =		0xC027,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 =		0xC028,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 =		0xC029,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 =		0xC02A,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 =	0xC02B,
+	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 =	0xC02C,
+	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 =	0xC02D,
+	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 =	0xC02E,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 =		0xC02F,
+	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 =		0xC030,
+	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 =		0xC031,
+	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 =		0xC032,
+	TLS_ECDHE_PSK_WITH_RC4_128_SHA =			0xC033,
+	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA =		0xC034,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA =		0xC035,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA =		0xC036,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 =		0xC037,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 =		0xC038,
+	TLS_ECDHE_PSK_WITH_NULL_SHA =				0xC039,
+	TLS_ECDHE_PSK_WITH_NULL_SHA256 =			0xC03A,
+	TLS_ECDHE_PSK_WITH_NULL_SHA384 =			0xC03B
+};
+
+/**
+ * Enum names for tls_cipher_suite_t
+ */
+extern enum_name_t *tls_cipher_suite_names;
+
+/**
+ * TLS HashAlgorithm identifiers
+ */
+enum tls_hash_algorithm_t {
+	TLS_HASH_NONE =		0,
+	TLS_HASH_MD5 =		1,
+	TLS_HASH_SHA1 =		2,
+	TLS_HASH_SHA224 =	3,
+	TLS_HASH_SHA256 =	4,
+	TLS_HASH_SHA384 =	5,
+	TLS_HASH_SHA512 =	6,
+};
+
+/**
+ * Enum names for tls_hash_algorithm_t
+ */
+extern enum_name_t *tls_hash_algorithm_names;
+
+/**
+ * TLS SignatureAlgorithm identifiers
+ */
+enum tls_signature_algorithm_t {
+	TLS_SIG_RSA =		1,
+	TLS_SIG_DSA =		2,
+	TLS_SIG_ECDSA =		3,
+};
+
+/**
+ * Enum names for tls_signature_algorithm_t
+ */
+extern enum_name_t *tls_signature_algorithm_names;
+
+/**
+ * TLS ClientCertificateType
+ */
+enum tls_client_certificate_type_t {
+	TLS_RSA_SIGN =			1,
+	TLS_DSA_SIGN =			2,
+	TLS_RSA_FIXED_DH =		3,
+	TLS_DSS_FIXED_DH =		4,
+	TLS_RSA_EPHEMERAL_DH =	5,
+	TLS_DSS_EPHEMERAL_DH =	6,
+	TLS_FORTEZZA_DMS =		20,
+	TLS_ECDSA_SIGN =		64,
+	TLS_RSA_FIXED_ECDH =	65,
+	TLS_ECDSA_FIXED_ECDH =	66,
+};
+
+/**
+ * Enum names for tls_client_certificate_type_t
+ */
+extern enum_name_t *tls_client_certificate_type_names;
+
+/**
+ * TLS EccCurveType
+ */
+enum tls_ecc_curve_type_t {
+	TLS_ECC_EXPLICIT_PRIME =	1,
+	TLS_ECC_EXPLICIT_CHAR2 =	2,
+	TLS_ECC_NAMED_CURVE =		3,
+};
+
+/**
+ * Enum names for tls_ecc_curve_type_t
+ */
+extern enum_name_t *tls_ecc_curve_type_names;
+
+/**
+ * TLS Named Curve identifiers
+ */
+enum tls_named_curve_t {
+	TLS_SECT163K1 =		 1,
+	TLS_SECT163R1 =		 2,
+	TLS_SECT163R2 =		 3,
+	TLS_SECT193R1 =		 4,
+	TLS_SECT193R2 =		 5,
+	TLS_SECT233K1 =		 6,
+	TLS_SECT233R1 =		 7,
+	TLS_SECT239K1 =		 8,
+	TLS_SECT283K1 =		 9,
+	TLS_SECT283R1 =		10,
+	TLS_SECT409K1 =		11,
+	TLS_SECT409R1 =		12,
+	TLS_SECT571K1 =		13,
+	TLS_SECT571R1 =		14,
+	TLS_SECP160K1 =		15,
+	TLS_SECP160R1 =		16,
+	TLS_SECP160R2 =		17,
+	TLS_SECP192K1 =		18,
+	TLS_SECP192R1 =		19,
+	TLS_SECP224K1 =		20,
+	TLS_SECP224R1 =		21,
+	TLS_SECP256K1 =		22,
+	TLS_SECP256R1 =		23,
+	TLS_SECP384R1 =		24,
+	TLS_SECP521R1 =		25,
+};
+
+/**
+ * Enum names for tls_named_curve_t
+ */
+extern enum_name_t *tls_named_curve_names;
+
+/**
+ * EC Point format, ANSI X9.62.
+ */
+enum tls_ansi_point_format_t {
+	TLS_ANSI_COMPRESSED =	2,
+	TLS_ANSI_COMPRESSED_Y =	3,
+	TLS_ANSI_UNCOMPRESSED =	4,
+	TLS_ANSI_HYBRID =		6,
+	TLS_ANSI_HYBRID_Y =		7,
+};
+
+/**
+ * Enum names for tls_ansi_point_format_t.
+ */
+extern enum_name_t *tls_ansi_point_format_names;
+
+/**
+ * EC Point format, TLS specific identifiers.
+ */
+enum tls_ec_point_format_t {
+	TLS_EC_POINT_UNCOMPRESSED = 0,
+	TLS_EC_POINT_ANSIX962_COMPRESSED_PRIME = 1,
+	TLS_EC_POINT_ANSIX962_COMPRESSED_CHAR2 = 2,
+};
+
+/**
+ * Enum names for tls_ec_point_format_t.
+ */
+extern enum_name_t *tls_ec_point_format_names;
+
+/**
+ * TLS crypto helper functions.
+ */
+struct tls_crypto_t {
+
+	/**
+	 * Get a list of supported TLS cipher suites.
+	 *
+	 * @param suites		list of suites, points to internal data
+	 * @return				number of suites returned
+	 */
+	int (*get_cipher_suites)(tls_crypto_t *this, tls_cipher_suite_t **suites);
+
+	/**
+	 * Select and store a cipher suite from a given list of candidates.
+	 *
+	 * @param suites		list of candidates to select from
+	 * @param count			number of suites
+	 * @param key			key type used, or KEY_ANY
+	 * @return				selected suite, 0 if none acceptable
+	 */
+	tls_cipher_suite_t (*select_cipher_suite)(tls_crypto_t *this,
+										tls_cipher_suite_t *suites, int count,
+										key_type_t key);
+
+	/**
+	 * Get the Diffie-Hellman group to use, if any.
+	 *
+	 * @return				Diffie Hellman group, ord MODP_NONE
+	 */
+	diffie_hellman_group_t (*get_dh_group)(tls_crypto_t *this);
+
+	/**
+	 * Write the list of supported hash/sig algorithms to writer.
+	 *
+	 * @param writer		writer to write supported hash/sig algorithms
+	 */
+	void (*get_signature_algorithms)(tls_crypto_t *this, tls_writer_t *writer);
+
+	/**
+	 * Create an enumerator over supported ECDH groups.
+	 *
+	 * Enumerates over (diffie_hellman_group_t, tls_named_curve_t)
+	 *
+	 * @return				enumerator
+	 */
+	enumerator_t* (*create_ec_enumerator)(tls_crypto_t *this);
+
+	/**
+	 * Set the protection layer of the TLS stack to control it.
+	 *
+	 * @param protection		protection layer to work on
+	 */
+	void (*set_protection)(tls_crypto_t *this, tls_protection_t *protection);
+
+	/**
+	 * Store exchanged handshake data, used for cryptographic operations.
+	 *
+	 * @param type			handshake sub type
+	 * @param data			data to append to handshake buffer
+	 */
+	void (*append_handshake)(tls_crypto_t *this,
+							 tls_handshake_type_t type, chunk_t data);
+
+	/**
+	 * Sign a blob of data, append signature to writer.
+	 *
+	 * @param key			private key to use for signature
+	 * @param writer		TLS writer to write signature to
+	 * @param data			data to sign
+	 * @param hashsig		list of TLS1.2 hash/sig algorithms to select from
+	 * @return				TRUE if signature create successfully
+	 */
+	bool (*sign)(tls_crypto_t *this, private_key_t *key,
+				 tls_writer_t *writer, chunk_t data, chunk_t hashsig);
+
+	/**
+	 * Verify a blob of data, read signature from a reader.
+	 *
+	 * @param key			public key to verify signature with
+	 * @param reader		TLS reader to read signature from
+	 * @param data			data to verify signature
+	 * @return				TRUE if signature valid
+	 */
+	bool (*verify)(tls_crypto_t *this, public_key_t *key,
+				   tls_reader_t *reader, chunk_t data);
+
+	/**
+	 * Create a signature of the handshake data using a given private key.
+	 *
+	 * @param key			private key to use for signature
+	 * @param writer		TLS writer to write signature to
+	 * @param hashsig		list of TLS1.2 hash/sig algorithms to select from
+	 * @return				TRUE if signature create successfully
+	 */
+	bool (*sign_handshake)(tls_crypto_t *this, private_key_t *key,
+						   tls_writer_t *writer, chunk_t hashsig);
+
+	/**
+	 * Verify the signature over handshake data using a given public key.
+	 *
+	 * @param key			public key to verify signature with
+	 * @param reader		TLS reader to read signature from
+	 * @return				TRUE if signature valid
+	 */
+	bool (*verify_handshake)(tls_crypto_t *this, public_key_t *key,
+							 tls_reader_t *reader);
+
+	/**
+	 * Calculate the data of a TLS finished message.
+	 *
+	 * @param label			ASCII label to use for calculation
+	 * @param out			buffer to write finished data to
+	 * @return				TRUE if calculation successful
+	 */
+	bool (*calculate_finished)(tls_crypto_t *this, char *label, char out[12]);
+
+	/**
+	 * Derive the master secret, MAC and encryption keys.
+	 *
+	 * @param premaster		premaster secret
+	 * @param client_random	random data from client hello
+	 * @param server_random	random data from server hello
+	 */
+	void (*derive_secrets)(tls_crypto_t *this, chunk_t premaster,
+						   chunk_t client_random, chunk_t server_random);
+
+	/**
+	 * Change the cipher used at protection layer.
+	 *
+	 * @param inbound		TRUE to change inbound cipher, FALSE for outbound
+	 */
+	void (*change_cipher)(tls_crypto_t *this, bool inbound);
+
+	/**
+	 * Derive the EAP-TLS MSK.
+	 *
+	 * @param client_random	random data from client hello
+	 * @param server_random	random data from server hello
+	 */
+	void (*derive_eap_msk)(tls_crypto_t *this,
+						   chunk_t client_random, chunk_t server_random);
+
+	/**
+	 * Get the MSK to use in EAP-TLS.
+	 *
+	 * @return				MSK, points to internal data
+	 */
+	chunk_t (*get_eap_msk)(tls_crypto_t *this);
+
+	/**
+	 * Destroy a tls_crypto_t.
+	 */
+	void (*destroy)(tls_crypto_t *this);
+};
+
+/**
+ * Create a tls_crypto instance.
+ */
+tls_crypto_t *tls_crypto_create(tls_t *tls);
+
+#endif /** TLS_CRYPTO_H_ @}*/
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
new file mode 100644
index 000000000..a8c3a5053
--- /dev/null
+++ b/src/libtls/tls_eap.c
@@ -0,0 +1,379 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_eap.h"
+
+#include "tls.h"
+
+#include <debug.h>
+#include <library.h>
+
+/** Size limit for a single TLS message */
+#define MAX_TLS_MESSAGE_LEN 65536
+
+typedef struct private_tls_eap_t private_tls_eap_t;
+
+/**
+ * Private data of an tls_eap_t object.
+ */
+struct private_tls_eap_t {
+
+	/**
+	 * Public tls_eap_t interface.
+	 */
+	tls_eap_t public;
+
+	/**
+	 * Type of EAP method, EAP-TLS, EAP-TTLS, or EAP-TNC
+	 */
+	eap_type_t type;
+
+	/**
+	 * TLS stack
+	 */
+	tls_t *tls;
+
+	/**
+	 * Role
+	 */
+	bool is_server;
+
+	/**
+	 * First fragment of a multi-fragment record?
+	 */
+	bool first_fragment;
+
+	/**
+	 * Maximum size of an outgoing EAP-TLS fragment
+	 */
+	size_t frag_size;
+
+	/**
+	 * Number of EAP messages/fragments processed so far
+	 */
+	int processed;
+
+	/**
+	 * Maximum number of processed EAP messages/fragments 
+	 */
+	int max_msg_count;
+};
+
+/**
+ * Flags of an EAP-TLS/TTLS/TNC message
+ */
+typedef enum {
+	EAP_TLS_LENGTH = (1<<7),		/* shared with EAP-TTLS/TNC */
+	EAP_TLS_MORE_FRAGS = (1<<6),	/* shared with EAP-TTLS/TNC */
+	EAP_TLS_START = (1<<5),			/* shared with EAP-TTLS/TNC */
+	EAP_TTLS_VERSION = (0x07),		/* shared with EAP-TNC      */
+} eap_tls_flags_t;
+
+#define EAP_TTLS_SUPPORTED_VERSION	0
+#define EAP_TNC_SUPPORTED_VERSION	1
+
+/**
+ * EAP-TLS/TTLS packet format
+ */
+typedef struct __attribute__((packed)) {
+	u_int8_t code;
+	u_int8_t identifier;
+	u_int16_t length;
+	u_int8_t type;
+	u_int8_t flags;
+} eap_tls_packet_t;
+
+METHOD(tls_eap_t, initiate, status_t,
+	private_tls_eap_t *this, chunk_t *out)
+{
+	if (this->is_server)
+	{
+		eap_tls_packet_t pkt = {
+			.type = this->type,
+			.code = EAP_REQUEST,
+			.flags = EAP_TLS_START,
+		};
+		switch (this->type)
+		{
+			case EAP_TTLS:
+				pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
+				break;
+			case EAP_TNC:
+				pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
+				break;
+			default:
+				break;
+		}
+		htoun16(&pkt.length, sizeof(eap_tls_packet_t));
+		do
+		{	/* start with non-zero random identifier */
+			pkt.identifier = random();
+		}
+		while (!pkt.identifier);
+
+		DBG2(DBG_IKE, "sending %N start packet", eap_type_names, this->type);
+		*out = chunk_clone(chunk_from_thing(pkt));
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+/**
+ * Process a received packet
+ */
+static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
+{
+	u_int32_t msg_len;
+	u_int16_t pkt_len;
+
+	pkt_len = untoh16(&pkt->length);
+	if (pkt->flags & EAP_TLS_LENGTH)
+	{
+		if (pkt_len < sizeof(eap_tls_packet_t) + sizeof(msg_len))
+		{
+			DBG1(DBG_TLS, "%N packet too short", eap_type_names, this->type);
+			return FAILED;
+		}
+		msg_len = untoh32(pkt + 1);
+		if (msg_len < pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len) ||
+			msg_len > MAX_TLS_MESSAGE_LEN)
+		{
+			DBG1(DBG_TLS, "invalid %N packet length", eap_type_names, this->type);
+			return FAILED;
+		}
+		return this->tls->process(this->tls, (char*)(pkt + 1) + sizeof(msg_len),
+						pkt_len - sizeof(eap_tls_packet_t) - sizeof(msg_len));
+	}
+	return this->tls->process(this->tls, (char*)(pkt + 1),
+							  pkt_len - sizeof(eap_tls_packet_t));
+}
+
+/**
+ * Build a packet to send
+ */
+static status_t build_pkt(private_tls_eap_t *this,
+						  u_int8_t identifier, chunk_t *out)
+{
+	char buf[this->frag_size];
+	eap_tls_packet_t *pkt;
+	size_t len, reclen;
+	status_t status;
+	char *kind;
+
+	pkt = (eap_tls_packet_t*)buf;
+	pkt->code = this->is_server ? EAP_REQUEST : EAP_RESPONSE;
+	pkt->identifier = this->is_server ? identifier + 1 : identifier;
+	pkt->type = this->type;
+	pkt->flags = 0;
+
+	switch (this->type)
+	{
+		case EAP_TTLS:
+			pkt->flags |= EAP_TTLS_SUPPORTED_VERSION;
+			break;
+		case EAP_TNC:
+			pkt->flags |= EAP_TNC_SUPPORTED_VERSION;
+			break;
+		default:
+			break;
+	}
+
+	if (this->first_fragment)
+	{
+		pkt->flags |= EAP_TLS_LENGTH;
+		len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
+		status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t) +
+								  sizeof(u_int32_t), &len, &reclen);
+	}
+	else
+	{
+		len = sizeof(buf) - sizeof(eap_tls_packet_t);
+		status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t),
+								  &len, &reclen);
+	}
+	switch (status)
+	{
+		case NEED_MORE:
+			pkt->flags |= EAP_TLS_MORE_FRAGS;
+			kind = "further fragment";
+			if (this->first_fragment)
+			{
+				this->first_fragment = FALSE;
+				kind = "first fragment";
+			}
+			break;
+		case ALREADY_DONE:
+			kind = "packet";
+			if (!this->first_fragment)
+			{
+				this->first_fragment = TRUE;
+				kind = "final fragment";
+			}
+			break;
+		default:
+			return status;
+	}
+	DBG2(DBG_TLS, "sending %N %s (%u bytes)",
+		 eap_type_names, this->type, kind, len);
+	if (reclen)
+	{
+		htoun32(pkt + 1, reclen);
+		len += sizeof(u_int32_t);
+		pkt->flags |= EAP_TLS_LENGTH;
+	}
+	len += sizeof(eap_tls_packet_t);
+	htoun16(&pkt->length, len);
+	*out = chunk_clone(chunk_create(buf, len));
+	return NEED_MORE;
+}
+
+/**
+ * Send an ack to request next fragment
+ */
+static chunk_t create_ack(private_tls_eap_t *this, u_int8_t identifier)
+{
+	eap_tls_packet_t pkt = {
+		.code = this->is_server ? EAP_REQUEST : EAP_RESPONSE,
+		.identifier = this->is_server ? identifier + 1 : identifier,
+		.type = this->type,
+	};
+	htoun16(&pkt.length, sizeof(pkt));
+	switch (this->type)
+	{
+		case EAP_TTLS:
+			pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
+		break;
+		case EAP_TNC:
+			pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
+			break;
+		default:
+			break;
+	}
+	DBG2(DBG_TLS, "sending %N acknowledgement packet",
+		 eap_type_names, this->type);
+	return chunk_clone(chunk_from_thing(pkt));
+}
+
+METHOD(tls_eap_t, process, status_t,
+	private_tls_eap_t *this, chunk_t in, chunk_t *out)
+{
+	eap_tls_packet_t *pkt;
+	status_t status;
+
+	if (++this->processed > this->max_msg_count)
+	{
+		DBG1(DBG_IKE, "%N packet count exceeded (%d > %d)",
+			 eap_type_names, this->type,
+			 this->processed, this->max_msg_count);
+		return FAILED;
+	}
+
+	pkt = (eap_tls_packet_t*)in.ptr;
+	if (in.len < sizeof(eap_tls_packet_t) ||
+		untoh16(&pkt->length) != in.len)
+	{
+		DBG1(DBG_IKE, "invalid %N packet length",
+			 eap_type_names, this->type);
+		return FAILED;
+	}
+	if (pkt->flags & EAP_TLS_START)
+	{
+		if (this->type == EAP_TTLS || this->type == EAP_TNC)
+		{
+			DBG1(DBG_TLS, "%N version is v%u", eap_type_names, this->type,
+				 pkt->flags & EAP_TTLS_VERSION);
+		}
+	}
+	else
+	{
+		if (in.len == sizeof(eap_tls_packet_t))
+		{
+			DBG2(DBG_TLS, "received %N acknowledgement packet",
+				 eap_type_names, this->type);
+			status = build_pkt(this, pkt->identifier, out);
+			if (status == INVALID_STATE &&
+				this->tls->is_complete(this->tls))
+			{
+				return SUCCESS;
+			}
+			return status;
+		}
+		status = process_pkt(this, pkt);
+		if (status != NEED_MORE)
+		{
+			return status;
+		}
+	}
+	status = build_pkt(this, pkt->identifier, out);
+	switch (status)
+	{
+		case INVALID_STATE:
+			*out = create_ack(this, pkt->identifier);
+			return NEED_MORE;
+		case FAILED:
+			if (!this->is_server)
+			{
+				*out = create_ack(this, pkt->identifier);
+				return NEED_MORE;
+			}
+			return FAILED;
+		default:
+			return status;
+	}
+}
+
+METHOD(tls_eap_t, get_msk, chunk_t,
+	private_tls_eap_t *this)
+{
+	return this->tls->get_eap_msk(this->tls);
+}
+
+METHOD(tls_eap_t, destroy, void,
+	private_tls_eap_t *this)
+{
+	this->tls->destroy(this->tls);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
+						  int max_msg_count)
+{
+	private_tls_eap_t *this;
+
+	if (!tls)
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.initiate = _initiate,
+			.process = _process,
+			.get_msk = _get_msk,
+			.destroy = _destroy,
+		},
+		.type = type,
+		.is_server = tls->is_server(tls),
+		.first_fragment = TRUE,
+		.frag_size = frag_size,
+		.max_msg_count = max_msg_count,
+		.tls = tls,
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h
new file mode 100644
index 000000000..ebda2636d
--- /dev/null
+++ b/src/libtls/tls_eap.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_eap tls_eap
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_EAP_H_
+#define TLS_EAP_H_
+
+typedef struct tls_eap_t tls_eap_t;
+
+#include <eap/eap.h>
+
+#include "tls.h"
+
+/**
+ * TLS over EAP helper, as used by EAP-TLS and EAP-TTLS.
+ */
+struct tls_eap_t {
+
+	/**
+	 * Initiate TLS/TTLS/TNC over EAP exchange (as client).
+	 *
+	 * @param out			allocated EAP packet data to send
+	 * @return
+	 *						- NEED_MORE if more exchanges required
+	 *						- FAILED if initiation failed
+	 */
+	status_t (*initiate)(tls_eap_t *this, chunk_t *out);
+
+	/**
+	 * Process a received EAP-TLS/TTLS/TNC packet, create response.
+	 *
+	 * @param in			EAP packet data to process
+	 * @param out			allocated EAP packet data to send
+	 * @return
+	 *						- SUCCESS if TLS negotiation completed
+	 *						- FAILED if TLS negotiation failed
+	 *						- NEED_MORE if more exchanges required
+	 */
+	status_t (*process)(tls_eap_t *this, chunk_t in, chunk_t *out);
+
+	/**
+	 * Get the EAP-MSK.
+	 *
+	 * @return				MSK
+	 */
+	chunk_t (*get_msk)(tls_eap_t *this);
+
+	/**
+	 * Destroy a tls_eap_t.
+	 */
+	void (*destroy)(tls_eap_t *this);
+};
+
+/**
+ * Create a tls_eap instance.
+ *
+ * @param type				EAP type, EAP-TLS or EAP-TTLS
+ * @param tls				TLS implementation
+ * @param frag_size			maximum size of a TLS fragment we send
+ * @param max_msg_count		maximum number of processed messages
+ */
+tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
+						  int max_msg_count);
+
+#endif /** TLS_EAP_H_ @}*/
diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
new file mode 100644
index 000000000..5a598cfc4
--- /dev/null
+++ b/src/libtls/tls_fragmentation.c
@@ -0,0 +1,471 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_fragmentation.h"
+
+#include "tls_reader.h"
+
+#include <debug.h>
+
+typedef struct private_tls_fragmentation_t private_tls_fragmentation_t;
+
+/**
+ * Alert state
+ */
+typedef enum {
+	/* no alert received/sent */
+	ALERT_NONE,
+	/* currently sending an alert */
+	ALERT_SENDING,
+	/* alert sent and out */
+	ALERT_SENT,
+} alert_state_t;
+
+/**
+ * Private data of an tls_fragmentation_t object.
+ */
+struct private_tls_fragmentation_t {
+
+	/**
+	 * Public tls_fragmentation_t interface.
+	 */
+	tls_fragmentation_t public;
+
+	/**
+	 * Upper layer handshake protocol
+	 */
+	tls_handshake_t *handshake;
+
+	/**
+	 * TLS alert handler
+	 */
+	tls_alert_t *alert;
+
+	/**
+	 * State of alert handling
+	 */
+	alert_state_t state;
+
+	/**
+	 * Did the application layer complete successfully?
+	 */
+	bool application_finished;
+
+	/**
+	 * Handshake input buffer
+	 */
+	chunk_t input;
+
+	/**
+	 * Position in input buffer
+	 */
+	size_t inpos;
+
+	/**
+	 * Currently processed handshake message type
+	 */
+	tls_handshake_type_t type;
+
+	/**
+	 * Handshake output buffer
+	 */
+	chunk_t output;
+
+	/**
+	 * Type of data in output buffer
+	 */
+	tls_content_type_t output_type;
+
+	/**
+	 * Upper layer application data protocol
+	 */
+	tls_application_t *application;
+};
+
+/**
+ * Maximum size of a TLS fragment
+ */
+#define MAX_TLS_FRAGMENT_LEN 16384
+
+/**
+ * Maximum size of a TLS handshake message we accept
+ */
+#define MAX_TLS_HANDSHAKE_LEN 65536
+
+/**
+ * Process a TLS alert
+ */
+static status_t process_alert(private_tls_fragmentation_t *this,
+							  tls_reader_t *reader)
+{
+	u_int8_t level, description;
+
+	if (!reader->read_uint8(reader, &level) ||
+		!reader->read_uint8(reader, &description))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	return this->alert->process(this->alert, level, description);
+}
+
+/**
+ * Process TLS handshake protocol data
+ */
+static status_t process_handshake(private_tls_fragmentation_t *this,
+								  tls_reader_t *reader)
+{
+	while (reader->remaining(reader))
+	{
+		tls_reader_t *msg;
+		u_int8_t type;
+		u_int32_t len;
+		status_t status;
+		chunk_t data;
+
+		if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
+		{
+			DBG1(DBG_TLS, "TLS fragment has invalid length");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			return NEED_MORE;
+		}
+
+		if (this->input.len == 0)
+		{	/* new handshake message */
+			if (!reader->read_uint8(reader, &type) ||
+				!reader->read_uint24(reader, &len))
+			{
+				DBG1(DBG_TLS, "TLS handshake header invalid");
+				this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+				return NEED_MORE;
+			}
+			this->type = type;
+			if (len > MAX_TLS_HANDSHAKE_LEN)
+			{
+				DBG1(DBG_TLS, "TLS handshake exceeds maximum length");
+				this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+				return NEED_MORE;
+			}
+			chunk_free(&this->input);
+			this->inpos = 0;
+			if (len)
+			{
+				this->input = chunk_alloc(len);
+			}
+		}
+
+		len = min(this->input.len - this->inpos, reader->remaining(reader));
+		if (!reader->read_data(reader, len, &data))
+		{
+			DBG1(DBG_TLS, "TLS fragment has invalid length");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			return NEED_MORE;
+		}
+		memcpy(this->input.ptr + this->inpos, data.ptr, len);
+		this->inpos += len;
+
+		if (this->input.len == this->inpos)
+		{	/* message completely defragmented, process */
+			msg = tls_reader_create(this->input);
+			DBG2(DBG_TLS, "received TLS %N handshake (%u bytes)",
+				 tls_handshake_type_names, this->type, this->input.len);
+			status = this->handshake->process(this->handshake, this->type, msg);
+			msg->destroy(msg);
+			chunk_free(&this->input);
+			if (status != NEED_MORE)
+			{
+				return status;
+			}
+		}
+		if (this->alert->fatal(this->alert))
+		{
+			break;
+		}
+	}
+	return NEED_MORE;
+}
+
+/**
+ * Process TLS application data
+ */
+static status_t process_application(private_tls_fragmentation_t *this,
+									tls_reader_t *reader)
+{
+	while (reader->remaining(reader))
+	{
+		status_t status;
+
+		if (reader->remaining(reader) > MAX_TLS_FRAGMENT_LEN)
+		{
+			DBG1(DBG_TLS, "TLS fragment has invalid length");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			return NEED_MORE;
+		}
+		status = this->application->process(this->application, reader);
+		switch (status)
+		{
+			case NEED_MORE:
+				continue;
+			case SUCCESS:
+				this->application_finished = TRUE;
+				return SUCCESS;
+			case FAILED:
+			default:
+				this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY);
+				return NEED_MORE;
+		}
+	}
+	return NEED_MORE;
+}
+
+METHOD(tls_fragmentation_t, process, status_t,
+	private_tls_fragmentation_t *this, tls_content_type_t type, chunk_t data)
+{
+	tls_reader_t *reader;
+	status_t status;
+
+	switch (this->state)
+	{
+		case ALERT_SENDING:
+		case ALERT_SENT:
+			/* don't accept more input, fatal error ocurred */
+			return NEED_MORE;
+		case ALERT_NONE:
+			break;
+	}
+	reader = tls_reader_create(data);
+	switch (type)
+	{
+		case TLS_CHANGE_CIPHER_SPEC:
+			if (this->handshake->change_cipherspec(this->handshake))
+			{
+				status = NEED_MORE;
+				break;
+			}
+			status = FAILED;
+			break;
+		case TLS_ALERT:
+			status = process_alert(this, reader);
+			break;
+		case TLS_HANDSHAKE:
+			status = process_handshake(this, reader);
+			break;
+		case TLS_APPLICATION_DATA:
+			status = process_application(this, reader);
+			break;
+		default:
+			DBG1(DBG_TLS, "received unknown TLS content type %d, ignored", type);
+			status = NEED_MORE;
+			break;
+	}
+	reader->destroy(reader);
+	return status;
+}
+
+/**
+ * Check if alerts are pending
+ */
+static bool check_alerts(private_tls_fragmentation_t *this, chunk_t *data)
+{
+	tls_alert_level_t level;
+	tls_alert_desc_t desc;
+	tls_writer_t *writer;
+
+	if (this->alert->get(this->alert, &level, &desc))
+	{
+		writer = tls_writer_create(2);
+
+		writer->write_uint8(writer, level);
+		writer->write_uint8(writer, desc);
+
+		*data = chunk_clone(writer->get_buf(writer));
+		writer->destroy(writer);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * Build hanshake message
+ */
+static status_t build_handshake(private_tls_fragmentation_t *this)
+{
+	tls_writer_t *hs, *msg;
+	tls_handshake_type_t type;
+	status_t status;
+
+	msg = tls_writer_create(64);
+	while (TRUE)
+	{
+		hs = tls_writer_create(64);
+		status = this->handshake->build(this->handshake, &type, hs);
+		switch (status)
+		{
+			case NEED_MORE:
+				if (this->alert->fatal(this->alert))
+				{
+					break;
+				}
+				msg->write_uint8(msg, type);
+				msg->write_data24(msg, hs->get_buf(hs));
+				DBG2(DBG_TLS, "sending TLS %N handshake (%u bytes)",
+					 tls_handshake_type_names, type, hs->get_buf(hs).len);
+				hs->destroy(hs);
+				continue;
+			case INVALID_STATE:
+				this->output_type = TLS_HANDSHAKE;
+				this->output = chunk_clone(msg->get_buf(msg));
+				break;
+			default:
+				break;
+		}
+		hs->destroy(hs);
+		break;
+	}
+	msg->destroy(msg);
+	return status;
+}
+
+/**
+ * Build TLS application data
+ */
+static status_t build_application(private_tls_fragmentation_t *this)
+{
+	tls_writer_t *msg;
+	status_t status;
+
+	msg = tls_writer_create(64);
+	while (TRUE)
+	{
+		status = this->application->build(this->application, msg);
+		switch (status)
+		{
+			case NEED_MORE:
+				continue;
+			case INVALID_STATE:
+				this->output_type = TLS_APPLICATION_DATA;
+				this->output = chunk_clone(msg->get_buf(msg));
+				break;
+			case SUCCESS:
+				this->application_finished = TRUE;
+				break;
+			case FAILED:
+			default:
+				this->alert->add(this->alert, TLS_FATAL, TLS_CLOSE_NOTIFY);
+				break;
+		}
+		break;
+	}
+	msg->destroy(msg);
+	return status;
+}
+
+METHOD(tls_fragmentation_t, build, status_t,
+	private_tls_fragmentation_t *this, tls_content_type_t *type, chunk_t *data)
+{
+	status_t status = INVALID_STATE;
+
+	switch (this->state)
+	{
+		case ALERT_SENDING:
+			this->state = ALERT_SENT;
+			return INVALID_STATE;
+		case ALERT_SENT:
+			return FAILED;
+		case ALERT_NONE:
+			break;
+	}
+	if (check_alerts(this, data))
+	{
+		this->state = ALERT_SENDING;
+		*type = TLS_ALERT;
+		return NEED_MORE;
+	}
+	if (!this->output.len)
+	{
+		if (this->handshake->cipherspec_changed(this->handshake))
+		{
+			*type = TLS_CHANGE_CIPHER_SPEC;
+			*data = chunk_clone(chunk_from_chars(0x01));
+			return NEED_MORE;
+		}
+		if (!this->handshake->finished(this->handshake))
+		{
+			status = build_handshake(this);
+		}
+		else if (this->application)
+		{
+			status = build_application(this);
+		}
+		if (check_alerts(this, data))
+		{
+			this->state = ALERT_SENDING;
+			*type = TLS_ALERT;
+			return NEED_MORE;
+		}
+	}
+	if (this->output.len)
+	{
+		*type = this->output_type;
+		if (this->output.len <= MAX_TLS_FRAGMENT_LEN)
+		{
+			*data = this->output;
+			this->output = chunk_empty;
+			return NEED_MORE;
+		}
+		*data = chunk_create(this->output.ptr, MAX_TLS_FRAGMENT_LEN);
+		this->output = chunk_clone(chunk_skip(this->output, MAX_TLS_FRAGMENT_LEN));
+		return NEED_MORE;
+	}
+	return status;
+}
+
+METHOD(tls_fragmentation_t, application_finished, bool,
+	private_tls_fragmentation_t *this)
+{
+	return this->application_finished;
+}
+
+METHOD(tls_fragmentation_t, destroy, void,
+	private_tls_fragmentation_t *this)
+{
+	free(this->input.ptr);
+	free(this->output.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
+							tls_alert_t *alert, tls_application_t *application)
+{
+	private_tls_fragmentation_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.application_finished = _application_finished,
+			.destroy = _destroy,
+		},
+		.handshake = handshake,
+		.alert = alert,
+		.state = ALERT_NONE,
+		.application = application,
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_fragmentation.h b/src/libtls/tls_fragmentation.h
new file mode 100644
index 000000000..d80278916
--- /dev/null
+++ b/src/libtls/tls_fragmentation.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_fragmentation tls_fragmentation
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_FRAGMENTATION_H_
+#define TLS_FRAGMENTATION_H_
+
+#include <library.h>
+
+#include "tls.h"
+#include "tls_alert.h"
+#include "tls_handshake.h"
+
+typedef struct tls_fragmentation_t tls_fragmentation_t;
+
+/**
+ * TLS record protocol fragmentation layer.
+ */
+struct tls_fragmentation_t {
+
+	/**
+	 * Process a fragmented TLS record, pass it to upper layers.
+	 *
+	 * @param type		type of the TLS record to process
+	 * @param data		associated TLS record data
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if more invocations to process/build needed
+	 */
+	status_t (*process)(tls_fragmentation_t *this,
+						tls_content_type_t type, chunk_t data);
+
+	/**
+	 * Query upper layer for TLS messages, build fragmented records.
+	 *
+	 * @param type		type of the built TLS record
+	 * @param data		allocated data of the built TLS record
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if upper layers have more records to send
+	 *					- INVALID_STATE if more input records required
+	 */
+	status_t (*build)(tls_fragmentation_t *this,
+					  tls_content_type_t *type, chunk_t *data);
+
+	/**
+	 * Has the application layer finished (returned SUCCESS)?.
+	 *
+	 * @return			TRUE if application layer finished
+	 */
+	bool (*application_finished)(tls_fragmentation_t *this);
+
+	/**
+	 * Destroy a tls_fragmentation_t.
+	 */
+	void (*destroy)(tls_fragmentation_t *this);
+};
+
+/**
+ * Create a tls_fragmentation instance.
+ *
+ * @param handshake			upper layer handshake protocol
+ * @param alert				TLS alert handler
+ * @param application		upper layer application data or NULL
+ * @return					TLS fragmentation layer
+ */
+tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
+							tls_alert_t *alert, tls_application_t *application);
+
+#endif /** TLS_FRAGMENTATION_H_ @}*/
diff --git a/src/libtls/tls_handshake.h b/src/libtls/tls_handshake.h
new file mode 100644
index 000000000..6703b341b
--- /dev/null
+++ b/src/libtls/tls_handshake.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_handshake tls_handshake
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_HANDSHAKE_H_
+#define TLS_HANDSHAKE_H_
+
+typedef struct tls_handshake_t tls_handshake_t;
+
+#include "tls.h"
+#include "tls_reader.h"
+#include "tls_writer.h"
+
+/**
+ * TLS handshake state machine interface.
+ */
+struct tls_handshake_t {
+
+	/**
+	 * Process received TLS handshake message.
+	 *
+	 * @param type		TLS handshake message type
+	 * @param reader	TLS data buffer
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if a fatal TLS alert queued
+	 *					- NEED_MORE if more invocations to process/build needed
+	 *					- DESTROY_ME if a fatal TLS alert received
+	 */
+	status_t (*process)(tls_handshake_t *this,
+						tls_handshake_type_t type, tls_reader_t *reader);
+
+	/**
+	 * Build TLS handshake messages to send out.
+	 *
+	 * @param type		type of created handshake message
+	 * @param writer	TLS data buffer to write to
+	 * @return
+	 *					- SUCCESS if handshake complete
+	 *					- FAILED if handshake failed
+	 *					- NEED_MORE if more messages ready for delivery
+	 *					- INVALID_STATE if more input to process() required
+	 */
+	status_t (*build)(tls_handshake_t *this,
+					  tls_handshake_type_t *type, tls_writer_t *writer);
+
+	/**
+	 * Check if the cipher spec for outgoing messages has changed.
+	 *
+	 * @return			TRUE if cipher spec changed
+	 */
+	bool (*cipherspec_changed)(tls_handshake_t *this);
+
+	/**
+	 * Change the cipher spec for incoming messages.
+	 *
+	 * @return			TRUE if cipher spec changed
+	 */
+	bool (*change_cipherspec)(tls_handshake_t *this);
+
+	/**
+	 * Check if the finished message was decoded successfully.
+	 *
+	 * @return			TRUE if finished message was decoded successfully
+	 */
+	bool (*finished)(tls_handshake_t *this);
+
+	/**
+	 * Destroy a tls_handshake_t.
+	 */
+	void (*destroy)(tls_handshake_t *this);
+};
+
+#endif /** TLS_HANDSHAKE_H_ @}*/
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
new file mode 100644
index 000000000..c1fd33eea
--- /dev/null
+++ b/src/libtls/tls_peer.c
@@ -0,0 +1,1099 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_peer.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+
+#include <time.h>
+
+typedef struct private_tls_peer_t private_tls_peer_t;
+
+typedef enum {
+	STATE_INIT,
+	STATE_HELLO_SENT,
+	STATE_HELLO_RECEIVED,
+	STATE_HELLO_DONE,
+	STATE_CERT_SENT,
+	STATE_CERT_RECEIVED,
+	STATE_KEY_EXCHANGE_RECEIVED,
+	STATE_CERTREQ_RECEIVED,
+	STATE_KEY_EXCHANGE_SENT,
+	STATE_VERIFY_SENT,
+	STATE_CIPHERSPEC_CHANGED_OUT,
+	STATE_FINISHED_SENT,
+	STATE_CIPHERSPEC_CHANGED_IN,
+	STATE_COMPLETE,
+} peer_state_t;
+
+/**
+ * Private data of an tls_peer_t object.
+ */
+struct private_tls_peer_t {
+
+	/**
+	 * Public tls_peer_t interface.
+	 */
+	tls_peer_t public;
+
+	/**
+	 * TLS stack
+	 */
+	tls_t *tls;
+
+	/**
+	 * TLS crypto context
+	 */
+	tls_crypto_t *crypto;
+
+	/**
+	 * TLS alert handler
+	 */
+	tls_alert_t *alert;
+
+	/**
+	 * Peer identity, NULL for no client authentication
+	 */
+	identification_t *peer;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * State we are in
+	 */
+	peer_state_t state;
+
+	/**
+	 * Hello random data selected by client
+	 */
+	char client_random[32];
+
+	/**
+	 * Hello random data selected by server
+	 */
+	char server_random[32];
+
+	/**
+	 * Auth helper for peer authentication
+	 */
+	auth_cfg_t *peer_auth;
+
+	/**
+	 * Auth helper for server authentication
+	 */
+	auth_cfg_t *server_auth;
+
+	/**
+	 * Peer private key
+	 */
+	private_key_t *private;
+
+	/**
+	 * DHE exchange
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * List of server-supported hashsig algorithms
+	 */
+	chunk_t hashsig;
+
+	/**
+	 * List of server-supported client certificate types
+	 */
+	chunk_t cert_types;
+};
+
+/**
+ * Process a server hello message
+ */
+static status_t process_server_hello(private_tls_peer_t *this,
+									 tls_reader_t *reader)
+{
+	u_int8_t compression;
+	u_int16_t version, cipher;
+	chunk_t random, session, ext = chunk_empty;
+	tls_cipher_suite_t suite;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_SERVER_HELLO, reader->peek(reader));
+
+	if (!reader->read_uint16(reader, &version) ||
+		!reader->read_data(reader, sizeof(this->server_random), &random) ||
+		!reader->read_data8(reader, &session) ||
+		!reader->read_uint16(reader, &cipher) ||
+		!reader->read_uint8(reader, &compression) ||
+		(reader->remaining(reader) && !reader->read_data16(reader, &ext)))
+	{
+		DBG1(DBG_TLS, "received invalid ServerHello");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	memcpy(this->server_random, random.ptr, sizeof(this->server_random));
+
+	if (!this->tls->set_version(this->tls, version))
+	{
+		DBG1(DBG_TLS, "negotiated version %N not supported",
+			 tls_version_names, version);
+		this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
+		return NEED_MORE;
+	}
+	suite = cipher;
+	if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1, KEY_ANY))
+	{
+		DBG1(DBG_TLS, "received TLS cipher suite %N inacceptable",
+			 tls_cipher_suite_names, suite);
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+	DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
+		 tls_version_names, version, tls_cipher_suite_names, suite);
+	this->state = STATE_HELLO_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Check if a server certificate is acceptable for the given server identity
+ */
+static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
+{
+	identification_t *id;
+
+	if (cert->has_subject(cert, this->server))
+	{
+		return TRUE;
+	}
+	id = cert->get_subject(cert);
+	if (id->matches(id, this->server))
+	{
+		return TRUE;
+	}
+	if (cert->get_type(cert) == CERT_X509)
+	{
+		x509_t *x509 = (x509_t*)cert;
+		enumerator_t *enumerator;
+
+		enumerator = x509->create_subjectAltName_enumerator(x509);
+		while (enumerator->enumerate(enumerator, &id))
+		{
+			if (id->matches(id, this->server))
+			{
+				enumerator->destroy(enumerator);
+				return TRUE;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
+	return FALSE;
+}
+
+/**
+ * Process a Certificate message
+ */
+static status_t process_certificate(private_tls_peer_t *this,
+									tls_reader_t *reader)
+{
+	certificate_t *cert;
+	tls_reader_t *certs;
+	chunk_t data;
+	bool first = TRUE;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CERTIFICATE, reader->peek(reader));
+
+	if (!reader->read_data24(reader, &data))
+	{
+		DBG1(DBG_TLS, "certificate message header invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	certs = tls_reader_create(data);
+	while (certs->remaining(certs))
+	{
+		if (!certs->read_data24(certs, &data))
+		{
+			DBG1(DBG_TLS, "certificate message invalid");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			certs->destroy(certs);
+			return NEED_MORE;
+		}
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+		if (cert)
+		{
+			if (first)
+			{
+				if (!check_certificate(this, cert))
+				{
+					cert->destroy(cert);
+					certs->destroy(certs);
+					this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
+					return NEED_MORE;
+				}
+				this->server_auth->add(this->server_auth,
+									   AUTH_HELPER_SUBJECT_CERT, cert);
+				DBG1(DBG_TLS, "received TLS server certificate '%Y'",
+					 cert->get_subject(cert));
+				first = FALSE;
+			}
+			else
+			{
+				DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
+					 cert->get_subject(cert));
+				this->server_auth->add(this->server_auth,
+									   AUTH_HELPER_IM_CERT, cert);
+			}
+		}
+		else
+		{
+			DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
+			this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
+		}
+	}
+	certs->destroy(certs);
+	this->state = STATE_CERT_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Find a trusted public key to encrypt/verify key exchange data
+ */
+static public_key_t *find_public_key(private_tls_peer_t *this)
+{
+	public_key_t *public = NULL, *current;
+	certificate_t *cert;
+	enumerator_t *enumerator;
+	auth_cfg_t *auth;
+
+	cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
+	if (cert)
+	{
+		enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+						KEY_ANY, cert->get_subject(cert), this->server_auth);
+		while (enumerator->enumerate(enumerator, &current, &auth))
+		{
+			public = current->get_ref(current);
+			break;
+		}
+		enumerator->destroy(enumerator);
+	}
+	return public;
+}
+
+/**
+ * Process a Key Exchange message using MODP Diffie Hellman
+ */
+static status_t process_modp_key_exchange(private_tls_peer_t *this,
+										  tls_reader_t *reader)
+{
+	chunk_t prime, generator, pub, chunk;
+	public_key_t *public;
+
+	chunk = reader->peek(reader);
+	if (!reader->read_data16(reader, &prime) ||
+		!reader->read_data16(reader, &generator) ||
+		!reader->read_data16(reader, &pub))
+	{
+		DBG1(DBG_TLS, "received invalid Server Key Exchange");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	public = find_public_key(this);
+	if (!public)
+	{
+		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
+		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+		return NEED_MORE;
+	}
+
+	chunk.len = 2 + prime.len + 2 + generator.len + 2 + pub.len;
+	chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
+					  chunk_from_thing(this->server_random), chunk);
+	if (!this->crypto->verify(this->crypto, public, reader, chunk))
+	{
+		public->destroy(public);
+		free(chunk.ptr);
+		DBG1(DBG_TLS, "verifying DH parameters failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
+		return NEED_MORE;
+	}
+	public->destroy(public);
+	free(chunk.ptr);
+
+	this->dh = lib->crypto->create_dh(lib->crypto, MODP_CUSTOM,
+									  generator, prime);
+	if (!this->dh)
+	{
+		DBG1(DBG_TLS, "custom DH parameters not supported");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	this->dh->set_other_public_value(this->dh, pub);
+
+	this->state = STATE_KEY_EXCHANGE_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Get the EC group for a TLS named curve
+ */
+static diffie_hellman_group_t curve_to_ec_group(private_tls_peer_t *this,
+												tls_named_curve_t curve)
+{
+	diffie_hellman_group_t group;
+	tls_named_curve_t current;
+	enumerator_t *enumerator;
+
+	enumerator = this->crypto->create_ec_enumerator(this->crypto);
+	while (enumerator->enumerate(enumerator, &group, &current))
+	{
+		if (current == curve)
+		{
+			enumerator->destroy(enumerator);
+			return group;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return 0;
+}
+
+/**
+ * Process a Key Exchange message using EC Diffie Hellman
+ */
+static status_t process_ec_key_exchange(private_tls_peer_t *this,
+										tls_reader_t *reader)
+{
+	diffie_hellman_group_t group;
+	public_key_t *public;
+	u_int8_t type;
+	u_int16_t curve;
+	chunk_t pub, chunk;
+
+	chunk = reader->peek(reader);
+	if (!reader->read_uint8(reader, &type))
+	{
+		DBG1(DBG_TLS, "received invalid Server Key Exchange");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	if (type != TLS_ECC_NAMED_CURVE)
+	{
+		DBG1(DBG_TLS, "ECDH curve type %N not supported",
+			 tls_ecc_curve_type_names, type);
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+	if (!reader->read_uint16(reader, &curve) ||
+		!reader->read_data8(reader, &pub) || pub.len == 0)
+	{
+		DBG1(DBG_TLS, "received invalid Server Key Exchange");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	group = curve_to_ec_group(this, curve);
+	if (!group)
+	{
+		DBG1(DBG_TLS, "ECDH curve %N not supported",
+			 tls_named_curve_names, curve);
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+
+	public = find_public_key(this);
+	if (!public)
+	{
+		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
+		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+		return NEED_MORE;
+	}
+
+	chunk.len = 4 + pub.len;
+	chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
+					  chunk_from_thing(this->server_random), chunk);
+	if (!this->crypto->verify(this->crypto, public, reader, chunk))
+	{
+		public->destroy(public);
+		free(chunk.ptr);
+		DBG1(DBG_TLS, "verifying DH parameters failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
+		return NEED_MORE;
+	}
+	public->destroy(public);
+	free(chunk.ptr);
+
+	this->dh = lib->crypto->create_dh(lib->crypto, group);
+	if (!this->dh)
+	{
+		DBG1(DBG_TLS, "DH group %N not supported",
+			 diffie_hellman_group_names, group);
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+
+	if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
+	{
+		DBG1(DBG_TLS, "DH point format '%N' not supported",
+			 tls_ansi_point_format_names, pub.ptr[0]);
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
+
+	this->state = STATE_KEY_EXCHANGE_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process a Server Key Exchange
+ */
+static status_t process_key_exchange(private_tls_peer_t *this,
+									 tls_reader_t *reader)
+{
+	diffie_hellman_group_t group;
+
+	this->crypto->append_handshake(this->crypto,
+								TLS_SERVER_KEY_EXCHANGE, reader->peek(reader));
+
+	group = this->crypto->get_dh_group(this->crypto);
+	if (group == MODP_NONE)
+	{
+		DBG1(DBG_TLS, "received Server Key Exchange, but not required "
+			 "for current suite");
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+	if (diffie_hellman_group_is_ec(group))
+	{
+		return process_ec_key_exchange(this, reader);
+	}
+	return process_modp_key_exchange(this, reader);
+}
+
+/**
+ * Process a Certificate Request message
+ */
+static status_t process_certreq(private_tls_peer_t *this, tls_reader_t *reader)
+{
+	chunk_t types, hashsig, data;
+	tls_reader_t *authorities;
+	identification_t *id;
+	certificate_t *cert;
+
+	if (!this->peer)
+	{
+		DBG1(DBG_TLS, "server requested a certificate, but client "
+			 "authentication disabled");
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+	this->crypto->append_handshake(this->crypto,
+								TLS_CERTIFICATE_REQUEST, reader->peek(reader));
+
+	if (!reader->read_data8(reader, &types))
+	{
+		DBG1(DBG_TLS, "certreq message header invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	this->cert_types = chunk_clone(types);
+	if (this->tls->get_version(this->tls) >= TLS_1_2)
+	{
+		if (!reader->read_data16(reader, &hashsig))
+		{
+			DBG1(DBG_TLS, "certreq message invalid");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			return NEED_MORE;
+		}
+		this->hashsig = chunk_clone(hashsig);
+	}
+	if (!reader->read_data16(reader, &data))
+	{
+		DBG1(DBG_TLS, "certreq message invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	authorities = tls_reader_create(data);
+	while (authorities->remaining(authorities))
+	{
+		if (!authorities->read_data16(authorities, &data))
+		{
+			DBG1(DBG_TLS, "certreq message invalid");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			authorities->destroy(authorities);
+			return NEED_MORE;
+		}
+		id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
+		cert = lib->credmgr->get_cert(lib->credmgr,
+									  CERT_X509, KEY_ANY, id, TRUE);
+		if (cert)
+		{
+			DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
+			this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
+		}
+		else
+		{
+			DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
+		}
+		id->destroy(id);
+	}
+	authorities->destroy(authorities);
+	this->state = STATE_CERTREQ_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process Hello Done message
+ */
+static status_t process_hello_done(private_tls_peer_t *this,
+								   tls_reader_t *reader)
+{
+	this->crypto->append_handshake(this->crypto,
+								   TLS_SERVER_HELLO_DONE, reader->peek(reader));
+	this->state = STATE_HELLO_DONE;
+	return NEED_MORE;
+}
+
+/**
+ * Process finished message
+ */
+static status_t process_finished(private_tls_peer_t *this, tls_reader_t *reader)
+{
+	chunk_t received;
+	char buf[12];
+
+	if (!reader->read_data(reader, sizeof(buf), &received))
+	{
+		DBG1(DBG_TLS, "received server finished too short");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
+	{
+		DBG1(DBG_TLS, "calculating server finished failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	if (!chunk_equals(received, chunk_from_thing(buf)))
+	{
+		DBG1(DBG_TLS, "received server finished invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
+		return NEED_MORE;
+	}
+	this->state = STATE_COMPLETE;
+	this->crypto->derive_eap_msk(this->crypto,
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+	return NEED_MORE;
+}
+
+METHOD(tls_handshake_t, process, status_t,
+	private_tls_peer_t *this, tls_handshake_type_t type, tls_reader_t *reader)
+{
+	tls_handshake_type_t expected;
+
+	switch (this->state)
+	{
+		case STATE_HELLO_SENT:
+			if (type == TLS_SERVER_HELLO)
+			{
+				return process_server_hello(this, reader);
+			}
+			expected = TLS_SERVER_HELLO;
+			break;
+		case STATE_HELLO_RECEIVED:
+			if (type == TLS_CERTIFICATE)
+			{
+				return process_certificate(this, reader);
+			}
+			expected = TLS_CERTIFICATE;
+			break;
+		case STATE_CERT_RECEIVED:
+			if (type == TLS_SERVER_KEY_EXCHANGE)
+			{
+				return process_key_exchange(this, reader);
+			}
+			/* fall through since TLS_SERVER_KEY_EXCHANGE is optional */
+		case STATE_KEY_EXCHANGE_RECEIVED:
+			if (type == TLS_CERTIFICATE_REQUEST)
+			{
+				return process_certreq(this, reader);
+			}
+			this->peer = NULL;
+			/* fall through since TLS_CERTIFICATE_REQUEST is optional */
+		case STATE_CERTREQ_RECEIVED:
+			if (type == TLS_SERVER_HELLO_DONE)
+			{
+				return process_hello_done(this, reader);
+			}
+			expected = TLS_SERVER_HELLO_DONE;
+			break;
+		case STATE_CIPHERSPEC_CHANGED_IN:
+			if (type == TLS_FINISHED)
+			{
+				return process_finished(this, reader);
+			}
+			expected = TLS_FINISHED;
+			break;
+		default:
+			DBG1(DBG_TLS, "TLS %N not expected in current state",
+				 tls_handshake_type_names, type);
+			this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
+			return NEED_MORE;
+	}
+	DBG1(DBG_TLS, "TLS %N expected, but received %N",
+		 tls_handshake_type_names, expected, tls_handshake_type_names, type);
+	this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
+	return NEED_MORE;
+}
+
+/**
+ * Send a client hello
+ */
+static status_t send_client_hello(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	tls_cipher_suite_t *suites;
+	tls_writer_t *extensions, *curves = NULL;
+	tls_version_t version;
+	tls_named_curve_t curve;
+	enumerator_t *enumerator;
+	int count, i;
+	rng_t *rng;
+
+	htoun32(&this->client_random, time(NULL));
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_TLS, "no suitable RNG found to generate client random");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	rng->get_bytes(rng, sizeof(this->client_random) - 4, this->client_random + 4);
+	rng->destroy(rng);
+
+	/* TLS version */
+	version = this->tls->get_version(this->tls);
+	writer->write_uint16(writer, version);
+	writer->write_data(writer, chunk_from_thing(this->client_random));
+
+	/* session identifier => none */
+	writer->write_data8(writer, chunk_empty);
+
+	/* add TLS cipher suites */
+	count = this->crypto->get_cipher_suites(this->crypto, &suites);
+	writer->write_uint16(writer, count * 2);
+	for (i = 0; i < count; i++)
+	{
+		writer->write_uint16(writer, suites[i]);
+	}
+
+	/* NULL compression only */
+	writer->write_uint8(writer, 1);
+	writer->write_uint8(writer, 0);
+
+	extensions = tls_writer_create(32);
+
+	extensions->write_uint16(extensions, TLS_EXT_SIGNATURE_ALGORITHMS);
+	this->crypto->get_signature_algorithms(this->crypto, extensions);
+
+	/* add supported Elliptic Curves, if any */
+	enumerator = this->crypto->create_ec_enumerator(this->crypto);
+	while (enumerator->enumerate(enumerator, NULL, &curve))
+	{
+		if (!curves)
+		{
+			extensions->write_uint16(extensions, TLS_EXT_ELLIPTIC_CURVES);
+			curves = tls_writer_create(16);
+		}
+		curves->write_uint16(curves, curve);
+	}
+	enumerator->destroy(enumerator);
+	if (curves)
+	{
+		extensions->write_data16(extensions, curves->get_buf(curves));
+		curves->destroy(curves);
+
+		/* if we support curves, add point format extension */
+		extensions->write_uint16(extensions, TLS_EXT_EC_POINT_FORMATS);
+		extensions->write_uint16(extensions, 2);
+		extensions->write_uint8(extensions, 1);
+		extensions->write_uint8(extensions, TLS_EC_POINT_UNCOMPRESSED);
+	}
+
+	writer->write_data16(writer, extensions->get_buf(extensions));
+	extensions->destroy(extensions);
+
+	*type = TLS_CLIENT_HELLO;
+	this->state = STATE_HELLO_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Find a private key suitable to sign Certificate Verify
+ */
+static private_key_t *find_private_key(private_tls_peer_t *this)
+{
+	private_key_t *key = NULL;
+	tls_reader_t *reader;
+	key_type_t type;
+	u_int8_t cert;
+
+	if (!this->peer)
+	{
+		return NULL;
+	}
+	reader = tls_reader_create(this->cert_types);
+	while (reader->remaining(reader) && reader->read_uint8(reader, &cert))
+	{
+		switch (cert)
+		{
+			case TLS_RSA_SIGN:
+				type = KEY_RSA;
+				break;
+			case TLS_ECDSA_SIGN:
+				type = KEY_ECDSA;
+				break;
+			default:
+				continue;
+		}
+		key = lib->credmgr->get_private(lib->credmgr, type,
+										this->peer, this->peer_auth);
+		if (key)
+		{
+			break;
+		}
+	}
+	reader->destroy(reader);
+	return key;
+}
+
+/**
+ * Send Certificate
+ */
+static status_t send_certificate(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	auth_rule_t rule;
+	tls_writer_t *certs;
+	chunk_t data;
+
+	this->private = find_private_key(this);
+	if (!this->private)
+	{
+		DBG1(DBG_TLS, "no TLS peer certificate found for '%Y'", this->peer);
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+
+	/* generate certificate payload */
+	certs = tls_writer_create(256);
+	cert = this->peer_auth->get(this->peer_auth, AUTH_RULE_SUBJECT_CERT);
+	if (cert)
+	{
+		if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
+		{
+			DBG1(DBG_TLS, "sending TLS peer certificate '%Y'",
+				 cert->get_subject(cert));
+			certs->write_data24(certs, data);
+			free(data.ptr);
+		}
+	}
+	enumerator = this->peer_auth->create_enumerator(this->peer_auth);
+	while (enumerator->enumerate(enumerator, &rule, &cert))
+	{
+		if (rule == AUTH_RULE_IM_CERT)
+		{
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
+			{
+				DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
+					 cert->get_subject(cert));
+				certs->write_data24(certs, data);
+				free(data.ptr);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	writer->write_data24(writer, certs->get_buf(certs));
+	certs->destroy(certs);
+
+	*type = TLS_CERTIFICATE;
+	this->state = STATE_CERT_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send client key exchange, using premaster encryption
+ */
+static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	public_key_t *public;
+	rng_t *rng;
+	char premaster[48];
+	chunk_t encrypted;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	if (!rng)
+	{
+		DBG1(DBG_TLS, "no suitable RNG found for TLS premaster secret");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
+	rng->destroy(rng);
+	htoun16(premaster, TLS_1_2);
+
+	this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+
+	public = find_public_key(this);
+	if (!public)
+	{
+		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
+		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+		return NEED_MORE;
+	}
+	if (!public->encrypt(public, ENCRYPT_RSA_PKCS1,
+						 chunk_from_thing(premaster), &encrypted))
+	{
+		public->destroy(public);
+		DBG1(DBG_TLS, "encrypting TLS premaster secret failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_BAD_CERTIFICATE);
+		return NEED_MORE;
+	}
+	public->destroy(public);
+
+	writer->write_data16(writer, encrypted);
+	free(encrypted.ptr);
+
+	*type = TLS_CLIENT_KEY_EXCHANGE;
+	this->state = STATE_KEY_EXCHANGE_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send client key exchange, using DHE exchange
+ */
+static status_t send_key_exchange_dhe(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	chunk_t premaster, pub;
+
+	if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
+	{
+		DBG1(DBG_TLS, "calculating premaster from DH failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	this->crypto->derive_secrets(this->crypto, premaster,
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+	chunk_clear(&premaster);
+
+	this->dh->get_my_public_value(this->dh, &pub);
+	if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
+	{
+		writer->write_data16(writer, pub);
+	}
+	else
+	{	/* ECP uses 8bit length header only, but a point format */
+		writer->write_uint8(writer, pub.len + 1);
+		writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
+		writer->write_data(writer, pub);
+	}
+	free(pub.ptr);
+
+	*type = TLS_CLIENT_KEY_EXCHANGE;
+	this->state = STATE_KEY_EXCHANGE_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send client key exchange, depending on suite
+ */
+static status_t send_key_exchange(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	if (this->dh)
+	{
+		return send_key_exchange_dhe(this, type, writer);
+	}
+	return send_key_exchange_encrypt(this, type, writer);
+}
+
+/**
+ * Send certificate verify
+ */
+static status_t send_certificate_verify(private_tls_peer_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	if (!this->private ||
+		!this->crypto->sign_handshake(this->crypto, this->private,
+									  writer, this->hashsig))
+	{
+		DBG1(DBG_TLS, "creating TLS Certificate Verify signature failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+
+	*type = TLS_CERTIFICATE_VERIFY;
+	this->state = STATE_VERIFY_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send Finished
+ */
+static status_t send_finished(private_tls_peer_t *this,
+							  tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	char buf[12];
+
+	if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
+	{
+		DBG1(DBG_TLS, "calculating client finished data failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+
+	writer->write_data(writer, chunk_from_thing(buf));
+
+	*type = TLS_FINISHED;
+	this->state = STATE_FINISHED_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+METHOD(tls_handshake_t, build, status_t,
+	private_tls_peer_t *this, tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	switch (this->state)
+	{
+		case STATE_INIT:
+			return send_client_hello(this, type, writer);
+		case STATE_HELLO_DONE:
+			if (this->peer)
+			{
+				return send_certificate(this, type, writer);
+			}
+			/* otherwise fall through to next state */
+		case STATE_CERT_SENT:
+			return send_key_exchange(this, type, writer);
+		case STATE_KEY_EXCHANGE_SENT:
+			if (this->peer)
+			{
+				return send_certificate_verify(this, type, writer);
+			}
+			else
+			{
+				return INVALID_STATE;
+			}
+		case STATE_CIPHERSPEC_CHANGED_OUT:
+			return send_finished(this, type, writer);
+		default:
+			return INVALID_STATE;
+	}
+}
+
+METHOD(tls_handshake_t, cipherspec_changed, bool,
+	private_tls_peer_t *this)
+{
+	if ((this->peer && this->state == STATE_VERIFY_SENT) ||
+	   (!this->peer && this->state == STATE_KEY_EXCHANGE_SENT))
+	{
+		this->crypto->change_cipher(this->crypto, FALSE);
+		this->state = STATE_CIPHERSPEC_CHANGED_OUT;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_handshake_t, change_cipherspec, bool,
+	private_tls_peer_t *this)
+{
+	if (this->state == STATE_FINISHED_SENT)
+	{
+		this->crypto->change_cipher(this->crypto, TRUE);
+		this->state = STATE_CIPHERSPEC_CHANGED_IN;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_handshake_t, finished, bool,
+	private_tls_peer_t *this)
+{
+	return this->state == STATE_COMPLETE;
+}
+
+METHOD(tls_handshake_t, destroy, void,
+	private_tls_peer_t *this)
+{
+	DESTROY_IF(this->private);
+	DESTROY_IF(this->dh);
+	this->peer_auth->destroy(this->peer_auth);
+	this->server_auth->destroy(this->server_auth);
+	free(this->hashsig.ptr);
+	free(this->cert_types.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
+							identification_t *peer, identification_t *server)
+{
+	private_tls_peer_t *this;
+
+	INIT(this,
+		.public = {
+			.handshake = {
+				.process = _process,
+				.build = _build,
+				.cipherspec_changed = _cipherspec_changed,
+				.change_cipherspec = _change_cipherspec,
+				.finished = _finished,
+				.destroy = _destroy,
+			},
+		},
+		.state = STATE_INIT,
+		.tls = tls,
+		.crypto = crypto,
+		.alert = alert,
+		.peer = peer,
+		.server = server,
+		.peer_auth = auth_cfg_create(),
+		.server_auth = auth_cfg_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_peer.h b/src/libtls/tls_peer.h
new file mode 100644
index 000000000..f773ea72e
--- /dev/null
+++ b/src/libtls/tls_peer.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_peer tls_peer
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_PEER_H_
+#define TLS_PEER_H_
+
+typedef struct tls_peer_t tls_peer_t;
+
+#include "tls_handshake.h"
+#include "tls_crypto.h"
+
+#include <library.h>
+
+/**
+ * TLS handshake protocol handler as peer.
+ */
+struct tls_peer_t {
+
+	/**
+	 * Implements the TLS handshake protocol handler.
+	 */
+	tls_handshake_t handshake;
+};
+
+/**
+ * Create a tls_peer instance.
+*
+ * @param tls		TLS stack
+ * @param crypto	TLS crypto helper
+ * @param alert		TLS alert handler
+ * @param peer		peer identity
+ * @param server	server identity
+ */
+tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert,
+							identification_t *peer, identification_t *server);
+
+#endif /** TLS_PEER_H_ @}*/
diff --git a/src/libtls/tls_prf.c b/src/libtls/tls_prf.c
new file mode 100644
index 000000000..f181d01d3
--- /dev/null
+++ b/src/libtls/tls_prf.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_prf.h"
+
+typedef struct private_tls_prf12_t private_tls_prf12_t;
+
+/**
+ * Private data of an tls_prf_t object.
+ */
+struct private_tls_prf12_t {
+
+	/**
+	 * Public tls_prf_t interface.
+	 */
+	tls_prf_t public;
+
+	/**
+	 * Underlying primitive PRF
+	 */
+	prf_t *prf;
+};
+
+METHOD(tls_prf_t, set_key12, void,
+	private_tls_prf12_t *this, chunk_t key)
+{
+	this->prf->set_key(this->prf, key);
+}
+
+/**
+ * The P_hash function as in TLS 1.0/1.2
+ */
+static void p_hash(prf_t *prf, char *label, chunk_t seed, size_t block_size,
+				   size_t bytes, char *out)
+{
+	char buf[block_size], abuf[block_size];
+	chunk_t a;
+
+	/* seed = label + seed */
+	seed = chunk_cata("cc", chunk_create(label, strlen(label)), seed);
+	/* A(0) = seed */
+	a = seed;
+
+	while (TRUE)
+	{
+		/* A(i) = HMAC_hash(secret, A(i-1)) */
+		prf->get_bytes(prf, a, abuf);
+		a = chunk_from_thing(abuf);
+		/* HMAC_hash(secret, A(i) + seed) */
+		prf->get_bytes(prf, a, NULL);
+		prf->get_bytes(prf, seed, buf);
+
+		if (bytes <= block_size)
+		{
+			memcpy(out, buf, bytes);
+			break;
+		}
+		memcpy(out, buf, block_size);
+		out += block_size;
+		bytes -= block_size;
+	}
+}
+
+METHOD(tls_prf_t, get_bytes12, void,
+	private_tls_prf12_t *this, char *label, chunk_t seed,
+	size_t bytes, char *out)
+{
+	p_hash(this->prf, label, seed, this->prf->get_block_size(this->prf),
+		   bytes, out);
+}
+
+METHOD(tls_prf_t, destroy12, void,
+	private_tls_prf12_t *this)
+{
+	this->prf->destroy(this->prf);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_prf_t *tls_prf_create_12(pseudo_random_function_t prf)
+{
+	private_tls_prf12_t *this;
+
+	INIT(this,
+		.public = {
+			.set_key = _set_key12,
+			.get_bytes = _get_bytes12,
+			.destroy = _destroy12,
+		},
+		.prf = lib->crypto->create_prf(lib->crypto, prf),
+	);
+	if (!this->prf)
+	{
+		free(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+
+typedef struct private_tls_prf10_t private_tls_prf10_t;
+
+/**
+ * Private data of an tls_prf_t object.
+ */
+struct private_tls_prf10_t {
+
+	/**
+	 * Public tls_prf_t interface.
+	 */
+	tls_prf_t public;
+
+	/**
+	 * Underlying MD5 PRF
+	 */
+	prf_t *md5;
+
+	/**
+	 * Underlying SHA1 PRF
+	 */
+	prf_t *sha1;
+};
+
+METHOD(tls_prf_t, set_key10, void,
+	private_tls_prf10_t *this, chunk_t key)
+{
+	size_t len = key.len / 2 + key.len % 2;
+
+	this->md5->set_key(this->md5, chunk_create(key.ptr, len));
+	this->sha1->set_key(this->sha1, chunk_create(key.ptr + key.len - len, len));
+}
+
+METHOD(tls_prf_t, get_bytes10, void,
+	private_tls_prf10_t *this, char *label, chunk_t seed,
+	size_t bytes, char *out)
+{
+	char buf[bytes];
+
+	p_hash(this->md5, label, seed, this->md5->get_block_size(this->md5),
+		   bytes, out);
+	p_hash(this->sha1, label, seed, this->sha1->get_block_size(this->sha1),
+		   bytes, buf);
+	memxor(out, buf, bytes);
+}
+
+METHOD(tls_prf_t, destroy10, void,
+	private_tls_prf10_t *this)
+{
+	DESTROY_IF(this->md5);
+	DESTROY_IF(this->sha1);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_prf_t *tls_prf_create_10(pseudo_random_function_t prf)
+{
+	private_tls_prf10_t *this;
+
+	INIT(this,
+		.public = {
+			.set_key = _set_key10,
+			.get_bytes = _get_bytes10,
+			.destroy = _destroy10,
+		},
+		.md5 = lib->crypto->create_prf(lib->crypto, PRF_HMAC_MD5),
+		.sha1 = lib->crypto->create_prf(lib->crypto, PRF_HMAC_SHA1),
+	);
+	if (!this->md5 || !this->sha1)
+	{
+		destroy10(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libtls/tls_prf.h b/src/libtls/tls_prf.h
new file mode 100644
index 000000000..9fb9bc2de
--- /dev/null
+++ b/src/libtls/tls_prf.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_prf tls_prf
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_PRF_H_
+#define TLS_PRF_H_
+
+typedef struct tls_prf_t tls_prf_t;
+
+#include <crypto/prfs/prf.h>
+
+/**
+ * The PRF function specified on TLS, based on HMAC.
+ */
+struct tls_prf_t {
+
+	/**
+	 * Set the key of the PRF function.
+	 *
+	 * @param key		key to set
+	 */
+	void (*set_key)(tls_prf_t *this, chunk_t key);
+
+	/**
+	 * Generate a series of bytes using a label and a seed.
+	 *
+	 * @param label		ASCII input label
+	 * @param seed		seed input value
+	 * @param bytes		number of bytes to get
+	 * @param out		buffer receiving bytes
+	 */
+	void (*get_bytes)(tls_prf_t *this, char *label, chunk_t seed,
+					  size_t bytes, char *out);
+
+	/**
+	 * Destroy a tls_prf_t.
+	 */
+	void (*destroy)(tls_prf_t *this);
+};
+
+/**
+ * Create a tls_prf instance with specific algorithm as in TLS 1.2.
+ *
+ * @param prf			underlying PRF function to use
+ * @return				TLS PRF algorithm
+ */
+tls_prf_t *tls_prf_create_12(pseudo_random_function_t prf);
+
+/**
+ * Create a tls_prf instance with XOred SHA1/MD5 as in TLS 1.0/1.1.
+ *
+ * @return				TLS PRF algorithm
+ */
+tls_prf_t *tls_prf_create_10();
+
+#endif /** TLS_PRF_H_ @}*/
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
new file mode 100644
index 000000000..d823bae04
--- /dev/null
+++ b/src/libtls/tls_protection.c
@@ -0,0 +1,333 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_protection.h"
+
+#include <debug.h>
+
+typedef struct private_tls_protection_t private_tls_protection_t;
+
+/**
+ * Private data of an tls_protection_t object.
+ */
+struct private_tls_protection_t {
+
+	/**
+	 * Public tls_protection_t interface.
+	 */
+	tls_protection_t public;
+
+	/**
+	 * negotiated TLS version
+	 */
+	tls_version_t version;
+
+	/**
+	 * Upper layer, TLS record compression
+	 */
+	tls_compression_t *compression;
+
+	/**
+	 * TLS alert handler
+	 */
+	tls_alert_t *alert;
+
+	/**
+	 * RNG if we generate IVs ourself
+	 */
+	rng_t *rng;
+
+	/**
+	 * Sequence number of incoming records
+	 */
+	u_int32_t seq_in;
+
+	/**
+	 * Sequence number for outgoing records
+	 */
+	u_int32_t seq_out;
+
+	/**
+	 * Signer instance for inbound traffic
+	 */
+	signer_t *signer_in;
+
+	/**
+	 * Signer instance for outbound traffic
+	 */
+	signer_t *signer_out;
+
+	/**
+	 * Crypter instance for inbound traffic
+	 */
+	crypter_t *crypter_in;
+
+	/**
+	 * Crypter instance for outbound traffic
+	 */
+	crypter_t *crypter_out;
+
+	/**
+	 * Current IV for input decryption
+	 */
+	chunk_t iv_in;
+
+	/**
+	 * Current IV for output decryption
+	 */
+	chunk_t iv_out;
+};
+
+/**
+ * Create the header to append to the record data to create the MAC
+ */
+static chunk_t sigheader(u_int32_t seq, u_int8_t type,
+						 u_int16_t version, u_int16_t length)
+{
+	/* we only support 32 bit sequence numbers, but TLS uses 64 bit */
+	u_int32_t seq_high = 0;
+
+	seq = htonl(seq);
+	version = htons(version);
+	length = htons(length);
+
+	return chunk_cat("ccccc", chunk_from_thing(seq_high),
+					chunk_from_thing(seq), chunk_from_thing(type),
+					chunk_from_thing(version), chunk_from_thing(length));
+}
+
+METHOD(tls_protection_t, process, status_t,
+	private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
+{
+	if (this->alert->fatal(this->alert))
+	{	/* don't accept more input, fatal error ocurred */
+		return NEED_MORE;
+	}
+
+	if (this->crypter_in)
+	{
+		chunk_t iv, next_iv = chunk_empty;
+		u_int8_t bs, padding_length;
+
+		bs = this->crypter_in->get_block_size(this->crypter_in);
+		if (this->iv_in.len)
+		{	/* < TLSv1.1 uses IV from key derivation/last block */
+			if (data.len < bs || data.len % bs)
+			{
+				DBG1(DBG_TLS, "encrypted TLS record length invalid");
+				this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+				return NEED_MORE;
+			}
+			iv = this->iv_in;
+			next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs));
+		}
+		else
+		{	/* TLSv1.1 uses random IVs, prepended to record */
+			iv.len = this->crypter_in->get_iv_size(this->crypter_in);
+			iv = chunk_create(data.ptr, iv.len);
+			data = chunk_skip(data, iv.len);
+			if (data.len < bs || data.len % bs)
+			{
+				DBG1(DBG_TLS, "encrypted TLS record length invalid");
+				this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+				return NEED_MORE;
+			}
+		}
+		this->crypter_in->decrypt(this->crypter_in, data, iv, NULL);
+
+		if (next_iv.len)
+		{	/* next record IV is last ciphertext block of this record */
+			memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len);
+			free(next_iv.ptr);
+		}
+
+		padding_length = data.ptr[data.len - 1];
+		if (padding_length >= data.len)
+		{
+			DBG1(DBG_TLS, "invalid TLS record padding");
+			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+			return NEED_MORE;
+		}
+		data.len -= padding_length + 1;
+	}
+	if (this->signer_in)
+	{
+		chunk_t mac, macdata, header;
+		u_int8_t bs;
+
+		bs = this->signer_in->get_block_size(this->signer_in);
+		if (data.len < bs)
+		{
+			DBG1(DBG_TLS, "TLS record too short to verify MAC");
+			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+			return NEED_MORE;
+		}
+		mac = chunk_skip(data, data.len - bs);
+		data.len -= bs;
+
+		header = sigheader(this->seq_in, type, this->version, data.len);
+		macdata = chunk_cat("mc", header, data);
+		if (!this->signer_in->verify_signature(this->signer_in, macdata, mac))
+		{
+			DBG1(DBG_TLS, "TLS record MAC verification failed");
+			free(macdata.ptr);
+			this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
+			return NEED_MORE;
+		}
+		free(macdata.ptr);
+	}
+
+	if (type == TLS_CHANGE_CIPHER_SPEC)
+	{
+		this->seq_in = 0;
+	}
+	else
+	{
+		this->seq_in++;
+	}
+	return this->compression->process(this->compression, type, data);
+}
+
+METHOD(tls_protection_t, build, status_t,
+	private_tls_protection_t *this, tls_content_type_t *type, chunk_t *data)
+{
+	status_t status;
+
+	status = this->compression->build(this->compression, type, data);
+	if (*type == TLS_CHANGE_CIPHER_SPEC)
+	{
+		this->seq_out = 0;
+		return status;
+	}
+
+	if (status == NEED_MORE)
+	{
+		if (this->signer_out)
+		{
+			chunk_t mac, header;
+
+			header = sigheader(this->seq_out, *type, this->version, data->len);
+			this->signer_out->get_signature(this->signer_out, header, NULL);
+			free(header.ptr);
+			this->signer_out->allocate_signature(this->signer_out, *data, &mac);
+			if (this->crypter_out)
+			{
+				chunk_t padding, iv;
+				u_int8_t bs, padding_length;
+
+				bs = this->crypter_out->get_block_size(this->crypter_out);
+				padding_length = bs - ((data->len + mac.len + 1) % bs);
+
+				padding = chunk_alloca(padding_length);
+				memset(padding.ptr, padding_length, padding.len);
+
+				if (this->iv_out.len)
+				{	/* < TLSv1.1 uses IV from key derivation/last block */
+					iv = this->iv_out;
+				}
+				else
+				{	/* TLSv1.1 uses random IVs, prepended to record */
+					if (!this->rng)
+					{
+						DBG1(DBG_TLS, "no RNG supported to generate TLS IV");
+						free(data->ptr);
+						return FAILED;
+					}
+					iv.len = this->crypter_out->get_iv_size(this->crypter_out);
+					this->rng->allocate_bytes(this->rng, iv.len, &iv);
+				}
+
+				*data = chunk_cat("mmcc", *data, mac, padding,
+								  chunk_from_thing(padding_length));
+				/* encrypt inline */
+				this->crypter_out->encrypt(this->crypter_out, *data, iv, NULL);
+
+				if (this->iv_out.len)
+				{	/* next record IV is last ciphertext block of this record */
+					memcpy(this->iv_out.ptr, data->ptr + data->len -
+						   this->iv_out.len, this->iv_out.len);
+				}
+				else
+				{	/* prepend IV */
+					*data = chunk_cat("mm", iv, *data);
+				}
+			}
+			else
+			{	/* NULL encryption */
+				*data = chunk_cat("mm", *data, mac);
+			}
+		}
+		this->seq_out++;
+	}
+	return status;
+}
+
+METHOD(tls_protection_t, set_cipher, void,
+	private_tls_protection_t *this, bool inbound, signer_t *signer,
+	crypter_t *crypter, chunk_t iv)
+{
+	if (inbound)
+	{
+		this->signer_in = signer;
+		this->crypter_in = crypter;
+		this->iv_in = iv;
+	}
+	else
+	{
+		this->signer_out = signer;
+		this->crypter_out = crypter;
+		this->iv_out = iv;
+		if (!iv.len)
+		{	/* generate IVs if none given */
+			this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+		}
+	}
+}
+
+METHOD(tls_protection_t, set_version, void,
+	private_tls_protection_t *this, tls_version_t version)
+{
+	this->version = version;
+}
+
+METHOD(tls_protection_t, destroy, void,
+	private_tls_protection_t *this)
+{
+	DESTROY_IF(this->rng);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_protection_t *tls_protection_create(tls_compression_t *compression,
+										tls_alert_t *alert)
+{
+	private_tls_protection_t *this;
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.set_cipher = _set_cipher,
+			.set_version = _set_version,
+			.destroy = _destroy,
+		},
+		.alert = alert,
+		.compression = compression,
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_protection.h b/src/libtls/tls_protection.h
new file mode 100644
index 000000000..99c94e935
--- /dev/null
+++ b/src/libtls/tls_protection.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_protection tls_protection
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_PROTECTION_H_
+#define TLS_PROTECTION_H_
+
+#include <library.h>
+
+#include "tls.h"
+#include "tls_alert.h"
+#include "tls_compression.h"
+
+typedef struct tls_protection_t tls_protection_t;
+
+/**
+ * TLS record protocol protection layer.
+ */
+struct tls_protection_t {
+
+	/**
+	 * Process a protected TLS record, pass it to upper layers.
+	 *
+	 * @param type		type of the TLS record to process
+	 * @param data		associated TLS record data
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if more invocations to process/build needed
+	 */
+	status_t (*process)(tls_protection_t *this,
+						tls_content_type_t type, chunk_t data);
+
+	/**
+	 * Query upper layer for TLS record, build protected record.
+	 *
+	 * @param type		type of the built TLS record
+	 * @param data		allocated data of the built TLS record
+	 * @return
+	 *					- SUCCESS if TLS negotiation complete
+	 *					- FAILED if TLS handshake failed
+	 *					- NEED_MORE if upper layers have more records to send
+	 *					- INVALID_STATE if more input records required
+	 */
+	status_t (*build)(tls_protection_t *this,
+					  tls_content_type_t *type, chunk_t *data);
+
+	/**
+	 * Set a new cipher, including encryption and integrity algorithms.
+	 *
+	 * @param inbound	TRUE to use cipher for inbound data, FALSE for outbound
+	 * @param signer	new signer to use, gets owned by protection layer
+	 * @param crypter	new crypter to use, gets owned by protection layer
+	 * @param iv		initial IV for crypter, gets owned by protection layer
+	 */
+	void (*set_cipher)(tls_protection_t *this, bool inbound, signer_t *signer,
+					   crypter_t *crypter, chunk_t iv);
+
+	/**
+	 * Set the TLS version negotiated, used for MAC calculation.
+	 *
+	 * @param version	TLS version negotiated
+	 */
+	void (*set_version)(tls_protection_t *this, tls_version_t version);
+
+	/**
+	 * Destroy a tls_protection_t.
+	 */
+	void (*destroy)(tls_protection_t *this);
+};
+
+/**
+ * Create a tls_protection instance.
+ *
+ * @param compression		compression layer of TLS stack
+ * @param alert				TLS alert handler
+ * @return					TLS protection layer.
+ */
+tls_protection_t *tls_protection_create(tls_compression_t *compression,
+										tls_alert_t *alert);
+
+#endif /** TLS_PROTECTION_H_ @}*/
diff --git a/src/libtls/tls_reader.c b/src/libtls/tls_reader.c
new file mode 100644
index 000000000..17ec68fd5
--- /dev/null
+++ b/src/libtls/tls_reader.c
@@ -0,0 +1,200 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_reader.h"
+
+#include <debug.h>
+
+typedef struct private_tls_reader_t private_tls_reader_t;
+
+/**
+ * Private data of an tls_reader_t object.
+ */
+struct private_tls_reader_t {
+
+	/**
+	 * Public tls_reader_t interface.
+	 */
+	tls_reader_t public;
+
+	/**
+	 * Remaining data to process
+	 */
+	chunk_t buf;
+};
+
+METHOD(tls_reader_t, remaining, u_int32_t,
+	private_tls_reader_t *this)
+{
+	return this->buf.len;
+}
+
+METHOD(tls_reader_t, peek, chunk_t,
+	private_tls_reader_t *this)
+{
+	return this->buf;
+}
+
+METHOD(tls_reader_t, read_uint8, bool,
+	private_tls_reader_t *this, u_int8_t *res)
+{
+	if (this->buf.len < 1)
+	{
+		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
+			 this->buf.len, 8);
+		return FALSE;
+	}
+	*res = this->buf.ptr[0];
+	this->buf = chunk_skip(this->buf, 1);
+	return TRUE;
+}
+
+METHOD(tls_reader_t, read_uint16, bool,
+	private_tls_reader_t *this, u_int16_t *res)
+{
+	if (this->buf.len < 2)
+	{
+		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
+			 this->buf.len, 16);
+		return FALSE;
+	}
+	*res = untoh16(this->buf.ptr);
+	this->buf = chunk_skip(this->buf, 2);
+	return TRUE;
+}
+
+METHOD(tls_reader_t, read_uint24, bool,
+	private_tls_reader_t *this, u_int32_t *res)
+{
+	if (this->buf.len < 3)
+	{
+		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
+			 this->buf.len, 24);
+		return FALSE;
+	}
+	*res = untoh32(this->buf.ptr) >> 8;
+	this->buf = chunk_skip(this->buf, 3);
+	return TRUE;
+}
+
+METHOD(tls_reader_t, read_uint32, bool,
+	private_tls_reader_t *this, u_int32_t *res)
+{
+	if (this->buf.len < 4)
+	{
+		DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data",
+			 this->buf.len, 32);
+		return FALSE;
+	}
+	*res = untoh32(this->buf.ptr);
+	this->buf = chunk_skip(this->buf, 4);
+	return TRUE;
+}
+
+METHOD(tls_reader_t, read_data, bool,
+	private_tls_reader_t *this, u_int32_t len, chunk_t *res)
+{
+	if (this->buf.len < len)
+	{
+		DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes TLS data",
+			 this->buf.len, len);
+		return FALSE;
+	}
+	*res = chunk_create(this->buf.ptr, len);
+	this->buf = chunk_skip(this->buf, len);
+	return TRUE;
+}
+
+METHOD(tls_reader_t, read_data8, bool,
+	private_tls_reader_t *this, chunk_t *res)
+{
+	u_int8_t len;
+
+	if (!read_uint8(this, &len))
+	{
+		return FALSE;
+	}
+	return read_data(this, len, res);
+}
+
+METHOD(tls_reader_t, read_data16, bool,
+	private_tls_reader_t *this, chunk_t *res)
+{
+	u_int16_t len;
+
+	if (!read_uint16(this, &len))
+	{
+		return FALSE;
+	}
+	return read_data(this, len, res);
+}
+
+METHOD(tls_reader_t, read_data24, bool,
+	private_tls_reader_t *this, chunk_t *res)
+{
+	u_int32_t len;
+
+	if (!read_uint24(this, &len))
+	{
+		return FALSE;
+	}
+	return read_data(this, len, res);
+}
+
+METHOD(tls_reader_t, read_data32, bool,
+	private_tls_reader_t *this, chunk_t *res)
+{
+	u_int32_t len;
+
+	if (!read_uint32(this, &len))
+	{
+		return FALSE;
+	}
+	return read_data(this, len, res);
+}
+
+METHOD(tls_reader_t, destroy, void,
+	private_tls_reader_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_reader_t *tls_reader_create(chunk_t data)
+{
+	private_tls_reader_t *this;
+
+	INIT(this,
+		.public = {
+			.remaining = _remaining,
+			.peek = _peek,
+			.read_uint8 = _read_uint8,
+			.read_uint16 = _read_uint16,
+			.read_uint24 = _read_uint24,
+			.read_uint32 = _read_uint32,
+			.read_data = _read_data,
+			.read_data8 = _read_data8,
+			.read_data16 = _read_data16,
+			.read_data24 = _read_data24,
+			.read_data32 = _read_data32,
+			.destroy = _destroy,
+		},
+		.buf = data,
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_reader.h b/src/libtls/tls_reader.h
new file mode 100644
index 000000000..a8978b486
--- /dev/null
+++ b/src/libtls/tls_reader.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_reader tls_reader
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_READER_H_
+#define TLS_READER_H_
+
+typedef struct tls_reader_t tls_reader_t;
+
+#include <library.h>
+
+/**
+ * TLS record parser.
+ */
+struct tls_reader_t {
+
+	/**
+	 * Get the number of remaining bytes.
+	 *
+	 * @return			number of remaining bytes in buffer
+	 */
+	u_int32_t (*remaining)(tls_reader_t *this);
+
+	/**
+	 * Peek the remaining data, not consuming any bytes.
+	 *
+	 * @return			remaining data
+	 */
+	chunk_t (*peek)(tls_reader_t *this);
+
+	/**
+	 * Read a 8-bit integer from the buffer, advance.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint8)(tls_reader_t *this, u_int8_t *res);
+
+	/**
+	 * Read a 16-bit integer from the buffer, advance.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint16)(tls_reader_t *this, u_int16_t *res);
+
+	/**
+	 * Read a 24-bit integer from the buffer, advance.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint24)(tls_reader_t *this, u_int32_t *res);
+
+	/**
+	 * Read a 32-bit integer from the buffer, advance.
+	 *
+	 * @param res		pointer to result
+	 * @return			TRUE if integer read successfully
+	 */
+	bool (*read_uint32)(tls_reader_t *this, u_int32_t *res);
+
+	/**
+	 * Read a chunk of len bytes, advance.
+	 *
+	 * @param len		number of bytes to read
+	 * @param res		pointer to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data)(tls_reader_t *this, u_int32_t len, chunk_t *res);
+
+	/**
+	 * Read a chunk of bytes with a 8-bit length header, advance.
+	 *
+	 * @param res		pointer to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data8)(tls_reader_t *this, chunk_t *res);
+
+	/**
+	 * Read a chunk of bytes with a 16-bit length header, advance.
+	 *
+	 * @param res		pointer to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data16)(tls_reader_t *this, chunk_t *res);
+
+	/**
+	 * Read a chunk of bytes with a 24-bit length header, advance.
+	 *
+	 * @param res		pointer to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data24)(tls_reader_t *this, chunk_t *res);
+
+	/**
+	 * Read a chunk of bytes with a 32-bit length header, advance.
+	 *
+	 * @param res		pointer to result, not cloned
+	 * @return			TRUE if data read successfully
+	 */
+	bool (*read_data32)(tls_reader_t *this, chunk_t *res);
+
+	/**
+	 * Destroy a tls_reader_t.
+	 */
+	void (*destroy)(tls_reader_t *this);
+};
+
+/**
+ * Create a tls_reader instance.
+ */
+tls_reader_t *tls_reader_create(chunk_t data);
+
+#endif /** tls_reader_H_ @}*/
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
new file mode 100644
index 000000000..b0417f6cb
--- /dev/null
+++ b/src/libtls/tls_server.c
@@ -0,0 +1,1032 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_server.h"
+
+#include <time.h>
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+
+typedef struct private_tls_server_t private_tls_server_t;
+
+
+typedef enum {
+	STATE_INIT,
+	STATE_HELLO_RECEIVED,
+	STATE_HELLO_SENT,
+	STATE_CERT_SENT,
+	STATE_KEY_EXCHANGE_SENT,
+	STATE_CERTREQ_SENT,
+	STATE_HELLO_DONE,
+	STATE_CERT_RECEIVED,
+	STATE_KEY_EXCHANGE_RECEIVED,
+	STATE_CERT_VERIFY_RECEIVED,
+	STATE_CIPHERSPEC_CHANGED_IN,
+	STATE_FINISHED_RECEIVED,
+	STATE_CIPHERSPEC_CHANGED_OUT,
+	STATE_FINISHED_SENT,
+} server_state_t;
+
+/**
+ * Private data of an tls_server_t object.
+ */
+struct private_tls_server_t {
+
+	/**
+	 * Public tls_server_t interface.
+	 */
+	tls_server_t public;
+
+	/**
+	 * TLS stack
+	 */
+	tls_t *tls;
+
+	/**
+	 * TLS crypto context
+	 */
+	tls_crypto_t *crypto;
+
+	/**
+	 * TLS alert handler
+	 */
+	tls_alert_t *alert;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity, NULL for no client authentication
+	 */
+	identification_t *peer;
+
+	/**
+	 * State we are in
+	 */
+	server_state_t state;
+
+	/**
+	 * Hello random data selected by client
+	 */
+	char client_random[32];
+
+	/**
+	 * Hello random data selected by server
+	 */
+	char server_random[32];
+
+	/**
+	 * Auth helper for peer authentication
+	 */
+	auth_cfg_t *peer_auth;
+
+	/**
+	 * Auth helper for server authentication
+	 */
+	auth_cfg_t *server_auth;
+
+	/**
+	 * Peer private key
+	 */
+	private_key_t *private;
+
+	/**
+	 * DHE exchange
+	 */
+	diffie_hellman_t *dh;
+
+	/**
+	 * Selected TLS cipher suite
+	 */
+	tls_cipher_suite_t suite;
+
+	/**
+	 * Offered TLS version of the client
+	 */
+	tls_version_t client_version;
+
+	/**
+	 * Hash and signature algorithms supported by peer
+	 */
+	chunk_t hashsig;
+
+	/**
+	 * Elliptic curves supported by peer
+	 */
+	chunk_t curves;
+
+	/**
+	 * Did we receive the curves from the client?
+	 */
+	bool curves_received;
+};
+
+/**
+ * Find a cipher suite and a server key
+ */
+static bool select_suite_and_key(private_tls_server_t *this,
+								 tls_cipher_suite_t *suites, int count)
+{
+	private_key_t *key;
+	key_type_t type;
+
+	key = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->server,
+									this->server_auth);
+	if (!key)
+	{
+		DBG1(DBG_TLS, "no usable TLS server certificate found for '%Y'",
+			 this->server);
+		return FALSE;
+	}
+	this->suite = this->crypto->select_cipher_suite(this->crypto,
+											suites, count, key->get_type(key));
+	if (!this->suite)
+	{	/* no match for this key, try to find another type */
+		if (key->get_type(key) == KEY_ECDSA)
+		{
+			type = KEY_RSA;
+		}
+		else
+		{
+			type = KEY_ECDSA;
+		}
+		key->destroy(key);
+
+		this->suite = this->crypto->select_cipher_suite(this->crypto,
+											suites, count, type);
+		if (!this->suite)
+		{
+			DBG1(DBG_TLS, "received cipher suites inacceptable");
+			return FALSE;
+		}
+		this->server_auth->destroy(this->server_auth);
+		this->server_auth = auth_cfg_create();
+		key = lib->credmgr->get_private(lib->credmgr, type, this->server,
+										this->server_auth);
+		if (!key)
+		{
+			DBG1(DBG_TLS, "received cipher suites inacceptable");
+			return FALSE;
+		}
+	}
+	this->private = key;
+	return TRUE;
+}
+
+/**
+ * Process client hello message
+ */
+static status_t process_client_hello(private_tls_server_t *this,
+									 tls_reader_t *reader)
+{
+	u_int16_t version, extension;
+	chunk_t random, session, ciphers, compression, ext = chunk_empty;
+	tls_reader_t *extensions;
+	tls_cipher_suite_t *suites;
+	int count, i;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CLIENT_HELLO, reader->peek(reader));
+
+	if (!reader->read_uint16(reader, &version) ||
+		!reader->read_data(reader, sizeof(this->client_random), &random) ||
+		!reader->read_data8(reader, &session) ||
+		!reader->read_data16(reader, &ciphers) ||
+		!reader->read_data8(reader, &compression) ||
+		(reader->remaining(reader) && !reader->read_data16(reader, &ext)))
+	{
+		DBG1(DBG_TLS, "received invalid ClientHello");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	if (ext.len)
+	{
+		extensions = tls_reader_create(ext);
+		while (extensions->remaining(extensions))
+		{
+			if (!extensions->read_uint16(extensions, &extension) ||
+				!extensions->read_data16(extensions, &ext))
+			{
+				DBG1(DBG_TLS, "received invalid ClientHello Extensions");
+				this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+				extensions->destroy(extensions);
+				return NEED_MORE;
+			}
+			DBG1(DBG_TLS, "received TLS '%N' extension",
+				 tls_extension_names, extension);
+			DBG3(DBG_TLS, "%B", &ext);
+			switch (extension)
+			{
+				case TLS_EXT_SIGNATURE_ALGORITHMS:
+					this->hashsig = chunk_clone(ext);
+					break;
+				case TLS_EXT_ELLIPTIC_CURVES:
+					this->curves_received = TRUE;
+					this->curves = chunk_clone(ext);
+					break;
+				default:
+					break;
+			}
+		}
+		extensions->destroy(extensions);
+	}
+
+	memcpy(this->client_random, random.ptr, sizeof(this->client_random));
+
+	if (!this->tls->set_version(this->tls, version))
+	{
+		DBG1(DBG_TLS, "negotiated version %N not supported",
+			 tls_version_names, version);
+		this->alert->add(this->alert, TLS_FATAL, TLS_PROTOCOL_VERSION);
+		return NEED_MORE;
+	}
+	count = ciphers.len / sizeof(u_int16_t);
+	suites = alloca(count * sizeof(tls_cipher_suite_t));
+	DBG2(DBG_TLS, "received %d TLS cipher suites:", count);
+	for (i = 0; i < count; i++)
+	{
+		suites[i] = untoh16(&ciphers.ptr[i * sizeof(u_int16_t)]);
+		DBG2(DBG_TLS, "  %N", tls_cipher_suite_names, suites[i]);
+	}
+
+	if (!select_suite_and_key(this, suites, count))
+	{
+		this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+		return NEED_MORE;
+	}
+	DBG1(DBG_TLS, "negotiated TLS version %N with suite %N",
+		 tls_version_names, this->tls->get_version(this->tls),
+		 tls_cipher_suite_names, this->suite);
+	this->client_version = version;
+	this->state = STATE_HELLO_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process certificate
+ */
+static status_t process_certificate(private_tls_server_t *this,
+									tls_reader_t *reader)
+{
+	certificate_t *cert;
+	tls_reader_t *certs;
+	chunk_t data;
+	bool first = TRUE;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CERTIFICATE, reader->peek(reader));
+
+	if (!reader->read_data24(reader, &data))
+	{
+		DBG1(DBG_TLS, "certificate message header invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	certs = tls_reader_create(data);
+	while (certs->remaining(certs))
+	{
+		if (!certs->read_data24(certs, &data))
+		{
+			DBG1(DBG_TLS, "certificate message invalid");
+			this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+			certs->destroy(certs);
+			return NEED_MORE;
+		}
+		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								  BUILD_BLOB_ASN1_DER, data, BUILD_END);
+		if (cert)
+		{
+			if (first)
+			{
+				this->peer_auth->add(this->peer_auth,
+									 AUTH_HELPER_SUBJECT_CERT, cert);
+				DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
+					 cert->get_subject(cert));
+				first = FALSE;
+			}
+			else
+			{
+				DBG1(DBG_TLS, "received TLS intermediate certificate '%Y'",
+					 cert->get_subject(cert));
+				this->peer_auth->add(this->peer_auth, AUTH_HELPER_IM_CERT, cert);
+			}
+		}
+		else
+		{
+			DBG1(DBG_TLS, "parsing TLS certificate failed, skipped");
+			this->alert->add(this->alert, TLS_WARNING, TLS_BAD_CERTIFICATE);
+		}
+	}
+	certs->destroy(certs);
+	this->state = STATE_CERT_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process Client Key Exchange, using premaster encryption
+ */
+static status_t process_key_exchange_encrypted(private_tls_server_t *this,
+											   tls_reader_t *reader)
+{
+	chunk_t encrypted, decrypted;
+	char premaster[48];
+	rng_t *rng;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
+
+	if (!reader->read_data16(reader, &encrypted))
+	{
+		DBG1(DBG_TLS, "received invalid Client Key Exchange");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	htoun16(premaster, this->client_version);
+	/* pre-randomize premaster for failure cases */
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_TLS, "creating RNG failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	rng->get_bytes(rng, sizeof(premaster) - 2, premaster + 2);
+	rng->destroy(rng);
+
+	if (this->private &&
+		this->private->decrypt(this->private,
+							   ENCRYPT_RSA_PKCS1, encrypted, &decrypted))
+	{
+		if (decrypted.len == sizeof(premaster) &&
+			untoh16(decrypted.ptr) == this->client_version)
+		{
+			memcpy(premaster + 2, decrypted.ptr + 2, sizeof(premaster) - 2);
+		}
+		else
+		{
+			DBG1(DBG_TLS, "decrypted premaster has invalid length/version");
+		}
+		chunk_clear(&decrypted);
+	}
+	else
+	{
+		DBG1(DBG_TLS, "decrypting Client Key Exchange failed");
+	}
+
+	this->crypto->derive_secrets(this->crypto, chunk_from_thing(premaster),
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+
+	this->state = STATE_KEY_EXCHANGE_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process client key exchange, using DHE exchange
+ */
+static status_t process_key_exchange_dhe(private_tls_server_t *this,
+										 tls_reader_t *reader)
+{
+	chunk_t premaster, pub;
+	bool ec;
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CLIENT_KEY_EXCHANGE, reader->peek(reader));
+
+	ec = diffie_hellman_group_is_ec(this->dh->get_dh_group(this->dh));
+	if ((ec && !reader->read_data8(reader, &pub)) ||
+		(!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
+	{
+		DBG1(DBG_TLS, "received invalid Client Key Exchange");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+
+	if (ec)
+	{
+		if (pub.ptr[0] != TLS_ANSI_UNCOMPRESSED)
+		{
+			DBG1(DBG_TLS, "DH point format '%N' not supported",
+				 tls_ansi_point_format_names, pub.ptr[0]);
+			this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+			return NEED_MORE;
+		}
+		pub = chunk_skip(pub, 1);
+	}
+	this->dh->set_other_public_value(this->dh, pub);
+	if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
+	{
+		DBG1(DBG_TLS, "calculating premaster from DH failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+
+	this->crypto->derive_secrets(this->crypto, premaster,
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+	chunk_clear(&premaster);
+
+	this->state = STATE_KEY_EXCHANGE_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process Client Key Exchange
+ */
+static status_t process_key_exchange(private_tls_server_t *this,
+									 tls_reader_t *reader)
+{
+	if (this->dh)
+	{
+		return process_key_exchange_dhe(this, reader);
+	}
+	return process_key_exchange_encrypted(this, reader);
+}
+
+/**
+ * Process Certificate verify
+ */
+static status_t process_cert_verify(private_tls_server_t *this,
+									tls_reader_t *reader)
+{
+	bool verified = FALSE;
+	enumerator_t *enumerator;
+	public_key_t *public;
+	auth_cfg_t *auth;
+	tls_reader_t *sig;
+
+	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+										KEY_ANY, this->peer, this->peer_auth);
+	while (enumerator->enumerate(enumerator, &public, &auth))
+	{
+		sig = tls_reader_create(reader->peek(reader));
+		verified = this->crypto->verify_handshake(this->crypto, public, sig);
+		sig->destroy(sig);
+		if (verified)
+		{
+			break;
+		}
+		DBG1(DBG_TLS, "signature verification failed, trying another key");
+	}
+	enumerator->destroy(enumerator);
+
+	if (!verified)
+	{
+		DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
+			 this->peer);
+		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
+		return NEED_MORE;
+	}
+
+	this->crypto->append_handshake(this->crypto,
+								   TLS_CERTIFICATE_VERIFY, reader->peek(reader));
+	this->state = STATE_CERT_VERIFY_RECEIVED;
+	return NEED_MORE;
+}
+
+/**
+ * Process finished message
+ */
+static status_t process_finished(private_tls_server_t *this,
+								 tls_reader_t *reader)
+{
+	chunk_t received;
+	char buf[12];
+
+	if (!reader->read_data(reader, sizeof(buf), &received))
+	{
+		DBG1(DBG_TLS, "received client finished too short");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
+		return NEED_MORE;
+	}
+	if (!this->crypto->calculate_finished(this->crypto, "client finished", buf))
+	{
+		DBG1(DBG_TLS, "calculating client finished failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	if (!chunk_equals(received, chunk_from_thing(buf)))
+	{
+		DBG1(DBG_TLS, "received client finished invalid");
+		this->alert->add(this->alert, TLS_FATAL, TLS_DECRYPT_ERROR);
+		return NEED_MORE;
+	}
+
+	this->crypto->append_handshake(this->crypto, TLS_FINISHED, received);
+	this->state = STATE_FINISHED_RECEIVED;
+	return NEED_MORE;
+}
+
+METHOD(tls_handshake_t, process, status_t,
+	private_tls_server_t *this, tls_handshake_type_t type, tls_reader_t *reader)
+{
+	tls_handshake_type_t expected;
+
+	switch (this->state)
+	{
+		case STATE_INIT:
+			if (type == TLS_CLIENT_HELLO)
+			{
+				return process_client_hello(this, reader);
+			}
+			expected = TLS_CLIENT_HELLO;
+			break;
+		case STATE_HELLO_DONE:
+			if (type == TLS_CERTIFICATE)
+			{
+				return process_certificate(this, reader);
+			}
+			if (this->peer)
+			{
+				expected = TLS_CERTIFICATE;
+				break;
+			}
+			/* otherwise fall through to next state */
+		case STATE_CERT_RECEIVED:
+			if (type == TLS_CLIENT_KEY_EXCHANGE)
+			{
+				return process_key_exchange(this, reader);
+			}
+			expected = TLS_CLIENT_KEY_EXCHANGE;
+			break;
+		case STATE_KEY_EXCHANGE_RECEIVED:
+			if (type == TLS_CERTIFICATE_VERIFY)
+			{
+				return process_cert_verify(this, reader);
+			}
+			if (this->peer)
+			{
+				expected = TLS_CERTIFICATE_VERIFY;
+				break;
+			}
+			else
+			{
+				return INVALID_STATE;
+			}
+		case STATE_CIPHERSPEC_CHANGED_IN:
+			if (type == TLS_FINISHED)
+			{
+				return process_finished(this, reader);
+			}
+			expected = TLS_FINISHED;
+			break;
+		default:
+			DBG1(DBG_TLS, "TLS %N not expected in current state",
+				 tls_handshake_type_names, type);
+			this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
+			return NEED_MORE;
+	}
+	DBG1(DBG_TLS, "TLS %N expected, but received %N",
+		 tls_handshake_type_names, expected, tls_handshake_type_names, type);
+	this->alert->add(this->alert, TLS_FATAL, TLS_UNEXPECTED_MESSAGE);
+	return NEED_MORE;
+}
+
+/**
+ * Send ServerHello message
+ */
+static status_t send_server_hello(private_tls_server_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	tls_version_t version;
+	rng_t *rng;
+
+	htoun32(&this->server_random, time(NULL));
+	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+	if (!rng)
+	{
+		DBG1(DBG_TLS, "no suitable RNG found to generate server random");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return FAILED;
+	}
+	rng->get_bytes(rng, sizeof(this->server_random) - 4, this->server_random + 4);
+	rng->destroy(rng);
+
+	/* TLS version */
+	version = this->tls->get_version(this->tls);
+	writer->write_uint16(writer, version);
+	writer->write_data(writer, chunk_from_thing(this->server_random));
+
+	/* session identifier => none, we don't support session resumption */
+	writer->write_data8(writer, chunk_empty);
+
+	/* add selected TLS cipher suite */
+	writer->write_uint16(writer, this->suite);
+
+	/* NULL compression only */
+	writer->write_uint8(writer, 0);
+
+	*type = TLS_SERVER_HELLO;
+	this->state = STATE_HELLO_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send Certificate
+ */
+static status_t send_certificate(private_tls_server_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	auth_rule_t rule;
+	tls_writer_t *certs;
+	chunk_t data;
+
+	/* generate certificate payload */
+	certs = tls_writer_create(256);
+	cert = this->server_auth->get(this->server_auth, AUTH_RULE_SUBJECT_CERT);
+	if (cert)
+	{
+		if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
+		{
+			DBG1(DBG_TLS, "sending TLS server certificate '%Y'",
+				 cert->get_subject(cert));
+			certs->write_data24(certs, data);
+			free(data.ptr);
+		}
+	}
+	enumerator = this->server_auth->create_enumerator(this->server_auth);
+	while (enumerator->enumerate(enumerator, &rule, &cert))
+	{
+		if (rule == AUTH_RULE_IM_CERT)
+		{
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &data))
+			{
+				DBG1(DBG_TLS, "sending TLS intermediate certificate '%Y'",
+					 cert->get_subject(cert));
+				certs->write_data24(certs, data);
+				free(data.ptr);
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	writer->write_data24(writer, certs->get_buf(certs));
+	certs->destroy(certs);
+
+	*type = TLS_CERTIFICATE;
+	this->state = STATE_CERT_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send Certificate Request
+ */
+static status_t send_certificate_request(private_tls_server_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	tls_writer_t *authorities, *supported;
+	enumerator_t *enumerator;
+	certificate_t *cert;
+	x509_t *x509;
+	identification_t *id;
+
+	supported = tls_writer_create(4);
+	/* we propose both RSA and ECDSA */
+	supported->write_uint8(supported, TLS_RSA_SIGN);
+	supported->write_uint8(supported, TLS_ECDSA_SIGN);
+	writer->write_data8(writer, supported->get_buf(supported));
+	supported->destroy(supported);
+	if (this->tls->get_version(this->tls) >= TLS_1_2)
+	{
+		this->crypto->get_signature_algorithms(this->crypto, writer);
+	}
+
+	authorities = tls_writer_create(64);
+	enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+												CERT_X509, KEY_RSA, NULL, TRUE);
+	while (enumerator->enumerate(enumerator, &cert))
+	{
+		x509 = (x509_t*)cert;
+		if (x509->get_flags(x509) & X509_CA)
+		{
+			id = cert->get_subject(cert);
+			DBG1(DBG_TLS, "sending TLS cert request for '%Y'", id);
+			authorities->write_data16(authorities, id->get_encoding(id));
+		}
+	}
+	enumerator->destroy(enumerator);
+	writer->write_data16(writer, authorities->get_buf(authorities));
+	authorities->destroy(authorities);
+
+	*type = TLS_CERTIFICATE_REQUEST;
+	this->state = STATE_CERTREQ_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Get the TLS curve of a given EC DH group
+ */
+static tls_named_curve_t ec_group_to_curve(private_tls_server_t *this,
+										   diffie_hellman_group_t group)
+{
+	diffie_hellman_group_t current;
+	tls_named_curve_t curve;
+	enumerator_t *enumerator;
+
+	enumerator = this->crypto->create_ec_enumerator(this->crypto);
+	while (enumerator->enumerate(enumerator, &current, &curve))
+	{
+		if (current == group)
+		{
+			enumerator->destroy(enumerator);
+			return curve;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return 0;
+}
+
+/**
+ * Check if the peer supports a given TLS curve
+ */
+bool peer_supports_curve(private_tls_server_t *this, tls_named_curve_t curve)
+{
+	tls_reader_t *reader;
+	u_int16_t current;
+
+	if (!this->curves_received)
+	{	/* none received, assume yes */
+		return TRUE;
+	}
+	reader = tls_reader_create(this->curves);
+	while (reader->remaining(reader) && reader->read_uint16(reader, &current))
+	{
+		if (current == curve)
+		{
+			reader->destroy(reader);
+			return TRUE;
+		}
+	}
+	reader->destroy(reader);
+	return FALSE;
+}
+
+/**
+ * Try to find a curve supported by both, client and server
+ */
+static bool find_supported_curve(private_tls_server_t *this,
+								 tls_named_curve_t *curve)
+{
+	tls_named_curve_t current;
+	enumerator_t *enumerator;
+
+	enumerator = this->crypto->create_ec_enumerator(this->crypto);
+	while (enumerator->enumerate(enumerator, NULL, &current))
+	{
+		if (peer_supports_curve(this, current))
+		{
+			*curve = current;
+			enumerator->destroy(enumerator);
+			return TRUE;
+		}
+	}
+	enumerator->destroy(enumerator);
+	return FALSE;
+}
+
+/**
+ * Send Server key Exchange
+ */
+static status_t send_server_key_exchange(private_tls_server_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer,
+							diffie_hellman_group_t group)
+{
+	diffie_hellman_params_t *params = NULL;
+	tls_named_curve_t curve;
+	chunk_t chunk;
+
+	if (diffie_hellman_group_is_ec(group))
+	{
+		curve = ec_group_to_curve(this, group);
+		if (!curve || (!peer_supports_curve(this, curve) &&
+					   !find_supported_curve(this, &curve)))
+		{
+			DBG1(DBG_TLS, "no EC group supported by client and server");
+			this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
+			return NEED_MORE;
+		}
+		DBG2(DBG_TLS, "selected ECDH group %N", tls_named_curve_names, curve);
+		writer->write_uint8(writer, TLS_ECC_NAMED_CURVE);
+		writer->write_uint16(writer, curve);
+	}
+	else
+	{
+		params = diffie_hellman_get_params(group);
+		if (!params)
+		{
+			DBG1(DBG_TLS, "no parameters found for DH group %N",
+				 diffie_hellman_group_names, group);
+			this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+			return NEED_MORE;
+		}
+		DBG2(DBG_TLS, "selected DH group %N", diffie_hellman_group_names, group);
+		writer->write_data16(writer, params->prime);
+		writer->write_data16(writer, params->generator);
+	}
+	this->dh = lib->crypto->create_dh(lib->crypto, group);
+	if (!this->dh)
+	{
+		DBG1(DBG_TLS, "DH group %N not supported",
+			 diffie_hellman_group_names, group);
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return NEED_MORE;
+	}
+	this->dh->get_my_public_value(this->dh, &chunk);
+	if (params)
+	{
+		writer->write_data16(writer, chunk);
+	}
+	else
+	{	/* ECP uses 8bit length header only, but a point format */
+		writer->write_uint8(writer, chunk.len + 1);
+		writer->write_uint8(writer, TLS_ANSI_UNCOMPRESSED);
+		writer->write_data(writer, chunk);
+	}
+	free(chunk.ptr);
+
+	chunk = chunk_cat("ccc", chunk_from_thing(this->client_random),
+				chunk_from_thing(this->server_random), writer->get_buf(writer));
+	if (!this->private || !this->crypto->sign(this->crypto, this->private,
+											  writer, chunk, this->hashsig))
+	{
+		DBG1(DBG_TLS, "signing DH parameters failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		free(chunk.ptr);
+		return NEED_MORE;
+	}
+	free(chunk.ptr);
+	*type = TLS_SERVER_KEY_EXCHANGE;
+	this->state = STATE_KEY_EXCHANGE_SENT;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send Hello Done
+ */
+static status_t send_hello_done(private_tls_server_t *this,
+							tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	*type = TLS_SERVER_HELLO_DONE;
+	this->state = STATE_HELLO_DONE;
+	this->crypto->append_handshake(this->crypto, *type, writer->get_buf(writer));
+	return NEED_MORE;
+}
+
+/**
+ * Send Finished
+ */
+static status_t send_finished(private_tls_server_t *this,
+							  tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	char buf[12];
+
+	if (!this->crypto->calculate_finished(this->crypto, "server finished", buf))
+	{
+		DBG1(DBG_TLS, "calculating server finished data failed");
+		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+		return FAILED;
+	}
+
+	writer->write_data(writer, chunk_from_thing(buf));
+
+	*type = TLS_FINISHED;
+	this->state = STATE_FINISHED_SENT;
+	this->crypto->derive_eap_msk(this->crypto,
+								 chunk_from_thing(this->client_random),
+								 chunk_from_thing(this->server_random));
+	return NEED_MORE;
+}
+
+METHOD(tls_handshake_t, build, status_t,
+	private_tls_server_t *this, tls_handshake_type_t *type, tls_writer_t *writer)
+{
+	diffie_hellman_group_t group;
+
+	switch (this->state)
+	{
+		case STATE_HELLO_RECEIVED:
+			return send_server_hello(this, type, writer);
+		case STATE_HELLO_SENT:
+			return send_certificate(this, type, writer);
+		case STATE_CERT_SENT:
+			group = this->crypto->get_dh_group(this->crypto);
+			if (group)
+			{
+				return send_server_key_exchange(this, type, writer, group);
+			}
+			/* otherwise fall through to next state */
+		case STATE_KEY_EXCHANGE_SENT:
+			if (this->peer)
+			{
+				return send_certificate_request(this, type, writer);
+			}
+			/* otherwise fall through to next state */
+		case STATE_CERTREQ_SENT:
+			return send_hello_done(this, type, writer);
+		case STATE_CIPHERSPEC_CHANGED_OUT:
+			return send_finished(this, type, writer);
+		case STATE_FINISHED_SENT:
+			return INVALID_STATE;
+		default:
+			return INVALID_STATE;
+	}
+}
+
+METHOD(tls_handshake_t, cipherspec_changed, bool,
+	private_tls_server_t *this)
+{
+	if (this->state == STATE_FINISHED_RECEIVED)
+	{
+		this->crypto->change_cipher(this->crypto, FALSE);
+		this->state = STATE_CIPHERSPEC_CHANGED_OUT;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_handshake_t, change_cipherspec, bool,
+	private_tls_server_t *this)
+{
+	if ((this->peer && this->state == STATE_CERT_VERIFY_RECEIVED) ||
+	   (!this->peer && this->state == STATE_KEY_EXCHANGE_RECEIVED))
+	{
+		this->crypto->change_cipher(this->crypto, TRUE);
+		this->state = STATE_CIPHERSPEC_CHANGED_IN;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_handshake_t, finished, bool,
+	private_tls_server_t *this)
+{
+	return this->state == STATE_FINISHED_SENT;
+}
+
+METHOD(tls_handshake_t, destroy, void,
+	private_tls_server_t *this)
+{
+	DESTROY_IF(this->private);
+	DESTROY_IF(this->dh);
+	this->peer_auth->destroy(this->peer_auth);
+	this->server_auth->destroy(this->server_auth);
+	free(this->hashsig.ptr);
+	free(this->curves.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_server_t *tls_server_create(tls_t *tls,
+						tls_crypto_t *crypto, tls_alert_t *alert,
+						identification_t *server, identification_t *peer)
+{
+	private_tls_server_t *this;
+
+	INIT(this,
+		.public = {
+			.handshake = {
+				.process = _process,
+				.build = _build,
+				.cipherspec_changed = _cipherspec_changed,
+				.change_cipherspec = _change_cipherspec,
+				.finished = _finished,
+				.destroy = _destroy,
+			},
+		},
+		.tls = tls,
+		.crypto = crypto,
+		.alert = alert,
+		.server = server,
+		.peer = peer,
+		.state = STATE_INIT,
+		.peer_auth = auth_cfg_create(),
+		.server_auth = auth_cfg_create(),
+	);
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_server.h b/src/libtls/tls_server.h
new file mode 100644
index 000000000..6289dc8eb
--- /dev/null
+++ b/src/libtls/tls_server.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_server tls_server
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_SERVER_H_
+#define TLS_SERVER_H_
+
+typedef struct tls_server_t tls_server_t;
+
+#include "tls_handshake.h"
+#include "tls_crypto.h"
+
+#include <library.h>
+
+/**
+ * TLS handshake protocol handler as peer.
+ */
+struct tls_server_t {
+
+	/**
+	 * Implements the TLS handshake protocol handler.
+	 */
+	tls_handshake_t handshake;
+};
+
+/**
+ * Create a tls_server instance.
+ *
+ * @param tls		TLS stack
+ * @param crypto	TLS crypto helper
+ * @param alert		TLS alert handler
+ * @param server	server identity
+ * @param peer		peer identity
+ */
+tls_server_t *tls_server_create(tls_t *tls,
+						tls_crypto_t *crypto, tls_alert_t *alert,
+						identification_t *server, identification_t *peer);
+
+#endif /** TLS_SERVER_H_ @}*/
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
new file mode 100644
index 000000000..e0c440a4c
--- /dev/null
+++ b/src/libtls/tls_socket.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_socket.h"
+
+#include <unistd.h>
+
+#include <debug.h>
+
+typedef struct private_tls_socket_t private_tls_socket_t;
+typedef struct private_tls_application_t private_tls_application_t;
+
+struct private_tls_application_t {
+
+	/**
+	 * Implements tls_application layer.
+	 */
+	tls_application_t application;
+
+	/**
+	 * Chunk of data to send
+	 */
+	chunk_t out;
+
+	/**
+	 * Chunk of data received
+	 */
+	chunk_t in;
+};
+
+/**
+ * Private data of an tls_socket_t object.
+ */
+struct private_tls_socket_t {
+
+	/**
+	 * Public tls_socket_t interface.
+	 */
+	tls_socket_t public;
+
+	/**
+	 * TLS application implementation
+	 */
+	private_tls_application_t app;
+
+	/**
+	 * TLS stack
+	 */
+	tls_t *tls;
+
+	/**
+	 * Underlying OS socket
+	 */
+	int fd;
+};
+
+METHOD(tls_application_t, process, status_t,
+	private_tls_application_t *this, tls_reader_t *reader)
+{
+	chunk_t data;
+
+	if (!reader->read_data(reader, reader->remaining(reader), &data))
+	{
+		return FAILED;
+	}
+	this->in = chunk_cat("mc", this->in, data);
+	return NEED_MORE;
+}
+
+METHOD(tls_application_t, build, status_t,
+	private_tls_application_t *this, tls_writer_t *writer)
+{
+	if (this->out.len)
+	{
+		writer->write_data(writer, this->out);
+		this->out = chunk_empty;
+		return NEED_MORE;
+	}
+	return INVALID_STATE;
+}
+
+/**
+ * TLS data exchange loop
+ */
+static bool exchange(private_tls_socket_t *this, bool wr)
+{
+	char buf[1024];
+	ssize_t len;
+	int round = 0;
+
+	for (round = 0; TRUE; round++)
+	{
+		while (TRUE)
+		{
+			len = sizeof(buf);
+			switch (this->tls->build(this->tls, buf, &len, NULL))
+			{
+				case NEED_MORE:
+				case ALREADY_DONE:
+					len = write(this->fd, buf, len);
+					if (len == -1)
+					{
+						return FALSE;
+					}
+					continue;
+				case INVALID_STATE:
+					break;
+				default:
+					return FALSE;
+			}
+			break;
+		}
+		if (wr)
+		{
+			if (this->app.out.len == 0)
+			{	/* all data written */
+				return TRUE;
+			}
+		}
+		else
+		{
+			if (this->app.in.len)
+			{	/* some data received */
+				return TRUE;
+			}
+			if (round > 0)
+			{	/* did some handshaking, return empty chunk to not block */
+				return TRUE;
+			}
+		}
+		len = read(this->fd, buf, sizeof(buf));
+		if (len <= 0)
+		{
+			return FALSE;
+		}
+		if (this->tls->process(this->tls, buf, len) != NEED_MORE)
+		{
+			return FALSE;
+		}
+	}
+}
+
+METHOD(tls_socket_t, read_, bool,
+	private_tls_socket_t *this, chunk_t *buf)
+{
+	if (exchange(this, FALSE))
+	{
+		*buf = this->app.in;
+		this->app.in = chunk_empty;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_socket_t, write_, bool,
+	private_tls_socket_t *this, chunk_t buf)
+{
+	this->app.out = buf;
+	if (exchange(this, TRUE))
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(tls_socket_t, destroy, void,
+	private_tls_socket_t *this)
+{
+	this->tls->destroy(this->tls);
+	free(this->app.in.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
+								identification_t *peer, int fd)
+{
+	private_tls_socket_t *this;
+
+	INIT(this,
+		.public = {
+			.read = _read_,
+			.write = _write_,
+			.destroy = _destroy,
+		},
+		.app = {
+			.application = {
+				.build = _build,
+				.process = _process,
+				.destroy = (void*)nop,
+			},
+		},
+		.fd = fd,
+	);
+
+	this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC,
+						   &this->app.application);
+	if (!this->tls)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h
new file mode 100644
index 000000000..ac714a385
--- /dev/null
+++ b/src/libtls/tls_socket.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_socket tls_socket
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_SOCKET_H_
+#define TLS_SOCKET_H_
+
+#include "tls.h"
+
+typedef struct tls_socket_t tls_socket_t;
+
+/**
+ * TLS secured socket.
+ *
+ * Wraps a blocking (socket) file descriptor for a reliable transport into a
+ * TLS secured socket. TLS negotiation happens on demand, certificates and
+ * private keys are fetched from any registered credential set.
+ */
+struct tls_socket_t {
+
+	/**
+	 * Read data from secured socket, return allocated chunk.
+	 *
+	 * This call is blocking, you may use select() on the underlying socket to
+	 * wait for data. If the there was non-application data available, the
+	 * read function can return an empty chunk.
+	 *
+	 * @param data		pointer to allocate received data
+	 * @return			TRUE if data received successfully
+	 */
+	bool (*read)(tls_socket_t *this, chunk_t *data);
+
+	/**
+	 * Write a chunk of data over the secured socket.
+	 *
+	 * @param data		data to send
+	 * @return			TRUE if data sent successfully
+	 */
+	bool (*write)(tls_socket_t *this, chunk_t data);
+
+	/**
+	 * Destroy a tls_socket_t.
+	 */
+	void (*destroy)(tls_socket_t *this);
+};
+
+/**
+ * Create a tls_socket instance.
+ *
+ * @param is_server			TRUE to act as TLS server
+ * @param server			server identity
+ * @param peer				client identity, NULL for no client authentication
+ * @param fd				socket to read/write from
+ * @return					TLS socket wrapper
+ */
+tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
+								identification_t *peer, int fd);
+
+#endif /** TLS_SOCKET_H_ @}*/
diff --git a/src/libtls/tls_writer.c b/src/libtls/tls_writer.c
new file mode 100644
index 000000000..235dc2cdf
--- /dev/null
+++ b/src/libtls/tls_writer.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_writer.h"
+
+typedef struct private_tls_writer_t private_tls_writer_t;
+
+/**
+ * Private data of an tls_writer_t object.
+ */
+struct private_tls_writer_t {
+
+	/**
+	 * Public tls_writer_t interface.
+	 */
+	tls_writer_t public;
+
+	/**
+	 * Allocated buffer
+	 */
+	chunk_t buf;
+
+	/**
+	 * Used bytes in buffer
+	 */
+	size_t used;
+
+	/**
+	 * Number of bytes to increase buffer size
+	 */
+	size_t increase;
+};
+
+/**
+ * Increase buffer size
+ */
+static void increase(private_tls_writer_t *this)
+{
+	this->buf.len += this->increase;
+	this->buf.ptr = realloc(this->buf.ptr, this->buf.len);
+}
+
+METHOD(tls_writer_t, write_uint8, void,
+	private_tls_writer_t *this, u_int8_t value)
+{
+	if (this->used + 1 > this->buf.len)
+	{
+		increase(this);
+	}
+	this->buf.ptr[this->used] = value;
+	this->used += 1;
+}
+
+METHOD(tls_writer_t, write_uint16, void,
+	private_tls_writer_t *this, u_int16_t value)
+{
+	if (this->used + 2 > this->buf.len)
+	{
+		increase(this);
+	}
+	htoun16(this->buf.ptr + this->used, value);
+	this->used += 2;
+}
+
+METHOD(tls_writer_t, write_uint24, void,
+	private_tls_writer_t *this, u_int32_t value)
+{
+	if (this->used + 3 > this->buf.len)
+	{
+		increase(this);
+	}
+	value = htonl(value);
+	memcpy(this->buf.ptr + this->used, ((char*)&value) + 1, 3);
+	this->used += 3;
+}
+
+METHOD(tls_writer_t, write_uint32, void,
+	private_tls_writer_t *this, u_int32_t value)
+{
+	if (this->used + 4 > this->buf.len)
+	{
+		increase(this);
+	}
+	htoun32(this->buf.ptr + this->used, value);
+	this->used += 4;
+}
+
+METHOD(tls_writer_t, write_data, void,
+	private_tls_writer_t *this, chunk_t value)
+{
+	while (this->used + value.len > this->buf.len)
+	{
+		increase(this);
+	}
+	memcpy(this->buf.ptr + this->used, value.ptr, value.len);
+	this->used += value.len;
+}
+
+METHOD(tls_writer_t, write_data8, void,
+	private_tls_writer_t *this, chunk_t value)
+{
+	write_uint8(this, value.len);
+	write_data(this, value);
+}
+
+METHOD(tls_writer_t, write_data16, void,
+	private_tls_writer_t *this, chunk_t value)
+{
+	write_uint16(this, value.len);
+	write_data(this, value);
+}
+
+METHOD(tls_writer_t, write_data24, void,
+	private_tls_writer_t *this, chunk_t value)
+{
+	write_uint24(this, value.len);
+	write_data(this, value);
+}
+
+METHOD(tls_writer_t, write_data32, void,
+	private_tls_writer_t *this, chunk_t value)
+{
+	write_uint32(this, value.len);
+	write_data(this, value);
+}
+
+METHOD(tls_writer_t, wrap8, void,
+	private_tls_writer_t *this)
+{
+	if (this->used + 1 > this->buf.len)
+	{
+		increase(this);
+	}
+	memmove(this->buf.ptr + 1, this->buf.ptr, 1);
+	this->buf.ptr[0] = this->used;
+	this->used += 1;
+}
+
+METHOD(tls_writer_t, wrap16, void,
+	private_tls_writer_t *this)
+{
+	if (this->used + 2 > this->buf.len)
+	{
+		increase(this);
+	}
+	memmove(this->buf.ptr + 2, this->buf.ptr, 2);
+	htoun16(this->buf.ptr, this->used);
+	this->used += 2;
+}
+
+METHOD(tls_writer_t, wrap24, void,
+	private_tls_writer_t *this)
+{
+	u_int32_t len;
+
+	if (this->used + 3 > this->buf.len)
+	{
+		increase(this);
+	}
+	memmove(this->buf.ptr + 3, this->buf.ptr, 3);
+
+	len = htonl(this->used);
+	memcpy(this->buf.ptr, ((char*)&len) + 1, 3);
+	this->used += 3;
+}
+
+METHOD(tls_writer_t, wrap32, void,
+	private_tls_writer_t *this)
+{
+	if (this->used + 4 > this->buf.len)
+	{
+		increase(this);
+	}
+	memmove(this->buf.ptr + 4, this->buf.ptr, 4);
+	htoun32(this->buf.ptr, this->used);
+	this->used += 4;
+}
+
+METHOD(tls_writer_t, get_buf, chunk_t,
+	private_tls_writer_t *this)
+{
+	return chunk_create(this->buf.ptr, this->used);
+}
+
+METHOD(tls_writer_t, destroy, void,
+	private_tls_writer_t *this)
+{
+	free(this->buf.ptr);
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_writer_t *tls_writer_create(u_int32_t bufsize)
+{
+	private_tls_writer_t *this;
+
+	INIT(this,
+		.public = {
+			.write_uint8 = _write_uint8,
+			.write_uint16 = _write_uint16,
+			.write_uint24 = _write_uint24,
+			.write_uint32 = _write_uint32,
+			.write_data = _write_data,
+			.write_data8 = _write_data8,
+			.write_data16 = _write_data16,
+			.write_data24 = _write_data24,
+			.write_data32 = _write_data32,
+			.wrap8 = _wrap8,
+			.wrap16 = _wrap16,
+			.wrap24 = _wrap24,
+			.wrap32 = _wrap32,
+			.get_buf = _get_buf,
+			.destroy = _destroy,
+		},
+		.increase = bufsize ?: 32,
+	);
+	if (bufsize)
+	{
+		this->buf = chunk_alloc(bufsize);
+	}
+
+	return &this->public;
+}
diff --git a/src/libtls/tls_writer.h b/src/libtls/tls_writer.h
new file mode 100644
index 000000000..d3f09d5da
--- /dev/null
+++ b/src/libtls/tls_writer.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_writer tls_writer
+ * @{ @ingroup libtls
+ */
+
+#ifndef TLS_WRITER_H_
+#define TLS_WRITER_H_
+
+typedef struct tls_writer_t tls_writer_t;
+
+#include <library.h>
+
+/**
+ * TLS record generator.
+ */
+struct tls_writer_t {
+
+	/**
+	 * Append a 8-bit integer to the buffer.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_uint8)(tls_writer_t *this, u_int8_t value);
+
+	/**
+	 * Append a 16-bit integer to the buffer.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_uint16)(tls_writer_t *this, u_int16_t value);
+
+	/**
+	 * Append a 24-bit integer to the buffer.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_uint24)(tls_writer_t *this, u_int32_t value);
+
+	/**
+	 * Append a 32-bit integer to the buffer.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_uint32)(tls_writer_t *this, u_int32_t value);
+
+	/**
+	 * Append a chunk of data without a length header.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_data)(tls_writer_t *this, chunk_t value);
+
+	/**
+	 * Append a chunk of data with a 8-bit length header.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_data8)(tls_writer_t *this, chunk_t value);
+
+	/**
+	 * Append a chunk of data with a 16-bit length header.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_data16)(tls_writer_t *this, chunk_t value);
+
+	/**
+	 * Append a chunk of data with a 24-bit length header.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_data24)(tls_writer_t *this, chunk_t value);
+
+	/**
+	 * Append a chunk of data with a 32-bit length header.
+	 *
+	 * @param value		value to append
+	 */
+	void (*write_data32)(tls_writer_t *this, chunk_t value);
+
+	/**
+	 * Prepend a 8-bit length header to existing data.
+	 */
+	void (*wrap8)(tls_writer_t *this);
+
+	/**
+	 * Prepend a 16-bit length header to existing data.
+	 */
+	void (*wrap16)(tls_writer_t *this);
+
+	/**
+	 * Prepend a 24-bit length header to existing data.
+	 */
+	void (*wrap24)(tls_writer_t *this);
+
+	/**
+	 * Prepend a 32-bit length header to existing data.
+	 */
+	void (*wrap32)(tls_writer_t *this);
+
+	/**
+	 * Get the encoded data buffer.
+	 *
+	 * @return			chunk to internal buffer
+	 */
+	chunk_t (*get_buf)(tls_writer_t *this);
+
+	/**
+	 * Destroy a tls_writer_t.
+	 */
+	void (*destroy)(tls_writer_t *this);
+};
+
+/**
+ * Create a tls_writer instance.
+ *
+ * @param bufsize		initially allocated buffer size
+ */
+tls_writer_t *tls_writer_create(u_int32_t bufsize);
+
+#endif /** TLS_WRITER_H_ @}*/
diff --git a/src/manager/Makefile.am b/src/manager/Makefile.am
index e67335673..045c77896 100644
--- a/src/manager/Makefile.am
+++ b/src/manager/Makefile.am
@@ -17,7 +17,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_C
 AM_CFLAGS = -rdynamic \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${manager_plugins}\""
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
 manager_templatesdir = ${managerdir}/templates
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 63a892ee7..5073d9686 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -181,6 +182,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -212,14 +215,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -234,24 +240,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -259,7 +272,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -285,7 +301,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast ${xml_C
 AM_CFLAGS = -rdynamic \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${manager_plugins}\""
 
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
diff --git a/src/medsrv/Makefile.am b/src/medsrv/Makefile.am
index bdec08190..171b086cf 100644
--- a/src/medsrv/Makefile.am
+++ b/src/medsrv/Makefile.am
@@ -14,7 +14,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
 AM_CFLAGS = -rdynamic \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${medsrv_plugins}\""
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
 medsrv_templatesdir = ${medsrvdir}/templates
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 415c35e79..07315cfd2 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -171,6 +172,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -202,14 +205,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -224,24 +230,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -249,7 +262,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -272,7 +288,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libfast
 AM_CFLAGS = -rdynamic \
   -DIPSECDIR=\"${ipsecdir}\" \
   -DIPSEC_PIDDIR=\"${piddir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${medsrv_plugins}\""
 
 
 # Don't forget to add templates to EXTRA_DIST !!! How to automate?
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
index a278cdd17..0be040e87 100644
--- a/src/openac/Makefile.am
+++ b/src/openac/Makefile.am
@@ -5,6 +5,6 @@ dist_man_MANS = openac.8
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
   -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${openac_plugins}\""
 openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 openac.o :		$(top_builddir)/config.status
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 578ab7d39..fcac66226 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -46,6 +46,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -165,6 +166,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -196,14 +199,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -218,24 +224,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -243,7 +256,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -260,7 +276,7 @@ dist_man_MANS = openac.8
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
   -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-  -DPLUGINS=\""${libstrongswan_plugins}\""
+  -DPLUGINS=\""${openac_plugins}\""
 
 openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 3f28b0ac4..5de8f5b7c 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -36,6 +36,7 @@
 #include <credentials/certificates/x509.h>
 #include <credentials/certificates/ac.h>
 #include <credentials/keys/private_key.h>
+#include <credentials/sets/mem_cred.h>
 #include <utils/optionsfrom.h>
 
 #define OPENAC_PATH   		IPSEC_CONFDIR "/openac"
@@ -437,10 +438,19 @@ int main(int argc, char **argv)
 	/* load the signer's RSA private key */
 	if (keyfile != NULL)
 	{
+		mem_cred_t *mem;
+		shared_key_t *shared;
+
+		mem = mem_cred_create();
+		lib->credmgr->add_set(lib->credmgr, &mem->set);
+		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
+								   chunk_clone(passphrase));
+		mem->add_shared(mem, shared, NULL);
 		signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
 									   BUILD_FROM_FILE, keyfile,
-									   BUILD_PASSPHRASE, passphrase,
 									   BUILD_END);
+		lib->credmgr->remove_set(lib->credmgr, &mem->set);
+		mem->destroy(mem);
 		if (signerKey == NULL)
 		{
 			goto end;
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index 99e9bc581..482f83834 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -16,4 +16,4 @@ pki.o :	$(top_builddir)/config.status
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
-	-DPLUGINS=\""${libstrongswan_plugins}\""
+	-DPLUGINS=\""${pki_plugins}\""
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 8f08777bb..0ec6f9c0b 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -142,6 +143,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -173,14 +176,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -195,24 +201,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -220,7 +233,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -246,7 +262,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
 pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = \
-	-DPLUGINS=\""${libstrongswan_plugins}\""
+	-DPLUGINS=\""${pki_plugins}\""
 
 all: all-am
 
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 2002cd555..8ea852e31 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -35,7 +35,7 @@ static int issue()
 	public_key_t *public = NULL;
 	bool pkcs10 = FALSE;
 	char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
-	char *error = NULL;
+	char *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san, *cdps, *ocsp;
 	int lifetime = 1095;
@@ -85,6 +85,9 @@ static int issue()
 			case 'k':
 				cakey = arg;
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case 'd':
 				dn = arg;
 				continue;
@@ -153,9 +156,9 @@ static int issue()
 		error = "--cacert is required";
 		goto usage;
 	}
-	if (!cakey)
+	if (!cakey && !keyid)
 	{
-		error = "--cakey is required";
+		error = "--cakey or --keyid is required";
 		goto usage;
 	}
 	if (dn)
@@ -190,12 +193,24 @@ static int issue()
 	}
 
 	DBG2(DBG_LIB, "Reading ca private key:");
-	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								 public->get_type(public),
-								 BUILD_FROM_FILE, cakey, BUILD_END);
+	if (cakey)
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+									 public->get_type(public),
+									 BUILD_FROM_FILE, cakey, BUILD_END);
+	}
+	else
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	if (!private)
 	{
-		error = "parsing CA private key failed";
+		error = "loading CA private key failed";
 		goto end;
 	}
 	if (!private->belongs_to(private, public))
@@ -354,8 +369,8 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		issue, 'i', "issue",
 		"issue a certificate using a CA certificate and key",
-		{"[--in file] [--type pub|pkcs10]",
-		 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
+		{"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex",
+		 " --cacert file --dn subject-dn [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
 		 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
@@ -365,6 +380,7 @@ static void __attribute__ ((constructor))reg()
 			{"type",	't', 1, "type of input, default: pub"},
 			{"cacert",	'c', 1, "CA certificate file"},
 			{"cakey",	'k', 1, "CA private key file"},
+			{"cakeyid",	'x', 1, "keyid on smartcard of CA private key"},
 			{"dn",		'd', 1, "distinguished name to include as subject"},
 			{"san",		'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",'l', 1, "days the certificate is valid, default: 1095"},
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 6d5462783..870dca920 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -17,6 +17,7 @@
 
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/certificates/crl.h>
 #include <selectors/traffic_selector.h>
 
 #include <time.h>
@@ -29,7 +30,7 @@ static void print_pubkey(public_key_t *key)
 	chunk_t chunk;
 
 	printf("pubkey:    %N %d bits\n", key_type_names, key->get_type(key),
-		   key->get_keysize(key) * 8);
+		   key->get_keysize(key));
 	if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
 	{
 		printf("keyid:     %#B\n", &chunk);
@@ -202,6 +203,44 @@ static void print_x509(x509_t *x509)
 }
 
 /**
+ * Print CRL specific information
+ */
+static void print_crl(crl_t *crl)
+{
+	enumerator_t *enumerator;
+	time_t ts;
+	crl_reason_t reason;
+	chunk_t chunk;
+	int count = 0;
+	char buf[64];
+	struct tm tm;
+
+	chunk = crl->get_serial(crl);
+	printf("serial:    %#B\n", &chunk);
+	chunk = crl->get_authKeyIdentifier(crl);
+	printf("authKeyId: %#B\n", &chunk);
+
+	enumerator = crl->create_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+	{
+		count++;
+	}
+	enumerator->destroy(enumerator);
+
+	printf("%d revoked certificate%s%s\n", count,
+		   count == 1 ? "" : "s", count ? ":" : "");
+	enumerator = crl->create_enumerator(crl);
+	while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
+	{
+		localtime_r(&ts, &tm);
+		strftime(buf, sizeof(buf), "%F %T", &tm);
+		printf("    %#B %N %s\n", &chunk, crl_reason_names, reason, buf);
+		count++;
+	}
+	enumerator->destroy(enumerator);
+}
+
+/**
  * Print certificate information
  */
 static void print_cert(certificate_t *cert)
@@ -212,7 +251,10 @@ static void print_cert(certificate_t *cert)
 	now = time(NULL);
 
 	printf("cert:      %N\n", certificate_type_names, cert->get_type(cert));
-	printf("subject:  \"%Y\"\n", cert->get_subject(cert));
+	if (cert->get_type(cert) != CERT_X509_CRL)
+	{
+		printf("subject:  \"%Y\"\n", cert->get_subject(cert));
+	}
 	printf("issuer:   \"%Y\"\n", cert->get_issuer(cert));
 
 	cert->get_validity(cert, &now, &notBefore, &notAfter);
@@ -240,22 +282,20 @@ static void print_cert(certificate_t *cert)
 		case CERT_X509:
 			print_x509((x509_t*)cert);
 			break;
+		case CERT_X509_CRL:
+			print_crl((crl_t*)cert);
+			break;
 		default:
 			printf("parsing certificate subtype %N not implemented\n",
 				   certificate_type_names, cert->get_type(cert));
 			break;
 	}
-
 	key = cert->get_public_key(cert);
 	if (key)
 	{
 		print_pubkey(key);
 		key->destroy(key);
 	}
-	else
-	{
-		printf("unable to extract public key\n");
-	}
 }
 
 /**
@@ -280,6 +320,11 @@ static int print()
 					type = CRED_CERTIFICATE;
 					subtype = CERT_X509;
 				}
+				else if (streq(arg, "crl"))
+				{
+					type = CRED_CERTIFICATE;
+					subtype = CERT_X509_CRL;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -358,7 +403,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ print, 'a', "print",
 		"print a credential in a human readable form",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509]"},
+		{"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index fc2614c7d..30078a8fa 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -30,7 +30,7 @@ static int pub()
 	private_key_t *private;
 	public_key_t *public;
 	chunk_t encoding;
-	char *file = NULL;
+	char *file = NULL, *keyid = NULL;
 	void *cred;
 	char *arg;
 
@@ -75,6 +75,9 @@ static int pub()
 			case 'i':
 				file = arg;
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -87,6 +90,15 @@ static int pub()
 		cred = lib->creds->create(lib->creds, type, subtype,
 									 BUILD_FROM_FILE, file, BUILD_END);
 	}
+	else if (keyid)
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		cred = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	else
 	{
 		cred = lib->creds->create(lib->creds, type, subtype,
@@ -145,10 +157,12 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		pub, 'p', "pub",
 		"extract the public key from a private key/certificate",
-		{"[--in file] [--type rsa|ecdsa|pkcs10|x509] [--outform der|pem|pgp]"},
+		{"[--in file|--keyid hex] [--type rsa|ecdsa|pkcs10|x509]",
+		 "[--outform der|pem|pgp]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
+			{"keyid",	'x', 1, "keyid on smartcard of private key"},
 			{"type",	't', 1, "type of credential, default: rsa"},
 			{"outform",	'f', 1, "encoding of extracted public key"},
 		}
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index a1ae2f515..d1ca45e1a 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -127,7 +127,7 @@ static int req()
 							  BUILD_SIGNING_KEY, private,
 							  BUILD_SUBJECT, id,
 							  BUILD_SUBJECT_ALTNAMES, san,
-							  BUILD_PASSPHRASE, challenge_password,
+							  BUILD_CHALLENGE_PWD, challenge_password,
 							  BUILD_DIGEST_ALG, digest,
 							  BUILD_END);
 	if (!cert)
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 71776c745..5e6f0bd14 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -32,7 +32,7 @@ static int self()
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
 	public_key_t *public = NULL;
-	char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL;
+	char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san, *ocsp;
 	int lifetime = 1095;
@@ -78,6 +78,9 @@ static int self()
 			case 'i':
 				file = arg;
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case 'd':
 				dn = arg;
 				continue;
@@ -149,6 +152,15 @@ static int self()
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
 									 BUILD_FROM_FILE, file, BUILD_END);
 	}
+	else if (keyid)
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	else
 	{
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
@@ -156,7 +168,7 @@ static int self()
 	}
 	if (!private)
 	{
-		error = "parsing private key failed";
+		error = "loading private key failed";
 		goto end;
 	}
 	public = private->get_public_key(private);
@@ -242,7 +254,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		self, 's', "self",
 		"create a self signed certificate",
-		{"[--in file] [--type rsa|ecdsa]",
+		{"[--in file | --keyid hex] [--type rsa|ecdsa]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 		 "[--flag serverAuth|clientAuth|ocspSigning]+",
@@ -250,6 +262,7 @@ static void __attribute__ ((constructor))reg()
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
+			{"keyid",	'x', 1, "keyid on smartcard of private key"},
 			{"type",	't', 1, "type of input key, default: rsa"},
 			{"dn",		'd', 1, "subject and issuer distinguished name"},
 			{"san",		'a', 1, "subjectAltName to include in certificate"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index b7163a153..24bf9123f 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -110,7 +110,7 @@ static int sign_crl()
 	x509_t *x509;
 	hash_algorithm_t digest = HASH_SHA1;
 	char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
-	char serial[512], crl_serial[8];
+	char serial[512], crl_serial[8], *keyid = NULL;
 	int serial_len = 0;
 	crl_reason_t reason = CRL_REASON_UNSPECIFIED;
 	time_t thisUpdate, nextUpdate, date = time(NULL);
@@ -143,6 +143,9 @@ static int sign_crl()
 			case 'k':
 				cakey = arg;
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case 'a':
 				lastupdate = arg;
 				continue;
@@ -245,9 +248,9 @@ static int sign_crl()
 		error = "--cacert is required";
 		goto usage;
 	}
-	if (!cakey)
+	if (!cakey && !keyid)
 	{
-		error = "--cakey is required";
+		error = "--cakey or --keyid is required";
 		goto usage;
 	}
 
@@ -270,12 +273,24 @@ static int sign_crl()
 		error = "extracting CA certificate public key failed";
 		goto error;
 	}
-	private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-								 public->get_type(public),
-								 BUILD_FROM_FILE, cakey, BUILD_END);
+	if (cakey)
+	{
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+									 public->get_type(public),
+									 BUILD_FROM_FILE, cakey, BUILD_END);
+	}
+	else
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									 BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	if (!private)
 	{
-		error = "parsing CA private key failed";
+		error = "loading CA private key failed";
 		goto error;
 	}
 	if (!private->belongs_to(private, public))
@@ -359,7 +374,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		sign_crl, 'c', "signcrl",
 		"issue a CRL using a CA certificate and key",
-		{"--cacert file --cakey file --lifetime days",
+		{"--cacert file --cakey file | --cakeyid hex --lifetime days",
 		 "[  [--reason key-compromise|ca-compromise|affiliation-changed|",
 		 "             superseded|cessation-of-operation|certificate-hold]",
 		 "   [--date timestamp]",
@@ -369,6 +384,7 @@ static void __attribute__ ((constructor))reg()
 			{"help",	'h', 0, "show usage information"},
 			{"cacert",	'c', 1, "CA certificate file"},
 			{"cakey",	'k', 1, "CA private key file"},
+			{"cakeyid",	'x', 1, "keyid on smartcard of CA private key"},
 			{"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"},
 			{"lastcrl",	'a', 1, "CRL of lastUpdate to copy revocations from"},
 			{"cert",	'z', 1, "certificate file to revoke"},
diff --git a/src/pki/pki.c b/src/pki/pki.c
index d5dd03fa0..3005d2fcd 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -16,7 +16,10 @@
 #include "command.h"
 #include "pki.h"
 
+#include <unistd.h>
+
 #include <debug.h>
+#include <credentials/sets/callback_cred.h>
 
 /**
  * Convert a form string to a encoding type
@@ -109,6 +112,67 @@ hash_algorithm_t get_digest(char *name)
 }
 
 /**
+ * Callback credential set pki uses
+ */
+static callback_cred_t *cb_set;
+
+/**
+ * Callback function to receive credentials
+ */
+static shared_key_t* cb(void *data, shared_key_type_t type,
+						identification_t *me, identification_t *other,
+						id_match_t *match_me, id_match_t *match_other)
+{
+	char buf[64], *label, *secret;
+
+	switch (type)
+	{
+		case SHARED_PIN:
+			label = "Smartcard PIN";
+			break;
+		case SHARED_PRIVATE_KEY_PASS:
+			label = "Private key passphrase";
+			break;
+		default:
+			return NULL;
+	}
+	snprintf(buf, sizeof(buf), "%s: ", label);
+	secret = getpass(buf);
+	if (secret)
+	{
+		if (match_me)
+		{
+			*match_me = ID_MATCH_PERFECT;
+		}
+		if (match_other)
+		{
+			*match_other = ID_MATCH_NONE;
+		}
+		return shared_key_create(type,
+							chunk_clone(chunk_create(secret, strlen(secret))));
+	}
+	return NULL;
+}
+
+/**
+ * Register PIN/Passphrase callback function
+ */
+static void add_callback()
+{
+	cb_set = callback_cred_create_shared(cb, NULL);
+	lib->credmgr->add_set(lib->credmgr, &cb_set->set);
+}
+
+/**
+ * Unregister PIN/Passphrase callback function
+ */
+static void remove_callback()
+{
+	lib->credmgr->remove_set(lib->credmgr, &cb_set->set);
+	cb_set->destroy(cb_set);
+}
+
+/**
  * Library initialization and operation parsing
  */
 int main(int argc, char *argv[])
@@ -129,6 +193,9 @@ int main(int argc, char *argv[])
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
+
+	add_callback();
+	atexit(remove_callback);
 	return command_dispatch(argc, argv);
 }
 
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 9f631ca28..934b11a46 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -18,6 +18,7 @@ db_ops.c db_ops.h \
 defs.c defs.h \
 demux.c demux.h \
 dnskey.c dnskey.h \
+event_queue.c event_queue.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
 ike_alg.c ike_alg.h \
@@ -25,8 +26,6 @@ ipsec_doi.c ipsec_doi.h \
 kameipsec.h \
 kernel.c kernel.h \
 kernel_alg.c kernel_alg.h \
-kernel_netlink.c kernel_netlink.h \
-kernel_noklips.c kernel_noklips.h \
 kernel_pfkey.c kernel_pfkey.h \
 keys.c keys.h \
 lex.c lex.h \
@@ -74,10 +73,10 @@ AM_CFLAGS = -rdynamic \
 -DIPSEC_CONFDIR=\"${sysconfdir}\" \
 -DIPSEC_PIDDIR=\"${piddir}\" \
 -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
--DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \
+-DPLUGINS=\""${pluto_plugins}\"" \
 -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \
 -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
--DPLUTO -DKLIPS -DDEBUG
+-DPLUTO -DDEBUG
 
 pluto_LDADD = \
 $(LIBSTRONGSWANDIR)/libstrongswan.la \
@@ -89,9 +88,7 @@ _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
 
-CLEANFILES = ipsec.secrets.5
-dist_man_MANS = pluto.8 ipsec.secrets.5
-EXTRA_DIST = ipsec.secrets.5.in
+dist_man_MANS = pluto.8
 
 # compile options
 #################
@@ -138,8 +135,3 @@ if USE_XAUTH
   SUBDIRS += plugins/xauth
 endif
 
-ipsec.secrets.5 : ipsec.secrets.5.in
-	sed \
-	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
-	$(srcdir)/$@.in > $@
-
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 41fc4927e..080530f86 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -71,14 +71,14 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
-	"$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 PROGRAMS = $(ipsec_PROGRAMS)
 am__pluto_adns_OBJECTS = adns.$(OBJEXT)
 _pluto_adns_OBJECTS = $(am__pluto_adns_OBJECTS)
@@ -89,17 +89,17 @@ am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \
 	certs.$(OBJEXT) connections.$(OBJEXT) constants.$(OBJEXT) \
 	cookie.$(OBJEXT) crl.$(OBJEXT) crypto.$(OBJEXT) \
 	db_ops.$(OBJEXT) defs.$(OBJEXT) demux.$(OBJEXT) \
-	dnskey.$(OBJEXT) fetch.$(OBJEXT) foodgroups.$(OBJEXT) \
-	ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) kernel.$(OBJEXT) \
-	kernel_alg.$(OBJEXT) kernel_netlink.$(OBJEXT) \
-	kernel_noklips.$(OBJEXT) kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) \
-	lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) modecfg.$(OBJEXT) \
-	nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) packet.$(OBJEXT) \
-	pkcs7.$(OBJEXT) pluto.$(OBJEXT) plutomain.$(OBJEXT) \
-	rcv_whack.$(OBJEXT) server.$(OBJEXT) smartcard.$(OBJEXT) \
-	spdb.$(OBJEXT) state.$(OBJEXT) timer.$(OBJEXT) \
-	vendor.$(OBJEXT) virtual.$(OBJEXT) whack_attribute.$(OBJEXT) \
-	xauth_manager.$(OBJEXT) x509.$(OBJEXT) builder.$(OBJEXT)
+	dnskey.$(OBJEXT) event_queue.$(OBJEXT) fetch.$(OBJEXT) \
+	foodgroups.$(OBJEXT) ike_alg.$(OBJEXT) ipsec_doi.$(OBJEXT) \
+	kernel.$(OBJEXT) kernel_alg.$(OBJEXT) kernel_pfkey.$(OBJEXT) \
+	keys.$(OBJEXT) lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) \
+	modecfg.$(OBJEXT) nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) \
+	packet.$(OBJEXT) pkcs7.$(OBJEXT) pluto.$(OBJEXT) \
+	plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) server.$(OBJEXT) \
+	smartcard.$(OBJEXT) spdb.$(OBJEXT) state.$(OBJEXT) \
+	timer.$(OBJEXT) vendor.$(OBJEXT) virtual.$(OBJEXT) \
+	whack_attribute.$(OBJEXT) xauth_manager.$(OBJEXT) \
+	x509.$(OBJEXT) builder.$(OBJEXT)
 pluto_OBJECTS = $(am_pluto_OBJECTS)
 pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \
 	$(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \
@@ -148,7 +148,6 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
@@ -251,6 +250,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -282,14 +283,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -304,24 +308,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -329,7 +340,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -355,6 +369,7 @@ db_ops.c db_ops.h \
 defs.c defs.h \
 demux.c demux.h \
 dnskey.c dnskey.h \
+event_queue.c event_queue.h \
 fetch.c fetch.h \
 foodgroups.c foodgroups.h \
 ike_alg.c ike_alg.h \
@@ -362,8 +377,6 @@ ipsec_doi.c ipsec_doi.h \
 kameipsec.h \
 kernel.c kernel.h \
 kernel_alg.c kernel_alg.h \
-kernel_netlink.c kernel_netlink.h \
-kernel_noklips.c kernel_noklips.h \
 kernel_pfkey.c kernel_pfkey.h \
 keys.c keys.h \
 lex.c lex.h \
@@ -405,11 +418,11 @@ INCLUDES = \
 AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
 	-DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \
-	-DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \
+	-DPLUGINS=\""${pluto_plugins}\"" \
 	-DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" -DKERNEL26_SUPPORT \
-	-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \
-	$(am__append_1) $(am__append_2) $(am__append_3) \
-	$(am__append_4) $(am__append_5) $(am__append_7)
+	-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DDEBUG $(am__append_1) \
+	$(am__append_2) $(am__append_3) $(am__append_4) \
+	$(am__append_5) $(am__append_7)
 pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \
 	$(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \
 	-lresolv $(PTHREADLIB) $(DLLIB) $(am__append_6)
@@ -417,9 +430,7 @@ _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv $(DLLIB)
 
-CLEANFILES = ipsec.secrets.5
-dist_man_MANS = pluto.8 ipsec.secrets.5
-EXTRA_DIST = ipsec.secrets.5.in
+dist_man_MANS = pluto.8
 
 # build optional plugins
 ########################
@@ -529,14 +540,13 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/defs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/demux.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/event_queue.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/foodgroups.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_doi.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_alg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_noklips.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keys.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.Po@am__quote@
@@ -601,44 +611,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man5: $(dist_man_MANS)
-	@$(NORMAL_INSTALL)
-	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man5:
-	@$(NORMAL_UNINSTALL)
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
 install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
@@ -889,7 +861,7 @@ check: check-recursive
 all-am: Makefile $(PROGRAMS) $(MANS)
 installdirs: installdirs-recursive
 installdirs-am:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
+	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-recursive
@@ -909,7 +881,6 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -957,7 +928,7 @@ install-info: install-info-recursive
 
 install-info-am:
 
-install-man: install-man5 install-man8
+install-man: install-man8
 
 install-pdf: install-pdf-recursive
 
@@ -989,7 +960,7 @@ ps-am:
 
 uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
 
-uninstall-man: uninstall-man5 uninstall-man8
+uninstall-man: uninstall-man8
 
 .MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
 	install-am install-strip tags-recursive
@@ -1002,24 +973,18 @@ uninstall-man: uninstall-man5 uninstall-man8
 	html-am info info-am install install-am install-data \
 	install-data-am install-dvi install-dvi-am install-exec \
 	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipsecPROGRAMS install-man install-man5 \
-	install-man8 install-pdf install-pdf-am install-ps \
-	install-ps-am install-strip installcheck installcheck-am \
-	installdirs installdirs-am maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-recursive uninstall uninstall-am \
-	uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \
+	install-info-am install-ipsecPROGRAMS install-man install-man8 \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	installdirs-am maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
+	uninstall uninstall-am uninstall-ipsecPROGRAMS uninstall-man \
 	uninstall-man8
 
 
 plutomain.o :	$(top_builddir)/config.status
 
-ipsec.secrets.5 : ipsec.secrets.5.in
-	sed \
-	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
-	$(srcdir)/$@.in > $@
-
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index 32fd46ef4..d06e09007 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -414,7 +414,7 @@ struct alg_info_esp *alg_info_esp_create_from_str(char *alg_str)
 	alg_info_esp = malloc_thing (struct alg_info_esp);
 	zero(alg_info_esp);
 
-	pfs_name=index (alg_str, ';');
+	pfs_name=strchr(alg_str, ';');
 	if (pfs_name)
 	{
 		memcpy(esp_buf, alg_str, pfs_name-alg_str);
diff --git a/src/pluto/builder.c b/src/pluto/builder.c
index 0cba32bcf..d7ec3feb9 100644
--- a/src/pluto/builder.c
+++ b/src/pluto/builder.c
@@ -136,9 +136,9 @@ static x509crl_t *builder_load_crl(certificate_type_t type, va_list args)
 
 void init_builder(void)
 {
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CERT, FALSE,
 							(builder_function_t)builder_load_cert);
-	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL,
+	lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_PLUTO_CRL, FALSE,
 							(builder_function_t)builder_load_crl);
 }
 
diff --git a/src/pluto/certs.c b/src/pluto/certs.c
index 24e8ffb27..e866022df 100644
--- a/src/pluto/certs.c
+++ b/src/pluto/certs.c
@@ -74,20 +74,21 @@ void cert_free(cert_t *cert)
 cert_t* cert_add(cert_t *cert)
 {
 	certificate_t *certificate = cert->cert;
-	cert_t *c = certs;
+	cert_t *c;
 
-	while (c != NULL)
+	lock_certs_and_keys("cert_add");
+
+	for (c = certs; c != NULL; c = c->next)
 	{
-		if (certificate->equals(certificate, c->cert)) /* already in chain, free cert */
-		{
+		if (certificate->equals(certificate, c->cert))
+		{	/* already in chain, free cert */
+			unlock_certs_and_keys("cert_add");
 			cert_free(cert);
 			return c;
 		}
-		c = c->next;
 	}
 
 	/* insert new cert at the root of the chain */
-	lock_certs_and_keys("cert_add");
 	cert->next = certs;
 	certs = cert;
 	DBG(DBG_CONTROL | DBG_PARSING,
@@ -98,90 +99,6 @@ cert_t* cert_add(cert_t *cert)
 }
 
 /**
- * Passphrase callback to read from whack fd
- */
-chunk_t whack_pass_cb(prompt_pass_t *pass, int try)
-{
-	int n;
-
-	if (try > MAX_PROMPT_PASS_TRIALS)
-	{
-		whack_log(RC_LOG_SERIOUS, "invalid passphrase, too many trials");
-		return chunk_empty;
-	}
-	if (try == 1)
-	{
-		whack_log(RC_ENTERSECRET, "need passphrase for 'private key'");
-	}
-	else
-	{
-		whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
-	}
-
-	n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
-
-	if (n == -1)
-	{
-		whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
-		return chunk_empty;
-	}
-
-	pass->secret[n-1] = '\0';
-
-	if (strlen(pass->secret) == 0)
-	{
-		whack_log(RC_LOG_SERIOUS, "no passphrase entered, aborted");
-		return chunk_empty;
-	}
-	return chunk_create(pass->secret, strlen(pass->secret));
-}
-
-/**
- *  Loads a PKCS#1 or PGP private key file
- */
-private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
-								key_type_t type)
-{
-	private_key_t *key = NULL;
-	char *path;
-
-	path = concatenate_paths(PRIVATE_KEY_PATH, filename);
-	if (pass && pass->prompt && pass->fd != NULL_FD)
-	{	/* use passphrase callback */
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 BUILD_FROM_FILE, path,
-								 BUILD_PASSPHRASE_CALLBACK, whack_pass_cb, pass,
-								 BUILD_END);
-		if (key)
-		{
-			whack_log(RC_SUCCESS, "valid passphrase");
-		}
-	}
-	else if (pass)
-	{	/* use a given passphrase */
-		chunk_t password = chunk_create(pass->secret, strlen(pass->secret));
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 BUILD_FROM_FILE, path,
-								 BUILD_PASSPHRASE, password, BUILD_END);
-	}
-	else
-	{	/* no passphrase */
-		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
-								 BUILD_FROM_FILE, path, BUILD_END);
-
-	}
-	if (key)
-	{
-		plog("  loaded private key from '%s'", filename);
-	}
-	else
-	{
-		plog("  syntax error in private key file");
-	}
-	return key;
-}
-
-/**
  *  Loads a X.509 or OpenPGP certificate
  */
 cert_t* load_cert(char *filename, const char *label, x509_flag_t flags)
@@ -316,7 +233,7 @@ void list_pgp_end_certs(bool utc)
 
 				whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
 						key_type_names, key->get_type(key),
-						key->get_keysize(key) * BITS_PER_BYTE,
+						key->get_keysize(key),
 						has_private_key(cert)? ", has private key" : "");
 				if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid))
 				{
diff --git a/src/pluto/certs.h b/src/pluto/certs.h
index 21e856a3c..b31c4c3ed 100644
--- a/src/pluto/certs.h
+++ b/src/pluto/certs.h
@@ -65,8 +65,6 @@ extern const cert_t cert_empty;
  */
 extern bool no_cr_send;
 
-extern private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
-									   key_type_t type);
 extern cert_t* load_cert(char *filename, const char *label, x509_flag_t flags);
 extern cert_t* load_host_cert(char *filename);
 extern cert_t* load_ca_cert(char *filename);
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index e1f47f2d6..9f277e135 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -297,6 +297,7 @@ void delete_connection(connection_t *c, bool relations)
 {
 	modecfg_attribute_t *ca;
 	connection_t *old_cur_connection;
+	identification_t *client_id;
 
 	old_cur_connection = cur_connection == c? NULL : cur_connection;
 #ifdef DEBUG
@@ -367,12 +368,14 @@ void delete_connection(connection_t *c, bool relations)
 		free(c->spd.that.virt);
 	}
 
+	client_id = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id;
+
 	/* release virtual IP address lease if any */
 	if (c->spd.that.modecfg && c->spd.that.pool &&
 		!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip))
 	{
 		hydra->attributes->release_address(hydra->attributes, c->spd.that.pool,
-										   c->spd.that.host_srcip, c->spd.that.id);
+										   c->spd.that.host_srcip, client_id);
 	}
 
 	/* release requested attributes if any */
@@ -388,7 +391,7 @@ void delete_connection(connection_t *c, bool relations)
 		while (c->attributes->remove_last(c->attributes, (void **)&ca) == SUCCESS)
 		{
 			hydra->attributes->release(hydra->attributes, ca->handler,
-									   c->spd.that.id, ca->type, ca->value);
+									   client_id, ca->type, ca->value);
 			modecfg_attribute_destroy(ca);
 		}
 		c->attributes->destroy(c->attributes);
@@ -536,7 +539,7 @@ void check_orientations(void)
 				for (hp = host_pairs; hp != NULL; hp = hp->next)
 				{
 					if (sameaddr(&hp->him.addr, &i->addr)
-					&& (!no_klips || hp->him.port == pluto_port))
+						&& hp->him.port == pluto_port)
 					{
 						/* bad news: the whole chain of connections
 						 * hanging off this host pair has both sides
@@ -871,7 +874,8 @@ static void load_end_certificate(char *filename, struct end *dst)
 		/* cache the certificate that was last retrieved from the smartcard */
 		if (dst->sc)
 		{
-			if (!certificate->equals(certificate, dst->sc->last_cert->cert))
+			if (!dst->sc->last_cert ||
+			    !certificate->equals(certificate, dst->sc->last_cert->cert))
 			{
 				lock_certs_and_keys("load_end_certificates");
 				cert_release(dst->sc->last_cert);
@@ -1077,7 +1081,7 @@ void add_connection(const whack_message_t *wm)
 		if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp)
 		{
 			loglog(RC_COMMENT
-				, "ignoring --compress in \"%s\" because KLIPS is not configured to do IPCOMP"
+				, "ignoring --compress in \"%s\" because kernel does not support IPCOMP"
 				, c->name);
 		}
 
@@ -1191,7 +1195,12 @@ void add_connection(const whack_message_t *wm)
 		}
 
 		c->spd.next = NULL;
-		c->spd.reqid = gen_reqid();
+		c->spd.reqid = wm->reqid ?: gen_reqid();
+
+		c->spd.mark_in.value = wm->mark_in.value;
+		c->spd.mark_in.mask = wm->mark_in.mask;
+		c->spd.mark_out.value = wm->mark_out.value;
+		c->spd.mark_out.mask = wm->mark_out.mask;
 
 		/* set internal fields */
 		c->instance_serial = 0;
@@ -1884,7 +1893,7 @@ bool orient(connection_t *c)
 				{
 					/* check if this interface matches this end */
 					if (sameaddr(&sr->this.host_addr, &p->addr)
-					&& (!no_klips || sr->this.host_port == pluto_port))
+						&& sr->this.host_port == pluto_port)
 					{
 						if (oriented(*c))
 						{
@@ -1903,7 +1912,7 @@ bool orient(connection_t *c)
 
 					/* done with this interface if it doesn't match that end */
 					if (!(sameaddr(&sr->that.host_addr, &p->addr)
-					&& (!no_klips || sr->that.host_port == pluto_port)))
+						&& sr->that.host_port == pluto_port))
 						break;
 
 					/* swap ends and try again.
@@ -2146,27 +2155,6 @@ static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh)
 		}
 		return;
 	}
-
-#ifdef KLIPS
-	if (b->held)
-	{
-		/* Replace HOLD with b->failure_shunt.
-		 * If no b->failure_shunt specified, use SPI_PASS -- THIS MAY CHANGE.
-		 */
-		if (b->failure_shunt == 0)
-		{
-			DBG(DBG_OPPO, DBG_log("no explicit failure shunt for %s to %s; installing %%pass"
-								  , ocb, pcb));
-		}
-
-		(void) replace_bare_shunt(&b->our_client, &b->peer_client
-			, b->policy_prio
-			, b->failure_shunt
-			, b->failure_shunt != 0
-			, b->transport_proto
-			, ugh);
-	}
-#endif
 }
 
 static void initiate_opportunistic_body(struct find_oppo_bundle *b
@@ -2203,16 +2191,6 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
 	 */
 	whack_log_fd = whackfd;
 
-#ifdef KLIPS
-	/* Discover and record whether %hold has gone away.
-	 * This could have happened while we were awaiting DNS.
-	 * We must check BEFORE any call to cannot_oppo.
-	 */
-	if (was_held)
-		cr->b.held = has_bare_hold(&cr->b.our_client, &cr->b.peer_client
-			, cr->b.transport_proto);
-#endif
-
 #ifdef DEBUG
 	/* if we're going to ignore the error, at least note it in debugging log */
 	if (cr->b.failure_ok && ugh)
@@ -2424,7 +2402,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 		/* We've found a connection that can serve.
 		 * Do we have to initiate it?
 		 * Not if there is currently an IPSEC SA.
-		 * But if there is an IPSEC SA, then KLIPS would not
+		 * But if there is an IPSEC SA, then the kernel would not
 		 * have generated the acquire.  So we assume that there isn't one.
 		 * This may be redundant if a non-opportunistic
 		 * negotiation is already being attempted.
@@ -2445,13 +2423,11 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 		/* otherwise, there is some kind of static conn that can handle
 		 * this connection, so we initiate it */
 
-#ifdef KLIPS
 		if (b->held)
 		{
 			/* what should we do on failure? */
 			(void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client);
 		}
-#endif
 		ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
 		b->whackfd = NULL_FD;   /* protect from close */
 	}
@@ -2816,21 +2792,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 							"no suitable connection for opportunism "
 							"between %s and %s with %Y as peer",
 							 ocb, pcb, ac->gateways_from_dns->gw_id);
-
-#ifdef KLIPS
-					if (b->held)
-					{
-						/* Replace HOLD with PASS.
-						 * The type of replacement *ought* to be
-						 * specified by policy.
-						 */
-						(void) replace_bare_shunt(&b->our_client, &b->peer_client
-							, BOTTOM_PRIO
-							, SPI_PASS  /* fail into PASS */
-							, TRUE, b->transport_proto
-							, "no suitable connection");
-					}
-#endif
 				}
 				else
 				{
@@ -2839,7 +2800,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 					passert(c->gw_info != NULL);
 					passert(HAS_IPSEC_POLICY(c->policy));
 					passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing));
-#ifdef KLIPS
 					if (b->held)
 					{
 						/* what should we do on failure? */
@@ -2847,7 +2807,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 										   , b->transport_proto
 										   , &b->our_client, &b->peer_client);
 					}
-#endif
 					c->gw_info->key->last_tried_time = now();
 					ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
 					b->whackfd = NULL_FD;       /* protect from close */
@@ -3161,6 +3120,10 @@ connection_t *route_owner(connection_t *c, struct spd_route **srp,
 				{
 					continue;
 				}
+				if (src->mark_out.value != srd->mark_out.value)
+				{
+					continue;
+				}
 				passert(oriented(*d));
 				if (srd->routing > best_routing)
 				{
@@ -3181,6 +3144,10 @@ connection_t *route_owner(connection_t *c, struct spd_route **srp,
 				{
 					continue;
 				}
+				if (src->mark_in.value != srd->mark_in.value)
+				{
+					continue;
+				}
 				if (srd->routing > best_erouting)
 				{
 					best_ero = d;
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index b67f0b562..e3775fcb0 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -168,6 +168,8 @@ struct spd_route {
 	so_serial_t eroute_owner;
 	enum routing_t routing;     /* level of routing in place */
 	uint32_t reqid;
+	mark_t mark_in;
+	mark_t mark_out;
 };
 
 typedef struct connection connection_t;
@@ -294,7 +296,7 @@ extern connection_t* find_connection_for_clients(struct spd_route **srp,
 												 const ip_address *peer_client,
 												 int transport_proto);
 extern void get_peer_ca_and_groups(connection_t *c,
-								   identification_t **peer_ca, 
+								   identification_t **peer_ca,
 								   ietf_attributes_t **peer_attributes);
 
 /* instantiating routines
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index 63a37009b..ec7bfaf78 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -77,7 +77,6 @@ ENUM(dpd_action_names, DPD_ACTION_NONE, DPD_ACTION_RESTART,
 ENUM(timer_event_names, EVENT_NULL, EVENT_LOG_DAILY,
 	"EVENT_NULL",
 	"EVENT_REINIT_SECRET",
-	"EVENT_SHUNT_SCAN",
 	"EVENT_SO_DISCARD",
 	"EVENT_RETRANSMIT",
 	"EVENT_SA_REPLACE",
@@ -112,7 +111,7 @@ const char *const debug_bit_names[] = {
 	"emitting",
 	"control",
 	"lifecycle",
-	"klips",
+	"kernel",
 	"dns",
 	"natt",
 	"oppo",
@@ -132,6 +131,8 @@ const char *const debug_bit_names[] = {
 /* State of exchanges */
 
 static const char *const state_name[] = {
+	"STATE_UNDEFINED",
+
 	"STATE_MAIN_R0",
 	"STATE_MAIN_I1",
 	"STATE_MAIN_R1",
@@ -171,11 +172,12 @@ static const char *const state_name[] = {
 };
 
 enum_names state_names =
-	{ STATE_MAIN_R0, STATE_IKE_ROOF-1, state_name, NULL };
+	{ STATE_UNDEFINED, STATE_IKE_ROOF-1, state_name, NULL };
 
 /* story for state */
 
 const char *const state_story[] = {
+	"undefined state after error",			 /* STATE_UNDEFINED */
 	"expecting MI1",                         /* STATE_MAIN_R0 */
 	"sent MI1, expecting MR1",               /* STATE_MAIN_I1 */
 	"sent MR1, expecting MI2",               /* STATE_MAIN_R1 */
@@ -411,7 +413,7 @@ enum_names esp_transform_names =
 
 static const char *const ipcomp_transform_name[] = {
 	"IPCOMP_OUI",
-	"IPCOMP_DEFLAT",
+	"IPCOMP_DEFLATE",
 	"IPCOMP_LZS",
 	"IPCOMP_LZJH",
 };
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index 790bbefa6..075579d6d 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -18,6 +18,8 @@
 
 #include <freeswan.h>
 
+#include <kernel/kernel_ipsec.h>
+
 #include <utils.h>
 #include <utils/identification.h>
 #include <crypto/hashers/hasher.h>
@@ -193,16 +195,9 @@ extern enum_names esp_transform_names;
 
 /* IPCOMP transform values
  * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
+ * now defined in kernel/kernel_ipsec.h
  */
 
-enum ipsec_comp_algo {
-	IPSCOMP_NONE   = 0,
-	IPCOMP_OUI     = 1,
-	IPCOMP_DEFLATE = 2,
-	IPCOMP_LZS     = 3,
-	IPCOMP_LZJH    = 4
-};
-
 extern enum_names ipcomp_transformid_names;
 
 /* Certificate type values
@@ -251,9 +246,6 @@ extern enum_name_t *timer_event_names;
 enum event_type {
 	EVENT_NULL, /* non-event */
 	EVENT_REINIT_SECRET,        /* Refresh cookie secret */
-#ifdef KLIPS
-	EVENT_SHUNT_SCAN,           /* scan shunt eroutes known to kernel */
-#endif
 	EVENT_SO_DISCARD,           /* discard unfinished state object */
 	EVENT_RETRANSMIT,           /* Retransmit packet */
 	EVENT_SA_REPLACE,           /* SA replacement event */
@@ -325,7 +317,7 @@ extern const char *const debug_bit_names[];
 #define DBG_EMITTING    LELEM(3)        /* show encoding of messages */
 #define DBG_CONTROL     LELEM(4)        /* control flow within Pluto */
 #define DBG_LIFECYCLE   LELEM(5)        /* SA lifecycle */
-#define DBG_KLIPS       LELEM(6)        /* messages to KLIPS */
+#define DBG_KERNEL      LELEM(6)        /* messages to kernel */
 #define DBG_DNS         LELEM(7)        /* DNS activity */
 #define DBG_NATT        LELEM(8)        /* NAT-T */
 #define DBG_OPPO        LELEM(9)        /* opportunism */
@@ -376,11 +368,6 @@ extern const char *const state_story[];
 enum state_kind {
 	STATE_UNDEFINED,    /* 0 -- most likely accident */
 
-	/*  Opportunism states: see "Opportunistic Encryption" 2.2 */
-
-	OPPO_ACQUIRE,       /* got an ACQUIRE message for this pair */
-	OPPO_GW_DISCOVERED, /* got TXT specifying gateway */
-
 	/* IKE states */
 
 	STATE_MAIN_R0,
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index a62e7632d..0684de618 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -1,6 +1,10 @@
 /* crypto interfaces
+ *
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2007-2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 1998-2001 D. Hugh Redelmeier
- * Copyright (C) 2007-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -26,10 +30,10 @@ static struct encrypt_desc encrypt_desc_3des =
 	algo_id:         OAKLEY_3DES_CBC,
 	algo_next:       NULL,
 
-	enc_blocksize:	 DES_BLOCK_SIZE,
-	keydeflen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	keyminlen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
-	keymaxlen:		 DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	enc_blocksize:   DES_BLOCK_SIZE,
+	keydeflen:       DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	keyminlen:       DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
+	keymaxlen:       DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
 };
 
 #define  AES_KEY_MIN_LEN	128
@@ -38,14 +42,14 @@ static struct encrypt_desc encrypt_desc_3des =
 
 static struct encrypt_desc encrypt_desc_aes =
 {
-	algo_type: 	     IKE_ALG_ENCRYPT,
-	algo_id:   	     OAKLEY_AES_CBC,
-	algo_next: 	     NULL,
-
-	enc_blocksize: 	 AES_BLOCK_SIZE,
-	keyminlen: 		 AES_KEY_MIN_LEN,
-	keydeflen: 		 AES_KEY_DEF_LEN,
-	keymaxlen: 		 AES_KEY_MAX_LEN,
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_AES_CBC,
+	algo_next:       NULL,
+
+	enc_blocksize:   AES_BLOCK_SIZE,
+	keyminlen:       AES_KEY_MIN_LEN,
+	keydeflen:       AES_KEY_DEF_LEN,
+	keymaxlen:       AES_KEY_MAX_LEN,
 };
 
 #define  CAMELLIA_KEY_MIN_LEN	128
@@ -54,14 +58,14 @@ static struct encrypt_desc encrypt_desc_aes =
 
 static struct encrypt_desc encrypt_desc_camellia =
 {
-	algo_type: 	     IKE_ALG_ENCRYPT,
-	algo_id:   	     OAKLEY_CAMELLIA_CBC,
-	algo_next: 	     NULL,
-
-	enc_blocksize: 	 CAMELLIA_BLOCK_SIZE,
-	keyminlen: 		 CAMELLIA_KEY_MIN_LEN,
-	keydeflen: 		 CAMELLIA_KEY_DEF_LEN,
-	keymaxlen: 		 CAMELLIA_KEY_MAX_LEN,
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_CAMELLIA_CBC,
+	algo_next:       NULL,
+
+	enc_blocksize:   CAMELLIA_BLOCK_SIZE,
+	keyminlen:       CAMELLIA_KEY_MIN_LEN,
+	keydeflen:       CAMELLIA_KEY_DEF_LEN,
+	keymaxlen:       CAMELLIA_KEY_MAX_LEN,
 };
 
 #define  BLOWFISH_KEY_MIN_LEN	128
@@ -73,10 +77,10 @@ static struct encrypt_desc encrypt_desc_blowfish =
 	algo_id:         OAKLEY_BLOWFISH_CBC,
 	algo_next:       NULL,
 
-	enc_blocksize:	 BLOWFISH_BLOCK_SIZE,
-	keyminlen:		 BLOWFISH_KEY_MIN_LEN,
-	keydeflen:		 BLOWFISH_KEY_MIN_LEN,
-	keymaxlen:		 BLOWFISH_KEY_MAX_LEN,
+	enc_blocksize:   BLOWFISH_BLOCK_SIZE,
+	keyminlen:       BLOWFISH_KEY_MIN_LEN,
+	keydeflen:       BLOWFISH_KEY_MIN_LEN,
+	keymaxlen:       BLOWFISH_KEY_MAX_LEN,
 };
 
 #define  SERPENT_KEY_MIN_LEN	128
@@ -85,14 +89,14 @@ static struct encrypt_desc encrypt_desc_blowfish =
 
 static struct encrypt_desc encrypt_desc_serpent =
 {
-	algo_type: 	    IKE_ALG_ENCRYPT,
-	algo_id:   	    OAKLEY_SERPENT_CBC,
-	algo_next: 	    NULL,
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_SERPENT_CBC,
+	algo_next:       NULL,
 
 	enc_blocksize:   SERPENT_BLOCK_SIZE,
-	keyminlen:		 SERPENT_KEY_MIN_LEN,
-	keydeflen:		 SERPENT_KEY_DEF_LEN,
-	keymaxlen:		 SERPENT_KEY_MAX_LEN,
+	keyminlen:       SERPENT_KEY_MIN_LEN,
+	keydeflen:       SERPENT_KEY_DEF_LEN,
+	keymaxlen:       SERPENT_KEY_MAX_LEN,
 };
 
 #define  TWOFISH_KEY_MIN_LEN	128
@@ -101,62 +105,62 @@ static struct encrypt_desc encrypt_desc_serpent =
 
 static struct encrypt_desc encrypt_desc_twofish =
 {
-	algo_type: 	     IKE_ALG_ENCRYPT,
-	algo_id:   	     OAKLEY_TWOFISH_CBC,
-	algo_next: 	     NULL,
-
-	enc_blocksize:	 TWOFISH_BLOCK_SIZE,
-	keydeflen:		 TWOFISH_KEY_MIN_LEN,
-	keyminlen:		 TWOFISH_KEY_DEF_LEN,
-	keymaxlen:		 TWOFISH_KEY_MAX_LEN,
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_TWOFISH_CBC,
+	algo_next:       NULL,
+
+	enc_blocksize:   TWOFISH_BLOCK_SIZE,
+	keydeflen:       TWOFISH_KEY_MIN_LEN,
+	keyminlen:       TWOFISH_KEY_DEF_LEN,
+	keymaxlen:       TWOFISH_KEY_MAX_LEN,
 };
 
 static struct encrypt_desc encrypt_desc_twofish_ssh =
 {
-	algo_type: 	     IKE_ALG_ENCRYPT,
-	algo_id:   	     OAKLEY_TWOFISH_CBC_SSH,
-	algo_next: 	     NULL,
-
-	enc_blocksize:	 TWOFISH_BLOCK_SIZE,
-	keydeflen:		 TWOFISH_KEY_MIN_LEN,
-	keyminlen:		 TWOFISH_KEY_DEF_LEN,
-	keymaxlen:		 TWOFISH_KEY_MAX_LEN,
+	algo_type:       IKE_ALG_ENCRYPT,
+	algo_id:         OAKLEY_TWOFISH_CBC_SSH,
+	algo_next:       NULL,
+
+	enc_blocksize:   TWOFISH_BLOCK_SIZE,
+	keydeflen:       TWOFISH_KEY_MIN_LEN,
+	keyminlen:       TWOFISH_KEY_DEF_LEN,
+	keymaxlen:       TWOFISH_KEY_MAX_LEN,
 };
 
 static struct hash_desc hash_desc_md5 =
 {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_MD5,
-	algo_next: NULL,
+	algo_type:        IKE_ALG_HASH,
+	algo_id:          OAKLEY_MD5,
+	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_MD5,
 };
 
 static struct hash_desc hash_desc_sha1 =
 {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA,
-	algo_next: NULL,
+	algo_type:        IKE_ALG_HASH,
+	algo_id:          OAKLEY_SHA,
+	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA1,
 };
 
 static struct hash_desc hash_desc_sha2_256 = {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA2_256,
-	algo_next: NULL,
+	algo_type:        IKE_ALG_HASH,
+	algo_id:          OAKLEY_SHA2_256,
+	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA256,
 };
 
 static struct hash_desc hash_desc_sha2_384 = {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA2_384,
-	algo_next: NULL,
+	algo_type:        IKE_ALG_HASH,
+	algo_id:          OAKLEY_SHA2_384,
+	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA384,
 };
 
 static struct hash_desc hash_desc_sha2_512 = {
-	algo_type: IKE_ALG_HASH,
-	algo_id:   OAKLEY_SHA2_512,
-	algo_next: NULL,
+	algo_type:        IKE_ALG_HASH,
+	algo_id:          OAKLEY_SHA2_512,
+	algo_next:        NULL,
 	hash_digest_size: HASH_SIZE_SHA512,
 };
 
@@ -518,107 +522,117 @@ signature_scheme_t oakley_to_signature_scheme(int method)
 }
 
 /**
+ * Table to map IKEv2 encryption algorithms to IKEv1 (or IKEv1 ESP) and back
+ */
+struct {
+	encryption_algorithm_t alg;
+	int oakley;
+	int esp;
+} encr_map[] = {
+	{ENCR_DES,                OAKLEY_DES_CBC,         ESP_DES       },
+	{ENCR_3DES,               OAKLEY_3DES_CBC,        ESP_3DES      },
+	{ENCR_RC5,                OAKLEY_RC5_R16_B64_CBC, ESP_RC5       },
+	{ENCR_IDEA,               OAKLEY_IDEA_CBC,        ESP_IDEA      },
+	{ENCR_CAST,               OAKLEY_CAST_CBC,        ESP_CAST      },
+	{ENCR_BLOWFISH,           OAKLEY_BLOWFISH_CBC,    ESP_BLOWFISH  },
+	{ENCR_AES_CBC,            OAKLEY_AES_CBC,         ESP_AES       },
+	{ENCR_CAMELLIA_CBC,       OAKLEY_CAMELLIA_CBC,    ESP_CAMELLIA  },
+	{ENCR_SERPENT_CBC,        OAKLEY_SERPENT_CBC,     ESP_SERPENT   },
+	{ENCR_TWOFISH_CBC,        OAKLEY_TWOFISH_CBC,     ESP_TWOFISH   },
+	{ENCR_NULL,               0,                      ESP_NULL      },
+	{ENCR_AES_CTR,            0,                      ESP_AES_CTR   },
+	{ENCR_AES_CCM_ICV8,       0,                      ESP_AES_CCM_8 },
+	{ENCR_AES_CCM_ICV12,      0,                      ESP_AES_CCM_12},
+	{ENCR_AES_CCM_ICV16,      0,                      ESP_AES_CCM_16},
+	{ENCR_AES_GCM_ICV8,       0,                      ESP_AES_GCM_8 },
+	{ENCR_AES_GCM_ICV12,      0,                      ESP_AES_GCM_12},
+	{ENCR_AES_GCM_ICV16,      0,                      ESP_AES_GCM_16},
+	{ENCR_NULL_AUTH_AES_GMAC, 0,                      ESP_AES_GMAC  },
+};
+
+/**
  * Converts IKEv2 encryption to IKEv1 encryption algorithm
  */
 int oakley_from_encryption_algorithm(encryption_algorithm_t alg)
 {
-	switch (alg)
+	int i;
+	for (i = 0; i < countof(encr_map); i++)
 	{
-		case ENCR_DES:
-			return OAKLEY_DES_CBC;
-		case ENCR_3DES:
-			return OAKLEY_3DES_CBC;
-		case ENCR_RC5:
-			return OAKLEY_RC5_R16_B64_CBC;
-		case ENCR_IDEA:
-			return OAKLEY_IDEA_CBC;
-		case ENCR_CAST:
-			return OAKLEY_CAST_CBC;
-		case ENCR_BLOWFISH:
-			return OAKLEY_BLOWFISH_CBC;
-		case ENCR_AES_CBC:
-			return OAKLEY_AES_CBC;
-		case ENCR_CAMELLIA_CBC:
-			return OAKLEY_CAMELLIA_CBC;
-		case ENCR_SERPENT_CBC:
-			return OAKLEY_SERPENT_CBC;
-	case ENCR_TWOFISH_CBC:
-			return OAKLEY_TWOFISH_CBC;
-		default:
-			return 0;
+		if (encr_map[i].alg == alg)
+		{
+			return encr_map[i].oakley;
+		}
 	}
+	return 0;
 }
 
 /**
- * Converts IKEv2 integrity to IKEv1 hash algorithm
+ * Converts IKEv2 encryption to IKEv1 ESP encryption algorithm
  */
-int oakley_from_integrity_algorithm(integrity_algorithm_t alg)
+int esp_from_encryption_algorithm(encryption_algorithm_t alg)
 {
-	switch (alg)
+	int i;
+	for (i = 0; i < countof(encr_map); i++)
 	{
-		case AUTH_HMAC_MD5_96:
-			return OAKLEY_MD5;
-		case AUTH_HMAC_SHA1_96:
-			return OAKLEY_SHA;
-		case AUTH_HMAC_SHA2_256_128:
-			return OAKLEY_SHA2_256;
-		case AUTH_HMAC_SHA2_384_192:
-			return OAKLEY_SHA2_384;
-		case AUTH_HMAC_SHA2_512_256:
-			return OAKLEY_SHA2_512;
-		default:
-			return 0;
+		if (encr_map[i].alg == alg)
+		{
+			return encr_map[i].esp;
+		}
 	}
+	return 0;
 }
 
 /**
- * Converts IKEv2 encryption to IKEv1 ESP encryption algorithm
+ * Converts IKEv1 ESP encryption to IKEv2 algorithm
  */
-int esp_from_encryption_algorithm(encryption_algorithm_t alg)
+encryption_algorithm_t encryption_algorithm_from_esp(int esp)
 {
-	switch (alg)
+	int i;
+	for (i = 0; i < countof(encr_map); i++)
 	{
-		case ENCR_DES:
-			return ESP_DES;
-		case ENCR_3DES:
-			return ESP_3DES;
-		case ENCR_RC5:
-			return ESP_RC5;
-		case ENCR_IDEA:
-			return ESP_IDEA;
-		case ENCR_CAST:
-			return ESP_CAST;
-		case ENCR_BLOWFISH:
-			return ESP_BLOWFISH;
-		case ENCR_NULL:
-			return ESP_NULL;
-		case ENCR_AES_CBC:
-			return ESP_AES;
-		case ENCR_AES_CTR:
-			return ESP_AES_CTR;
-		case ENCR_AES_CCM_ICV8:
-			return ESP_AES_CCM_8;
-		case ENCR_AES_CCM_ICV12:
-			return ESP_AES_CCM_12;
-		case ENCR_AES_CCM_ICV16:
-			return ESP_AES_CCM_16;
-		case ENCR_AES_GCM_ICV8:
-			return ESP_AES_GCM_8;
-		case ENCR_AES_GCM_ICV12:
-			return ESP_AES_GCM_12;
-		case ENCR_AES_GCM_ICV16:
-			return ESP_AES_GCM_16;
-		case ENCR_CAMELLIA_CBC:
-			return ESP_CAMELLIA;
-		case ENCR_NULL_AUTH_AES_GMAC:
-			return ESP_AES_GMAC;
-		case ENCR_SERPENT_CBC:
-			return ESP_SERPENT;
-		case ENCR_TWOFISH_CBC:
-			return ESP_TWOFISH;
-		default:
-			return 0;
+		if (encr_map[i].esp == esp)
+		{
+			return encr_map[i].alg;
+		}
+	}
+	return 0;
+}
+
+/**
+ * Table to map IKEv2 integrity algorithms to IKEv1 (or IKEv1 ESP) and back
+ */
+struct {
+	integrity_algorithm_t alg;
+	int oakley;
+	int esp;
+} auth_map[] = {
+	{AUTH_HMAC_MD5_96,       OAKLEY_MD5,      AUTH_ALGORITHM_HMAC_MD5        },
+	{AUTH_HMAC_SHA1_96,      OAKLEY_SHA,      AUTH_ALGORITHM_HMAC_SHA1       },
+	{AUTH_HMAC_SHA2_256_96,  0,               AUTH_ALGORITHM_HMAC_SHA2_256_96},
+	{AUTH_HMAC_SHA2_256_128, OAKLEY_SHA2_256, AUTH_ALGORITHM_HMAC_SHA2_256   },
+	{AUTH_HMAC_SHA2_384_192, OAKLEY_SHA2_384, AUTH_ALGORITHM_HMAC_SHA2_384   },
+	{AUTH_HMAC_SHA2_512_256, OAKLEY_SHA2_512, AUTH_ALGORITHM_HMAC_SHA2_512   },
+	{AUTH_AES_XCBC_96,       0,               AUTH_ALGORITHM_AES_XCBC_MAC    },
+	{AUTH_AES_128_GMAC,      0,               AUTH_ALGORITHM_AES_128_GMAC    },
+	{AUTH_AES_192_GMAC,      0,               AUTH_ALGORITHM_AES_192_GMAC    },
+	{AUTH_AES_256_GMAC,      0,               AUTH_ALGORITHM_AES_256_GMAC    },
+};
+
+
+/**
+ * Converts IKEv2 integrity to IKEv1 hash algorithm
+ */
+int oakley_from_integrity_algorithm(integrity_algorithm_t alg)
+{
+	int i;
+	for (i = 0; i < countof(auth_map); i++)
+	{
+		if (auth_map[i].alg == alg)
+		{
+			return auth_map[i].oakley;
+		}
 	}
+	return 0;
 }
 
 /**
@@ -626,29 +640,30 @@ int esp_from_encryption_algorithm(encryption_algorithm_t alg)
  */
 int esp_from_integrity_algorithm(integrity_algorithm_t alg)
 {
-	switch (alg)
+	int i;
+	for (i = 0; i < countof(auth_map); i++)
 	{
-		case AUTH_HMAC_MD5_96:
-			return AUTH_ALGORITHM_HMAC_MD5;
-		case AUTH_HMAC_SHA1_96:
-			return AUTH_ALGORITHM_HMAC_SHA1;
-		case AUTH_AES_XCBC_96:
-			return AUTH_ALGORITHM_AES_XCBC_MAC;
-		case AUTH_HMAC_SHA2_256_96:
-			return AUTH_ALGORITHM_HMAC_SHA2_256_96;
-		case AUTH_HMAC_SHA2_256_128:
-			return AUTH_ALGORITHM_HMAC_SHA2_256;
-		case AUTH_HMAC_SHA2_384_192:
-			return AUTH_ALGORITHM_HMAC_SHA2_384;
-		case AUTH_HMAC_SHA2_512_256:
-			return AUTH_ALGORITHM_HMAC_SHA2_512;
-		case AUTH_AES_128_GMAC:
-			return AUTH_ALGORITHM_AES_128_GMAC;
-		case AUTH_AES_192_GMAC:
-			return AUTH_ALGORITHM_AES_192_GMAC;
-		case AUTH_AES_256_GMAC:
-			return AUTH_ALGORITHM_AES_256_GMAC;
-		default:
-			return 0;
+		if (auth_map[i].alg == alg)
+		{
+			return auth_map[i].esp;
+		}
 	}
+	return 0;
 }
+
+/**
+ * Converts IKEv1 ESP authentication to IKEv2 integrity algorithm
+ */
+integrity_algorithm_t integrity_algorithm_from_esp(int esp)
+{
+	int i;
+	for (i = 0; i < countof(auth_map); i++)
+	{
+		if (auth_map[i].esp == esp)
+		{
+			return auth_map[i].alg;
+		}
+	}
+	return 0;
+}
+
diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h
index 019ba5764..16ad12780 100644
--- a/src/pluto/crypto.h
+++ b/src/pluto/crypto.h
@@ -1,4 +1,9 @@
 /* crypto interfaces
+ *
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 1998, 1999  D. Hugh Redelmeier.
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -54,4 +59,6 @@ extern int oakley_from_encryption_algorithm(encryption_algorithm_t alg);
 extern int oakley_from_integrity_algorithm(integrity_algorithm_t alg);
 extern int esp_from_encryption_algorithm(encryption_algorithm_t alg);
 extern int esp_from_integrity_algorithm(integrity_algorithm_t alg);
+extern encryption_algorithm_t encryption_algorithm_from_esp(int esp);
+extern integrity_algorithm_t integrity_algorithm_from_esp(int esp);
 
diff --git a/src/pluto/defs.h b/src/pluto/defs.h
index 8491f4ae8..532652e5b 100644
--- a/src/pluto/defs.h
+++ b/src/pluto/defs.h
@@ -21,12 +21,6 @@
 
 #include <chunk.h>
 
-#ifdef KLIPS
-# define USED_BY_KLIPS  /* ignore */
-#else
-# define USED_BY_KLIPS  UNUSED
-#endif
-
 #ifdef DEBUG
 # define USED_BY_DEBUG  /* ignore */
 #else
@@ -66,15 +60,6 @@ extern const char* check_expiry(time_t expiration_date,
 #define MAX_PROMPT_PASS_TRIALS  5
 #define PROMPT_PASS_LEN         64
 
-/* struct used to prompt for a secret passphrase
- * from a console with file descriptor fd
- */
-typedef struct {
-	char secret[PROMPT_PASS_LEN+1];
-	bool prompt;
-	int fd;
-} prompt_pass_t;
-
 /* filter eliminating the directory entries '.' and '..' */
 typedef struct dirent dirent_t;
 extern int file_select(const dirent_t *entry);
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 617353c6c..0590a3585 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -1782,7 +1782,7 @@ process_packet(struct msg_digest **mdp)
 		 * the last phase 1 block, not the last block sent.
 		 */
 		{
-			size_t crypter_block_size;
+			size_t crypter_block_size, crypter_iv_size;
 			encryption_algorithm_t enc_alg;
 			crypter_t *crypter;
 			chunk_t data, iv;
@@ -1791,6 +1791,7 @@ process_packet(struct msg_digest **mdp)
 			enc_alg = oakley_to_encryption_algorithm(st->st_oakley.encrypt);
 			crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len);
 			crypter_block_size = crypter->get_block_size(crypter);
+			crypter_iv_size = crypter->get_iv_size(crypter);
 
 			if (pbs_left(&md->message_pbs) % crypter_block_size != 0)
 			{
@@ -1817,17 +1818,17 @@ process_packet(struct msg_digest **mdp)
 			}
 
 			/* form iv by truncation */
-			st->st_new_iv_len = crypter_block_size;
+			st->st_new_iv_len = crypter_iv_size;
 			iv = chunk_create(st->st_new_iv, st->st_new_iv_len);
-			new_iv = alloca(crypter_block_size);
-			memcpy(new_iv, data.ptr + data.len - crypter_block_size,
-				   crypter_block_size);
+			new_iv = alloca(crypter_iv_size);
+			memcpy(new_iv, data.ptr + data.len - crypter_iv_size,
+				   crypter_iv_size);
 
 			crypter->set_key(crypter, st->st_enc_key);
 			crypter->decrypt(crypter, data, iv, NULL);
 			crypter->destroy(crypter);
 
-		memcpy(st->st_new_iv, new_iv, crypter_block_size);
+			memcpy(st->st_new_iv, new_iv, crypter_iv_size);
 			if (restore_iv)
 			{
 				memcpy(st->st_new_iv, new_iv, new_iv_len);
@@ -2307,7 +2308,7 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
 
 			/* tell whack and log of progress */
 			{
-				const char *story = state_story[st->st_state - STATE_MAIN_R0];
+				const char *story = state_story[st->st_state];
 				enum rc_type w = RC_NEW_STATE + st->st_state;
 				char sadetails[128];
 
diff --git a/src/pluto/event_queue.c b/src/pluto/event_queue.c
new file mode 100644
index 000000000..55d064f26
--- /dev/null
+++ b/src/pluto/event_queue.c
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <unistd.h>
+#include <fcntl.h>
+
+#include "event_queue.h"
+
+#include <debug.h>
+#include <threading/mutex.h>
+#include <utils/linked_list.h>
+
+typedef struct private_event_queue_t private_event_queue_t;
+
+/**
+ * Private data of event_queue_t class.
+ */
+struct private_event_queue_t {
+	/**
+	 * Public event_queue_t interface.
+	 */
+	event_queue_t public;
+
+	/**
+	 * List of queued events (event_t*).
+	 */
+	linked_list_t *events;
+
+	/**
+	 * Mutex for event list.
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * Read end of the notification pipe.
+	 */
+	int read_fd;
+
+	/**
+	 * Write end of the notification pipe.
+	 */
+	int write_fd;
+
+};
+
+typedef struct event_t event_t;
+
+struct event_t {
+	/**
+	 * Callback function.
+	 */
+	void (*callback)(void *data);
+
+	/**
+	 * Data to supply to the callback.
+	 */
+	void *data;
+
+	/**
+	 * Cleanup function.
+	 */
+	void (*cleanup)(void *data);
+};
+
+static event_t *event_create(void (*callback)(void *data), void *data,
+							 void (*cleanup)(void *data))
+{
+	event_t *this;
+	INIT(this,
+		.callback = callback,
+		.data = data,
+		.cleanup = cleanup,
+	);
+	return this;
+}
+
+static void event_destroy(event_t *this)
+{
+	if (this->cleanup)
+	{
+		this->cleanup(this->data);
+	}
+	free(this);
+}
+
+METHOD(event_queue_t, get_event_fd, int,
+	   private_event_queue_t *this)
+{
+	return this->read_fd;
+}
+
+METHOD(event_queue_t, handle, void,
+	   private_event_queue_t *this)
+{
+	char buf[10];
+	linked_list_t *events;
+	event_t *event;
+	this->mutex->lock(this->mutex);
+	/* flush pipe */
+	while (read(this->read_fd, &buf, sizeof(buf)) == sizeof(buf));
+	/* replace the list, so we can unlock the mutex while executing the jobs */
+	events = this->events;
+	this->events = linked_list_create();
+	this->mutex->unlock(this->mutex);
+
+	while (events->remove_first(events, (void**)&event) == SUCCESS)
+	{
+		event->callback(event->data);
+		event_destroy(event);
+	}
+	events->destroy(events);
+}
+
+METHOD(event_queue_t, queue, void,
+	   private_event_queue_t *this, void (*callback)(void *data), void *data,
+	   void (*cleanup)(void *data))
+{
+	event_t *event = event_create(callback, data, cleanup);
+	char c = 0;
+	this->mutex->lock(this->mutex);
+	this->events->insert_last(this->events, event);
+	ignore_result(write(this->write_fd, &c, 1));
+	this->mutex->unlock(this->mutex);
+}
+
+METHOD(event_queue_t, destroy, void,
+	   private_event_queue_t *this)
+{
+	this->mutex->lock(this->mutex);
+	this->events->destroy_function(this->events, (void*)event_destroy);
+	this->mutex->unlock(this->mutex);
+	this->mutex->destroy(this->mutex);
+	close(this->read_fd);
+	close(this->write_fd);
+	free(this);
+}
+
+bool set_nonblock(int socket)
+{
+	int flags = fcntl(socket, F_GETFL);
+	return flags != -1 && fcntl(socket, F_SETFL, flags | O_NONBLOCK) != -1;
+}
+
+bool set_cloexec(int socket)
+{
+	int flags = fcntl(socket, F_GETFD);
+	return flags != -1 && fcntl(socket, F_SETFD, flags | FD_CLOEXEC) != -1;
+}
+
+/*
+ * Described in header.
+ */
+event_queue_t *event_queue_create()
+{
+	private_event_queue_t *this;
+	int fd[2];
+
+	INIT(this,
+		.public = {
+			.get_event_fd = _get_event_fd,
+			.handle = _handle,
+			.queue = _queue,
+			.destroy = _destroy,
+		},
+		.events = linked_list_create(),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	if (pipe(fd) == -1 ||
+		!set_nonblock(fd[0]) || !set_cloexec(fd[0]) ||
+		!set_nonblock(fd[1]) || !set_cloexec(fd[1]))
+	{
+		DBG1(DBG_JOB, "failed to create pipe for job queue");
+		_destroy(this);
+		return NULL;
+	}
+
+	this->read_fd = fd[0];
+	this->write_fd = fd[1];
+
+	return &this->public;
+}
+
diff --git a/src/pluto/event_queue.h b/src/pluto/event_queue.h
new file mode 100644
index 000000000..343729e25
--- /dev/null
+++ b/src/pluto/event_queue.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup event_queue event_queue
+ * @{ @ingroup pluto
+ */
+
+#ifndef EVENT_QUEUE_H_
+#define EVENT_QUEUE_H_
+
+typedef struct event_queue_t event_queue_t;
+
+/**
+ * The event queue facility can be used to synchronize thread-pool threads
+ * with the pluto main thread.  That is, all queued callbacks are executed
+ * asynchronously by the pluto main thread.
+ */
+struct event_queue_t {
+
+	/**
+	 * Returns the file descriptor used to notify the main thread.
+	 *
+	 * @return				fd to use in the main thread
+	 */
+	int (*get_event_fd) (event_queue_t *this);
+
+	/**
+	 * Handle all queued events.
+	 */
+	void (*handle) (event_queue_t *this);
+
+	/**
+	 * Add an event to the queue.
+	 *
+	 * @param callback		callback function to add to the queue
+	 * @param data			data supplied to the callback function
+	 * @param cleanup		optional cleanup function
+	 */
+	void (*queue) (event_queue_t *this, void (*callback)(void *data),
+				   void *data, void (*cleanup)(void *data));
+
+	/**
+	 * Destroy this instance.
+	 */
+	void (*destroy) (event_queue_t *this);
+
+};
+
+/**
+ * Create the event queue.
+ *
+ * @return					created object
+ */
+event_queue_t *event_queue_create();
+
+#endif /** EVENT_QUEUE_H_ @}*/
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index 7521dd33b..08353907e 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -194,18 +194,16 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
 
 		if (policy & POLICY_PUBKEY)
 		{
-			int auth_method = 0;
-			size_t key_size = 0;
+			int auth_method = 0, key_size = 0;
 			key_type_t key_type = KEY_ANY;
 
-
 			if (c->spd.this.cert)
 			{
 				certificate_t *certificate = c->spd.this.cert->cert;
 				public_key_t *key = certificate->get_public_key(certificate);
 
 				if (key == NULL)
-				{				
+				{
 					plog("ike alg: unable to retrieve my public key");
 					continue;
 				}
@@ -233,13 +231,13 @@ struct db_context *ike_alg_db_new(connection_t *c, lset_t policy)
 				case KEY_ECDSA:
 					switch (key_size)
 					{
-						case 32:
+						case 256:
 							auth_method = OAKLEY_ECDSA_256;
 							break;
-						case 48:
+						case 384:
 							auth_method = OAKLEY_ECDSA_384;
 							break;
-						case 66:
+						case 521:
 							auth_method = OAKLEY_ECDSA_521;
 							break;
 						default:
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 4a6a7c872..7ec547b0c 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -1753,7 +1753,7 @@ bool encrypt_message(pb_stream *pbs, struct state *st)
 	size_t enc_len = pbs_offset(pbs) - sizeof(struct isakmp_hdr);
 	chunk_t data, iv;
     char *new_iv;
-	size_t crypter_block_size;
+	size_t crypter_block_size, crypter_iv_size;
 	encryption_algorithm_t enc_alg;
 	crypter_t *crypter;
 
@@ -1761,6 +1761,7 @@ bool encrypt_message(pb_stream *pbs, struct state *st)
 	enc_alg = oakley_to_encryption_algorithm(st->st_oakley.encrypt);
 	crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, st->st_enc_key.len);
 	crypter_block_size = crypter->get_block_size(crypter);
+	crypter_iv_size = crypter->get_iv_size(crypter);
 
 	/* Pad up to multiple of encryption blocksize.
 	 * See the description associated with the definition of
@@ -1781,15 +1782,15 @@ bool encrypt_message(pb_stream *pbs, struct state *st)
 	data = chunk_create(enc_start, enc_len);
 
 	/* form iv by truncation */
-	st->st_new_iv_len = crypter_block_size;
+	st->st_new_iv_len = crypter_iv_size;
 	iv = chunk_create(st->st_new_iv, st->st_new_iv_len);
 
 	crypter->set_key(crypter, st->st_enc_key);
 	crypter->encrypt(crypter, data, iv, NULL);
 	crypter->destroy(crypter);
 
-	new_iv = data.ptr + data.len - crypter_block_size;
-	memcpy(st->st_new_iv, new_iv, crypter_block_size);
+	new_iv = data.ptr + data.len - crypter_iv_size;
+	memcpy(st->st_new_iv, new_iv, crypter_iv_size);
 	update_iv(st);
 	DBG_cond_dump(DBG_CRYPT, "next IV:", st->st_iv, st->st_iv_len);
 	close_message(pbs);
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index dd7ed8893..e57822ffb 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1,7 +1,11 @@
 /* routines that interface with the kernel's IPsec mechanism
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 1998-2002  D. Hugh Redelmeier
+ * Copyright (C) 1997 Angelos D. Keromytis
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -32,16 +36,16 @@
 #include <freeswan.h>
 
 #include <library.h>
+#include <hydra.h>
 #include <crypto/rngs/rng.h>
+#include <kernel/kernel_listener.h>
 
-#ifdef KLIPS
 #include <signal.h>
 #include <sys/time.h>   /* for select(2) */
 #include <sys/types.h>  /* for select(2) */
 #include <pfkeyv2.h>
 #include <pfkey.h>
 #include "kameipsec.h"
-#endif /* KLIPS */
 
 #include "constants.h"
 #include "defs.h"
@@ -49,28 +53,21 @@
 #include "state.h"
 #include "timer.h"
 #include "kernel.h"
-#include "kernel_netlink.h"
 #include "kernel_pfkey.h"
-#include "kernel_noklips.h"
 #include "log.h"
 #include "ca.h"
 #include "server.h"
 #include "whack.h"      /* for RC_LOG_SERIOUS */
 #include "keys.h"
+#include "crypto.h"
 #include "nat_traversal.h"
 #include "alg_info.h"
 #include "kernel_alg.h"
+#include "pluto.h"
 
 
 bool can_do_IPcomp = TRUE;  /* can system actually perform IPCOMP? */
 
-/* How far can IPsec messages arrive out of order before the anti-replay
- * logic loses track and swats them?  64 is the best KLIPS can do.
- * And 32 is the best XFRM can do...
- */
-#define REPLAY_WINDOW   64
-#define REPLAY_WINDOW_XFRM      32
-
 /* test if the routes required for two different connections agree
  * It is assumed that the destination subnets agree; we are only
  * testing that the interfaces and nexthops match.
@@ -78,282 +75,115 @@ bool can_do_IPcomp = TRUE;  /* can system actually perform IPCOMP? */
 #define routes_agree(c, d) ((c)->interface == (d)->interface \
 		&& sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
 
-#ifndef KLIPS
-
-bool no_klips = TRUE;   /* don't actually use KLIPS */
-
-#else /* !KLIPS */
-
-/* bare (connectionless) shunt (eroute) table
- *
- * Bare shunts are those that don't "belong" to a connection.
- * This happens because some %trapped traffic hasn't yet or cannot be
- * assigned to a connection.  The usual reason is that we cannot discover
- * the peer SG.  Another is that even when the peer has been discovered,
- * it may be that no connection matches all the particulars.
- * We record them so that, with scanning, we can discover
- * which %holds are news and which others should expire.
- */
+/* forward declaration */
+static bool shunt_eroute(connection_t *c, struct spd_route *sr,
+						 enum routing_t rt_kind, unsigned int op,
+						 const char *opname);
 
-#define SHUNT_SCAN_INTERVAL     (60 * 2)   /* time between scans of eroutes */
+static void set_text_said(char *text_said, const ip_address *dst,
+						  ipsec_spi_t spi, int proto);
 
-/* SHUNT_PATIENCE only has resolution down to a multiple of the sample rate,
- * SHUNT_SCAN_INTERVAL.
- * By making SHUNT_PATIENCE an odd multiple of half of SHUNT_SCAN_INTERVAL,
- * we minimize the effects of jitter.
+/**
+ * Default IPsec SA config (e.g. to install trap policies).
  */
-#define SHUNT_PATIENCE  (SHUNT_SCAN_INTERVAL * 15 / 2)  /* inactivity timeout */
-
-struct bare_shunt {
-	policy_prio_t policy_prio;
-	ip_subnet ours;
-	ip_subnet his;
-	ip_said said;
-	int transport_proto;
-	unsigned long count;
-	time_t last_activity;
-	char *why;
-	struct bare_shunt *next;
+static ipsec_sa_cfg_t null_ipsec_sa = {
+	.mode = MODE_TRANSPORT,
+	.esp = {
+		.use = TRUE,
+	},
 };
 
-static struct bare_shunt *bare_shunts = NULL;
-
-#ifdef DEBUG
-static void DBG_bare_shunt(const char *op, const struct bare_shunt *bs)
+/**
+ * Helper function that converts an ip_subnet to a traffic_selector_t.
+ */
+static traffic_selector_t *traffic_selector_from_subnet(const ip_subnet *client,
+														const u_int8_t proto)
 {
-	DBG(DBG_KLIPS,
-		{
-			int ourport = ntohs(portof(&(bs)->ours.addr));
-			int hisport = ntohs(portof(&(bs)->his.addr));
-			char ourst[SUBNETTOT_BUF];
-			char hist[SUBNETTOT_BUF];
-			char sat[SATOT_BUF];
-			char prio[POLICY_PRIO_BUF];
-
-			subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
-			subnettot(&(bs)->his, 0, hist, sizeof(hist));
-			satot(&(bs)->said, 0, sat, sizeof(sat));
-			fmt_policy_prio(bs->policy_prio, prio);
-			DBG_log("%s bare shunt %p %s:%d -> %s:%d => %s:%d %s    %s"
-				, op, (const void *)(bs), ourst, ourport, hist, hisport
-				, sat, (bs)->transport_proto, prio, (bs)->why);
-		});
+	traffic_selector_t *ts;
+	host_t *net;
+	net = host_create_from_sockaddr((sockaddr_t*)&client->addr);
+	ts = traffic_selector_create_from_subnet(net, client->maskbits, proto,
+											 net->get_port(net));
+	return ts;
 }
-#else /* !DEBUG */
-#define DBG_bare_shunt(op, bs) {}
-#endif /* !DEBUG */
 
-/* The orphaned_holds table records %holds for which we
- * scan_proc_shunts found no representation of in any connection.
- * The corresponding ACQUIRE message might have been lost.
+/**
+ * Helper function that converts a traffic_selector_t to an ip_subnet.
  */
-struct eroute_info *orphaned_holds = NULL;
-
-/* forward declaration */
-static bool shunt_eroute(connection_t *c, struct spd_route *sr,
-						 enum routing_t rt_kind, unsigned int op,
-						 const char *opname);
-
-static void set_text_said(char *text_said, const ip_address *dst,
-						  ipsec_spi_t spi, int proto);
-
-bool no_klips = FALSE;  /* don't actually use KLIPS */
+static ip_subnet subnet_from_traffic_selector(traffic_selector_t *ts)
+{
+	ip_subnet subnet;
+	host_t *net;
+	u_int8_t mask;
+	ts->to_subnet(ts, &net, &mask);
+	subnet.addr = *(ip_address*)net->get_sockaddr(net);
+	subnet.maskbits = mask;
+	net->destroy(net);
+	return subnet;
+}
 
-static const struct pfkey_proto_info null_proto_info[2] = {
-		{
-				proto: IPPROTO_ESP,
-				encapsulation: ENCAPSULATION_MODE_TRANSPORT,
-				reqid: 0
-		},
-		{
-				proto: 0,
-				encapsulation: 0,
-				reqid: 0
-		}
-};
 
 void record_and_initiate_opportunistic(const ip_subnet *ours,
 									   const ip_subnet *his,
 									   int transport_proto, const char *why)
 {
+	ip_address src, dst;
 	passert(samesubnettype(ours, his));
 
-	/* Add to bare shunt list.
-	 * We need to do this because the shunt was installed by KLIPS
-	 * which can't do this itself.
-	 */
-	{
-		struct bare_shunt *bs = malloc_thing(struct bare_shunt);
-
-		bs->why = clone_str(why);
-		bs->ours = *ours;
-		bs->his = *his;
-		bs->transport_proto = transport_proto;
-		bs->policy_prio = BOTTOM_PRIO;
-
-		bs->said.proto = SA_INT;
-		bs->said.spi = htonl(SPI_HOLD);
-		bs->said.dst = *aftoinfo(subnettypeof(ours))->any;
-
-		bs->count = 0;
-		bs->last_activity = now();
-
-		bs->next = bare_shunts;
-		bare_shunts = bs;
-		DBG_bare_shunt("add", bs);
-	}
-
 	/* actually initiate opportunism */
-	{
-		ip_address src, dst;
-
-		networkof(ours, &src);
-		networkof(his, &dst);
-		initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
-	}
-
-	/* if present, remove from orphaned_holds list.
-	 * NOTE: we do this last in case ours or his is a pointer into a member.
-	 */
-	{
-		struct eroute_info **pp, *p;
-
-		for (pp = &orphaned_holds; (p = *pp) != NULL; pp = &p->next)
-		{
-			if (samesubnet(ours, &p->ours)
-			&& samesubnet(his, &p->his)
-			&& transport_proto == p->transport_proto
-			&& portof(&ours->addr) == portof(&p->ours.addr)
-			&& portof(&his->addr) == portof(&p->his.addr))
-			{
-				*pp = p->next;
-				free(p);
-				break;
-			}
-		}
-	}
-}
-
-#endif /* KLIPS */
-
-static unsigned get_proto_reqid(unsigned base, int proto)
-{
-	switch (proto)
-	{
-	default:
-	case IPPROTO_COMP:
-		base++;
-		/* fall through */
-	case IPPROTO_ESP:
-		base++;
-		/* fall through */
-	case IPPROTO_AH:
-		break;
-	}
-
-	return base;
+	networkof(ours, &src);
+	networkof(his, &dst);
+	initiate_opportunistic(&src, &dst, transport_proto, TRUE, NULL_FD);
 }
 
 /* Generate Unique SPI numbers.
  *
- * The specs say that the number must not be less than IPSEC_DOI_SPI_MIN.
- * Pluto generates numbers not less than IPSEC_DOI_SPI_OUR_MIN,
- * reserving numbers in between for manual keying (but we cannot so
- * restrict numbers generated by our peer).
- * XXX This should be replaced by a call to the kernel when
- * XXX we get an API.
  * The returned SPI is in network byte order.
- * We use a random number as the initial SPI so that there is
- * a good chance that different Pluto instances will choose
- * different SPIs.  This is good for two reasons.
- * - the keying material for the initiator and responder only
- *   differs if the SPIs differ.
- * - if Pluto is restarted, it would otherwise recycle the SPI
- *   numbers and confuse everything.  When the kernel generates
- *   SPIs, this will no longer matter.
- * We then allocate numbers sequentially.  Thus we don't have to
- * check if the number was previously used (assuming that no
- * SPI lives longer than 4G of its successors).
  */
 ipsec_spi_t get_ipsec_spi(ipsec_spi_t avoid, int proto, struct spd_route *sr,
 						  bool tunnel)
 {
-	static ipsec_spi_t spi = 0; /* host order, so not returned directly! */
-	char text_said[SATOT_BUF];
-	rng_t *rng;
+	host_t *host_src, *host_dst;
+	u_int32_t spi;
 
-	set_text_said(text_said, &sr->this.host_addr, 0, proto);
+	host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr);
 
-	if (kernel_ops->get_spi)
+	if (hydra->kernel_interface->get_spi(hydra->kernel_interface, host_src,
+								host_dst, proto, sr->reqid, &spi) != SUCCESS)
 	{
-		return kernel_ops->get_spi(&sr->that.host_addr
-			, &sr->this.host_addr, proto, tunnel
-			, get_proto_reqid(sr->reqid, proto)
-			, IPSEC_DOI_SPI_OUR_MIN, 0xffffffff
-			, text_said);
+		spi = 0;
 	}
 
-	spi++;
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	while (spi < IPSEC_DOI_SPI_OUR_MIN || spi == ntohl(avoid))
-	{
-		rng->get_bytes(rng, sizeof(spi), (u_char *)&spi);
-	}
-	rng->destroy(rng);
-	DBG(DBG_CONTROL,
-		{
-			ipsec_spi_t spi_net = htonl(spi);
-
-			DBG_dump("generate SPI:", (u_char *)&spi_net, sizeof(spi_net));
-		});
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
 
-	return htonl(spi);
+	return spi;
 }
 
 /* Generate Unique CPI numbers.
  * The result is returned as an SPI (4 bytes) in network order!
  * The real bits are in the nework-low-order 2 bytes.
- * Modelled on get_ipsec_spi, but range is more limited:
- * 256-61439.
- * If we can't find one easily, return 0 (a bad SPI,
- * no matter what order) indicating failure.
  */
 ipsec_spi_t get_my_cpi(struct spd_route *sr, bool tunnel)
 {
-	static cpi_t first_busy_cpi = 0, latest_cpi;
-	char text_said[SATOT_BUF];
-	rng_t *rng;
+	host_t *host_src, *host_dst;
+	u_int16_t cpi;
 
-	set_text_said(text_said, &sr->this.host_addr, 0, IPPROTO_COMP);
+	host_src = host_create_from_sockaddr((sockaddr_t*)&sr->that.host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&sr->this.host_addr);
 
-	if (kernel_ops->get_spi)
-	{
-		return kernel_ops->get_spi(&sr->that.host_addr
-			, &sr->this.host_addr, IPPROTO_COMP, tunnel
-			, get_proto_reqid(sr->reqid, IPPROTO_COMP)
-			, IPCOMP_FIRST_NEGOTIATED, IPCOMP_LAST_NEGOTIATED
-			, text_said);
-	}
+	if (hydra->kernel_interface->get_cpi(hydra->kernel_interface, host_src,
+										 host_dst, sr->reqid, &cpi) != SUCCESS)
 
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	while (!(IPCOMP_FIRST_NEGOTIATED <= first_busy_cpi && first_busy_cpi < IPCOMP_LAST_NEGOTIATED))
 	{
-		rng->get_bytes(rng, sizeof(first_busy_cpi), (u_char *)&first_busy_cpi);
-		latest_cpi = first_busy_cpi;
+		cpi = 0;
 	}
-	rng->destroy(rng);
 
-	latest_cpi++;
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
 
-	if (latest_cpi == first_busy_cpi)
-	{
-		find_my_cpi_gap(&latest_cpi, &first_busy_cpi);
-	}
-	if (latest_cpi > IPCOMP_LAST_NEGOTIATED)
-	{
-		latest_cpi = IPCOMP_FIRST_NEGOTIATED;
-	}
-	return htonl((ipsec_spi_t)latest_cpi);
+	return htonl((u_int32_t)ntohs(cpi));
 }
 
 /* Replace the shell metacharacters ', \, ", `, and $ in a character string
@@ -420,7 +250,7 @@ static void escape_metachar(const char *src, char *dst, size_t dstlen)
 # define DEFAULT_UPDOWN "ipsec _updown"
 #endif
 
-static bool do_command(connection_t *c, struct spd_route *sr,
+static bool do_command(connection_t *c, struct spd_route *sr, struct state *st,
 					   const char *verb)
 {
 	char cmd[1536];     /* arbitrary limit on shell command length */
@@ -464,6 +294,9 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			peerclientnet_str[ADDRTOT_BUF],
 			peerclientmask_str[ADDRTOT_BUF],
 			peerca_str[BUF_LEN],
+			mark_in[BUF_LEN] = "",
+			mark_out[BUF_LEN] = "",
+			udp_encap[BUF_LEN] = "",
 			xauth_id_str[BUF_LEN] = "",
 			secure_myid_str[BUF_LEN] = "",
 			secure_peerid_str[BUF_LEN] = "",
@@ -491,11 +324,29 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 
 			strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
 			n = srcip_str + strlen(srcip_str);
-			snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H", 
+			snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H",
 						sr->this.host_srcip);
 			strncat(srcip_str, "' ", sizeof(srcip_str));
 		}
 
+		if (sr->mark_in.value)
+		{
+			snprintf(mark_in, sizeof(mark_in), "PLUTO_MARK_IN='%u/0x%08x' ",
+					 sr->mark_in.value, sr->mark_in.mask);
+		}
+
+		if (sr->mark_out.value)
+		{
+			snprintf(mark_out, sizeof(mark_out), "PLUTO_MARK_OUT='%u/0x%08x' ",
+					 sr->mark_out.value, sr->mark_out.mask);
+		}
+
+		if (st && (st->nat_traversal & NAT_T_DETECTED))
+		{
+			snprintf(udp_encap, sizeof(udp_encap), "PLUTO_UDP_ENC='%u' ",
+					 sr->that.host_port);
+		}
+
 		addrtot(&sr->this.host_addr, 0, me_str, sizeof(me_str));
 		snprintf(myid_str, sizeof(myid_str), "%Y", sr->this.id);
 		escape_metachar(myid_str, secure_myid_str, sizeof(secure_myid_str));
@@ -536,7 +387,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			{
 				if (key->issuer)
 				{
-					snprintf(peerca_str, BUF_LEN, "%Y", key->issuer);	
+					snprintf(peerca_str, BUF_LEN, "%Y", key->issuer);
 					escape_metachar(peerca_str, secure_peerca_str, BUF_LEN);
 				}
 				else
@@ -573,13 +424,16 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			"PLUTO_PEER_CA='%s' "
 			"%s"        /* optional PLUTO_MY_SRCIP */
 			"%s"        /* optional PLUTO_XAUTH_ID */
+			"%s"        /* optional PLUTO_MARK_IN */
+			"%s"        /* optional PLUTO_MARK_OUT */
+			"%s"        /* optional PLUTO_UDP_ENC */
 			"%s"        /* actual script */
 			, verb, verb_suffix
 			, c->name
 			, nexthop_str
 			, c->interface->vname
 			, sr->this.hostaccess? "PLUTO_HOST_ACCESS='1' " : ""
-			, sr->reqid + 1     /* ESP requid */
+			, sr->reqid
 			, me_str
 			, secure_myid_str
 			, myclient_str
@@ -597,6 +451,9 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			, secure_peerca_str
 			, srcip_str
 			, xauth_id_str
+			, mark_in
+			, mark_out
+			, udp_encap
 			, sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
 		{
 			loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
@@ -607,88 +464,83 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 	DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
 		, verb, verb_suffix, cmd));
 
-#ifdef KLIPS
-	if (!no_klips)
+	/* invoke the script, catching stderr and stdout
+	 * It may be of concern that some file descriptors will
+	 * be inherited.  For the ones under our control, we
+	 * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
+	 * Any used by library routines (perhaps the resolver or syslog)
+	 * will remain.
+	 */
+	FILE *f = popen(cmd, "r");
+
+	if (f == NULL)
 	{
-		/* invoke the script, catching stderr and stdout
-		 * It may be of concern that some file descriptors will
-		 * be inherited.  For the ones under our control, we
-		 * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this.
-		 * Any used by library routines (perhaps the resolver or syslog)
-		 * will remain.
-		 */
-		FILE *f = popen(cmd, "r");
+		loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
+		return FALSE;
+	}
 
-		if (f == NULL)
-		{
-			loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix);
-			return FALSE;
-		}
+	/* log any output */
+	for (;;)
+	{
+		/* if response doesn't fit in this buffer, it will be folded */
+		char resp[256];
 
-		/* log any output */
-		for (;;)
+		if (fgets(resp, sizeof(resp), f) == NULL)
 		{
-			/* if response doesn't fit in this buffer, it will be folded */
-			char resp[256];
-
-			if (fgets(resp, sizeof(resp), f) == NULL)
+			if (ferror(f))
 			{
-				if (ferror(f))
-				{
-					log_errno((e, "fgets failed on output of %s%s command"
-						, verb, verb_suffix));
-					return FALSE;
-				}
-				else
-				{
-					passert(feof(f));
-					break;
-				}
+				log_errno((e, "fgets failed on output of %s%s command"
+					, verb, verb_suffix));
+				return FALSE;
 			}
 			else
 			{
-				char *e = resp + strlen(resp);
-
-				if (e > resp && e[-1] == '\n')
-					e[-1] = '\0';       /* trim trailing '\n' */
-				plog("%s%s output: %s", verb, verb_suffix, resp);
+				passert(feof(f));
+				break;
 			}
 		}
-
-		/* report on and react to return code */
+		else
 		{
-			int r = pclose(f);
+			char *e = resp + strlen(resp);
 
-			if (r == -1)
-			{
-				log_errno((e, "pclose failed for %s%s command"
-					, verb, verb_suffix));
-				return FALSE;
-			}
-			else if (WIFEXITED(r))
-			{
-				if (WEXITSTATUS(r) != 0)
-				{
-					loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
-						, verb, verb_suffix, WEXITSTATUS(r));
-					return FALSE;
-				}
-			}
-			else if (WIFSIGNALED(r))
-			{
-				loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
-					, verb, verb_suffix, WTERMSIG(r));
-				return FALSE;
-			}
-			else
+			if (e > resp && e[-1] == '\n')
+				e[-1] = '\0';       /* trim trailing '\n' */
+			plog("%s%s output: %s", verb, verb_suffix, resp);
+		}
+	}
+
+	/* report on and react to return code */
+	{
+		int r = pclose(f);
+
+		if (r == -1)
+		{
+			log_errno((e, "pclose failed for %s%s command"
+				, verb, verb_suffix));
+			return FALSE;
+		}
+		else if (WIFEXITED(r))
+		{
+			if (WEXITSTATUS(r) != 0)
 			{
-				loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
-					, verb, verb_suffix, r);
+				loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d"
+					, verb, verb_suffix, WEXITSTATUS(r));
 				return FALSE;
 			}
 		}
+		else if (WIFSIGNALED(r))
+		{
+			loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d"
+				, verb, verb_suffix, WTERMSIG(r));
+			return FALSE;
+		}
+		else
+		{
+			loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d"
+				, verb, verb_suffix, r);
+			return FALSE;
+		}
 	}
-#endif /* KLIPS */
 	return TRUE;
 }
 
@@ -731,10 +583,9 @@ static enum routability could_route(connection_t *c)
 	}
 
 	/* if routing would affect IKE messages, reject */
-	if (!no_klips
-	&& c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
-	&& c->spd.this.host_port != IKE_UDP_PORT
-	&& addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
+	if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
+	 && c->spd.this.host_port != IKE_UDP_PORT
+	 && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
 	{
 		loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client");
 		return route_impossible;
@@ -754,7 +605,6 @@ static enum routability could_route(connection_t *c)
 									 using the eroute */
 	}
 
-#ifdef KLIPS
 	/* if there is an eroute for another connection, there is a problem */
 	if (ero != NULL && ero != c)
 	{
@@ -838,10 +688,9 @@ static enum routability could_route(connection_t *c)
 			loglog(RC_LOG_SERIOUS
 				, "cannot install eroute -- it is in use for \"%s\"%s #%lu"
 				, ero->name, inst, esr->eroute_owner);
-			return FALSE;       /* another connection already using the eroute */
+			return route_impossible;
 		}
 	}
-#endif /* KLIPS */
 	return route_easy;
 }
 
@@ -886,9 +735,7 @@ void unroute_connection(connection_t *c)
 		{
 			/* cannot handle a live one */
 			passert(sr->routing != RT_ROUTED_TUNNEL);
-#ifdef KLIPS
 			shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
-#endif
 		}
 
 		sr->routing = RT_UNROUTED;  /* do now so route_owner won't find us */
@@ -896,14 +743,12 @@ void unroute_connection(connection_t *c)
 		/* only unroute if no other connection shares it */
 		if (routed(cr) && route_owner(c, NULL, NULL, NULL) == NULL)
 		{
-			(void) do_command(c, sr, "unroute");
+			(void) do_command(c, sr, NULL, "unroute");
 		}
 	}
 }
 
 
-#ifdef KLIPS
-
 static void set_text_said(char *text_said, const ip_address *dst,
 						  ipsec_spi_t spi, int proto)
 {
@@ -913,99 +758,36 @@ static void set_text_said(char *text_said, const ip_address *dst,
 	satot(&said, 0, text_said, SATOT_BUF);
 }
 
-/* find an entry in the bare_shunt table.
- * Trick: return a pointer to the pointer to the entry;
- * this allows the entry to be deleted.
- */
-static struct bare_shunt** bare_shunt_ptr(const ip_subnet *ours,
-										  const ip_subnet *his,
-										  int transport_proto)
-{
-	struct bare_shunt *p, **pp;
 
-	for (pp = &bare_shunts; (p = *pp) != NULL; pp = &p->next)
-	{
-		if (samesubnet(ours, &p->ours)
-		&& samesubnet(his, &p->his)
-		&& transport_proto == p->transport_proto
-		&& portof(&ours->addr) == portof(&p->ours.addr)
-		&& portof(&his->addr) == portof(&p->his.addr))
-			return pp;
-	}
-	return NULL;
-}
-
-/* free a bare_shunt entry, given a pointer to the pointer */
-static void free_bare_shunt(struct bare_shunt **pp)
-{
-	if (pp == NULL)
-	{
-		DBG(DBG_CONTROL,
-			DBG_log("delete bare shunt: null pointer")
-		)
-	}
-	else
-	{
-		struct bare_shunt *p = *pp;
-
-		*pp = p->next;
-		DBG_bare_shunt("delete", p);
-		free(p->why);
-		free(p);
-	}
-}
-
-void
-show_shunt_status(void)
-{
-	struct bare_shunt *bs;
-
-	for (bs = bare_shunts; bs != NULL; bs = bs->next)
-	{
-		/* Print interesting fields.  Ignore count and last_active. */
-
-		int ourport = ntohs(portof(&bs->ours.addr));
-		int hisport = ntohs(portof(&bs->his.addr));
-		char ourst[SUBNETTOT_BUF];
-		char hist[SUBNETTOT_BUF];
-		char sat[SATOT_BUF];
-		char prio[POLICY_PRIO_BUF];
-
-		subnettot(&(bs)->ours, 0, ourst, sizeof(ourst));
-		subnettot(&(bs)->his, 0, hist, sizeof(hist));
-		satot(&(bs)->said, 0, sat, sizeof(sat));
-		fmt_policy_prio(bs->policy_prio, prio);
-
-		whack_log(RC_COMMENT, "%s:%d -> %s:%d => %s:%d %s    %s"
-			, ourst, ourport, hist, hisport, sat, bs->transport_proto
-			, prio, bs->why);
-	}
-	if (bare_shunts != NULL)
-		whack_log(RC_COMMENT, BLANK_FORMAT);    /* spacer */
-}
-
-/* Setup an IPsec route entry.
+/**
+ * Setup an IPsec route entry.
  * op is one of the ERO_* operators.
  */
-
 static bool raw_eroute(const ip_address *this_host,
 					   const ip_subnet *this_client,
 					   const ip_address *that_host,
 					   const ip_subnet *that_client,
+					   mark_t mark,
 					   ipsec_spi_t spi,
 					   unsigned int proto,
 					   unsigned int satype,
 					   unsigned int transport_proto,
-					   const struct pfkey_proto_info *proto_info,
-					   time_t use_lifetime,
+					   ipsec_sa_cfg_t *sa,
 					   unsigned int op,
 					   const char *opname USED_BY_DEBUG)
 {
+	traffic_selector_t *ts_src, *ts_dst;
+	host_t *host_src, *host_dst;
+	policy_type_t type = POLICY_IPSEC;
+	policy_dir_t dir = POLICY_OUT;
 	char text_said[SATOT_BUF];
+	bool ok = TRUE, routed = FALSE,
+		 deleting = (op & ERO_MASK) == ERO_DELETE,
+		 replacing = op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT);
 
 	set_text_said(text_said, that_host, spi, proto);
 
-	DBG(DBG_CONTROL | DBG_KLIPS,
+	DBG(DBG_CONTROL | DBG_KERNEL,
 		{
 			int sport = ntohs(portof(&this_client->addr));
 			int dport = ntohs(portof(&that_client->addr));
@@ -1019,104 +801,86 @@ static bool raw_eroute(const ip_address *this_host,
 				, text_said, transport_proto);
 		});
 
-	return kernel_ops->raw_eroute(this_host, this_client
-		, that_host, that_client, spi, satype, transport_proto, proto_info
-		, use_lifetime, op, text_said);
-}
-
-/* test to see if %hold remains */
-bool has_bare_hold(const ip_address *src, const ip_address *dst,
-				   int transport_proto)
-{
-	ip_subnet this_client, that_client;
-	struct bare_shunt **bspp;
-
-	passert(addrtypeof(src) == addrtypeof(dst));
-	happy(addrtosubnet(src, &this_client));
-	happy(addrtosubnet(dst, &that_client));
-	bspp = bare_shunt_ptr(&this_client, &that_client, transport_proto);
-	return bspp != NULL
-		&& (*bspp)->said.proto == SA_INT && (*bspp)->said.spi == htonl(SPI_HOLD);
-}
+	if (satype == SADB_X_SATYPE_INT)
+	{
+		switch (ntohl(spi))
+		{
+			case SPI_PASS:
+				type = POLICY_PASS;
+				break;
+			case SPI_DROP:
+			case SPI_REJECT:
+				type = POLICY_DROP;
+				break;
+			case SPI_TRAP:
+			case SPI_TRAPSUBNET:
+			case SPI_HOLD:
+				if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+				{
+					return TRUE;
+				}
+				routed = TRUE;
+				break;
+		}
+	}
 
+	if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
+	{
+		dir = POLICY_IN;
+	}
 
-/* Replace (or delete) a shunt that is in the bare_shunts table.
- * Issues the PF_KEY commands and updates the bare_shunts table.
- */
-bool replace_bare_shunt(const ip_address *src, const ip_address *dst,
-						policy_prio_t policy_prio, ipsec_spi_t shunt_spi,
-						bool repl, unsigned int transport_proto, const char *why)
-{
-	ip_subnet this_client, that_client;
-	ip_subnet this_broad_client, that_broad_client;
-	const ip_address *null_host = aftoinfo(addrtypeof(src))->any;
+	host_src = host_create_from_sockaddr((sockaddr_t*)this_host);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)that_host);
+	ts_src = traffic_selector_from_subnet(this_client, transport_proto);
+	ts_dst = traffic_selector_from_subnet(that_client, transport_proto);
 
-	passert(addrtypeof(src) == addrtypeof(dst));
-	happy(addrtosubnet(src, &this_client));
-	happy(addrtosubnet(dst, &that_client));
-	this_broad_client = this_client;
-	that_broad_client = that_client;
-	setportof(0, &this_broad_client.addr);
-	setportof(0, &that_broad_client.addr);
+	if (deleting || replacing)
+	{
+		hydra->kernel_interface->del_policy(hydra->kernel_interface,
+						ts_src, ts_dst, dir, mark, routed);
+	}
 
-	if (repl)
+	if (!deleting)
 	{
-		struct bare_shunt **bs_pp = bare_shunt_ptr(&this_broad_client
-												 , &that_broad_client, 0);
+		ok = hydra->kernel_interface->add_policy(hydra->kernel_interface,
+						host_src, host_dst, ts_src, ts_dst, dir, type, sa,
+						mark, routed) == SUCCESS;
+	}
 
-		/* is there already a broad host-to-host bare shunt? */
-		if (bs_pp == NULL)
+	if (dir == POLICY_IN)
+	{	/* handle forward policy */
+		dir = POLICY_FWD;
+		if (deleting || replacing)
 		{
-			if (raw_eroute(null_host, &this_broad_client, null_host, &that_broad_client
-						   , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
-						   , 0, null_proto_info
-						   , SHUNT_PATIENCE, ERO_ADD, why))
-			{
-				struct bare_shunt *bs = malloc_thing(struct bare_shunt);
-
-				bs->ours = this_broad_client;
-				bs->his =  that_broad_client;
-				bs->transport_proto = 0;
-				bs->said.proto = SA_INT;
-				bs->why = clone_str(why);
-				bs->policy_prio = policy_prio;
-				bs->said.spi = htonl(shunt_spi);
-				bs->said.dst = *null_host;
-				bs->count = 0;
-				bs->last_activity = now();
-				bs->next = bare_shunts;
-				bare_shunts = bs;
-				DBG_bare_shunt("add", bs);
-			}
+			hydra->kernel_interface->del_policy(hydra->kernel_interface,
+						ts_src, ts_dst, dir, mark, routed);
+		}
+
+		if (!deleting && ok &&
+			(sa->mode == MODE_TUNNEL || satype == SADB_X_SATYPE_INT))
+		{
+			ok = hydra->kernel_interface->add_policy(hydra->kernel_interface,
+						host_src, host_dst, ts_src, ts_dst, dir, type, sa,
+						mark, routed) == SUCCESS;
 		}
-		shunt_spi = SPI_HOLD;
 	}
 
-	if (raw_eroute(null_host, &this_client, null_host, &that_client
-				   , htonl(shunt_spi), SA_INT, SADB_X_SATYPE_INT
-				   , transport_proto, null_proto_info
-				   , SHUNT_PATIENCE, ERO_DELETE, why))
-	{
-		struct bare_shunt **bs_pp = bare_shunt_ptr(&this_client, &that_client
-										, transport_proto);
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
+	ts_src->destroy(ts_src);
+	ts_dst->destroy(ts_dst);
 
-		/* delete bare eroute */
-		free_bare_shunt(bs_pp);
-		return TRUE;
-	}
-	else
-	{
-		return FALSE;
-	}
+	return ok;
 }
 
 static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
 							  unsigned int proto, unsigned int satype,
-							  const struct pfkey_proto_info *proto_info,
-							  unsigned int op, const char *opname)
+							  ipsec_sa_cfg_t *sa, unsigned int op,
+							  const char *opname)
 {
 	const ip_address *peer = &sr->that.host_addr;
 	char buf2[256];
+	bool ok;
 
 	snprintf(buf2, sizeof(buf2)
 			 , "eroute_connection %s", opname);
@@ -1125,11 +889,13 @@ static bool eroute_connection(struct spd_route *sr, ipsec_spi_t spi,
 	{
 		peer = aftoinfo(addrtypeof(peer))->any;
 	}
-	return raw_eroute(&sr->this.host_addr, &sr->this.client
-					  , peer
-					  , &sr->that.client
-					  , spi, proto, satype
-					  , sr->this.protocol, proto_info, 0, op, buf2);
+	ok = raw_eroute(peer, &sr->that.client,
+					&sr->this.host_addr, &sr->this.client, sr->mark_in,
+					spi, proto, satype, sr->this.protocol,
+					sa, op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), buf2);
+	return raw_eroute(&sr->this.host_addr, &sr->this.client, peer,
+					  &sr->that.client, sr->mark_out, spi, proto, satype,
+					  sr->this.protocol, sa, op, buf2) && ok;
 }
 
 /* assign a bare hold to a connection */
@@ -1162,31 +928,24 @@ bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr,
 		break;
 	}
 
-	/* we need a broad %hold, not the narrow one.
+	/* We need a broad %hold
 	 * First we ensure that there is a broad %hold.
 	 * There may already be one (race condition): no need to create one.
 	 * There may already be a %trap: replace it.
 	 * There may not be any broad eroute: add %hold.
-	 * Once the broad %hold is in place, delete the narrow one.
 	 */
 	if (rn != ro)
 	{
 		if (erouted(ro)
-		? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
-				, null_proto_info
-				, ERO_REPLACE, "replace %trap with broad %hold")
-		: !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT
-				, null_proto_info
-				, ERO_ADD, "add broad %hold"))
+		? !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT,
+							 &null_ipsec_sa, ERO_REPLACE,
+							 "replace %trap with broad %hold")
+		: !eroute_connection(sr, htonl(SPI_HOLD), SA_INT, SADB_X_SATYPE_INT,
+							 &null_ipsec_sa, ERO_ADD, "add broad %hold"))
 		{
 			return FALSE;
 		}
 	}
-	if (!replace_bare_shunt(src, dst, BOTTOM_PRIO, SPI_HOLD, FALSE
-	, transport_proto, "delete narrow %hold"))
-	{
-		return FALSE;
-	}
 	sr->routing = rn;
 	return TRUE;
 }
@@ -1195,32 +954,21 @@ bool assign_hold(connection_t *c USED_BY_DEBUG, struct spd_route *sr,
 static bool sag_eroute(struct state *st, struct spd_route *sr,
 					   unsigned op, const char *opname)
 {
-	u_int inner_proto = 0;
-	u_int inner_satype = 0;
+	u_int inner_proto, inner_satype;
 	ipsec_spi_t inner_spi = 0;
-	struct pfkey_proto_info proto_info[4];
-	int i;
-	bool tunnel;
-
-	/* figure out the SPI and protocol (in two forms)
-	 * for the innermost transformation.
-	 */
-
-	i = sizeof(proto_info) / sizeof(proto_info[0]) - 1;
-	proto_info[i].proto = 0;
-	tunnel = FALSE;
+	ipsec_sa_cfg_t sa = {
+		.mode = MODE_TRANSPORT,
+	};
+	bool tunnel = FALSE;
 
 	if (st->st_ah.present)
 	{
 		inner_spi = st->st_ah.attrs.spi;
 		inner_proto = SA_AH;
 		inner_satype = SADB_SATYPE_AH;
-
-		i--;
-		proto_info[i].proto = IPPROTO_AH;
-		proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
-		tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-		proto_info[i].reqid = sr->reqid;
+		sa.ah.use = TRUE;
+		sa.ah.spi = inner_spi;
+		tunnel |= st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
 	}
 
 	if (st->st_esp.present)
@@ -1228,12 +976,9 @@ static bool sag_eroute(struct state *st, struct spd_route *sr,
 		inner_spi = st->st_esp.attrs.spi;
 		inner_proto = SA_ESP;
 		inner_satype = SADB_SATYPE_ESP;
-
-		i--;
-		proto_info[i].proto = IPPROTO_ESP;
-		proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
-		tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-		proto_info[i].reqid = sr->reqid + 1;
+		sa.esp.use = TRUE;
+		sa.esp.spi = inner_spi;
+		tunnel |= st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
 	}
 
 	if (st->st_ipcomp.present)
@@ -1241,37 +986,28 @@ static bool sag_eroute(struct state *st, struct spd_route *sr,
 		inner_spi = st->st_ipcomp.attrs.spi;
 		inner_proto = SA_COMP;
 		inner_satype = SADB_X_SATYPE_COMP;
-
-		i--;
-		proto_info[i].proto = IPPROTO_COMP;
-		proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
-		tunnel |= proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-		proto_info[i].reqid = sr->reqid + 2;
+		sa.ipcomp.transform = st->st_ipcomp.attrs.transid;
+		sa.ipcomp.cpi = htons(ntohl(inner_spi));
+		tunnel |= st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
 	}
 
-	if (i == sizeof(proto_info) / sizeof(proto_info[0]) - 1)
+	if (!sa.ah.use && !sa.esp.use && !sa.ipcomp.transform)
 	{
 		impossible();   /* no transform at all! */
 	}
 
 	if (tunnel)
 	{
-		int j;
-
 		inner_spi = st->st_tunnel_out_spi;
 		inner_proto = SA_IPIP;
 		inner_satype = SADB_X_SATYPE_IPIP;
-
-		proto_info[i].encapsulation = ENCAPSULATION_MODE_TUNNEL;
-		for (j = i + 1; proto_info[j].proto; j++)
-		{
-			proto_info[j].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-		}
+		sa.mode = MODE_TUNNEL;
 	}
 
-	return eroute_connection(sr
-		, inner_spi, inner_proto, inner_satype, proto_info + i
-		, op, opname);
+	sa.reqid = sr->reqid;
+
+	return eroute_connection(sr, inner_spi, inner_proto, inner_satype,
+							 &sa, op, opname);
 }
 
 /* compute a (host-order!) SPI to implement the policy in connection c */
@@ -1318,7 +1054,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
 	 * The SPI signifies the kind of shunt.
 	 */
 	ipsec_spi_t spi = shunt_policy_spi(c, rt_kind == RT_ROUTED_PROSPECTIVE);
-	bool ok;
 
 	if (spi == 0)
 	{
@@ -1377,599 +1112,120 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr,
 		}
 	}
 
-	ok = TRUE;
-	if (kernel_ops->inbound_eroute)
-	{
-		ok = raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
-			, &c->spd.this.host_addr, &c->spd.this.client
-			, htonl(spi), SA_INT, SADB_X_SATYPE_INT
-			, 0, null_proto_info, 0
-			, op | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT), opname);
-	}
-	return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT
-		, null_proto_info, op, opname) && ok;
-}
-
-
-/*
- * This is only called when s is a likely SAID with  trailing protocol i.e.
- * it has the form :-
- *
- *   %<keyword>:p
- *   <ip-proto><spi>@a.b.c.d:p
- *
- * The task here is to remove the ":p" part so that the rest can be read
- * by another routine.
- */
-static const char *read_proto(const char * s, size_t * len, int * transport_proto)
-{
-	const char * p;
-	const char * ugh;
-	unsigned long proto;
-	size_t l;
-
-	l = *len;
-	p = memchr(s, ':', l);
-	if (p == 0)
-	{
-		*transport_proto = 0;
-		return 0;
-	}
-	ugh = ttoul(p+1, l-((p-s)+1), 10, &proto);
-	if (ugh != 0)
-	{
-		return ugh;
-	}
-	if (proto > 65535)
-	{
-		return "protocol number is too large, legal range is 0-65535";
-	}
-	*len = p-s;
-	*transport_proto = proto;
-	return 0;
+	return eroute_connection(sr, htonl(spi), SA_INT, SADB_X_SATYPE_INT,
+							 &null_ipsec_sa, op, opname);
 }
 
-
-/* scan /proc/net/ipsec_eroute every once in a while, looking for:
- *
- * - %hold shunts of which Pluto isn't aware.  This situation could
- *   be caused by lost ACQUIRE messages.  When found, they will
- *   added to orphan_holds.  This in turn will lead to Opportunistic
- *   initiation.
- *
- * - other kinds of shunts that haven't been used recently.  These will be
- *   deleted.  They represent OE failures.
- *
- * - recording recent uses of tunnel eroutes so that rekeying decisions
- *   can be made for OE connections.
- *
- * Here are some sample lines:
- * 10         10.3.2.1.0/24    -> 0.0.0.0/0          => %trap
- * 259        10.3.2.1.115/32  -> 10.19.75.161/32    => tun0x1002@10.19.75.145
- * 71         10.44.73.97/32   -> 0.0.0.0/0          => %trap
- * 4119       10.44.73.97/32   -> 10.114.121.41/32   => %pass
- * Newer versions of KLIPS start each line with a 32-bit packet count.
- * If available, the count is used to detect whether a %pass shunt is in use.
- *
- * NOTE: execution time is quadratic in the number of eroutes since the
- * searching for each is sequential.  If this becomes a problem, faster
- * searches could be implemented (hash or radix tree, for example).
- */
-void scan_proc_shunts(void)
-{
-	static const char procname[] = "/proc/net/ipsec_eroute";
-	FILE *f;
-	time_t nw = now();
-	int lino;
-	struct eroute_info *expired = NULL;
-
-	event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
-
-	DBG(DBG_CONTROL,
-		DBG_log("scanning for shunt eroutes")
-	)
-
-	/* free any leftover entries: they will be refreshed if still current */
-	while (orphaned_holds != NULL)
-	{
-		struct eroute_info *p = orphaned_holds;
-
-		orphaned_holds = p->next;
-		free(orphaned_holds);
-	}
-
-	/* decode the /proc file.  Don't do anything strenuous to it
-	 * (certainly no PF_KEY stuff) to minimize the chance that it
-	 * might change underfoot.
-	 */
-
-	f = fopen(procname, "r");
-	if (f == NULL)
-	{
-		return;
-	}
-
-	/* for each line... */
-	for (lino = 1; ; lino++)
-	{
-		unsigned char buf[1024];  /* should be big enough */
-		chunk_t field[10];        /* 10 is loose upper bound */
-		chunk_t *ff = NULL;       /* fixed fields (excluding optional count) */
-		int fi;
-		struct eroute_info eri;
-		char *cp;
-		err_t context = ""
-			, ugh = NULL;
-
-		cp = fgets(buf, sizeof(buf), f);
-		if (cp == NULL)
-		{
-			break;
-		}
-
-		/* break out each field
-		 * Note: if there are too many fields, just stop;
-		 * it will be diagnosed a little later.
-		 */
-		for (fi = 0; fi < (int)countof(field); fi++)
-		{
-			static const char sep[] = " \t\n";  /* field-separating whitespace */
-			size_t w;
-
-			cp += strspn(cp, sep);      /* find start of field */
-			w = strcspn(cp, sep);       /* find width of field */
-			field[fi] = chunk_create(cp, w);
-			cp += w;
-			if (w == 0)
-			{
-				break;
-			}
-		}
-
-		/* This odd do-hickey is to share error reporting code.
-		 * A break will get to that common code.  The setting
-		 * of "ugh" and "context" parameterize it.
-		 */
-		do {
-			/* Old entries have no packet count; new ones do.
-			 * check if things are as they should be.
-			 */
-			if (fi == 5)
-			{
-				ff = &field[0]; /* old form, with no count */
-			}
-			else if (fi == 6)
-			{
-				ff = &field[1]; /* new form, with count */
-			}
-			else
-			{
-				ugh = "has wrong number of fields";
-				break;
-			}
-
-			if (ff[1].len != 2
-			|| strncmp(ff[1].ptr, "->", 2) != 0
-			|| ff[3].len != 2
-			|| strncmp(ff[3].ptr, "=>", 2) != 0)
-			{
-				ugh = "is missing -> or =>";
-				break;
-			}
-
-			/* actually digest fields of interest */
-
-			/* packet count */
-
-			eri.count = 0;
-			if (ff != field)
-			{
-				context = "count field is malformed: ";
-				ugh = ttoul(field[0].ptr, field[0].len, 10, &eri.count);
-				if (ugh != NULL)
-				{
-					break;
-				}
-			}
-
-			/* our client */
-
-			context = "source subnet field malformed: ";
-			ugh = ttosubnet(ff[0].ptr, ff[0].len, AF_INET, &eri.ours);
-			if (ugh != NULL)
-			{
-				break;
-			}
-
-			/* his client */
-
-			context = "destination subnet field malformed: ";
-			ugh = ttosubnet(ff[2].ptr, ff[2].len, AF_INET, &eri.his);
-			if (ugh != NULL)
-			{
-				break;
-			}
-
-			/* SAID */
-
-			context = "SA ID field malformed: ";
-			ugh = read_proto(ff[4].ptr, &ff[4].len, &eri.transport_proto);
-			if (ugh != NULL)
-			{
-				break;
-			}
-			ugh = ttosa(ff[4].ptr, ff[4].len, &eri.said);
-		} while (FALSE);
-
-		if (ugh != NULL)
-		{
-			plog("INTERNAL ERROR: %s line %d %s%s"
-				, procname, lino, context, ugh);
-			continue;   /* ignore rest of line */
-		}
-
-		/* Now we have decoded eroute, let's consider it.
-		 * For shunt eroutes:
-		 *
-		 * %hold: if not known, add to orphaned_holds list for initiation
-		 *    because ACQUIRE might have been lost.
-		 *
-		 * %pass, %drop, %reject: determine if idle; if so, blast it away.
-		 *    Can occur bare (if DNS provided insufficient information)
-		 *    or with a connection (failure context).
-		 *    Could even be installed by ipsec manual.
-		 *
-		 * %trap: always welcome.
-		 *
-		 * For other eroutes: find state and record count change
-		 */
-		if (eri.said.proto == SA_INT)
-		{
-			/* shunt eroute */
-			switch (ntohl(eri.said.spi))
-			{
-			case SPI_HOLD:
-				if (bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto) == NULL
-				&& shunt_owner(&eri.ours, &eri.his) == NULL)
-				{
-					int ourport = ntohs(portof(&eri.ours.addr));
-					int hisport = ntohs(portof(&eri.his.addr));
-					char ourst[SUBNETTOT_BUF];
-					char hist[SUBNETTOT_BUF];
-					char sat[SATOT_BUF];
-
-					subnettot(&eri.ours, 0, ourst, sizeof(ourst));
-					subnettot(&eri.his, 0, hist, sizeof(hist));
-					satot(&eri.said, 0, sat, sizeof(sat));
-
-					DBG(DBG_CONTROL,
-						DBG_log("add orphaned shunt %s:%d -> %s:%d => %s:%d"
-							, ourst, ourport, hist, hisport, sat, eri.transport_proto)
-					 )
-					eri.next = orphaned_holds;
-					orphaned_holds = clone_thing(eri);
-				}
-				break;
-
-			case SPI_PASS:
-			case SPI_DROP:
-			case SPI_REJECT:
-				/* nothing sensible to do if we don't have counts */
-				if (ff != field)
-				{
-					struct bare_shunt **bs_pp
-						= bare_shunt_ptr(&eri.ours, &eri.his, eri.transport_proto);
-
-					if (bs_pp != NULL)
-					{
-						struct bare_shunt *bs = *bs_pp;
-
-						if (eri.count != bs->count)
-						{
-							bs->count = eri.count;
-							bs->last_activity = nw;
-						}
-						else if (nw - bs->last_activity > SHUNT_PATIENCE)
-						{
-							eri.next = expired;
-							expired = clone_thing(eri);
-						}
-					}
-				}
-				break;
-
-			case SPI_TRAP:
-				break;
-
-			default:
-				bad_case(ntohl(eri.said.spi));
-			}
-		}
-		else
-		{
-			/* regular (non-shunt) eroute */
-			state_eroute_usage(&eri.ours, &eri.his, eri.count, nw);
-		}
-	}   /* for each line */
-	fclose(f);
-
-	/* Now that we've finished processing the /proc file,
-	 * it is safe to delete the expired %pass shunts.
-	 */
-	while (expired != NULL)
-	{
-		struct eroute_info *p = expired;
-		ip_address src, dst;
-
-		networkof(&p->ours, &src);
-		networkof(&p->his, &dst);
-		(void) replace_bare_shunt(&src, &dst
-			, BOTTOM_PRIO       /* not used because we are deleting.  This value is a filler */
-			, SPI_PASS  /* not used because we are deleting.  This value is a filler */
-			, FALSE, p->transport_proto, "delete expired bare shunts");
-		expired = p->next;
-		free(p);
-	}
-}
-
-static bool del_spi(ipsec_spi_t spi, int proto,
-					const ip_address *src, const ip_address *dest)
-{
-	char text_said[SATOT_BUF];
-	struct kernel_sa sa;
-
-	set_text_said(text_said, dest, spi, proto);
-
-	DBG(DBG_KLIPS, DBG_log("delete %s", text_said));
-
-	memset(&sa, 0, sizeof(sa));
-	sa.spi = spi;
-	sa.proto = proto;
-	sa.src = src;
-	sa.dst = dest;
-	sa.text_said = text_said;
-
-	return kernel_ops->del_sa(&sa);
-}
-
-/* Setup a pair of SAs. Code taken from setsa.c and spigrp.c, in
- * ipsec-0.5.
- */
-
 static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 {
-	/* Build an inbound or outbound SA */
-
+	host_t *host_src, *host_dst;
 	connection_t *c = st->st_connection;
-	ip_subnet src, dst;
-	ip_subnet src_client, dst_client;
-	ipsec_spi_t inner_spi = 0;
-	u_int proto = 0;
-	u_int satype = SADB_SATYPE_UNSPEC;
-	bool replace;
-
-	/* SPIs, saved for spigrouping or undoing, if necessary */
-	struct kernel_sa
-		said[EM_MAXRELSPIS],
-		*said_next = said;
-
-	char text_said[SATOT_BUF];
-	int encapsulation;
-
-	replace = inbound && (kernel_ops->get_spi != NULL);
-
-	src.maskbits = 0;
-	dst.maskbits = 0;
-
+	struct end *src, *dst;
+	ipsec_mode_t mode = MODE_TRANSPORT;
+	ipsec_sa_cfg_t sa = { .mode = 0 };
+	lifetime_cfg_t lt_none = { .time = { .rekey = 0 } };
+	mark_t mark;
+	bool ok = TRUE;
+	/* SPIs, saved for undoing, if necessary */
+	struct kernel_sa said[EM_MAXRELSPIS], *said_next = said;
 	if (inbound)
 	{
-		src.addr = c->spd.that.host_addr;
-		dst.addr = c->spd.this.host_addr;
-		src_client = c->spd.that.client;
-		dst_client = c->spd.this.client;
+		src = &c->spd.that;
+		dst = &c->spd.this;
+		mark = c->spd.mark_in;
 	}
 	else
 	{
-		src.addr = c->spd.this.host_addr,
-		dst.addr = c->spd.that.host_addr;
-		src_client = c->spd.this.client;
-		dst_client = c->spd.that.client;
+		src = &c->spd.this;
+		dst = &c->spd.that;
+		mark = c->spd.mark_out;
 	}
 
-	encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
+
 	if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
 		|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
 		|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
 	{
-		encapsulation = ENCAPSULATION_MODE_TUNNEL;
+		mode = MODE_TUNNEL;
 	}
 
-	memset(said, 0, sizeof(said));
-
-	/* If we are tunnelling, set up IP in IP pseudo SA */
-
-	if (kernel_ops->inbound_eroute)
-	{
-		inner_spi = 256;
-		proto = SA_IPIP;
-		satype = SADB_SATYPE_UNSPEC;
-	}
-	else if (encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	{
-		/* XXX hack alert -- we SHOULD NOT HAVE TO HAVE A DIFFERENT SPI
-		 * XXX FOR IP-in-IP ENCAPSULATION!
-		 */
-
-		ipsec_spi_t ipip_spi;
-
-		/* Allocate an SPI for the tunnel.
-		 * Since our peer will never see this,
-		 * and it comes from its own number space,
-		 * it is purely a local implementation wart.
-		 */
-		{
-			static ipsec_spi_t last_tunnel_spi = IPSEC_DOI_SPI_OUR_MIN;
-
-			ipip_spi = htonl(++last_tunnel_spi);
-			if (inbound)
-			{
-				st->st_tunnel_in_spi = ipip_spi;
-			}
-			else
-			{
-				st->st_tunnel_out_spi = ipip_spi;
-			}
-		}
-
-		set_text_said(text_said
-			, &c->spd.that.host_addr, ipip_spi, SA_IPIP);
-
-		said_next->src = &src.addr;
-		said_next->dst = &dst.addr;
-		said_next->src_client = &src_client;
-		said_next->dst_client = &dst_client;
-		said_next->spi = ipip_spi;
-		said_next->satype = SADB_X_SATYPE_IPIP;
-		said_next->text_said = text_said;
-
-		if (!kernel_ops->add_sa(said_next, replace))
-			goto fail;
-
-		said_next++;
+	sa.mode = mode;
+	sa.reqid = c->spd.reqid;
 
-		inner_spi = ipip_spi;
-		proto = SA_IPIP;
-		satype = SADB_X_SATYPE_IPIP;
-	}
+	memset(said, 0, sizeof(said));
 
 	/* set up IPCOMP SA, if any */
 
 	if (st->st_ipcomp.present)
 	{
-		ipsec_spi_t ipcomp_spi = inbound? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
-		unsigned compalg;
+		ipsec_spi_t ipcomp_spi = inbound ? st->st_ipcomp.our_spi
+										 : st->st_ipcomp.attrs.spi;
 
 		switch (st->st_ipcomp.attrs.transid)
 		{
 			case IPCOMP_DEFLATE:
-				compalg = SADB_X_CALG_DEFLATE;
 				break;
 
 			default:
-				loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented"
-					, enum_name(&ipcomp_transformid_names, st->st_ipcomp.attrs.transid));
+				loglog(RC_LOG_SERIOUS, "IPCOMP transform %s not implemented",
+					   enum_name(&ipcomp_transformid_names,
+								 st->st_ipcomp.attrs.transid));
 				goto fail;
 		}
 
-		set_text_said(text_said, &dst.addr, ipcomp_spi, SA_COMP);
+		sa.ipcomp.cpi = htons(ntohl(ipcomp_spi));
+		sa.ipcomp.transform = st->st_ipcomp.attrs.transid;
 
-		said_next->src = &src.addr;
-		said_next->dst = &dst.addr;
-		said_next->src_client = &src_client;
-		said_next->dst_client = &dst_client;
 		said_next->spi = ipcomp_spi;
-		said_next->satype = SADB_X_SATYPE_COMP;
-		said_next->compalg = compalg;
-		said_next->encapsulation = encapsulation;
-		said_next->reqid = c->spd.reqid + 2;
-		said_next->text_said = text_said;
+		said_next->proto = IPPROTO_COMP;
 
-		if (!kernel_ops->add_sa(said_next, replace))
+		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
+						host_dst, ipcomp_spi, said_next->proto, c->spd.reqid,
+						mark, &lt_none, ENCR_UNDEFINED, chunk_empty,
+						AUTH_UNDEFINED, chunk_empty, mode,
+						st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE,
+						inbound, NULL, NULL) != SUCCESS)
 		{
 			goto fail;
 		}
 		said_next++;
-		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+		mode = MODE_TRANSPORT;
 	}
 
 	/* set up ESP SA, if any */
 
 	if (st->st_esp.present)
 	{
-		ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
-		u_char *esp_dst_keymat = inbound? st->st_esp.our_keymat : st->st_esp.peer_keymat;
+		ipsec_spi_t esp_spi = inbound ? st->st_esp.our_spi
+									  : st->st_esp.attrs.spi;
+		u_char *esp_dst_keymat = inbound ? st->st_esp.our_keymat
+										 : st->st_esp.peer_keymat;
+		bool encap = st->nat_traversal & NAT_T_DETECTED;
+		encryption_algorithm_t enc_alg;
+		integrity_algorithm_t auth_alg;
 		const struct esp_info *ei;
+		chunk_t enc_key, auth_key;
 		u_int16_t key_len;
 
-		static const struct esp_info esp_info[] = {
-			{ ESP_NULL, AUTH_ALGORITHM_HMAC_MD5,
-				0, HMAC_MD5_KEY_LEN,
-				SADB_EALG_NULL, SADB_AALG_MD5HMAC },
-			{ ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1,
-				0, HMAC_SHA1_KEY_LEN,
-				SADB_EALG_NULL, SADB_AALG_SHA1HMAC },
-
-			{ ESP_DES, AUTH_ALGORITHM_NONE,
-				DES_CBC_BLOCK_SIZE, 0,
-				SADB_EALG_DESCBC, SADB_AALG_NONE },
-			{ ESP_DES, AUTH_ALGORITHM_HMAC_MD5,
-				DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN,
-				SADB_EALG_DESCBC, SADB_AALG_MD5HMAC },
-			{ ESP_DES, AUTH_ALGORITHM_HMAC_SHA1,
-				DES_CBC_BLOCK_SIZE,
-				HMAC_SHA1_KEY_LEN, SADB_EALG_DESCBC, SADB_AALG_SHA1HMAC },
-
-			{ ESP_3DES, AUTH_ALGORITHM_NONE,
-				DES_CBC_BLOCK_SIZE * 3, 0,
-				SADB_EALG_3DESCBC, SADB_AALG_NONE },
-			{ ESP_3DES, AUTH_ALGORITHM_HMAC_MD5,
-				DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN,
-				SADB_EALG_3DESCBC, SADB_AALG_MD5HMAC },
-			{ ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1,
-				DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN,
-				SADB_EALG_3DESCBC, SADB_AALG_SHA1HMAC },
-		};
-
-		u_int8_t natt_type = 0;
-		u_int16_t natt_sport = 0;
-		u_int16_t natt_dport = 0;
-		ip_address natt_oa;
-
-		if (st->nat_traversal & NAT_T_DETECTED)
-		{
-			natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
-						 ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
-			natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
-			natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
-			natt_oa = st->nat_oa;
-		}
-
-		for (ei = esp_info; ; ei++)
+		if ((ei = kernel_alg_esp_info(st->st_esp.attrs.transid,
+									  st->st_esp.attrs.auth)) == NULL)
 		{
-			if (ei == &esp_info[countof(esp_info)])
-			{
-				/* Check for additional kernel alg */
-				if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid,
-										st->st_esp.attrs.auth))!=NULL)
-				{
-					break;
-				}
-
-				/* note: enum_show may use a static buffer, so two
-				 * calls in one printf would be a mistake.
-				 * enum_name does the same job, without a static buffer,
-				 * assuming the name will be found.
-				 */
-				loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet"
-					, enum_name(&esp_transform_names, st->st_esp.attrs.transid)
-					, enum_name(&auth_alg_names, st->st_esp.attrs.auth));
-				goto fail;
-			}
-
-			if (st->st_esp.attrs.transid == ei->transid &&
-				st->st_esp.attrs.auth == ei->auth)
-			{
-				break;
-			}
+			loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s"
+				   " not implemented yet",
+				   enum_name(&esp_transform_names, st->st_esp.attrs.transid),
+				   enum_name(&auth_alg_names, st->st_esp.attrs.auth));
+			goto fail;
 		}
 
-		key_len = st->st_esp.attrs.key_len/8;
+		key_len = st->st_esp.attrs.key_len / 8;
 		if (key_len)
 		{
 			/* XXX: must change to check valid _range_ key_len */
 			if (key_len > ei->enckeylen)
 			{
-				loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
+				loglog(RC_LOG_SERIOUS, "ESP transform %s: key_len=%d > %d",
 					enum_name(&esp_transform_names, st->st_esp.attrs.transid),
 					(int)key_len, (int)ei->enckeylen);
 				goto fail;
@@ -2012,290 +1268,144 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 				break;
 		}
 
-		/* divide up keying material */
-		set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
-		said_next->src = &src.addr;
-		said_next->dst = &dst.addr;
-		said_next->src_client = &src_client;
-		said_next->dst_client = &dst_client;
-		said_next->spi = esp_spi;
-		said_next->satype = SADB_SATYPE_ESP;
-		said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
-									REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
-		said_next->authalg = ei->authalg;
-		said_next->authkeylen = ei->authkeylen;
-		said_next->authkey = esp_dst_keymat + key_len;
-		said_next->encalg = ei->encryptalg;
-		said_next->enckeylen = key_len;
-		said_next->enckey = esp_dst_keymat;
-		said_next->encapsulation = encapsulation;
-		said_next->reqid = c->spd.reqid + 1;
-		said_next->natt_sport = natt_sport;
-		said_next->natt_dport = natt_dport;
-		said_next->transid = st->st_esp.attrs.transid;
-		said_next->natt_type = natt_type;
-		said_next->natt_oa = &natt_oa;
-		said_next->text_said = text_said;
-
-		if (!kernel_ops->add_sa(said_next, replace))
+		if (encap)
 		{
-			goto fail;
+			host_src->set_port(host_src, src->host_port);
+			host_dst->set_port(host_dst, dst->host_port);
+			// st->nat_oa is currently unused
 		}
-		said_next++;
-		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-	}
-
-	/* set up AH SA, if any */
 
-	if (st->st_ah.present)
-	{
-		ipsec_spi_t ah_spi = inbound? st->st_ah.our_spi : st->st_ah.attrs.spi;
-		u_char *ah_dst_keymat = inbound? st->st_ah.our_keymat : st->st_ah.peer_keymat;
+		/* divide up keying material */
+		enc_alg = encryption_algorithm_from_esp(st->st_esp.attrs.transid);
+		enc_key.ptr = esp_dst_keymat;
+		enc_key.len = key_len;
+		auth_alg = integrity_algorithm_from_esp(st->st_esp.attrs.auth);
+		auth_alg = auth_alg ? : AUTH_UNDEFINED;
+		auth_key.ptr = esp_dst_keymat + key_len;
+		auth_key.len = ei->authkeylen;
 
-		unsigned char authalg;
+		sa.esp.use = TRUE;
+		sa.esp.spi = esp_spi;
 
-		switch (st->st_ah.attrs.auth)
-		{
-			case AUTH_ALGORITHM_HMAC_MD5:
-				authalg = SADB_AALG_MD5HMAC;
-				break;
-			case AUTH_ALGORITHM_HMAC_SHA1:
-				authalg = SADB_AALG_SHA1HMAC;
-				break;
-			default:
-				loglog(RC_LOG_SERIOUS, "%s not implemented yet",
-					   enum_show(&auth_alg_names, st->st_ah.attrs.auth));
-			goto fail;
-		}
+		said_next->spi = esp_spi;
+		said_next->proto = IPPROTO_ESP;
 
-		set_text_said(text_said, &dst.addr, ah_spi, SA_AH);
-		said_next->src = &src.addr;
-		said_next->dst = &dst.addr;
-		said_next->src_client = &src_client;
-		said_next->dst_client = &dst_client;
-		said_next->spi = ah_spi;
-		said_next->satype = SADB_SATYPE_AH;
-		said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
-									REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
-		said_next->authalg = authalg;
-		said_next->authkeylen = st->st_ah.keymat_len;
-		said_next->authkey = ah_dst_keymat;
-		said_next->encapsulation = encapsulation;
-		said_next->reqid = c->spd.reqid;
-		said_next->text_said = text_said;
-
-		if (!kernel_ops->add_sa(said_next, replace))
+		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
+						host_dst, esp_spi, said_next->proto, c->spd.reqid,
+						mark, &lt_none, enc_alg, enc_key,
+						auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
+						encap, inbound, NULL, NULL) != SUCCESS)
 		{
 			goto fail;
 		}
 		said_next++;
-		encapsulation = ENCAPSULATION_MODE_TRANSPORT;
+		mode = MODE_TRANSPORT;
 	}
 
-	if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-	|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
-	|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	{
-		encapsulation = ENCAPSULATION_MODE_TUNNEL;
-	}
+	/* set up AH SA, if any */
 
-	if (kernel_ops->inbound_eroute ? c->spd.eroute_owner == SOS_NOBODY
-		: encapsulation == ENCAPSULATION_MODE_TUNNEL)
+	if (st->st_ah.present)
 	{
-		/* If inbound, and policy does not specifie DISABLEARRIVALCHECK,
-		 * tell KLIPS to enforce the IP addresses appropriate for this tunnel.
-		 * Note reversed ends.
-		 * Not much to be done on failure.
-		 */
-		if (inbound && (c->policy & POLICY_DISABLEARRIVALCHECK) == 0)
-		{
-			struct pfkey_proto_info proto_info[4];
-			int i = 0;
-
-			if (st->st_ipcomp.present)
-			{
-				proto_info[i].proto = IPPROTO_COMP;
-				proto_info[i].encapsulation = st->st_ipcomp.attrs.encapsulation;
-				proto_info[i].reqid = c->spd.reqid + 2;
-				i++;
-			}
-
-			if (st->st_esp.present)
-			{
-				proto_info[i].proto = IPPROTO_ESP;
-				proto_info[i].encapsulation = st->st_esp.attrs.encapsulation;
-				proto_info[i].reqid = c->spd.reqid + 1;
-				i++;
-			}
-
-			if (st->st_ah.present)
-			{
-				proto_info[i].proto = IPPROTO_AH;
-				proto_info[i].encapsulation = st->st_ah.attrs.encapsulation;
-				proto_info[i].reqid = c->spd.reqid;
-				i++;
-			}
-
-			proto_info[i].proto = 0;
-
-			if (kernel_ops->inbound_eroute
-				&& encapsulation == ENCAPSULATION_MODE_TUNNEL)
-			{
-				proto_info[0].encapsulation = ENCAPSULATION_MODE_TUNNEL;
-				for (i = 1; proto_info[i].proto; i++)
-				{
-					proto_info[i].encapsulation = ENCAPSULATION_MODE_TRANSPORT;
-				}
-			}
+		ipsec_spi_t ah_spi = inbound ? st->st_ah.our_spi
+									 : st->st_ah.attrs.spi;
+		u_char *ah_dst_keymat = inbound ? st->st_ah.our_keymat
+										: st->st_ah.peer_keymat;
+		integrity_algorithm_t auth_alg;
+		chunk_t auth_key;
 
-			/* MCR - should be passed a spd_eroute structure here */
-			(void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
-							  , &c->spd.this.host_addr, &c->spd.this.client
-							  , inner_spi, proto, satype, c->spd.this.protocol
-							  , proto_info, 0
-							  , ERO_ADD_INBOUND, "add inbound");
-		}
-	}
+		auth_alg = integrity_algorithm_from_esp(st->st_ah.attrs.auth);
+		auth_key.ptr = ah_dst_keymat;
+		auth_key.len = st->st_ah.keymat_len;
 
-	/* If there are multiple SPIs, group them. */
+		sa.ah.use = TRUE;
+		sa.ah.spi = ah_spi;
 
-	if (kernel_ops->grp_sa && said_next > &said[1])
-	{
-		struct kernel_sa *s;
+		said_next->spi = ah_spi;
+		said_next->proto = IPPROTO_AH;
 
-		/* group SAs, two at a time, inner to outer (backwards in said[])
-		 * The grouping is by pairs.  So if said[] contains ah esp ipip,
-		 * the grouping would be ipip:esp, esp:ah.
-		 */
-		for (s = said; s < said_next-1; s++)
+		if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src,
+						host_dst, ah_spi, said_next->proto, c->spd.reqid,
+						mark, &lt_none, ENCR_UNDEFINED, chunk_empty,
+						auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */,
+						FALSE, inbound, NULL, NULL) != SUCCESS)
 		{
-			char
-				text_said0[SATOT_BUF],
-				text_said1[SATOT_BUF];
-
-			/* group s[1] and s[0], in that order */
-
-			set_text_said(text_said0, s[0].dst, s[0].spi, s[0].proto);
-			set_text_said(text_said1, s[1].dst, s[1].spi, s[1].proto);
-
-			DBG(DBG_KLIPS, DBG_log("grouping %s and %s", text_said1, text_said0));
-
-			s[0].text_said = text_said0;
-			s[1].text_said = text_said1;
-
-			if (!kernel_ops->grp_sa(s + 1, s))
-			{
-				goto fail;
-			}
+			goto fail;
 		}
-		/* could update said, but it will not be used */
+		said_next++;
+		mode = MODE_TRANSPORT;
 	}
 
-	return TRUE;
+	goto cleanup;
 
 fail:
+	/* undo the done SPIs */
+	while (said_next-- != said)
 	{
-		/* undo the done SPIs */
-		while (said_next-- != said)
-		{
-			(void) del_spi(said_next->spi, said_next->proto, &src.addr,
-						   said_next->dst);
-		}
-		return FALSE;
+		hydra->kernel_interface->del_sa(hydra->kernel_interface, host_src,
+										host_dst, said_next->spi,
+										said_next->proto, 0 /* cpi */,
+										mark);
 	}
-}
+	ok = FALSE;
 
-/* teardown_ipsec_sa is a canibalized version of setup_ipsec_sa */
+cleanup:
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
+	return ok;
+}
 
 static bool teardown_half_ipsec_sa(struct state *st, bool inbound)
 {
-	/* We need to delete AH, ESP, and IP in IP SPIs.
-	 * But if there is more than one, they have been grouped
-	 * so deleting any one will do.  So we just delete the
-	 * first one found.  It may or may not be the only one.
-	 */
 	connection_t *c = st->st_connection;
-	struct {
-		unsigned proto;
-		struct ipsec_proto_info *info;
-	} protos[4];
-	int i;
-	bool result;
+	const struct end *src, *dst;
+	host_t *host_src, *host_dst;
+	ipsec_spi_t spi;
+	mark_t mark;
+	bool result = TRUE;
 
-	i = 0;
-	if (kernel_ops->inbound_eroute && inbound
-		&& c->spd.eroute_owner == SOS_NOBODY)
+	if (inbound)
 	{
-		(void) raw_eroute(&c->spd.that.host_addr, &c->spd.that.client
-			, &c->spd.this.host_addr, &c->spd.this.client
-			, 256, IPSEC_PROTO_ANY, SADB_SATYPE_UNSPEC, c->spd.this.protocol
-			, null_proto_info, 0
-			, ERO_DEL_INBOUND, "delete inbound");
+		src = &c->spd.that;
+		dst = &c->spd.this;
+		mark = c->spd.mark_in;
 	}
-
-	if (!kernel_ops->grp_sa)
+	else
 	{
-		if (st->st_ah.present)
-		{
-			protos[i].info = &st->st_ah;
-			protos[i].proto = SA_AH;
-			i++;
-		}
+		src = &c->spd.this;
+		dst = &c->spd.that;
+		mark = c->spd.mark_out;
+	}
 
-		if (st->st_esp.present)
-		{
-			protos[i].info = &st->st_esp;
-			protos[i].proto = SA_ESP;
-			i++;
-		}
+	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
 
-		if (st->st_ipcomp.present)
-		{
-			protos[i].info = &st->st_ipcomp;
-			protos[i].proto = SA_COMP;
-			i++;
-		}
-	}
-	else if (st->st_ah.present)
-	{
-		protos[i].info = &st->st_ah;
-		protos[i].proto = SA_AH;
-		i++;
-	}
-	else if (st->st_esp.present)
+	if (st->st_ah.present)
 	{
-		protos[i].info = &st->st_esp;
-		protos[i].proto = SA_ESP;
-		i++;
+		spi = inbound ? st->st_ah.our_spi : st->st_ah.attrs.spi;
+		result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
+								host_src, host_dst, spi, IPPROTO_AH,
+								0 /* cpi */, mark) == SUCCESS;
 	}
-	else
+
+	if (st->st_esp.present)
 	{
-		impossible();   /* neither AH nor ESP in outbound SA bundle! */
+		spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi;
+		result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
+								host_src, host_dst, spi, IPPROTO_ESP,
+								0 /* cpi */, mark) == SUCCESS;
 	}
-	protos[i].proto = 0;
 
-	result = TRUE;
-	for (i = 0; protos[i].proto; i++)
+	if (st->st_ipcomp.present)
 	{
-		unsigned proto = protos[i].proto;
-		ipsec_spi_t spi;
-		const ip_address *src, *dst;
+		spi = inbound ? st->st_ipcomp.our_spi : st->st_ipcomp.attrs.spi;
+		result &= hydra->kernel_interface->del_sa(hydra->kernel_interface,
+								host_src, host_dst, spi, IPPROTO_COMP,
+								0 /* cpi */, mark) == SUCCESS;
+	}
 
-		if (inbound)
-		{
-			spi = protos[i].info->our_spi;
-			src = &c->spd.that.host_addr;
-			dst = &c->spd.this.host_addr;
-		}
-		else
-		{
-			spi = protos[i].info->attrs.spi;
-			src = &c->spd.this.host_addr;
-			dst = &c->spd.that.host_addr;
-		}
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
 
-		result &= del_spi(spi, proto, src, dst);
-	}
 	return result;
 }
 
@@ -2304,126 +1414,198 @@ static bool teardown_half_ipsec_sa(struct state *st, bool inbound)
  */
 bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
 {
-	char text_said[SATOT_BUF];
-	struct kernel_sa sa;
 	connection_t *c = st->st_connection;
+	traffic_selector_t *ts_src = NULL, *ts_dst = NULL;
+	host_t *host_src = NULL, *host_dst = NULL;
+	const struct end *src, *dst;
+	ipsec_spi_t spi;
+	mark_t mark;
+	u_int64_t bytes_kernel = 0;
+	bool result = FALSE;
 
 	*use_time = UNDEFINED_TIME;
 
-	if (kernel_ops->get_sa == NULL || !st->st_esp.present)
+	if (!st->st_esp.present)
 	{
-		return FALSE;
+		goto failed;
 	}
-	memset(&sa, 0, sizeof(sa));
-	sa.proto = SA_ESP;
 
 	if (inbound)
 	{
-		sa.src = &c->spd.that.host_addr;
-		sa.dst = &c->spd.this.host_addr;
-		sa.spi = st->st_esp.our_spi;
+		src = &c->spd.that;
+		dst = &c->spd.this;
+		mark = c->spd.mark_in;
+		spi = st->st_esp.our_spi;
 	}
 	else
 	{
-		sa.src = &c->spd.this.host_addr;
-		sa.dst = &c->spd.that.host_addr;
-		sa.spi = st->st_esp.attrs.spi;
+		src = &c->spd.this;
+		dst = &c->spd.that;
+		mark = c->spd.mark_out;
+		spi = st->st_esp.attrs.spi;
 	}
-	set_text_said(text_said, sa.dst, sa.spi, sa.proto);
 
-	sa.text_said = text_said;
+	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
 
-	DBG(DBG_KLIPS,
-		DBG_log("get %s", text_said)
-	)
-	if (!kernel_ops->get_sa(&sa, bytes))
+	switch(hydra->kernel_interface->query_sa(hydra->kernel_interface, host_src,
+											 host_dst, spi, IPPROTO_ESP,
+											 mark, &bytes_kernel))
 	{
-		return FALSE;
+		case FAILED:
+			goto failed;
+		case SUCCESS:
+			*bytes = bytes_kernel;
+			break;
+		case NOT_SUPPORTED:
+		default:
+			break;
 	}
-	DBG(DBG_KLIPS,
-		DBG_log("  current: %d bytes", *bytes)
-	)
 
 	if (st->st_serialno == c->spd.eroute_owner)
 	{
-		DBG(DBG_KLIPS,
-			DBG_log("get %sbound policy with reqid %u"
-				, inbound? "in":"out", (u_int)c->spd.reqid + 1)
-		)
-		sa.transport_proto = c->spd.this.protocol;
-		sa.encapsulation = st->st_esp.attrs.encapsulation;
+		u_int32_t time_kernel;
 
-		if (inbound)
-		{
-			sa.src_client = &c->spd.that.client;
-			sa.dst_client = &c->spd.this.client;
-		}
-		else
+		ts_src = traffic_selector_from_subnet(&src->client, src->protocol);
+		ts_dst = traffic_selector_from_subnet(&dst->client, dst->protocol);
+
+		if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
+							ts_src, ts_dst, inbound ? POLICY_IN : POLICY_OUT,
+							mark, &time_kernel) != SUCCESS)
 		{
-			sa.src_client = &c->spd.this.client;
-			sa.dst_client = &c->spd.that.client;
+			goto failed;
 		}
-		if (!kernel_ops->get_policy(&sa, inbound, use_time))
+		*use_time = time_kernel;
+
+		if (inbound &&
+			st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
 		{
-			return FALSE;
+			if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
+							ts_src, ts_dst, POLICY_FWD, mark,
+							&time_kernel) != SUCCESS)
+			{
+				goto failed;
+			}
+			*use_time = max(*use_time, time_kernel);
 		}
-		DBG(DBG_KLIPS,
-			DBG_log("  use_time: %T", use_time, FALSE)
-		)
 	}
-	return TRUE;
+
+	result = TRUE;
+
+failed:
+	DESTROY_IF(host_src);
+	DESTROY_IF(host_dst);
+	DESTROY_IF(ts_src);
+	DESTROY_IF(ts_dst);
+	return result;
 }
 
-const struct kernel_ops *kernel_ops;
+/**
+ * Handler for kernel events (called by thread-pool thread)
+ */
+kernel_listener_t *kernel_handler;
 
-#endif /* KLIPS */
+/**
+ * Data for acquire events
+ */
+typedef struct {
+	/** Subnets */
+	ip_subnet src, dst;
+	/** Transport protocol */
+	int proto;
+} acquire_data_t;
 
-void init_kernel(void)
+/**
+ * Callback for acquire events (called by main thread)
+ */
+void handle_acquire(acquire_data_t *this)
 {
-#ifdef KLIPS
+	record_and_initiate_opportunistic(&this->src, &this->dst, this->proto,
+									  "%acquire");
+}
 
-	if (no_klips)
+METHOD(kernel_listener_t, acquire, bool,
+	   kernel_listener_t *this, u_int32_t reqid,
+	   traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+{
+	if (src_ts && dst_ts)
 	{
-		kernel_ops = &noklips_kernel_ops;
-		return;
+		acquire_data_t *data;
+		DBG(DBG_CONTROL,
+			DBG_log("creating acquire event for policy %R === %R "
+					"with reqid {%u}", src_ts, dst_ts, reqid));
+		INIT(data,
+			.src = subnet_from_traffic_selector(src_ts),
+			.dst = subnet_from_traffic_selector(dst_ts),
+			.proto = src_ts->get_protocol(src_ts),
+		);
+		pluto->events->queue(pluto->events, (void*)handle_acquire, data, free);
 	}
+	else
+	{
+		DBG(DBG_CONTROL,
+			DBG_log("ignoring acquire without traffic selectors for policy "
+					"with reqid {%u}", reqid));
+	}
+	DESTROY_IF(src_ts);
+	DESTROY_IF(dst_ts);
+	return TRUE;
+}
 
-	init_pfkey();
-
-	kernel_ops = &klips_kernel_ops;
+/**
+ * Data for mapping events
+ */
+typedef struct {
+	/** reqid, spi of affected SA */
+	u_int32_t reqid, spi;
+	/** new endpont */
+	ip_address new_end;
+} mapping_data_t;
 
-#if defined(linux) && defined(KERNEL26_SUPPORT)
-	{
-		bool linux_ipsec = 0;
-		struct stat buf;
+/**
+ * Callback for mapping events (called by main thread)
+ */
+void handle_mapping(mapping_data_t *this)
+{
+	process_nat_t_new_mapping(this->reqid, this->spi, &this->new_end);
+}
 
-		linux_ipsec = (stat("/proc/net/pfkey", &buf) == 0);
-		if (linux_ipsec)
-			{
-				plog("Using Linux 2.6 IPsec interface code");
-				kernel_ops = &linux_kernel_ops;
-			}
-		else
-			{
-				plog("Using KLIPS IPsec interface code");
-			}
-	}
-#endif
 
-	if (kernel_ops->init)
-	{
-		kernel_ops->init();
-	}
+METHOD(kernel_listener_t, mapping, bool,
+	   kernel_listener_t *this, u_int32_t reqid, u_int32_t spi, host_t *remote)
+{
+	mapping_data_t *data;
+	DBG(DBG_CONTROL,
+		DBG_log("creating mapping event for SA with SPI %.8x and reqid {%u}",
+				spi, reqid));
+	INIT(data,
+		.reqid = reqid,
+		.spi = spi,
+		.new_end = *(ip_address*)remote->get_sockaddr(remote),
+	);
+	pluto->events->queue(pluto->events, (void*)handle_mapping, data, free);
+	return TRUE;
+}
 
+void init_kernel(void)
+{
 	/* register SA types that we can negotiate */
-	can_do_IPcomp = FALSE;  /* until we get a response from KLIPS */
-	kernel_ops->pfkey_register();
+	can_do_IPcomp = FALSE;  /* until we get a response from the kernel */
+	pfkey_register();
+
+	INIT(kernel_handler,
+		.acquire = _acquire,
+		.mapping = _mapping,
+	);
+	hydra->kernel_interface->add_listener(hydra->kernel_interface,
+										  kernel_handler);
+}
 
-	if (!kernel_ops->policy_lifetime)
-	{
-		event_schedule(EVENT_SHUNT_SCAN, SHUNT_SCAN_INTERVAL, NULL);
-	}
-#endif
+void kernel_finalize()
+{
+	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
+											 kernel_handler);
+	free(kernel_handler);
 }
 
 /* Note: install_inbound_ipsec_sa is only used by the Responder.
@@ -2482,13 +1664,8 @@ bool install_inbound_ipsec_sa(struct state *st)
 			return FALSE;
 	}
 
-#ifdef KLIPS
 	/* (attempt to) actually set up the SAs */
 	return setup_half_ipsec_sa(st, TRUE);
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()"));
-	return TRUE;
-#endif /* !KLIPS */
 }
 
 /* Install a route and then a prospective shunt eroute or an SA group eroute.
@@ -2496,11 +1673,8 @@ bool install_inbound_ipsec_sa(struct state *st)
  * Any SA Group must have already been created.
  * On failure, steps will be unwound.
  */
-bool route_and_eroute(connection_t *c USED_BY_KLIPS,
-					  struct spd_route *sr USED_BY_KLIPS,
-					  struct state *st USED_BY_KLIPS)
+bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
 {
-#ifdef KLIPS
 	struct spd_route *esr;
 	struct spd_route *rosr;
 	connection_t *ero      /* who, if anyone, owns our eroute? */
@@ -2510,7 +1684,6 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 		, route_installed = FALSE;
 
 	connection_t *ero_top;
-	struct bare_shunt **bspp;
 
 	DBG(DBG_CONTROLMORE,
 		DBG_log("route_and_eroute with c: %s (next: %s) ero:%s esr:{%p} ro:%s rosr:{%p} and state: %lu"
@@ -2537,15 +1710,9 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 			break;
 #endif
 
-	bspp = (ero == NULL)
-		? bare_shunt_ptr(&sr->this.client, &sr->that.client, sr->this.protocol)
-		: NULL;
-
 	/* install the eroute */
 
-	passert(bspp == NULL || ero == NULL);       /* only one non-NULL */
-
-	if (bspp != NULL || ero != NULL)
+	if (ero != NULL)
 	{
 		/* We're replacing an eroute */
 
@@ -2571,7 +1738,6 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 				&& samesubnet(&esr->that.client, &sr->that.client));
 		}
 #endif
-		/* remember to free bspp iff we make it out of here alive */
 	}
 	else
 	{
@@ -2601,7 +1767,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 		 */
 		firewall_notified = st == NULL  /* not a tunnel eroute */
 			|| sr->eroute_owner != SOS_NOBODY   /* already notified */
-			|| do_command(c, sr, "up"); /* go ahead and notify */
+			|| do_command(c, sr, st, "up"); /* go ahead and notify */
 	}
 
 	/* install the route */
@@ -2616,8 +1782,8 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 	else if (ro == NULL)
 	{
 		/* a new route: no deletion required, but preparation is */
-		(void) do_command(c, sr, "prepare");    /* just in case; ignore failure */
-		route_installed = do_command(c, sr, "route");
+		(void) do_command(c, sr, st, "prepare");    /* just in case; ignore failure */
+		route_installed = do_command(c, sr, st, "route");
 	}
 	else if (routed(sr->routing) || routes_agree(ro, c))
 	{
@@ -2636,13 +1802,13 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 		 */
 		if (sameaddr(&sr->this.host_nexthop, &esr->this.host_nexthop))
 		{
-			(void) do_command(ro, sr, "unroute");
-			route_installed = do_command(c, sr, "route");
+			(void) do_command(ro, sr, st, "unroute");
+			route_installed = do_command(c, sr, st, "route");
 		}
 		else
 		{
-			route_installed = do_command(c, sr, "route");
-			(void) do_command(ro, sr, "unroute");
+			route_installed = do_command(c, sr, st, "route");
+			(void) do_command(ro, sr, st, "unroute");
 		}
 
 		/* record unrouting */
@@ -2663,11 +1829,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 	{
 		/* Success! */
 
-		if (bspp != NULL)
-		{
-			free_bare_shunt(bspp);
-		}
-		else if (ero != NULL && ero != c)
+		if (ero != NULL && ero != c)
 		{
 			/* check if ero is an ancestor of c. */
 			connection_t *ero2;
@@ -2713,7 +1875,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 	{
 		/* Failure!  Unwind our work. */
 		if (firewall_notified && sr->eroute_owner == SOS_NOBODY)
-			(void) do_command(c, sr, "down");
+			(void) do_command(c, sr, st, "down");
 
 		if (eroute_installed)
 		{
@@ -2721,28 +1883,7 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 			 * Since there is nothing much to be done if the restoration
 			 * fails, ignore success or failure.
 			 */
-			if (bspp != NULL)
-			{
-				/* Restore old bare_shunt.
-				 * I don't think that this case is very likely.
-				 * Normally a bare shunt would have been assigned
-				 * to a connection before we've gotten this far.
-				 */
-				struct bare_shunt *bs = *bspp;
-
-				(void) raw_eroute(&bs->said.dst /* should be useless */
-					, &bs->ours
-					, &bs->said.dst     /* should be useless */
-					, &bs->his
-					, bs->said.spi      /* network order */
-					, SA_INT
-					, SADB_X_SATYPE_INT
-					, 0
-					, null_proto_info
-					, SHUNT_PATIENCE
-					, ERO_REPLACE, "restore");
-			}
-			else if (ero != NULL)
+			if (ero != NULL)
 			{
 				/* restore ero's former glory */
 				if (esr->eroute_owner == SOS_NOBODY)
@@ -2781,14 +1922,10 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 
 		return FALSE;
 	}
-#else /* !KLIPS */
-	return TRUE;
-#endif /* !KLIPS */
 }
 
-bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
+bool install_ipsec_sa(struct state *st, bool inbound_also)
 {
-#ifdef KLIPS
 	struct spd_route *sr;
 
 	DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
@@ -2838,21 +1975,6 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
 			}
 		}
 	}
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s"
-		, inbound_also? "inbound and oubound" : "outbound only"));
-
-	switch (could_route(st->st_connection))
-	{
-		case route_easy:
-		case route_nearconflict:
-			break;
-		default:
-			return FALSE;
-	}
-
-
-#endif /* !KLIPS */
 
 	return TRUE;
 }
@@ -2861,10 +1983,8 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
  * we may not succeed, but we bull ahead anyway because
  * we cannot do anything better by recognizing failure
  */
-void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
-					 bool inbound_only USED_BY_KLIPS)
+void delete_ipsec_sa(struct state *st, bool inbound_only)
 {
-#ifdef KLIPS
 	if (!inbound_only)
 	{
 		/* If the state is the eroute owner, we must adjust
@@ -2890,7 +2010,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
 				sr->routing = (c->policy & POLICY_FAIL_MASK) == POLICY_FAIL_NONE
 					? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
 
-				(void) do_command(c, sr, "down");
+				(void) do_command(c, sr, st, "down");
 				if ((c->policy & POLICY_DONT_REKEY)	&& c->kind == CK_INSTANCE)
 				{
 					/* in this special case, even if the connection
@@ -2911,46 +2031,41 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
 		(void) teardown_half_ipsec_sa(st, FALSE);
 	}
 	(void) teardown_half_ipsec_sa(st, TRUE);
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
-#endif /* !KLIPS */
 }
 
-#ifdef KLIPS
 static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
 {
 	connection_t *c = st->st_connection;
-	char text_said[SATOT_BUF];
-	struct kernel_sa sa;
-	ip_address
-		src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
-		dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
-
-	ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
-
-	u_int16_t
-		natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
-		natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
-
-	set_text_said(text_said, &dst, esp_spi, SA_ESP);
-
-	memset(&sa, 0, sizeof(sa));
-	sa.spi = esp_spi;
-	sa.src = &src;
-	sa.dst = &dst;
-	sa.text_said = text_said;
-	sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
-	sa.natt_sport = natt_sport;
-	sa.natt_dport = natt_dport;
-	sa.transid = st->st_esp.attrs.transid;
-
-	return kernel_ops->add_sa(&sa, TRUE);
+	host_t *host_src, *host_dst, *new_src, *new_dst;
+	ipsec_spi_t spi = inbound ? st->st_esp.our_spi : st->st_esp.attrs.spi;
+	struct end *src = inbound ? &c->spd.that : &c->spd.this,
+			   *dst = inbound ? &c->spd.this : &c->spd.that;
+	mark_t mark = inbound ? c->spd.mark_in : c->spd.mark_out;
+	bool result;
+
+	host_src = host_create_from_sockaddr((sockaddr_t*)&src->host_addr);
+	host_dst = host_create_from_sockaddr((sockaddr_t*)&dst->host_addr);
+
+	new_src = host_src->clone(host_src);
+	new_dst = host_dst->clone(host_dst);
+	new_src->set_port(new_src, src->host_port);
+	new_dst->set_port(new_dst, dst->host_port);
+
+	result = hydra->kernel_interface->update_sa(hydra->kernel_interface,
+					spi, IPPROTO_ESP, 0 /* cpi */, host_src, host_dst,
+					new_src, new_dst, TRUE /* encap */, TRUE /* new_encap */,
+					mark) == SUCCESS;
+
+	host_src->destroy(host_src);
+	host_dst->destroy(host_dst);
+	new_src->destroy(new_src);
+	new_dst->destroy(new_dst);
+
+	return result;
 }
-#endif
 
-bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
+bool update_ipsec_sa (struct state *st)
 {
-#ifdef KLIPS
 	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
 	{
 		if (st->st_esp.present && (
@@ -2973,10 +2088,6 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
 		return FALSE;
 	}
 	return TRUE;
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
-	return TRUE;
-#endif /* !KLIPS */
 }
 
 /* Check if there was traffic on given SA during the last idle_max
@@ -2986,102 +2097,17 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
  */
 bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
 {
-	static const char procname[] = "/proc/net/ipsec_spi";
-	FILE *f;
-	char buf[1024];
+	time_t use_time;
 	u_int bytes;
 	int ret = TRUE;
 
 	passert(st != NULL);
 
-	f = fopen(procname, "r");
-	if (f == NULL)
+	if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
 	{
-		/* Can't open the file, perhaps were are on 26sec? */
-		time_t use_time;
-
-		if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
-		{
-			*idle_time = time(NULL) - use_time;
-			ret = *idle_time >= idle_max;
-		}
+		*idle_time = time_monotonic(NULL) - use_time;
+		ret = *idle_time >= idle_max;
 	}
-	else
-	{
-		while (f != NULL)
-		{
-			char *line;
-			char text_said[SATOT_BUF];
-			u_int8_t proto = 0;
-			ip_address dst;
-			ip_said said;
-			ipsec_spi_t spi = 0;
-			static const char idle[] = "idle=";
-
-			dst = st->st_connection->spd.this.host_addr; /* inbound SA */
-			if (st->st_ah.present)
-			{
-				proto = SA_AH;
-				spi = st->st_ah.our_spi;
-			}
-			if (st->st_esp.present)
-			{
-				proto = SA_ESP;
-				spi = st->st_esp.our_spi;
-			}
-
-			if (proto == 0 && spi == 0)
-			{
-				ret = TRUE;
-				break;
-			}
 
-			initsaid(&dst, spi, proto, &said);
-			satot(&said, 'x', text_said, SATOT_BUF);
-
-			line = fgets(buf, sizeof(buf), f);
-			if (line == NULL)
-			{
-				/* Reached end of list */
-				ret = TRUE;
-				break;
-			}
-
-			if (strneq(line, text_said, strlen(text_said)))
-			{
-				/* we found a match, now try to find idle= */
-				char *p = strstr(line, idle);
-
-				if (p == NULL)
-				{
-					/* SAs which haven't been used yet don't have it */
-					ret = TRUE; /* it didn't have traffic */
-					break;
-				}
-				p += sizeof(idle)-1;
-				if (*p == '\0')
-				{
-					ret = TRUE; /* be paranoid */
-					break;
-				}
-				if (sscanf(p, "%d", (int *) idle_time) <= 0)
-				{
-					ret = TRUE;
-					break;
-				}
-				if (*idle_time >= idle_max)
-				{
-					ret = TRUE;
-					break;
-				}
-				else
-				{
-					ret = FALSE;
-					break;
-				}
-			}
-		}
-		fclose(f);
-	}
 	return ret;
 }
diff --git a/src/pluto/kernel.h b/src/pluto/kernel.h
index 06850abfd..1fa11c50e 100644
--- a/src/pluto/kernel.h
+++ b/src/pluto/kernel.h
@@ -14,10 +14,8 @@
 
 #include "connections.h"
 
-extern bool no_klips;   /* don't actually use KLIPS */
 extern bool can_do_IPcomp;  /* can system actually perform IPCOMP? */
 
-#ifdef KLIPS
 /* Declare eroute things early enough for uses.
  *
  * Flags are encoded above the low-order byte of verbs.
@@ -32,8 +30,6 @@ extern bool can_do_IPcomp;  /* can system actually perform IPCOMP? */
 #define ERO_DELETE      SADB_X_DELFLOW
 #define ERO_ADD SADB_X_ADDFLOW
 #define ERO_REPLACE     (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
-#define ERO_ADD_INBOUND (SADB_X_ADDFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-#define ERO_DEL_INBOUND (SADB_X_DELFLOW | (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
 
 struct pfkey_proto_info {
 		int proto;
@@ -75,69 +71,6 @@ struct kernel_sa {
 		const char *text_said;
 };
 
-struct kernel_ops {
-		enum {
-				KERNEL_TYPE_NONE,
-				KERNEL_TYPE_KLIPS,
-				KERNEL_TYPE_LINUX,
-		} type;
-		bool inbound_eroute;
-		bool policy_lifetime;
-		int *async_fdp;
-
-		void (*init)(void);
-		void (*pfkey_register)(void);
-		void (*pfkey_register_response)(const struct sadb_msg *msg);
-		void (*process_queue)(void);
-		void (*process_msg)(void);
-		bool (*raw_eroute)(const ip_address *this_host,
-						   const ip_subnet *this_client,
-						   const ip_address *that_host,
-						   const ip_subnet *that_client,
-						   ipsec_spi_t spi,
-						   unsigned int satype,
-						   unsigned int transport_proto,
-						   const struct pfkey_proto_info *proto_info,
-						   time_t use_lifetime,
-						   unsigned int op,
-						   const char *text_said);
-		bool (*get_policy)(const struct kernel_sa *sa, bool inbound,
-						   time_t *use_time);
-		bool (*add_sa)(const struct kernel_sa *sa, bool replace);
-		bool (*grp_sa)(const struct kernel_sa *sa_outer,
-					   const struct kernel_sa *sa_inner);
-		bool (*del_sa)(const struct kernel_sa *sa);
-		bool (*get_sa)(const struct kernel_sa *sa, u_int *bytes);
-		ipsec_spi_t (*get_spi)(const ip_address *src,
-							   const ip_address *dst,
-							   int proto,
-							   bool tunnel_mode,
-							   unsigned reqid,
-							   ipsec_spi_t min,
-							   ipsec_spi_t max,
-							   const char *text_said);
-};
-
-
-extern const struct kernel_ops *kernel_ops;
-
-/* information from /proc/net/ipsec_eroute */
-
-struct eroute_info {
-	unsigned long count;
-	ip_subnet ours;
-	ip_subnet his;
-	ip_address dst;
-	ip_said     said;
-	int transport_proto;
-	struct eroute_info *next;
-};
-
-extern struct eroute_info *orphaned_holds;
-
-extern void show_shunt_status(void);
-#endif
-
 /* A netlink header defines EM_MAXRELSPIS, the max number of SAs in a group.
  * Is there a PF_KEY equivalent?
  */
@@ -151,22 +84,11 @@ extern void record_and_initiate_opportunistic(const ip_subnet *
 											  , const char *why);
 
 extern void init_kernel(void);
-
-extern void scan_proc_shunts(void);
+extern void kernel_finalize(void);
 
 extern bool trap_connection(struct connection *c);
 extern void unroute_connection(struct connection *c);
 
-extern bool has_bare_hold(const ip_address *src, const ip_address *dst
-						  , int transport_proto);
-
-extern bool replace_bare_shunt(const ip_address *src, const ip_address *dst
-							   , policy_prio_t policy_prio
-							   , ipsec_spi_t shunt_spi  /* in host order! */
-							   , bool repl
-							   , unsigned int transport_proto
-							   , const char *why);
-
 extern bool assign_hold(struct connection *c
 						, struct spd_route *sr
 						, int transport_proto
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 7c2855edc..2a195cffc 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -105,7 +105,7 @@ const struct sadb_alg* kernel_alg_sadb_alg_get(int satype, int exttype,
  */
 static void kernel_alg_init(void)
 {
-	DBG(DBG_KLIPS,
+	DBG(DBG_KERNEL,
 		DBG_log("alg_init(): memset(%p, 0, %d) memset(%p, 0, %d)",
 				&esp_aalg,  (int)sizeof (esp_aalg),
 				&esp_ealg,  (int)sizeof (esp_ealg))
@@ -121,7 +121,7 @@ static int kernel_alg_add(int satype, int exttype,
 	struct sadb_alg *alg_p = NULL;
 	int alg_id = sadb_alg->sadb_alg_id;
 
-	DBG(DBG_KLIPS,
+	DBG(DBG_KERNEL,
 		DBG_log("kernel_alg_add(): satype=%d, exttype=%d, alg_id=%d",
 				satype, exttype, sadb_alg->sadb_alg_id)
 	)
@@ -131,7 +131,7 @@ static int kernel_alg_add(int satype, int exttype,
 	/* This logic "mimics" KLIPS: first algo implementation will be used */
 	if (alg_p->sadb_alg_id)
 	{
-		DBG(DBG_KLIPS,
+		DBG(DBG_KERNEL,
 			DBG_log("kernel_alg_add(): discarding already setup "
 					"satype=%d, exttype=%d, alg_id=%d",
 					satype, exttype, sadb_alg->sadb_alg_id)
@@ -172,7 +172,7 @@ bool kernel_alg_esp_enc_ok(u_int alg_id, u_int key_len,
 out:
 	if (ret)
 	{
-		DBG(DBG_KLIPS,
+		DBG(DBG_KERNEL,
 			DBG_log("kernel_alg_esp_enc_ok(%d,%d): "
 					"alg_id=%d, "
 					"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
@@ -188,7 +188,7 @@ out:
 	}
 	else
 	{
-		DBG(DBG_KLIPS,
+		DBG(DBG_KERNEL,
 			DBG_log("kernel_alg_esp_enc_ok(%d,%d): NO", alg_id, key_len);
 		)
 	}
@@ -253,66 +253,6 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
 }
 
 /**
- * Load kernel_alg arrays from /proc used in manual mode from klips/utils/spi.c
- */
-int kernel_alg_proc_read(void)
-{
-	int satype;
-	int supp_exttype;
-	int alg_id, ivlen, minbits, maxbits;
-	struct sadb_alg sadb_alg;
-	int ret;
-	char buf[128];
-
-	FILE *fp=fopen("/proc/net/pf_key_supported", "r");
-
-	if (!fp)
-		return -1;
-
-	kernel_alg_init();
-
-	while (fgets(buf, sizeof(buf), fp))
-	{
-		if (buf[0] != ' ') /* skip titles */
-			continue;
-
-		sscanf(buf, "%d %d %d %d %d %d"
-				,&satype, &supp_exttype
-				, &alg_id, &ivlen
-				, &minbits, &maxbits);
-
-		switch (satype)
-		{
-		case SADB_SATYPE_ESP:
-			switch(supp_exttype)
-			{
-			case SADB_EXT_SUPPORTED_AUTH:
-			case SADB_EXT_SUPPORTED_ENCRYPT:
-				sadb_alg.sadb_alg_id = alg_id;
-				sadb_alg.sadb_alg_ivlen = ivlen;
-				sadb_alg.sadb_alg_minbits = minbits;
-				sadb_alg.sadb_alg_maxbits = maxbits;
-				ret = kernel_alg_add(satype, supp_exttype, &sadb_alg);
-				DBG(DBG_CRYPT,
-					DBG_log("kernel_alg_proc_read() alg_id=%d, "
-							"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
-							"ret=%d"
-							, sadb_alg.sadb_alg_id
-							, sadb_alg.sadb_alg_ivlen
-							, sadb_alg.sadb_alg_minbits
-							, sadb_alg.sadb_alg_maxbits
-							, ret)
-				)
-			}
-		default:
-			continue;
-		}
-	}
-	fclose(fp);
-	return 0;
-}
-
-/**
  * Load kernel_alg arrays pluto's SADB_REGISTER user by pluto/kernel.c
  */
 void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
@@ -346,7 +286,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 		int supp_exttype = sadb.supported->sadb_supported_exttype;
 		int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN;
 
-		DBG(DBG_KLIPS,
+		DBG(DBG_KERNEL,
 			DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
 					"sadb_msg_len=%d sadb_supported_len=%d"
 					, satype==SADB_SATYPE_ESP? "ESP" : "AH"
@@ -363,7 +303,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
 		{
 			kernel_alg_add(satype, supp_exttype, sadb.alg);
 
-			DBG(DBG_KLIPS,
+			DBG(DBG_KERNEL,
 				DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
 						"alg[%d], exttype=%d, satype=%d, alg_id=%d, "
 						"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
@@ -438,7 +378,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id)
 	}
 
 none:
-	DBG(DBG_KLIPS,
+	DBG(DBG_KERNEL,
 		DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d",
 				alg_id, keylen)
 	)
@@ -450,7 +390,7 @@ struct sadb_alg* kernel_alg_esp_sadb_alg(u_int alg_id)
 	struct sadb_alg *sadb_alg = (ESP_EALG_PRESENT(alg_id))
 				? &esp_ealg[alg_id] : NULL;
 
-	DBG(DBG_KLIPS,
+	DBG(DBG_KERNEL,
 		DBG_log("kernel_alg_esp_sadb_alg(): alg_id=%d, sadb_alg=%p"
 				, alg_id, sadb_alg)
 	)
diff --git a/src/pluto/kernel_alg.h b/src/pluto/kernel_alg.h
index 5ce8c3003..4c757db41 100644
--- a/src/pluto/kernel_alg.h
+++ b/src/pluto/kernel_alg.h
@@ -33,7 +33,6 @@ extern bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg, struc
 extern u_int kernel_alg_esp_enc_keylen(u_int alg_id);
 extern bool kernel_alg_esp_auth_ok(u_int auth, struct alg_info_esp *nfo);
 extern u_int kernel_alg_esp_auth_keylen(u_int auth);
-extern int kernel_alg_proc_read(void);
 extern void kernel_alg_list(void);
 
 /* get sadb_alg for passed args */
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
deleted file mode 100644
index 75d0c98d3..000000000
--- a/src/pluto/kernel_netlink.c
+++ /dev/null
@@ -1,1319 +0,0 @@
-/* netlink interface to the kernel's IPsec mechanism
- * Copyright (C) 2003 Herbert Xu.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#if defined(linux) && defined(KERNEL26_SUPPORT)
-
-#include <errno.h>
-#include <fcntl.h>
-#include <string.h>
-#include <sys/queue.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/queue.h>
-#include <unistd.h>
-#include <linux/xfrm.h>
-#include <linux/rtnetlink.h>
-
-#include "kameipsec.h"
-
-#include <freeswan.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "kernel.h"
-#include "kernel_netlink.h"
-#include "kernel_pfkey.h"
-#include "log.h"
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-#include "kernel_alg.h"
-
-/** required for Linux 2.6.26 kernel and later */
-#ifndef XFRM_STATE_AF_UNSPEC
-#define XFRM_STATE_AF_UNSPEC	32
-#endif
-
-/* Minimum priority number in SPD used by pluto. */
-#define MIN_SPD_PRIORITY 1024
-
-static int netlinkfd = NULL_FD;
-static int netlink_bcast_fd = NULL_FD;
-
-#define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */
-
-static sparse_names xfrm_type_names = {
-	NE(NLMSG_NOOP),
-	NE(NLMSG_ERROR),
-	NE(NLMSG_DONE),
-	NE(NLMSG_OVERRUN),
-
-	NE(XFRM_MSG_NEWSA),
-	NE(XFRM_MSG_DELSA),
-	NE(XFRM_MSG_GETSA),
-
-	NE(XFRM_MSG_NEWPOLICY),
-	NE(XFRM_MSG_DELPOLICY),
-	NE(XFRM_MSG_GETPOLICY),
-
-	NE(XFRM_MSG_ALLOCSPI),
-	NE(XFRM_MSG_ACQUIRE),
-	NE(XFRM_MSG_EXPIRE),
-
-	NE(XFRM_MSG_UPDPOLICY),
-	NE(XFRM_MSG_UPDSA),
-
-	NE(XFRM_MSG_POLEXPIRE),
-
-	NE(XFRM_MSG_MAX),
-
-	{ 0, sparse_end }
-};
-
-#undef NE
-
-/* Authentication algorithms */
-static sparse_names aalg_list = {
-	{ SADB_X_AALG_NULL,            "digest_null" },
-	{ SADB_AALG_MD5HMAC,           "md5" },
-	{ SADB_AALG_SHA1HMAC,          "sha1" },
-	{ SADB_X_AALG_SHA2_256_96HMAC, "sha256" },
-	{ SADB_X_AALG_SHA2_256HMAC,    "hmac(sha256)" },
-	{ SADB_X_AALG_SHA2_384HMAC,    "hmac(sha384)" },
-	{ SADB_X_AALG_SHA2_512HMAC,    "hmac(sha512)" },
-	{ SADB_X_AALG_RIPEMD160HMAC,   "ripemd160" },
-	{ SADB_X_AALG_AES_XCBC_MAC,    "xcbc(aes)"},
-	{ 0, sparse_end }
-};
-
-/* Encryption algorithms */
-static sparse_names ealg_list = {
-	{ SADB_EALG_NULL,            "cipher_null" },
-	{ SADB_EALG_DESCBC,          "des" },
-	{ SADB_EALG_3DESCBC,         "des3_ede" },
-	{ SADB_X_EALG_CASTCBC,       "cast128" },
-	{ SADB_X_EALG_BLOWFISHCBC,   "blowfish" },
-	{ SADB_X_EALG_AESCBC,        "aes" },
-	{ SADB_X_EALG_AESCTR,        "rfc3686(ctr(aes))" },
-	{ SADB_X_EALG_AES_CCM_ICV8,  "rfc4309(ccm(aes))" },
-	{ SADB_X_EALG_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
-	{ SADB_X_EALG_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
-	{ SADB_X_EALG_AES_GCM_ICV8,  "rfc4106(gcm(aes))" },
-	{ SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
-	{ SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
-	{ SADB_X_EALG_NULL_AES_GMAC, "rfc4543(gcm(aes))" },
-	{ SADB_X_EALG_CAMELLIACBC,   "cbc(camellia)" },
-	{ SADB_X_EALG_SERPENTCBC,    "serpent" },
-	{ SADB_X_EALG_TWOFISHCBC,    "twofish" },
-	{ 0, sparse_end }
-};
-
-/* Compression algorithms */
-static sparse_names calg_list = {
-	{ SADB_X_CALG_DEFLATE, "deflate" },
-	{ SADB_X_CALG_LZS,     "lzs" },
-	{ SADB_X_CALG_LZJH,    "lzjh" },
-	{ 0, sparse_end }
-};
-
-/** ip2xfrm - Take an IP address and convert to an xfrm.
- *
- * @param addr ip_address
- * @param xaddr xfrm_address_t - IPv[46] Address from addr is copied here.
- */
-static void ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
-{
-	if (addr->u.v4.sin_family == AF_INET)
-	{
-		xaddr->a4 = addr->u.v4.sin_addr.s_addr;
-	}
-	else
-	{
-		memcpy(xaddr->a6, &addr->u.v6.sin6_addr, sizeof(xaddr->a6));
-	}
-}
-
-/** init_netlink - Initialize the netlink inferface.  Opens the sockets and
- * then binds to the broadcast socket.
- */
-static void init_netlink(void)
-{
-	struct sockaddr_nl addr;
-
-	netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
-
-	if (netlinkfd < 0)
-	{
-		exit_log_errno((e, "socket() in init_netlink()"));
-	}
-	if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0)
-	{
-		exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()"));
-	}
-	netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
-
-	if (netlink_bcast_fd < 0)
-	{
-		exit_log_errno((e, "socket() for bcast in init_netlink()"));
-	}
-	if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0)
-	{
-		exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()"));
-	}
-	if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0)
-	{
-		exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()"));
-	}
-	addr.nl_family = AF_NETLINK;
-	addr.nl_pid = getpid();
-	addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
-	if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0)
-	{
-		exit_log_errno((e, "Failed to bind bcast socket in init_netlink()"));
-	}
-}
-
-/** send_netlink_msg
- *
- * @param hdr - Data to be sent.
- * @param rbuf - Return Buffer - contains data returned from the send.
- * @param rbuf_len - Length of rbuf
- * @param description - String - user friendly description of what is
- *                      being attempted.  Used for diagnostics
- * @param text_said - String
- * @return bool True if the message was succesfully sent.
- */
-static bool send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf,
-							 size_t rbuf_len, const char *description,
-							 const char *text_said)
-{
-	struct {
-		struct nlmsghdr n;
-		struct nlmsgerr e;
-		char data[1024];
-	} rsp;
-
-	size_t len;
-	ssize_t r;
-	struct sockaddr_nl addr;
-	static uint32_t seq;
-
-	if (no_klips)
-	{
-		return TRUE;
-	}
-
-	hdr->nlmsg_seq = ++seq;
-	len = hdr->nlmsg_len;
-	do {
-		r = write(netlinkfd, hdr, len);
-	}
-	while (r < 0 && errno == EINTR);
-
-	if (r < 0)
-	{
-		log_errno((e
-			, "netlink write() of %s message"
-			  " for %s %s failed"
-			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-			, description, text_said));
-		return FALSE;
-	}
-	else if ((size_t)r != len)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "ERROR: netlink write() of %s message"
-			  " for %s %s truncated: %ld instead of %lu"
-			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-			, description, text_said
-			, (long)r, (unsigned long)len);
-		return FALSE;
-	}
-
-	for (;;)
-	{
-		socklen_t alen;
-
-		alen = sizeof(addr);
-		r = recvfrom(netlinkfd, &rsp, sizeof(rsp), 0
-			, (struct sockaddr *)&addr, &alen);
-		if (r < 0)
-		{
-			if (errno == EINTR)
-			{
-				continue;
-			}
-			log_errno((e
-				, "netlink recvfrom() of response to our %s message"
-				  " for %s %s failed"
-				, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-				, description, text_said));
-			return FALSE;
-		}
-		else if ((size_t) r < sizeof(rsp.n))
-		{
-			plog("netlink read truncated message: %ld bytes; ignore message"
-				, (long) r);
-			continue;
-		}
-		else if (addr.nl_pid != 0)
-		{
-			/* not for us: ignore */
-			DBG(DBG_KLIPS,
-				DBG_log("netlink: ignoring %s message from process %u"
-					, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)
-					, addr.nl_pid));
-			continue;
-		}
-		else if (rsp.n.nlmsg_seq != seq)
-		{
-			DBG(DBG_KLIPS,
-				DBG_log("netlink: ignoring out of sequence (%u/%u) message %s"
-					, rsp.n.nlmsg_seq, seq
-					, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)));
-			continue;
-		}
-		break;
-	}
-
-	if (rsp.n.nlmsg_len > (size_t) r)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "netlink recvfrom() of response to our %s message"
-			  " for %s %s was truncated: %ld instead of %lu"
-			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-			, description, text_said
-			, (long) len, (unsigned long) rsp.n.nlmsg_len);
-		return FALSE;
-	}
-	else if (rsp.n.nlmsg_type != NLMSG_ERROR
-	&& (rbuf && rsp.n.nlmsg_type != rbuf->nlmsg_type))
-	{
-		loglog(RC_LOG_SERIOUS
-			, "netlink recvfrom() of response to our %s message"
-			  " for %s %s was of wrong type (%s)"
-			, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-			, description, text_said
-			, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type));
-		return FALSE;
-	}
-	else if (rbuf)
-	{
-		if ((size_t) r > rbuf_len)
-		{
-			loglog(RC_LOG_SERIOUS
-				, "netlink recvfrom() of response to our %s message"
-				  " for %s %s was too long: %ld > %lu"
-				, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-				, description, text_said
-				, (long)r, (unsigned long)rbuf_len);
-			return FALSE;
-		}
-		memcpy(rbuf, &rsp, r);
-		return TRUE;
-	}
-	else if (rsp.n.nlmsg_type == NLMSG_ERROR && rsp.e.error)
-	{
-		loglog(RC_LOG_SERIOUS
-			, "ERROR: netlink response for %s %s included errno %d: %s"
-			, description, text_said
-			, -rsp.e.error
-			, strerror(-rsp.e.error));
-		return FALSE;
-	}
-
-	return TRUE;
-}
-
-/** netlink_policy -
- *
- * @param hdr - Data to check
- * @param enoent_ok - Boolean - OK or not OK.
- * @param text_said - String
- * @return boolean
- */
-static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok,
-						   const char *text_said)
-{
-	struct {
-		struct nlmsghdr n;
-		struct nlmsgerr e;
-		char data[1024];
-	} rsp;
-	int error;
-
-	rsp.n.nlmsg_type = NLMSG_ERROR;
-	if (!send_netlink_msg(hdr, &rsp.n, sizeof(rsp), "policy", text_said))
-	{
-		return FALSE;
-	}
-
-	error = -rsp.e.error;
-	if (!error)
-	{
-		return TRUE;
-	}
-
-	if (error == ENOENT && enoent_ok)
-	{
-		return TRUE;
-	}
-
-	loglog(RC_LOG_SERIOUS
-		, "ERROR: netlink %s response for flow %s included errno %d: %s"
-		, sparse_val_show(xfrm_type_names, hdr->nlmsg_type)
-		, text_said
-		, error
-		, strerror(error));
-	return FALSE;
-}
-
-/** netlink_raw_eroute
- *
- * @param this_host ip_address
- * @param this_client ip_subnet
- * @param that_host ip_address
- * @param that_client ip_subnet
- * @param spi
- * @param proto int (Currently unused) Contains protocol (u=tcp, 17=udp, etc...)
- * @param transport_proto int (Currently unused) 0=tunnel, 1=transport
- * @param satype int
- * @param proto_info
- * @param lifetime (Currently unused)
- * @param ip int
- * @return boolean True if successful
- */
-static bool netlink_raw_eroute(const ip_address *this_host
-							 , const ip_subnet *this_client
-							 , const ip_address *that_host
-							 , const ip_subnet *that_client
-							 , ipsec_spi_t spi
-							 , unsigned int satype
-							 , unsigned int transport_proto
-							 , const struct pfkey_proto_info *proto_info
-							 , time_t use_lifetime UNUSED
-							 , unsigned int op
-							 , const char *text_said)
-{
-	struct {
-		struct nlmsghdr n;
-		union {
-			struct xfrm_userpolicy_info p;
-			struct xfrm_userpolicy_id id;
-		} u;
-		char data[1024];
-	} req;
-	int shift;
-	int dir;
-	int family;
-	int policy;
-	bool ok;
-	bool enoent_ok;
-
-	policy = IPSEC_POLICY_IPSEC;
-
-	if (satype == SADB_X_SATYPE_INT)
-	{
-		/* shunt route */
-		switch (ntohl(spi))
-		{
-		case SPI_PASS:
-			policy = IPSEC_POLICY_NONE;
-			break;
-		case SPI_DROP:
-		case SPI_REJECT:
-		default:
-			policy = IPSEC_POLICY_DISCARD;
-			break;
-		case SPI_TRAP:
-		case SPI_TRAPSUBNET:
-		case SPI_HOLD:
-			if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-			{
-				return TRUE;
-			}
-			break;
-		}
-	}
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-
-	family = that_client->addr.u.v4.sin_family;
-	shift = (family == AF_INET) ? 5 : 7;
-
-	req.u.p.sel.sport = portof(&this_client->addr);
-	req.u.p.sel.dport = portof(&that_client->addr);
-	req.u.p.sel.sport_mask = (req.u.p.sel.sport) ? ~0:0;
-	req.u.p.sel.dport_mask = (req.u.p.sel.dport) ? ~0:0;
-	ip2xfrm(&this_client->addr, &req.u.p.sel.saddr);
-	ip2xfrm(&that_client->addr, &req.u.p.sel.daddr);
-	req.u.p.sel.prefixlen_s = this_client->maskbits;
-	req.u.p.sel.prefixlen_d = that_client->maskbits;
-	req.u.p.sel.proto = transport_proto;
-	req.u.p.sel.family = family;
-
-	dir = XFRM_POLICY_OUT;
-	if (op & (SADB_X_SAFLAGS_INFLOW << ERO_FLAG_SHIFT))
-	{
-		dir = XFRM_POLICY_IN;
-	}
-
-	if ((op & ERO_MASK) == ERO_DELETE)
-	{
-		req.u.id.dir = dir;
-		req.n.nlmsg_type = XFRM_MSG_DELPOLICY;
-		req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.id)));
-	}
-	else
-	{
-		int src, dst;
-
-		req.u.p.dir = dir;
-
-		src = req.u.p.sel.prefixlen_s;
-		dst = req.u.p.sel.prefixlen_d;
-		if (dir != XFRM_POLICY_OUT) {
-			src = req.u.p.sel.prefixlen_d;
-			dst = req.u.p.sel.prefixlen_s;
-		}
-		req.u.p.priority = MIN_SPD_PRIORITY
-			+ (((2 << shift) - src) << shift)
-			+ (2 << shift) - dst;
-
-		req.u.p.action = XFRM_POLICY_ALLOW;
-		if (policy == IPSEC_POLICY_DISCARD)
-		{
-			req.u.p.action = XFRM_POLICY_BLOCK;
-		}
-		req.u.p.lft.soft_use_expires_seconds = use_lifetime;
-		req.u.p.lft.soft_byte_limit = XFRM_INF;
-		req.u.p.lft.soft_packet_limit = XFRM_INF;
-		req.u.p.lft.hard_byte_limit = XFRM_INF;
-		req.u.p.lft.hard_packet_limit = XFRM_INF;
-
-		req.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
-		if (op & (SADB_X_SAFLAGS_REPLACEFLOW << ERO_FLAG_SHIFT))
-		{
-			req.n.nlmsg_type = XFRM_MSG_UPDPOLICY;
-		}
-		req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.u.p)));
-	}
-
-	if (policy == IPSEC_POLICY_IPSEC && (op & ERO_MASK) != ERO_DELETE)
-	{
-		struct rtattr *attr;
-		struct xfrm_user_tmpl tmpl[4];
-		int i;
-
-		memset(tmpl, 0, sizeof(tmpl));
-		for (i = 0; proto_info[i].proto; i++)
-		{
-			tmpl[i].reqid = proto_info[i].reqid;
-			tmpl[i].id.proto = proto_info[i].proto;
-			tmpl[i].optional =
-				proto_info[i].proto == IPPROTO_COMP && dir != XFRM_POLICY_OUT;
-			tmpl[i].aalgos = tmpl[i].ealgos = tmpl[i].calgos = ~0;
-			tmpl[i].family = that_host->u.v4.sin_family;
-			tmpl[i].mode =
-				proto_info[i].encapsulation == ENCAPSULATION_MODE_TUNNEL;
-			if (!tmpl[i].mode)
-			{
-				continue;
-			}
-
-			ip2xfrm(this_host, &tmpl[i].saddr);
-			ip2xfrm(that_host, &tmpl[i].id.daddr);
-		}
-
-		attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
-		attr->rta_type = XFRMA_TMPL;
-		attr->rta_len = i * sizeof(tmpl[0]);
-		memcpy(RTA_DATA(attr), tmpl, attr->rta_len);
-		attr->rta_len = RTA_LENGTH(attr->rta_len);
-		req.n.nlmsg_len += attr->rta_len;
-	}
-
-	enoent_ok = FALSE;
-	if (op == ERO_DEL_INBOUND)
-	{
-		enoent_ok = TRUE;
-	}
-	else if (op == ERO_DELETE && ntohl(spi) == SPI_HOLD)
-	{
-		enoent_ok = TRUE;
-	}
-
-	ok = netlink_policy(&req.n, enoent_ok, text_said);
-	switch (dir)
-	{
-	case XFRM_POLICY_IN:
-		if (req.n.nlmsg_type == XFRM_MSG_DELPOLICY)
-		{
-			req.u.id.dir = XFRM_POLICY_FWD;
-		}
-		else if (!ok)
-		{
-			break;
-		}
-		else if (proto_info[0].encapsulation != ENCAPSULATION_MODE_TUNNEL
-		&& satype != SADB_X_SATYPE_INT)
-		{
-			break;
-		}
-		else
-		{
-			req.u.p.dir = XFRM_POLICY_FWD;
-		}
-		ok &= netlink_policy(&req.n, enoent_ok, text_said);
-		break;
-	}
-
-	return ok;
-}
-
-/** netlink_add_sa - Add an SA into the kernel SPDB via netlink
- *
- * @param sa Kernel SA to add/modify
- * @param replace boolean - true if this replaces an existing SA
- * @return bool True if successfull
- */
-static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
-{
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_usersa_info p;
-		char data[1024];
-	} req;
-	struct rtattr *attr;
-	u_int16_t icv_size = 64;
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	req.n.nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
-
-	ip2xfrm(sa->src, &req.p.saddr);
-	ip2xfrm(sa->dst, &req.p.id.daddr);
-
-	req.p.id.spi = sa->spi;
-	req.p.id.proto = satype2proto(sa->satype);
-	req.p.family = sa->src->u.v4.sin_family;
-	if (sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	{
-		req.p.mode = XFRM_MODE_TUNNEL;
-		req.p.flags |= XFRM_STATE_AF_UNSPEC;
-	}
-	else
-	{
-		req.p.mode = XFRM_MODE_TRANSPORT;
-	}
-	req.p.replay_window = sa->replay_window;
-	req.p.reqid = sa->reqid;
-	req.p.lft.soft_byte_limit = XFRM_INF;
-	req.p.lft.soft_packet_limit = XFRM_INF;
-	req.p.lft.hard_byte_limit = XFRM_INF;
-	req.p.lft.hard_packet_limit = XFRM_INF;
-
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.p)));
-
-	attr = (struct rtattr *)((char *)&req + req.n.nlmsg_len);
-
-	if (sa->authalg)
-	{
-		const char *name;
-
-		name = sparse_name(aalg_list, sa->authalg);
-		if (!name)
-		{
-			loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u"
-				, sa->authalg);
-			return FALSE;
-		}
-		DBG(DBG_CRYPT,
-			DBG_log("configured authentication algorithm %s with key size %d",
-					enum_show(&auth_alg_names, sa->authalg),
-					sa->authkeylen * BITS_PER_BYTE)
-			)
-
-		if (sa->authalg == SADB_X_AALG_SHA2_256HMAC)
-		{
-			struct xfrm_algo_auth algo;
-
-			/* the kernel uses SHA256 with 96 bit truncation by default,
-			 * use specified truncation size supported by newer kernels */
-			strcpy(algo.alg_name, name);
-			algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
-			algo.alg_trunc_len = 128;
-
-			attr->rta_type = XFRMA_ALG_AUTH_TRUNC;
-			attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
-
-			memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-			memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
-				, sa->authkeylen);
-		}
-		else
-		{
-			struct xfrm_algo algo;
-
-			strcpy(algo.alg_name, name);
-			algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
-
-			attr->rta_type = XFRMA_ALG_AUTH;
-			attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
-
-			memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-			memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
-				, sa->authkeylen);
-		}
-		req.n.nlmsg_len += attr->rta_len;
-		attr = (struct rtattr *)((char *)attr + attr->rta_len);
-	}
-
-	switch (sa->encalg)
-	{
-		case SADB_EALG_NONE:
-			/* no encryption */
-			break;
-		case SADB_X_EALG_AES_CCM_ICV16:
-		case SADB_X_EALG_AES_GCM_ICV16:
-		case SADB_X_EALG_NULL_AES_GMAC:
-			icv_size += 32;
-			/* FALL */
-		case SADB_X_EALG_AES_CCM_ICV12:
-		case SADB_X_EALG_AES_GCM_ICV12:
-			icv_size += 32;
-			/* FALL */
-		case SADB_X_EALG_AES_CCM_ICV8:
-		case SADB_X_EALG_AES_GCM_ICV8:
-		{
-			struct xfrm_algo_aead *algo;
-			const char *name;
-
-			name = sparse_name(ealg_list, sa->encalg);
-			if (!name)
-			{
-				loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u",
-					   sa->encalg);
-				return FALSE;
-			}
-			DBG(DBG_CRYPT,
-				DBG_log("configured esp encryption algorithm %s with key size %d",
-						enum_show(&esp_transform_names, sa->encalg),
-						sa->enckeylen * BITS_PER_BYTE)
-			)
-			attr->rta_type = XFRMA_ALG_AEAD;
-			attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen);
-			req.n.nlmsg_len += attr->rta_len;
-
-			algo = (struct xfrm_algo_aead*)RTA_DATA(attr);
-			algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
-			algo->alg_icv_len = icv_size;
-			strcpy(algo->alg_name, name);
-			memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
-
-			attr = (struct rtattr *)((char *)attr + attr->rta_len);
-			break;
-		}
-		default:
-		{
-			struct xfrm_algo *algo;
-			const char *name;
-
-			name = sparse_name(ealg_list, sa->encalg);
-			if (!name)
-			{
-				loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u",
-					   sa->encalg);
-				return FALSE;
-			}
-			DBG(DBG_CRYPT,
-				DBG_log("configured esp encryption algorithm %s with key size %d",
-						enum_show(&esp_transform_names, sa->encalg),
-						sa->enckeylen * BITS_PER_BYTE)
-			)
-			attr->rta_type = XFRMA_ALG_CRYPT;
-			attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + sa->enckeylen);
-			req.n.nlmsg_len += attr->rta_len;
-
-			algo = (struct xfrm_algo*)RTA_DATA(attr);
-			algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
-			strcpy(algo->alg_name, name);
-			memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
-
-			attr = (struct rtattr *)((char *)attr + attr->rta_len);
-		}
-	}
-
-	if (sa->compalg)
-	{
-		struct xfrm_algo algo;
-		const char *name;
-
-		name = sparse_name(calg_list, sa->compalg);
-		if (!name)
-		{
-			loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u"
-				, sa->compalg);
-			return FALSE;
-		}
-
-		strcpy(algo.alg_name, name);
-		algo.alg_key_len = 0;
-
-		attr->rta_type = XFRMA_ALG_COMP;
-		attr->rta_len = RTA_LENGTH(sizeof(algo));
-
-		memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-
-		req.n.nlmsg_len += attr->rta_len;
-		attr = (struct rtattr *)((char *)attr + attr->rta_len);
-	}
-
-	if (sa->natt_type)
-	{
-		struct xfrm_encap_tmpl natt;
-
-		natt.encap_type = sa->natt_type;
-		natt.encap_sport = ntohs(sa->natt_sport);
-		natt.encap_dport = ntohs(sa->natt_dport);
-		memset (&natt.encap_oa, 0, sizeof (natt.encap_oa));
-
-		attr->rta_type = XFRMA_ENCAP;
-		attr->rta_len = RTA_LENGTH(sizeof(natt));
-
-		memcpy(RTA_DATA(attr), &natt, sizeof(natt));
-
-		req.n.nlmsg_len += attr->rta_len;
-		attr = (struct rtattr *)((char *)attr + attr->rta_len);
-	}
-
-	return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
-}
-
-/** netlink_del_sa - Delete an SA from the Kernel
- *
- * @param sa Kernel SA to be deleted
- * @return bool True if successfull
- */
-static bool netlink_del_sa(const struct kernel_sa *sa)
-{
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_usersa_id id;
-		char data[1024];
-	} req;
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
-	req.n.nlmsg_type = XFRM_MSG_DELSA;
-
-	ip2xfrm(sa->dst, &req.id.daddr);
-
-	req.id.spi = sa->spi;
-	req.id.family = sa->src->u.v4.sin_family;
-	req.id.proto = sa->proto;
-
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-
-	return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said);
-}
-
-static bool netlink_error(const char *req_type, const struct nlmsghdr *n,
-						  const struct nlmsgerr *e, int rsp_size)
-{
-	if (n->nlmsg_type == NLMSG_ERROR)
-	{
-		DBG(DBG_KLIPS,
-			DBG_log("%s returned with errno %d: %s"
-			, req_type
-			, -e->error
-			, strerror(-e->error))
-		)
-		return TRUE;
-	}
-	if (n->nlmsg_len < NLMSG_LENGTH(rsp_size))
-	{
-		plog("%s returned message with length %lu < %lu bytes"
-			, req_type
-			, (unsigned long) n->nlmsg_len
-			, (unsigned long) rsp_size);
-		return TRUE;
-	}
-	return FALSE;
-}
-
-static bool netlink_get_policy(const struct kernel_sa *sa, bool inbound,
-							   time_t *use_time)
-{
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_userpolicy_id id;
-	} req;
-
-	struct {
-		struct nlmsghdr n;
-		union {
-			struct nlmsgerr e;
-			struct xfrm_userpolicy_info info;
-		} u;
-		char data[1024];
-	} rsp;
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST;
-	req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
-
-	req.id.sel.sport = portof(&sa->src_client->addr);
-	req.id.sel.dport = portof(&sa->dst_client->addr);
-	req.id.sel.sport_mask = (req.id.sel.sport) ? ~0:0;
-	req.id.sel.dport_mask = (req.id.sel.dport) ? ~0:0;
-	ip2xfrm(&sa->src_client->addr, &req.id.sel.saddr);
-	ip2xfrm(&sa->dst_client->addr, &req.id.sel.daddr);
-	req.id.sel.prefixlen_s = sa->src_client->maskbits;
-	req.id.sel.prefixlen_d = sa->dst_client->maskbits;
-	req.id.sel.proto = sa->transport_proto;
-	req.id.sel.family = sa->dst_client->addr.u.v4.sin_family;
-
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-	rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
-
-	req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT;
-
-	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
-	{
-		return FALSE;
-	}
-	if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
-	{
-		return FALSE;
-	}
-	*use_time = (time_t)rsp.u.info.curlft.use_time;
-
-	if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
-	{
-		time_t use_time_fwd;
-
-		req.id.dir = XFRM_POLICY_FWD;
-
-		if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
-		{
-			return FALSE;
-		}
-		if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
-		{
-			return FALSE;
-		}
-		use_time_fwd = (time_t)rsp.u.info.curlft.use_time;
-		*use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd;
-	}
-	return TRUE;
-}
-
-
-/** netlink_get_sa - Get information about an SA from the Kernel
- *
- * @param sa Kernel SA to be queried
- * @return bool True if successfull
- */
-static bool netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
-{
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_usersa_id id;
-	} req;
-
-	struct {
-		struct nlmsghdr n;
-		union {
-			struct nlmsgerr e;
-			struct xfrm_usersa_info info;
-		} u;
-		char data[1024];
-	} rsp;
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST;
-	req.n.nlmsg_type = XFRM_MSG_GETSA;
-
-	ip2xfrm(sa->dst, &req.id.daddr);
-
-	req.id.spi = sa->spi;
-	req.id.family = sa->src->u.v4.sin_family;
-	req.id.proto = sa->proto;
-
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-	rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
-
-	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said))
-	{
-		return FALSE;
-	}
-	if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
-	{
-		return FALSE;
-	}
-	*bytes = (u_int) rsp.u.info.curlft.bytes;
-	return TRUE;
-}
-
-static void linux_pfkey_register_response(const struct sadb_msg *msg)
-{
-	switch (msg->sadb_msg_satype)
-	{
-	case SADB_SATYPE_ESP:
-#ifndef NO_KERNEL_ALG
-			kernel_alg_register_pfkey(msg, msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
-#endif
-			break;
-	case SADB_X_SATYPE_IPCOMP:
-		can_do_IPcomp = TRUE;
-		break;
-	default:
-		break;
-	}
-}
-
-/** linux_pfkey_register - Register via PFKEY our capabilities
- *
- */
-static void linux_pfkey_register(void)
-{
-	pfkey_register_proto(SADB_SATYPE_AH, "AH");
-	pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
-	pfkey_register_proto(SADB_X_SATYPE_IPCOMP, "IPCOMP");
-	pfkey_close();
-}
-
-/** Create ip_address out of xfrm_address_t.
- *
- * @param family
- * @param src xfrm formatted IP address
- * @param dst ip_address formatted destination
- * @return err_t NULL if okay, otherwise an error
- */
-static err_t xfrm_to_ip_address(unsigned family, const xfrm_address_t *src,
-								ip_address *dst)
-{
-	switch (family)
-	{
-	case AF_INET:   /* IPv4 */
-	case AF_UNSPEC: /* Unspecified, we assume IPv4 */
-		initaddr((const void *) &src->a4, sizeof(src->a4), AF_INET, dst);
-		return NULL;
-	case AF_INET6:  /* IPv6 */
-		initaddr((const void *) &src->a6, sizeof(src->a6), AF_INET6, dst);
-		return NULL;
-	default:
-		return "unknown address family";
-	}
-}
-
-/* Create a pair of ip_address's out of xfrm_sel.
- *
- * @param sel xfrm selector
- * @param src ip_address formatted source
- * @param dst ip_address formatted destination
- * @return err_t NULL if okay, otherwise an error
- */
-static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel,
-								 ip_address *src, ip_address *dst)
-{
-	int family;
-	err_t ugh;
-
-	family = sel->family;
-
-	if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src))
-		|| (ugh = xfrm_to_ip_address(family, &sel->daddr, dst)))
-	{
-		return ugh;
-	}
-
-	/* family has been verified in xfrm_to_ip_address. */
-	if (family == AF_INET)
-	{
-		src->u.v4.sin_port = sel->sport;
-		dst->u.v4.sin_port = sel->dport;
-	}
-	else
-	{
-		src->u.v6.sin6_port = sel->sport;
-		dst->u.v6.sin6_port = sel->dport;
-	}
-
-   return NULL;
-}
-
-static void netlink_acquire(struct nlmsghdr *n)
-{
-	struct xfrm_user_acquire *acquire;
-	ip_address src, dst;
-	ip_subnet ours, his;
-	unsigned transport_proto;
-	err_t ugh = NULL;
-
-	if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*acquire)))
-	{
-		plog("netlink_acquire got message with length %lu < %lu bytes; ignore message"
-			, (unsigned long) n->nlmsg_len
-			, (unsigned long) sizeof(*acquire));
-		return;
-	}
-
-	acquire = NLMSG_DATA(n);
-	transport_proto = acquire->sel.proto;
-
-	/* XXX also the type of src/dst should be checked to make sure
-	 *     that they aren't v4 to v6 or something goofy
-	 */
-
-	if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst))
-	&& !(ugh = addrtosubnet(&src, &ours))
-	&& !(ugh = addrtosubnet(&dst, &his)))
-	{
-		record_and_initiate_opportunistic(&ours, &his, transport_proto
-			, "%acquire-netlink");
-	}
-	if (ugh != NULL)
-	{
-		plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh);
-	}
-}
-
-static void netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
-{
-	ip_address src, dst;
-	unsigned transport_proto;
-	err_t ugh = NULL;
-
-	transport_proto = pol->sel.proto;
-
-	if (!(ugh = xfrm_sel_to_ip_pair(&pol->sel, &src, &dst)))
-	{
-		plog("XFRM_MSG_POLEXPIRE message from kernel malformed: %s", ugh);
-		return;
-	}
-
-	replace_bare_shunt(&src, &dst, BOTTOM_PRIO, SPI_PASS, FALSE, transport_proto
-		, "delete expired bare shunt");
-}
-
-static void netlink_policy_expire(struct nlmsghdr *n)
-{
-	struct xfrm_user_polexpire *upe;
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_userpolicy_id id;
-	} req;
-
-	struct {
-		struct nlmsghdr n;
-		union {
-			struct nlmsgerr e;
-			struct xfrm_userpolicy_info pol;
-		} u;
-		char data[1024];
-	} rsp;
-
-	if (n->nlmsg_len < NLMSG_LENGTH(sizeof(*upe)))
-	{
-		plog("netlink_policy_expire got message with length %lu < %lu bytes; ignore message"
-			, (unsigned long) n->nlmsg_len
-			, (unsigned long) sizeof(*upe));
-		return;
-	}
-
-	upe = NLMSG_DATA(n);
-	req.id.dir = upe->pol.dir;
-	req.id.index = upe->pol.index;
-	req.n.nlmsg_flags = NLM_F_REQUEST;
-	req.n.nlmsg_type = XFRM_MSG_GETPOLICY;
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.id)));
-
-	rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
-
-	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
-	{
-		return;
-	}
-	if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol)))
-	{
-		return;
-	}
-	if (req.id.index != rsp.u.pol.index)
-	{
-		DBG(DBG_KLIPS,
-			DBG_log("netlink_policy_expire: policy was replaced: "
-					"dir=%d, oldindex=%d, newindex=%d"
-				, req.id.dir, req.id.index, rsp.u.pol.index));
-		return;
-	}
-
-	if (upe->pol.curlft.add_time != rsp.u.pol.curlft.add_time)
-	{
-		DBG(DBG_KLIPS,
-			DBG_log("netlink_policy_expire: policy was replaced "
-					" and you have won the lottery: "
-					"dir=%d, index=%d"
-				, req.id.dir, req.id.index));
-		return;
-	}
-
-	switch (upe->pol.dir)
-	{
-	case XFRM_POLICY_OUT:
-		netlink_shunt_expire(&rsp.u.pol);
-		break;
-	}
-}
-
-static bool netlink_get(void)
-{
-	struct {
-		struct nlmsghdr n;
-		char data[1024];
-	} rsp;
-	ssize_t r;
-	struct sockaddr_nl addr;
-	socklen_t alen;
-
-	alen = sizeof(addr);
-	r = recvfrom(netlink_bcast_fd, &rsp, sizeof(rsp), 0
-		, (struct sockaddr *)&addr, &alen);
-	if (r < 0)
-	{
-		if (errno == EAGAIN)
-			return FALSE;
-		if (errno != EINTR)
-			log_errno((e, "recvfrom() failed in netlink_get"));
-		return TRUE;
-	}
-	else if ((size_t) r < sizeof(rsp.n))
-	{
-		plog("netlink_get read truncated message: %ld bytes; ignore message"
-			, (long) r);
-		return TRUE;
-	}
-	else if (addr.nl_pid != 0)
-	{
-		/* not for us: ignore */
-		DBG(DBG_KLIPS,
-			DBG_log("netlink_get: ignoring %s message from process %u"
-				, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)
-				, addr.nl_pid));
-		return TRUE;
-	}
-	else if ((size_t) r != rsp.n.nlmsg_len)
-	{
-		plog("netlink_get read message with length %ld that doesn't equal nlmsg_len %lu bytes; ignore message"
-			, (long) r
-			, (unsigned long) rsp.n.nlmsg_len);
-		return TRUE;
-	}
-
-	DBG(DBG_KLIPS,
-		DBG_log("netlink_get: %s message"
-				, sparse_val_show(xfrm_type_names, rsp.n.nlmsg_type)));
-
-	switch (rsp.n.nlmsg_type)
-	{
-	case XFRM_MSG_ACQUIRE:
-		netlink_acquire(&rsp.n);
-		break;
-	case XFRM_MSG_POLEXPIRE:
-		netlink_policy_expire(&rsp.n);
-		break;
-	default:
-		/* ignored */
-		break;
-	}
-
-	return TRUE;
-}
-
-static void netlink_process_msg(void)
-{
-	while (netlink_get());
-}
-
-static ipsec_spi_t netlink_get_spi(const ip_address *src, const ip_address *dst,
-								  int proto, bool tunnel_mode, unsigned reqid,
-								  ipsec_spi_t min, ipsec_spi_t max,
-								  const char *text_said)
-{
-	struct {
-		struct nlmsghdr n;
-		struct xfrm_userspi_info spi;
-	} req;
-
-	struct {
-		struct nlmsghdr n;
-		union {
-			struct nlmsgerr e;
-			struct xfrm_usersa_info sa;
-		} u;
-		char data[1024];
-	} rsp;
-
-	memset(&req, 0, sizeof(req));
-	req.n.nlmsg_flags = NLM_F_REQUEST;
-	req.n.nlmsg_type = XFRM_MSG_ALLOCSPI;
-
-	ip2xfrm(src, &req.spi.info.saddr);
-	ip2xfrm(dst, &req.spi.info.id.daddr);
-	req.spi.info.mode = tunnel_mode;
-	req.spi.info.reqid = reqid;
-	req.spi.info.id.proto = proto;
-	req.spi.info.family = src->u.v4.sin_family;
-	req.spi.min = min;
-	req.spi.max = max;
-
-	req.n.nlmsg_len = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(req.spi)));
-	rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
-
-	if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said))
-	{
-		return 0;
-	}
-	if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa)))
-	{
-		return 0;
-	}
-	DBG(DBG_KLIPS,
-		DBG_log("netlink_get_spi: allocated 0x%x for %s"
-			, ntohl(rsp.u.sa.id.spi), text_said));
-	return rsp.u.sa.id.spi;
-}
-
-const struct kernel_ops linux_kernel_ops = {
-		type: KERNEL_TYPE_LINUX,
-		inbound_eroute: 1,
-		policy_lifetime: 1,
-		async_fdp: &netlink_bcast_fd,
-
-		init: init_netlink,
-		pfkey_register: linux_pfkey_register,
-		pfkey_register_response: linux_pfkey_register_response,
-		process_msg: netlink_process_msg,
-		raw_eroute: netlink_raw_eroute,
-		get_policy: netlink_get_policy,
-		add_sa: netlink_add_sa,
-		del_sa: netlink_del_sa,
-		get_sa: netlink_get_sa,
-		process_queue: NULL,
-		grp_sa: NULL,
-		get_spi: netlink_get_spi,
-};
-#endif /* linux && KLIPS */
diff --git a/src/pluto/kernel_noklips.c b/src/pluto/kernel_noklips.c
deleted file mode 100644
index e99efe062..000000000
--- a/src/pluto/kernel_noklips.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* interface to fake kernel interface, used for testing pluto in-vitro.
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
- * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
- * Copyright (C) 2003 Herbert Xu.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <sys/select.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/queue.h>
-
-#include <freeswan.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "constants.h"
-#include "defs.h"
-#include "kernel.h"
-#include "kernel_noklips.h"
-#include "log.h"
-#include "whack.h"      /* for RC_LOG_SERIOUS */
-
-void
-init_noklips(void)
-{
-  return;
-}
-
-/* asynchronous messages from our queue */
-static void
-noklips_dequeue(void)
-{
-}
-
-/* asynchronous messages directly from PF_KEY socket */
-static void
-noklips_event(void)
-{
-}
-
-static void
-noklips_register_response(const struct sadb_msg *msg UNUSED)
-{
-}
-
-static void
-noklips_register(void)
-{
-}
-
-static bool
-noklips_raw_eroute(const ip_address *this_host UNUSED
-				   , const ip_subnet *this_client UNUSED
-				   , const ip_address *that_host UNUSED
-				   , const ip_subnet *that_client UNUSED
-				   , ipsec_spi_t spi UNUSED
-				   , unsigned int satype UNUSED
-				   , unsigned int transport_proto UNUSED
-				   , const struct pfkey_proto_info *proto_info UNUSED
-				   , time_t use_lifetime UNUSED
-				   , unsigned int op UNUSED
-				   , const char *text_said UNUSED)
-{
-  return TRUE;
-}
-
-static bool
-noklips_add_sa(const struct kernel_sa *sa UNUSED
-			   , bool replace UNUSED)
-{
-  return TRUE;
-}
-
-static bool
-noklips_grp_sa(const struct kernel_sa *sa0 UNUSED
-			   , const struct kernel_sa *sa1 UNUSED)
-{
-  return TRUE;
-}
-
-static bool
-noklips_del_sa(const struct kernel_sa *sa UNUSED)
-{
-  return TRUE;
-}
-
-
-const struct kernel_ops noklips_kernel_ops = {
-		type: KERNEL_TYPE_NONE,
-		async_fdp: NULL,
-
-		init: init_noklips,
-		pfkey_register: noklips_register,
-		pfkey_register_response: noklips_register_response,
-		process_queue: noklips_dequeue,
-		process_msg: noklips_event,
-		raw_eroute: noklips_raw_eroute,
-		add_sa: noklips_add_sa,
-		grp_sa: noklips_grp_sa,
-		del_sa: noklips_del_sa,
-		get_sa: NULL,
-		get_spi: NULL,
-		inbound_eroute: FALSE,
-		policy_lifetime: FALSE
-};
diff --git a/src/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c
index 99ba4ff30..77fff2f9e 100644
--- a/src/pluto/kernel_pfkey.c
+++ b/src/pluto/kernel_pfkey.c
@@ -1,7 +1,9 @@
-/* pfkey interface to the kernel's IPsec mechanism
- * Copyright (C) 1997 Angelos D. Keromytis.
- * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  * Copyright (C) 2003 Herbert Xu.
+ * Copyright (C) 1998-2002  D. Hugh Redelmeier.
+ * Copyright (C) 1997 Angelos D. Keromytis.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -14,41 +16,29 @@
  * for more details.
  */
 
-#ifdef KLIPS
-
 #include <errno.h>
-#include <fcntl.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
 #include <unistd.h>
 
 #include <sys/select.h>
-#include <sys/time.h>
 #include <sys/socket.h>
 #include <sys/types.h>
-#include <sys/queue.h>
 
 #include <freeswan.h>
 #include <pfkeyv2.h>
 #include <pfkey.h>
 
 #include "constants.h"
-#include "defs.h"
 #include "kernel.h"
 #include "kernel_pfkey.h"
 #include "log.h"
 #include "whack.h"      /* for RC_LOG_SERIOUS */
-#include "demux.h"
-#include "nat_traversal.h"
-#include "alg_info.h"
 #include "kernel_alg.h"
 
 
 static int pfkeyfd = NULL_FD;
 
 typedef u_int32_t pfkey_seq_t;
-static pfkey_seq_t pfkey_seq = 0;       /* sequence number for our PF_KEY messages */
+static pfkey_seq_t pfkey_seq = 0; /* sequence number for our PF_KEY messages */
 
 static pid_t pid;
 
@@ -77,106 +67,19 @@ static sparse_names pfkey_type_names = {
 		{ 0, sparse_end }
 };
 
-#ifdef NEVER /* not needed yet */
-static sparse_names pfkey_ext_names = {
-		NE(SADB_EXT_RESERVED),
-		NE(SADB_EXT_SA),
-		NE(SADB_EXT_LIFETIME_CURRENT),
-		NE(SADB_EXT_LIFETIME_HARD),
-		NE(SADB_EXT_LIFETIME_SOFT),
-		NE(SADB_EXT_ADDRESS_SRC),
-		NE(SADB_EXT_ADDRESS_DST),
-		NE(SADB_EXT_ADDRESS_PROXY),
-		NE(SADB_EXT_KEY_AUTH),
-		NE(SADB_EXT_KEY_ENCRYPT),
-		NE(SADB_EXT_IDENTITY_SRC),
-		NE(SADB_EXT_IDENTITY_DST),
-		NE(SADB_EXT_SENSITIVITY),
-		NE(SADB_EXT_PROPOSAL),
-		NE(SADB_EXT_SUPPORTED_AUTH),
-		NE(SADB_EXT_SUPPORTED_ENCRYPT),
-		NE(SADB_EXT_SPIRANGE),
-		NE(SADB_X_EXT_KMPRIVATE),
-		NE(SADB_X_EXT_SATYPE2),
-		NE(SADB_X_EXT_SA2),
-		NE(SADB_X_EXT_ADDRESS_DST2),
-		NE(SADB_X_EXT_ADDRESS_SRC_FLOW),
-		NE(SADB_X_EXT_ADDRESS_DST_FLOW),
-		NE(SADB_X_EXT_ADDRESS_SRC_MASK),
-		NE(SADB_X_EXT_ADDRESS_DST_MASK),
-		NE(SADB_X_EXT_DEBUG),
-		{ 0, sparse_end }
-};
-#endif /* NEVER */
-
 #undef NE
 
-void
-init_pfkey(void)
-{
-	pid = getpid();
-
-	/* open PF_KEY socket */
-
-	pfkeyfd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
-
-	if (pfkeyfd == -1)
-		exit_log_errno((e, "socket() in init_pfkeyfd()"));
-
-#ifdef NEVER    /* apparently unsupported! */
-	if (fcntl(pfkeyfd, F_SETFL, O_NONBLOCK) != 0)
-		exit_log_errno((e, "fcntl(O_NONBLOCK) in init_pfkeyfd()"));
-#endif
-	if (fcntl(pfkeyfd, F_SETFD, FD_CLOEXEC) != 0)
-		exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_pfkeyfd()"));
-
-	DBG(DBG_KLIPS,
-		DBG_log("process %u listening for PF_KEY_V2 on file descriptor %d", (unsigned)pid, pfkeyfd));
-}
-
-/* Kinds of PF_KEY message from the kernel:
- * - response to a request from us
- *   + ACK/NAK
- *   + Register: indicates transforms supported by kernel
- *   + SPI requested by getspi
- * - Acquire, requesting us to deal with trapped clear packet
- * - expiration of of one of our SAs
- * - messages to other processes
- *
- * To minimize the effect on the event-driven structure of Pluto,
- * responses are dealt with synchronously.  We hope that the Kernel
- * produces them synchronously.  We must "read ahead" in the PF_KEY
- * stream, saving Acquire and Expiry messages that are encountered.
- * We ignore messages to other processes.
- */
-
 typedef union {
 		unsigned char bytes[PFKEYv2_MAX_MSGSIZE];
 		struct sadb_msg msg;
 	} pfkey_buf;
 
-/* queue of unprocessed PF_KEY messages input from kernel
- * Note that the pfkey_buf may be partly allocated, reflecting
- * the variable length nature of the messages.  So the link field
- * must come first.
- */
-typedef struct pfkey_item {
-		struct pfkey_item *next;
-		pfkey_buf buf;
-	} pfkey_item;
-
-static pfkey_item *pfkey_iq_head = NULL;        /* oldest */
-static pfkey_item *pfkey_iq_tail;       /* youngest */
-
 static bool
 pfkey_input_ready(void)
 {
-	fd_set readfds;
 	int ndes;
-	struct timeval tm;
-
-	tm.tv_sec = 0;      /* don't wait at all */
-	tm.tv_usec = 0;
+	fd_set readfds;
+	struct timeval tm = { .tv_sec = 0 }; /* don't wait, polling */
 
 	FD_ZERO(&readfds);  /* we only care about pfkeyfd */
 	FD_SET(pfkeyfd, &readfds);
@@ -190,16 +93,16 @@ pfkey_input_ready(void)
 		log_errno((e, "select() failed in pfkey_get()"));
 		return FALSE;
 	}
-
-	if (ndes == 0)
+	else if (ndes == 0)
+	{
 		return FALSE;   /* nothing to read */
-
+	}
 	passert(ndes == 1 && FD_ISSET(pfkeyfd, &readfds));
 	return TRUE;
 }
 
 /* get a PF_KEY message from kernel.
- * Returns TRUE is message found, FALSE if no message pending,
+ * Returns TRUE if message found, FALSE if no message pending,
  * and aborts or keeps trying when an error is encountered.
  * The only validation of the message is that the message length
  * received matches that in the message header, and that the message
@@ -216,48 +119,48 @@ pfkey_get(pfkey_buf *buf)
 		ssize_t len;
 
 		if (!pfkey_input_ready())
+		{
 			return FALSE;
+		}
 
 		len = read(pfkeyfd, buf->bytes, sizeof(buf->bytes));
 
 		if (len < 0)
 		{
 			if (errno == EAGAIN)
+			{
 				return FALSE;
-
+			}
 			log_errno((e, "read() failed in pfkey_get()"));
 			return FALSE;
 		}
-		else if ((size_t) len < sizeof(buf->msg))
+		else if ((size_t)len < sizeof(buf->msg))
 		{
-			plog("pfkey_get read truncated PF_KEY message: %d bytes; ignoring message"
-				, (int) len);
+			plog("pfkey_get read truncated PF_KEY message: %d bytes; ignoring",
+				 (int)len);
 		}
-		else if ((size_t) len != buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN)
+		else if ((size_t)len != buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN)
 		{
-			plog("pfkey_get read PF_KEY message with length %d that doesn't equal sadb_msg_len %u * %u; ignoring message"
-				, (int) len
-				, (unsigned) buf->msg.sadb_msg_len
-				, (unsigned) IPSEC_PFKEYv2_ALIGN);
+			plog("pfkey_get read PF_KEY message with length %d that doesn't"
+				 " equal sadb_msg_len %u * %u; ignoring message", (int)len,
+				 (unsigned)buf->msg.sadb_msg_len, (unsigned)IPSEC_PFKEYv2_ALIGN);
 		}
-		else if (!(buf->msg.sadb_msg_pid == (unsigned)pid
-		|| (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_ACQUIRE)
-		|| (buf->msg.sadb_msg_type == SADB_REGISTER)
-		|| (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING)))
+		else if (buf->msg.sadb_msg_pid != (unsigned)pid)
 		{
 			/* not for us: ignore */
-			DBG(DBG_KLIPS,
-				DBG_log("pfkey_get: ignoring PF_KEY %s message %u for process %u"
-					, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-					, buf->msg.sadb_msg_seq
-					, buf->msg.sadb_msg_pid));
+			DBG(DBG_KERNEL,
+				DBG_log("pfkey_get: ignoring PF_KEY %s message %u for process"
+						" %u", sparse_val_show(pfkey_type_names,
+											   buf->msg.sadb_msg_type),
+						buf->msg.sadb_msg_seq, buf->msg.sadb_msg_pid));
 		}
 		else
 		{
-			DBG(DBG_KLIPS,
-				DBG_log("pfkey_get: %s message %u"
-					, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-					, buf->msg.sadb_msg_seq));
+			DBG(DBG_KERNEL,
+				DBG_log("pfkey_get: %s message %u",
+						sparse_val_show(pfkey_type_names,
+										buf->msg.sadb_msg_type),
+						buf->msg.sadb_msg_seq));
 			return TRUE;
 		}
 	}
@@ -269,285 +172,49 @@ pfkey_get_response(pfkey_buf *buf, pfkey_seq_t seq)
 {
 	while (pfkey_get(buf))
 	{
-		if (buf->msg.sadb_msg_pid == (unsigned)pid
-		&& buf->msg.sadb_msg_seq == seq)
+		if (buf->msg.sadb_msg_seq == seq)
 		{
 			return TRUE;
 		}
-		else
-		{
-			/* Not for us: queue it. */
-			size_t bl = buf->msg.sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
-			pfkey_item *it = malloc(offsetof(pfkey_item, buf) + bl);
-
-			memcpy(&it->buf, buf, bl);
-
-			it->next = NULL;
-			if (pfkey_iq_head == NULL)
-			{
-				pfkey_iq_head = it;
-			}
-			else
-			{
-				pfkey_iq_tail->next = it;
-			}
-			pfkey_iq_tail = it;
-		}
 	}
 	return FALSE;
 }
 
-/* Process a SADB_REGISTER message from the kernel.
- * This will be a response to one of ours, but it may be asynchronous
- * (if kernel modules are loaded and unloaded).
- * Some sanity checking has already been performed.
- */
-static void
-klips_pfkey_register_response(const struct sadb_msg *msg)
-{
-	/* Find out what the kernel can support.
-	 * In fact, the only question at the moment
-	 * is whether it can support IPcomp.
-	 * So we ignore the rest.
-	 * ??? we really should pay attention to what transforms are supported.
-	 */
-	switch (msg->sadb_msg_satype)
-	{
-	case SADB_SATYPE_AH:
-		break;
-	case SADB_SATYPE_ESP:
-#ifndef NO_KERNEL_ALG
-		kernel_alg_register_pfkey(msg, sizeof (pfkey_buf));
-#endif
-		break;
-	case SADB_X_SATYPE_COMP:
-		/* ??? There ought to be an extension to list the
-		 * supported algorithms, but RFC 2367 doesn't
-		 * list one for IPcomp.  KLIPS uses SADB_X_CALG_DEFLATE.
-		 * Since we only implement deflate, we'll assume this.
-		 */
-		can_do_IPcomp = TRUE;
-		break;
-	case SADB_X_SATYPE_IPIP:
-		break;
-	default:
-		break;
-	}
-}
-
-/* Processs a SADB_ACQUIRE message from KLIPS.
- * Try to build an opportunistic connection!
- * See RFC 2367 "PF_KEY Key Management API, Version 2" 3.1.6
- * <base, address(SD), (address(P)), (identity(SD),) (sensitivity,) proposal>
- * - extensions for source and data IP addresses
- * - optional extensions for identity [not useful for us?]
- * - optional extension for sensitivity [not useful for us?]
- * - expension for proposal [not useful for us?]
- *
- * ??? We must use the sequence number in creating an SA.
- * We actually need to create up to 4 SAs each way.  Which one?
- * I guess it depends on the protocol present in the sadb_msg_satype.
- * For now, we'll ignore this requirement.
- *
- * ??? We need some mechanism to make sure that multiple ACQUIRE messages
- * don't cause a whole bunch of redundant negotiations.
- */
-static void
-process_pfkey_acquire(pfkey_buf *buf, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
-	struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
-	int src_proto = srcx->sadb_address_proto;
-	int dst_proto = dstx->sadb_address_proto;
-	ip_address *src = (ip_address*)&srcx[1];
-	ip_address *dst = (ip_address*)&dstx[1];
-	ip_subnet ours, his;
-	err_t ugh = NULL;
-
-	/* assumption: we're only catching our own outgoing packets
-	 * so source is our end and destination is the other end.
-	 * Verifying this is not actually convenient.
-	 *
-	 * This stylized control structure yields a complaint or
-	 * desired results.  For compactness, a pointer value is
-	 * treated as a boolean.  Logically, the structure is:
-	 * keep going as long as things are OK.
-	 */
-	if (buf->msg.sadb_msg_pid == 0      /* we only wish to hear from kernel */
-	&& !(ugh = src_proto == dst_proto? NULL : "src and dst protocols differ")
-	&& !(ugh = addrtypeof(src) == addrtypeof(dst)? NULL : "conflicting address types")
-	&& !(ugh = addrtosubnet(src, &ours))
-	&& !(ugh = addrtosubnet(dst, &his)))
-		record_and_initiate_opportunistic(&ours, &his, src_proto, "%acquire");
-
-	if (ugh != NULL)
-		plog("SADB_ACQUIRE message from KLIPS malformed: %s", ugh);
-
-}
-
-/* Handle PF_KEY messages from the kernel that are not dealt with
- * synchronously.  In other words, all but responses to PF_KEY messages
- * that we sent.
- */
-static void
-pfkey_async(pfkey_buf *buf)
-{
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-
-	if (pfkey_msg_parse(&buf->msg, NULL, extensions, EXT_BITS_OUT))
-	{
-		plog("pfkey_async:"
-			" unparseable PF_KEY message:"
-			" %s len=%d, errno=%d, seq=%d, pid=%d; message ignored"
-			, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-			, buf->msg.sadb_msg_len
-			, buf->msg.sadb_msg_errno
-			, buf->msg.sadb_msg_seq
-			, buf->msg.sadb_msg_pid);
-	}
-	else
-	{
-		DBG(DBG_CONTROL | DBG_KLIPS, DBG_log("pfkey_async:"
-			" %s len=%u, errno=%u, satype=%u, seq=%u, pid=%u"
-			, sparse_val_show(pfkey_type_names, buf->msg.sadb_msg_type)
-			, buf->msg.sadb_msg_len
-			, buf->msg.sadb_msg_errno
-			, buf->msg.sadb_msg_satype
-			, buf->msg.sadb_msg_seq
-			, buf->msg.sadb_msg_pid));
-
-		switch (buf->msg.sadb_msg_type)
-		{
-		case SADB_REGISTER:
-			kernel_ops->pfkey_register_response(&buf->msg);
-			break;
-		case SADB_ACQUIRE:
-			/* to simulate loss of ACQUIRE, delete this call */
-			process_pfkey_acquire(buf, extensions);
-			break;
-		case SADB_X_NAT_T_NEW_MAPPING:
-			process_pfkey_nat_t_new_mapping(&(buf->msg), extensions);
-			break;
-		default:
-			/* ignored */
-			break;
-		}
-	}
-}
-
-/* asynchronous messages from our queue */
-static void
-pfkey_dequeue(void)
-{
-	while (pfkey_iq_head != NULL)
-	{
-		pfkey_item *it = pfkey_iq_head;
-
-		pfkey_async(&it->buf);
-		pfkey_iq_head = it->next;
-		free(it);
-	}
-
-	/* Handle any orphaned holds, but only if no pfkey input is pending.
-	 * For each, we initiate Opportunistic.
-	 * note: we don't need to advance the pointer because
-	 * record_and_initiate_opportunistic will remove the current
-	 * record each time we call it.
-	 */
-	while (orphaned_holds != NULL && !pfkey_input_ready())
-	  record_and_initiate_opportunistic(&orphaned_holds->ours
-										, &orphaned_holds->his
-										, orphaned_holds->transport_proto
-										, "%hold found-pfkey");
-
-}
-
-/* asynchronous messages directly from PF_KEY socket */
-static void
-pfkey_event(void)
-{
-	pfkey_buf buf;
-
-	if (pfkey_get(&buf))
-		pfkey_async(&buf);
-}
-
 static bool
-pfkey_build(int error
-, const char *description
-, const char *text_said
-, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+pfkey_build(int error, const char *description, const char *text_said,
+			struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
-	if (error == 0)
-	{
-		return TRUE;
-	}
-	else
+	if (error != 0)
 	{
-		loglog(RC_LOG_SERIOUS, "building of %s %s failed, code %d"
-			, description, text_said, error);
+		loglog(RC_LOG_SERIOUS, "building of %s %s failed, code %d", description,
+							   text_said, error);
 		pfkey_extensions_free(extensions);
 		return FALSE;
 	}
+	return TRUE;
 }
 
 /* pfkey_extensions_init + pfkey_build + pfkey_msg_hdr_build */
 static bool
-pfkey_msg_start(u_int8_t msg_type
-, u_int8_t satype
-, const char *description
-, const char *text_said
-, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
+pfkey_msg_start(u_int8_t msg_type, u_int8_t satype, const char *description,
+				const char *text_said,
+				struct sadb_ext *extensions[SADB_EXT_MAX + 1])
 {
 	pfkey_extensions_init(extensions);
-	return pfkey_build(pfkey_msg_hdr_build(&extensions[0], msg_type
-			, satype, 0, ++pfkey_seq, pid)
-		, description, text_said, extensions);
-}
-
-/* pfkey_build + pfkey_address_build */
-static bool
-pfkeyext_address(u_int16_t exttype
-, const ip_address *address
-, const char *description
-, const char *text_said
-, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	/* the following variable is only needed to silence
-	 * a warning caused by the fact that the argument
-	 * to sockaddrof is NOT pointer to const!
-	 */
-	ip_address t = *address;
-
-	return pfkey_build(pfkey_address_build(extensions + exttype
-			, exttype, 0, 0, sockaddrof(&t))
-		, description, text_said, extensions);
-}
-
-/* pfkey_build + pfkey_x_protocol_build */
-static bool
-pfkeyext_protocol(int transport_proto
-, const char *description
-, const char *text_said
-, struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	return (transport_proto == 0)? TRUE
-		: pfkey_build(
-			pfkey_x_protocol_build(extensions + SADB_X_EXT_PROTOCOL, transport_proto)
-			, description, text_said, extensions);
+	return pfkey_build(pfkey_msg_hdr_build(&extensions[0], msg_type, satype, 0,
+										   ++pfkey_seq, pid),
+					   description, text_said, extensions);
 }
 
-
 /* Finish (building, sending, accepting response for) PF_KEY message.
  * If response isn't NULL, the response from the kernel will be
  * placed there (and its errno field will not be examined).
  * Returns TRUE iff all appears well.
  */
 static bool
-finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1]
-, const char *description
-, const char *text_said
-, pfkey_buf *response)
+finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1],
+				 const char *description, const char *text_said,
+				 pfkey_buf *response)
 {
 	struct sadb_msg *pfkey_msg;
 	bool success = TRUE;
@@ -557,368 +224,157 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1]
 
 	if (error != 0)
 	{
-		loglog(RC_LOG_SERIOUS, "pfkey_msg_build of %s %s failed, code %d"
-			, description, text_said, error);
+		loglog(RC_LOG_SERIOUS, "pfkey_msg_build of %s %s failed, code %d",
+							   description, text_said, error);
 		success = FALSE;
 	}
 	else
 	{
 		size_t len = pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN;
 
-		DBG(DBG_KLIPS,
-			DBG_log("finish_pfkey_msg: %s message %u for %s %s"
-				, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
-				, pfkey_msg->sadb_msg_seq
-				, description, text_said);
+		DBG(DBG_KERNEL,
+			DBG_log("finish_pfkey_msg: %s message %u for %s %s",
+					sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type),
+					pfkey_msg->sadb_msg_seq, description, text_said);
 			DBG_dump(NULL, (void *) pfkey_msg, len));
 
-		if (!no_klips)
-		{
-			ssize_t r = write(pfkeyfd, pfkey_msg, len);
+		ssize_t r = write(pfkeyfd, pfkey_msg, len);
 
-			if (r != (ssize_t)len)
+		if (r != (ssize_t)len)
+		{
+			if (r < 0)
 			{
-				if (r < 0)
-				{
-					log_errno((e
-						, "pfkey write() of %s message %u"
-						  " for %s %s failed"
-						, sparse_val_show(pfkey_type_names
-							, pfkey_msg->sadb_msg_type)
-						, pfkey_msg->sadb_msg_seq
-						, description, text_said));
-				}
-				else
-				{
-					loglog(RC_LOG_SERIOUS
-						, "ERROR: pfkey write() of %s message %u"
-						  " for %s %s truncated: %ld instead of %ld"
-						, sparse_val_show(pfkey_type_names
-							, pfkey_msg->sadb_msg_type)
-						, pfkey_msg->sadb_msg_seq
-						, description, text_said
-						, (long)r, (long)len);
-				}
-				success = FALSE;
+				log_errno((e, "pfkey write() of %s message %u for %s %s"
+						  " failed", sparse_val_show(pfkey_type_names,
+							pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
+						  description, text_said));
+			}
+			else
+			{
+				loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message"
+					   " %u for %s %s truncated: %ld instead of %ld",
+					   sparse_val_show(pfkey_type_names,
+							pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq,
+						description, text_said, (long)r, (long)len);
+			}
+			success = FALSE;
 
-				/* if we were compiled with debugging, but we haven't already
-				 * dumped the KLIPS command, do so.
-				 */
+			/* if we were compiled with debugging, but we haven't already
+			 * dumped the command, do so.
+			 */
 #ifdef DEBUG
-				if ((cur_debugging & DBG_KLIPS) == 0)
-					DBG_dump(NULL, (void *) pfkey_msg, len);
+			if ((cur_debugging & DBG_KERNEL) == 0)
+				DBG_dump(NULL, (void *) pfkey_msg, len);
 #endif
+		}
+		else
+		{
+			/* Check response from kernel.
+			 * It ought to be an echo, perhaps with additional info.
+			 * If the caller wants it, response will point to space.
+			 */
+			pfkey_buf b;
+			pfkey_buf *bp = response != NULL? response : &b;
+
+			if (!pfkey_get_response(bp,
+						((struct sadb_msg *)extensions[0])->sadb_msg_seq))
+			{
+				loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s"
+					   " message for %s %s", sparse_val_show(pfkey_type_names,
+							pfkey_msg->sadb_msg_type), description, text_said);
+				success = FALSE;
 			}
-			else
+			else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
 			{
-				/* Check response from KLIPS.
-				 * It ought to be an echo, perhaps with additional info.
-				 * If the caller wants it, response will point to space.
-				 */
-				pfkey_buf b;
-				pfkey_buf *bp = response != NULL? response : &b;
-
-				if (!pfkey_get_response(bp, ((struct sadb_msg *) extensions[0])->sadb_msg_seq))
-				{
-					loglog(RC_LOG_SERIOUS
-						, "ERROR: no response to our PF_KEY %s message for %s %s"
-						, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
-						, description, text_said);
-					success = FALSE;
-				}
-				else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type)
-				{
-					loglog(RC_LOG_SERIOUS
-						, "FreeS/WAN ERROR: response to our PF_KEY %s message for %s %s was of wrong type (%s)"
-						, sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type)
-						, description, text_said
-						, sparse_val_show(pfkey_type_names, bp->msg.sadb_msg_type));
-					success = FALSE;
-				}
-				else if (response == NULL && bp->msg.sadb_msg_errno != 0)
-				{
-					/* KLIPS is signalling a problem */
-					loglog(RC_LOG_SERIOUS
-						, "ERROR: PF_KEY %s response for %s %s included errno %u: %s"
-						, sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type)
-						, description, text_said
-						, (unsigned) bp->msg.sadb_msg_errno
-						, strerror(bp->msg.sadb_msg_errno));
-					success = FALSE;
-				}
+				loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s"
+					   " message for %s %s was of wrong type (%s)",
+					   sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type),
+					   description, text_said, sparse_val_show(pfkey_type_names,
+							bp->msg.sadb_msg_type));
+				success = FALSE;
+			}
+			else if (response == NULL && bp->msg.sadb_msg_errno != 0)
+			{
+				/* Kernel is signalling a problem */
+				loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s"
+					   " included errno %u: %s",
+					   sparse_val_show(pfkey_type_names,
+							pfkey_msg->sadb_msg_type), description, text_said,
+					   (unsigned) bp->msg.sadb_msg_errno,
+					   strerror(bp->msg.sadb_msg_errno));
+				success = FALSE;
 			}
 		}
 	}
-
-	/* all paths must exit this way to free resources */
 	pfkey_extensions_free(extensions);
 	pfkey_msg_free(&pfkey_msg);
 	return success;
 }
 
-/*  register SA types that can be negotiated */
-void
-pfkey_register_proto(unsigned satype, const char *satypename)
+/* Process a SADB_REGISTER message from the kernel.
+ * This will be a response to one of ours, but it may be asynchronous
+ * (if kernel modules are loaded and unloaded).
+ * Some sanity checking has already been performed.
+ */
+static void
+pfkey_register_response(const struct sadb_msg *msg)
 {
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-	pfkey_buf pfb;
-
-	if (!(pfkey_msg_start(SADB_REGISTER
-	  , satype
-	  , satypename, NULL, extensions)
-	&& finish_pfkey_msg(extensions, satypename, "", &pfb)))
-	{
-		/* ??? should this be loglog */
-		plog("no KLIPS support for %s", satypename);
-	}
-	else
+	/* Find out what the kernel can support.
+	 */
+	switch (msg->sadb_msg_satype)
 	{
-		kernel_ops->pfkey_register_response(&pfb.msg);
-		DBG(DBG_KLIPS,
-			DBG_log("%s registered with kernel.", satypename));
+	case SADB_SATYPE_ESP:
+#ifndef NO_KERNEL_ALG
+		kernel_alg_register_pfkey(msg, sizeof (pfkey_buf));
+#endif
+		break;
+	case SADB_X_SATYPE_IPCOMP:
+		/* ??? There ought to be an extension to list the
+		 * supported algorithms, but RFC 2367 doesn't
+		 * list one for IPcomp.
+		 */
+		can_do_IPcomp = TRUE;
+		break;
+	default:
+		break;
 	}
 }
 
+/**  register SA types that can be negotiated */
 static void
-klips_pfkey_register(void)
-{
-	pfkey_register_proto(SADB_SATYPE_AH, "AH");
-	pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
-	can_do_IPcomp = FALSE;  /* until we get a response from KLIPS */
-	pfkey_register_proto(SADB_X_SATYPE_COMP, "IPCOMP");
-	pfkey_register_proto(SADB_X_SATYPE_IPIP, "IPIP");
-}
-
-static bool
-pfkey_raw_eroute(const ip_address *this_host
-				 , const ip_subnet *this_client
-				 , const ip_address *that_host
-				 , const ip_subnet *that_client
-				 , ipsec_spi_t spi
-				 , unsigned int satype
-				 , unsigned int transport_proto
-				 , const struct pfkey_proto_info *proto_info UNUSED
-				 , time_t use_lifetime UNUSED
-				 , unsigned int op
-				 , const char *text_said)
+pfkey_register_proto(unsigned satype, const char *satypename)
 {
 	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-	ip_address
-		sflow_ska,
-		dflow_ska,
-		smask_ska,
-		dmask_ska;
-	int sport = ntohs(portof(&this_client->addr));
-	int dport = ntohs(portof(&that_client->addr));
-
-	networkof(this_client, &sflow_ska);
-	maskof(this_client, &smask_ska);
-	setportof(sport ? ~0:0, &smask_ska);
-
-	networkof(that_client, &dflow_ska);
-	maskof(that_client, &dmask_ska);
-	setportof(dport ? ~0:0, &dmask_ska);
-
-	if (!pfkey_msg_start(op & ERO_MASK, satype
-					   , "pfkey_msg_hdr flow", text_said, extensions))
-	{
-		return FALSE;
-	}
-
-	if (op != ERO_DELETE)
-	{
-		if (!(pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-										 , SADB_EXT_SA
-										 , spi  /* in network order */
-										 , 0, 0, 0, 0, op >> ERO_FLAG_SHIFT)
-						  , "pfkey_sa add flow", text_said, extensions)
-
-			&& pfkeyext_address(SADB_EXT_ADDRESS_SRC, this_host
-				, "pfkey_addr_s add flow", text_said, extensions)
-
-			&& pfkeyext_address(SADB_EXT_ADDRESS_DST, that_host
-								, "pfkey_addr_d add flow", text_said
-								, extensions)))
-		{
-			return FALSE;
-		}
-	}
-
-	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_FLOW, &sflow_ska
-						  , "pfkey_addr_sflow", text_said, extensions))
-	{
-		return FALSE;
-	}
-
-	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_FLOW, &dflow_ska
-						, "pfkey_addr_dflow", text_said, extensions))
-	{
-		return FALSE;
-	}
-
-	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_SRC_MASK, &smask_ska
-						, "pfkey_addr_smask", text_said, extensions))
-	{
-		return FALSE;
-	}
+	pfkey_buf pfb;
 
-	if (!pfkeyext_address(SADB_X_EXT_ADDRESS_DST_MASK, &dmask_ska
-						, "pfkey_addr_dmask", text_said, extensions))
+	if (!(pfkey_msg_start(SADB_REGISTER, satype, satypename, NULL, extensions)
+		  && finish_pfkey_msg(extensions, satypename, "", &pfb)))
 	{
-		return FALSE;
+		/* ??? should this be loglog */
+		plog("no kernel support for %s", satypename);
 	}
-
-	if (!pfkeyext_protocol(transport_proto
-						, "pfkey_x_protocol", text_said, extensions))
+	else
 	{
-		return FALSE;
+		pfkey_register_response(&pfb.msg);
+		DBG(DBG_KERNEL,
+			DBG_log("%s registered with kernel.", satypename));
 	}
-
-	return finish_pfkey_msg(extensions, "flow", text_said, NULL);
-}
-
-static bool
-pfkey_add_sa(const struct kernel_sa *sa, bool replace)
-{
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-
-	return pfkey_msg_start(replace ? SADB_UPDATE : SADB_ADD, sa->satype
-		, "pfkey_msg_hdr Add SA", sa->text_said, extensions)
-
-	&& pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-			, SADB_EXT_SA
-			, sa->spi   /* in network order */
-			, sa->replay_window, SADB_SASTATE_MATURE
-			, sa->authalg, sa->encalg ? sa->encalg: sa->compalg, 0)
-		, "pfkey_sa Add SA", sa->text_said, extensions)
-
-	&& pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src
-		, "pfkey_addr_s Add SA", sa->text_said, extensions)
-
-	&& pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst
-		, "pfkey_addr_d Add SA", sa->text_said, extensions)
-
-	&& (sa->authkeylen == 0
-		|| pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH]
-				, SADB_EXT_KEY_AUTH, sa->authkeylen * BITS_PER_BYTE
-				, sa->authkey)
-			, "pfkey_key_a Add SA", sa->text_said, extensions))
-
-	&& (sa->enckeylen == 0
-		|| pfkey_build(pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT]
-				, SADB_EXT_KEY_ENCRYPT, sa->enckeylen * BITS_PER_BYTE
-				, sa->enckey)
-			, "pfkey_key_e Add SA", sa->text_said, extensions))
-
-	&& (sa->natt_type == 0
-		|| pfkey_build(pfkey_x_nat_t_type_build(
-				&extensions[SADB_X_EXT_NAT_T_TYPE], sa->natt_type),
-				"pfkey_nat_t_type Add ESP SA",  sa->text_said, extensions))
-	&& (sa->natt_sport == 0
-		|| pfkey_build(pfkey_x_nat_t_port_build(
-						&extensions[SADB_X_EXT_NAT_T_SPORT], SADB_X_EXT_NAT_T_SPORT,
-						sa->natt_sport), "pfkey_nat_t_sport Add ESP SA", sa->text_said,
-						extensions))
-	&& (sa->natt_dport == 0
-		|| pfkey_build(pfkey_x_nat_t_port_build(
-						&extensions[SADB_X_EXT_NAT_T_DPORT], SADB_X_EXT_NAT_T_DPORT,
-						sa->natt_dport), "pfkey_nat_t_dport Add ESP SA", sa->text_said,
-						extensions))
-	&& (sa->natt_type == 0 || isanyaddr(sa->natt_oa)
-		|| pfkeyext_address(SADB_X_EXT_NAT_T_OA, sa->natt_oa
-			, "pfkey_nat_t_oa Add ESP SA", sa->text_said, extensions))
-
-	&& finish_pfkey_msg(extensions, "Add SA", sa->text_said, NULL);
-
-}
-
-static bool
-pfkey_grp_sa(const struct kernel_sa *sa0, const struct kernel_sa *sa1)
-{
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-
-	return pfkey_msg_start(SADB_X_GRPSA, sa1->satype
-		, "pfkey_msg_hdr group", sa1->text_said, extensions)
-
-	&& pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-			, SADB_EXT_SA
-			, sa1->spi  /* in network order */
-			, 0, 0, 0, 0, 0)
-		, "pfkey_sa group", sa1->text_said, extensions)
-
-	&& pfkeyext_address(SADB_EXT_ADDRESS_DST, sa1->dst
-		, "pfkey_addr_d group", sa1->text_said, extensions)
-
-	&& pfkey_build(pfkey_x_satype_build(&extensions[SADB_X_EXT_SATYPE2]
-			, sa0->satype)
-		, "pfkey_satype group", sa0->text_said, extensions)
-
-	&& pfkey_build(pfkey_sa_build(&extensions[SADB_X_EXT_SA2]
-			, SADB_X_EXT_SA2
-			, sa0->spi  /* in network order */
-			, 0, 0, 0, 0, 0)
-		, "pfkey_sa2 group", sa0->text_said, extensions)
-
-	&& pfkeyext_address(SADB_X_EXT_ADDRESS_DST2, sa0->dst
-		, "pfkey_addr_d2 group", sa0->text_said, extensions)
-
-	&& finish_pfkey_msg(extensions, "group", sa1->text_said, NULL);
-}
-
-static bool
-pfkey_del_sa(const struct kernel_sa *sa)
-{
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-
-	return pfkey_msg_start(SADB_DELETE, proto2satype(sa->proto)
-		, "pfkey_msg_hdr delete SA", sa->text_said, extensions)
-
-	&& pfkey_build(pfkey_sa_build(&extensions[SADB_EXT_SA]
-			, SADB_EXT_SA
-			, sa->spi   /* in host order */
-			, 0, SADB_SASTATE_MATURE, 0, 0, 0)
-		, "pfkey_sa delete SA", sa->text_said, extensions)
-
-	&& pfkeyext_address(SADB_EXT_ADDRESS_SRC, sa->src
-		, "pfkey_addr_s delete SA", sa->text_said, extensions)
-
-	&& pfkeyext_address(SADB_EXT_ADDRESS_DST, sa->dst
-		, "pfkey_addr_d delete SA", sa->text_said, extensions)
-
-	&& finish_pfkey_msg(extensions, "Delete SA", sa->text_said, NULL);
 }
 
 void
-pfkey_close(void)
+pfkey_register(void)
 {
-	while (pfkey_iq_head != NULL)
-	{
-		pfkey_item *it = pfkey_iq_head;
+	pid = getpid();
 
-		pfkey_iq_head = it->next;
-		free(it);
+	pfkeyfd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+	if (pfkeyfd == -1)
+	{
+		exit_log_errno((e, "socket() in init_pfkeyfd()"));
 	}
 
+	pfkey_register_proto(SADB_SATYPE_AH, "AH");
+	pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
+	pfkey_register_proto(SADB_X_SATYPE_IPCOMP, "IPCOMP");
+
 	close(pfkeyfd);
-	pfkeyfd = NULL_FD;
 }
-
-const struct kernel_ops klips_kernel_ops = {
-		type: KERNEL_TYPE_KLIPS,
-		async_fdp: &pfkeyfd,
-
-		pfkey_register: klips_pfkey_register,
-		pfkey_register_response: klips_pfkey_register_response,
-		process_queue: pfkey_dequeue,
-		process_msg: pfkey_event,
-		raw_eroute: pfkey_raw_eroute,
-		add_sa: pfkey_add_sa,
-		grp_sa: pfkey_grp_sa,
-		del_sa: pfkey_del_sa,
-		get_sa: NULL,
-		get_spi: NULL,
-		inbound_eroute: FALSE,
-		policy_lifetime: FALSE,
-		init: NULL
-};
-#endif /* KLIPS */
diff --git a/src/pluto/kernel_pfkey.h b/src/pluto/kernel_pfkey.h
index ad20a5888..b50ad6c37 100644
--- a/src/pluto/kernel_pfkey.h
+++ b/src/pluto/kernel_pfkey.h
@@ -1,6 +1,6 @@
-/* declarations of routines that interface with the kernel's pfkey mechanism
- * Copyright (C) 1998-2001  D. Hugh Redelmeier.
- * Copyright (C) 2003  Herbert Xu
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -13,9 +13,8 @@
  * for more details.
  */
 
-#ifdef KLIPS
-extern void init_pfkey(void);
-extern void pfkey_register_proto(unsigned satype, const char *satypename);
-extern void pfkey_close(void);
-extern const struct kernel_ops klips_kernel_ops;
-#endif
+/**
+ * Register our capabilities via PF_KEY, also learn the kernel's capabilities,
+ * i.e. the supported algorithms.
+ */
+void pfkey_register();
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 6db757ba7..a79c2c0d2 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -37,6 +37,8 @@
 #include <library.h>
 #include <asn1/asn1.h>
 #include <credentials/certificates/pgp_certificate.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/sets/callback_cred.h>
 
 #include "constants.h"
 #include "defs.h"
@@ -539,6 +541,128 @@ end:
 	return ugh;
 }
 
+/* struct used to prompt for a secret passphrase
+ * from a console with file descriptor fd
+ */
+typedef struct {
+	char secret[PROMPT_PASS_LEN+1];
+	bool prompt;
+	int fd;
+	int try;
+} prompt_pass_t;
+
+/**
+ * Passphrase callback to read from whack fd
+ */
+static shared_key_t* whack_pass_cb(prompt_pass_t *pass, shared_key_type_t type,
+								identification_t *me, identification_t *other,
+								id_match_t *match_me, id_match_t *match_other)
+{
+	int n;
+
+	if (type != SHARED_ANY && type != SHARED_PRIVATE_KEY_PASS)
+	{
+		return NULL;
+	}
+
+	if (pass->try > MAX_PROMPT_PASS_TRIALS)
+	{
+		whack_log(RC_LOG_SERIOUS, "invalid passphrase, too many trials");
+		return NULL;
+	}
+	if (pass->try == 1)
+	{
+		whack_log(RC_ENTERSECRET, "need passphrase for 'private key'");
+	}
+	else
+	{
+		whack_log(RC_ENTERSECRET, "invalid passphrase, please try again");
+	}
+	pass->try++;
+
+	n = read(pass->fd, pass->secret, PROMPT_PASS_LEN);
+	if (n == -1)
+	{
+		whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
+		return NULL;
+	}
+	pass->secret[n-1] = '\0';
+
+	if (strlen(pass->secret) == 0)
+	{
+		whack_log(RC_LOG_SERIOUS, "no passphrase entered, aborted");
+		return NULL;
+	}
+	if (match_me)
+	{
+		*match_me = ID_MATCH_PERFECT;
+	}
+	if (match_other)
+	{
+		*match_other = ID_MATCH_NONE;
+	}
+	return shared_key_create(SHARED_PRIVATE_KEY_PASS,
+				chunk_clone(chunk_create(pass->secret, strlen(pass->secret))));
+}
+
+/**
+ *  Loads a PKCS#1 or PGP private key file
+ */
+static private_key_t* load_private_key(char* filename, prompt_pass_t *pass,
+									   key_type_t type)
+{
+	private_key_t *key = NULL;
+	char *path;
+
+	path = concatenate_paths(PRIVATE_KEY_PATH, filename);
+	if (pass && pass->prompt && pass->fd != NULL_FD)
+	{	/* use passphrase callback */
+		callback_cred_t *cb;
+
+		cb = callback_cred_create_shared((void*)whack_pass_cb, pass);
+		lib->credmgr->add_local_set(lib->credmgr, &cb->set);
+
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+		lib->credmgr->remove_local_set(lib->credmgr, &cb->set);
+		cb->destroy(cb);
+		if (key)
+		{
+			whack_log(RC_SUCCESS, "valid passphrase");
+		}
+	}
+	else if (pass)
+	{	/* use a given passphrase */
+		mem_cred_t *mem;
+		shared_key_t *shared;
+
+		mem = mem_cred_create();
+		lib->credmgr->add_local_set(lib->credmgr, &mem->set);
+		shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
+				chunk_clone(chunk_create(pass->secret, strlen(pass->secret))));
+		mem->add_shared(mem, shared, NULL);
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+		lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
+		mem->destroy(mem);
+	}
+	else
+	{	/* no passphrase */
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+								 BUILD_FROM_FILE, path, BUILD_END);
+
+	}
+	if (key)
+	{
+		plog("  loaded private key from '%s'", filename);
+	}
+	else
+	{
+		plog("  syntax error in private key file");
+	}
+	return key;
+}
+
 /**
  * process a key file protected with optional passphrase which can either be
  * read from ipsec.secrets or prompted for by using whack
@@ -552,6 +676,7 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd)
 	memset(pass.secret,'\0', sizeof(pass.secret));
 	pass.prompt = FALSE;
 	pass.fd = whackfd;
+	pass.try = 1;
 
 	/* we expect the filename of a PKCS#1 private key file */
 
@@ -1324,7 +1449,7 @@ void list_public_keys(bool utc)
 		whack_log(RC_COMMENT, "  identity: '%Y'", key->id);
 		whack_log(RC_COMMENT, "  pubkey:    %N %4d bits, until %T %s",
 			key_type_names, public->get_type(public),
-			public->get_keysize(public) * BITS_PER_BYTE,
+			public->get_keysize(public),
 			&key->until_time, utc,
 			check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE));
 		if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
diff --git a/src/pluto/log.c b/src/pluto/log.c
index 444ac2220..6e70898a5 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -862,9 +862,6 @@ void show_status(bool all, const char *name)
 	}
 	show_connections_status(all, name);
 	show_states_status(all, name);
-#ifdef KLIPS
-	show_shunt_status();
-#endif
 }
 
 /* ip_str: a simple to use variant of addrtot.
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index 0d0cd899c..a2acce23a 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -419,7 +419,7 @@ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody,
 		close_output_pbs(&attrval);
 	}
 	enumerator->destroy(enumerator);
-	close_message(&strattr);
+	close_output_pbs(&strattr);
 	
 	modecfg_hash(r_hashval, r_hash_start, rbody->cur, st);
 	close_message(rbody);
diff --git a/src/pluto/nat_traversal.c b/src/pluto/nat_traversal.c
index feedf2aad..5e9353b72 100644
--- a/src/pluto/nat_traversal.c
+++ b/src/pluto/nat_traversal.c
@@ -1,6 +1,9 @@
-/* FreeS/WAN NAT-Traversal
- * Copyright (C) 2002-2005 Mathieu Lafon - Arkoon Network Security
- * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2002-2005 Mathieu Lafon
+ * Arkoon Network Security
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -24,10 +27,6 @@
 #include <signal.h>     /* used only if MSG_NOSIGNAL not defined */
 #include <sys/queue.h>
 
-#include <freeswan.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
 #include <library.h>
 #include <crypto/hashers/hasher.h>
 
@@ -796,80 +795,51 @@ void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st)
 	}
 }
 
-struct _new_klips_mapp_nfo {
-		struct sadb_sa *sa;
-		ip_address src, dst;
-		u_int16_t sport, dport;
+struct _new_kernel_mapp_nfo {
+		u_int32_t reqid;
+		u_int32_t spi;
+		ip_address *addr;
 };
 
-static void nat_t_new_klips_mapp (struct state *st, void *data)
+static void nat_t_new_kernel_mapp (struct state *st, void *data)
 {
 	connection_t *c = st->st_connection;
-	struct _new_klips_mapp_nfo *nfo = (struct _new_klips_mapp_nfo *)data;
+	struct _new_kernel_mapp_nfo *nfo = (struct _new_kernel_mapp_nfo *)data;
 
 	if (c != NULL && st->st_esp.present
-	&&  sameaddr(&c->spd.that.host_addr, &(nfo->src))
-	&&  st->st_esp.our_spi == nfo->sa->sadb_sa_spi)
-	{
-		nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
-								  &(nfo->dst), nfo->dport);
-	}
-}
-
-void process_pfkey_nat_t_new_mapping(
-		struct sadb_msg *msg __attribute__ ((unused)),
-		struct sadb_ext *extensions[SADB_EXT_MAX + 1])
-{
-	struct _new_klips_mapp_nfo nfo;
-	struct sadb_address *srcx = (void *) extensions[SADB_EXT_ADDRESS_SRC];
-	struct sadb_address *dstx = (void *) extensions[SADB_EXT_ADDRESS_DST];
-	struct sockaddr *srca, *dsta;
-	err_t ugh = NULL;
-
-	nfo.sa = (void *) extensions[SADB_EXT_SA];
-
-	if (!nfo.sa || !srcx || !dstx)
+		&&  nfo->spi == st->st_esp.our_spi
+		&&  nfo->reqid == c->spd.reqid)
 	{
-		plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: "
-				"got NULL params");
-		return;
-	}
-
-	srca = ((struct sockaddr *)(void *)&srcx[1]);
-	dsta = ((struct sockaddr *)(void *)&dstx[1]);
+		u_int16_t port = ntohs(portof(nfo->addr));
 
-	if (srca->sa_family != AF_INET || dsta->sa_family != AF_INET)
-	{
-		ugh = "only AF_INET supported";
-	}
-	else
-	{
-		char text_said[SATOT_BUF];
-		char _srca[ADDRTOT_BUF], _dsta[ADDRTOT_BUF];
-		ip_said said;
-
-		initaddr((const void *) &((const struct sockaddr_in *)srca)->sin_addr,
-						sizeof(((const struct sockaddr_in *)srca)->sin_addr),
-						srca->sa_family, &(nfo.src));
-		nfo.sport = ntohs(((const struct sockaddr_in *)srca)->sin_port);
-		initaddr((const void *) &((const struct sockaddr_in *)dsta)->sin_addr,
-						sizeof(((const struct sockaddr_in *)dsta)->sin_addr),
-						dsta->sa_family, &(nfo.dst));
-		nfo.dport = ntohs(((const struct sockaddr_in *)dsta)->sin_port);
+		DBG(DBG_NATT, {
+			char text_said[SATOT_BUF];
+			char olda[ADDRTOT_BUF];
+			char newa[ADDRTOT_BUF];
+			ip_said said;
 
-		DBG(DBG_NATT,
-			initsaid(&nfo.src, nfo.sa->sadb_sa_spi, SA_ESP, &said);
+			initsaid(&c->spd.that.host_addr, nfo->spi, SA_ESP, &said);
 			satot(&said, 0, text_said, SATOT_BUF);
-			addrtot(&nfo.src, 0, _srca, ADDRTOT_BUF);
-			addrtot(&nfo.dst, 0, _dsta, ADDRTOT_BUF);
-			DBG_log("new klips mapping %s %s:%d %s:%d",
-						text_said, _srca, nfo.sport, _dsta, nfo.dport);
-		)
+			addrtot(&c->spd.that.host_addr, 0, olda, ADDRTOT_BUF);
+			addrtot(nfo->addr, 0, newa, ADDRTOT_BUF);
+
+			DBG_log("new kernel mapping %s %s:%d %s:%d",
+					text_said, olda, c->spd.that.host_port, newa, port);
+		})
 
-		for_each_state((void *)nat_t_new_klips_mapp, &nfo);
+		nat_traversal_new_mapping(&c->spd.that.host_addr, c->spd.that.host_port,
+								  nfo->addr, port);
 	}
+}
 
-	if (ugh != NULL)
-		plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: %s", ugh);
+void process_nat_t_new_mapping(u_int32_t reqid, u_int32_t spi,
+							   ip_address *new_end)
+{
+	struct _new_kernel_mapp_nfo nfo = {
+		.reqid = reqid,
+		.spi = spi,
+		.addr = new_end,
+	};
+	for_each_state((void *)nat_t_new_kernel_mapp, &nfo);
 }
 
diff --git a/src/pluto/nat_traversal.h b/src/pluto/nat_traversal.h
index 98b0a2bc0..80bdaf787 100644
--- a/src/pluto/nat_traversal.h
+++ b/src/pluto/nat_traversal.h
@@ -1,5 +1,8 @@
-/* FreeS/WAN NAT-Traversal
- * Copyright (C) 2002-2003 Mathieu Lafon - Arkoon Network Security
+/*
+ * Copyright (C) 2010 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2002-2003 Mathieu Lafon
+ * Arkoon Network Security
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -115,11 +118,8 @@ void nat_traversal_change_port_lookup(struct msg_digest *md, struct state *st);
 /**
  * New NAT mapping
  */
-#ifdef __PFKEY_V2_H
-void process_pfkey_nat_t_new_mapping(
-		struct sadb_msg *,
-		struct sadb_ext *[SADB_EXT_MAX + 1]);
-#endif
+void process_nat_t_new_mapping(u_int32_t reqid, u_int32_t spi,
+							   ip_address *new_end);
 
 /**
  * IKE port floating
diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c
index c0fd041a7..10b2a4d5a 100644
--- a/src/pluto/pkcs7.c
+++ b/src/pluto/pkcs7.c
@@ -407,7 +407,7 @@ bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
 			}
 			break;
 		case PKCS7_ENCRYPTED_KEY:
-			if (!key->decrypt(key, object, &symmetric_key))
+			if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key))
 			{
 				DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa");
 				goto end;
@@ -473,7 +473,7 @@ end:
 			DBG1(DBG_LIB, "symmetric key length %d is wrong", symmetric_key.len);
 			goto failed;
 		}
-		if (iv.len != crypter->get_block_size(crypter))
+		if (iv.len != crypter->get_iv_size(crypter))
 		{
 			DBG1(DBG_LIB, "IV length %d is wrong", iv.len);
 			goto failed;
@@ -668,7 +668,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg
 		rng->destroy(rng);
 
 		rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-		rng->allocate_bytes(rng, crypter->get_block_size(crypter), &iv);
+		rng->allocate_bytes(rng, crypter->get_iv_size(crypter), &iv);
 		DBG4(DBG_LIB, "initialization vector: %B", &iv);
 		rng->destroy(rng);
 	}
@@ -710,7 +710,7 @@ chunk_t pkcs7_build_envelopedData(chunk_t data, certificate_t *cert, int enc_alg
 			chunk_free(&out);
 			return chunk_empty;
 		}
-		key->encrypt(key, symmetricKey, &protectedKey);
+		key->encrypt(key, ENCRYPT_RSA_PKCS1, symmetricKey, &protectedKey);
 		key->destroy(key);
 	}
 
diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in
index 13749e5af..b2ffb11db 100644
--- a/src/pluto/plugins/xauth/Makefile.in
+++ b/src/pluto/plugins/xauth/Makefile.in
@@ -44,6 +44,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -163,6 +164,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -194,14 +197,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -216,24 +222,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -241,7 +254,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8
index b80d13772..58cb15091 100644
--- a/src/pluto/pluto.8
+++ b/src/pluto/pluto.8
@@ -15,7 +15,6 @@ ipsec pluto
 \fIfilename\fP]
 [\-\-nofork]
 [\-\-stderrlog]
-[\-\-noklips]
 [\-\-uniqueids]
 [\fB\-\-interface\fP \fIinterfacename\fP]
 [\-\-ikeport\ \c
@@ -37,7 +36,7 @@ ipsec pluto
 [\-\-debug\(hyemitting]
 [\-\-debug\(hycontrol]
 [\-\-debug\(hylifecycle]
-[\-\-debug\(hyklips]
+[\-\-debug\(hykernel]
 [\-\-debug\(hydns]
 [\-\-debug\(hyoppo]
 [\-\-debug\(hyprivate]
@@ -209,7 +208,7 @@ ipsec whack
 [\-\-debug\(hyemitting]
 [\-\-debug\(hycontrol]
 [\-\-debug\(hylifecycle]
-[\-\-debug\(hyklips]
+[\-\-debug\(hykernel]
 [\-\-debug\(hydns]
 [\-\-debug\(hyoppo]
 [\-\-debug\(hyprivate]
@@ -256,10 +255,7 @@ In other words,
 .BR pluto
 can eliminate much of the work of manual keying.
 The actual
-secure transmission of packets is the responsibility of other parts of
-the system (see
-.BR KLIPS ,
-the companion implementation of IPsec).
+secure transmission of packets is the responsibility of the Linux kernel.
 \fIipsec_auto\fP(8) provides a more convenient interface to
 \fBpluto\fP and \fBwhack\fP.
 .SS IKE's Job
@@ -314,8 +310,8 @@ are considered policy and are left in the system administrator's hands.
 .SS Pluto
 .LP
 \fBpluto\fP is an implementation of IKE.  It runs as a daemon on a network
-node.  Currently, this network node must be a LINUX system running the
-\fBKLIPS\fP implementation of IPsec.
+node.  Currently, this network node must be a Linux 2.6 system running the
+native \fBNETKEY\fP IPsec stack.
 .LP
 \fBpluto\fP only implements a subset of IKE.  This is enough for it to
 interoperate with other instances of \fBpluto\fP, and many other IKE
@@ -331,13 +327,13 @@ peers with whom it is negotiating.
 .LP
 \fBpluto\fP initiates negotiation of a Security Association when it is
 manually prodded: the program \fBwhack\fP is run to trigger this.
-It will also initiate a negotiation when \fBKLIPS\fP traps an outbound packet
-for Opportunistic Encryption.
+It will also initiate a negotiation when the Linux kernel traps an outbound
+packet for Opportunistic Encryption.
 .LP
 \fBpluto\fP implements ISAKMP SAs itself.  After it has negotiated the
-characteristics of an IPsec SA, it directs \fBKLIPS\fP to implement it.
+characteristics of an IPsec SA, it directs the Linux kernel to implement it.
 It also invokes a script to adjust any firewall and issue \fIroute\fP(8)
-commands to direct IP packets through \fBKLIPS\fP.
+commands.
 .LP
 When \fBpluto\fP shuts down, it closes all Security Associations.
 .SS Before Running Pluto
@@ -345,8 +341,8 @@ When \fBpluto\fP shuts down, it closes all Security Associations.
 \fBpluto\fP runs as a daemon with userid root.  Before running it, a few
 things must be set up.
 .LP
-\fBpluto\fP requires \fBKLIPS\fP, the FreeS/WAN implementation of IPsec.
-All of the components of \fBKLIPS\fP and \fBpluto\fP should be installed.
+\fBpluto\fP requires a Linux 2.6 kernel with the modules for the native IPsec
+stack enabled.
 .LP
 \fBpluto\fP supports multiple public networks (that is, networks
 that are considered insecure and thus need to have their traffic
@@ -355,11 +351,8 @@ public interfaces to use by looking at all interfaces that are
 configured (the \fB\-\-interface\fP option can be used to limit
 the interfaces considered).
 It does this only when \fBwhack\fP tells it to \-\-listen,
-so the interfaces must be configured by then.  Each interface with a name of the form
-\fBipsec\fP[\fB0\fP-\fB9\fP] is taken as a \fBKLIPS\fP virtual public interface.
-Another network interface with the same IP address (there should be only
-one) is taken as the corresponding real public
-interface.  \fIifconfig\fP(8) with the \fB\-a\fP flag will show
+so the interfaces must be configured by then.
+\fIifconfig\fP(8) with the \fB\-a\fP flag will show
 the name and status of each network interface.
 .LP
 \fBpluto\fP requires a database of preshared secrets and RSA private keys.
@@ -368,33 +361,6 @@ This is described in the
 \fBpluto\fP is told of RSA public keys via \fBwhack\fP commands.
 If the connection is Opportunistic, and no RSA public key is known,
 \fBpluto\fP will attempt to fetch RSA keys using the Domain Name System.
-.SS Setting up \fBKLIPS\fP for \fBpluto\fP
-.LP
-The most basic network topology that \fBpluto\fP supports has two security
-gateways negotiating on behalf of client subnets.  The diagram of RGB's
-testbed is a good example (see \fIklips/doc/rgb_setup.txt\fP).
-.LP
-The file \fIINSTALL\fP in the base directory of this distribution
-explains how to start setting up the whole system, including \fBKLIPS\fP.
-.LP
-Make sure that the security gateways have routes to each other.  This
-is usually covered by the default route, but may require issuing
-.IR route (8)
-commands.  The route must go through a particular IP
-interface (we will assume it is \fIeth0\fP, but it need not be).  The
-interface that connects the security gateway to its client must be a
-different one.
-.LP
-It is necessary to issue a
-.IR ipsec_tncfg (8)
-command on each gateway.  The required command is:
-
-\ \ \ ipsec tncfg \-\-attach\ \-\-virtual\ ipsec0 \-\-physical\ eth0
-
-A command to set up the ipsec0 virtual interface will also need to be
-run.  It will have the same parameters as the command used to set up
-the physical interface to which it has just been connected using
-.IR ipsec_tncfg (8).
 .SS ipsec.secrets file
 .LP
 A \fBpluto\fP daemon and another IKE daemon (for example, another instance
@@ -473,13 +439,6 @@ corresponding to a particular connection.
 Often there is one representing an ISAKMP SA and another representing
 an IPsec SA.
 .LP
-\fBKLIPS\fP hooks into the routing code in a LINUX kernel.
-Traffic to be processed by an IPsec SA must be directed through
-\fBKLIPS\fP by routing commands.  Furthermore, the processing to be
-done is specified by \fIipsec eroute(8)\fP commands.
-\fBpluto\fP takes the responsibility of managing both of these special
-kinds of routes.
-.LP
 Each connection may be routed, and must be while it has an IPsec SA.
 The connection specifies the characteristics of the route: the
 interface on this machine, the ``gateway'' (the nexthop),
@@ -519,9 +478,9 @@ SA for the same connection already has an eroute, all its outgoing traffic
 is taken over by the new eroute.  The incoming traffic will still be
 processed.  This characteristic is exploited during rekeying.
 .LP
-All of these routing characteristics are expected change when
-\fBKLIPS\fP is modified to use the firewall hooks in the LINUX 2.4.x
-kernel.
+Some of these routing characteristics are specific to \fBKLIPS\fP, the FreeS/WAN
+implementation of IPsec and are not relevant when running pluto on the native
+Linux 2.6 IPsec stack.
 .SS Using Whack
 .LP
 \fBwhack\fP is used to command a running \fBpluto\fP.
@@ -691,7 +650,7 @@ Note that this has nothing to do with IKE authentication.
 .TP
 \fB\-\-compress\fP
 All proposed IPsec SAs will include IPCOMP (compression).
-This will be ignored if KLIPS is not configured with IPCOMP support.
+This will be ignored if the kernel is not configured with IPCOMP support.
 .TP
 \fB\-\-tunnel\fP
 the IPsec SA should use tunneling.  Implicit if the SA is for clients.
@@ -1304,9 +1263,6 @@ disable ``daemon fork'' (default is to fork).  In addition, after the
 lock file and control socket are created, print the line ``Pluto
 initialized'' to standard out.
 .TP
-\fB\-\-noklips\fP
-don't actually implement negotiated IPsec SAs
-.TP
 \fB\-\-uniqueids\fP
 if this option has been selected, whenever a new ISAKMP SA is
 established, any connection with the same Peer ID but a different
@@ -1317,12 +1273,6 @@ then regained at another IP address.
 \fB\-\-stderrlog\fP
 log goes to standard out {default is to use \fIsyslogd\fP(8))
 .LP
-For example
-.TP
-pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog
-.LP
-lets one test \fBpluto\fP without using the superuser account.
-.LP
 \fBpluto\fP is willing to produce a prodigious amount of debugging
 information.  To do so, it must be compiled with \-DDEBUG.  There are
 several classes of debugging output, and \fBpluto\fP may be directed to
@@ -1351,8 +1301,8 @@ show \fBpluto\fP's decision making
 \fB\-\-debug-lifecycle\fP
 [this option is temporary] log more detail of lifecycle of SAs
 .TP
-\fB\-\-debug-klips\fP
-show \fBpluto\fP's interaction with \fBKLIPS\fP
+\fB\-\-debug-kernel\fP
+show \fBpluto\fP's interaction with the kernel
 .TP
 \fB\-\-debug-dns\fP
 show \fBpluto\fP's interaction with \fBDNS\fP for KEY and TXT records
@@ -1418,11 +1368,6 @@ system (\fBpluto\fP didn't send a reply because it wasn't happy with
 the previous message).
 .SS Notes
 .LP
-If \fBpluto\fP is compiled without \-DKLIPS, it negotiates Security
-Associations but never ask the kernel to put them in place and never
-makes routing changes.  This allows \fBpluto\fP to be tested on systems
-without \fBKLIPS\fP, but makes it rather useless.
-.LP
 Each IPsec SA is assigned an SPI, a 32-bit number used to refer to the SA.
 The IKE protocol lets the destination of the SA choose the SPI.
 The range 0 to 0xFF is reserved for IANA.
@@ -1469,7 +1414,7 @@ component.  The selection is controlled by the \-\-encrypt and
 .IP \(bu
 Each of these may be combined with IPCOMP Deflate compression,
 but only if the potential connection specifies compression and only
-if KLIPS is configured with IPCOMP support.
+if the kernel is configured with IPCOMP support.
 .IP \(bu
 The IPSEC SAs may be tunnel or transport mode, where appropriate.
 The \-\-tunnel flag controls this when \fBpluto\fP is initiating.
diff --git a/src/pluto/pluto.c b/src/pluto/pluto.c
index e9c7c316b..66fdb30b9 100644
--- a/src/pluto/pluto.c
+++ b/src/pluto/pluto.c
@@ -41,6 +41,7 @@ pluto_t *pluto;
 void pluto_deinit()
 {
 	private_pluto_t *this = (private_pluto_t*)pluto;
+	this->public.events->destroy(this->public.events);
 	this->public.xauth->destroy(this->public.xauth);
 	free(this);
 	pluto = NULL;
@@ -55,6 +56,7 @@ bool pluto_init(char *file)
 
 	INIT(this,
 		.public = {
+			.events = event_queue_create(),
 			.xauth = xauth_manager_create(),
 		},
 	);
diff --git a/src/pluto/pluto.h b/src/pluto/pluto.h
index 37e6e3f33..2440093ca 100644
--- a/src/pluto/pluto.h
+++ b/src/pluto/pluto.h
@@ -31,6 +31,7 @@
 
 typedef struct pluto_t pluto_t;
 
+#include <event_queue.h>
 #include <xauth/xauth_manager.h>
 
 #include <library.h>
@@ -41,9 +42,15 @@ typedef struct pluto_t pluto_t;
 struct pluto_t {
 
 	/**
+	 * event queue (callbacks, executed by the pluto main thread)
+	 */
+	event_queue_t *events;
+
+	/**
 	 * manager for payload attributes
 	 */
 	xauth_manager_t *xauth;
+
 };
 
 /**
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 89123bb8a..627176c1b 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -79,6 +79,11 @@
 #include "whack_attribute.h"
 #include "pluto.h"
 
+/**
+ * Number of threads in the thread pool, if not specified in config.
+ */
+#define DEFAULT_THREADS 4
+
 static void usage(const char *mess)
 {
 	if (mess != NULL && *mess != '\0')
@@ -91,7 +96,6 @@ static void usage(const char *mess)
 			" \\\n\t"
 			"[--nofork]"
 			" [--stderrlog]"
-			" [--noklips]"
 			" [--nocrsend]"
 			" \\\n\t"
 			"[--strictcrlpolicy]"
@@ -125,7 +129,7 @@ static void usage(const char *mess)
 			" \\\n\t"
 			"[--debug-control]"
 			" [--debug-lifecycle]"
-			" [--debug-klips]"
+			" [--debug-kernel]"
 			" [--debug-dns]"
 			" \\\n\t"
 			"[--debug-oppo]"
@@ -295,7 +299,6 @@ int main(int argc, char **argv)
 			{ "optionsfrom", required_argument, NULL, '+' },
 			{ "nofork", no_argument, NULL, 'd' },
 			{ "stderrlog", no_argument, NULL, 'e' },
-			{ "noklips", no_argument, NULL, 'n' },
 			{ "nocrsend", no_argument, NULL, 'c' },
 			{ "strictcrlpolicy", no_argument, NULL, 'r' },
 			{ "crlcheckinterval", required_argument, NULL, 'x'},
@@ -333,7 +336,8 @@ int main(int argc, char **argv)
 			{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
 			{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
 			{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
-			{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
+			{ "debug-klips", no_argument, NULL, DBG_KERNEL + DBG_OFFSET },
+			{ "debug-kernel", no_argument, NULL, DBG_KERNEL + DBG_OFFSET },
 			{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
 			{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
 			{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
@@ -396,10 +400,6 @@ int main(int argc, char **argv)
 			log_to_stderr_desired = TRUE;
 			continue;
 
-		case 'n':       /* --noklips */
-			no_klips = TRUE;
-			continue;
-
 		case 'c':       /* --nocrsend */
 			no_cr_send = TRUE;
 			continue;
@@ -621,27 +621,19 @@ int main(int argc, char **argv)
 		fflush(stdout);
 	}
 
-	/* Close everything but ctl_fd and (if needed) stderr.
-	 * There is some danger that a library that we don't know
-	 * about is using some fd that we don't know about.
-	 * I guess we'll soon find out.
+	/* Redirect stdin, stdout and stderr to /dev/null
 	 */
 	{
-		int i;
-
-		for (i = getdtablesize() - 1; i >= 0; i--)  /* Bad hack */
-		{
-			if ((!log_to_stderr || i != 2) && i != ctl_fd)
-				close(i);
-		}
-
-		/* make sure that stdin, stdout, stderr are reserved */
-		if (open("/dev/null", O_RDONLY) != 0)
+		int fd;
+		if ((fd = open("/dev/null", O_RDWR)) == -1)
+			abort();
+		if (dup2(fd, 0) != 0)
 			abort();
-		if (dup2(0, 1) != 1)
+		if (dup2(fd, 1) != 1)
 			abort();
-		if (!log_to_stderr && dup2(0, 2) != 2)
+		if (!log_to_stderr && dup2(fd, 2) != 2)
 			abort();
+		close(fd);
 	}
 
 	init_constants();
@@ -764,6 +756,10 @@ int main(int argc, char **argv)
 	/* loading attribute certificates (experimental) */
 	ac_load_certs();
 
+	lib->processor->set_threads(lib->processor,
+			lib->settings->get_int(lib->settings, "pluto.threads",
+								   DEFAULT_THREADS));
+
 	daily_log_event();
 	call_server();
 	return -1;  /* Shouldn't ever reach this */
@@ -779,11 +775,13 @@ int main(int argc, char **argv)
  */
 void exit_pluto(int status)
 {
+	lib->processor->set_threads(lib->processor, 0);
 	reset_globals();    /* needed because we may be called in odd state */
 	free_preshared_secrets();
 	free_remembered_public_keys();
 	delete_every_connection();
 	whack_attribute_finalize(); /* free in-memory pools */
+	kernel_finalize();
 	fetch_finalize();           /* stop fetching thread */
 	free_crl_fetch();           /* free chain of crl fetch requests */
 	free_ocsp_fetch();          /* free chain of ocsp fetch requests */
diff --git a/src/pluto/server.c b/src/pluto/server.c
index 21f65f4f8..4d07843c1 100644
--- a/src/pluto/server.c
+++ b/src/pluto/server.c
@@ -56,6 +56,7 @@
 #include "adns.h"       /* needs <resolv.h> */
 #include "dnskey.h"     /* needs keys.h and adns.h */
 #include "whack.h"      /* for RC_LOG_SERIOUS */
+#include "pluto.h"
 
 #include <pfkeyv2.h>
 #include <pfkey.h>
@@ -467,7 +468,6 @@ create_socket(struct raw_iface *ifp, const char *v_name, int port)
 #endif
 
 #if defined(linux) && defined(KERNEL26_SUPPORT)
-	if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
 	{
 		struct sadb_x_policy policy;
 		int level, opt;
@@ -536,7 +536,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
 	for (ifp = rifaces; ifp != NULL; ifp = ifp->next)
 	{
 		struct raw_iface *v = NULL;     /* matching ipsecX interface */
-		struct raw_iface fake_v;
 		bool after = FALSE; /* has vfp passed ifp on the list? */
 		bool bad = FALSE;
 		struct raw_iface *vfp;
@@ -578,7 +577,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
 					 * "after" allows us to avoid double reporting.
 					 */
 #if defined(linux) && defined(KERNEL26_SUPPORT)
-					if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
 					{
 						if (after)
 						{
@@ -603,7 +601,6 @@ process_raw_ifaces(struct raw_iface *rifaces)
 			continue;
 
 #if defined(linux) && defined(KERNEL26_SUPPORT)
-		if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
 		{
 			v = ifp;
 			goto add_entry;
@@ -613,24 +610,10 @@ process_raw_ifaces(struct raw_iface *rifaces)
 		/* what if we didn't find a virtual interface? */
 		if (v == NULL)
 		{
-			if (no_klips)
-			{
-				/* kludge for testing: invent a virtual device */
-				static const char fvp[] = "virtual";
-				fake_v = *ifp;
-				passert(sizeof(fake_v.name) > sizeof(fvp));
-				strcpy(fake_v.name, fvp);
-				addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1
-					, sizeof(fake_v.name) - (sizeof(fvp) - 1));
-				v = &fake_v;
-			}
-			else
-			{
-				DBG(DBG_CONTROL,
-						DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
-							, ifp->name, ip_str(&ifp->addr)));
-				continue;
-			}
+			DBG(DBG_CONTROL,
+				DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored"
+					, ifp->name, ip_str(&ifp->addr)));
+			continue;
 		}
 
 		/* We've got all we need; see if this is a new thing:
@@ -811,7 +794,7 @@ call_server(void)
 	{
 		fd_set readfds;
 		fd_set writefds;
-		int ndes;
+		int ndes, events_fd;
 
 		/* wait for next interesting thing */
 
@@ -853,19 +836,10 @@ call_server(void)
 				FD_SET(adns_afd, &readfds);
 			}
 
-#ifdef KLIPS
-			if (!no_klips)
-			{
-				int fd = *kernel_ops->async_fdp;
-
-				if (kernel_ops->process_queue)
-					kernel_ops->process_queue();
-				if (maxfd < fd)
-					maxfd = fd;
-				passert(!FD_ISSET(fd, &readfds));
-				FD_SET(fd, &readfds);
-			}
-#endif
+			events_fd = pluto->events->get_event_fd(pluto->events);
+			if (maxfd < events_fd)
+				maxfd = events_fd;
+			FD_SET(events_fd, &readfds);
 
 			if (listening)
 			{
@@ -947,18 +921,16 @@ call_server(void)
 				ndes--;
 			}
 
-#ifdef KLIPS
-			if (!no_klips && FD_ISSET(*kernel_ops->async_fdp, &readfds))
+			if (FD_ISSET(events_fd, &readfds))
 			{
 				passert(ndes > 0);
 				DBG(DBG_CONTROL,
 					DBG_log(BLANK_FORMAT);
-					DBG_log("*received kernel message"));
-				kernel_ops->process_msg();
+					DBG_log("*handling asynchronous events"));
+				pluto->events->handle(pluto->events);
 				passert(GLOBALS_ARE_RESET());
 				ndes--;
 			}
-#endif
 
 			for (ifp = interfaces; ifp != NULL; ifp = ifp->next)
 			{
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index f1a3932a6..85e246ac4 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -502,9 +502,9 @@ static cert_t* scx_find_cert_object(CK_SESSION_HANDLE session,
 	*cert = cert_empty;
 	cert->smartcard = TRUE;
 	cert->cert = lib->creds->create(lib->creds,
-							  		CRED_CERTIFICATE, CERT_X509,
-							  		BUILD_BLOB_ASN1_DER, blob,
-							  		BUILD_END);
+									CRED_CERTIFICATE, CERT_X509,
+									BUILD_BLOB_ASN1_DER, blob,
+									BUILD_END);
 	if (cert->cert)
 	{
 		return cert;
@@ -539,6 +539,7 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 		CK_ULONG obj_count = 0;
 		time_t valid_until;
 		smartcard_t *sc;
+		cert_t *cert;
 		certificate_t *certificate;
 		x509_t *x509;
 
@@ -559,8 +560,8 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 		*sc = empty_sc;
 		sc->any_slot = FALSE;
 		sc->slot  = slot;
-		sc->last_cert = scx_find_cert_object(session, object, sc);
-		if (sc->last_cert == NULL)
+		cert = scx_find_cert_object(session, object, sc);
+		if (!cert)
 		{
 			scx_free(sc);
 			continue;
@@ -571,9 +572,10 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 		)
 
 		/* check validity of certificate */
-		certificate = sc->last_cert->cert;
+		certificate = cert->cert;
 		if (!certificate->get_validity(certificate, NULL, NULL, &valid_until))
 		{
+			cert_free(cert);
 			scx_free(sc);
 			continue;
 		}
@@ -582,17 +584,17 @@ static void scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 		)
 
 		sc = scx_add(sc);
-		x509 = (x509_t*)certificate;
 
 		/* put end entity and ca certificates into different chains */
+		x509 = (x509_t*)certificate;
 		if (x509->get_flags(x509) & X509_CA)
 		{
-			sc->last_cert = add_authcert(sc->last_cert, X509_CA);
+			sc->last_cert = add_authcert(cert, X509_CA);
 		}
 		else
 		{
-			add_public_key_from_cert(sc->last_cert, valid_until, DAL_LOCAL);
-			sc->last_cert = cert_add(sc->last_cert);
+			add_public_key_from_cert(cert, valid_until, DAL_LOCAL);
+			sc->last_cert = cert_add(cert);
 		}
 
 		cert_share(sc->last_cert);
@@ -1078,7 +1080,7 @@ cert_t* scx_load_cert(const char *filename, smartcard_t **scp, bool *cached)
 	*scp = sc = scx_add(scx_parse_number_slot_id(number_slot_id));
 
 	/* is there a cached smartcard certificate? */
-	*cached = sc->last_cert && 
+	*cached = sc->last_cert &&
 			  (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL;
 
 	if (*cached)
@@ -1451,7 +1453,7 @@ bool scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen, u_char *out,
 			{
 				return FALSE;
 			}
-			key->encrypt(key, plain_text, &cipher_text);
+			key->encrypt(key, ENCRYPT_RSA_PKCS1, plain_text, &cipher_text);
 			key->destroy(key);
 
 			if (cipher_text.ptr == NULL)
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index cdf2cb21b..2ed07bdfc 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -234,7 +234,7 @@ out_attr(int type
 				, val, enum_show(d, val)));
 	return TRUE;
 }
-#define return_on(var, val) do { var=val;goto return_out; } while(0);
+#define return_on(var, val) do { var=val;goto return_out; } while(0)
 /* Output an SA, as described by a db_sa.
  * This has the side-effect of allocating SPIs for us.
  */
@@ -448,7 +448,7 @@ out_sa(pb_stream *outs
 							, &st->st_connection->spd
 							, tunnel_mode);
 						if (*spi_ptr == 0)
-							return FALSE;
+							return_on(ret, FALSE);
 						*spi_generated = TRUE;
 					}
 					if (!out_raw((u_char *)spi_ptr, IPSEC_DOI_SPI_SIZE
@@ -2176,7 +2176,7 @@ parse_ipsec_sa_body(
 #endif
 			if (!can_do_IPcomp)
 			{
-				plog("compression proposed by %s, but KLIPS is not configured with IPCOMP"
+				plog("compression proposed by %s, but kernel does not support IPCOMP"
 					, ip_str(&c->spd.that.host_addr));
 				continue;
 			}
diff --git a/src/pluto/state.c b/src/pluto/state.c
index 29d78fb3d..3639f944d 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -734,7 +734,7 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
 		, st->st_serialno
 		, c->name, inst
 		, enum_name(&state_names, st->st_state)
-		, state_story[st->st_state - STATE_MAIN_R0]
+		, state_story[st->st_state]
 		, timer_event_names, st->st_event->ev_type
 		, delta
 		, np1, np2, eo, dpd);
@@ -782,7 +782,7 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
 		}
 		if (st->st_esp.present)
 		{
-			time_t now = time(NULL);
+			time_t now = time_monotonic(NULL);
 
 			add_said(&c->spd.that.host_addr, st->st_esp.attrs.spi, SA_ESP);
 			add_sa_info(st, FALSE);
@@ -794,12 +794,10 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
 			add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP);
 			add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP);
 		}
-#ifdef KLIPS
 		tunnel =  st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
 			   || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
 			   || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
 		p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport");
-#endif
 
 		snprintf(state_buf2, state_buf2_len
 			, "#%lu: \"%s\"%s%s"
@@ -897,56 +895,6 @@ void show_states_status(bool all, const char *name)
 	free(array);
 }
 
-/* Given that we've used up a range of unused CPI's,
- * search for a new range of currently unused ones.
- * Note: this is very expensive when not trivial!
- * If we can't find one easily, choose 0 (a bad SPI,
- * no matter what order) indicating failure.
- */
-void find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi)
-{
-	int tries = 0;
-	cpi_t base = *latest_cpi;
-	cpi_t closest;
-	int i;
-
-startover:
-	closest = ~0;       /* not close at all */
-	for (i = 0; i < STATE_TABLE_SIZE; i++)
-	{
-		struct state *st;
-
-		for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
-		{
-			if (st->st_ipcomp.present)
-			{
-				cpi_t c = ntohl(st->st_ipcomp.our_spi) - base;
-
-				if (c < closest)
-				{
-					if (c == 0)
-					{
-						/* oops: next spot is occupied; start over */
-						if (++tries == 20)
-						{
-							/* FAILURE */
-							*latest_cpi = *first_busy_cpi = 0;
-							return;
-						}
-						base++;
-						if (base > IPCOMP_LAST_NEGOTIATED)
-							base = IPCOMP_FIRST_NEGOTIATED;
-						goto startover; /* really a tail call */
-					}
-					closest = c;
-				}
-			}
-		}
-	}
-	*latest_cpi = base; /* base is first in next free range */
-	*first_busy_cpi = closest + base;   /* and this is the roof */
-}
-
 /* Muck with high-order 16 bits of this SPI in order to make
  * the corresponding SAID unique.
  * Its low-order 16 bits hold a well-known IPCOMP CPI.
diff --git a/src/pluto/state.h b/src/pluto/state.h
index c4e8db485..a307d9f69 100644
--- a/src/pluto/state.h
+++ b/src/pluto/state.h
@@ -127,10 +127,8 @@ struct state
 	struct ipsec_proto_info st_ah;
 	struct ipsec_proto_info st_esp;
 	struct ipsec_proto_info st_ipcomp;
-#ifdef KLIPS
 	ipsec_spi_t        st_tunnel_in_spi;          /* KLUDGE */
 	ipsec_spi_t        st_tunnel_out_spi;         /* KLUDGE */
-#endif
 
 	const struct dh_desc *st_pfs_group;        /* group for Phase 2 PFS */
 
@@ -267,7 +265,6 @@ extern struct state
 
 extern void show_states_status(bool all, const char *name);
 extern void for_each_state(void *(f)(struct state *, void *data), void *data);
-extern void find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi);
 extern ipsec_spi_t uniquify_his_cpi(ipsec_spi_t cpi, struct state *st);
 extern void fmt_state(bool all, struct state *st, time_t n
 					 , char *state_buf, size_t state_buf_len
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
index b112d67f6..c1ad55f5e 100644
--- a/src/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -233,13 +233,6 @@ void handle_timer_event(void)
 			init_secret();
 			break;
 
-#ifdef KLIPS
-		case EVENT_SHUNT_SCAN:
-			passert(st == NULL);
-			scan_proc_shunts();
-			break;
-#endif
-
 		case EVENT_LOG_DAILY:
 			daily_log_event();
 			break;
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index 2b8681246..d717beb15 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -427,7 +427,7 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
 			{
 				whack_log(RC_COMMENT, "  pubkey:    %N %4d bits%s",
 					key_type_names, key->get_type(key),
-					key->get_keysize(key) * BITS_PER_BYTE,
+					key->get_keysize(key),
 					cert->smartcard ? ", on smartcard" :
 					(has_private_key(cert)? ", has private key" : ""));
 
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index dd4a4a63d..897b49ac3 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -21,7 +21,7 @@ INCLUDES = \
 
 AM_CFLAGS = \
 -DIPSEC_CONFDIR=\"${sysconfdir}\" \
--DPLUGINS=\""${pluto_plugins}\"" \
+-DPLUGINS=\""${scepclient_plugins}\"" \
 -DDEBUG -DNO_PLUTO
 
 LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 7832e5f66..a20fa2eb9 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -50,6 +50,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -173,6 +174,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -204,14 +207,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -226,24 +232,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -251,7 +264,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -280,7 +296,7 @@ INCLUDES = \
 -I$(WHACKDIR)
 
 AM_CFLAGS = -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${pluto_plugins}\"" -DDEBUG -DNO_PLUTO \
+	-DPLUGINS=\""${scepclient_plugins}\"" -DDEBUG -DNO_PLUTO \
 	$(am__append_1)
 LIBSTRONGSWANBUILDDIR = $(top_builddir)/src/libstrongswan
 LIBFREESWANBUILDDIR = $(top_builddir)/src/libfreeswan
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 5c32bbdef..448854acd 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -807,7 +807,7 @@ int main(int argc, char **argv)
 	public_key = private_key->get_public_key(private_key);
 
 	/* check for minimum key length */
-	if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS)
+	if (private_key->get_keysize(private_key) < RSA_MIN_OCTETS / BITS_PER_BYTE)
 	{
 		exit_scepclient("length of RSA key has to be at least %d bits"
 			,RSA_MIN_OCTETS * BITS_PER_BYTE);
@@ -859,7 +859,7 @@ int main(int argc, char **argv)
 						BUILD_SIGNING_KEY, private_key,
 						BUILD_SUBJECT, subject,
 						BUILD_SUBJECT_ALTNAMES, subjectAltNames,
-						BUILD_PASSPHRASE, challengePassword,
+						BUILD_CHALLENGE_PWD, challengePassword,
 						BUILD_DIGEST_ALG, pkcs10_signature_alg,
 						BUILD_END);
 		if (!pkcs10_req)
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 9813a0c06..75297f767 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -9,6 +9,7 @@ INCLUDES = \
 -I${linux_headers} \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto \
 -I$(top_srcdir)/src/whack \
 -I$(top_srcdir)/src/stroke
@@ -23,9 +24,8 @@ AM_CFLAGS = \
 -DDEBUG
 
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in
-dist_man_MANS = ipsec.conf.5 starter.8
-CLEANFILES = ipsec.conf.5
+EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
+dist_man_MANS = starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 
 PLUTODIR=$(top_srcdir)/src/pluto
@@ -43,11 +43,6 @@ if USE_LOAD_WARNING
   AM_CFLAGS += -DLOAD_WARNING
 endif
 
-ipsec.conf.5:	ipsec.conf.5.in
-		sed \
-		-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
-		$(srcdir)/$@.in > $@
-
 lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
 		$(LEX) $(srcdir)/parser.l
 
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index d06c8974d..446f183f1 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -49,14 +49,14 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
-	"$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
 PROGRAMS = $(ipsec_PROGRAMS)
 am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
 	starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \
@@ -106,7 +106,6 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 NROFF = nroff
 MANS = $(dist_man_MANS)
@@ -178,6 +177,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -209,14 +210,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -231,24 +235,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -256,7 +267,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -278,6 +292,7 @@ INCLUDES = \
 -I${linux_headers} \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto \
 -I$(top_srcdir)/src/whack \
 -I$(top_srcdir)/src/stroke
@@ -288,9 +303,8 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
 	-DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \
 	$(am__append_2) $(am__append_3)
 starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in
-dist_man_MANS = ipsec.conf.5 starter.8
-CLEANFILES = ipsec.conf.5
+EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
+dist_man_MANS = starter.8
 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
 PLUTODIR = $(top_srcdir)/src/pluto
 SCEPCLIENTDIR = $(top_srcdir)/src/scepclient
@@ -424,44 +438,6 @@ mostlyclean-libtool:
 
 clean-libtool:
 	-rm -rf .libs _libs
-install-man5: $(dist_man_MANS)
-	@$(NORMAL_INSTALL)
-	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
-	} | while read p; do \
-	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
-	  echo "$$d$$p"; echo "$$p"; \
-	done | \
-	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
-	sed 'N;N;s,\n, ,g' | { \
-	list=; while read file base inst; do \
-	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
-	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
-	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
-	  fi; \
-	done; \
-	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
-	while read files; do \
-	  test -z "$$files" || { \
-	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
-	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
-	done; }
-
-uninstall-man5:
-	@$(NORMAL_UNINSTALL)
-	@list=''; test -n "$(man5dir)" || exit 0; \
-	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
-	  sed -n '/\.5[a-z]*$$/p'; \
-	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
-	test -z "$$files" || { \
-	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
-	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
 install-man8: $(dist_man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
@@ -600,7 +576,7 @@ check-am: all-am
 check: check-am
 all-am: Makefile $(PROGRAMS) $(MANS)
 installdirs:
-	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
+	for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -620,7 +596,6 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -669,7 +644,7 @@ install-info: install-info-am
 
 install-info-am:
 
-install-man: install-man5 install-man8
+install-man: install-man8
 
 install-pdf: install-pdf-am
 
@@ -701,7 +676,7 @@ ps-am:
 
 uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
 
-uninstall-man: uninstall-man5 uninstall-man8
+uninstall-man: uninstall-man8
 
 .MAKE: install-am install-strip
 
@@ -712,20 +687,14 @@ uninstall-man: uninstall-man5 uninstall-man8
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-exec-local \
 	install-html install-html-am install-info install-info-am \
-	install-ipsecPROGRAMS install-man install-man5 install-man8 \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
-	maintainer-clean maintainer-clean-generic mostlyclean \
-	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
-	pdf pdf-am ps ps-am tags uninstall uninstall-am \
-	uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \
-	uninstall-man8
-
-
-ipsec.conf.5:	ipsec.conf.5.in
-		sed \
-		-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
-		$(srcdir)/$@.in > $@
+	install-ipsecPROGRAMS install-man install-man8 install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+	uninstall-man uninstall-man8
+
 
 lex.yy.c:	$(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
 		$(LEX) $(srcdir)/parser.l
diff --git a/src/starter/README b/src/starter/README
index 12a60a11d..4aff64978 100644
--- a/src/starter/README
+++ b/src/starter/README
@@ -18,8 +18,6 @@ Usage:
 FEATURES
 --------
 
-o Load and unload KLIPS (ipsec.o kernel module)
-
 o Load modules of the native Linux 2.6 IPsec stack
 
 o Launch and monitor pluto
@@ -50,8 +48,7 @@ o /var/run/dynip/xxxx can be used to use a virtual interface name in
 
 o %auto can be used to automaticaly name the connections
 
-o kill -TERM can be used to stop FS. pluto will be stopped and KLIPS unloaded
-  (if it has been loaded).
+o kill -TERM can be used to stop FS. pluto will be stopped.
 
 o Can be used to start strongSwan and load lots of connections in a few
   seconds.
diff --git a/src/starter/args.c b/src/starter/args.c
index ab6b60509..37d600283 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -208,6 +208,7 @@ static const token_info_t token_info[] =
 	{ ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
 	{ ARG_MISC, 0, NULL  /* KW_EAP */                                              },
 	{ ARG_STR,  offsetof(starter_conn_t, eap_identity), NULL                       },
+	{ ARG_STR,  offsetof(starter_conn_t, aaa_identity), NULL                       },
 	{ ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
 	{ ARG_MISC, 0, NULL  /* KW_FORCEENCAPS */                                      },
 	{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 399e17844..3367616ca 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -19,6 +19,8 @@
 
 #include <freeswan.h>
 
+#include <eap/eap.h>
+
 #include "../pluto/constants.h"
 #include "../pluto/defs.h"
 #include "../pluto/log.h"
@@ -461,7 +463,7 @@ static void handle_firewall(const char *label, starter_end_t *end,
 	}
 }
 
-static bool handle_mark(char *value, mark_t *mark)	
+static bool handle_mark(char *value, mark_t *mark)
 {
 	char *pos, *endptr;
 
@@ -671,31 +673,8 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 				}
 				break;
 			}
-			if (streq(kw->value, "aka"))
-			{
-				conn->eap_type = 23;
-			}
-			else if (streq(kw->value, "sim"))
-			{
-				conn->eap_type = 18;
-			}
-			else if (streq(kw->value, "md5"))
-			{
-				conn->eap_type = 4;
-			}
-			else if (streq(kw->value, "gtc"))
-			{
-				conn->eap_type = 6;
-			}
-			else if (streq(kw->value, "mschapv2"))
-			{
-				conn->eap_type = 26;
-			}
-			else if (streq(kw->value, "radius"))
-			{	/* pseudo-type */
-				conn->eap_type = 253;
-			}
-			else
+			conn->eap_type = eap_type_from_string(kw->value);
+			if (conn->eap_type == 0)
 			{
 				conn->eap_type = atoi(kw->value);
 				if (conn->eap_type == 0)
@@ -739,7 +718,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 				if (*endptr != '\0')
 				{
 					plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
-		    		cfg->err++;
+					cfg->err++;
 				}
 			}
 			break;
@@ -815,7 +794,7 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
 				DBG(DBG_CONTROL,
 					DBG_log("  also=%s", kw->value)
 				)
-	    	}
+			}
 			continue;
 		}
 
@@ -879,7 +858,7 @@ static void load_also_conns(starter_conn_t *conn, also_t *also,
 /*
  * find a conn included by also
  */
-static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn, 
+static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
 								 starter_config_t *cfg)
 {
 	starter_conn_t *c = cfg->conn_first;
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 5e4356ea3..982d1d206 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -95,13 +95,6 @@ struct also {
 		also_t          *next;
 };
 
-typedef struct mark_t mark_t;
-
-struct mark_t{
-		u_int32_t value;
-		u_int32_t mask;
-};
-
 typedef struct starter_conn starter_conn_t;
 
 struct starter_conn {
@@ -117,6 +110,7 @@ struct starter_conn {
 		u_int32_t       eap_type;
 		u_int32_t       eap_vendor;
 		char            *eap_identity;
+		char            *aaa_identity;
 		char            *xauth_identity;
 		lset_t          policy;
 		time_t          sa_ike_life_seconds;
@@ -129,8 +123,8 @@ struct starter_conn {
 		unsigned long   sa_keying_tries;
 		unsigned long   sa_rekey_fuzz;
 		u_int32_t       reqid;
-		mark_t			mark_in;
-		mark_t			mark_out;
+		mark_t          mark_in;
+		mark_t          mark_out;
 		sa_family_t     addr_family;
 		sa_family_t     tunnel_addr_family;
 		bool            install_policy;
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
index 92b2c74a4..ef26cdce5 100644
--- a/src/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -56,7 +56,7 @@ get_defaultroute(defaultroute_t *defaultroute)
 	ssize_t msglen;
 	int fd;
 
-	bzero(&rtu, sizeof(rtu));
+	memset(&rtu, 0, sizeof(rtu));
 	rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt));
 	rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
 	rtu.m.nh.nlmsg_type = RTM_GETROUTE;
@@ -142,7 +142,7 @@ get_defaultroute(defaultroute_t *defaultroute)
 				plog("could not open AF_INET socket");
 				break;
 			}
-			bzero(&req, sizeof(req));
+			memset(&req, 0, sizeof(req));
 			req.ifr_ifindex = iface_idx;
 			if (ioctl(fd, SIOCGIFNAME, &req) < 0 ||
 				ioctl(fd, SIOCGIFADDR, &req) < 0)
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 1d7cae00b..0c24c7dcf 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -1,6 +1,6 @@
 /* C code produced by gperf version 3.0.3 */
 /* Command-line: /usr/bin/gperf -m 10 -C -G -D -t  */
-/* Computed positions: -k'1-2,6,$' */
+/* Computed positions: -k'2-3,6,$' */
 
 #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
       && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -54,12 +54,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 126
+#define TOTAL_KEYWORDS 127
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 20
-#define MAX_HASH_VALUE 220
-/* maximum key range = 201, duplicates = 0 */
+#define MIN_HASH_VALUE 12
+#define MAX_HASH_VALUE 238
+/* maximum key range = 227, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221,  35,
-       77, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221,   8, 221,  31, 221,  20,
-       28,   5,  75,  26,  88,   5, 221,  97,   5,  50,
-       39,  67,  29, 221,   7,  13,   6,  89,  15, 221,
-        5,  24,   7, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
-      221, 221, 221, 221, 221, 221
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239,   2,
+      104, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239,  15, 239,  20,  14,  58,
+       51,   1,   7,   1,  81,   1, 239, 132,  47,   4,
+        1,  49,  10,   9,  23,   1,  20,  48,   4, 239,
+      239,  35,   1, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+      239, 239, 239, 239, 239, 239
     };
   register int hval = len;
 
@@ -112,11 +112,10 @@ hash (str, len)
       case 5:
       case 4:
       case 3:
+        hval += asso_values[(unsigned char)str[2]];
+      /*FALLTHROUGH*/
       case 2:
         hval += asso_values[(unsigned char)str[1]];
-      /*FALLTHROUGH*/
-      case 1:
-        hval += asso_values[(unsigned char)str[0]];
         break;
     }
   return hval + asso_values[(unsigned char)str[len - 1]];
@@ -124,159 +123,161 @@ hash (str, len)
 
 static const struct kw_entry wordlist[] =
   {
-    {"left",              KW_LEFT},
-    {"right",             KW_RIGHT},
+    {"pfs",               KW_PFS},
+    {"uniqueids",         KW_UNIQUEIDS},
+    {"rightgroups",       KW_RIGHTGROUPS},
     {"lifetime",          KW_KEYLIFE},
+    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
+    {"rightnatip",        KW_RIGHTNATIP},
+    {"esp",               KW_ESP},
+    {"rightnexthop",      KW_RIGHTNEXTHOP},
+    {"rightsourceip",     KW_RIGHTSOURCEIP},
+    {"right",             KW_RIGHT},
+    {"leftupdown",        KW_LEFTUPDOWN},
+    {"leftnexthop",       KW_LEFTNEXTHOP},
+    {"left",              KW_LEFT},
+    {"keep_alive",        KW_KEEP_ALIVE},
+    {"rightsubnet",       KW_RIGHTSUBNET},
+    {"rightikeport",      KW_RIGHTIKEPORT},
+    {"rightsendcert",     KW_RIGHTSENDCERT},
     {"leftcert",          KW_LEFTCERT,},
-    {"leftfirewall",      KW_LEFTFIREWALL},
+    {"interfaces",        KW_INTERFACES},
+    {"lifepackets",       KW_LIFEPACKETS},
     {"leftsendcert",      KW_LEFTSENDCERT},
-    {"rightikeport",      KW_RIGHTIKEPORT},
-    {"leftprotoport",     KW_LEFTPROTOPORT},
-    {"type",              KW_TYPE},
     {"leftgroups",        KW_LEFTGROUPS},
-    {"rekey",             KW_REKEY},
-    {"rightsubnet",       KW_RIGHTSUBNET},
-    {"crluri",            KW_CRLURI},
-    {"rightsendcert",     KW_RIGHTSENDCERT},
-    {"reqid",             KW_REQID},
-    {"rightcert",         KW_RIGHTCERT},
-    {"certuribase",       KW_CERTURIBASE},
-    {"esp",               KW_ESP},
-    {"leftallowany",      KW_LEFTALLOWANY},
-    {"rightid",           KW_RIGHTID},
-    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
-    {"leftnexthop",       KW_LEFTNEXTHOP},
+    {"eap",               KW_EAP},
+    {"rightprotoport",    KW_RIGHTPROTOPORT},
+    {"leftnatip",         KW_LEFTNATIP},
+    {"keyingtries",       KW_KEYINGTRIES},
+    {"type",              KW_TYPE},
+    {"keylife",           KW_KEYLIFE},
+    {"mark_in",           KW_MARK_IN},
     {"lifebytes",         KW_LIFEBYTES},
-    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
+    {"leftca",            KW_LEFTCA},
+    {"margintime",        KW_REKEYMARGIN},
+    {"marginbytes",       KW_MARGINBYTES},
     {"leftrsasigkey",     KW_LEFTRSASIGKEY},
-    {"rightprotoport",    KW_RIGHTPROTOPORT},
-    {"rightgroups",       KW_RIGHTGROUPS},
-    {"plutostart",        KW_PLUTOSTART},
-    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
-    {"lifepackets",       KW_LIFEPACKETS},
-    {"rightsourceip",     KW_RIGHTSOURCEIP},
-    {"eap",               KW_EAP},
-    {"cacert",            KW_CACERT},
-    {"rightca",           KW_RIGHTCA},
+    {"marginpackets",     KW_MARGINPACKETS},
+    {"certuribase",       KW_CERTURIBASE},
     {"virtual_private",   KW_VIRTUAL_PRIVATE},
-    {"leftid",            KW_LEFTID},
-    {"crluri1",           KW_CRLURI},
-    {"ldapbase",          KW_LDAPBASE},
-    {"leftca",            KW_LEFTCA},
-    {"leftnatip",         KW_LEFTNATIP},
-    {"rightallowany",     KW_RIGHTALLOWANY},
-    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
-    {"xauth_identity",    KW_XAUTH_IDENTITY},
+    {"rightid",           KW_RIGHTID},
+    {"rightupdown",       KW_RIGHTUPDOWN},
+    {"compress",          KW_COMPRESS},
+    {"leftprotoport",     KW_LEFTPROTOPORT},
+    {"overridemtu",       KW_OVERRIDEMTU},
+    {"reqid",             KW_REQID},
     {"inactivity",        KW_INACTIVITY},
-    {"packetdefault",     KW_PACKETDEFAULT},
-    {"installpolicy",     KW_INSTALLPOLICY},
-    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
-    {"leftupdown",        KW_LEFTUPDOWN},
-    {"rightnatip",        KW_RIGHTNATIP},
-    {"rightnexthop",      KW_RIGHTNEXTHOP},
-    {"cachecrls",         KW_CACHECRLS},
-    {"dpddelay",          KW_DPDDELAY},
-    {"nat_traversal",     KW_NAT_TRAVERSAL},
-    {"mediated_by",       KW_MEDIATED_BY},
-    {"me_peerid",         KW_ME_PEERID},
-    {"plutodebug",        KW_PLUTODEBUG},
-    {"eap_identity",      KW_EAP_IDENTITY},
-    {"leftcert2",         KW_LEFTCERT2,},
-    {"rightid2",          KW_RIGHTID2},
-    {"rekeyfuzz",         KW_REKEYFUZZ},
-    {"lefthostaccess",    KW_LEFTHOSTACCESS},
+    {"leftfirewall",      KW_LEFTFIREWALL},
     {"rightfirewall",     KW_RIGHTFIREWALL},
-    {"ocspuri",           KW_OCSPURI},
-    {"also",              KW_ALSO},
+    {"rightallowany",     KW_RIGHTALLOWANY},
+    {"mobike",	           KW_MOBIKE},
+    {"lefthostaccess",    KW_LEFTHOSTACCESS},
+    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
+    {"rightrsasigkey",    KW_RIGHTRSASIGKEY},
+    {"pfsgroup",          KW_PFSGROUP},
+    {"me_peerid",         KW_ME_PEERID},
+    {"crluri",            KW_CRLURI},
+    {"leftsourceip",      KW_LEFTSOURCEIP},
+    {"crluri1",           KW_CRLURI},
     {"mediation",         KW_MEDIATION},
-    {"ike",               KW_IKE},
-    {"dpdaction",         KW_DPDACTION},
-    {"rekeymargin",       KW_REKEYMARGIN},
-    {"compress",          KW_COMPRESS},
-    {"ldaphost",          KW_LDAPHOST},
+    {"dumpdir",           KW_DUMPDIR},
+    {"forceencaps",       KW_FORCEENCAPS},
     {"leftsubnet",        KW_LEFTSUBNET},
-    {"crluri2",           KW_CRLURI2},
-    {"rightca2",          KW_RIGHTCA2},
-    {"leftsourceip",      KW_LEFTSOURCEIP},
-    {"rightcert2",        KW_RIGHTCERT2},
-    {"pfs",               KW_PFS},
-    {"leftid2",           KW_LEFTID2},
+    {"rightca",           KW_RIGHTCA},
+    {"rightcert",         KW_RIGHTCERT},
+    {"ocspuri",           KW_OCSPURI},
+    {"dpdaction",         KW_DPDACTION},
+    {"ocspuri1",          KW_OCSPURI},
     {"dpdtimeout",        KW_DPDTIMEOUT},
-    {"leftikeport",       KW_LEFTIKEPORT},
-    {"leftca2",           KW_LEFTCA2},
+    {"installpolicy",     KW_INSTALLPOLICY},
     {"righthostaccess",   KW_RIGHTHOSTACCESS},
-    {"xauth",             KW_XAUTH},
-    {"rightauth2",        KW_RIGHTAUTH2},
-    {"mark_in",           KW_MARK_IN},
-    {"mobike",	           KW_MOBIKE},
-    {"margintime",        KW_REKEYMARGIN},
-    {"dumpdir",           KW_DUMPDIR},
-    {"ocspuri1",          KW_OCSPURI},
+    {"ldapbase",          KW_LDAPBASE},
+    {"also",              KW_ALSO},
+    {"leftallowany",      KW_LEFTALLOWANY},
+    {"force_keepalive",   KW_FORCE_KEEPALIVE},
     {"keyexchange",       KW_KEYEXCHANGE},
-    {"fragicmp",          KW_FRAGICMP},
+    {"hidetos",           KW_HIDETOS},
+    {"klipsdebug",        KW_KLIPSDEBUG},
+    {"plutostderrlog",    KW_PLUTOSTDERRLOG},
     {"rightauth",         KW_RIGHTAUTH},
-    {"interfaces",        KW_INTERFACES},
-    {"marginbytes",       KW_MARGINBYTES},
-    {"marginpackets",     KW_MARGINPACKETS},
-    {"nocrsend",          KW_NOCRSEND},
-    {"keep_alive",        KW_KEEP_ALIVE},
-    {"rightupdown",       KW_RIGHTUPDOWN},
-    {"keyingtries",       KW_KEYINGTRIES},
-    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
-    {"uniqueids",         KW_UNIQUEIDS},
+    {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
+    {"charondebug",       KW_CHARONDEBUG},
+    {"rightid2",          KW_RIGHTID2},
+    {"leftid",            KW_LEFTID},
+    {"mediated_by",       KW_MEDIATED_BY},
+    {"fragicmp",          KW_FRAGICMP},
     {"mark_out",          KW_MARK_OUT},
+    {"auto",              KW_AUTO},
+    {"leftcert2",         KW_LEFTCERT2,},
+    {"nat_traversal",     KW_NAT_TRAVERSAL},
+    {"cacert",            KW_CACERT},
+    {"plutostart",        KW_PLUTOSTART},
+    {"eap_identity",      KW_EAP_IDENTITY},
+    {"prepluto",          KW_PREPLUTO},
+    {"packetdefault",     KW_PACKETDEFAULT},
+    {"xauth_identity",    KW_XAUTH_IDENTITY},
     {"charonstart",       KW_CHARONSTART},
-    {"klipsdebug",        KW_KLIPSDEBUG},
-    {"force_keepalive",   KW_FORCE_KEEPALIVE},
-    {"forceencaps",       KW_FORCEENCAPS},
+    {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
+    {"rightauth2",        KW_RIGHTAUTH2},
+    {"ike",               KW_IKE},
+    {"aaa_identity",      KW_AAA_IDENTITY},
+    {"leftca2",           KW_LEFTCA2},
     {"authby",            KW_AUTHBY},
+    {"leftauth",          KW_LEFTAUTH},
+    {"cachecrls",         KW_CACHECRLS},
+    {"ldaphost",          KW_LDAPHOST},
+    {"rekeymargin",       KW_REKEYMARGIN},
+    {"rekeyfuzz",         KW_REKEYFUZZ},
+    {"dpddelay",          KW_DPDDELAY},
+    {"ikelifetime",       KW_IKELIFETIME},
+    {"auth",              KW_AUTH},
+    {"xauth",             KW_XAUTH},
     {"postpluto",         KW_POSTPLUTO},
-    {"pkcs11module",      KW_PKCS11MODULE},
-    {"ocspuri2",          KW_OCSPURI2},
-    {"hidetos",           KW_HIDETOS},
-    {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
-    {"mark",              KW_MARK},
-    {"charondebug",       KW_CHARONDEBUG},
+    {"plutodebug",        KW_PLUTODEBUG},
+    {"modeconfig",        KW_MODECONFIG},
+    {"nocrsend",          KW_NOCRSEND},
     {"leftauth2",         KW_LEFTAUTH2},
-    {"overridemtu",       KW_OVERRIDEMTU},
-    {"pkcs11initargs",    KW_PKCS11INITARGS},
-    {"keylife",           KW_KEYLIFE},
-    {"auto",              KW_AUTO},
-    {"ikelifetime",       KW_IKELIFETIME},
+    {"leftid2",           KW_LEFTID2},
+    {"leftikeport",       KW_LEFTIKEPORT},
+    {"rightca2",          KW_RIGHTCA2},
+    {"rekey",             KW_REKEY},
+    {"rightcert2",        KW_RIGHTCERT2},
+    {"mark",              KW_MARK},
+    {"crluri2",           KW_CRLURI2},
     {"reauth",            KW_REAUTH},
-    {"leftauth",          KW_LEFTAUTH},
-    {"pkcs11proxy",       KW_PKCS11PROXY},
-    {"prepluto",          KW_PREPLUTO},
-    {"pfsgroup",          KW_PFSGROUP},
-    {"auth",              KW_AUTH},
-    {"modeconfig",        KW_MODECONFIG}
+    {"ocspuri2",          KW_OCSPURI2},
+    {"pkcs11module",      KW_PKCS11MODULE},
+    {"pkcs11initargs",    KW_PKCS11INITARGS},
+    {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
+    {"pkcs11proxy",       KW_PKCS11PROXY}
   };
 
 static const short lookup[] =
   {
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,   0,   1,  -1,   2,  -1,  -1,   3,  -1,
+     -1,   4,  -1,   5,   6,   7,   8,   9,  -1,  10,
+     11,  -1,  12,  13,  14,  15,  16,  17,  -1,  18,
+     19,  20,  21,  22,  -1,  -1,  23,  24,  -1,  25,
+     26,  27,  28,  29,  30,  31,  32,  33,  34,  35,
+     36,  37,  38,  39,  40,  41,  42,  43,  44,  45,
+     46,  47,  48,  49,  50,  51,  -1,  52,  53,  54,
+     55,  -1,  56,  57,  -1,  58,  59,  60,  -1,  61,
+     62,  63,  64,  -1,  -1,  65,  -1,  66,  -1,  67,
+     68,  69,  70,  71,  -1,  -1,  72,  -1,  -1,  73,
+     74,  75,  76,  77,  78,  79,  80,  -1,  81,  82,
+     83,  84,  85,  86,  87,  -1,  88,  -1,  89,  90,
+     -1,  91,  92,  93,  94,  -1,  95,  96,  97,  98,
+     -1,  -1,  -1,  -1,  99, 100, 101,  -1, 102, 103,
+    104, 105, 106, 107, 108, 109,  -1, 110,  -1,  -1,
+    111,  -1,  -1,  -1,  -1,  -1,  -1, 112,  -1, 113,
+    114, 115, 116, 117, 118,  -1,  -1,  -1,  -1, 119,
+     -1,  -1, 120,  -1,  -1,  -1,  -1,  -1,  -1, 121,
+     -1,  -1,  -1,  -1, 122,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1, 123,  -1, 124, 125,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-      0,  -1,  -1,   1,  -1,  -1,  -1,  -1,   2,   3,
-     -1,  -1,   4,   5,  -1,   6,   7,  -1,  -1,   8,
-      9,  10,  11,  12,  13,  14,  -1,  15,  16,  -1,
-     17,  18,  19,  20,  -1,  21,  22,  23,  -1,  -1,
-     24,  25,  26,  27,  28,  29,  -1,  30,  31,  32,
-     33,  34,  35,  -1,  36,  -1,  -1,  37,  38,  39,
-     40,  41,  42,  43,  -1,  44,  45,  46,  47,  -1,
-     48,  -1,  49,  50,  51,  52,  53,  54,  55,  -1,
-     56,  57,  58,  59,  60,  61,  62,  63,  -1,  64,
-     65,  66,  67,  68,  69,  70,  71,  72,  73,  74,
-     75,  -1,  76,  77,  78,  79,  -1,  -1,  80,  81,
-     82,  -1,  83,  84,  -1,  85,  86,  87,  88,  89,
-     90,  -1,  91,  -1,  92,  -1,  93,  94,  95,  -1,
-     -1,  96,  97,  -1,  98,  99,  -1,  -1,  -1,  -1,
-     -1,  -1, 100,  -1, 101,  -1, 102,  -1,  -1,  -1,
-    103, 104,  -1,  -1, 105,  -1,  -1, 106, 107, 108,
-    109, 110, 111,  -1, 112, 113,  -1, 114, 115, 116,
-     -1, 117,  -1, 118, 119, 120, 121,  -1,  -1,  -1,
-    122,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 123,  -1,
-     -1,  -1, 124,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-    125
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 126
   };
 
 #ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 25d2ce4b9..1dae65a99 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -71,6 +71,7 @@ typedef enum {
 	KW_AUTHBY,
 	KW_EAP,
 	KW_EAP_IDENTITY,
+	KW_AAA_IDENTITY,
 	KW_MOBIKE,
 	KW_FORCEENCAPS,
 	KW_IKELIFETIME,
@@ -122,8 +123,8 @@ typedef enum {
 
    /* end keywords */
 	KW_HOST,
-	KW_NEXTHOP,
 	KW_IKEPORT,
+	KW_NEXTHOP,
 	KW_SUBNET,
 	KW_SUBNETWITHIN,
 	KW_PROTOPORT,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index fcdc60cff..06705635a 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -49,6 +49,7 @@ force_keepalive,   KW_FORCE_KEEPALIVE
 virtual_private,   KW_VIRTUAL_PRIVATE
 eap,               KW_EAP
 eap_identity,      KW_EAP_IDENTITY
+aaa_identity,      KW_AAA_IDENTITY
 mobike,	           KW_MOBIKE
 forceencaps,       KW_FORCEENCAPS
 pkcs11module,      KW_PKCS11MODULE
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9c69ab9e5..9ba569d47 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -40,15 +40,6 @@
 #define IPV6_LEN	16
 
 /**
- * Mode of an IPsec SA, must be the same as in charons kernel_ipsec.h
- */
-enum ipsec_mode_t {
-	MODE_TRANSPORT = 1,
-	MODE_TUNNEL,
-	MODE_BEET
-};
-
-/**
  * Authentication methods, must be the same as in charons authenticator.h
  */
 enum auth_method_t {
@@ -204,7 +195,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	memset(&msg, 0, sizeof(msg));
 	msg.type = STR_ADD_CONN;
 	msg.length = offsetof(stroke_msg_t, buffer);
-	msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
+	msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1;
 	msg.add_conn.name = push_string(&msg, connection_name(conn));
 
 	/* PUBKEY is preferred to PSK and EAP */
@@ -223,6 +214,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.add_conn.eap_type = conn->eap_type;
 	msg.add_conn.eap_vendor = conn->eap_vendor;
 	msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
+	msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
 
 	if (conn->policy & POLICY_TUNNEL)
 	{
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 58034d96b..b7d916eae 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -277,7 +277,7 @@ int starter_whack_add_conn(starter_conn_t *conn)
 	msg.whack_connection = TRUE;
 	msg.name = connection_name(conn, name, sizeof(name));
 
-	msg.ikev1                 = conn->keyexchange != KEY_EXCHANGE_IKEV2;
+	msg.ikev1                 = conn->keyexchange == KEY_EXCHANGE_IKEV1;
 	msg.addr_family           = conn->addr_family;
 	msg.tunnel_addr_family    = conn->tunnel_addr_family;
 	msg.sa_ike_life_seconds   = conn->sa_ike_life_seconds;
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index c7f264730..c490be114 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -142,6 +143,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -173,14 +176,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -195,24 +201,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -220,7 +233,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 4fa0f76a8..103617f08 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -56,9 +56,8 @@ static char* push_string(stroke_msg_t *msg, char *string)
 static int send_stroke_msg (stroke_msg_t *msg)
 {
 	struct sockaddr_un ctl_addr;
-	int sock;
-	char buffer[512];
-	int byte_count;
+	int sock, byte_count;
+	char buffer[512], *pass;
 
 	ctl_addr.sun_family = AF_UNIX;
 	strcpy(ctl_addr.sun_path, STROKE_SOCKET);
@@ -90,17 +89,30 @@ static int send_stroke_msg (stroke_msg_t *msg)
 	while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
 	{
 		buffer[byte_count] = '\0';
-		printf("%s", buffer);
 
-		/* we prompt if we receive the "Passphrase:" magic keyword */
-		if (byte_count >= 12 &&
-			strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0)
+		/* we prompt if we receive the "Passphrase:"/"PIN:" magic keyword */
+		if ((byte_count >= 12 &&
+			 strcmp(buffer + byte_count - 12, "Passphrase:\n") == 0) ||
+			(byte_count >= 5 &&
+			 strcmp(buffer + byte_count - 5, "PIN:\n") == 0))
 		{
-			if (fgets(buffer, sizeof(buffer), stdin))
+			/* remove trailing newline */
+			pass = strrchr(buffer, '\n');
+			if (pass)
 			{
-				ignore_result(write(sock, buffer, strlen(buffer)));
+				*pass = ' ';
+			}
+			pass = getpass(buffer);
+			if (pass)
+			{
+				ignore_result(write(sock, pass, strlen(pass)));
+				ignore_result(write(sock, "\n", 1));
 			}
 		}
+		else
+		{
+			printf("%s", buffer);
+		}
 	}
 	if (byte_count < 0)
 	{
@@ -276,9 +288,23 @@ static int purge(stroke_keyword_t kw)
 	return send_stroke_msg(&msg);
 }
 
-static int leases(stroke_keyword_t kw, char *pool, char *address)
+static int export_flags[] = {
+	EXPORT_X509,
+};
+
+static int export(stroke_keyword_t kw, char *selector)
 {
+	stroke_msg_t msg;
 
+	msg.type = STR_EXPORT;
+	msg.length = offsetof(stroke_msg_t, buffer);
+	msg.export.selector = push_string(&msg, selector);
+	msg.export.flags = export_flags[kw - STROKE_EXPORT_FIRST];
+	return send_stroke_msg(&msg);
+}
+
+static int leases(stroke_keyword_t kw, char *pool, char *address)
+{
 	stroke_msg_t msg;
 
 	msg.type = STR_LEASES;
@@ -349,6 +375,8 @@ static void exit_usage(char *error)
 	printf("    stroke purgeocsp\n");
 	printf("  Purge IKE_SAs without a CHILD_SA:\n");
 	printf("    stroke purgeike\n");
+	printf("  Export credentials to the console:\n");
+	printf("    stroke exportx509 DN\n");
 	printf("  Show leases of a pool:\n");
 	printf("    stroke leases [POOL [ADDRESS]]\n");
 	exit_error(error);
@@ -466,6 +494,13 @@ int main(int argc, char *argv[])
 		case STROKE_PURGE_IKE:
 			res = purge(token->kw);
 			break;
+		case STROKE_EXPORT_X509:
+			if (argc != 3)
+			{
+				exit_usage("\"exportx509\" needs a distinguished name");
+			}
+			res = export(token->kw, argv[2]);
+			break;
 		case STROKE_LEASES:
 			res = leases(token->kw, argc > 2 ? argv[2] : NULL,
 						 argc > 3 ? argv[3] : NULL);
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index bb9705743..c2d79176e 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -54,7 +54,7 @@ struct stroke_token {
     stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 33
+#define TOTAL_KEYWORDS 34
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
 #define MIN_HASH_VALUE 3
@@ -79,15 +79,15 @@ hash (str, len)
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
-      40, 40, 40, 40, 40, 17, 40, 40, 40, 40,
+      40, 40, 40, 40, 40, 18, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40,  0,  4,  1,
-       1,  0, 40, 17, 40, 18, 40,  4,  0, 40,
-      40, 12, 17, 40,  6,  3, 19, 12, 40, 40,
-      40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
+       1,  0, 40, 17, 40, 20, 40,  3,  0, 40,
+      40, 12, 19, 40,  6,  3, 20, 12, 40, 40,
+      10, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
       40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
@@ -148,14 +148,15 @@ static const struct stroke_token wordlist[] =
     {"listocsp",        STROKE_LIST_OCSP},
     {"statusall",       STROKE_STATUSALL},
     {"listalgs",        STROKE_LIST_ALGS},
+    {"exportx509",      STROKE_EXPORT_X509},
     {"delete",          STROKE_DELETE},
-    {"purgeocsp",       STROKE_PURGE_OCSP},
     {"listocspcerts",   STROKE_LIST_OCSPCERTS},
+    {"purgeocsp",       STROKE_PURGE_OCSP},
     {"purgeike",        STROKE_PURGE_IKE},
-    {"listcainfos",     STROKE_LIST_CAINFOS},
     {"unroute",         STROKE_UNROUTE},
-    {"listpubkeys",     STROKE_LIST_PUBKEYS},
+    {"listcainfos",     STROKE_LIST_CAINFOS},
     {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
+    {"listpubkeys",     STROKE_LIST_PUBKEYS},
     {"down-srcip",      STROKE_DOWN_SRCIP},
     {"listgroups",      STROKE_LIST_GROUPS}
   };
@@ -164,7 +165,7 @@ static const short lookup[] =
   {
     -1, -1, -1,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10,
     11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
-    25, 26, 27, 28, 29, 30, 31, -1, -1, -1, -1, 32
+    25, 26, 27, 28, 29, 30, 31, 32, -1, -1, -1, 33
   };
 
 #ifdef __GNUC__
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 6332000db..4a3826536 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -49,12 +49,14 @@ typedef enum {
 	STROKE_REREAD_ALL,
 	STROKE_PURGE_OCSP,
 	STROKE_PURGE_IKE,
-	STROKE_LEASES
+	STROKE_EXPORT_X509,
+	STROKE_LEASES,
 } stroke_keyword_t;
 
 #define STROKE_LIST_FIRST		STROKE_LIST_PUBKEYS
 #define STROKE_REREAD_FIRST		STROKE_REREAD_SECRETS
 #define STROKE_PURGE_FIRST		STROKE_PURGE_OCSP
+#define STROKE_EXPORT_FIRST		STROKE_EXPORT_X509
 
 typedef struct stroke_token stroke_token_t;
 
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 96fa0bf3a..0b8092985 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -56,4 +56,5 @@ rereadcrls,      STROKE_REREAD_CRLS
 rereadall,       STROKE_REREAD_ALL
 purgeocsp,       STROKE_PURGE_OCSP
 purgeike,        STROKE_PURGE_IKE
+exportx509,      STROKE_EXPORT_X509
 leases,          STROKE_LEASES
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index a36cc9038..9466cf0b0 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -109,6 +109,16 @@ enum purge_flag_t {
 	PURGE_IKE =			0x0002,
 };
 
+typedef enum export_flag_t export_flag_t;
+
+/**
+ * Definition of the export flags
+ */
+enum export_flag_t {
+	/** export an X509 certificate */
+	EXPORT_X509 =		0x0001,
+};
+
 /**
  * CRL certificate validation policy
  */
@@ -193,6 +203,8 @@ struct stroke_msg_t {
 		STR_PURGE,
 		/* show pool leases */
 		STR_LEASES,
+		/* export credentials */
+		STR_EXPORT,
 		/* more to come */
 	} type;
 
@@ -220,6 +232,7 @@ struct stroke_msg_t {
 			u_int32_t eap_type;
 			u_int32_t eap_vendor;
 			char *eap_identity;
+			char *aaa_identity;
 			int mode;
 			int mobike;
 			int force_encap;
@@ -301,6 +314,12 @@ struct stroke_msg_t {
 			purge_flag_t flags;
 		} purge;
 
+		/* data for STR_EXPORT */
+		struct {
+			export_flag_t flags;
+			char *selector;
+		} export;
+
 		/* data for STR_LEASES */
 		struct {
 			char *pool;
diff --git a/src/whack/Makefile.am b/src/whack/Makefile.am
index 27f856231..316a83312 100644
--- a/src/whack/Makefile.am
+++ b/src/whack/Makefile.am
@@ -5,6 +5,7 @@ whack_SOURCES = whack.c whack.h
 INCLUDES = \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto
 
 whack_LDADD = \
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index d163f2b58..270e8fe50 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -141,6 +142,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -172,14 +175,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -194,24 +200,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -219,7 +232,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -235,6 +251,7 @@ whack_SOURCES = whack.c whack.h
 INCLUDES = \
 -I$(top_srcdir)/src/libstrongswan \
 -I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
 -I$(top_srcdir)/src/pluto
 
 whack_LDADD = \
diff --git a/src/whack/whack.c b/src/whack/whack.c
index 643e4be04..c5fe3b458 100644
--- a/src/whack/whack.c
+++ b/src/whack/whack.c
@@ -471,7 +471,7 @@ enum {
 	DBGOPT_EMITTING,    /* same order as DBG_* */
 	DBGOPT_CONTROL,     /* same order as DBG_* */
 	DBGOPT_LIFECYCLE,   /* same order as DBG_* */
-	DBGOPT_KLIPS,       /* same order as DBG_* */
+	DBGOPT_KERNEL,      /* same order as DBG_* */
 	DBGOPT_DNS,         /* same order as DBG_* */
 	DBGOPT_NATT,        /* same order as DBG_* */
 	DBGOPT_OPPO,        /* same order as DBG_* */
@@ -659,7 +659,8 @@ static const struct option long_opts[] = {
 	{ "debug-emitting", no_argument, NULL, DBGOPT_EMITTING + OO },
 	{ "debug-control", no_argument, NULL, DBGOPT_CONTROL + OO },
 	{ "debug-lifecycle", no_argument, NULL, DBGOPT_LIFECYCLE + OO },
-	{ "debug-klips", no_argument, NULL, DBGOPT_KLIPS + OO },
+	{ "debug-klips", no_argument, NULL, DBGOPT_KERNEL + OO },
+	{ "debug-kernel", no_argument, NULL, DBGOPT_KERNEL + OO },
 	{ "debug-dns", no_argument, NULL, DBGOPT_DNS + OO },
 	{ "debug-natt", no_argument, NULL, DBGOPT_NATT + OO },
 	{ "debug-oppo", no_argument, NULL, DBGOPT_OPPO + OO },
@@ -1595,7 +1596,7 @@ int main(int argc, char **argv)
 		case DBGOPT_EMITTING:   /* --debug-emitting */
 		case DBGOPT_CONTROL:    /* --debug-control */
 		case DBGOPT_LIFECYCLE:  /* --debug-lifecycle */
-		case DBGOPT_KLIPS:      /* --debug-klips */
+		case DBGOPT_KERNEL:     /* --debug-kernel, --debug-klips */
 		case DBGOPT_DNS:        /* --debug-dns */
 		case DBGOPT_NATT:       /* --debug-natt */
 		case DBGOPT_OPPO:       /* --debug-oppo */
diff --git a/testing/INSTALL b/testing/INSTALL
index 27db50013..5e42925f7 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,23 +53,23 @@ are required for the strongSwan testing environment:
     * A vanilla Linux kernel on which the UML kernel will be based on.
       We recommend the use of
 
-      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.3.tar.bz2
+      http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.34.1.tar.bz2
 
-    * The Linux kernel 2.6.33.3 does not require any patches for the uml guest kernel
-      to successfully start up but the aes_gmac patch must be applied for
-      ESP AES-GMAC support.
+    * The Linux kernel 2.6.34.1 does not require any patches for the uml guest kernel
+      to successfully start up but the xfrm_mark patch must be applied for
+      XFRM MARK support.
 
     * The matching .config file required to compile the UML kernel:
 
-      http://download.strongswan.org/uml/.config-2.6.33
+      http://download.strongswan.org/uml/.config-2.6.34
 
     * A gentoo-based UML file system (compressed size 130 MBytes) found at
 
-      http://download.strongswan.org/uml/gentoo-fs-20090615.tar.bz2
+      http://download.strongswan.org/uml/gentoo-fs-20100703.tar.bz2
 
     * The latest strongSwan distribution
 
-      http://download.strongswan.org/strongswan-4.4.1.tar.bz2
+      http://download.strongswan.org/strongswan-4.4.2.tar.bz2
 
 
 3. Creating the environment
diff --git a/testing/Makefile.am b/testing/Makefile.am
index 130b87b43..2aa7d70bc 100644
--- a/testing/Makefile.am
+++ b/testing/Makefile.am
@@ -1,7 +1,7 @@
 noinst_SCRIPTS = do-tests
 CLEANFILES = do-tests
 EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
-             testing.conf hosts images scripts tests INSTALL README
+             testing.conf ssh_config hosts images scripts tests INSTALL README
 
 do-tests : do-tests.in
 	sed \
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 010f4c81b..82b751fd2 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -45,6 +45,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/config/lt~obsolete.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
 	$(top_srcdir)/configure.in
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
@@ -120,6 +121,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREADLIB = @PTHREADLIB@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
@@ -151,14 +154,17 @@ build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
+c_plugins = @c_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
 default_pkcs11 = @default_pkcs11@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -173,24 +179,31 @@ ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
 ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
 libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
 lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
 mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
 mkdir_p = @mkdir_p@
 nm_CFLAGS = @nm_CFLAGS@
 nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
 pdfdir = @pdfdir@
 piddir = @piddir@
+pki_plugins = @pki_plugins@
 plugindir = @plugindir@
 pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
@@ -198,7 +211,10 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
 sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
@@ -213,7 +229,7 @@ xml_LIBS = @xml_LIBS@
 noinst_SCRIPTS = do-tests
 CLEANFILES = do-tests
 EXTRA_DIST = do-tests.in make-testing start-testing stop-testing \
-             testing.conf hosts images scripts tests INSTALL README
+             testing.conf ssh_config hosts images scripts tests INSTALL README
 
 all: all-am
 
diff --git a/testing/do-tests.in b/testing/do-tests.in
index 2a869515d..2e67e9367 100755
--- a/testing/do-tests.in
+++ b/testing/do-tests.in
@@ -101,6 +101,16 @@ done
 
 
 ##############################################################################
+# open ssh sessions
+#
+for host in $STRONGSWANHOSTS
+do
+    ssh $SSHCONF -N root@`eval echo \\\$ipv4_$host` &
+    eval ssh_pid_$host="`echo $!`"
+done
+
+
+##############################################################################
 # create header for the results html file
 #
 
@@ -350,7 +360,7 @@ do
 		iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
 		tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &"
 		echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
-		ssh root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
+		ssh $SSHCONF root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
 		eval TDUP_${host}="true"
 	    done
 	fi
@@ -367,7 +377,7 @@ do
 	    if ($2 != "")
 	    {
 		printf("echo \"%s# %s\"; ", $1, $2)
-		printf("ssh root@\044ipv4_%s \"%s\"; ", $1, $2)
+		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
 		printf("echo;\n")
 	    }
 	}' $TESTDIR/pretest.dat` >> $CONSOLE_LOG 2>&1
@@ -379,7 +389,7 @@ do
 
 	function stop_tcpdump {
 	    echo "${1}# killall tcpdump" >> $CONSOLE_LOG
-	    eval ssh root@\$ipv4_${1} killall tcpdump
+	    eval ssh $SSHCONF root@\$ipv4_${1} killall tcpdump
 	    eval TDUP_${1}="false"
 	    echo ""
 	}
@@ -405,12 +415,12 @@ do
 		{
 		    printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
 		    printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047  [%s]\"; ", host, pattern, hit)
-		    printf("ssh root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
+		    printf("ssh \044SSHCONF root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
 		}
 		else
 		{
 		    printf("echo \"%s# %s | grep \047%s\047  [%s]\"; ", host, command, pattern, hit)
-		    printf("ssh root@\044ipv4_%s %s | grep \"%s\"; ",  host, command, pattern)
+		    printf("ssh \044SSHCONF root@\044ipv4_%s %s | grep \"%s\"; ",  host, command, pattern)
 		}
 		printf("cmd_exit=\044?; ")
 		printf("echo; ")
@@ -465,26 +475,26 @@ do
 
 	    for command in statusall listall
 	    do
-		ssh $HOSTLOGIN ipsec $command \
+		ssh $SSHCONF $HOSTLOGIN ipsec $command \
 		    > $TESTRESULTDIR/${host}.$command 2>/dev/null
 	    done
 
 	    for file in strongswan.conf ipsec.conf ipsec.secrets
 	    do
-		scp $HOSTLOGIN:/etc/$file \
+		scp $SSHCONF $HOSTLOGIN:/etc/$file \
 		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
 	    done
 
-	    scp $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
+	    scp $SSHCONF $HOSTLOGIN:/etc/ipsec.d/ipsec.sql \
 	    	$TESTRESULTDIR/${host}.ipsec.sql  > /dev/null 2>&1
 
-	    ssh $HOSTLOGIN ip -s xfrm policy \
+	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm policy \
 		    > $TESTRESULTDIR/${host}.ip.policy 2>/dev/null
-	    ssh $HOSTLOGIN ip -s xfrm state \
+	    ssh $SSHCONF $HOSTLOGIN ip -s xfrm state \
 		    > $TESTRESULTDIR/${host}.ip.state 2>/dev/null
-	    ssh $HOSTLOGIN ip route list table $SOURCEIP_ROUTING_TABLE \
+	    ssh $SSHCONF $HOSTLOGIN ip route list table $SOURCEIP_ROUTING_TABLE \
 		    > $TESTRESULTDIR/${host}.ip.route 2>/dev/null
-	    ssh $HOSTLOGIN $IPTABLES_CMD \
+	    ssh $SSHCONF $HOSTLOGIN $IPTABLES_CMD \
 		    > $TESTRESULTDIR/${host}.iptables 2>/dev/null
 	    chmod a+r $TESTRESULTDIR/*
 	    cat >> $TESTRESULTDIR/index.html <<@EOF
@@ -521,6 +531,48 @@ do
 
 	done
 
+	for host in $RADIUSHOSTS
+	do
+	    eval HOSTLOGIN=root@\$ipv4_${host}
+
+	    for file in clients.conf eap.conf radiusd.conf proxy.conf users
+	    do
+		scp $SSHCONF $HOSTLOGIN:/etc/raddb/$file \
+		    $TESTRESULTDIR/${host}.$file  > /dev/null 2>&1
+	    done
+
+	    scp $SSHCONF $HOSTLOGIN:/var/log/radius/radius.log \
+	    	$TESTRESULTDIR/${host}.radius.log  > /dev/null 2>&1
+
+	    chmod a+r $TESTRESULTDIR/*
+	    cat >> $TESTRESULTDIR/index.html <<@EOF
+    <h3>$host</h3>
+      <table border="0" cellspacing="0" width="600">
+      <tr>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.clients.conf">clients.conf</a></li>
+	    <li><a href="$host.radiusd.conf">radiusd.conf</a></li>
+	  </ul>
+	</td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.eap.conf">eap.conf</a></li>
+	    <li><a href="$host.radius.log">radius.log</a></li>
+	  </ul>
+      </td>
+	<td valign="top">
+	  <ul>
+	    <li><a href="$host.proxy.conf">proxy.conf</a></li>
+	    <li><a href="$host.users">users</a></li>
+	  </ul>
+      </td>
+    </tr>
+    </table>
+@EOF
+
+	done
+
 	cat >> $TESTRESULTDIR/index.html <<@EOF
   </td></tr>
   <tr><td align="right">
@@ -543,7 +595,7 @@ do
 	    if ($2 != "")
 	    {
 		printf("echo \"%s# %s\"; ", $1, $2)
-		printf("ssh root@\044ipv4_%s \"%s\"; ", $1, $2)
+		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
 		printf("echo;\n")
 	    }
 	}' $TESTDIR/posttest.dat` >> $CONSOLE_LOG 2>&1
@@ -556,10 +608,10 @@ do
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $HOSTLOGIN grep pluto /var/log/auth.log \
+	    ssh $SSHCONF $HOSTLOGIN grep pluto /var/log/auth.log \
 		> $TESTRESULTDIR/${host}.auth.log
 	    echo >> $TESTRESULTDIR/${host}.auth.log
-	    ssh $HOSTLOGIN grep charon /var/log/auth.log \
+	    ssh $SSHCONF $HOSTLOGIN grep charon /var/log/auth.log \
 		>> $TESTRESULTDIR/${host}.auth.log
 	done
 
@@ -571,10 +623,10 @@ do
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $HOSTLOGIN grep pluto /var/log/daemon.log \
+	    ssh $SSHCONF $HOSTLOGIN grep pluto /var/log/daemon.log \
 		> $TESTRESULTDIR/${host}.daemon.log
 	    echo >> $TESTRESULTDIR/${host}.daemon.log
-	    ssh $HOSTLOGIN grep charon /var/log/daemon.log \
+	    ssh $SSHCONF $HOSTLOGIN grep charon /var/log/daemon.log \
 		>> $TESTRESULTDIR/${host}.daemon.log
 	done
 
@@ -588,7 +640,7 @@ do
 	    if [ "`eval echo \\\$TDUP_${host}`" = "true" ]
 	    then
 		echo "${host}# killall tcpdump" >> $CONSOLE_LOG
-		eval ssh root@\$ipv4_$host killall tcpdump
+		eval ssh $SSHCONF root@\$ipv4_$host killall tcpdump
 		eval TDUP_${host}="false"
 	    fi
 	done
@@ -639,7 +691,7 @@ do
 	for host in $IPSECHOSTS
 	do
 	    eval HOSTLOGIN=root@\$ipv4_${host}
-	    ssh $HOSTLOGIN 'if [ -f /var/run/charon.pid ]; then rm /var/run/charon.pid; echo "    removed charon.pid on `hostname`"; fi'
+	    ssh $SSHCONF $HOSTLOGIN 'if [ -f /var/run/charon.pid ]; then rm /var/run/charon.pid; echo "    removed charon.pid on `hostname`"; fi'
 	done
 
     done
@@ -694,10 +746,20 @@ cecho ""
 HTDOCS="/var/www/localhost/htdocs"
 
 cecho-n "Copying test results to winnetou.."
-ssh root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
-scp -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
-ssh root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
+ssh $SSHCONF root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
+scp $SSHCONF -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
+ssh $SSHCONF root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
 cgecho "done"
 cecho ""
 cecho "The results are available in $TODAYDIR"
 cecho "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
+
+
+##########################################################################
+# close ssh sessions
+#
+for host in $STRONGSWANHOSTS
+do
+    kill `eval echo \\\$ssh_pid_$host`
+done
+
diff --git a/testing/hosts/alice/etc/init.d/radiusd b/testing/hosts/alice/etc/init.d/radiusd
new file mode 100755
index 000000000..8334385f9
--- /dev/null
+++ b/testing/hosts/alice/etc/init.d/radiusd
@@ -0,0 +1,64 @@
+#!/sbin/runscript
+
+opts="${opts} reload"
+
+depend() {
+	need net
+	use dns
+}
+
+checkconfig() {
+	# set the location of log files
+	if ! cd /var/log/radius ; then
+		eerror "Failed to change current directory to /var/log/radius"
+		return 1
+	fi
+
+	if [ ! -d /var/run/radiusd ] && ! mkdir /var/run/radiusd ; then
+		eerror "Failed to create /var/run/radiusd"
+		return 1
+	fi
+	
+	if [ ! -f /etc/raddb/radiusd.conf ] ; then
+		eerror "No /etc/raddb/radiusd.conf file exists!"
+		return 1
+	fi
+
+	RADIUSD_OPTS="-xx"
+	RADIUSD_USER=`grep '^ *user *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
+	RADIUSD_GROUP=`grep '^ *group *=' /etc/raddb/radiusd.conf | cut -d ' ' -f 3`
+	if [ -n "${RADIUSD_USER}" ] && ! getent passwd ${RADIUSD_USER} > /dev/null ; then
+		eerror "${RADIUSD_USER} user missing!"
+		return 1
+	fi
+	if [ -n "${RADIUSD_GROUP}" ] && ! getent group ${RADIUSD_GROUP} > /dev/null ; then
+		eerror "${RADIUSD_GROUP} group missing!"
+		return 1
+	fi
+
+	# radius.log is created before privileges are dropped - need to set proper permissions on it
+	[ -f radius.log ] || touch radius.log || return 1
+
+	chown -R "${RADIUSD_USER:-root}:${RADIUSD_GROUP:-root}" . /var/run/radiusd && \
+		chmod -R u+rwX,g+rX . /var/run/radiusd || return 1
+}
+
+start() {
+	checkconfig || return 1
+
+	ebegin "Starting radiusd"
+	start-stop-daemon --start --quiet --exec /usr/sbin/radiusd -- ${RADIUSD_OPTS} >/dev/null
+	eend $?
+}
+
+stop () {
+	ebegin "Stopping radiusd"
+	start-stop-daemon --stop --quiet --pidfile=/var/run/radiusd/radiusd.pid
+	eend $?
+}
+
+reload () {
+	ebegin "Reloading radiusd"
+	kill -HUP `</var/run/radiusd/radiusd.pid`
+	eend $?
+}
diff --git a/testing/hosts/alice/etc/ipsec.conf b/testing/hosts/alice/etc/ipsec.conf
index 312cadb8f..134c1c032 100755
--- a/testing/hosts/alice/etc/ipsec.conf
+++ b/testing/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 		
 conn nat-t
 	left=%defaultroute
diff --git a/testing/hosts/alice/etc/raddb/certs/aaaCert.pem b/testing/hosts/alice/etc/raddb/certs/aaaCert.pem
new file mode 100644
index 000000000..6aeb0c0b1
--- /dev/null
+++ b/testing/hosts/alice/etc/raddb/certs/aaaCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
+RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
+Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
+Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
+AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
+wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
+EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
+yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
+iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
+bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
+HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
+EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
+v42sww==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/alice/etc/raddb/certs/aaaKey.pem b/testing/hosts/alice/etc/raddb/certs/aaaKey.pem
new file mode 100644
index 000000000..da8cdb051
--- /dev/null
+++ b/testing/hosts/alice/etc/raddb/certs/aaaKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
+bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
+9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
+/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
+NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
+BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
+Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
+NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
+IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
+Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
+aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
+YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
+b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
+/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
+P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
+V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
+cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
+PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
+a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
+NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
+xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
+J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
+YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
+SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
+EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/alice/etc/raddb/certs/dh b/testing/hosts/alice/etc/raddb/certs/dh
new file mode 100644
index 000000000..9ee09be74
--- /dev/null
+++ b/testing/hosts/alice/etc/raddb/certs/dh
@@ -0,0 +1,5 @@
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAKECDgU/s7GDh2vDd5A10bVlOTcs0e4u8sIsfzGL4kSNokoFqLD6OiVj
+1z1QY1lZz464CSiXzM2A/UqppCsgiXSkjGtDQ87GJpB04fEojzXjxVnHNECJU1o1
+DnW05efrrH8gLm6YxRawQ/aboJxsPdcaaI9CTF9zWYQlDhrpq1RTAgEC
+-----END DH PARAMETERS-----
diff --git a/testing/hosts/alice/etc/raddb/certs/random b/testing/hosts/alice/etc/raddb/certs/random
new file mode 100644
index 000000000..b0dda82b3
--- /dev/null
+++ b/testing/hosts/alice/etc/raddb/certs/random
diff --git a/testing/hosts/alice/etc/raddb/certs/strongswanCert.pem b/testing/hosts/alice/etc/raddb/certs/strongswanCert.pem
new file mode 100644
index 000000000..0865ad22e
--- /dev/null
+++ b/testing/hosts/alice/etc/raddb/certs/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDEwMDExOFoXDTE5MDkwNzEwMDExOFowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBsjCBrzASBgNVHRMBAf8ECDAGAQH/AgEBMAsG
+A1UdDwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0j
+BGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkw
+FwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJv
+b3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBACOSmqEBtBLR9aV3UyCI8gmzR5in
+Lte9aUXXS+qis6F2h2Stf4sN+Nl6Gj7REC6SpfEH4wWdwiUL5J0CJhyoOjQuDl3n
+1Dw3dE4/zqMZdyDKEYTU75TmvusNJBdGsLkrf7EATAjoi/nrTOYPPhSUZvPp/D+Y
+vORJ9Ej51GXlK1nwEB5iA8+tDYniNQn6BD1MEgIejzK+fbiy7braZB1kqhoEr2Si
+7luBSnU912sw494E88a2EWbmMvg2TVHPNzCpVkpNk7kifCiwmw9VldkqYy9y/lCa
+Epyp7lTfKw7cbD04Vk8QJW782L6Csuxkl346b17wmOqn8AZips3tFsuAY3w=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/alice/etc/strongswan.conf b/testing/hosts/alice/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/alice/etc/strongswan.conf
+++ b/testing/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf
index 0172c043b..62c0ec787 100755
--- a/testing/hosts/bob/etc/ipsec.conf
+++ b/testing/hosts/bob/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn nat-t
 	left=%defaultroute
diff --git a/testing/hosts/bob/etc/strongswan.conf b/testing/hosts/bob/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/bob/etc/strongswan.conf
+++ b/testing/hosts/bob/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf
index af5c71b32..1def6ca99 100755
--- a/testing/hosts/carol/etc/ipsec.conf
+++ b/testing/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/hosts/carol/etc/strongswan.conf b/testing/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/carol/etc/strongswan.conf
+++ b/testing/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf
index 16e5299ce..c9d559f0d 100755
--- a/testing/hosts/dave/etc/ipsec.conf
+++ b/testing/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/hosts/dave/etc/strongswan.conf b/testing/hosts/dave/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/dave/etc/strongswan.conf
+++ b/testing/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf
index 9512fb7e5..b1e6549cf 100755
--- a/testing/hosts/moon/etc/ipsec.conf
+++ b/testing/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/hosts/moon/etc/strongswan.conf b/testing/hosts/moon/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/moon/etc/strongswan.conf
+++ b/testing/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/sun/etc/ipsec.conf b/testing/hosts/sun/etc/ipsec.conf
index 77d3fb183..083e58970 100755
--- a/testing/hosts/sun/etc/ipsec.conf
+++ b/testing/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
diff --git a/testing/hosts/sun/etc/strongswan.conf b/testing/hosts/sun/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/sun/etc/strongswan.conf
+++ b/testing/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/venus/etc/ipsec.conf b/testing/hosts/venus/etc/ipsec.conf
index 524640cda..86cd6c9d4 100755
--- a/testing/hosts/venus/etc/ipsec.conf
+++ b/testing/hosts/venus/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn nat-t
 	left=%defaultroute
diff --git a/testing/hosts/venus/etc/strongswan.conf b/testing/hosts/venus/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/hosts/venus/etc/strongswan.conf
+++ b/testing/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 58a88a3cb..dd69a793f 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -31,3 +31,4 @@ V	141123125153Z		1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/C
 V	150226210530Z		1F	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
 V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V	150803083841Z		22	unknown	/C=CH/O=Linux strongSwan/CN=aaa.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index 5fd137735..58a88a3cb 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -30,3 +30,4 @@ V	140826104451Z		1D	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=carol@strong
 V	141123125153Z		1E	unknown	/C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
 V	150226210530Z		1F	unknown	/C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
 V	190404095350Z		20	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V	190404095433Z		21	unknown	/C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/22.pem b/testing/hosts/winnetou/etc/openssl/newcerts/22.pem
new file mode 100644
index 000000000..6aeb0c0b1
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/22.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
+RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
+Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
+Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
+AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
+wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
+EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
+yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
+iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
+bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
+HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
+EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
+v42sww==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index 2bd5a0a98..409940768 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-22
+23
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index aabe6ec39..2bd5a0a98 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-21
+22
diff --git a/testing/scripts/build-umlkernel b/testing/scripts/build-umlkernel
index 7a98fc6c1..b9f0d710d 100755
--- a/testing/scripts/build-umlkernel
+++ b/testing/scripts/build-umlkernel
@@ -119,10 +119,10 @@ cp $KERNELCONFIG .config
 cecho "!!"
 cecho "!! Making .config for kernel. You might be prompted for new parameters!"
 cecho "!!"
-make oldconfig ARCH=um >> $LOGFILE 2>&1
+make oldconfig ARCH=um SUBARCH=i386 2>&1 | tee -a $LOGFILE
 
 cecho-n " * Now compiling uml kernel.."
-make linux ARCH=um  >> $LOGFILE 2>&1
+make linux ARCH=um SUBARCH=i386 >> $LOGFILE 2>&1
 cgecho "done"
 
 cecho-n " * Copying uml kernel to '${BUILDDIR}/linux-uml-${KERNELVERSION}'.."
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 8a083e2ec..e22b65cf4 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -127,6 +127,7 @@ echo "ln -sf /usr/share/zoneinfo/${TZUML} /etc/localtime" >> $INSTALLSHELL
 echo "cd /root/${STRONGSWANVERSION}" >> $INSTALLSHELL
 echo -n "./configure --sysconfdir=/etc" >> $INSTALLSHELL
 echo -n " --with-random-device=/dev/urandom" >> $INSTALLSHELL
+echo -n " --disable-load-warning" >> $INSTALLSHELL
 
 if [ "$USE_LIBCURL" = "yes" ]
 then
@@ -171,6 +172,36 @@ then
     echo -n " --enable-eap-radius" >> $INSTALLSHELL
 fi
 
+if [ "$USE_EAP_TLS" = "yes" ]
+then
+    echo -n " --enable-eap-tls" >> $INSTALLSHELL
+fi
+
+if [ "$USE_EAP_TTLS" = "yes" ]
+then
+    echo -n " --enable-eap-ttls" >> $INSTALLSHELL
+fi
+
+if [ "$USE_EAP_TNC" = "yes" ]
+then
+    echo -n " --enable-eap-tnc" >> $INSTALLSHELL
+fi
+
+if [ "$USE_TNC_IMC" = "yes" ]
+then
+    echo -n " --enable-tnc-imc" >> $INSTALLSHELL
+fi
+
+if [ "$USE_TNC_IMV" = "yes" ]
+then
+    echo -n " --enable-tnc-imv" >> $INSTALLSHELL
+fi
+
+if [ "$USE_TNCCS_11" = "yes" ]
+then
+    echo -n " --enable-tnccs-11" >> $INSTALLSHELL
+fi
+
 if [ "$USE_SQL" = "yes" ]
 then
     echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
@@ -246,8 +277,23 @@ then
     echo -n " --enable-addrblock" >> $INSTALLSHELL
 fi
 
+if [ "$USE_CTR" = "yes" ]
+then
+    echo -n " --enable-ctr" >> $INSTALLSHELL
+fi
+
+if [ "$USE_CCM" = "yes" ]
+then
+    echo -n " --enable-ccm" >> $INSTALLSHELL
+fi
+
+if [ "$USE_GCM" = "yes" ]
+then
+    echo -n " --enable-gcm" >> $INSTALLSHELL
+fi
+
 echo "" >> $INSTALLSHELL
-echo "make" >> $INSTALLSHELL
+echo "make -j" >> $INSTALLSHELL
 echo "make install" >> $INSTALLSHELL
 echo "ldconfig" >> $INSTALLSHELL
 
diff --git a/testing/scripts/gstart-umls b/testing/scripts/gstart-umls
index 624db8d8b..c6fcd26dc 100755
--- a/testing/scripts/gstart-umls
+++ b/testing/scripts/gstart-umls
@@ -67,10 +67,10 @@ do
 	    \$SWITCH_${host} \
 	    mem=${MEM}M con=pty con0=fd:0,fd:1" &
         cgecho "done"
+        sleep 15
     fi
     let "x0+=dx"
     let "y0+=dy"
-    sleep 15
 done
 
 if [ -z "$BOOTING_HOSTS" ]
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
index 8dd3069f6..0e167e8e2 100755
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@@ -45,7 +45,7 @@ then
     for host in `ls $TESTSDIR/$testname/hosts`
     do
 	eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	scp -r $TESTSDIR/$testname/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1
+	scp $SSHCONF -r $TESTSDIR/$testname/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1
     done
 fi
 
@@ -57,6 +57,18 @@ fi
 for host in $IPSECHOSTS
 do
     eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-    ssh $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
+    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
+		    kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
+done
+
+
+##########################################################################
+# clear radius.log on FreeRadius servers
+#
+
+for host in $RADIUSHOSTS
+do
+    eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/radius/radius.log; \
 		    kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
 done
diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults
index b26be9936..64cc0262e 100755
--- a/testing/scripts/restore-defaults
+++ b/testing/scripts/restore-defaults
@@ -46,6 +46,6 @@ then
     for host in `ls $TESTSDIR/${testname}/hosts`
     do
 	eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	scp -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
+	scp $SSHCONF -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
     done
 fi
diff --git a/testing/ssh_config b/testing/ssh_config
new file mode 100644
index 000000000..36569c07c
--- /dev/null
+++ b/testing/ssh_config
@@ -0,0 +1,10 @@
+Host *
+	# debian default
+	SendEnv LANG LC_*
+	HashKnownHosts yes
+	GSSAPIAuthentication yes
+	# faster encryption
+	Ciphers arcfour
+	# share multiple sessions
+	ControlMaster auto
+	ControlPath /tmp/ssh-uml-%r@%h:%p
diff --git a/testing/testing.conf b/testing/testing.conf
index 55716ebaa..b9cb4bb30 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing
 
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.33.3.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.35.2.tar.bz2
 
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 
 # Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.33
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.35
 
 # Bzipped uml patch for kernel
-UMLPATCH=$UMLTESTDIR/aes_gmac.patch.bz2
+#UMLPATCH=$UMLTESTDIR/xfrm_mark.patch.bz2
 
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.4.1.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.4.2.tar.bz2
 
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -42,6 +42,12 @@ USE_EAP_MD5="yes"
 USE_EAP_MSCHAPV2="yes"
 USE_EAP_IDENTITY="yes"
 USE_EAP_RADIUS="yes"
+USE_EAP_TLS="yes"
+USE_EAP_TTLS="yes"
+USE_EAP_TNC="yes"
+USE_TNC_IMC="yes"
+USE_TNC_IMV="yes"
+USE_TNCCS_11="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
@@ -57,9 +63,12 @@ USE_SOCKET_DYNAMIC="yes"
 USE_DHCP="yes"
 USE_FARP="yes"
 USE_ADDRBLOCK="yes"
+USE_CTR="yes"
+USE_CCM="yes"
+USE_GCM="yes"
 
 # Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20090615.tar.bz2
+ROOTFS=$UMLTESTDIR/gentoo-fs-20100805.tar.bz2
 
 # Size of the finished root filesystem in MB
 ROOTFSSIZE=700
@@ -78,6 +87,9 @@ UMLKERNEL=$BUILDDIR/linux-uml-$KERNELVERSION
 # Directory where test results will be stored
 TESTRESULTSDIR=$UMLTESTDIR/testresults
 
+# SSH configuration (speedup SSH)
+SSHCONF="-F $UMLTESTDIR/testing/ssh_config"
+
 # Path to a full strongswan tree on the host system, which is
 # mounted into /root/strongswan-shared. This gives us an easy
 # way to apply and test changes instantly.
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
index a24c69735..cf51269a5 100755
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=camellia128-sha256-modp2048!
 	esp=camellia128-sha256!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
index a8e09f8ff..5571dc086 100755
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=camellia128-sha256-modp2048!
 	esp=camellia128-sha256!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf b/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
index 0848c3696..462427a8c 100755
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=serpent256-sha2_512-modp4096!
 	esp=serpent256-sha2_512!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
index 05edfc7d0..de3c1d1c7 100755
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=serpent256-sha2_512-modp4096!
 	esp=serpent256-sha2_512!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
index 838291f80..4c02699b7 100755
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=twofish256-sha2_512-modp4096!
 	esp=twofish256-sha2_512!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
index c2ef12853..d608ac2f6 100755
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=twofish256-sha2_512-modp4096!
 	esp=twofish256-sha2_512!
 
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl
+  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 77491cfd8..697565a38 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 x509 gcrypt hmac curl
+  load = test-vectors pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 7d8cd1781..5cc54b24f 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl
+  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 77491cfd8..697565a38 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 x509 gcrypt hmac curl
+  load = test-vectors pem pkcs1 x509 gcrypt hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index f0e57e827..92fcbd641 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 208f1c36d..e483eba9d 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index f0e57e827..92fcbd641 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
index c2d2b14ac..83c10cfdc 100644
--- a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
index a42c7a5bd..3be21d055 100755
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn home
 	left=PH_IP_DAVE
@@ -17,5 +18,4 @@ conn home
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
index 340b1a176..d90ab485c 100755
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1 
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index d84d916a5..7a066e53e 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ charon {
 }
 
 pluto {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
 }
 
 libstrongswan {
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index 38db1e4fc..8cb117c7b 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -5,5 +5,5 @@ charon {
 }
 
 pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
 }
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
index d55638907..528e3f1b3 100755
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
index 94517ecbe..991ae4368 100755
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
index 3517077f9..57394c27a 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=blowfish256-sha2_512-modp4096!
 	esp=blowfish256-sha2_512!
 
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
index 28dd532b3..4dbdc67b3 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
index 1b4cca222..427c5d180 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=blowfish256-sha2_512-modp4096!
 	esp=blowfish256-sha2_512!
 
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
index 28dd532b3..4dbdc67b3 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-blowfish/test.conf
+++ b/testing/tests/ikev1/alg-blowfish/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
index 2611115cd..2d6f87b17 100755
--- a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
 	esp=aes128-sha256_96!
 
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
index 758c7a29a..b2a686db0 100755
--- a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
 	esp=aes128-sha256_96!
 
diff --git a/testing/tests/ikev1/alg-sha256-96/test.conf b/testing/tests/ikev1/alg-sha256-96/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha256-96/test.conf
+++ b/testing/tests/ikev1/alg-sha256-96/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
index 0e1db6fbe..66476b83e 100755
--- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
 	esp=aes128-sha256!
 
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
index 584ffda19..2b97ff4f3 100755
--- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
 	esp=aes128-sha256!
 
diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha256/test.conf
+++ b/testing/tests/ikev1/alg-sha256/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
index c60c6615c..42df1dccd 100755
--- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes192-sha384-modp3072!
 	esp=aes192-sha384!
 
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
index 2d361b38a..a75d370aa 100755
--- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes192-sha384-modp3072!
 	esp=aes192-sha384!
 
diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev1/alg-sha384/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha384/test.conf
+++ b/testing/tests/ikev1/alg-sha384/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
index 6bd3ac8c7..329de395c 100755
--- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes256-sha512-modp4096!
 	esp=aes256-sha512!
 
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
index a28269155..8da459a8a 100755
--- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes256-sha512-modp4096!
 	esp=aes256-sha512!
 
diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev1/alg-sha512/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha512/test.conf
+++ b/testing/tests/ikev1/alg-sha512/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
index cdd6929ff..a84b3a6b2 100755
--- a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
index 285dc7234..ce3903596 100755
--- a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
index a0250f597..11cf4d5d1 100755
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
index 53d719d9d..1a47aeb7d 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 openac {
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
index 45118094b..f5050fef1 100755
--- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	compress=yes
 
 conn home
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
index a370ca458..aaf13f5fc 100755
--- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	compress=yes
 
 conn rw
diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/compress/test.conf
+++ b/testing/tests/ikev1/compress/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
index 98e7df65f..bb1879b1d 100755
--- a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
index 25906e890..ec0bc2e88 100755
--- a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
index 1bc6cf4fb..5a7668c64 100755
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -17,6 +17,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=2
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
index fdfff13f0..1b80c0ddd 100755
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -17,6 +17,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=2
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
index e0c758e74..77f6cfcb0 100755
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
index d3603b7aa..1c011dccb 100755
--- a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
index d240302b6..b4bc2101c 100755
--- a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
index d3603b7aa..1c011dccb 100755
--- a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
index 6c2de2e1e..3fbad9070 100755
--- a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
index 8d07e42ba..0b9f891bd 100755
--- a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
index 307d0b6b4..4d5bff62c 100755
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
index ce7afbaf3..dd7ae0b20 100755
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn carol
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
index 5c0763734..caad279bb 100755
--- a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 		
 conn nat-t
 	left=%defaultroute
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
index e79b2ca35..32d2ab0f6 100755
--- a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn nat-t
 	left=%defaultroute
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
index 3533c3f8b..7de7a951e 100755
--- a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 		
 conn nat-t
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
index a50275d98..34490a13a 100755
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	dpdaction=clear
 	dpddelay=10
 	dpdtimeout=30
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
index e6938e79a..3c0b0bf15 100755
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
index ae9b35e97..9f1aded0f 100755
--- a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
         dpdaction=restart
         dpddelay=5
         dpdtimeout=25
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
index bf39d7527..ee28eebf3 100755
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=%defaultroute
 	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
index bf39d7527..ee28eebf3 100755
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=%defaultroute
 	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
index 1f964d0de..0f37e6188 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon 
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
index c098ffd90..ec35eac9a 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn moon
 	left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
index 45ec8094b..21848bc1c 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=%defaultroute
 	leftnexthop=%direct
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
index 6af3a88ac..299b6a831 100755
--- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
index e1bc08ee4..45ada023f 100755
--- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
index 8a9f033f1..168e5d2a8 100755
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
index fb0e59d86..b89d8e861 100755
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	auth=ah
 	ike=aes128-sha
 	esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/test.conf b/testing/tests/ikev1/esp-ah-tunnel/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-ah-tunnel/test.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
index ed905d05f..75ce0fbbe 100755
--- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes256-sha2_256-modp2048!
 	esp=aes256-aesxcbc!
 
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
index f1b7ff56d..c2e0a6dde 100755
--- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes256-sha2_256-modp2048!
 	esp=aes256-aesxcbc!
 
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
index feeef7901..a5715a7f1 100755
--- a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-md5-modp1024!
 	esp=des-md5!
 
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
index be4c9aced..0329a533d 100755
--- a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-md5-modp1024!
 	esp=des-md5!
 
diff --git a/testing/tests/ikev1/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-alg-des/test.conf
+++ b/testing/tests/ikev1/esp-alg-des/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index 3c9fdbb71..fe76579ac 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes-sha1
 	esp=null-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index 62f17df49..b768b8ee4 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes-sha1!
 	esp=null-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-alg-null/test.conf
+++ b/testing/tests/ikev1/esp-alg-null/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
index 21997940b..46a619016 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-sha1
 	esp=3des-sha1
 
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 14f58ccc3..86a15c96d 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha1
 	esp=aes128-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
index 7e2de30cd..052541b21 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-sha,aes128-sha1
 	esp=3des-sha1,aes128-sha1
 
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
index 14f58ccc3..86a15c96d 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha1
 	esp=aes128-sha1!
 
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
index feeef7901..a5715a7f1 100755
--- a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-md5-modp1024!
 	esp=des-md5!
 
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
index 147d8ffaa..e5fed2f06 100755
--- a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
index b984b8d14..95739fe51 100755
--- a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
index bb409adcc..a0d600a6f 100755
--- a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	right=PH_IP_SUN
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
index 49c84d894..b56189c6c 100755
--- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
index e517b39cd..1f2ade20b 100755
--- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
index 63ad1c01d..d75a7022e 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-sha1
 	esp=3des-sha1
 
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 1ea5fe7a5..460ff749c 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha1!
 	esp=aes128-sha1
 
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
index 9272bdc7f..36bdc0fa4 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=3des-sha1,aes128-sha1
 	esp=3des-sha1,aes128-sha1
 conn home
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
index 1ea5fe7a5..460ff749c 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128-sha1!
 	esp=aes128-sha1
 
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
index 90eb30a9b..630135adc 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
 }
 
 libhydra {
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
index 90eb30a9b..630135adc 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
 }
 
 libhydra {
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index 90eb30a9b..630135adc 100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
 }
 
 libhydra {
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
index f05916614..3d6addb62 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn alice
 	also=home
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
index 44644f2af..0b93eb58f 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn alice
         also=home
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
index ce760a473..7f5bb812f 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=192.168.0.1
 	leftsourceip=10.1.0.1
 	leftcert=moonCert.pem
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
index 21493adc3..fb989daff 100644
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP6_VENUS
 }
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
index 594f2c59b..64c97eb16 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	rekeymargin=3m
 	rekey=no
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
index 469145fb8..ba47559a0 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
index 79be57226..8b125ab80 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	modeconfig=push
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
index 797025c4d..f8d952d21 100644
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
index b019c5a33..4cea3d81b 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	right=PH_IP_CAROL
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
index 5b38a2041..cf96ddeca 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	right=PH_IP_DAVE
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
index 911531edb..b01f5b112 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightsourceip=PH_IP_MOON1
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
index 57ec7040e..9c75434c2 100755
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
index 3179faa05..726998e19 100755
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
index ce26fc5e9..37278081e 100755
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	rekey=no
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
index 797025c4d..f8d952d21 100644
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index cfdc692d7..d9e5b119e 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index fecce5efa..bf83264af 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index 994792f7d..50b896541 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -26,6 +26,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
index 04a512eb7..4d42b1419 100755
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
index a9e648f5e..f91ca63a8 100755
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
index 1da39e483..39a1aa825 100755
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
index 8e41bb124..ca5919d5c 100755
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn duck 
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
index d240302b6..b4bc2101c 100755
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index fdca83e18..0b9917b53 100755
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
index d4ce57333..cf93bb231 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
index ea445522e..5f04445d2 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
index cf952be47..f79c501a8 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
index 0adb2593d..d11724c28 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftsendcert=ifasked
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
index 0e8e413e6..2d80aad8a 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	leftsendcert=ifasked
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
index 1e00096c8..9b97015fd 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftsendcert=ifasked
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
index 82576bb2b..1ee1b7749 100755
--- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-net
 	left=192.168.0.1
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
index 506417867..57496e10e 100755
--- a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-net
 	left=192.168.0.2
diff --git a/testing/tests/ikev1/nat-two-rw-mark/description.txt b/testing/tests/ikev1/nat-two-rw-mark/description.txt
new file mode 100644
index 000000000..2a93d11d8
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
+after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark</b> parameter in ipsec.conf.
+<p/>
+<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
+and from <b>alice</b> and <b>venus</b>, respectively.
+<p/>
+The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts 
+iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules 
+that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> 
+and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
new file mode 100644
index 000000000..fa64c3d88
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::alice.*alice@strongswan.org::YES
+sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::venus.*venus.strongswan.org::YES
+sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
+sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..4ed556226
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn nat-t
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..2b346430e
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control parsing" #parsing to get knl 2 messages
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn alice
+	rightid=alice@strongswan.org
+	mark=10/0xffffffff
+	also=sun
+	auto=add
+
+conn venus
+	rightid=@venus.strongswan.org
+	mark=20  #0xffffffff is used by default
+	also=sun
+	auto=add
+
+conn sun
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/mark_updown
+	right=%any
+	rightsubnet=10.1.0.0/25
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..0d22e684d
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown
@@ -0,0 +1,527 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+	if [ -n "$PLUTO_UDP_ENC" ]
+	then
+	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+	else
+		SET_MARK="-p esp"
+	fi
+	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..0be3477c1
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	nat_traversal=yes
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn nat-t
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-mark/posttest.dat b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat
new file mode 100644
index 000000000..89d5f534b
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat
@@ -0,0 +1,11 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
+sun::conntrack -F
+sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev1/nat-two-rw-mark/pretest.dat b/testing/tests/ikev1/nat-two-rw-mark/pretest.dat
new file mode 100644
index 000000000..310e5be71
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/pretest.dat
@@ -0,0 +1,21 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500  -j SNAT --to PH_IP_MOON:510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500  -j SNAT --to PH_IP_MOON:520
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+venus::sleep 2
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/ikev1/nat-two-rw-mark/test.conf b/testing/tests/ikev1/nat-two-rw-mark/test.conf
new file mode 100644
index 000000000..ae3c190b8
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
index e8576f0e7..eee3c45e8 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 		
 conn nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
index ebd735a11..a7c500fe2 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
index e8576f0e7..eee3c45e8 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 		
 conn nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
index 83d2b268a..a38c66023 100755
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
index d5b7c39fa..6a373e29f 100755
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
index bbd1f3a06..094ab3bed 100755
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
index abe91e6ee..428b10ce6 100755
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
index 7302a423b..ad0359f01 100755
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn net-net
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
index 7633f5c8b..9bbff9039 100755
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn net-net
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
index 5eedd9f28..c63ec2f30 100755
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn net-net
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
index 24bd66f53..e21ee9910 100755
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn net-net
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
index eabb76bf7..bc72fab0f 100755
--- a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
index 18b18f3ea..837c1ab56 100755
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
index 4bf0f97aa..c50c4c594 100644
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
index 3f2bc48c0..efd9c798a 100755
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
index 4bf0f97aa..c50c4c594 100644
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-same-nets/description.txt b/testing/tests/ikev1/net2net-same-nets/description.txt
new file mode 100644
index 000000000..d0eb3374f
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/description.txt
@@ -0,0 +1,15 @@
+A connection between two identical <b>10.0.0.0/14</b> networks behind the gateways <b>moon</b>
+and <b>sun</b> is set up. In order to make network routing work, the subnet behind <b>moon</b>
+sees the subnet behind <b>sun</b> as <b>10.4.0.0/14</b> whereas the subnet behind <b>sun</b>
+sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are
+done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets.
+<p/>
+Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic whereas on gateway <b>sun</b> the script indicated by
+<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the
+connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create
+the necessary NETMAP operations and forward the tunneled traffic.
+<p/>
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
diff --git a/testing/tests/ikev1/net2net-same-nets/evaltest.dat b/testing/tests/ikev1/net2net-same-nets/evaltest.dat
new file mode 100644
index 000000000..b5ad0628e
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::net-net.*IPsec SA established::YES
+sun::ipsec statusall::net-net.*IPsec SA established::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
+bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES 
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..30af017ff
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.0.0.0/14
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.4.0.0/14
+	auto=add
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..5e924cf25
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+	plutodebug=control
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev1
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.4.0.0/14
+	leftupdown=/etc/mark_updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.0.0.0/14
+	mark_in=8
+	mark_out=4
+	auto=add
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..0bfdcad85
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -0,0 +1,376 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+# define NETMAP
+SAME_NET=$PLUTO_PEER_CLIENT
+IN_NET=$PLUTO_MY_CLIENT
+OUT_NET="10.8.0.0/14"
+
+# define internal interface
+INT_INTERFACE="eth1"
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+	if [ -n "$PLUTO_UDP_ENC" ]
+	then
+	    SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC"
+	else
+		SET_MARK_IN="-p esp"
+	fi
+	SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# is there an outbound mark to be set?
+if [ -n "$PLUTO_MARK_OUT" ]
+then
+	SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK_IN
+	    iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+		     -d $IN_NET -j NETMAP --to $SAME_NET 
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
+	    iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+	             -s $SAME_NET -j NETMAP --to $OUT_NET 
+	fi
+	if [ -n "$PLUTO_MARK_OUT" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK_OUT 
+	    iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -d $OUT_NET -j NETMAP --to $SAME_NET
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+            iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+                     -s $SAME_NET -j NETMAP --to $IN_NET
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK_IN
+	    iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+	             -d $IN_NET -j NETMAP --to $SAME_NET 
+	    iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
+	    iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \
+	             -s $SAME_NET -j NETMAP --to $OUT_NET 
+	fi
+	if [ -n "$PLUTO_MARK_OUT" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK_OUT
+	    iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev1/net2net-same-nets/posttest.dat b/testing/tests/ikev1/net2net-same-nets/posttest.dat
new file mode 100644
index 000000000..e75e66650
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/posttest.dat
@@ -0,0 +1,7 @@
+sun::iptables -t mangle -n -v -L PREROUTING
+sun::iptables -t nat -n -v -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::conntrack -F
diff --git a/testing/tests/ikev1/net2net-same-nets/pretest.dat b/testing/tests/ikev1/net2net-same-nets/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-same-nets/test.conf b/testing/tests/ikev1/net2net-same-nets/test.conf
new file mode 100644
index 000000000..1971a33ab
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
index e2e43cecd..acb12e7f3 100755
--- a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
index 9a1f0934b..a62964829 100755
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolRevokedCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
index 9b0c9b534..cd2ab0aca 100755
--- a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
index 5624f4fcf..c79b1c3e2 100755
--- a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
index 9b0c9b534..cd2ab0aca 100755
--- a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
index 557fb62eb..25eec2a3e 100755
--- a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	right=PH_IP_SUN
diff --git a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
index 9276f1f90..7541aa894 100755
--- a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
index 3adfdc0b8..48df689af 100755
--- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
index e1ce14973..c4bfebda1 100755
--- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
index 913e6d91a..aae781b69 100755
--- a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home-icmp
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
index d941e81ef..7b80a299e 100755
--- a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw-icmp
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
index dfc0143ed..2bb557410 100755
--- a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
index e1ce14973..c4bfebda1 100755
--- a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
index 6db69096b..7c2bb3a98 100755
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 72ff765c3..7403971e9 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 72ff765c3..7403971e9 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-mark-in-out/description.txt b/testing/tests/ikev1/rw-mark-in-out/description.txt
new file mode 100644
index 000000000..4c35081b1
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
+gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
+and 10.3.0.20, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf.
+<p/>
+<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
+and from <b>alice</b> and <b>venus</b>, respectively.
+<p/>
+The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
+iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
+that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b>
+and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/rw-mark-in-out/evaltest.dat b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat
new file mode 100644
index 000000000..168b3dfb9
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+venus::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::alice.*alice@strongswan.org::YES
+sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::venus.*venus.strongswan.org::YES
+sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
+sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..5594bbf52
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..4256006c0
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..83fe9eed2
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug="control"
+	crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn alice
+	rightid=alice@strongswan.org
+	mark_in=10/0xffffffff
+	mark_out=11/0xffffffff
+	also=sun
+	auto=add
+
+conn venus
+	rightid=@venus.strongswan.org
+	mark_in=20  #0xffffffff is used by default
+	mark_out=21 #0xffffffff is used by default
+	also=sun
+	auto=add
+
+conn sun
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftupdown=/etc/mark_updown
+	right=%any
+	rightsubnet=10.1.0.0/25
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..0d22e684d
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -0,0 +1,527 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+	if [ -n "$PLUTO_UDP_ENC" ]
+	then
+	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+	else
+		SET_MARK="-p esp"
+	fi
+	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -A PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	if [ -n "$PLUTO_MARK_IN" ]
+	then
+	    iptables -t mangle -D PREROUTING $SET_MARK
+	fi
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
new file mode 100755
index 000000000..5594bbf52
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+        # allow ESP 
+        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+			
+	# allow MOBIKE 
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..e7561ebbe
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutodebug=control
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	charonstart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=%defaultroute
+	leftsubnet=10.1.0.0/25
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-mark-in-out/posttest.dat b/testing/tests/ikev1/rw-mark-in-out/posttest.dat
new file mode 100644
index 000000000..fae79271b
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/posttest.dat
@@ -0,0 +1,12 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::ip route del 10.1.0.0/16 via PH_IP_MOON
+sun::conntrack -F
+sun::rm /etc/mark_updown
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev1/rw-mark-in-out/pretest.dat b/testing/tests/ikev1/rw-mark-in-out/pretest.dat
new file mode 100644
index 000000000..427e5c67f
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/pretest.dat
@@ -0,0 +1,18 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2
+alice::ipsec up home
+venus::sleep 2
+venus::ipsec up home
+venus::sleep 2
diff --git a/testing/tests/ikev1/rw-mark-in-out/test.conf b/testing/tests/ikev1/rw-mark-in-out/test.conf
new file mode 100644
index 000000000..ae3c190b8
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
index f0e4036c0..ffa211299 100755
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn home
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
index 864d014de..5f7cdedd2 100755
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn rw-carol 
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index f0e4036c0..ffa211299 100755
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn home
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index f3a6db107..efec3b33d 100755
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn rw
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index d76337996..0d2a5d2c4 100755
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn home
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index 025f335b2..41582eaef 100755
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn rw
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
index 980523a5e..c040fe88f 100755
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	
 conn home
 	authby=secret
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
index d57d790d1..f0dbeb323 100755
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random
+  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
index 08a41e612..f2a15af0a 100755
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=aes128,serpent128,twofish128,3des
 	
 conn home
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
index b8900c082..02270e004 100755
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
index dbfac50e2..dbd3adb4c 100755
--- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
@@ -8,6 +8,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw-psk
 	authby=secret
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
index db281ef80..f6859b8a4 100755
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
index f3c2be9a1..f14352bf8 100755
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn carol
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
 }
 
 scepclient {
diff --git a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
index cd751df3d..af2fcc5dc 100755
--- a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
index e78231f0c..2bd4985ca 100755
--- a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
index 57ec7040e..9c75434c2 100755
--- a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
index 3179faa05..726998e19 100755
--- a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
index 7cd938628..bd47f9e09 100644
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
+++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
@@ -5,6 +5,7 @@ conn %default
         keylife=20m
         rekeymargin=3m
         keyingtries=1
+	keyexchange=ikev1
 
 include /etc/ipsec.host
 
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
index a2af4e9f8..2a1dad5c6 100755
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
index e48b1a78c..e10e9d45c 100755
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
index b9710cb14..67e97ebc2 100755
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
index b4ad3c011..4dfa345f4 100755
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	right=PH_IP_CAROL
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
index eafcf5e55..b65d7a690 100755
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
index 71aa4decf..e0ef16930 100755
--- a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
index 471e9e833..63a8c92b5 100755
--- a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
index d4ce57333..cf93bb231 100755
--- a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
index ea445522e..5f04445d2 100755
--- a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	right=PH_IP_MOON
diff --git a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
index 8952bc92f..39b031551 100755
--- a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
index 30b657662..e3cf9b15d 100755
--- a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn system
 	left=PH_IP_ALICE
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
index ab3287aee..61ce28e6b 100755
--- a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn alice
 	right=PH_IP_ALICE
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
index bb9897c79..fa2dc953e 100755
--- a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn system
 	left=PH_IP_VENUS
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
index aa0ae1289..b7402d24b 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
index dbd431cc2..e3f377d18 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
index 0243f5afb..8f9226dd1 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
index dbd431cc2..e3f377d18 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
index 4206f8916..452187f11 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
index dbd431cc2..089467da4 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth attr kernel-netlink
+  dns1 = 192.168.0.150
+  dns2 = 10.1.0.20
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
index 42fa8359b..f90d222b5 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
index 48015ad4c..da1a10513 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
index baa85e32c..3a4b75af6 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
index c92ad8748..850ea561b 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
index 32b1227bb..be62c2b8f 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
index 090deac77..c09fb3c2c 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
index f79a81a6f..251041443 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
index 684ace0d3..1c7d7002e 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
index 14307a7f0..782c160c9 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 
 conn home
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
index a4e01b564..595e6588c 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthpsk
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth
+  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
index 47bf1dafc..186d8e121 100755
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
index f79a81a6f..251041443 100755
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
index 47928181f..ca2df4b28 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
index 8c8cb4a2d..079c6b0d5 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
index 1c48e13e7..0a65acb5d 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 	xauth=server
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
index 42fa8359b..f90d222b5 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
index 1e21fbb97..fc86bab41 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
index 94cc6819d..e2709cdf1 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
index 47bf1dafc..186d8e121 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
index 1fcf71d5c..478e732ae 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 
 conn home
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
index f79a81a6f..251041443 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=xauthrsasig
 	xauth=server
 
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev2/alg-3des-md5/test.conf b/testing/tests/ikev2/alg-3des-md5/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-3des-md5/test.conf
+++ b/testing/tests/ikev2/alg-3des-md5/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-aes-ccm/description.txt b/testing/tests/ikev2/alg-aes-ccm/description.txt
new file mode 100644
index 000000000..28e38ca7f
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_CCM_12_128</b> both for IKE and ESP by defining <b>ike=aes128ccm12-aesxcbc-modp2048</b>
+(or alternatively <b>aes128ccm96</b>) and <b>esp=aes128ccm12-modp2048</b> in ipsec.conf, respectively.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
index f7959d129..0834a8db0 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
@@ -1,9 +1,11 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CCM_12_128::YES
-carol::ipsec statusall::AES_CCM_12_128::YES
-carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon::ipsec statusall::IKE proposal: AES_CCM_12_128::YES
+carol::ipsec statusall::IKE proposal: AES_CCM_12_128::YES
+moon::ipsec statusall::AES_CCM_12_128,::YES
+carol::ipsec statusall::AES_CCM_12_128,::YES
 moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
+carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
index 85c825002..6bcfbc28d 100755
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
+	ike=aes128ccm96-aesxcbc-modp2048!
 	esp=aes128ccm96-modp2048!
 
 conn home
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
index 339b56987..db2c09bae 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
index 8f8404516..1d6f13861 100755
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
+	ike=aes128ccm12-aesxcbc-modp2048!
 	esp=aes128ccm12-modp2048!
 
 conn rw
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
index 339b56987..db2c09bae 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
index 94a400606..94a400606 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
index f360351e1..f360351e1 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf b/testing/tests/ikev2/alg-aes-ccm/test.conf
index acb73b06f..acb73b06f 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/test.conf
diff --git a/testing/tests/ikev2/alg-aes-ctr/description.txt b/testing/tests/ikev2/alg-aes-ctr/description.txt
new file mode 100644
index 000000000..edb601b61
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_CTR_128</b> both for IKE and ESP by defining <b>ike=aes128ctr-aesxcbc-modp2048</b>
+and <b>esp=aes128ctr-aesxcbc-modp2048</b> in ipsec.conf, respectively.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
index 6b5d0ba0b..522ce6088 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
@@ -1,8 +1,10 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES
-carol::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES
+moon::ipsec statusall::IKE proposal: AES_CTR_128::YES
+carol::ipsec statusall::IKE proposal: AES_CTR_128::YES
+moon::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES
+carol::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES
 moon::ip xfrm state::rfc3686(ctr(aes))::YES
 carol::ip xfrm state::rfc3686(ctr(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
index 02ca66b75..70c482835 100755
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
+	ike=aes128ctr-aesxcbc-modp2048!
 	esp=aes128ctr-aesxcbc-modp2048!
 
 conn home
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
index 339b56987..be46d6d3e 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
index 1c19714b9..bf103742f 100755
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp2048!
+	ike=aes128ctr-aesxcbc-modp2048!
 	esp=aes128ctr-aesxcbc-modp2048!
 
 conn rw
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
index 339b56987..be46d6d3e 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
index 94a400606..94a400606 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
index f360351e1..f360351e1 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf b/testing/tests/ikev2/alg-aes-ctr/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-aes-gcm/description.txt b/testing/tests/ikev2/alg-aes-gcm/description.txt
new file mode 100644
index 000000000..2afcecd68
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/description.txt
@@ -0,0 +1,5 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-aesxcbc-modp2048</b>
+(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
+respectively.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
index 7434cc156..9cd3e8e15 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
@@ -1,9 +1,11 @@
 moon::ipsec statusall::rw.*INSTALLED::YES
 carol::ipsec statusall::home.*INSTALLED::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_GCM_16_256::YES
-carol::ipsec statusall::AES_GCM_16_256::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::ipsec statusall::IKE proposal: AES_GCM_16_256::YES
+carol::ipsec statusall::IKE proposal: AES_GCM_16_256::YES
+moon::ipsec statusall::AES_GCM_16_256,::YES
+carol::ipsec statusall::AES_GCM_16_256,::YES
 moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
index df2b7437d..e3f19aff8 100755
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-aesxcbc-modp2048!
+	ike=aes256gcm128-aesxcbc-modp2048!
 	esp=aes256gcm128-modp2048!
 
 conn home
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7fe7619f1
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
index 661681105..0d51a3ea8 100755
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-aesxcbc-modp2048!
+	ike=aes256gcm16-aesxcbc-modp2048!
 	esp=aes256gcm16-modp2048!
 
 conn rw
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7fe7619f1
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
index 94a400606..94a400606 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
index f360351e1..f360351e1 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
diff --git a/testing/tests/ikev2/alg-aes-gcm/test.conf b/testing/tests/ikev2/alg-aes-gcm/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha256-96/test.conf
+++ b/testing/tests/ikev2/alg-sha256-96/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha256/test.conf
+++ b/testing/tests/ikev2/alg-sha256/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha384/test.conf
+++ b/testing/tests/ikev2/alg-sha384/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha512/test.conf
+++ b/testing/tests/ikev2/alg-sha512/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev2/compress/test.conf
+++ b/testing/tests/ikev2/compress/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2/dpd-hold/test.conf
index 2b240d895..5442565f8 100644
--- a/testing/tests/ikev2/dpd-hold/test.conf
+++ b/testing/tests/ikev2/dpd-hold/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
deleted file mode 100644
index 9fe03b010..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-modp2048</b> or alternatively
-<b>esp=aes128ccm96-modp2048</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/description.txt b/testing/tests/ikev2/esp-alg-aes-ctr/description.txt
deleted file mode 100644
index 6443a348f..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CTR_128 / AES_XCBC_96</b> by defining <b>esp=aes128ctr-aesxcbc-modp2048</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
deleted file mode 100644
index bd9521e0d..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively
-<b>esp=aes256gcm128-modp2048</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/esp-alg-null/test.conf
+++ b/testing/tests/ikev2/esp-alg-null/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index 1c955057a..5b88b2163 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat
index 7cebd7f25..1777f439f 100644
--- a/testing/tests/ikev2/ip-pool-wish/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat
index 7cebd7f25..1777f439f 100644
--- a/testing/tests/ikev2/ip-pool/posttest.dat
+++ b/testing/tests/ikev2/ip-pool/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
index 32b445090..9d88281ad 100644
--- a/testing/tests/ikev2/ip-split-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::ipsec pool --del pool0 2> /dev/null
 moon::ipsec pool --del pool1 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 83052889c..7b0393ebd 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -1,8 +1,8 @@
 alice::ipsec stop
 venus::ipsec stop
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 alice::/etc/init.d/iptables stop 2> /dev/null
 venus::/etc/init.d/iptables stop 2> /dev/null
 moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index f849b7e1a..f41bb0fbc 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -1,6 +1,6 @@
 alice::ipsec stop
-moon::ipsec stop
 carol::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 alice::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index d64b3da7d..897db40ed 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -13,7 +13,7 @@ moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RS
 dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
 dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
-moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
 moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
 moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
index 442233f32..0d22e684d 100755
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
@@ -124,7 +124,7 @@
 #       PLUTO_MARK_OUT
 #              is an optional XFRM mark set on the outbound IPsec SA
 #
-#       PLUTO_ESP_ENC
+#       PLUTO_UDP_ENC
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index d7b68956c..c64158a2f 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -124,7 +124,7 @@
 #       PLUTO_MARK_OUT
 #              is an optional XFRM mark set on the outbound IPsec SA
 #
-#       PLUTO_ESP_ENC
+#       PLUTO_UDP_ENC
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index a0a045ce8..77d3d45e5 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,7 +1,7 @@
 moon::cat /var/log/daemon.log::requesting ocsp status from::YES
 moon::cat /var/log/daemon.log::ocsp response verification failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 2e0f059c6..6a253d830 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,7 +1,7 @@
 moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
 moon::cat /var/log/daemon.log::libcurl http request failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least SKIPPED::YES
 moon::ipsec status::ESTABLISHED.*carol::YES
 moon::ipsec status::ESTABLISHED.*dave::NO
 carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index 45c6ce7c5..44945bf5f 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES
 moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
 moon::cat /var/log/daemon.log::ocsp response verification failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 6d762c970..bbb5a76fd 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 6d762c970..bbb5a76fd 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 6d762c970..bbb5a76fd 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
index 9c3702cb7..2de32a6f2 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,29 +1,11 @@
 authorize {
-  preprocess
-  chap
-  mschap
-  suffix
   eap {
     ok = return
   }
-  unix
   files
-  expiration
-  logintime
-  pap
 }
 
 authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
   eap
 }
 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index 3508e9d8c..280d62e3c 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,9 +1,5 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/users
 alice::/etc/init.d/radiusd start 
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
index 2bd21499b..e0d77b583 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
index 9c3702cb7..802fcfd8d 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,29 +1,12 @@
 authorize {
-  preprocess
-  chap
-  mschap
   suffix
   eap {
     ok = return
   }
-  unix
   files
-  expiration
-  logintime
-  pap
 }
 
 authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
   eap
 }
 
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index 3508e9d8c..280d62e3c 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,9 +1,5 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/users
 alice::/etc/init.d/radiusd start 
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
index 2bd21499b..e0d77b583 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
index dfceb037d..92896b11e 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,30 +1,11 @@
 authorize {
-  preprocess
-  chap
-  mschap
   sim_files
-  suffix
   eap {
     ok = return
   }
-  unix
-  files
-  expiration
-  logintime
-  pap
 }
 
 authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
   eap
 }
 
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 0a9f41856..0da980c07 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,8 +1,5 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
 alice::cat /etc/raddb/triplets.dat
 alice::/etc/init.d/radiusd start
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
index 2bd21499b..e0d77b583 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
index ff3e67459..852d424af 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -7,7 +7,7 @@ carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
index dfceb037d..126d61d05 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,30 +1,12 @@
 authorize {
-  preprocess
-  chap
-  mschap
   sim_files
   suffix
   eap {
     ok = return
   }
-  unix
-  files
-  expiration
-  logintime
-  pap
 }
 
 authenticate {
-  Auth-Type PAP {
-    pap
-  }
-  Auth-Type CHAP {
-    chap
-  }
-  Auth-Type MS-CHAP {
-    mschap
-  }
-  unix
   eap
 }
 
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
index 9f82ffa2f..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
-  send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
index 9f82ffa2f..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
-  send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
index 8250ae1ab..f21745bcd 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -2,7 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
-  send_vendor_id = yes
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 6a30756b7..5a51733dc 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -4,9 +4,6 @@ dave::/etc/init.d/iptables start 2> /dev/null
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
 alice::cat /etc/raddb/triplets.dat
 alice::/etc/init.d/radiusd start
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
index 70416826e..bb6b68687 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index 5fae7ecd5..b4d66adc6 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -7,7 +7,7 @@ carol::ipsec statusall::home.*ESTABLISHED::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
 moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
 moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/description.txt b/testing/tests/ikev2/rw-eap-tls-fragments/description.txt
new file mode 100644
index 000000000..f6a5f1c7b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
+(without a separate IKEv2 authentication), using TLS client and server certificates,
+respectively. Large certificates and a multi-level trust hierarchy with a path length
+of 3 force a fragmentation of the TLS handshake message into two TLS records. 
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
new file mode 100644
index 000000000..f4d534051
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.d.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..889a47d80
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carol_D_cert.der
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=strongSwan Project, CN=moon.d.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
new file mode 100644
index 000000000..43984fd2b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
new file mode 100644
index 000000000..1b3748ba5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
new file mode 100644
index 000000000..bebee462d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..a1a643655
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carol_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc0bcdff5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+
+  plugins {
+    eap-tls {
+      max_message_count = 40
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9f979e17b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moon_D_cert.der
+	leftauth=eap-tls
+	leftfirewall=yes
+	rightauth=eap-tls
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
new file mode 100644
index 000000000..43984fd2b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
new file mode 100644
index 000000000..4f42bb29a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
new file mode 100644
index 000000000..dda5a5b1c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
new file mode 100644
index 000000000..6f59b569e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
new file mode 100644
index 000000000..8d7a0a774
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
new file mode 100644
index 000000000..cbd7b0dc7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
new file mode 100644
index 000000000..9b1da0ea8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
new file mode 100644
index 000000000..ba08fc3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
new file mode 100644
index 000000000..9fb1ba0f8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
new file mode 100644
index 000000000..88c478c35
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e02427b6b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moon_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc0bcdff5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+
+  plugins {
+    eap-tls {
+      max_message_count = 40
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
new file mode 100644
index 000000000..085b19509
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
new file mode 100644
index 000000000..35d35dc86
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
@@ -0,0 +1,9 @@
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
index acb73b06f..2bd21499b 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/ikev2/rw-eap-tls-only/description.txt b/testing/tests/ikev2/rw-eap-tls-only/description.txt
new file mode 100644
index 000000000..b3e0450a4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/description.txt
@@ -0,0 +1,4 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
+(without a separate IKEv2 authentication), using TLS client and server certificates,
+respectively.
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
new file mode 100644
index 000000000..1e9bdb2af
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3aeab002f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5fe84aea3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..430211020
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftauth=eap-tls
+	leftfirewall=yes
+	rightauth=eap-tls
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5fe84aea3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/test.conf b/testing/tests/ikev2/rw-eap-tls-only/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/description.txt b/testing/tests/ikev2/rw-eap-tls-radius/description.txt
new file mode 100644
index 000000000..842a88c42
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses a mutual <b>EAP-TLS</b> authentication based
+on X.509 certificates with the remote AAA RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
new file mode 100644
index 000000000..f0a674063
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..92f96ad66
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,13 @@
+eap {
+  default_eap_type = tls
+  tls {
+    certdir = /etc/raddb/certs
+    cadir = /etc/raddb/certs
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..990184919
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4f4c8abcf
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5fe84aea3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..be907f839
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	rightid="C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
+	rightauth=eap-radius
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
new file mode 100644
index 000000000..920d6a20d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
new file mode 100644
index 000000000..280d62e3c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/radiusd start 
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/test.conf b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
new file mode 100644
index 000000000..e0d77b583
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-block/description.txt
new file mode 100644
index 000000000..51423177a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements
+<b>carol</b> is authenticated successfully and is granted access to the subnet behind
+<b>moon</b> whereas <b>dave</b> fails the layered EAP authentication and is rejected. 
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
new file mode 100644
index 000000000..2304df23e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES 
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..621e94f0e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+none
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..6747b4a4a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f8700d3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-block/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
new file mode 100644
index 000000000..350aefc60
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b>
+is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas 
+<b>dave</b> fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
new file mode 100644
index 000000000..517ea9ab2
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES         
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE	/usr/share/freeradius/dictionary
+$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
new file mode 100644
index 000000000..f295467a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
@@ -0,0 +1,5 @@
+ATTRIBUTE	TNC-Status	3001	integer
+
+VALUE	TNC-Status	Access	0 
+VALUE	TNC-Status	Isolate	1
+VALUE	TNC-Status	None	2
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..2d4961288
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
@@ -0,0 +1,23 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..a9509a716
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for TNC@FHH-TNC-Server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9cf2b43c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..998e6c2e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..621e94f0e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+none
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fc8f84638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
new file mode 100644
index 000000000..132752119
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
new file mode 100644
index 000000000..dc7d5934e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::/etc/init.d/radiusd start
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
new file mode 100644
index 000000000..bb6b68687
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
new file mode 100644
index 000000000..7eebd3d4d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
new file mode 100644
index 000000000..d0ea22ba9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES            
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE	/usr/share/freeradius/dictionary
+$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
new file mode 100644
index 000000000..f295467a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
@@ -0,0 +1,5 @@
+ATTRIBUTE	TNC-Status	3001	integer
+
+VALUE	TNC-Status	Access	0 
+VALUE	TNC-Status	Isolate	1
+VALUE	TNC-Status	None	2
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..f91bccc72
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	if (control:TNC-Status == "Access") {
+		update reply {
+			Tunnel-Type := ESP 
+			Filter-Id := "allow"
+		}
+	}
+	elsif (control:TNC-Status == "Isolate") {
+		update reply {
+			Tunnel-Type := ESP 
+			Filter-Id := "isolate"	
+		}
+	}
+
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..a9509a716
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for TNC@FHH-TNC-Server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9cf2b43c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..998e6c2e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..33dcdcfb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f4e456bbe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+      filter_id = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
new file mode 100644
index 000000000..132752119
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
new file mode 100644
index 000000000..8dd865819
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
@@ -0,0 +1,18 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::/etc/init.d/radiusd start
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
new file mode 100644
index 000000000..2a52df203
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
new file mode 100644
index 000000000..762b839ee
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>,
+bothe ends doing certificate-based EAP-TLS authentication only.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
new file mode 100644
index 000000000..cebfff25f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES              
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..1b6274215
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..54c06b12e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8898a63ba
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      request_peer_auth = yes
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/description.txt b/testing/tests/ikev2/rw-eap-tnc/description.txt
new file mode 100644
index 000000000..4b4808c94
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
new file mode 100644
index 000000000..a02755148
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2, tnc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f8700d3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server 
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/posttest.dat b/testing/tests/ikev2/rw-eap-tnc/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc/pretest.dat b/testing/tests/ikev2/rw-eap-tnc/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc/test.conf b/testing/tests/ikev2/rw-eap-tnc/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/description.txt b/testing/tests/ikev2/rw-eap-ttls-only/description.txt
new file mode 100644
index 000000000..3d4c3ab87
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+<p/> 
+With the default setting <b>charon.plugins.eap-ttls.phase2_piggyback = no</b> the server
+<b>moon</b> passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by
+sending a tunneled orphan EAP Identity response upon the reception of the server's TLS
+Finished message. Client <b>carol</b> presents the correct MD5 password and succeeds
+whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
new file mode 100644
index 000000000..9586fe558
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..967598643
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ad1255212
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d37848bac
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8cdcb640c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+   }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
new file mode 100644
index 000000000..369596177
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
new file mode 100644
index 000000000..d5f0b267a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+<p/>
+With the setting <b>charon.plugins.eap-ttls.phase2_piggyback = yes</b> the server <b>moon</b>
+initiates phase2 of the EAP-TTLS protocol by piggybacking a tunneled EAP Identity request
+right onto the TLS Finished message. Client <b>carol</b> presents the correct MD5 password
+and succeeds whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
new file mode 100644
index 000000000..9586fe558
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..967598643
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ad1255212
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d37848bac
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b065251ea
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+   }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
new file mode 100644
index 000000000..369596177
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt
new file mode 100644
index 000000000..299106b32
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the
+wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
new file mode 100644
index 000000000..2c0f65159
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -0,0 +1,21 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..c91cd40fb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,18 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..97a2e02c9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..d388060be
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fc8f84638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
new file mode 100644
index 000000000..dbe56013a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
new file mode 100644
index 000000000..cbe1ae229
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -0,0 +1,11 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/radiusd start 
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
new file mode 100644
index 000000000..e6a786a94
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol winnetou dave moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 442233f32..0d22e684d 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -124,7 +124,7 @@
 #       PLUTO_MARK_OUT
 #              is an optional XFRM mark set on the outbound IPsec SA
 #
-#       PLUTO_ESP_ENC
+#       PLUTO_UDP_ENC
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
index 2814e881f..9940e81a5 100755
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
index 4cf027ad5..016adc095 100755
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
index 84abbb07a..bb96a71e0 100755
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
index 4cf027ad5..016adc095 100755
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
index 4e73b5292..1cfd1eb1f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
index 825ae1264..1cfd1eb1f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac 
+  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
 }
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
index b27609917..363c910b0 100755
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn home
 	left=PH_IP6_CAROL
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
index 0129ef744..1b5a2aced 100755
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn rw
 	left=PH_IP6_MOON
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
index 5d77c2dd5..76135d1ee 100755
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn home
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
index 78f674026..69b154bcf 100755
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	authby=secret
 	
 conn rw
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
index 8bc0deba8..69ba50530 100755
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	left=PH_IP6_MOON
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
index b68082dd9..a7c6b18c7 100755
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 
 conn host-host
 	left=PH_IP6_SUN
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
index c226d97d0..982b2fdb2 100755
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=camellia192-sha384-modp3072!
 	esp=camellia192-sha384!
 
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
index e26d972f0..b6f719256 100755
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev1
 	ike=camellia192-sha384-modp3072!
 	esp=camellia192-sha384!
 
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 3562ddc67..bdd3f5582 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl
+  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 63892fd33..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl 
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 3562ddc67..bdd3f5582 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl
+  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 63892fd33..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl 
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index a96b54446..4c5d53dff 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = pem pkcs1 openssl random hmac curl
+  load = pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 1029b8536..a8fecbc2f 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 openssl random hmac curl
+  load = test-vectors pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 2da706ef7..85164eeb7 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl
+  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index edc6dbed4..763503e29 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 openssl random hmac curl
+  load = test-vectors pem pkcs1 openssl random hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 206f029f3..c78da2c08 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 208f1c36d..e483eba9d 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 3ae6205cb..848adaf6a 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt b/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
new file mode 100644
index 000000000..e25da6935
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
+(without a separate IKEv2 authentication), using TLS client and server certificates,
+respectively. Elliptic curve cryptography is used by both the IKE and TLS
+protocols.
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
new file mode 100644
index 000000000..dad834ca6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS version TLS 1.2 with suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..02ece4738
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128-sha256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org"
+	rightsubnet=10.1.0.0/16
+	rightsendcert=never
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..29709926a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
+4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
+BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
+MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
+sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
+ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
+s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5f21c1012
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+
+Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
+KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
+RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..4e53ef91a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ed9b8c764
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+}
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2679d4f9b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tls 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128-sha256!
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftauth=eap-tls
+	leftfirewall=yes
+	rightauth=eap-tls
+	rightsendcert=never
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..5178c7f38
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
+PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
+5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
+BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
+Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
+Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
+j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
+VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
+SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
+l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
+mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
+CI9WpQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..beab0485f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
+yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
+1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
+tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
+pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..46d8e2933
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  multiple_authentication=no
+}
+
+libtls {
+  key_exchange = ecdhe-ecdsa
+  cipher = aes128
+  mac = sha256
+}
+
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-aes-xcbc/test.conf b/testing/tests/pfkey/alg-aes-xcbc/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/test.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/pfkey/alg-sha384/test.conf b/testing/tests/pfkey/alg-sha384/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/alg-sha384/test.conf
+++ b/testing/tests/pfkey/alg-sha384/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/pfkey/alg-sha512/test.conf b/testing/tests/pfkey/alg-sha512/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/alg-sha512/test.conf
+++ b/testing/tests/pfkey/alg-sha512/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/pfkey/esp-alg-null/test.conf b/testing/tests/pfkey/esp-alg-null/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/esp-alg-null/test.conf
+++ b/testing/tests/pfkey/esp-alg-null/test.conf
@@ -5,11 +5,11 @@
 
 # All UML instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
 
 # UML instances on which tcpdump is to be started
 #
diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat
index d4d57ad83..40b1a403e 100644
--- a/testing/tests/sql/ip-pool-db-expired/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index d4d57ad83..40b1a403e 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index d4d57ad83..40b1a403e 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
index 5ff7b9d47..0fce500bf 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat
index 5ff7b9d47..0fce500bf 100644
--- a/testing/tests/sql/ip-split-pools-db/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
+moon::ipsec stop
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*