authorRene Mayrhofer <rene@mayrhofer.eu.org>2007-06-03 17:36:35 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2007-06-03 17:36:35 +0000
commit08ee5250bd9c43fda5f24d10b791ca2c4c17fcee (patch)
treed4e2fc7144e288d624555a38955593e1ee066531
parentb0d8ed94fe9e74afb49fdf5f11e4add29879c65c (diff)
[svn-upgrade] Integrating new upstream version, strongswan (4.1.3)
-rw-r--r--Makefile.in15
-rw-r--r--NEWS56
-rw-r--r--TODO18
-rw-r--r--aclocal.m4157
-rwxr-xr-xconfigure611
-rw-r--r--configure.in82
-rw-r--r--src/Makefile.am2
-rw-r--r--src/Makefile.in17
-rw-r--r--src/_copyright/Makefile.in15
-rw-r--r--src/_updown/Makefile.in15
-rw-r--r--src/_updown_espmark/Makefile.in15
-rw-r--r--src/charon/Makefile.am195
-rw-r--r--src/charon/Makefile.in1933
-rw-r--r--src/charon/bus/bus.c73
-rw-r--r--src/charon/bus/bus.h11
-rw-r--r--src/charon/config/backend_manager.c229
-rw-r--r--src/charon/config/backend_manager.h124
-rw-r--r--src/charon/config/backends/backend.h96
-rw-r--r--src/charon/config/backends/local_backend.c274
-rw-r--r--src/charon/config/backends/local_backend.h60
-rw-r--r--src/charon/config/backends/writeable_backend.h64
-rw-r--r--src/charon/config/child_cfg.c449
-rw-r--r--src/charon/config/child_cfg.h251
-rwxr-xr-xsrc/charon/config/configuration.c162
-rwxr-xr-xsrc/charon/config/configuration.h102
-rw-r--r--src/charon/config/connections/connection.c404
-rw-r--r--src/charon/config/connections/connection.h292
-rwxr-xr-xsrc/charon/config/connections/connection_store.h118
-rw-r--r--src/charon/config/connections/local_connection_store.c237
-rw-r--r--src/charon/config/connections/local_connection_store.h62
-rw-r--r--src/charon/config/credentials/local_credential_store.c360
-rw-r--r--src/charon/config/credentials/local_credential_store.h3
-rw-r--r--src/charon/config/ike_cfg.c228
-rw-r--r--src/charon/config/ike_cfg.h151
-rw-r--r--src/charon/config/peer_cfg.c479
-rw-r--r--src/charon/config/peer_cfg.h368
-rw-r--r--src/charon/config/policies/local_policy_store.c282
-rw-r--r--src/charon/config/policies/local_policy_store.h60
-rw-r--r--src/charon/config/policies/policy.c635
-rw-r--r--src/charon/config/policies/policy.h413
-rwxr-xr-xsrc/charon/config/policies/policy_store.h119
-rw-r--r--src/charon/config/proposal.c103
-rw-r--r--src/charon/config/proposal.h12
-rw-r--r--src/charon/config/traffic_selector.c20
-rw-r--r--src/charon/control/interface_manager.c705
-rw-r--r--src/charon/control/interface_manager.h192
-rw-r--r--src/charon/control/interfaces/dbus_interface.c479
-rw-r--r--src/charon/control/interfaces/dbus_interface.h57
-rw-r--r--src/charon/control/interfaces/interface.h59
-rwxr-xr-xsrc/charon/control/interfaces/stroke_interface.c1728
-rw-r--r--src/charon/control/interfaces/stroke_interface.h (renamed from src/charon/threads/stroke_interface.h)31
-rw-r--r--src/charon/control/interfaces/xml_interface.c63
-rw-r--r--src/charon/control/interfaces/xml_interface.h57
-rw-r--r--src/charon/daemon.c107
-rw-r--r--src/charon/daemon.h156
-rw-r--r--src/charon/encoding/message.c81
-rw-r--r--src/charon/kernel/kernel_interface.c (renamed from src/charon/threads/kernel_interface.c)22
-rw-r--r--src/charon/kernel/kernel_interface.h (renamed from src/charon/threads/kernel_interface.h)8
-rw-r--r--src/charon/network/receiver.c (renamed from src/charon/threads/receiver.c)15
-rw-r--r--src/charon/network/receiver.h (renamed from src/charon/threads/receiver.h)4
-rw-r--r--src/charon/network/sender.c (renamed from src/charon/threads/sender.c)10
-rw-r--r--src/charon/network/sender.h (renamed from src/charon/threads/sender.h)4
-rw-r--r--src/charon/network/socket.c44
-rw-r--r--src/charon/processing/event_queue.c (renamed from src/charon/queues/event_queue.c)0
-rw-r--r--src/charon/processing/event_queue.h (renamed from src/charon/queues/event_queue.h)6
-rw-r--r--src/charon/processing/job_queue.c (renamed from src/charon/queues/job_queue.c)0
-rw-r--r--src/charon/processing/job_queue.h (renamed from src/charon/queues/job_queue.h)6
-rw-r--r--src/charon/processing/jobs/acquire_job.c (renamed from src/charon/queues/jobs/acquire_job.c)0
-rw-r--r--src/charon/processing/jobs/acquire_job.h (renamed from src/charon/queues/jobs/acquire_job.h)2
-rw-r--r--src/charon/processing/jobs/delete_child_sa_job.c (renamed from src/charon/queues/jobs/delete_child_sa_job.c)0
-rw-r--r--src/charon/processing/jobs/delete_child_sa_job.h (renamed from src/charon/queues/jobs/delete_child_sa_job.h)2
-rw-r--r--src/charon/processing/jobs/delete_ike_sa_job.c (renamed from src/charon/queues/jobs/delete_ike_sa_job.c)0
-rw-r--r--src/charon/processing/jobs/delete_ike_sa_job.h (renamed from src/charon/queues/jobs/delete_ike_sa_job.h)2
-rw-r--r--src/charon/processing/jobs/job.c (renamed from src/charon/queues/jobs/job.c)0
-rw-r--r--src/charon/processing/jobs/job.h (renamed from src/charon/queues/jobs/job.h)0
-rw-r--r--src/charon/processing/jobs/process_message_job.c (renamed from src/charon/queues/jobs/process_message_job.c)0
-rw-r--r--src/charon/processing/jobs/process_message_job.h (renamed from src/charon/queues/jobs/process_message_job.h)2
-rw-r--r--src/charon/processing/jobs/rekey_child_sa_job.c (renamed from src/charon/queues/jobs/rekey_child_sa_job.c)0
-rw-r--r--src/charon/processing/jobs/rekey_child_sa_job.h (renamed from src/charon/queues/jobs/rekey_child_sa_job.h)2
-rw-r--r--src/charon/processing/jobs/rekey_ike_sa_job.c (renamed from src/charon/queues/jobs/rekey_ike_sa_job.c)2
-rw-r--r--src/charon/processing/jobs/rekey_ike_sa_job.h (renamed from src/charon/queues/jobs/rekey_ike_sa_job.h)2
-rw-r--r--src/charon/processing/jobs/retransmit_job.c (renamed from src/charon/queues/jobs/retransmit_job.c)0
-rw-r--r--src/charon/processing/jobs/retransmit_job.h (renamed from src/charon/queues/jobs/retransmit_job.h)2
-rw-r--r--src/charon/processing/jobs/send_dpd_job.c (renamed from src/charon/queues/jobs/send_dpd_job.c)0
-rw-r--r--src/charon/processing/jobs/send_dpd_job.h (renamed from src/charon/queues/jobs/send_dpd_job.h)3
-rw-r--r--src/charon/processing/jobs/send_keepalive_job.c (renamed from src/charon/queues/jobs/send_keepalive_job.c)0
-rw-r--r--src/charon/processing/jobs/send_keepalive_job.h (renamed from src/charon/queues/jobs/send_keepalive_job.h)3
-rw-r--r--src/charon/processing/scheduler.c (renamed from src/charon/threads/scheduler.c)4
-rw-r--r--src/charon/processing/scheduler.h (renamed from src/charon/threads/scheduler.h)4
-rw-r--r--src/charon/processing/thread_pool.c (renamed from src/charon/threads/thread_pool.c)6
-rw-r--r--src/charon/processing/thread_pool.h (renamed from src/charon/threads/thread_pool.h)4
-rw-r--r--src/charon/queues/jobs/initiate_job.c112
-rw-r--r--src/charon/queues/jobs/initiate_job.h61
-rw-r--r--src/charon/queues/jobs/route_job.c125
-rw-r--r--src/charon/queues/jobs/route_job.h59
-rw-r--r--src/charon/sa/authenticators/eap/eap_method.c35
-rw-r--r--src/charon/sa/authenticators/eap/eap_sim.c104
-rw-r--r--src/charon/sa/authenticators/eap_authenticator.c58
-rw-r--r--src/charon/sa/authenticators/psk_authenticator.c10
-rw-r--r--src/charon/sa/authenticators/rsa_authenticator.c37
-rw-r--r--src/charon/sa/child_sa.c231
-rw-r--r--src/charon/sa/child_sa.h44
-rw-r--r--src/charon/sa/ike_sa.c713
-rw-r--r--src/charon/sa/ike_sa.h124
-rw-r--r--src/charon/sa/ike_sa_id.c28
-rw-r--r--src/charon/sa/ike_sa_manager.c24
-rw-r--r--src/charon/sa/task_manager.c22
-rw-r--r--src/charon/sa/task_manager.h40
-rw-r--r--src/charon/sa/tasks/child_create.c259
-rw-r--r--src/charon/sa/tasks/child_create.h6
-rw-r--r--src/charon/sa/tasks/child_delete.c22
-rw-r--r--src/charon/sa/tasks/child_rekey.c19
-rw-r--r--src/charon/sa/tasks/ike_auth.c66
-rw-r--r--src/charon/sa/tasks/ike_cert.c50
-rw-r--r--src/charon/sa/tasks/ike_config.c45
-rw-r--r--src/charon/sa/tasks/ike_config.h5
-rw-r--r--src/charon/sa/tasks/ike_delete.c3
-rw-r--r--src/charon/sa/tasks/ike_init.c137
-rw-r--r--src/charon/sa/tasks/ike_rekey.c77
-rwxr-xr-xsrc/charon/threads/stroke_interface.c1456
-rw-r--r--src/include/Makefile.am2
-rw-r--r--src/include/Makefile.in358
-rw-r--r--src/include/linux/ipsec.h46
-rw-r--r--src/include/linux/netlink.h241
-rw-r--r--src/include/linux/pfkeyv2.h348
-rw-r--r--src/include/linux/rtnetlink.h1072
-rw-r--r--src/include/linux/udp.h63
-rw-r--r--src/include/linux/xfrm.h343
-rw-r--r--src/ipsec/Makefile.in15
-rwxr-xr-xsrc/ipsec/ipsec.in12
-rw-r--r--src/libcrypto/Makefile.am4
-rw-r--r--src/libcrypto/Makefile.in55
-rw-r--r--src/libcrypto/libdes/des_opts.c620
-rw-r--r--src/libcrypto/libdes/speed.c329
-rw-r--r--src/libfreeswan/Makefile.in15
-rw-r--r--src/libfreeswan/ipsec_ah.h124
-rw-r--r--src/libfreeswan/ipsec_encap.h88
-rw-r--r--src/libfreeswan/ipsec_eroute.h21
-rw-r--r--src/libfreeswan/ipsec_errs.h21
-rw-r--r--src/libfreeswan/ipsec_esp.h140
-rw-r--r--src/libfreeswan/ipsec_ipe4.h41
-rw-r--r--src/libfreeswan/ipsec_kversion.h36
-rw-r--r--src/libfreeswan/ipsec_life.h22
-rw-r--r--src/libfreeswan/ipsec_md5h.h57
-rw-r--r--src/libfreeswan/ipsec_rcv.h124
-rw-r--r--src/libfreeswan/ipsec_sa.h86
-rw-r--r--src/libfreeswan/ipsec_sha1.h47
-rw-r--r--src/libfreeswan/ipsec_tunnel.h139
-rw-r--r--src/libfreeswan/ipsec_xform.h190
-rw-r--r--src/libfreeswan/pfkey.h172
-rw-r--r--src/libfreeswan/pfkey_v2_debug.c49
-rw-r--r--src/libfreeswan/pfkey_v2_ext_bits.c65
-rw-r--r--src/libfreeswan/pfkey_v2_parse.c225
-rw-r--r--src/libfreeswan/radij.h79
-rw-r--r--src/libstrongswan/Makefile.am1
-rw-r--r--src/libstrongswan/Makefile.in26
-rw-r--r--src/libstrongswan/asn1/asn1.c40
-rw-r--r--src/libstrongswan/asn1/asn1.h2
-rw-r--r--src/libstrongswan/asn1/oid.c283
-rw-r--r--src/libstrongswan/asn1/oid.h112
-rw-r--r--src/libstrongswan/asn1/oid.txt7
-rw-r--r--src/libstrongswan/chunk.c1
-rwxr-xr-xsrc/libstrongswan/credential_store.h47
-rw-r--r--src/libstrongswan/crypto/ac.c665
-rw-r--r--src/libstrongswan/crypto/ac.h81
-rw-r--r--src/libstrongswan/crypto/ca.c179
-rw-r--r--src/libstrongswan/crypto/ca.h38
-rw-r--r--src/libstrongswan/crypto/certinfo.c48
-rwxr-xr-xsrc/libstrongswan/crypto/crl.c80
-rwxr-xr-xsrc/libstrongswan/crypto/crl.h9
-rw-r--r--src/libstrongswan/crypto/ocsp.c2
-rwxr-xr-xsrc/libstrongswan/crypto/x509.c261
-rwxr-xr-xsrc/libstrongswan/crypto/x509.h76
-rw-r--r--src/libstrongswan/library.h9
-rw-r--r--src/libstrongswan/printf_hook.h16
-rw-r--r--src/libstrongswan/utils/fetcher.c3
-rw-r--r--src/libstrongswan/utils/host.c2
-rw-r--r--src/libstrongswan/utils/identification.c16
-rw-r--r--src/openac/Makefile.in15
-rw-r--r--src/openac/build.c261
-rwxr-xr-xsrc/openac/openac.c628
-rw-r--r--src/pluto/Makefile.am3
-rw-r--r--src/pluto/Makefile.in18
-rw-r--r--src/pluto/crl.c14
-rw-r--r--src/pluto/crl.h1
-rw-r--r--src/pluto/fetch.c3
-rw-r--r--src/pluto/kernel_netlink.c4
-rw-r--r--src/pluto/keys.c2
-rw-r--r--src/pluto/linux26/netlink.h90
-rw-r--r--src/pluto/linux26/rtnetlink.h562
-rw-r--r--src/pluto/linux26/xfrm.h233
-rw-r--r--src/pluto/modecfg.c3
-rw-r--r--src/pluto/oid.c283
-rw-r--r--src/pluto/oid.h115
-rw-r--r--src/pluto/oid.txt1
-rw-r--r--src/pluto/plutomain.c29
-rw-r--r--src/pluto/vendor.c4
-rw-r--r--src/pluto/vendor.h2
-rw-r--r--src/pluto/xauth.c2
-rw-r--r--src/pluto/xauth.h2
-rw-r--r--src/scepclient/Makefile.in15
-rw-r--r--src/starter/Makefile.in15
-rw-r--r--src/starter/args.c8
-rw-r--r--src/starter/confread.h40
-rw-r--r--src/starter/invokecharon.c17
-rw-r--r--src/starter/invokepluto.c5
-rw-r--r--src/starter/ipsec.conf.518
-rw-r--r--src/starter/starterstroke.c3
-rw-r--r--src/starter/y.tab.c2
-rw-r--r--src/starter/y.tab.h2
-rw-r--r--src/stroke/Makefile.in15
-rw-r--r--src/stroke/stroke.c5
-rw-r--r--src/stroke/stroke.h23
-rw-r--r--src/stroke/stroke_keywords.c108
-rw-r--r--src/stroke/stroke_keywords.h5
-rw-r--r--src/stroke/stroke_keywords.txt5
-rw-r--r--src/whack/Makefile.in15
-rw-r--r--testing/INSTALL6
-rwxr-xr-xtesting/do-tests141
-rw-r--r--testing/hosts/winnetou/etc/openssl/crlnumber1
-rw-r--r--testing/hosts/winnetou/etc/openssl/crlnumber.old1
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/generate-crl6
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt3
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/newcerts/14.pem24
-rw-r--r--testing/hosts/winnetou/etc/openssl/openssl.cnf1
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/crlnumber1
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/crlnumber.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/index.txt1
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/index.txt.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/newcerts/04.pem24
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/openssl.cnf1
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/crlnumber1
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/crlnumber.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/index.txt1
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/index.txt.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/newcerts/04.pem25
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/openssl.cnf1
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/winnetouCert.pem24
-rw-r--r--testing/hosts/winnetou/etc/openssl/winnetouKey.pem27
-rwxr-xr-xtesting/scripts/function.sh4
-rwxr-xr-xtesting/scripts/kstart-umls4
-rwxr-xr-xtesting/scripts/start-switches4
-rwxr-xr-xtesting/stop-testing4
-rwxr-xr-xtesting/testing.conf6
-rw-r--r--testing/tests/ikev2/crl-ldap/description.txt2
-rwxr-xr-xtesting/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/esp-alg-aesxcbc/description.txt4
-rw-r--r--testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf26
-rwxr-xr-xtesting/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat4
-rw-r--r--testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat6
-rw-r--r--testing/tests/ikev2/esp-alg-aesxcbc/test.conf21
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/description.txt11
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat11
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf32
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem25
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem27
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf32
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem24
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem27
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables76
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf45
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem23
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem22
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/posttest.dat7
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/pretest.dat10
-rw-r--r--testing/tests/ikev2/multi-level-ca-ldap/test.conf21
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/description.txt6
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem25
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem27
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem24
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem24
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/posttest.dat4
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/pretest.dat6
-rw-r--r--testing/tests/ikev2/multi-level-ca-loop/test.conf21
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/description.txt4
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat7
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem25
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem27
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem23
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/posttest.dat3
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/pretest.dat4
-rw-r--r--testing/tests/ikev2/multi-level-ca-revoked/test.conf21
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/description.txt7
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf27
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem25
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem27
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf27
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem24
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem27
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf34
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem23
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem22
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/posttest.dat5
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/pretest.dat9
-rw-r--r--testing/tests/ikev2/multi-level-ca-strict/test.conf21
-rw-r--r--testing/tests/ikev2/multi-level-ca/description.txt7
-rw-r--r--testing/tests/ikev2/multi-level-ca/evaltest.dat12
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem25
-rw-r--r--testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem27
-rw-r--r--testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem24
-rw-r--r--testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem27
-rwxr-xr-xtesting/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf36
-rw-r--r--testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem23
-rw-r--r--testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem22
-rw-r--r--testing/tests/ikev2/multi-level-ca/posttest.dat5
-rw-r--r--testing/tests/ikev2/multi-level-ca/pretest.dat9
-rw-r--r--testing/tests/ikev2/multi-level-ca/test.conf21
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf2
-rwxr-xr-xtesting/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf2
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/description.txt5
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf27
-rwxr-xr-xtesting/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf26
-rwxr-xr-xtesting/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi11
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat2
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/test.conf21
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/description.txt18
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat7
-rwxr-xr-xtesting/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf26
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem24
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem27
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf26
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem25
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem27
-rwxr-xr-xtesting/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf29
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem23
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem22
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat5
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat7
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/test.conf21
-rw-r--r--testing/tests/ikev2/two-certs/description.txt6
-rw-r--r--testing/tests/ikev2/two-certs/evaltest.dat14
-rwxr-xr-xtesting/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf33
-rw-r--r--testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem25
-rw-r--r--testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.derbin0 -> 827 bytes
-rw-r--r--testing/tests/ikev2/two-certs/posttest.dat7
-rw-r--r--testing/tests/ikev2/two-certs/pretest.dat9
-rw-r--r--testing/tests/ikev2/two-certs/test.conf21
-rw-r--r--testing/tests/ikev2/virtual-ip-override/description.txt7
-rw-r--r--testing/tests/ikev2/virtual-ip-override/evaltest.dat13
-rwxr-xr-xtesting/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf31
-rw-r--r--testing/tests/ikev2/virtual-ip-override/posttest.dat6
-rw-r--r--testing/tests/ikev2/virtual-ip-override/pretest.dat9
-rw-r--r--testing/tests/ikev2/virtual-ip-override/test.conf21
-rw-r--r--testing/tests/ikev2/virtual-ip/description.txt14
-rw-r--r--testing/tests/ikev2/virtual-ip/evaltest.dat27
-rwxr-xr-xtesting/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/virtual-ip/posttest.dat6
-rw-r--r--testing/tests/ikev2/virtual-ip/pretest.dat9
-rw-r--r--testing/tests/ikev2/virtual-ip/test.conf21
-rw-r--r--testing/tests/ipv6/host2host-ikev2/evaltest.dat4
382 files changed, 17601 insertions, 12053 deletions
diff --git a/Makefile.in b/Makefile.in
index 436b675c8..3b2ba98c1 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -114,6 +114,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -126,6 +127,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -136,8 +138,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -159,6 +165,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -168,6 +175,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -181,9 +190,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -198,6 +211,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
SUBDIRS = src
EXTRA_DIST = Doxyfile.in testing CREDITS
CLEANFILES = apidoc Doxyfile
diff --git a/NEWS b/NEWS
index ab92d22e5..9c64e6001 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,58 @@
+strongswan-4.1.3
+----------------
+
+- IKEv2 peer configuration selection now can be based on a given
+ certification authority using the rightca= statement.
+
+- IKEv2 authentication based on RSA signatures now can handle multiple
+ certificates issued for a given peer ID. This allows a smooth transition
+ in the case of a peer certificate renewal.
+
+- IKEv2: Support for requesting a specific virtual IP using leftsourceip on the
+ client and returning requested virtual IPs using rightsourceip=%config
+ on the server. If the server does not support configuration payloads, the
+ client enforces its leftsourceip parameter.
+
+- The ./configure options --with-uid/--with-gid allow pluto and charon
+ to drop their privileges to a minimum and change to an other UID/GID. This
+ improves the systems security, as a possible intruder may only get the
+ CAP_NET_ADMIN capability.
+
+- Further modularization of charon: Pluggable control interface and
+ configuration backend modules provide extensibility. The control interface
+ for stroke is included, and further interfaces using DBUS (NetworkManager)
+ or XML are on the way. A backend for storing configurations in the daemon
+ is provided and more advanced backends (using e.g. a database) are trivial
+ to implement.
+
+ - Fixed a compilation failure in libfreeswan occuring with Linux kernel
+ headers > 2.6.17.
+
+
+strongswan-4.1.2
+----------------
+
+- Support for an additional Diffie-Hellman exchange when creating/rekeying
+ a CHILD_SA in IKEv2 (PFS). PFS is enabled when the proposal contains a
+ DH group (e.g. "esp=aes128-sha1-modp1536"). Further, DH group negotiation
+ is implemented properly for rekeying.
+
+- Support for the AES-XCBC-96 MAC algorithm for IPsec SAs when using IKEv2
+ (requires linux >= 2.6.20). It is enabled using e.g. "esp=aes256-aesxcbc".
+
+- Working IPv4-in-IPv6 and IPv6-in-IPv4 tunnels for linux >= 2.6.21.
+
+- Added support for EAP modules which do not establish an MSK.
+
+- Removed the dependencies from the /usr/include/linux/ headers by
+ including xfrm.h, ipsec.h, and pfkeyv2.h in the distribution.
+
+- crlNumber is now listed by ipsec listcrls
+
+- The xauth_modules.verify_secret() function now passes the
+ connection name.
+
+
strongswan-4.1.1
----------------
@@ -72,6 +127,7 @@ strongswan-4.1.0
strict payload order, correct INVALID_KE_PAYLOAD rejection and other minor
fixes to enhance interoperability with other implementations.
+
strongswan-4.0.7
----------------
diff --git a/TODO b/TODO
index 91363e38b..03b4827e6 100644
--- a/TODO
+++ b/TODO
@@ -5,21 +5,17 @@
These notes mostly belong to charon, the new IKEv2 daemon. The plan is to
migrate IKEv1 into charon. It's hard to say how much effort is needed to
do that, and how much code we can reuse from pluto. But a port IS necessary to
-gain hassle-free confiugration, version negotiation and maintainability.
+gain hassle-free configuration, version negotiation and maintainability.
Roadmap 2007
============
- Mar ! - Cookie support, IP filter, other fixes to mature against DoS
- ! - release IKEv2 p2p NATT draft 00
- !
- Apr ! - PRF in CHILD_SA rekeying
- ! - configuration managament refactoring
- ! - credentials backend redesign
+ Apr ! - credentials backend redesign
! - interface in charon for the XML based SMP management interface
- ! - reimplement IKEv2 p2p NATT support
!
May ! - SMP configuration client
+ ! - release IKEv2 p2p NATT draft 00
+ ! - reimplement IKEv2 p2p NATT support
!
Jun ! - start with IKEv1 migration strategy
!
@@ -42,11 +38,6 @@ TODO-List
A set of TODOs. This is only a list of things I write down to not forget them.
Watch out for TODOs in the code.
-
-Build system
-------------
-- configure flag which allows to ommit vendor id in pluto
-- reduce printf handlers count to 10, as uClibc does not support more
Certificate support
-------------------
@@ -64,6 +55,5 @@ Stroke interface
Misc
----
-- PFS support for creating/rekeying CHILD_SAs
- Address pool/backend for virtual IP assignement
- fix iterator->insert_before/after
diff --git a/aclocal.m4 b/aclocal.m4
index 8fcf50ac3..de1bcc519 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -6468,6 +6468,163 @@ SED=$lt_cv_path_SED
AC_MSG_RESULT([$SED])
])
+# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*-
+#
+# Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# PKG_PROG_PKG_CONFIG([MIN-VERSION])
+# ----------------------------------
+AC_DEFUN([PKG_PROG_PKG_CONFIG],
+[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
+m4_pattern_allow([^PKG_CONFIG(_PATH)?$])
+AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+ AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
+fi
+if test -n "$PKG_CONFIG"; then
+ _pkg_min_version=m4_default([$1], [0.9.0])
+ AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
+ if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ PKG_CONFIG=""
+ fi
+
+fi[]dnl
+])# PKG_PROG_PKG_CONFIG
+
+# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+#
+# Check to see whether a particular set of modules exists. Similar
+# to PKG_CHECK_MODULES(), but does not set variables or print errors.
+#
+#
+# Similar to PKG_CHECK_MODULES, make sure that the first instance of
+# this or PKG_CHECK_MODULES is called, or make sure to call
+# PKG_CHECK_EXISTS manually
+# --------------------------------------------------------------
+AC_DEFUN([PKG_CHECK_EXISTS],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+if test -n "$PKG_CONFIG" && \
+ AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
+ m4_ifval([$2], [$2], [:])
+m4_ifvaln([$3], [else
+ $3])dnl
+fi])
+
+
+# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
+# ---------------------------------------------
+m4_define([_PKG_CONFIG],
+[if test -n "$PKG_CONFIG"; then
+ if test -n "$$1"; then
+ pkg_cv_[]$1="$$1"
+ else
+ PKG_CHECK_EXISTS([$3],
+ [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`],
+ [pkg_failed=yes])
+ fi
+else
+ pkg_failed=untried
+fi[]dnl
+])# _PKG_CONFIG
+
+# _PKG_SHORT_ERRORS_SUPPORTED
+# -----------------------------
+AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi[]dnl
+])# _PKG_SHORT_ERRORS_SUPPORTED
+
+
+# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
+# [ACTION-IF-NOT-FOUND])
+#
+#
+# Note that if there is a possibility the first call to
+# PKG_CHECK_MODULES might not happen, you should be sure to include an
+# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
+#
+#
+# --------------------------------------------------------------
+AC_DEFUN([PKG_CHECK_MODULES],
+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
+AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
+
+pkg_failed=no
+AC_MSG_CHECKING([for $1])
+
+_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
+_PKG_CONFIG([$1][_LIBS], [libs], [$2])
+
+m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
+and $1[]_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.])
+
+if test $pkg_failed = yes; then
+ _PKG_SHORT_ERRORS_SUPPORTED
+ if test $_pkg_short_errors_supported = yes; then
+ $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"`
+ else
+ $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
+
+ ifelse([$4], , [AC_MSG_ERROR(dnl
+[Package requirements ($2) were not met:
+
+$$1_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+_PKG_TEXT
+])],
+ [$4])
+elif test $pkg_failed = untried; then
+ ifelse([$4], , [AC_MSG_FAILURE(dnl
+[The pkg-config script could not be found or is too old. Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+_PKG_TEXT
+
+To get pkg-config, see <http://www.freedesktop.org/software/pkgconfig>.])],
+ [$4])
+else
+ $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
+ $1[]_LIBS=$pkg_cv_[]$1[]_LIBS
+ AC_MSG_RESULT([yes])
+ ifelse([$3], , :, [$3])
+fi[]dnl
+])# PKG_CHECK_MODULES
+
# Copyright (C) 2002, 2003, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
diff --git a/configure b/configure
index 96e6d5f72..867338ff0 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for strongSwan 4.1.1.
+# Generated by GNU Autoconf 2.61 for strongSwan 4.1.3.
#
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
@@ -726,8 +726,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='strongSwan'
PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='4.1.1'
-PACKAGE_STRING='strongSwan 4.1.1'
+PACKAGE_VERSION='4.1.3'
+PACKAGE_STRING='strongSwan 4.1.3'
PACKAGE_BUGREPORT=''
# Factoring default headers for most tests.
@@ -847,10 +847,20 @@ confdir
ipsecdir
piddir
eapdir
+backenddir
+interfacedir
+linuxdir
+LINUX_HEADERS
+ipsecuid
+ipsecgid
USE_LIBCURL_TRUE
USE_LIBCURL_FALSE
USE_LIBLDAP_TRUE
USE_LIBLDAP_FALSE
+USE_LIBDBUS_TRUE
+USE_LIBDBUS_FALSE
+USE_LIBXML_TRUE
+USE_LIBXML_FALSE
USE_SMARTCARD_TRUE
USE_SMARTCARD_FALSE
USE_CISCO_QUIRKS_TRUE
@@ -893,6 +903,11 @@ YACC
YFLAGS
GPERF
PERL
+PKG_CONFIG
+dbus_CFLAGS
+dbus_LIBS
+xml_CFLAGS
+xml_LIBS
LIBOBJS
LTLIBOBJS'
ac_subst_files=''
@@ -912,7 +927,12 @@ CXXCPP
F77
FFLAGS
YACC
-YFLAGS'
+YFLAGS
+PKG_CONFIG
+dbus_CFLAGS
+dbus_LIBS
+xml_CFLAGS
+xml_LIBS'
# Initialize some variables set by options.
@@ -1415,7 +1435,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures strongSwan 4.1.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 4.1.3 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1485,7 +1505,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of strongSwan 4.1.1:";;
+ short | recursive ) echo "Configuration of strongSwan 4.1.3:";;
esac
cat <<\_ACEOF
@@ -1498,6 +1518,10 @@ Optional Features:
over HTTP (default is NO). Requires libcurl.
--enable-ldap enable fetching of CRLs from LDAP (default is NO).
Requires openLDAP.
+ --enable-dbus enable DBUS configuration and control interface
+ (default is NO). Requires libdbus.
+ --enable-xml enable XML configuration and control interface
+ (default is NO). Requires libxml.
--enable-smartcard enable smartcard support (default is NO).
--enable-cisco-quirks enable support of Cisco VPN client (default is NO).
--enable-leak-detective enable malloc hooks to find memory leaks (default is
@@ -1534,10 +1558,21 @@ Optional Packages:
--with-piddir=dir path for PID and UNIX socket files other than
"/var/run"
--with-eapdir=dir path for pluggable EAP modules other than
- "ipsecdir/eap"
+ "ipsecdir/plugins/eap"
+ --with-backenddir=dir path for pluggable configuration backend modules
+ other than "ipsecdir/plugins/backends"
+ --with-interfacedir=dir path for pluggable control interface modules other
+ than "ipsecdir/plugins/interfaces"
--with-sim-reader=library.so
library containing the sim_run_alg() function for
EAP-SIM
+ --with-linux-headers=dir
+ use the linux header files in dir instead of the
+ supplied ones in "src/include"
+ --with-uid=uid change user of the daemons to UID after startup
+ (default is 0).
+ --with-gid=gid change group of the daemons to GID after startup
+ (default is 0).
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-pic try to use only PIC/non-PIC objects [default=use
both]
@@ -1562,6 +1597,11 @@ Some influential environment variables:
YFLAGS The list of arguments that will be passed by default to $YACC.
This script will default YFLAGS to the empty string to avoid a
default value of `-d' given by some make applications.
+ PKG_CONFIG path to pkg-config utility
+ dbus_CFLAGS C compiler flags for dbus, overriding pkg-config
+ dbus_LIBS linker flags for dbus, overriding pkg-config
+ xml_CFLAGS C compiler flags for xml, overriding pkg-config
+ xml_LIBS linker flags for xml, overriding pkg-config
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
@@ -1626,7 +1666,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-strongSwan configure 4.1.1
+strongSwan configure 4.1.3
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1640,7 +1680,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by strongSwan $as_me 4.1.1, which was
+It was created by strongSwan $as_me 4.1.3, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
@@ -2310,7 +2350,7 @@ fi
# Define the identity of the package.
PACKAGE='strongswan'
- VERSION='4.1.1'
+ VERSION='4.1.3'
cat >>confdefs.h <<_ACEOF
@@ -4611,7 +4651,31 @@ if test "${with_eapdir+set}" = set; then
withval=$with_eapdir; eapdir="$withval"
else
- eapdir="${ipsecdir}/eap"
+ eapdir="${ipsecdir}/plugins/eap"
+
+
+fi
+
+
+
+# Check whether --with-backenddir was given.
+if test "${with_backenddir+set}" = set; then
+ withval=$with_backenddir; backenddir="$withval"
+
+else
+ backenddir="${ipsecdir}/plugins/backends"
+
+
+fi
+
+
+
+# Check whether --with-interfacedir was given.
+if test "${with_interfacedir+set}" = set; then
+ withval=$with_interfacedir; interfacedir="$withval"
+
+else
+ interfacedir="${ipsecdir}/plugins/interfaces"
fi
@@ -4628,6 +4692,55 @@ _ACEOF
fi
+
+# Check whether --with-linux-headers was given.
+if test "${with_linux_headers+set}" = set; then
+ withval=$with_linux_headers; linuxdir="$withval"
+
+else
+ linuxdir="../include"
+
+
+fi
+
+
+
+
+# Check whether --with-uid was given.
+if test "${with_uid+set}" = set; then
+ withval=$with_uid; cat >>confdefs.h <<_ACEOF
+#define IPSEC_UID $withval
+_ACEOF
+ ipsecuid="$withval"
+
+else
+ cat >>confdefs.h <<_ACEOF
+#define IPSEC_UID 0
+_ACEOF
+ ipsecuid="0"
+
+
+fi
+
+
+
+# Check whether --with-gid was given.
+if test "${with_gid+set}" = set; then
+ withval=$with_gid; cat >>confdefs.h <<_ACEOF
+#define IPSEC_GID $withval
+_ACEOF
+ ipsecgid="$withval"
+
+else
+ cat >>confdefs.h <<_ACEOF
+#define IPSEC_GID 0
+_ACEOF
+ ipsecgid="0"
+
+
+fi
+
+
# Check whether --enable-http was given.
if test "${enable_http+set}" = set; then
enableval=$enable_http; if test x$enableval = xyes; then
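Review bot: The `--with-uid`/`--with-gid` values are pasted verbatim into confdefs.h as `#define IPSEC_UID $withval` with no check that they are numeric, so `--with-uid=ipsec` produces `#define IPSEC_UID ipsec` and a compile error far from its cause, and a value with shell metacharacters lands unquoted in the heredoc. Since this script is generated, the guard belongs in configure.in next to the AC_ARG_WITH: `case "$withval" in ''|*[!0-9]*) AC_MSG_ERROR([--with-uid requires a numeric uid]);; esac` (and the same for the gid). The help text at the top of this hunk set documents a default of 0, which as far as the visible text shows means the daemons keep their startup uid unless a packager opts in; stating that explicitly in the help string (`0 means no privilege drop`) would make the security trade-off visible at configure time.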
@@ -4674,6 +4787,52 @@ else
fi
+# Check whether --enable-dbus was given.
+if test "${enable_dbus+set}" = set; then
+ enableval=$enable_dbus; if test x$enableval = xyes; then
+ dbus=true
+ cat >>confdefs.h <<\_ACEOF
+#define LIBDBUS 1
+_ACEOF
+
+ fi
+
+fi
+
+
+
+if test x$dbus = xtrue; then
+ USE_LIBDBUS_TRUE=
+ USE_LIBDBUS_FALSE='#'
+else
+ USE_LIBDBUS_TRUE='#'
+ USE_LIBDBUS_FALSE=
+fi
+
+
+# Check whether --enable-xml was given.
+if test "${enable_xml+set}" = set; then
+ enableval=$enable_xml; if test x$enableval = xyes; then
+ xml=true
+ cat >>confdefs.h <<\_ACEOF
+#define LIBXML 1
+_ACEOF
+
+ fi
+
+fi
+
+
+
+if test x$xml = xtrue; then
+ USE_LIBXML_TRUE=
+ USE_LIBXML_FALSE='#'
+else
+ USE_LIBXML_TRUE='#'
+ USE_LIBXML_FALSE=
+fi
+
+
# Check whether --enable-smartcard was given.
if test "${enable_smartcard+set}" = set; then
enableval=$enable_smartcard; if test x$enableval = xyes; then
@@ -5510,7 +5669,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 5513 "configure"' > conftest.$ac_ext
+ echo '#line 5672 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -7824,11 +7983,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:7827: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:7986: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:7831: \$? = $ac_status" >&5
+ echo "$as_me:7990: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -8092,11 +8251,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:8095: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:8254: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:8099: \$? = $ac_status" >&5
+ echo "$as_me:8258: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -8196,11 +8355,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:8199: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:8358: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:8203: \$? = $ac_status" >&5
+ echo "$as_me:8362: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -10541,7 +10700,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 10544 "configure"
+#line 10703 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -10641,7 +10800,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 10644 "configure"
+#line 10803 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -12977,11 +13136,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:12980: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:13139: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:12984: \$? = $ac_status" >&5
+ echo "$as_me:13143: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -13081,11 +13240,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:13084: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:13243: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:13088: \$? = $ac_status" >&5
+ echo "$as_me:13247: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -14688,11 +14847,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:14691: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:14850: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:14695: \$? = $ac_status" >&5
+ echo "$as_me:14854: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -14792,11 +14951,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:14795: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:14954: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:14799: \$? = $ac_status" >&5
+ echo "$as_me:14958: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -17027,11 +17186,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:17030: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:17189: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:17034: \$? = $ac_status" >&5
+ echo "$as_me:17193: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -17295,11 +17454,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:17298: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:17457: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:17302: \$? = $ac_status" >&5
+ echo "$as_me:17461: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -17399,11 +17558,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:17402: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:17561: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:17406: \$? = $ac_status" >&5
+ echo "$as_me:17565: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -21664,6 +21823,281 @@ ac_cv_lib_curl=ac_cv_lib_curl_main
fi
+if test "$dbus" = "true"; then
+
+
+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_PKG_CONFIG+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $PKG_CONFIG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+PKG_CONFIG=$ac_cv_path_PKG_CONFIG
+if test -n "$PKG_CONFIG"; then
+ { echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5
+echo "${ECHO_T}$PKG_CONFIG" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_path_PKG_CONFIG"; then
+ ac_pt_PKG_CONFIG=$PKG_CONFIG
+ # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_ac_pt_PKG_CONFIG+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $ac_pt_PKG_CONFIG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
+if test -n "$ac_pt_PKG_CONFIG"; then
+ { echo "$as_me:$LINENO: result: $ac_pt_PKG_CONFIG" >&5
+echo "${ECHO_T}$ac_pt_PKG_CONFIG" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ if test "x$ac_pt_PKG_CONFIG" = x; then
+ PKG_CONFIG=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ PKG_CONFIG=$ac_pt_PKG_CONFIG
+ fi
+else
+ PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
+fi
+
+fi
+if test -n "$PKG_CONFIG"; then
+ _pkg_min_version=0.9.0
+ { echo "$as_me:$LINENO: checking pkg-config is at least version $_pkg_min_version" >&5
+echo $ECHO_N "checking pkg-config is at least version $_pkg_min_version... $ECHO_C" >&6; }
+ if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
+ { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+ else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+ PKG_CONFIG=""
+ fi
+
+fi
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for dbus" >&5
+echo $ECHO_N "checking for dbus... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+ if test -n "$dbus_CFLAGS"; then
+ pkg_cv_dbus_CFLAGS="$dbus_CFLAGS"
+ else
+ if test -n "$PKG_CONFIG" && \
+ { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"dbus-1\"") >&5
+ ($PKG_CONFIG --exists --print-errors "dbus-1") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ pkg_cv_dbus_CFLAGS=`$PKG_CONFIG --cflags "dbus-1" 2>/dev/null`
+else
+ pkg_failed=yes
+fi
+ fi
+else
+ pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+ if test -n "$dbus_LIBS"; then
+ pkg_cv_dbus_LIBS="$dbus_LIBS"
+ else
+ if test -n "$PKG_CONFIG" && \
+ { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"dbus-1\"") >&5
+ ($PKG_CONFIG --exists --print-errors "dbus-1") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ pkg_cv_dbus_LIBS=`$PKG_CONFIG --libs "dbus-1" 2>/dev/null`
+else
+ pkg_failed=yes
+fi
+ fi
+else
+ pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi
+ if test $_pkg_short_errors_supported = yes; then
+ dbus_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "dbus-1"`
+ else
+ dbus_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "dbus-1"`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$dbus_PKG_ERRORS" >&5
+
+ { { echo "$as_me:$LINENO: error: No libdbus package information found" >&5
+echo "$as_me: error: No libdbus package information found" >&2;}
+ { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+ { { echo "$as_me:$LINENO: error: No libdbus package information found" >&5
+echo "$as_me: error: No libdbus package information found" >&2;}
+ { (exit 1); exit 1; }; }
+else
+ dbus_CFLAGS=$pkg_cv_dbus_CFLAGS
+ dbus_LIBS=$pkg_cv_dbus_LIBS
+ { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+ :
+fi
+
+
+fi
+
+if test "$xml" = "true"; then
+
+pkg_failed=no
+{ echo "$as_me:$LINENO: checking for xml" >&5
+echo $ECHO_N "checking for xml... $ECHO_C" >&6; }
+
+if test -n "$PKG_CONFIG"; then
+ if test -n "$xml_CFLAGS"; then
+ pkg_cv_xml_CFLAGS="$xml_CFLAGS"
+ else
+ if test -n "$PKG_CONFIG" && \
+ { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
+ ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ pkg_cv_xml_CFLAGS=`$PKG_CONFIG --cflags "libxml-2.0" 2>/dev/null`
+else
+ pkg_failed=yes
+fi
+ fi
+else
+ pkg_failed=untried
+fi
+if test -n "$PKG_CONFIG"; then
+ if test -n "$xml_LIBS"; then
+ pkg_cv_xml_LIBS="$xml_LIBS"
+ else
+ if test -n "$PKG_CONFIG" && \
+ { (echo "$as_me:$LINENO: \$PKG_CONFIG --exists --print-errors \"libxml-2.0\"") >&5
+ ($PKG_CONFIG --exists --print-errors "libxml-2.0") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ pkg_cv_xml_LIBS=`$PKG_CONFIG --libs "libxml-2.0" 2>/dev/null`
+else
+ pkg_failed=yes
+fi
+ fi
+else
+ pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi
+ if test $_pkg_short_errors_supported = yes; then
+ xml_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libxml-2.0"`
+ else
+ xml_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libxml-2.0"`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$xml_PKG_ERRORS" >&5
+
+ { { echo "$as_me:$LINENO: error: No libxml2 package information found" >&5
+echo "$as_me: error: No libxml2 package information found" >&2;}
+ { (exit 1); exit 1; }; }
+elif test $pkg_failed = untried; then
+ { { echo "$as_me:$LINENO: error: No libxml2 package information found" >&5
+echo "$as_me: error: No libxml2 package information found" >&2;}
+ { (exit 1); exit 1; }; }
+else
+ xml_CFLAGS=$pkg_cv_xml_CFLAGS
+ xml_LIBS=$pkg_cv_xml_LIBS
+ { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+ :
+fi
+
+
+fi
@@ -21719,6 +22153,57 @@ echo "$as_me: error: No usable gmp.h found!" >&2;}
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: checking capset() definition" >&5
+echo $ECHO_N "checking capset() definition... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <linux/capset.h>
+int
+main ()
+{
+
+ void *test = capset;
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }; cat >>confdefs.h <<_ACEOF
+#define NO_CAPSET_DEFINED 1
+_ACEOF
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
if test "$ldap" = "true"; then
if test "${ac_cv_header_ldap_h+set}" = set; then
{ echo "$as_me:$LINENO: checking for ldap.h" >&5
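Review bot: The test program in this capset() probe includes `<linux/capset.h>`, and I am not aware of any kernel or libcap header by that name; the capset() prototype is normally provided by libcap's `<sys/capability.h>`, with `<linux/capability.h>` only defining the structures. If the header does not exist the compile step always fails, NO_CAPSET_DEFINED is always defined, and whatever fallback declaration the daemon uses is always taken, so the check never detects a system prototype and a mismatch between the fallback and the real syscall signature would go unnoticed. Since configure is generated, the include should be corrected in configure.in, e.g. `#include <sys/capability.h>`, and the probe should be verified against a system with libcap installed to confirm it reports "yes" there; I cannot confirm the fallback declaration from this hunk, so it is worth checking alongside.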
@@ -21993,7 +22478,7 @@ fi
fi
-ac_config_files="$ac_config_files Makefile src/Makefile src/libstrongswan/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile"
+ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@@ -22149,6 +22634,20 @@ echo "$as_me: error: conditional \"USE_LIBLDAP\" was never defined.
Usually this means the macro was only invoked conditionally." >&2;}
{ (exit 1); exit 1; }; }
fi
+if test -z "${USE_LIBDBUS_TRUE}" && test -z "${USE_LIBDBUS_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"USE_LIBDBUS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LIBDBUS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_LIBXML_TRUE}" && test -z "${USE_LIBXML_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"USE_LIBXML\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LIBXML\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
{ { echo "$as_me:$LINENO: error: conditional \"USE_SMARTCARD\" was never defined.
Usually this means the macro was only invoked conditionally." >&5
@@ -22505,7 +23004,7 @@ exec 6>&1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by strongSwan $as_me 4.1.1, which was
+This file was extended by strongSwan $as_me 4.1.3, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -22552,7 +23051,7 @@ Report bugs to <bug-autoconf@gnu.org>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-strongSwan config.status 4.1.1
+strongSwan config.status 4.1.3
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
@@ -22659,6 +23158,7 @@ do
"depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
"Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
"src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
+ "src/include/Makefile") CONFIG_FILES="$CONFIG_FILES src/include/Makefile" ;;
"src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;;
"src/libcrypto/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcrypto/Makefile" ;;
"src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
@@ -22815,22 +23315,22 @@ confdir!$confdir$ac_delim
ipsecdir!$ipsecdir$ac_delim
piddir!$piddir$ac_delim
eapdir!$eapdir$ac_delim
+backenddir!$backenddir$ac_delim
+interfacedir!$interfacedir$ac_delim
+linuxdir!$linuxdir$ac_delim
+LINUX_HEADERS!$LINUX_HEADERS$ac_delim
+ipsecuid!$ipsecuid$ac_delim
+ipsecgid!$ipsecgid$ac_delim
USE_LIBCURL_TRUE!$USE_LIBCURL_TRUE$ac_delim
USE_LIBCURL_FALSE!$USE_LIBCURL_FALSE$ac_delim
USE_LIBLDAP_TRUE!$USE_LIBLDAP_TRUE$ac_delim
USE_LIBLDAP_FALSE!$USE_LIBLDAP_FALSE$ac_delim
+USE_LIBDBUS_TRUE!$USE_LIBDBUS_TRUE$ac_delim
+USE_LIBDBUS_FALSE!$USE_LIBDBUS_FALSE$ac_delim
+USE_LIBXML_TRUE!$USE_LIBXML_TRUE$ac_delim
+USE_LIBXML_FALSE!$USE_LIBXML_FALSE$ac_delim
USE_SMARTCARD_TRUE!$USE_SMARTCARD_TRUE$ac_delim
USE_SMARTCARD_FALSE!$USE_SMARTCARD_FALSE$ac_delim
-USE_CISCO_QUIRKS_TRUE!$USE_CISCO_QUIRKS_TRUE$ac_delim
-USE_CISCO_QUIRKS_FALSE!$USE_CISCO_QUIRKS_FALSE$ac_delim
-USE_LEAK_DETECTIVE_TRUE!$USE_LEAK_DETECTIVE_TRUE$ac_delim
-USE_LEAK_DETECTIVE_FALSE!$USE_LEAK_DETECTIVE_FALSE$ac_delim
-BUILD_EAP_SIM_TRUE!$BUILD_EAP_SIM_TRUE$ac_delim
-BUILD_EAP_SIM_FALSE!$BUILD_EAP_SIM_FALSE$ac_delim
-USE_NAT_TRANSPORT_TRUE!$USE_NAT_TRANSPORT_TRUE$ac_delim
-USE_NAT_TRANSPORT_FALSE!$USE_NAT_TRANSPORT_FALSE$ac_delim
-USE_VENDORID_TRUE!$USE_VENDORID_TRUE$ac_delim
-USE_VENDORID_FALSE!$USE_VENDORID_FALSE$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -22872,6 +23372,16 @@ _ACEOF
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
+USE_CISCO_QUIRKS_TRUE!$USE_CISCO_QUIRKS_TRUE$ac_delim
+USE_CISCO_QUIRKS_FALSE!$USE_CISCO_QUIRKS_FALSE$ac_delim
+USE_LEAK_DETECTIVE_TRUE!$USE_LEAK_DETECTIVE_TRUE$ac_delim
+USE_LEAK_DETECTIVE_FALSE!$USE_LEAK_DETECTIVE_FALSE$ac_delim
+BUILD_EAP_SIM_TRUE!$BUILD_EAP_SIM_TRUE$ac_delim
+BUILD_EAP_SIM_FALSE!$BUILD_EAP_SIM_FALSE$ac_delim
+USE_NAT_TRANSPORT_TRUE!$USE_NAT_TRANSPORT_TRUE$ac_delim
+USE_NAT_TRANSPORT_FALSE!$USE_NAT_TRANSPORT_FALSE$ac_delim
+USE_VENDORID_TRUE!$USE_VENDORID_TRUE$ac_delim
+USE_VENDORID_FALSE!$USE_VENDORID_FALSE$ac_delim
build!$build$ac_delim
build_cpu!$build_cpu$ac_delim
build_vendor!$build_vendor$ac_delim
@@ -22902,11 +23412,16 @@ YACC!$YACC$ac_delim
YFLAGS!$YFLAGS$ac_delim
GPERF!$GPERF$ac_delim
PERL!$PERL$ac_delim
+PKG_CONFIG!$PKG_CONFIG$ac_delim
+dbus_CFLAGS!$dbus_CFLAGS$ac_delim
+dbus_LIBS!$dbus_LIBS$ac_delim
+xml_CFLAGS!$xml_CFLAGS$ac_delim
+xml_LIBS!$xml_LIBS$ac_delim
LIBOBJS!$LIBOBJS$ac_delim
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 32; then
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 47; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
diff --git a/configure.in b/configure.in
index 725be81e6..e661487e3 100644
--- a/configure.in
+++ b/configure.in
@@ -16,7 +16,7 @@ dnl ===========================
dnl initialize & set some vars
dnl ===========================
-AC_INIT(strongSwan,4.1.1)
+AC_INIT(strongSwan,4.1.3)
AM_INIT_AUTOMAKE(tar-ustar)
AC_C_BIGENDIAN
AC_SUBST(confdir, '${sysconfdir}')
@@ -75,9 +75,23 @@ AC_ARG_WITH(
AC_ARG_WITH(
[eapdir],
- AS_HELP_STRING([--with-eapdir=dir],[path for pluggable EAP modules other than "ipsecdir/eap"]),
+ AS_HELP_STRING([--with-eapdir=dir],[path for pluggable EAP modules other than "ipsecdir/plugins/eap"]),
[AC_SUBST(eapdir, "$withval")],
- [AC_SUBST(eapdir, "${ipsecdir}/eap")]
+ [AC_SUBST(eapdir, "${ipsecdir}/plugins/eap")]
+)
+
+AC_ARG_WITH(
+ [backenddir],
+ AS_HELP_STRING([--with-backenddir=dir],[path for pluggable configuration backend modules other than "ipsecdir/plugins/backends"]),
+ [AC_SUBST(backenddir, "$withval")],
+ [AC_SUBST(backenddir, "${ipsecdir}/plugins/backends")]
+)
+
+AC_ARG_WITH(
+ [interfacedir],
+ AS_HELP_STRING([--with-interfacedir=dir],[path for pluggable control interface modules other than "ipsecdir/plugins/interfaces"]),
+ [AC_SUBST(interfacedir, "$withval")],
+ [AC_SUBST(interfacedir, "${ipsecdir}/plugins/interfaces")]
)
AC_ARG_WITH(
@@ -86,6 +100,27 @@ AC_ARG_WITH(
[AC_DEFINE_UNQUOTED(SIM_READER_LIB, "$withval")]
)
+AC_ARG_WITH(
+ [linux-headers],
+ AS_HELP_STRING([--with-linux-headers=dir],[use the linux header files in dir instead of the supplied ones in "src/include"]),
+ [AC_SUBST(linuxdir, "$withval")], [AC_SUBST(linuxdir, "../include")]
+)
+AC_SUBST(LINUX_HEADERS)
+
+AC_ARG_WITH(
+ [uid],
+ AS_HELP_STRING([--with-uid=uid],[change user of the daemons to UID after startup (default is 0).]),
+ [AC_DEFINE_UNQUOTED(IPSEC_UID, $withval) AC_SUBST(ipsecuid, "$withval")],
+ [AC_DEFINE_UNQUOTED(IPSEC_UID, 0) AC_SUBST(ipsecuid, "0")]
+)
+
+AC_ARG_WITH(
+ [gid],
+ AS_HELP_STRING([--with-gid=gid],[change group of the daemons to GID after startup (default is 0).]),
+ [AC_DEFINE_UNQUOTED(IPSEC_GID, $withval) AC_SUBST(ipsecgid, "$withval")],
+ [AC_DEFINE_UNQUOTED(IPSEC_GID, 0) AC_SUBST(ipsecgid, "0")]
+)
+
AC_ARG_ENABLE(
[http],
AS_HELP_STRING([--enable-http],[enable OCSP and fetching of Certificates and CRLs over HTTP (default is NO). Requires libcurl.]),
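Review bot: The `--with-uid` value is spliced verbatim into `AC_DEFINE_UNQUOTED(IPSEC_UID, $withval)` with no check that it is numeric, so a bare `--with-uid` (withval is `yes`) or a user name produces `#define IPSEC_UID yes` and the mistake only surfaces as a compile error in the daemon, or as an unintended identifier if one happens to exist; the same applies to `--with-gid` a few lines below. A guard before each define, such as `case "$withval" in *[[!0-9]]*|"") AC_MSG_ERROR([--with-uid requires a numeric UID]);; esac`, catches this at configure time. Since the daemon changes to this UID after startup according to the help string, it would also help to say there that the default of 0 means no change of user takes place.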
@@ -107,6 +142,26 @@ AC_ARG_ENABLE(
AM_CONDITIONAL(USE_LIBLDAP, test x$ldap = xtrue)
AC_ARG_ENABLE(
+ [dbus],
+ AS_HELP_STRING([--enable-dbus],[enable DBUS configuration and control interface (default is NO). Requires libdbus.]),
+ [if test x$enableval = xyes; then
+ dbus=true
+ AC_DEFINE(LIBDBUS)
+ fi]
+)
+AM_CONDITIONAL(USE_LIBDBUS, test x$dbus = xtrue)
+
+AC_ARG_ENABLE(
+ [xml],
+ AS_HELP_STRING([--enable-xml],[enable XML configuration and control interface (default is NO). Requires libxml.]),
+ [if test x$enableval = xyes; then
+ xml=true
+ AC_DEFINE(LIBXML)
+ fi]
+)
+AM_CONDITIONAL(USE_LIBXML, test x$xml = xtrue)
+
+AC_ARG_ENABLE(
[smartcard],
AS_HELP_STRING([--enable-smartcard],[enable smartcard support (default is NO).]),
[if test x$enableval = xyes; then
@@ -192,6 +247,17 @@ if test "$http" = "true"; then
AC_HAVE_LIBRARY([curl],[LIBS="$LIBS"],[AC_MSG_ERROR([HTTP enabled, but library curl not found])])
fi
+if test "$dbus" = "true"; then
+ PKG_CHECK_MODULES(dbus, dbus-1,, AC_MSG_ERROR([No libdbus package information found]))
+ AC_SUBST(dbus_CFLAGS)
+ AC_SUBST(dbus_LIBS)
+fi
+
+if test "$xml" = "true"; then
+ PKG_CHECK_MODULES(xml, libxml-2.0,, AC_MSG_ERROR([No libxml2 package information found]))
+ AC_SUBST(xml_CFLAGS)
+ AC_SUBST(xml_LIBS)
+fi
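Review bot: The explicit `AC_SUBST(dbus_CFLAGS)` / `AC_SUBST(dbus_LIBS)` lines after `PKG_CHECK_MODULES(dbus, ...)` are redundant, since PKG_CHECK_MODULES already substitutes `<prefix>_CFLAGS` and `<prefix>_LIBS` for the prefix it is given; the same holds for the `xml` block below. Dropping the four AC_SUBST lines keeps the two blocks to the single PKG_CHECK_MODULES call each and avoids suggesting that the substitution is something the caller has to arrange.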
dnl =============================
dnl check required header files
@@ -208,6 +274,14 @@ AC_TRY_COMPILE(
],
[AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
)
+AC_MSG_CHECKING([capset() definition])
+AC_TRY_COMPILE(
+ [#include <linux/capset.h>],
+ [
+ void *test = capset;
+ ],
+ [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_DEFINE_UNQUOTED(NO_CAPSET_DEFINED, 1)]
+)
if test "$ldap" = "true"; then
AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP enabled, but ldap.h not found!])])
fi
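Review bot: The capset() probe compiles `#include <linux/capset.h>` against the default include path only, while this same commit builds charon with `-I${linuxdir}` in src/charon/Makefile.am, so the result configure records may not match the headers the daemon actually compiles against; note that the `../include` default for linuxdir is relative and does not resolve from the top-level directory configure runs in, so the check would need `$srcdir/src/include` or an absolute path if it is to honour the option. The meaning of the define is also undocumented; a `dnl` line such as `dnl NO_CAPSET_DEFINED: the headers do not declare capset(), presumably used to drop privileges after startup` above the AC_MSG_CHECKING would tell the next reader why a failed probe is not fatal.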
@@ -222,13 +296,13 @@ dnl ==============================
AC_OUTPUT(
Makefile
src/Makefile
+ src/include/Makefile
src/libstrongswan/Makefile
src/libcrypto/Makefile
src/libfreeswan/Makefile
src/pluto/Makefile
src/whack/Makefile
src/charon/Makefile
-dnl src/charon/testing/Makefile
src/stroke/Makefile
src/ipsec/Makefile
src/starter/Makefile
diff --git a/src/Makefile.am b/src/Makefile.am
index a3f90f39e..204a211e4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1 +1 @@
-SUBDIRS = libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright
+SUBDIRS = include libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright
diff --git a/src/Makefile.in b/src/Makefile.in
index 6fa95d413..9fb649725 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -99,6 +99,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -111,6 +112,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -121,8 +123,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -144,6 +150,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -153,6 +160,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -166,9 +175,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -183,7 +196,9 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
-SUBDIRS = libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+SUBDIRS = include libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright
all: all-recursive
.SUFFIXES:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 7e78b9185..68d2f0484 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -115,6 +115,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -127,6 +128,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -137,8 +139,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -160,6 +166,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -169,6 +176,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -182,9 +191,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -199,6 +212,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
_copyright_SOURCES = _copyright.c
dist_man8_MANS = _copyright.8
INCLUDES = -I$(top_srcdir)/src/libfreeswan
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index ccb176fbc..9118eef49 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -98,6 +98,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -110,6 +111,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -120,8 +122,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -143,6 +149,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -152,6 +159,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -165,9 +174,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -182,6 +195,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
dist_ipsec_SCRIPTS = _updown
dist_man8_MANS = _updown.8
all: all-am
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 0286c8f58..da105b469 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -98,6 +98,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -110,6 +111,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -120,8 +122,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -143,6 +149,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -152,6 +159,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -165,9 +174,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -182,6 +195,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
dist_ipsec_SCRIPTS = _updown_espmark
dist_man8_MANS = _updown_espmark.8
all: all-am
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 9522b6e6d..a64d9fa70 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -1,87 +1,144 @@
-# SUBDIRS = . testing
-eap_LTLIBRARIES = libeapidentity.la
-
-# always build EAP Identity module
-libeapidentity_la_SOURCES = sa/authenticators/eap/eap_identity.h sa/authenticators/eap/eap_identity.c
-libeapidentity_la_LDFLAGS = -module
-
-# build optional EAP modules
-if BUILD_EAP_SIM
- eap_LTLIBRARIES += libeapsim.la
- libeapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c
- libeapsim_la_LDFLAGS = -module
-endif
ipsec_PROGRAMS = charon
charon_SOURCES = \
bus/bus.c bus/bus.h \
-bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
bus/listeners/file_logger.c bus/listeners/file_logger.h \
-config/connections/connection.c config/connections/connection.h \
-config/connections/local_connection_store.c config/connections/local_connection_store.h config/connections/connection_store.h \
-config/policies/policy.c config/policies/policy.h \
-config/policies/local_policy_store.c config/policies/policy_store.h config/policies/local_policy_store.h \
+bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
+config/backends/backend.h config/backends/writeable_backend.h \
+config/backend_manager.c config/backend_manager.h \
+config/child_cfg.c config/child_cfg.h \
config/credentials/local_credential_store.c config/credentials/local_credential_store.h \
+config/ike_cfg.c config/ike_cfg.h \
+config/peer_cfg.c config/peer_cfg.h \
+config/proposal.c config/proposal.h \
config/traffic_selector.c config/traffic_selector.h \
-config/proposal.c config/proposal.h config/configuration.c config/configuration.h \
-sa/authenticators/eap_authenticator.h sa/authenticators/eap_authenticator.c \
-sa/authenticators/eap/eap_method.h sa/authenticators/eap/eap_method.c \
-sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
-sa/ike_sa_id.c sa/ike_sa_id.h sa/tasks/task.c sa/tasks/task.h \
-sa/tasks/ike_init.c sa/tasks/ike_init.h \
-sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
+control/interfaces/interface.h \
+control/interface_manager.c control/interface_manager.h \
+daemon.c daemon.h \
+encoding/generator.c encoding/generator.h \
+encoding/message.c encoding/message.h \
+encoding/parser.c encoding/parser.h \
+encoding/payloads/auth_payload.c encoding/payloads/auth_payload.h \
+encoding/payloads/cert_payload.c encoding/payloads/cert_payload.h \
+encoding/payloads/certreq_payload.c encoding/payloads/certreq_payload.h \
+encoding/payloads/configuration_attribute.c encoding/payloads/configuration_attribute.h \
+encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
+encoding/payloads/delete_payload.c encoding/payloads/delete_payload.h \
+encoding/payloads/eap_payload.c encoding/payloads/eap_payload.h \
+encoding/payloads/encodings.c encoding/payloads/encodings.h \
+encoding/payloads/encryption_payload.c encoding/payloads/encryption_payload.h \
+encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
+encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
+encoding/payloads/ke_payload.c encoding/payloads/ke_payload.h \
+encoding/payloads/nonce_payload.c encoding/payloads/nonce_payload.h \
+encoding/payloads/notify_payload.c encoding/payloads/notify_payload.h \
+encoding/payloads/payload.c encoding/payloads/payload.h \
+encoding/payloads/proposal_substructure.c encoding/payloads/proposal_substructure.h \
+encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \
+encoding/payloads/traffic_selector_substructure.c encoding/payloads/traffic_selector_substructure.h \
+encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
+encoding/payloads/transform_substructure.c encoding/payloads/transform_substructure.h \
+encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
+encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
+encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+network/packet.c network/packet.h \
+network/receiver.c network/receiver.h \
+network/sender.c network/sender.h \
+network/socket.c network/socket.h \
+processing/event_queue.c processing/event_queue.h \
+processing/job_queue.c processing/job_queue.h \
+processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
+processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
+processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
+processing/jobs/job.c processing/jobs/job.h \
+processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
+processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
+processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
+processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
+processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
+processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
+processing/scheduler.c processing/scheduler.h \
+processing/thread_pool.c processing/thread_pool.h \
+sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
+sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
+sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
+sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
+sa/authenticators/rsa_authenticator.c sa/authenticators/rsa_authenticator.h \
+sa/child_sa.c sa/child_sa.h \
+sa/ike_sa.c sa/ike_sa.h \
+sa/ike_sa_id.c sa/ike_sa_id.h \
+sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/task_manager.c sa/task_manager.h \
+sa/tasks/child_create.c sa/tasks/child_create.h \
+sa/tasks/child_delete.c sa/tasks/child_delete.h \
+sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-sa/tasks/ike_config.c sa/tasks/ike_config.h \
sa/tasks/ike_cert.c sa/tasks/ike_cert.h \
-sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/ike_config.c sa/tasks/ike_config.h \
sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
-sa/tasks/child_create.c sa/tasks/child_create.h \
-sa/tasks/child_delete.c sa/tasks/child_delete.h \
-sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
-sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
-sa/authenticators/rsa_authenticator.c sa/authenticators/rsa_authenticator.h \
-sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
-sa/task_manager.c sa/task_manager.h encoding/payloads/encryption_payload.c \
-encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
-encoding/payloads/configuration_attribute.h encoding/payloads/proposal_substructure.h \
-encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
-encoding/payloads/configuration_attribute.c encoding/payloads/transform_substructure.c \
-encoding/payloads/encryption_payload.h encoding/payloads/auth_payload.c encoding/payloads/ike_header.c \
-encoding/payloads/transform_substructure.h encoding/payloads/nonce_payload.c encoding/payloads/cert_payload.h \
-encoding/payloads/eap_payload.c encoding/payloads/ike_header.h encoding/payloads/auth_payload.h \
-encoding/payloads/ts_payload.c encoding/payloads/traffic_selector_substructure.h encoding/payloads/nonce_payload.h \
-encoding/payloads/notify_payload.c encoding/payloads/eap_payload.h encoding/payloads/notify_payload.h \
-encoding/payloads/ts_payload.h encoding/payloads/id_payload.c encoding/payloads/ke_payload.c \
-encoding/payloads/unknown_payload.c encoding/payloads/encodings.c encoding/payloads/id_payload.h \
-encoding/payloads/cp_payload.c encoding/payloads/delete_payload.c encoding/payloads/sa_payload.c \
-encoding/payloads/ke_payload.h encoding/payloads/unknown_payload.h encoding/payloads/encodings.h \
-encoding/payloads/certreq_payload.c encoding/payloads/cp_payload.h encoding/payloads/delete_payload.h \
-encoding/payloads/sa_payload.h encoding/payloads/vendor_id_payload.c encoding/payloads/certreq_payload.h \
-encoding/payloads/vendor_id_payload.h encoding/payloads/proposal_substructure.c encoding/payloads/payload.c \
-encoding/parser.h encoding/message.c encoding/generator.c encoding/message.h encoding/generator.h \
-encoding/parser.c daemon.c daemon.h network/packet.c \
-network/socket.c network/packet.h network/socket.h queues/jobs/job.h queues/jobs/job.c \
-queues/jobs/retransmit_job.h queues/jobs/initiate_job.h \
-queues/jobs/process_message_job.h queues/jobs/process_message_job.c \
-queues/jobs/delete_ike_sa_job.c queues/jobs/delete_ike_sa_job.h \
-queues/jobs/retransmit_job.c queues/jobs/initiate_job.c \
-queues/jobs/send_keepalive_job.c queues/jobs/send_keepalive_job.h \
-queues/jobs/rekey_child_sa_job.c queues/jobs/rekey_child_sa_job.h queues/jobs/delete_child_sa_job.c queues/jobs/delete_child_sa_job.h \
-queues/jobs/send_dpd_job.c queues/jobs/send_dpd_job.h queues/jobs/route_job.c queues/jobs/route_job.h \
-queues/jobs/acquire_job.c queues/jobs/acquire_job.h queues/jobs/rekey_ike_sa_job.c queues/jobs/rekey_ike_sa_job.h \
-queues/job_queue.c queues/event_queue.c queues/job_queue.h queues/event_queue.h \
-threads/kernel_interface.c threads/thread_pool.c threads/scheduler.c threads/sender.c \
-threads/sender.h threads/kernel_interface.h threads/scheduler.h threads/receiver.c threads/stroke_interface.c \
-threads/thread_pool.h threads/receiver.h threads/stroke_interface.h
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\"
+sa/tasks/ike_init.c sa/tasks/ike_init.h \
+sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
+sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/task.c sa/tasks/task.h
+
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
+ -DIPSEC_EAPDIR=\"${eapdir}\" -DIPSEC_BACKENDDIR=\"${backenddir}\" -DIPSEC_INTERFACEDIR=\"${interfacedir}\"
charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp -lpthread -lm -ldl
if USE_LIBCURL
- charon_LDADD += -lcurl
+ charon_LDADD += -lcurl
+endif
+
+
+# build EAP plugins, EAP-Identity is always built
+#################################################
+eap_LTLIBRARIES =
+
+eap_LTLIBRARIES += libeapidentity.la
+libeapidentity_la_SOURCES = sa/authenticators/eap/eap_identity.h sa/authenticators/eap/eap_identity.c
+libeapidentity_la_LDFLAGS = -module
+
+if BUILD_EAP_SIM
+ eap_LTLIBRARIES += libeapsim.la
+ libeapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c
+ libeapsim_la_LDFLAGS = -module
+endif
+
+# build backends, local backend is always built
+###############################################
+backend_LTLIBRARIES =
+
+backend_LTLIBRARIES += liblocal.la
+liblocal_la_SOURCES = config/backends/local_backend.h config/backends/local_backend.c
+liblocal_la_LDFLAGS = -module
+
+# build control interfaces, stroke interface is always built
+############################################################
+interface_LTLIBRARIES =
+
+interface_LTLIBRARIES += libstroke.la
+libstroke_la_SOURCES = control/interfaces/stroke_interface.h control/interfaces/stroke_interface.c
+libstroke_la_LDFLAGS = -module
+
+if USE_LIBDBUS
+ interface_LTLIBRARIES += libdbus.la
+ libdbus_la_SOURCES = control/interfaces/dbus_interface.h control/interfaces/dbus_interface.c
+ libdbus_la_LDFLAGS = -module
+ libdbus_la_LIBADD = ${dbus_LIBS}
+ INCLUDES += ${dbus_CFLAGS}
+endif
+
+if USE_LIBXML
+ interface_LTLIBRARIES += libxml.la
+ libxml_la_SOURCES = control/interfaces/xml_interface.h control/interfaces/xml_interface.c
+ libxml_la_LDFLAGS = -module
+ libxml_la_LIBADD = ${xml_LIBS}
+ INCLUDES += ${xml_CFLAGS}
endif
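Review bot: `INCLUDES = -I${linuxdir} ...` relies on the configure default `../include`, which is relative to the directory make runs in; in an out-of-tree (VPATH) build that points into the build tree rather than at the supplied headers under `$(top_srcdir)/src/include`, so the bundled headers are presumably only found for in-tree builds. Using `-I$(top_srcdir)/src/include` as the default, or having configure resolve `--with-linux-headers` to an absolute path, would make the include path independent of the build layout. A comment above the line noting that `${linuxdir}` is expected to hold Linux kernel headers and is placed first in the search path on purpose would also help, since the other `-I` entries are all top_srcdir-relative. This hunk replaces the whole of Makefile.am.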
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 0f2979d32..9f4177f60 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -14,8 +14,6 @@
@SET_MAKE@
-# SUBDIRS = . testing
-
srcdir = @srcdir@
top_srcdir = @top_srcdir@
@@ -39,11 +37,13 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-
-# build optional EAP modules
-@BUILD_EAP_SIM_TRUE@am__append_1 = libeapsim.la
ipsec_PROGRAMS = charon$(EXEEXT)
-@USE_LIBCURL_TRUE@am__append_2 = -lcurl
+@USE_LIBCURL_TRUE@am__append_1 = -lcurl
+@BUILD_EAP_SIM_TRUE@am__append_2 = libeapsim.la
+@USE_LIBDBUS_TRUE@am__append_3 = libdbus.la
+@USE_LIBDBUS_TRUE@am__append_4 = ${dbus_CFLAGS}
+@USE_LIBXML_TRUE@am__append_5 = libxml.la
+@USE_LIBXML_TRUE@am__append_6 = ${xml_CFLAGS}
subdir = src/charon
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -58,9 +58,20 @@ am__vpath_adj = case $$p in \
*) f=$$p;; \
esac;
am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
-am__installdirs = "$(DESTDIR)$(eapdir)" "$(DESTDIR)$(ipsecdir)"
+am__installdirs = "$(DESTDIR)$(backenddir)" "$(DESTDIR)$(eapdir)" \
+ "$(DESTDIR)$(interfacedir)" "$(DESTDIR)$(ipsecdir)"
+backendLTLIBRARIES_INSTALL = $(INSTALL)
eapLTLIBRARIES_INSTALL = $(INSTALL)
-LTLIBRARIES = $(eap_LTLIBRARIES)
+interfaceLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(backend_LTLIBRARIES) $(eap_LTLIBRARIES) \
+ $(interface_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+@USE_LIBDBUS_TRUE@libdbus_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am__libdbus_la_SOURCES_DIST = control/interfaces/dbus_interface.h \
+ control/interfaces/dbus_interface.c
+@USE_LIBDBUS_TRUE@am_libdbus_la_OBJECTS = dbus_interface.lo
+libdbus_la_OBJECTS = $(am_libdbus_la_OBJECTS)
+@USE_LIBDBUS_TRUE@am_libdbus_la_rpath = -rpath $(interfacedir)
libeapidentity_la_LIBADD =
am_libeapidentity_la_OBJECTS = eap_identity.lo
libeapidentity_la_OBJECTS = $(am_libeapidentity_la_OBJECTS)
@@ -70,49 +81,56 @@ am__libeapsim_la_SOURCES_DIST = sa/authenticators/eap/eap_sim.h \
@BUILD_EAP_SIM_TRUE@am_libeapsim_la_OBJECTS = eap_sim.lo
libeapsim_la_OBJECTS = $(am_libeapsim_la_OBJECTS)
@BUILD_EAP_SIM_TRUE@am_libeapsim_la_rpath = -rpath $(eapdir)
+liblocal_la_LIBADD =
+am_liblocal_la_OBJECTS = local_backend.lo
+liblocal_la_OBJECTS = $(am_liblocal_la_OBJECTS)
+libstroke_la_LIBADD =
+am_libstroke_la_OBJECTS = stroke_interface.lo
+libstroke_la_OBJECTS = $(am_libstroke_la_OBJECTS)
+@USE_LIBXML_TRUE@libxml_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am__libxml_la_SOURCES_DIST = control/interfaces/xml_interface.h \
+ control/interfaces/xml_interface.c
+@USE_LIBXML_TRUE@am_libxml_la_OBJECTS = xml_interface.lo
+libxml_la_OBJECTS = $(am_libxml_la_OBJECTS)
+@USE_LIBXML_TRUE@am_libxml_la_rpath = -rpath $(interfacedir)
ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
PROGRAMS = $(ipsec_PROGRAMS)
-am_charon_OBJECTS = bus.$(OBJEXT) sys_logger.$(OBJEXT) \
- file_logger.$(OBJEXT) connection.$(OBJEXT) \
- local_connection_store.$(OBJEXT) policy.$(OBJEXT) \
- local_policy_store.$(OBJEXT) local_credential_store.$(OBJEXT) \
- traffic_selector.$(OBJEXT) proposal.$(OBJEXT) \
- configuration.$(OBJEXT) eap_authenticator.$(OBJEXT) \
- eap_method.$(OBJEXT) child_sa.$(OBJEXT) ike_sa.$(OBJEXT) \
- ike_sa_manager.$(OBJEXT) ike_sa_id.$(OBJEXT) task.$(OBJEXT) \
- ike_init.$(OBJEXT) ike_natd.$(OBJEXT) ike_auth.$(OBJEXT) \
- ike_config.$(OBJEXT) ike_cert.$(OBJEXT) ike_rekey.$(OBJEXT) \
- ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) child_create.$(OBJEXT) \
+am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
+ sys_logger.$(OBJEXT) backend_manager.$(OBJEXT) \
+ child_cfg.$(OBJEXT) local_credential_store.$(OBJEXT) \
+ ike_cfg.$(OBJEXT) peer_cfg.$(OBJEXT) proposal.$(OBJEXT) \
+ traffic_selector.$(OBJEXT) interface_manager.$(OBJEXT) \
+ daemon.$(OBJEXT) generator.$(OBJEXT) message.$(OBJEXT) \
+ parser.$(OBJEXT) auth_payload.$(OBJEXT) cert_payload.$(OBJEXT) \
+ certreq_payload.$(OBJEXT) configuration_attribute.$(OBJEXT) \
+ cp_payload.$(OBJEXT) delete_payload.$(OBJEXT) \
+ eap_payload.$(OBJEXT) encodings.$(OBJEXT) \
+ encryption_payload.$(OBJEXT) id_payload.$(OBJEXT) \
+ ike_header.$(OBJEXT) ke_payload.$(OBJEXT) \
+ nonce_payload.$(OBJEXT) notify_payload.$(OBJEXT) \
+ payload.$(OBJEXT) proposal_substructure.$(OBJEXT) \
+ sa_payload.$(OBJEXT) traffic_selector_substructure.$(OBJEXT) \
+ transform_attribute.$(OBJEXT) transform_substructure.$(OBJEXT) \
+ ts_payload.$(OBJEXT) unknown_payload.$(OBJEXT) \
+ vendor_id_payload.$(OBJEXT) kernel_interface.$(OBJEXT) \
+ packet.$(OBJEXT) receiver.$(OBJEXT) sender.$(OBJEXT) \
+ socket.$(OBJEXT) event_queue.$(OBJEXT) job_queue.$(OBJEXT) \
+ acquire_job.$(OBJEXT) delete_child_sa_job.$(OBJEXT) \
+ delete_ike_sa_job.$(OBJEXT) job.$(OBJEXT) \
+ process_message_job.$(OBJEXT) rekey_child_sa_job.$(OBJEXT) \
+ rekey_ike_sa_job.$(OBJEXT) retransmit_job.$(OBJEXT) \
+ send_dpd_job.$(OBJEXT) send_keepalive_job.$(OBJEXT) \
+ scheduler.$(OBJEXT) thread_pool.$(OBJEXT) \
+ authenticator.$(OBJEXT) eap_authenticator.$(OBJEXT) \
+ eap_method.$(OBJEXT) psk_authenticator.$(OBJEXT) \
+ rsa_authenticator.$(OBJEXT) child_sa.$(OBJEXT) \
+ ike_sa.$(OBJEXT) ike_sa_id.$(OBJEXT) ike_sa_manager.$(OBJEXT) \
+ task_manager.$(OBJEXT) child_create.$(OBJEXT) \
child_delete.$(OBJEXT) child_rekey.$(OBJEXT) \
- authenticator.$(OBJEXT) rsa_authenticator.$(OBJEXT) \
- psk_authenticator.$(OBJEXT) task_manager.$(OBJEXT) \
- encryption_payload.$(OBJEXT) cert_payload.$(OBJEXT) \
- traffic_selector_substructure.$(OBJEXT) \
- transform_attribute.$(OBJEXT) \
- configuration_attribute.$(OBJEXT) \
- transform_substructure.$(OBJEXT) auth_payload.$(OBJEXT) \
- ike_header.$(OBJEXT) nonce_payload.$(OBJEXT) \
- eap_payload.$(OBJEXT) ts_payload.$(OBJEXT) \
- notify_payload.$(OBJEXT) id_payload.$(OBJEXT) \
- ke_payload.$(OBJEXT) unknown_payload.$(OBJEXT) \
- encodings.$(OBJEXT) cp_payload.$(OBJEXT) \
- delete_payload.$(OBJEXT) sa_payload.$(OBJEXT) \
- certreq_payload.$(OBJEXT) vendor_id_payload.$(OBJEXT) \
- proposal_substructure.$(OBJEXT) payload.$(OBJEXT) \
- message.$(OBJEXT) generator.$(OBJEXT) parser.$(OBJEXT) \
- daemon.$(OBJEXT) packet.$(OBJEXT) socket.$(OBJEXT) \
- job.$(OBJEXT) process_message_job.$(OBJEXT) \
- delete_ike_sa_job.$(OBJEXT) retransmit_job.$(OBJEXT) \
- initiate_job.$(OBJEXT) send_keepalive_job.$(OBJEXT) \
- rekey_child_sa_job.$(OBJEXT) delete_child_sa_job.$(OBJEXT) \
- send_dpd_job.$(OBJEXT) route_job.$(OBJEXT) \
- acquire_job.$(OBJEXT) rekey_ike_sa_job.$(OBJEXT) \
- job_queue.$(OBJEXT) event_queue.$(OBJEXT) \
- kernel_interface.$(OBJEXT) thread_pool.$(OBJEXT) \
- scheduler.$(OBJEXT) sender.$(OBJEXT) receiver.$(OBJEXT) \
- stroke_interface.$(OBJEXT)
+ ike_auth.$(OBJEXT) ike_cert.$(OBJEXT) ike_config.$(OBJEXT) \
+ ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) ike_init.$(OBJEXT) \
+ ike_natd.$(OBJEXT) ike_rekey.$(OBJEXT) task.$(OBJEXT)
charon_OBJECTS = $(am_charon_OBJECTS)
-am__DEPENDENCIES_1 =
charon_DEPENDENCIES = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
$(am__DEPENDENCIES_1)
@@ -127,10 +145,13 @@ LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
CCLD = $(CC)
LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = $(libeapidentity_la_SOURCES) $(libeapsim_la_SOURCES) \
- $(charon_SOURCES)
-DIST_SOURCES = $(libeapidentity_la_SOURCES) \
- $(am__libeapsim_la_SOURCES_DIST) $(charon_SOURCES)
+SOURCES = $(libdbus_la_SOURCES) $(libeapidentity_la_SOURCES) \
+ $(libeapsim_la_SOURCES) $(liblocal_la_SOURCES) \
+ $(libstroke_la_SOURCES) $(libxml_la_SOURCES) $(charon_SOURCES)
+DIST_SOURCES = $(am__libdbus_la_SOURCES_DIST) \
+ $(libeapidentity_la_SOURCES) $(am__libeapsim_la_SOURCES_DIST) \
+ $(liblocal_la_SOURCES) $(libstroke_la_SOURCES) \
+ $(am__libxml_la_SOURCES_DIST) $(charon_SOURCES)
ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -178,6 +199,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -190,6 +212,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -200,8 +223,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -223,6 +250,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -232,6 +260,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -245,9 +275,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -262,79 +296,125 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
-eap_LTLIBRARIES = libeapidentity.la $(am__append_1)
-
-# always build EAP Identity module
-libeapidentity_la_SOURCES = sa/authenticators/eap/eap_identity.h sa/authenticators/eap/eap_identity.c
-libeapidentity_la_LDFLAGS = -module
-@BUILD_EAP_SIM_TRUE@libeapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c
-@BUILD_EAP_SIM_TRUE@libeapsim_la_LDFLAGS = -module
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
charon_SOURCES = \
bus/bus.c bus/bus.h \
-bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
bus/listeners/file_logger.c bus/listeners/file_logger.h \
-config/connections/connection.c config/connections/connection.h \
-config/connections/local_connection_store.c config/connections/local_connection_store.h config/connections/connection_store.h \
-config/policies/policy.c config/policies/policy.h \
-config/policies/local_policy_store.c config/policies/policy_store.h config/policies/local_policy_store.h \
+bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
+config/backends/backend.h config/backends/writeable_backend.h \
+config/backend_manager.c config/backend_manager.h \
+config/child_cfg.c config/child_cfg.h \
config/credentials/local_credential_store.c config/credentials/local_credential_store.h \
+config/ike_cfg.c config/ike_cfg.h \
+config/peer_cfg.c config/peer_cfg.h \
+config/proposal.c config/proposal.h \
config/traffic_selector.c config/traffic_selector.h \
-config/proposal.c config/proposal.h config/configuration.c config/configuration.h \
-sa/authenticators/eap_authenticator.h sa/authenticators/eap_authenticator.c \
-sa/authenticators/eap/eap_method.h sa/authenticators/eap/eap_method.c \
-sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
-sa/ike_sa_id.c sa/ike_sa_id.h sa/tasks/task.c sa/tasks/task.h \
-sa/tasks/ike_init.c sa/tasks/ike_init.h \
-sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
+control/interfaces/interface.h \
+control/interface_manager.c control/interface_manager.h \
+daemon.c daemon.h \
+encoding/generator.c encoding/generator.h \
+encoding/message.c encoding/message.h \
+encoding/parser.c encoding/parser.h \
+encoding/payloads/auth_payload.c encoding/payloads/auth_payload.h \
+encoding/payloads/cert_payload.c encoding/payloads/cert_payload.h \
+encoding/payloads/certreq_payload.c encoding/payloads/certreq_payload.h \
+encoding/payloads/configuration_attribute.c encoding/payloads/configuration_attribute.h \
+encoding/payloads/cp_payload.c encoding/payloads/cp_payload.h \
+encoding/payloads/delete_payload.c encoding/payloads/delete_payload.h \
+encoding/payloads/eap_payload.c encoding/payloads/eap_payload.h \
+encoding/payloads/encodings.c encoding/payloads/encodings.h \
+encoding/payloads/encryption_payload.c encoding/payloads/encryption_payload.h \
+encoding/payloads/id_payload.c encoding/payloads/id_payload.h \
+encoding/payloads/ike_header.c encoding/payloads/ike_header.h \
+encoding/payloads/ke_payload.c encoding/payloads/ke_payload.h \
+encoding/payloads/nonce_payload.c encoding/payloads/nonce_payload.h \
+encoding/payloads/notify_payload.c encoding/payloads/notify_payload.h \
+encoding/payloads/payload.c encoding/payloads/payload.h \
+encoding/payloads/proposal_substructure.c encoding/payloads/proposal_substructure.h \
+encoding/payloads/sa_payload.c encoding/payloads/sa_payload.h \
+encoding/payloads/traffic_selector_substructure.c encoding/payloads/traffic_selector_substructure.h \
+encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
+encoding/payloads/transform_substructure.c encoding/payloads/transform_substructure.h \
+encoding/payloads/ts_payload.c encoding/payloads/ts_payload.h \
+encoding/payloads/unknown_payload.c encoding/payloads/unknown_payload.h \
+encoding/payloads/vendor_id_payload.c encoding/payloads/vendor_id_payload.h \
+kernel/kernel_interface.c kernel/kernel_interface.h \
+network/packet.c network/packet.h \
+network/receiver.c network/receiver.h \
+network/sender.c network/sender.h \
+network/socket.c network/socket.h \
+processing/event_queue.c processing/event_queue.h \
+processing/job_queue.c processing/job_queue.h \
+processing/jobs/acquire_job.c processing/jobs/acquire_job.h \
+processing/jobs/delete_child_sa_job.c processing/jobs/delete_child_sa_job.h \
+processing/jobs/delete_ike_sa_job.c processing/jobs/delete_ike_sa_job.h \
+processing/jobs/job.c processing/jobs/job.h \
+processing/jobs/process_message_job.c processing/jobs/process_message_job.h \
+processing/jobs/rekey_child_sa_job.c processing/jobs/rekey_child_sa_job.h \
+processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \
+processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \
+processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \
+processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \
+processing/scheduler.c processing/scheduler.h \
+processing/thread_pool.c processing/thread_pool.h \
+sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
+sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
+sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
+sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
+sa/authenticators/rsa_authenticator.c sa/authenticators/rsa_authenticator.h \
+sa/child_sa.c sa/child_sa.h \
+sa/ike_sa.c sa/ike_sa.h \
+sa/ike_sa_id.c sa/ike_sa_id.h \
+sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/task_manager.c sa/task_manager.h \
+sa/tasks/child_create.c sa/tasks/child_create.h \
+sa/tasks/child_delete.c sa/tasks/child_delete.h \
+sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
-sa/tasks/ike_config.c sa/tasks/ike_config.h \
sa/tasks/ike_cert.c sa/tasks/ike_cert.h \
-sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/ike_config.c sa/tasks/ike_config.h \
sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
-sa/tasks/child_create.c sa/tasks/child_create.h \
-sa/tasks/child_delete.c sa/tasks/child_delete.h \
-sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
-sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
-sa/authenticators/rsa_authenticator.c sa/authenticators/rsa_authenticator.h \
-sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
-sa/task_manager.c sa/task_manager.h encoding/payloads/encryption_payload.c \
-encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
-encoding/payloads/configuration_attribute.h encoding/payloads/proposal_substructure.h \
-encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
-encoding/payloads/configuration_attribute.c encoding/payloads/transform_substructure.c \
-encoding/payloads/encryption_payload.h encoding/payloads/auth_payload.c encoding/payloads/ike_header.c \
-encoding/payloads/transform_substructure.h encoding/payloads/nonce_payload.c encoding/payloads/cert_payload.h \
-encoding/payloads/eap_payload.c encoding/payloads/ike_header.h encoding/payloads/auth_payload.h \
-encoding/payloads/ts_payload.c encoding/payloads/traffic_selector_substructure.h encoding/payloads/nonce_payload.h \
-encoding/payloads/notify_payload.c encoding/payloads/eap_payload.h encoding/payloads/notify_payload.h \
-encoding/payloads/ts_payload.h encoding/payloads/id_payload.c encoding/payloads/ke_payload.c \
-encoding/payloads/unknown_payload.c encoding/payloads/encodings.c encoding/payloads/id_payload.h \
-encoding/payloads/cp_payload.c encoding/payloads/delete_payload.c encoding/payloads/sa_payload.c \
-encoding/payloads/ke_payload.h encoding/payloads/unknown_payload.h encoding/payloads/encodings.h \
-encoding/payloads/certreq_payload.c encoding/payloads/cp_payload.h encoding/payloads/delete_payload.h \
-encoding/payloads/sa_payload.h encoding/payloads/vendor_id_payload.c encoding/payloads/certreq_payload.h \
-encoding/payloads/vendor_id_payload.h encoding/payloads/proposal_substructure.c encoding/payloads/payload.c \
-encoding/parser.h encoding/message.c encoding/generator.c encoding/message.h encoding/generator.h \
-encoding/parser.c daemon.c daemon.h network/packet.c \
-network/socket.c network/packet.h network/socket.h queues/jobs/job.h queues/jobs/job.c \
-queues/jobs/retransmit_job.h queues/jobs/initiate_job.h \
-queues/jobs/process_message_job.h queues/jobs/process_message_job.c \
-queues/jobs/delete_ike_sa_job.c queues/jobs/delete_ike_sa_job.h \
-queues/jobs/retransmit_job.c queues/jobs/initiate_job.c \
-queues/jobs/send_keepalive_job.c queues/jobs/send_keepalive_job.h \
-queues/jobs/rekey_child_sa_job.c queues/jobs/rekey_child_sa_job.h queues/jobs/delete_child_sa_job.c queues/jobs/delete_child_sa_job.h \
-queues/jobs/send_dpd_job.c queues/jobs/send_dpd_job.h queues/jobs/route_job.c queues/jobs/route_job.h \
-queues/jobs/acquire_job.c queues/jobs/acquire_job.h queues/jobs/rekey_ike_sa_job.c queues/jobs/rekey_ike_sa_job.h \
-queues/job_queue.c queues/event_queue.c queues/job_queue.h queues/event_queue.h \
-threads/kernel_interface.c threads/thread_pool.c threads/scheduler.c threads/sender.c \
-threads/sender.h threads/kernel_interface.h threads/scheduler.h threads/receiver.c threads/stroke_interface.c \
-threads/thread_pool.h threads/receiver.h threads/stroke_interface.h
-
-INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\"
+sa/tasks/ike_init.c sa/tasks/ike_init.h \
+sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
+sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/task.c sa/tasks/task.h
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke \
+ $(am__append_4) $(am__append_6)
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
+ -DIPSEC_EAPDIR=\"${eapdir}\" -DIPSEC_BACKENDDIR=\"${backenddir}\" -DIPSEC_INTERFACEDIR=\"${interfacedir}\"
+
charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
- -lgmp -lpthread -lm -ldl $(am__append_2)
+ -lgmp -lpthread -lm -ldl $(am__append_1)
+
+# build EAP plugins, EAP-Identity is always built
+#################################################
+eap_LTLIBRARIES = libeapidentity.la $(am__append_2)
+libeapidentity_la_SOURCES = sa/authenticators/eap/eap_identity.h sa/authenticators/eap/eap_identity.c
+libeapidentity_la_LDFLAGS = -module
+@BUILD_EAP_SIM_TRUE@libeapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c
+@BUILD_EAP_SIM_TRUE@libeapsim_la_LDFLAGS = -module
+
+# build backends, local backend is always built
+###############################################
+backend_LTLIBRARIES = liblocal.la
+liblocal_la_SOURCES = config/backends/local_backend.h config/backends/local_backend.c
+liblocal_la_LDFLAGS = -module
+
+# build control interfaces, stroke interface is always built
+############################################################
+interface_LTLIBRARIES = libstroke.la $(am__append_3) $(am__append_5)
+libstroke_la_SOURCES = control/interfaces/stroke_interface.h control/interfaces/stroke_interface.c
+libstroke_la_LDFLAGS = -module
+@USE_LIBDBUS_TRUE@libdbus_la_SOURCES = control/interfaces/dbus_interface.h control/interfaces/dbus_interface.c
+@USE_LIBDBUS_TRUE@libdbus_la_LDFLAGS = -module
+@USE_LIBDBUS_TRUE@libdbus_la_LIBADD = ${dbus_LIBS}
+@USE_LIBXML_TRUE@libxml_la_SOURCES = control/interfaces/xml_interface.h control/interfaces/xml_interface.c
+@USE_LIBXML_TRUE@libxml_la_LDFLAGS = -module
+@USE_LIBXML_TRUE@libxml_la_LIBADD = ${xml_LIBS}
all: all-am
.SUFFIXES:
@@ -368,6 +448,33 @@ $(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-backendLTLIBRARIES: $(backend_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(backenddir)" || $(mkdir_p) "$(DESTDIR)$(backenddir)"
+ @list='$(backend_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) --mode=install $(backendLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(backenddir)/$$f'"; \
+ $(LIBTOOL) --mode=install $(backendLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(backenddir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-backendLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @set -x; list='$(backend_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(backenddir)/$$p'"; \
+ $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(backenddir)/$$p"; \
+ done
+
+clean-backendLTLIBRARIES:
+ -test -z "$(backend_LTLIBRARIES)" || rm -f $(backend_LTLIBRARIES)
+ @list='$(backend_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
install-eapLTLIBRARIES: $(eap_LTLIBRARIES)
@$(NORMAL_INSTALL)
test -z "$(eapdir)" || $(mkdir_p) "$(DESTDIR)$(eapdir)"
@@ -395,10 +502,45 @@ clean-eapLTLIBRARIES:
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
+install-interfaceLTLIBRARIES: $(interface_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(interfacedir)" || $(mkdir_p) "$(DESTDIR)$(interfacedir)"
+ @list='$(interface_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) --mode=install $(interfaceLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(interfacedir)/$$f'"; \
+ $(LIBTOOL) --mode=install $(interfaceLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(interfacedir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-interfaceLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @set -x; list='$(interface_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(interfacedir)/$$p'"; \
+ $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(interfacedir)/$$p"; \
+ done
+
+clean-interfaceLTLIBRARIES:
+ -test -z "$(interface_LTLIBRARIES)" || rm -f $(interface_LTLIBRARIES)
+ @list='$(interface_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libdbus.la: $(libdbus_la_OBJECTS) $(libdbus_la_DEPENDENCIES)
+ $(LINK) $(am_libdbus_la_rpath) $(libdbus_la_LDFLAGS) $(libdbus_la_OBJECTS) $(libdbus_la_LIBADD) $(LIBS)
libeapidentity.la: $(libeapidentity_la_OBJECTS) $(libeapidentity_la_DEPENDENCIES)
$(LINK) -rpath $(eapdir) $(libeapidentity_la_LDFLAGS) $(libeapidentity_la_OBJECTS) $(libeapidentity_la_LIBADD) $(LIBS)
libeapsim.la: $(libeapsim_la_OBJECTS) $(libeapsim_la_DEPENDENCIES)
$(LINK) $(am_libeapsim_la_rpath) $(libeapsim_la_LDFLAGS) $(libeapsim_la_OBJECTS) $(libeapsim_la_LIBADD) $(LIBS)
+liblocal.la: $(liblocal_la_OBJECTS) $(liblocal_la_DEPENDENCIES)
+ $(LINK) -rpath $(backenddir) $(liblocal_la_LDFLAGS) $(liblocal_la_OBJECTS) $(liblocal_la_LIBADD) $(LIBS)
+libstroke.la: $(libstroke_la_OBJECTS) $(libstroke_la_DEPENDENCIES)
+ $(LINK) -rpath $(interfacedir) $(libstroke_la_LDFLAGS) $(libstroke_la_OBJECTS) $(libstroke_la_LIBADD) $(LIBS)
+libxml.la: $(libxml_la_OBJECTS) $(libxml_la_DEPENDENCIES)
+ $(LINK) $(am_libxml_la_rpath) $(libxml_la_LDFLAGS) $(libxml_la_OBJECTS) $(libxml_la_LIBADD) $(LIBS)
install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
@$(NORMAL_INSTALL)
test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
@@ -440,18 +582,19 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_create.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_delete.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_rekey.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_sa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configuration.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configuration_attribute.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connection.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cp_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dbus_interface.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_child_sa_job.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_ike_sa_job.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_payload.Po@am__quote@
@@ -468,6 +611,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cert.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cfg.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_config.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_delete.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_dpd.Po@am__quote@
@@ -478,21 +622,20 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/interface_manager.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/job.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/job_queue.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_connection_store.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_backend.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_credential_store.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_policy_store.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/notify_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/policy.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer_cfg.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_message_job.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_substructure.Po@am__quote@
@@ -501,7 +644,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_child_sa_job.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_ike_sa_job.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retransmit_job.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/route_job.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsa_authenticator.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Po@am__quote@
@@ -509,7 +651,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_keepalive_job.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_interface.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_interface.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Po@am__quote@
@@ -521,6 +663,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ts_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unknown_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor_id_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xml_interface.Plo@am__quote@
.c.o:
@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
@@ -543,6 +686,13 @@ distclean-compile:
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+dbus_interface.lo: control/interfaces/dbus_interface.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT dbus_interface.lo -MD -MP -MF "$(DEPDIR)/dbus_interface.Tpo" -c -o dbus_interface.lo `test -f 'control/interfaces/dbus_interface.c' || echo '$(srcdir)/'`control/interfaces/dbus_interface.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/dbus_interface.Tpo" "$(DEPDIR)/dbus_interface.Plo"; else rm -f "$(DEPDIR)/dbus_interface.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='control/interfaces/dbus_interface.c' object='dbus_interface.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o dbus_interface.lo `test -f 'control/interfaces/dbus_interface.c' || echo '$(srcdir)/'`control/interfaces/dbus_interface.c
+
eap_identity.lo: sa/authenticators/eap/eap_identity.c
@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_identity.lo -MD -MP -MF "$(DEPDIR)/eap_identity.Tpo" -c -o eap_identity.lo `test -f 'sa/authenticators/eap/eap_identity.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_identity.c; \
@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_identity.Tpo" "$(DEPDIR)/eap_identity.Plo"; else rm -f "$(DEPDIR)/eap_identity.Tpo"; exit 1; fi
@@ -557,6 +707,27 @@ eap_sim.lo: sa/authenticators/eap/eap_sim.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_sim.lo `test -f 'sa/authenticators/eap/eap_sim.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_sim.c
+local_backend.lo: config/backends/local_backend.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_backend.lo -MD -MP -MF "$(DEPDIR)/local_backend.Tpo" -c -o local_backend.lo `test -f 'config/backends/local_backend.c' || echo '$(srcdir)/'`config/backends/local_backend.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_backend.Tpo" "$(DEPDIR)/local_backend.Plo"; else rm -f "$(DEPDIR)/local_backend.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/backends/local_backend.c' object='local_backend.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_backend.lo `test -f 'config/backends/local_backend.c' || echo '$(srcdir)/'`config/backends/local_backend.c
+
+stroke_interface.lo: control/interfaces/stroke_interface.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stroke_interface.lo -MD -MP -MF "$(DEPDIR)/stroke_interface.Tpo" -c -o stroke_interface.lo `test -f 'control/interfaces/stroke_interface.c' || echo '$(srcdir)/'`control/interfaces/stroke_interface.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/stroke_interface.Tpo" "$(DEPDIR)/stroke_interface.Plo"; else rm -f "$(DEPDIR)/stroke_interface.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='control/interfaces/stroke_interface.c' object='stroke_interface.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stroke_interface.lo `test -f 'control/interfaces/stroke_interface.c' || echo '$(srcdir)/'`control/interfaces/stroke_interface.c
+
+xml_interface.lo: control/interfaces/xml_interface.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xml_interface.lo -MD -MP -MF "$(DEPDIR)/xml_interface.Tpo" -c -o xml_interface.lo `test -f 'control/interfaces/xml_interface.c' || echo '$(srcdir)/'`control/interfaces/xml_interface.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/xml_interface.Tpo" "$(DEPDIR)/xml_interface.Plo"; else rm -f "$(DEPDIR)/xml_interface.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='control/interfaces/xml_interface.c' object='xml_interface.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xml_interface.lo `test -f 'control/interfaces/xml_interface.c' || echo '$(srcdir)/'`control/interfaces/xml_interface.c
+
bus.o: bus/bus.c
@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.o -MD -MP -MF "$(DEPDIR)/bus.Tpo" -c -o bus.o `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c; \
@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/bus.Tpo" "$(DEPDIR)/bus.Po"; else rm -f "$(DEPDIR)/bus.Tpo"; exit 1; fi
@@ -571,20 +742,6 @@ bus.obj: bus/bus.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.obj `if test -f 'bus/bus.c'; then $(CYGPATH_W) 'bus/bus.c'; else $(CYGPATH_W) '$(srcdir)/bus/bus.c'; fi`
-sys_logger.o: bus/listeners/sys_logger.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.o -MD -MP -MF "$(DEPDIR)/sys_logger.Tpo" -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sys_logger.Tpo" "$(DEPDIR)/sys_logger.Po"; else rm -f "$(DEPDIR)/sys_logger.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/sys_logger.c' object='sys_logger.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
-
-sys_logger.obj: bus/listeners/sys_logger.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.obj -MD -MP -MF "$(DEPDIR)/sys_logger.Tpo" -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sys_logger.Tpo" "$(DEPDIR)/sys_logger.Po"; else rm -f "$(DEPDIR)/sys_logger.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/sys_logger.c' object='sys_logger.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`
-
file_logger.o: bus/listeners/file_logger.c
@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.o -MD -MP -MF "$(DEPDIR)/file_logger.Tpo" -c -o file_logger.o `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c; \
@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/file_logger.Tpo" "$(DEPDIR)/file_logger.Po"; else rm -f "$(DEPDIR)/file_logger.Tpo"; exit 1; fi
@@ -599,61 +756,47 @@ file_logger.obj: bus/listeners/file_logger.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.obj `if test -f 'bus/listeners/file_logger.c'; then $(CYGPATH_W) 'bus/listeners/file_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/file_logger.c'; fi`
-connection.o: config/connections/connection.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connection.o -MD -MP -MF "$(DEPDIR)/connection.Tpo" -c -o connection.o `test -f 'config/connections/connection.c' || echo '$(srcdir)/'`config/connections/connection.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/connection.Tpo" "$(DEPDIR)/connection.Po"; else rm -f "$(DEPDIR)/connection.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/connection.c' object='connection.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connection.o `test -f 'config/connections/connection.c' || echo '$(srcdir)/'`config/connections/connection.c
-
-connection.obj: config/connections/connection.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connection.obj -MD -MP -MF "$(DEPDIR)/connection.Tpo" -c -o connection.obj `if test -f 'config/connections/connection.c'; then $(CYGPATH_W) 'config/connections/connection.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/connection.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/connection.Tpo" "$(DEPDIR)/connection.Po"; else rm -f "$(DEPDIR)/connection.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/connection.c' object='connection.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connection.obj `if test -f 'config/connections/connection.c'; then $(CYGPATH_W) 'config/connections/connection.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/connection.c'; fi`
-
-local_connection_store.o: config/connections/local_connection_store.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_connection_store.o -MD -MP -MF "$(DEPDIR)/local_connection_store.Tpo" -c -o local_connection_store.o `test -f 'config/connections/local_connection_store.c' || echo '$(srcdir)/'`config/connections/local_connection_store.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_connection_store.Tpo" "$(DEPDIR)/local_connection_store.Po"; else rm -f "$(DEPDIR)/local_connection_store.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/local_connection_store.c' object='local_connection_store.o' libtool=no @AMDEPBACKSLASH@
+sys_logger.o: bus/listeners/sys_logger.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.o -MD -MP -MF "$(DEPDIR)/sys_logger.Tpo" -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sys_logger.Tpo" "$(DEPDIR)/sys_logger.Po"; else rm -f "$(DEPDIR)/sys_logger.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/sys_logger.c' object='sys_logger.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_connection_store.o `test -f 'config/connections/local_connection_store.c' || echo '$(srcdir)/'`config/connections/local_connection_store.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
-local_connection_store.obj: config/connections/local_connection_store.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_connection_store.obj -MD -MP -MF "$(DEPDIR)/local_connection_store.Tpo" -c -o local_connection_store.obj `if test -f 'config/connections/local_connection_store.c'; then $(CYGPATH_W) 'config/connections/local_connection_store.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/local_connection_store.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_connection_store.Tpo" "$(DEPDIR)/local_connection_store.Po"; else rm -f "$(DEPDIR)/local_connection_store.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/local_connection_store.c' object='local_connection_store.obj' libtool=no @AMDEPBACKSLASH@
+sys_logger.obj: bus/listeners/sys_logger.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.obj -MD -MP -MF "$(DEPDIR)/sys_logger.Tpo" -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sys_logger.Tpo" "$(DEPDIR)/sys_logger.Po"; else rm -f "$(DEPDIR)/sys_logger.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/sys_logger.c' object='sys_logger.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_connection_store.obj `if test -f 'config/connections/local_connection_store.c'; then $(CYGPATH_W) 'config/connections/local_connection_store.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/local_connection_store.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`
-policy.o: config/policies/policy.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT policy.o -MD -MP -MF "$(DEPDIR)/policy.Tpo" -c -o policy.o `test -f 'config/policies/policy.c' || echo '$(srcdir)/'`config/policies/policy.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/policy.Tpo" "$(DEPDIR)/policy.Po"; else rm -f "$(DEPDIR)/policy.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/policy.c' object='policy.o' libtool=no @AMDEPBACKSLASH@
+backend_manager.o: config/backend_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.o -MD -MP -MF "$(DEPDIR)/backend_manager.Tpo" -c -o backend_manager.o `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/backend_manager.Tpo" "$(DEPDIR)/backend_manager.Po"; else rm -f "$(DEPDIR)/backend_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/backend_manager.c' object='backend_manager.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o policy.o `test -f 'config/policies/policy.c' || echo '$(srcdir)/'`config/policies/policy.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.o `test -f 'config/backend_manager.c' || echo '$(srcdir)/'`config/backend_manager.c
-policy.obj: config/policies/policy.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT policy.obj -MD -MP -MF "$(DEPDIR)/policy.Tpo" -c -o policy.obj `if test -f 'config/policies/policy.c'; then $(CYGPATH_W) 'config/policies/policy.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/policy.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/policy.Tpo" "$(DEPDIR)/policy.Po"; else rm -f "$(DEPDIR)/policy.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/policy.c' object='policy.obj' libtool=no @AMDEPBACKSLASH@
+backend_manager.obj: config/backend_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT backend_manager.obj -MD -MP -MF "$(DEPDIR)/backend_manager.Tpo" -c -o backend_manager.obj `if test -f 'config/backend_manager.c'; then $(CYGPATH_W) 'config/backend_manager.c'; else $(CYGPATH_W) '$(srcdir)/config/backend_manager.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/backend_manager.Tpo" "$(DEPDIR)/backend_manager.Po"; else rm -f "$(DEPDIR)/backend_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/backend_manager.c' object='backend_manager.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o policy.obj `if test -f 'config/policies/policy.c'; then $(CYGPATH_W) 'config/policies/policy.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/policy.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o backend_manager.obj `if test -f 'config/backend_manager.c'; then $(CYGPATH_W) 'config/backend_manager.c'; else $(CYGPATH_W) '$(srcdir)/config/backend_manager.c'; fi`
-local_policy_store.o: config/policies/local_policy_store.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_policy_store.o -MD -MP -MF "$(DEPDIR)/local_policy_store.Tpo" -c -o local_policy_store.o `test -f 'config/policies/local_policy_store.c' || echo '$(srcdir)/'`config/policies/local_policy_store.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_policy_store.Tpo" "$(DEPDIR)/local_policy_store.Po"; else rm -f "$(DEPDIR)/local_policy_store.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/local_policy_store.c' object='local_policy_store.o' libtool=no @AMDEPBACKSLASH@
+child_cfg.o: config/child_cfg.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.o -MD -MP -MF "$(DEPDIR)/child_cfg.Tpo" -c -o child_cfg.o `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_cfg.Tpo" "$(DEPDIR)/child_cfg.Po"; else rm -f "$(DEPDIR)/child_cfg.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/child_cfg.c' object='child_cfg.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_policy_store.o `test -f 'config/policies/local_policy_store.c' || echo '$(srcdir)/'`config/policies/local_policy_store.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.o `test -f 'config/child_cfg.c' || echo '$(srcdir)/'`config/child_cfg.c
-local_policy_store.obj: config/policies/local_policy_store.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_policy_store.obj -MD -MP -MF "$(DEPDIR)/local_policy_store.Tpo" -c -o local_policy_store.obj `if test -f 'config/policies/local_policy_store.c'; then $(CYGPATH_W) 'config/policies/local_policy_store.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/local_policy_store.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_policy_store.Tpo" "$(DEPDIR)/local_policy_store.Po"; else rm -f "$(DEPDIR)/local_policy_store.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/local_policy_store.c' object='local_policy_store.obj' libtool=no @AMDEPBACKSLASH@
+child_cfg.obj: config/child_cfg.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_cfg.obj -MD -MP -MF "$(DEPDIR)/child_cfg.Tpo" -c -o child_cfg.obj `if test -f 'config/child_cfg.c'; then $(CYGPATH_W) 'config/child_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/child_cfg.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_cfg.Tpo" "$(DEPDIR)/child_cfg.Po"; else rm -f "$(DEPDIR)/child_cfg.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/child_cfg.c' object='child_cfg.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_policy_store.obj `if test -f 'config/policies/local_policy_store.c'; then $(CYGPATH_W) 'config/policies/local_policy_store.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/local_policy_store.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_cfg.obj `if test -f 'config/child_cfg.c'; then $(CYGPATH_W) 'config/child_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/child_cfg.c'; fi`
local_credential_store.o: config/credentials/local_credential_store.c
@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_credential_store.o -MD -MP -MF "$(DEPDIR)/local_credential_store.Tpo" -c -o local_credential_store.o `test -f 'config/credentials/local_credential_store.c' || echo '$(srcdir)/'`config/credentials/local_credential_store.c; \
@@ -669,19 +812,33 @@ local_credential_store.obj: config/credentials/local_credential_store.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_credential_store.obj `if test -f 'config/credentials/local_credential_store.c'; then $(CYGPATH_W) 'config/credentials/local_credential_store.c'; else $(CYGPATH_W) '$(srcdir)/config/credentials/local_credential_store.c'; fi`
-traffic_selector.o: config/traffic_selector.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.o -MD -MP -MF "$(DEPDIR)/traffic_selector.Tpo" -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector.Tpo" "$(DEPDIR)/traffic_selector.Po"; else rm -f "$(DEPDIR)/traffic_selector.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/traffic_selector.c' object='traffic_selector.o' libtool=no @AMDEPBACKSLASH@
+ike_cfg.o: config/ike_cfg.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.o -MD -MP -MF "$(DEPDIR)/ike_cfg.Tpo" -c -o ike_cfg.o `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cfg.Tpo" "$(DEPDIR)/ike_cfg.Po"; else rm -f "$(DEPDIR)/ike_cfg.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/ike_cfg.c' object='ike_cfg.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.o `test -f 'config/ike_cfg.c' || echo '$(srcdir)/'`config/ike_cfg.c
-traffic_selector.obj: config/traffic_selector.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.obj -MD -MP -MF "$(DEPDIR)/traffic_selector.Tpo" -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector.Tpo" "$(DEPDIR)/traffic_selector.Po"; else rm -f "$(DEPDIR)/traffic_selector.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/traffic_selector.c' object='traffic_selector.obj' libtool=no @AMDEPBACKSLASH@
+ike_cfg.obj: config/ike_cfg.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cfg.obj -MD -MP -MF "$(DEPDIR)/ike_cfg.Tpo" -c -o ike_cfg.obj `if test -f 'config/ike_cfg.c'; then $(CYGPATH_W) 'config/ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/ike_cfg.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cfg.Tpo" "$(DEPDIR)/ike_cfg.Po"; else rm -f "$(DEPDIR)/ike_cfg.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/ike_cfg.c' object='ike_cfg.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cfg.obj `if test -f 'config/ike_cfg.c'; then $(CYGPATH_W) 'config/ike_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/ike_cfg.c'; fi`
+
+peer_cfg.o: config/peer_cfg.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.o -MD -MP -MF "$(DEPDIR)/peer_cfg.Tpo" -c -o peer_cfg.o `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/peer_cfg.Tpo" "$(DEPDIR)/peer_cfg.Po"; else rm -f "$(DEPDIR)/peer_cfg.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/peer_cfg.c' object='peer_cfg.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.o `test -f 'config/peer_cfg.c' || echo '$(srcdir)/'`config/peer_cfg.c
+
+peer_cfg.obj: config/peer_cfg.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT peer_cfg.obj -MD -MP -MF "$(DEPDIR)/peer_cfg.Tpo" -c -o peer_cfg.obj `if test -f 'config/peer_cfg.c'; then $(CYGPATH_W) 'config/peer_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/peer_cfg.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/peer_cfg.Tpo" "$(DEPDIR)/peer_cfg.Po"; else rm -f "$(DEPDIR)/peer_cfg.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/peer_cfg.c' object='peer_cfg.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o peer_cfg.obj `if test -f 'config/peer_cfg.c'; then $(CYGPATH_W) 'config/peer_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/peer_cfg.c'; fi`
proposal.o: config/proposal.c
@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.o -MD -MP -MF "$(DEPDIR)/proposal.Tpo" -c -o proposal.o `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c; \
@@ -697,355 +854,313 @@ proposal.obj: config/proposal.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.obj `if test -f 'config/proposal.c'; then $(CYGPATH_W) 'config/proposal.c'; else $(CYGPATH_W) '$(srcdir)/config/proposal.c'; fi`
-configuration.o: config/configuration.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration.o -MD -MP -MF "$(DEPDIR)/configuration.Tpo" -c -o configuration.o `test -f 'config/configuration.c' || echo '$(srcdir)/'`config/configuration.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration.Tpo" "$(DEPDIR)/configuration.Po"; else rm -f "$(DEPDIR)/configuration.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/configuration.c' object='configuration.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration.o `test -f 'config/configuration.c' || echo '$(srcdir)/'`config/configuration.c
-
-configuration.obj: config/configuration.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration.obj -MD -MP -MF "$(DEPDIR)/configuration.Tpo" -c -o configuration.obj `if test -f 'config/configuration.c'; then $(CYGPATH_W) 'config/configuration.c'; else $(CYGPATH_W) '$(srcdir)/config/configuration.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration.Tpo" "$(DEPDIR)/configuration.Po"; else rm -f "$(DEPDIR)/configuration.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/configuration.c' object='configuration.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration.obj `if test -f 'config/configuration.c'; then $(CYGPATH_W) 'config/configuration.c'; else $(CYGPATH_W) '$(srcdir)/config/configuration.c'; fi`
-
-eap_authenticator.o: sa/authenticators/eap_authenticator.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.o -MD -MP -MF "$(DEPDIR)/eap_authenticator.Tpo" -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_authenticator.Tpo" "$(DEPDIR)/eap_authenticator.Po"; else rm -f "$(DEPDIR)/eap_authenticator.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
-
-eap_authenticator.obj: sa/authenticators/eap_authenticator.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.obj -MD -MP -MF "$(DEPDIR)/eap_authenticator.Tpo" -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_authenticator.Tpo" "$(DEPDIR)/eap_authenticator.Po"; else rm -f "$(DEPDIR)/eap_authenticator.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`
-
-eap_method.o: sa/authenticators/eap/eap_method.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.o -MD -MP -MF "$(DEPDIR)/eap_method.Tpo" -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_method.Tpo" "$(DEPDIR)/eap_method.Po"; else rm -f "$(DEPDIR)/eap_method.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_method.c' object='eap_method.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
-
-eap_method.obj: sa/authenticators/eap/eap_method.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.obj -MD -MP -MF "$(DEPDIR)/eap_method.Tpo" -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_method.Tpo" "$(DEPDIR)/eap_method.Po"; else rm -f "$(DEPDIR)/eap_method.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_method.c' object='eap_method.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`
-
-child_sa.o: sa/child_sa.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.o -MD -MP -MF "$(DEPDIR)/child_sa.Tpo" -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_sa.Tpo" "$(DEPDIR)/child_sa.Po"; else rm -f "$(DEPDIR)/child_sa.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/child_sa.c' object='child_sa.o' libtool=no @AMDEPBACKSLASH@
+traffic_selector.o: config/traffic_selector.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.o -MD -MP -MF "$(DEPDIR)/traffic_selector.Tpo" -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector.Tpo" "$(DEPDIR)/traffic_selector.Po"; else rm -f "$(DEPDIR)/traffic_selector.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/traffic_selector.c' object='traffic_selector.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c
-child_sa.obj: sa/child_sa.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.obj -MD -MP -MF "$(DEPDIR)/child_sa.Tpo" -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_sa.Tpo" "$(DEPDIR)/child_sa.Po"; else rm -f "$(DEPDIR)/child_sa.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/child_sa.c' object='child_sa.obj' libtool=no @AMDEPBACKSLASH@
+traffic_selector.obj: config/traffic_selector.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.obj -MD -MP -MF "$(DEPDIR)/traffic_selector.Tpo" -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector.Tpo" "$(DEPDIR)/traffic_selector.Po"; else rm -f "$(DEPDIR)/traffic_selector.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/traffic_selector.c' object='traffic_selector.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi`
-ike_sa.o: sa/ike_sa.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.o -MD -MP -MF "$(DEPDIR)/ike_sa.Tpo" -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa.Tpo" "$(DEPDIR)/ike_sa.Po"; else rm -f "$(DEPDIR)/ike_sa.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa.c' object='ike_sa.o' libtool=no @AMDEPBACKSLASH@
+interface_manager.o: control/interface_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT interface_manager.o -MD -MP -MF "$(DEPDIR)/interface_manager.Tpo" -c -o interface_manager.o `test -f 'control/interface_manager.c' || echo '$(srcdir)/'`control/interface_manager.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/interface_manager.Tpo" "$(DEPDIR)/interface_manager.Po"; else rm -f "$(DEPDIR)/interface_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='control/interface_manager.c' object='interface_manager.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o interface_manager.o `test -f 'control/interface_manager.c' || echo '$(srcdir)/'`control/interface_manager.c
-ike_sa.obj: sa/ike_sa.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.obj -MD -MP -MF "$(DEPDIR)/ike_sa.Tpo" -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa.Tpo" "$(DEPDIR)/ike_sa.Po"; else rm -f "$(DEPDIR)/ike_sa.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa.c' object='ike_sa.obj' libtool=no @AMDEPBACKSLASH@
+interface_manager.obj: control/interface_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT interface_manager.obj -MD -MP -MF "$(DEPDIR)/interface_manager.Tpo" -c -o interface_manager.obj `if test -f 'control/interface_manager.c'; then $(CYGPATH_W) 'control/interface_manager.c'; else $(CYGPATH_W) '$(srcdir)/control/interface_manager.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/interface_manager.Tpo" "$(DEPDIR)/interface_manager.Po"; else rm -f "$(DEPDIR)/interface_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='control/interface_manager.c' object='interface_manager.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o interface_manager.obj `if test -f 'control/interface_manager.c'; then $(CYGPATH_W) 'control/interface_manager.c'; else $(CYGPATH_W) '$(srcdir)/control/interface_manager.c'; fi`
-ike_sa_manager.o: sa/ike_sa_manager.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.o -MD -MP -MF "$(DEPDIR)/ike_sa_manager.Tpo" -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_manager.Tpo" "$(DEPDIR)/ike_sa_manager.Po"; else rm -f "$(DEPDIR)/ike_sa_manager.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_manager.c' object='ike_sa_manager.o' libtool=no @AMDEPBACKSLASH@
+generator.o: encoding/generator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.o -MD -MP -MF "$(DEPDIR)/generator.Tpo" -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/generator.Tpo" "$(DEPDIR)/generator.Po"; else rm -f "$(DEPDIR)/generator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/generator.c' object='generator.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
-ike_sa_manager.obj: sa/ike_sa_manager.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.obj -MD -MP -MF "$(DEPDIR)/ike_sa_manager.Tpo" -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_manager.Tpo" "$(DEPDIR)/ike_sa_manager.Po"; else rm -f "$(DEPDIR)/ike_sa_manager.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_manager.c' object='ike_sa_manager.obj' libtool=no @AMDEPBACKSLASH@
+generator.obj: encoding/generator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.obj -MD -MP -MF "$(DEPDIR)/generator.Tpo" -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/generator.Tpo" "$(DEPDIR)/generator.Po"; else rm -f "$(DEPDIR)/generator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/generator.c' object='generator.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`
-ike_sa_id.o: sa/ike_sa_id.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.o -MD -MP -MF "$(DEPDIR)/ike_sa_id.Tpo" -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_id.Tpo" "$(DEPDIR)/ike_sa_id.Po"; else rm -f "$(DEPDIR)/ike_sa_id.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_id.c' object='ike_sa_id.o' libtool=no @AMDEPBACKSLASH@
+message.o: encoding/message.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.o -MD -MP -MF "$(DEPDIR)/message.Tpo" -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/message.Tpo" "$(DEPDIR)/message.Po"; else rm -f "$(DEPDIR)/message.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/message.c' object='message.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
-ike_sa_id.obj: sa/ike_sa_id.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.obj -MD -MP -MF "$(DEPDIR)/ike_sa_id.Tpo" -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_id.Tpo" "$(DEPDIR)/ike_sa_id.Po"; else rm -f "$(DEPDIR)/ike_sa_id.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_id.c' object='ike_sa_id.obj' libtool=no @AMDEPBACKSLASH@
+message.obj: encoding/message.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.obj -MD -MP -MF "$(DEPDIR)/message.Tpo" -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/message.Tpo" "$(DEPDIR)/message.Po"; else rm -f "$(DEPDIR)/message.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/message.c' object='message.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`
-task.o: sa/tasks/task.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.o -MD -MP -MF "$(DEPDIR)/task.Tpo" -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/task.c' object='task.o' libtool=no @AMDEPBACKSLASH@
+parser.o: encoding/parser.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.o -MD -MP -MF "$(DEPDIR)/parser.Tpo" -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/parser.Tpo" "$(DEPDIR)/parser.Po"; else rm -f "$(DEPDIR)/parser.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/parser.c' object='parser.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
-task.obj: sa/tasks/task.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.obj -MD -MP -MF "$(DEPDIR)/task.Tpo" -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/task.c' object='task.obj' libtool=no @AMDEPBACKSLASH@
+parser.obj: encoding/parser.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.obj -MD -MP -MF "$(DEPDIR)/parser.Tpo" -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/parser.Tpo" "$(DEPDIR)/parser.Po"; else rm -f "$(DEPDIR)/parser.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/parser.c' object='parser.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`
-ike_init.o: sa/tasks/ike_init.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.o -MD -MP -MF "$(DEPDIR)/ike_init.Tpo" -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_init.Tpo" "$(DEPDIR)/ike_init.Po"; else rm -f "$(DEPDIR)/ike_init.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_init.c' object='ike_init.o' libtool=no @AMDEPBACKSLASH@
+auth_payload.o: encoding/payloads/auth_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.o -MD -MP -MF "$(DEPDIR)/auth_payload.Tpo" -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/auth_payload.Tpo" "$(DEPDIR)/auth_payload.Po"; else rm -f "$(DEPDIR)/auth_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/auth_payload.c' object='auth_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
-ike_init.obj: sa/tasks/ike_init.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.obj -MD -MP -MF "$(DEPDIR)/ike_init.Tpo" -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_init.Tpo" "$(DEPDIR)/ike_init.Po"; else rm -f "$(DEPDIR)/ike_init.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_init.c' object='ike_init.obj' libtool=no @AMDEPBACKSLASH@
+auth_payload.obj: encoding/payloads/auth_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.obj -MD -MP -MF "$(DEPDIR)/auth_payload.Tpo" -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/auth_payload.Tpo" "$(DEPDIR)/auth_payload.Po"; else rm -f "$(DEPDIR)/auth_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/auth_payload.c' object='auth_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`
-ike_natd.o: sa/tasks/ike_natd.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.o -MD -MP -MF "$(DEPDIR)/ike_natd.Tpo" -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_natd.Tpo" "$(DEPDIR)/ike_natd.Po"; else rm -f "$(DEPDIR)/ike_natd.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_natd.c' object='ike_natd.o' libtool=no @AMDEPBACKSLASH@
+cert_payload.o: encoding/payloads/cert_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.o -MD -MP -MF "$(DEPDIR)/cert_payload.Tpo" -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cert_payload.Tpo" "$(DEPDIR)/cert_payload.Po"; else rm -f "$(DEPDIR)/cert_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cert_payload.c' object='cert_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
-ike_natd.obj: sa/tasks/ike_natd.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.obj -MD -MP -MF "$(DEPDIR)/ike_natd.Tpo" -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_natd.Tpo" "$(DEPDIR)/ike_natd.Po"; else rm -f "$(DEPDIR)/ike_natd.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_natd.c' object='ike_natd.obj' libtool=no @AMDEPBACKSLASH@
+cert_payload.obj: encoding/payloads/cert_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.obj -MD -MP -MF "$(DEPDIR)/cert_payload.Tpo" -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cert_payload.Tpo" "$(DEPDIR)/cert_payload.Po"; else rm -f "$(DEPDIR)/cert_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cert_payload.c' object='cert_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`
-ike_auth.o: sa/tasks/ike_auth.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.o -MD -MP -MF "$(DEPDIR)/ike_auth.Tpo" -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_auth.Tpo" "$(DEPDIR)/ike_auth.Po"; else rm -f "$(DEPDIR)/ike_auth.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_auth.c' object='ike_auth.o' libtool=no @AMDEPBACKSLASH@
+certreq_payload.o: encoding/payloads/certreq_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.o -MD -MP -MF "$(DEPDIR)/certreq_payload.Tpo" -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certreq_payload.Tpo" "$(DEPDIR)/certreq_payload.Po"; else rm -f "$(DEPDIR)/certreq_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/certreq_payload.c' object='certreq_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
-ike_auth.obj: sa/tasks/ike_auth.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.obj -MD -MP -MF "$(DEPDIR)/ike_auth.Tpo" -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_auth.Tpo" "$(DEPDIR)/ike_auth.Po"; else rm -f "$(DEPDIR)/ike_auth.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_auth.c' object='ike_auth.obj' libtool=no @AMDEPBACKSLASH@
+certreq_payload.obj: encoding/payloads/certreq_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.obj -MD -MP -MF "$(DEPDIR)/certreq_payload.Tpo" -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certreq_payload.Tpo" "$(DEPDIR)/certreq_payload.Po"; else rm -f "$(DEPDIR)/certreq_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/certreq_payload.c' object='certreq_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`
-ike_config.o: sa/tasks/ike_config.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.o -MD -MP -MF "$(DEPDIR)/ike_config.Tpo" -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_config.Tpo" "$(DEPDIR)/ike_config.Po"; else rm -f "$(DEPDIR)/ike_config.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_config.c' object='ike_config.o' libtool=no @AMDEPBACKSLASH@
+configuration_attribute.o: encoding/payloads/configuration_attribute.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.o -MD -MP -MF "$(DEPDIR)/configuration_attribute.Tpo" -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration_attribute.Tpo" "$(DEPDIR)/configuration_attribute.Po"; else rm -f "$(DEPDIR)/configuration_attribute.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
-ike_config.obj: sa/tasks/ike_config.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.obj -MD -MP -MF "$(DEPDIR)/ike_config.Tpo" -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_config.Tpo" "$(DEPDIR)/ike_config.Po"; else rm -f "$(DEPDIR)/ike_config.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_config.c' object='ike_config.obj' libtool=no @AMDEPBACKSLASH@
+configuration_attribute.obj: encoding/payloads/configuration_attribute.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.obj -MD -MP -MF "$(DEPDIR)/configuration_attribute.Tpo" -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration_attribute.Tpo" "$(DEPDIR)/configuration_attribute.Po"; else rm -f "$(DEPDIR)/configuration_attribute.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`
-ike_cert.o: sa/tasks/ike_cert.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert.o -MD -MP -MF "$(DEPDIR)/ike_cert.Tpo" -c -o ike_cert.o `test -f 'sa/tasks/ike_cert.c' || echo '$(srcdir)/'`sa/tasks/ike_cert.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cert.Tpo" "$(DEPDIR)/ike_cert.Po"; else rm -f "$(DEPDIR)/ike_cert.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_cert.c' object='ike_cert.o' libtool=no @AMDEPBACKSLASH@
+cp_payload.o: encoding/payloads/cp_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.o -MD -MP -MF "$(DEPDIR)/cp_payload.Tpo" -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cp_payload.Tpo" "$(DEPDIR)/cp_payload.Po"; else rm -f "$(DEPDIR)/cp_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cp_payload.c' object='cp_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert.o `test -f 'sa/tasks/ike_cert.c' || echo '$(srcdir)/'`sa/tasks/ike_cert.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
-ike_cert.obj: sa/tasks/ike_cert.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert.obj -MD -MP -MF "$(DEPDIR)/ike_cert.Tpo" -c -o ike_cert.obj `if test -f 'sa/tasks/ike_cert.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cert.Tpo" "$(DEPDIR)/ike_cert.Po"; else rm -f "$(DEPDIR)/ike_cert.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_cert.c' object='ike_cert.obj' libtool=no @AMDEPBACKSLASH@
+cp_payload.obj: encoding/payloads/cp_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.obj -MD -MP -MF "$(DEPDIR)/cp_payload.Tpo" -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cp_payload.Tpo" "$(DEPDIR)/cp_payload.Po"; else rm -f "$(DEPDIR)/cp_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cp_payload.c' object='cp_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert.obj `if test -f 'sa/tasks/ike_cert.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`
-ike_rekey.o: sa/tasks/ike_rekey.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.o -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_rekey.c' object='ike_rekey.o' libtool=no @AMDEPBACKSLASH@
+delete_payload.o: encoding/payloads/delete_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.o -MD -MP -MF "$(DEPDIR)/delete_payload.Tpo" -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_payload.Tpo" "$(DEPDIR)/delete_payload.Po"; else rm -f "$(DEPDIR)/delete_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/delete_payload.c' object='delete_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
-ike_rekey.obj: sa/tasks/ike_rekey.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.obj -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_rekey.c' object='ike_rekey.obj' libtool=no @AMDEPBACKSLASH@
+delete_payload.obj: encoding/payloads/delete_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.obj -MD -MP -MF "$(DEPDIR)/delete_payload.Tpo" -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_payload.Tpo" "$(DEPDIR)/delete_payload.Po"; else rm -f "$(DEPDIR)/delete_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/delete_payload.c' object='delete_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`
-ike_delete.o: sa/tasks/ike_delete.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.o -MD -MP -MF "$(DEPDIR)/ike_delete.Tpo" -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_delete.Tpo" "$(DEPDIR)/ike_delete.Po"; else rm -f "$(DEPDIR)/ike_delete.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_delete.c' object='ike_delete.o' libtool=no @AMDEPBACKSLASH@
+eap_payload.o: encoding/payloads/eap_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.o -MD -MP -MF "$(DEPDIR)/eap_payload.Tpo" -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_payload.Tpo" "$(DEPDIR)/eap_payload.Po"; else rm -f "$(DEPDIR)/eap_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/eap_payload.c' object='eap_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
-ike_delete.obj: sa/tasks/ike_delete.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.obj -MD -MP -MF "$(DEPDIR)/ike_delete.Tpo" -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_delete.Tpo" "$(DEPDIR)/ike_delete.Po"; else rm -f "$(DEPDIR)/ike_delete.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_delete.c' object='ike_delete.obj' libtool=no @AMDEPBACKSLASH@
+eap_payload.obj: encoding/payloads/eap_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.obj -MD -MP -MF "$(DEPDIR)/eap_payload.Tpo" -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_payload.Tpo" "$(DEPDIR)/eap_payload.Po"; else rm -f "$(DEPDIR)/eap_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/eap_payload.c' object='eap_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`
-ike_dpd.o: sa/tasks/ike_dpd.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.o -MD -MP -MF "$(DEPDIR)/ike_dpd.Tpo" -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_dpd.Tpo" "$(DEPDIR)/ike_dpd.Po"; else rm -f "$(DEPDIR)/ike_dpd.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_dpd.c' object='ike_dpd.o' libtool=no @AMDEPBACKSLASH@
+encodings.o: encoding/payloads/encodings.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.o -MD -MP -MF "$(DEPDIR)/encodings.Tpo" -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encodings.Tpo" "$(DEPDIR)/encodings.Po"; else rm -f "$(DEPDIR)/encodings.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encodings.c' object='encodings.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
-ike_dpd.obj: sa/tasks/ike_dpd.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.obj -MD -MP -MF "$(DEPDIR)/ike_dpd.Tpo" -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_dpd.Tpo" "$(DEPDIR)/ike_dpd.Po"; else rm -f "$(DEPDIR)/ike_dpd.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_dpd.c' object='ike_dpd.obj' libtool=no @AMDEPBACKSLASH@
+encodings.obj: encoding/payloads/encodings.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.obj -MD -MP -MF "$(DEPDIR)/encodings.Tpo" -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encodings.Tpo" "$(DEPDIR)/encodings.Po"; else rm -f "$(DEPDIR)/encodings.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encodings.c' object='encodings.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`
-child_create.o: sa/tasks/child_create.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.o -MD -MP -MF "$(DEPDIR)/child_create.Tpo" -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_create.Tpo" "$(DEPDIR)/child_create.Po"; else rm -f "$(DEPDIR)/child_create.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_create.c' object='child_create.o' libtool=no @AMDEPBACKSLASH@
+encryption_payload.o: encoding/payloads/encryption_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.o -MD -MP -MF "$(DEPDIR)/encryption_payload.Tpo" -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encryption_payload.Tpo" "$(DEPDIR)/encryption_payload.Po"; else rm -f "$(DEPDIR)/encryption_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encryption_payload.c' object='encryption_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
-child_create.obj: sa/tasks/child_create.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.obj -MD -MP -MF "$(DEPDIR)/child_create.Tpo" -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_create.Tpo" "$(DEPDIR)/child_create.Po"; else rm -f "$(DEPDIR)/child_create.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_create.c' object='child_create.obj' libtool=no @AMDEPBACKSLASH@
+encryption_payload.obj: encoding/payloads/encryption_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.obj -MD -MP -MF "$(DEPDIR)/encryption_payload.Tpo" -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encryption_payload.Tpo" "$(DEPDIR)/encryption_payload.Po"; else rm -f "$(DEPDIR)/encryption_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encryption_payload.c' object='encryption_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`
-child_delete.o: sa/tasks/child_delete.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.o -MD -MP -MF "$(DEPDIR)/child_delete.Tpo" -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_delete.Tpo" "$(DEPDIR)/child_delete.Po"; else rm -f "$(DEPDIR)/child_delete.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_delete.c' object='child_delete.o' libtool=no @AMDEPBACKSLASH@
+id_payload.o: encoding/payloads/id_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.o -MD -MP -MF "$(DEPDIR)/id_payload.Tpo" -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/id_payload.Tpo" "$(DEPDIR)/id_payload.Po"; else rm -f "$(DEPDIR)/id_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/id_payload.c' object='id_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
-child_delete.obj: sa/tasks/child_delete.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.obj -MD -MP -MF "$(DEPDIR)/child_delete.Tpo" -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_delete.Tpo" "$(DEPDIR)/child_delete.Po"; else rm -f "$(DEPDIR)/child_delete.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_delete.c' object='child_delete.obj' libtool=no @AMDEPBACKSLASH@
+id_payload.obj: encoding/payloads/id_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.obj -MD -MP -MF "$(DEPDIR)/id_payload.Tpo" -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/id_payload.Tpo" "$(DEPDIR)/id_payload.Po"; else rm -f "$(DEPDIR)/id_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/id_payload.c' object='id_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`
-child_rekey.o: sa/tasks/child_rekey.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.o -MD -MP -MF "$(DEPDIR)/child_rekey.Tpo" -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_rekey.Tpo" "$(DEPDIR)/child_rekey.Po"; else rm -f "$(DEPDIR)/child_rekey.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_rekey.c' object='child_rekey.o' libtool=no @AMDEPBACKSLASH@
+ike_header.o: encoding/payloads/ike_header.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.o -MD -MP -MF "$(DEPDIR)/ike_header.Tpo" -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_header.Tpo" "$(DEPDIR)/ike_header.Po"; else rm -f "$(DEPDIR)/ike_header.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ike_header.c' object='ike_header.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
-child_rekey.obj: sa/tasks/child_rekey.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.obj -MD -MP -MF "$(DEPDIR)/child_rekey.Tpo" -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_rekey.Tpo" "$(DEPDIR)/child_rekey.Po"; else rm -f "$(DEPDIR)/child_rekey.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_rekey.c' object='child_rekey.obj' libtool=no @AMDEPBACKSLASH@
+ike_header.obj: encoding/payloads/ike_header.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.obj -MD -MP -MF "$(DEPDIR)/ike_header.Tpo" -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_header.Tpo" "$(DEPDIR)/ike_header.Po"; else rm -f "$(DEPDIR)/ike_header.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ike_header.c' object='ike_header.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`
-authenticator.o: sa/authenticators/authenticator.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.o -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/authenticator.Tpo" "$(DEPDIR)/authenticator.Po"; else rm -f "$(DEPDIR)/authenticator.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/authenticator.c' object='authenticator.o' libtool=no @AMDEPBACKSLASH@
+ke_payload.o: encoding/payloads/ke_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.o -MD -MP -MF "$(DEPDIR)/ke_payload.Tpo" -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ke_payload.Tpo" "$(DEPDIR)/ke_payload.Po"; else rm -f "$(DEPDIR)/ke_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ke_payload.c' object='ke_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
-authenticator.obj: sa/authenticators/authenticator.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.obj -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/authenticator.Tpo" "$(DEPDIR)/authenticator.Po"; else rm -f "$(DEPDIR)/authenticator.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/authenticator.c' object='authenticator.obj' libtool=no @AMDEPBACKSLASH@
+ke_payload.obj: encoding/payloads/ke_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.obj -MD -MP -MF "$(DEPDIR)/ke_payload.Tpo" -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ke_payload.Tpo" "$(DEPDIR)/ke_payload.Po"; else rm -f "$(DEPDIR)/ke_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ke_payload.c' object='ke_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`
-rsa_authenticator.o: sa/authenticators/rsa_authenticator.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_authenticator.o -MD -MP -MF "$(DEPDIR)/rsa_authenticator.Tpo" -c -o rsa_authenticator.o `test -f 'sa/authenticators/rsa_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/rsa_authenticator.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_authenticator.Tpo" "$(DEPDIR)/rsa_authenticator.Po"; else rm -f "$(DEPDIR)/rsa_authenticator.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/rsa_authenticator.c' object='rsa_authenticator.o' libtool=no @AMDEPBACKSLASH@
+nonce_payload.o: encoding/payloads/nonce_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.o -MD -MP -MF "$(DEPDIR)/nonce_payload.Tpo" -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/nonce_payload.Tpo" "$(DEPDIR)/nonce_payload.Po"; else rm -f "$(DEPDIR)/nonce_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/nonce_payload.c' object='nonce_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_authenticator.o `test -f 'sa/authenticators/rsa_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/rsa_authenticator.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
-rsa_authenticator.obj: sa/authenticators/rsa_authenticator.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_authenticator.obj -MD -MP -MF "$(DEPDIR)/rsa_authenticator.Tpo" -c -o rsa_authenticator.obj `if test -f 'sa/authenticators/rsa_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/rsa_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/rsa_authenticator.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_authenticator.Tpo" "$(DEPDIR)/rsa_authenticator.Po"; else rm -f "$(DEPDIR)/rsa_authenticator.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/rsa_authenticator.c' object='rsa_authenticator.obj' libtool=no @AMDEPBACKSLASH@
+nonce_payload.obj: encoding/payloads/nonce_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.obj -MD -MP -MF "$(DEPDIR)/nonce_payload.Tpo" -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/nonce_payload.Tpo" "$(DEPDIR)/nonce_payload.Po"; else rm -f "$(DEPDIR)/nonce_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/nonce_payload.c' object='nonce_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_authenticator.obj `if test -f 'sa/authenticators/rsa_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/rsa_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/rsa_authenticator.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`
-psk_authenticator.o: sa/authenticators/psk_authenticator.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.o -MD -MP -MF "$(DEPDIR)/psk_authenticator.Tpo" -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/psk_authenticator.Tpo" "$(DEPDIR)/psk_authenticator.Po"; else rm -f "$(DEPDIR)/psk_authenticator.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.o' libtool=no @AMDEPBACKSLASH@
+notify_payload.o: encoding/payloads/notify_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.o -MD -MP -MF "$(DEPDIR)/notify_payload.Tpo" -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/notify_payload.Tpo" "$(DEPDIR)/notify_payload.Po"; else rm -f "$(DEPDIR)/notify_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/notify_payload.c' object='notify_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
-psk_authenticator.obj: sa/authenticators/psk_authenticator.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.obj -MD -MP -MF "$(DEPDIR)/psk_authenticator.Tpo" -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/psk_authenticator.Tpo" "$(DEPDIR)/psk_authenticator.Po"; else rm -f "$(DEPDIR)/psk_authenticator.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.obj' libtool=no @AMDEPBACKSLASH@
+notify_payload.obj: encoding/payloads/notify_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.obj -MD -MP -MF "$(DEPDIR)/notify_payload.Tpo" -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/notify_payload.Tpo" "$(DEPDIR)/notify_payload.Po"; else rm -f "$(DEPDIR)/notify_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/notify_payload.c' object='notify_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`
-task_manager.o: sa/task_manager.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.o -MD -MP -MF "$(DEPDIR)/task_manager.Tpo" -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task_manager.Tpo" "$(DEPDIR)/task_manager.Po"; else rm -f "$(DEPDIR)/task_manager.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/task_manager.c' object='task_manager.o' libtool=no @AMDEPBACKSLASH@
+payload.o: encoding/payloads/payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.o -MD -MP -MF "$(DEPDIR)/payload.Tpo" -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/payload.Tpo" "$(DEPDIR)/payload.Po"; else rm -f "$(DEPDIR)/payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/payload.c' object='payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
-task_manager.obj: sa/task_manager.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.obj -MD -MP -MF "$(DEPDIR)/task_manager.Tpo" -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task_manager.Tpo" "$(DEPDIR)/task_manager.Po"; else rm -f "$(DEPDIR)/task_manager.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/task_manager.c' object='task_manager.obj' libtool=no @AMDEPBACKSLASH@
+payload.obj: encoding/payloads/payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.obj -MD -MP -MF "$(DEPDIR)/payload.Tpo" -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/payload.Tpo" "$(DEPDIR)/payload.Po"; else rm -f "$(DEPDIR)/payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/payload.c' object='payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`
-encryption_payload.o: encoding/payloads/encryption_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.o -MD -MP -MF "$(DEPDIR)/encryption_payload.Tpo" -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encryption_payload.Tpo" "$(DEPDIR)/encryption_payload.Po"; else rm -f "$(DEPDIR)/encryption_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encryption_payload.c' object='encryption_payload.o' libtool=no @AMDEPBACKSLASH@
+proposal_substructure.o: encoding/payloads/proposal_substructure.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.o -MD -MP -MF "$(DEPDIR)/proposal_substructure.Tpo" -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal_substructure.Tpo" "$(DEPDIR)/proposal_substructure.Po"; else rm -f "$(DEPDIR)/proposal_substructure.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
-encryption_payload.obj: encoding/payloads/encryption_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.obj -MD -MP -MF "$(DEPDIR)/encryption_payload.Tpo" -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encryption_payload.Tpo" "$(DEPDIR)/encryption_payload.Po"; else rm -f "$(DEPDIR)/encryption_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encryption_payload.c' object='encryption_payload.obj' libtool=no @AMDEPBACKSLASH@
+proposal_substructure.obj: encoding/payloads/proposal_substructure.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.obj -MD -MP -MF "$(DEPDIR)/proposal_substructure.Tpo" -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal_substructure.Tpo" "$(DEPDIR)/proposal_substructure.Po"; else rm -f "$(DEPDIR)/proposal_substructure.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`
-cert_payload.o: encoding/payloads/cert_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.o -MD -MP -MF "$(DEPDIR)/cert_payload.Tpo" -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cert_payload.Tpo" "$(DEPDIR)/cert_payload.Po"; else rm -f "$(DEPDIR)/cert_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cert_payload.c' object='cert_payload.o' libtool=no @AMDEPBACKSLASH@
+sa_payload.o: encoding/payloads/sa_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.o -MD -MP -MF "$(DEPDIR)/sa_payload.Tpo" -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sa_payload.Tpo" "$(DEPDIR)/sa_payload.Po"; else rm -f "$(DEPDIR)/sa_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/sa_payload.c' object='sa_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
-cert_payload.obj: encoding/payloads/cert_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.obj -MD -MP -MF "$(DEPDIR)/cert_payload.Tpo" -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cert_payload.Tpo" "$(DEPDIR)/cert_payload.Po"; else rm -f "$(DEPDIR)/cert_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cert_payload.c' object='cert_payload.obj' libtool=no @AMDEPBACKSLASH@
+sa_payload.obj: encoding/payloads/sa_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.obj -MD -MP -MF "$(DEPDIR)/sa_payload.Tpo" -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sa_payload.Tpo" "$(DEPDIR)/sa_payload.Po"; else rm -f "$(DEPDIR)/sa_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/sa_payload.c' object='sa_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`
traffic_selector_substructure.o: encoding/payloads/traffic_selector_substructure.c
@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.o -MD -MP -MF "$(DEPDIR)/traffic_selector_substructure.Tpo" -c -o traffic_selector_substructure.o `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c; \
@@ -1075,20 +1190,6 @@ transform_attribute.obj: encoding/payloads/transform_attribute.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.obj `if test -f 'encoding/payloads/transform_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/transform_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_attribute.c'; fi`
-configuration_attribute.o: encoding/payloads/configuration_attribute.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.o -MD -MP -MF "$(DEPDIR)/configuration_attribute.Tpo" -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration_attribute.Tpo" "$(DEPDIR)/configuration_attribute.Po"; else rm -f "$(DEPDIR)/configuration_attribute.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
-
-configuration_attribute.obj: encoding/payloads/configuration_attribute.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.obj -MD -MP -MF "$(DEPDIR)/configuration_attribute.Tpo" -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration_attribute.Tpo" "$(DEPDIR)/configuration_attribute.Po"; else rm -f "$(DEPDIR)/configuration_attribute.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`
-
transform_substructure.o: encoding/payloads/transform_substructure.c
@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.o -MD -MP -MF "$(DEPDIR)/transform_substructure.Tpo" -c -o transform_substructure.o `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c; \
@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/transform_substructure.Tpo" "$(DEPDIR)/transform_substructure.Po"; else rm -f "$(DEPDIR)/transform_substructure.Tpo"; exit 1; fi
@@ -1103,593 +1204,621 @@ transform_substructure.obj: encoding/payloads/transform_substructure.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.obj `if test -f 'encoding/payloads/transform_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/transform_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_substructure.c'; fi`
-auth_payload.o: encoding/payloads/auth_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.o -MD -MP -MF "$(DEPDIR)/auth_payload.Tpo" -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/auth_payload.Tpo" "$(DEPDIR)/auth_payload.Po"; else rm -f "$(DEPDIR)/auth_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/auth_payload.c' object='auth_payload.o' libtool=no @AMDEPBACKSLASH@
+ts_payload.o: encoding/payloads/ts_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.o -MD -MP -MF "$(DEPDIR)/ts_payload.Tpo" -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ts_payload.Tpo" "$(DEPDIR)/ts_payload.Po"; else rm -f "$(DEPDIR)/ts_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ts_payload.c' object='ts_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
-auth_payload.obj: encoding/payloads/auth_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.obj -MD -MP -MF "$(DEPDIR)/auth_payload.Tpo" -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/auth_payload.Tpo" "$(DEPDIR)/auth_payload.Po"; else rm -f "$(DEPDIR)/auth_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/auth_payload.c' object='auth_payload.obj' libtool=no @AMDEPBACKSLASH@
+ts_payload.obj: encoding/payloads/ts_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.obj -MD -MP -MF "$(DEPDIR)/ts_payload.Tpo" -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ts_payload.Tpo" "$(DEPDIR)/ts_payload.Po"; else rm -f "$(DEPDIR)/ts_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ts_payload.c' object='ts_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`
-ike_header.o: encoding/payloads/ike_header.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.o -MD -MP -MF "$(DEPDIR)/ike_header.Tpo" -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_header.Tpo" "$(DEPDIR)/ike_header.Po"; else rm -f "$(DEPDIR)/ike_header.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ike_header.c' object='ike_header.o' libtool=no @AMDEPBACKSLASH@
+unknown_payload.o: encoding/payloads/unknown_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.o -MD -MP -MF "$(DEPDIR)/unknown_payload.Tpo" -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/unknown_payload.Tpo" "$(DEPDIR)/unknown_payload.Po"; else rm -f "$(DEPDIR)/unknown_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/unknown_payload.c' object='unknown_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
-ike_header.obj: encoding/payloads/ike_header.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.obj -MD -MP -MF "$(DEPDIR)/ike_header.Tpo" -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_header.Tpo" "$(DEPDIR)/ike_header.Po"; else rm -f "$(DEPDIR)/ike_header.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ike_header.c' object='ike_header.obj' libtool=no @AMDEPBACKSLASH@
+unknown_payload.obj: encoding/payloads/unknown_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.obj -MD -MP -MF "$(DEPDIR)/unknown_payload.Tpo" -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/unknown_payload.Tpo" "$(DEPDIR)/unknown_payload.Po"; else rm -f "$(DEPDIR)/unknown_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/unknown_payload.c' object='unknown_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`
-nonce_payload.o: encoding/payloads/nonce_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.o -MD -MP -MF "$(DEPDIR)/nonce_payload.Tpo" -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/nonce_payload.Tpo" "$(DEPDIR)/nonce_payload.Po"; else rm -f "$(DEPDIR)/nonce_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/nonce_payload.c' object='nonce_payload.o' libtool=no @AMDEPBACKSLASH@
+vendor_id_payload.o: encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.o -MD -MP -MF "$(DEPDIR)/vendor_id_payload.Tpo" -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/vendor_id_payload.Tpo" "$(DEPDIR)/vendor_id_payload.Po"; else rm -f "$(DEPDIR)/vendor_id_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
-nonce_payload.obj: encoding/payloads/nonce_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.obj -MD -MP -MF "$(DEPDIR)/nonce_payload.Tpo" -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/nonce_payload.Tpo" "$(DEPDIR)/nonce_payload.Po"; else rm -f "$(DEPDIR)/nonce_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/nonce_payload.c' object='nonce_payload.obj' libtool=no @AMDEPBACKSLASH@
+vendor_id_payload.obj: encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.obj -MD -MP -MF "$(DEPDIR)/vendor_id_payload.Tpo" -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/vendor_id_payload.Tpo" "$(DEPDIR)/vendor_id_payload.Po"; else rm -f "$(DEPDIR)/vendor_id_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`
-eap_payload.o: encoding/payloads/eap_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.o -MD -MP -MF "$(DEPDIR)/eap_payload.Tpo" -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_payload.Tpo" "$(DEPDIR)/eap_payload.Po"; else rm -f "$(DEPDIR)/eap_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/eap_payload.c' object='eap_payload.o' libtool=no @AMDEPBACKSLASH@
+kernel_interface.o: kernel/kernel_interface.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.o -MD -MP -MF "$(DEPDIR)/kernel_interface.Tpo" -c -o kernel_interface.o `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/kernel_interface.Tpo" "$(DEPDIR)/kernel_interface.Po"; else rm -f "$(DEPDIR)/kernel_interface.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kernel/kernel_interface.c' object='kernel_interface.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.o `test -f 'kernel/kernel_interface.c' || echo '$(srcdir)/'`kernel/kernel_interface.c
-eap_payload.obj: encoding/payloads/eap_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.obj -MD -MP -MF "$(DEPDIR)/eap_payload.Tpo" -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_payload.Tpo" "$(DEPDIR)/eap_payload.Po"; else rm -f "$(DEPDIR)/eap_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/eap_payload.c' object='eap_payload.obj' libtool=no @AMDEPBACKSLASH@
+kernel_interface.obj: kernel/kernel_interface.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.obj -MD -MP -MF "$(DEPDIR)/kernel_interface.Tpo" -c -o kernel_interface.obj `if test -f 'kernel/kernel_interface.c'; then $(CYGPATH_W) 'kernel/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_interface.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/kernel_interface.Tpo" "$(DEPDIR)/kernel_interface.Po"; else rm -f "$(DEPDIR)/kernel_interface.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='kernel/kernel_interface.c' object='kernel_interface.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.obj `if test -f 'kernel/kernel_interface.c'; then $(CYGPATH_W) 'kernel/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/kernel/kernel_interface.c'; fi`
-ts_payload.o: encoding/payloads/ts_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.o -MD -MP -MF "$(DEPDIR)/ts_payload.Tpo" -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ts_payload.Tpo" "$(DEPDIR)/ts_payload.Po"; else rm -f "$(DEPDIR)/ts_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ts_payload.c' object='ts_payload.o' libtool=no @AMDEPBACKSLASH@
+packet.o: network/packet.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.o -MD -MP -MF "$(DEPDIR)/packet.Tpo" -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/packet.Tpo" "$(DEPDIR)/packet.Po"; else rm -f "$(DEPDIR)/packet.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/packet.c' object='packet.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
-ts_payload.obj: encoding/payloads/ts_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.obj -MD -MP -MF "$(DEPDIR)/ts_payload.Tpo" -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ts_payload.Tpo" "$(DEPDIR)/ts_payload.Po"; else rm -f "$(DEPDIR)/ts_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ts_payload.c' object='ts_payload.obj' libtool=no @AMDEPBACKSLASH@
+packet.obj: network/packet.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.obj -MD -MP -MF "$(DEPDIR)/packet.Tpo" -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/packet.Tpo" "$(DEPDIR)/packet.Po"; else rm -f "$(DEPDIR)/packet.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/packet.c' object='packet.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`
-notify_payload.o: encoding/payloads/notify_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.o -MD -MP -MF "$(DEPDIR)/notify_payload.Tpo" -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/notify_payload.Tpo" "$(DEPDIR)/notify_payload.Po"; else rm -f "$(DEPDIR)/notify_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/notify_payload.c' object='notify_payload.o' libtool=no @AMDEPBACKSLASH@
+receiver.o: network/receiver.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.o -MD -MP -MF "$(DEPDIR)/receiver.Tpo" -c -o receiver.o `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/receiver.Tpo" "$(DEPDIR)/receiver.Po"; else rm -f "$(DEPDIR)/receiver.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/receiver.c' object='receiver.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.o `test -f 'network/receiver.c' || echo '$(srcdir)/'`network/receiver.c
-notify_payload.obj: encoding/payloads/notify_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.obj -MD -MP -MF "$(DEPDIR)/notify_payload.Tpo" -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/notify_payload.Tpo" "$(DEPDIR)/notify_payload.Po"; else rm -f "$(DEPDIR)/notify_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/notify_payload.c' object='notify_payload.obj' libtool=no @AMDEPBACKSLASH@
+receiver.obj: network/receiver.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.obj -MD -MP -MF "$(DEPDIR)/receiver.Tpo" -c -o receiver.obj `if test -f 'network/receiver.c'; then $(CYGPATH_W) 'network/receiver.c'; else $(CYGPATH_W) '$(srcdir)/network/receiver.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/receiver.Tpo" "$(DEPDIR)/receiver.Po"; else rm -f "$(DEPDIR)/receiver.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/receiver.c' object='receiver.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.obj `if test -f 'network/receiver.c'; then $(CYGPATH_W) 'network/receiver.c'; else $(CYGPATH_W) '$(srcdir)/network/receiver.c'; fi`
-id_payload.o: encoding/payloads/id_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.o -MD -MP -MF "$(DEPDIR)/id_payload.Tpo" -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/id_payload.Tpo" "$(DEPDIR)/id_payload.Po"; else rm -f "$(DEPDIR)/id_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/id_payload.c' object='id_payload.o' libtool=no @AMDEPBACKSLASH@
+sender.o: network/sender.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.o -MD -MP -MF "$(DEPDIR)/sender.Tpo" -c -o sender.o `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sender.Tpo" "$(DEPDIR)/sender.Po"; else rm -f "$(DEPDIR)/sender.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/sender.c' object='sender.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.o `test -f 'network/sender.c' || echo '$(srcdir)/'`network/sender.c
-id_payload.obj: encoding/payloads/id_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.obj -MD -MP -MF "$(DEPDIR)/id_payload.Tpo" -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/id_payload.Tpo" "$(DEPDIR)/id_payload.Po"; else rm -f "$(DEPDIR)/id_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/id_payload.c' object='id_payload.obj' libtool=no @AMDEPBACKSLASH@
+sender.obj: network/sender.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.obj -MD -MP -MF "$(DEPDIR)/sender.Tpo" -c -o sender.obj `if test -f 'network/sender.c'; then $(CYGPATH_W) 'network/sender.c'; else $(CYGPATH_W) '$(srcdir)/network/sender.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sender.Tpo" "$(DEPDIR)/sender.Po"; else rm -f "$(DEPDIR)/sender.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/sender.c' object='sender.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.obj `if test -f 'network/sender.c'; then $(CYGPATH_W) 'network/sender.c'; else $(CYGPATH_W) '$(srcdir)/network/sender.c'; fi`
-ke_payload.o: encoding/payloads/ke_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.o -MD -MP -MF "$(DEPDIR)/ke_payload.Tpo" -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ke_payload.Tpo" "$(DEPDIR)/ke_payload.Po"; else rm -f "$(DEPDIR)/ke_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ke_payload.c' object='ke_payload.o' libtool=no @AMDEPBACKSLASH@
+socket.o: network/socket.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.o -MD -MP -MF "$(DEPDIR)/socket.Tpo" -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/socket.Tpo" "$(DEPDIR)/socket.Po"; else rm -f "$(DEPDIR)/socket.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/socket.c' object='socket.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
-ke_payload.obj: encoding/payloads/ke_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.obj -MD -MP -MF "$(DEPDIR)/ke_payload.Tpo" -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ke_payload.Tpo" "$(DEPDIR)/ke_payload.Po"; else rm -f "$(DEPDIR)/ke_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ke_payload.c' object='ke_payload.obj' libtool=no @AMDEPBACKSLASH@
+socket.obj: network/socket.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.obj -MD -MP -MF "$(DEPDIR)/socket.Tpo" -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/socket.Tpo" "$(DEPDIR)/socket.Po"; else rm -f "$(DEPDIR)/socket.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/socket.c' object='socket.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`
-unknown_payload.o: encoding/payloads/unknown_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.o -MD -MP -MF "$(DEPDIR)/unknown_payload.Tpo" -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/unknown_payload.Tpo" "$(DEPDIR)/unknown_payload.Po"; else rm -f "$(DEPDIR)/unknown_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/unknown_payload.c' object='unknown_payload.o' libtool=no @AMDEPBACKSLASH@
+event_queue.o: processing/event_queue.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.o -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.o `test -f 'processing/event_queue.c' || echo '$(srcdir)/'`processing/event_queue.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/event_queue.c' object='event_queue.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.o `test -f 'processing/event_queue.c' || echo '$(srcdir)/'`processing/event_queue.c
-unknown_payload.obj: encoding/payloads/unknown_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.obj -MD -MP -MF "$(DEPDIR)/unknown_payload.Tpo" -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/unknown_payload.Tpo" "$(DEPDIR)/unknown_payload.Po"; else rm -f "$(DEPDIR)/unknown_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/unknown_payload.c' object='unknown_payload.obj' libtool=no @AMDEPBACKSLASH@
+event_queue.obj: processing/event_queue.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.obj -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.obj `if test -f 'processing/event_queue.c'; then $(CYGPATH_W) 'processing/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/event_queue.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/event_queue.c' object='event_queue.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.obj `if test -f 'processing/event_queue.c'; then $(CYGPATH_W) 'processing/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/event_queue.c'; fi`
-encodings.o: encoding/payloads/encodings.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.o -MD -MP -MF "$(DEPDIR)/encodings.Tpo" -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encodings.Tpo" "$(DEPDIR)/encodings.Po"; else rm -f "$(DEPDIR)/encodings.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encodings.c' object='encodings.o' libtool=no @AMDEPBACKSLASH@
+job_queue.o: processing/job_queue.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.o -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.o `test -f 'processing/job_queue.c' || echo '$(srcdir)/'`processing/job_queue.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/job_queue.c' object='job_queue.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.o `test -f 'processing/job_queue.c' || echo '$(srcdir)/'`processing/job_queue.c
-encodings.obj: encoding/payloads/encodings.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.obj -MD -MP -MF "$(DEPDIR)/encodings.Tpo" -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encodings.Tpo" "$(DEPDIR)/encodings.Po"; else rm -f "$(DEPDIR)/encodings.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encodings.c' object='encodings.obj' libtool=no @AMDEPBACKSLASH@
+job_queue.obj: processing/job_queue.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.obj -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.obj `if test -f 'processing/job_queue.c'; then $(CYGPATH_W) 'processing/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/job_queue.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/job_queue.c' object='job_queue.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.obj `if test -f 'processing/job_queue.c'; then $(CYGPATH_W) 'processing/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/processing/job_queue.c'; fi`
-cp_payload.o: encoding/payloads/cp_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.o -MD -MP -MF "$(DEPDIR)/cp_payload.Tpo" -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cp_payload.Tpo" "$(DEPDIR)/cp_payload.Po"; else rm -f "$(DEPDIR)/cp_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cp_payload.c' object='cp_payload.o' libtool=no @AMDEPBACKSLASH@
+acquire_job.o: processing/jobs/acquire_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.o -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o acquire_job.o `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/acquire_job.c' object='acquire_job.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.o `test -f 'processing/jobs/acquire_job.c' || echo '$(srcdir)/'`processing/jobs/acquire_job.c
-cp_payload.obj: encoding/payloads/cp_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.obj -MD -MP -MF "$(DEPDIR)/cp_payload.Tpo" -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cp_payload.Tpo" "$(DEPDIR)/cp_payload.Po"; else rm -f "$(DEPDIR)/cp_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cp_payload.c' object='cp_payload.obj' libtool=no @AMDEPBACKSLASH@
+acquire_job.obj: processing/jobs/acquire_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.obj -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o acquire_job.obj `if test -f 'processing/jobs/acquire_job.c'; then $(CYGPATH_W) 'processing/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/acquire_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/acquire_job.c' object='acquire_job.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.obj `if test -f 'processing/jobs/acquire_job.c'; then $(CYGPATH_W) 'processing/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/acquire_job.c'; fi`
-delete_payload.o: encoding/payloads/delete_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.o -MD -MP -MF "$(DEPDIR)/delete_payload.Tpo" -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_payload.Tpo" "$(DEPDIR)/delete_payload.Po"; else rm -f "$(DEPDIR)/delete_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/delete_payload.c' object='delete_payload.o' libtool=no @AMDEPBACKSLASH@
+delete_child_sa_job.o: processing/jobs/delete_child_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.o `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.o `test -f 'processing/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_child_sa_job.c
-delete_payload.obj: encoding/payloads/delete_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.obj -MD -MP -MF "$(DEPDIR)/delete_payload.Tpo" -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_payload.Tpo" "$(DEPDIR)/delete_payload.Po"; else rm -f "$(DEPDIR)/delete_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/delete_payload.c' object='delete_payload.obj' libtool=no @AMDEPBACKSLASH@
+delete_child_sa_job.obj: processing/jobs/delete_child_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.obj -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.obj `if test -f 'processing/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_child_sa_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/delete_child_sa_job.c' object='delete_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.obj `if test -f 'processing/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_child_sa_job.c'; fi`
-sa_payload.o: encoding/payloads/sa_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.o -MD -MP -MF "$(DEPDIR)/sa_payload.Tpo" -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sa_payload.Tpo" "$(DEPDIR)/sa_payload.Po"; else rm -f "$(DEPDIR)/sa_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/sa_payload.c' object='sa_payload.o' libtool=no @AMDEPBACKSLASH@
+delete_ike_sa_job.o: processing/jobs/delete_ike_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_ike_sa_job.Tpo" -c -o delete_ike_sa_job.o `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_ike_sa_job.Tpo" "$(DEPDIR)/delete_ike_sa_job.Po"; else rm -f "$(DEPDIR)/delete_ike_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.o `test -f 'processing/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/delete_ike_sa_job.c
-sa_payload.obj: encoding/payloads/sa_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.obj -MD -MP -MF "$(DEPDIR)/sa_payload.Tpo" -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sa_payload.Tpo" "$(DEPDIR)/sa_payload.Po"; else rm -f "$(DEPDIR)/sa_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/sa_payload.c' object='sa_payload.obj' libtool=no @AMDEPBACKSLASH@
+delete_ike_sa_job.obj: processing/jobs/delete_ike_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.obj -MD -MP -MF "$(DEPDIR)/delete_ike_sa_job.Tpo" -c -o delete_ike_sa_job.obj `if test -f 'processing/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_ike_sa_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_ike_sa_job.Tpo" "$(DEPDIR)/delete_ike_sa_job.Po"; else rm -f "$(DEPDIR)/delete_ike_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.obj `if test -f 'processing/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/delete_ike_sa_job.c'; fi`
-certreq_payload.o: encoding/payloads/certreq_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.o -MD -MP -MF "$(DEPDIR)/certreq_payload.Tpo" -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certreq_payload.Tpo" "$(DEPDIR)/certreq_payload.Po"; else rm -f "$(DEPDIR)/certreq_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/certreq_payload.c' object='certreq_payload.o' libtool=no @AMDEPBACKSLASH@
+job.o: processing/jobs/job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.o -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.o `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/job.c' object='job.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.o `test -f 'processing/jobs/job.c' || echo '$(srcdir)/'`processing/jobs/job.c
-certreq_payload.obj: encoding/payloads/certreq_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.obj -MD -MP -MF "$(DEPDIR)/certreq_payload.Tpo" -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certreq_payload.Tpo" "$(DEPDIR)/certreq_payload.Po"; else rm -f "$(DEPDIR)/certreq_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/certreq_payload.c' object='certreq_payload.obj' libtool=no @AMDEPBACKSLASH@
+job.obj: processing/jobs/job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.obj -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.obj `if test -f 'processing/jobs/job.c'; then $(CYGPATH_W) 'processing/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/job.c' object='job.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.obj `if test -f 'processing/jobs/job.c'; then $(CYGPATH_W) 'processing/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/job.c'; fi`
-vendor_id_payload.o: encoding/payloads/vendor_id_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.o -MD -MP -MF "$(DEPDIR)/vendor_id_payload.Tpo" -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/vendor_id_payload.Tpo" "$(DEPDIR)/vendor_id_payload.Po"; else rm -f "$(DEPDIR)/vendor_id_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.o' libtool=no @AMDEPBACKSLASH@
+process_message_job.o: processing/jobs/process_message_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.o -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.o `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/process_message_job.c' object='process_message_job.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.o `test -f 'processing/jobs/process_message_job.c' || echo '$(srcdir)/'`processing/jobs/process_message_job.c
-vendor_id_payload.obj: encoding/payloads/vendor_id_payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.obj -MD -MP -MF "$(DEPDIR)/vendor_id_payload.Tpo" -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/vendor_id_payload.Tpo" "$(DEPDIR)/vendor_id_payload.Po"; else rm -f "$(DEPDIR)/vendor_id_payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.obj' libtool=no @AMDEPBACKSLASH@
+process_message_job.obj: processing/jobs/process_message_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.obj -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.obj `if test -f 'processing/jobs/process_message_job.c'; then $(CYGPATH_W) 'processing/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/process_message_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/process_message_job.c' object='process_message_job.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.obj `if test -f 'processing/jobs/process_message_job.c'; then $(CYGPATH_W) 'processing/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/process_message_job.c'; fi`
-proposal_substructure.o: encoding/payloads/proposal_substructure.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.o -MD -MP -MF "$(DEPDIR)/proposal_substructure.Tpo" -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal_substructure.Tpo" "$(DEPDIR)/proposal_substructure.Po"; else rm -f "$(DEPDIR)/proposal_substructure.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.o' libtool=no @AMDEPBACKSLASH@
+rekey_child_sa_job.o: processing/jobs/rekey_child_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.o -MD -MP -MF "$(DEPDIR)/rekey_child_sa_job.Tpo" -c -o rekey_child_sa_job.o `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_child_sa_job.Tpo" "$(DEPDIR)/rekey_child_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_child_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.o `test -f 'processing/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_child_sa_job.c
-proposal_substructure.obj: encoding/payloads/proposal_substructure.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.obj -MD -MP -MF "$(DEPDIR)/proposal_substructure.Tpo" -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal_substructure.Tpo" "$(DEPDIR)/proposal_substructure.Po"; else rm -f "$(DEPDIR)/proposal_substructure.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.obj' libtool=no @AMDEPBACKSLASH@
+rekey_child_sa_job.obj: processing/jobs/rekey_child_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.obj -MD -MP -MF "$(DEPDIR)/rekey_child_sa_job.Tpo" -c -o rekey_child_sa_job.obj `if test -f 'processing/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_child_sa_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_child_sa_job.Tpo" "$(DEPDIR)/rekey_child_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_child_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.obj `if test -f 'processing/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_child_sa_job.c'; fi`
-payload.o: encoding/payloads/payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.o -MD -MP -MF "$(DEPDIR)/payload.Tpo" -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/payload.Tpo" "$(DEPDIR)/payload.Po"; else rm -f "$(DEPDIR)/payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/payload.c' object='payload.o' libtool=no @AMDEPBACKSLASH@
+rekey_ike_sa_job.o: processing/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.o -MD -MP -MF "$(DEPDIR)/rekey_ike_sa_job.Tpo" -c -o rekey_ike_sa_job.o `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_ike_sa_job.Tpo" "$(DEPDIR)/rekey_ike_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_ike_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.o `test -f 'processing/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`processing/jobs/rekey_ike_sa_job.c
-payload.obj: encoding/payloads/payload.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.obj -MD -MP -MF "$(DEPDIR)/payload.Tpo" -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/payload.Tpo" "$(DEPDIR)/payload.Po"; else rm -f "$(DEPDIR)/payload.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/payload.c' object='payload.obj' libtool=no @AMDEPBACKSLASH@
+rekey_ike_sa_job.obj: processing/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.obj -MD -MP -MF "$(DEPDIR)/rekey_ike_sa_job.Tpo" -c -o rekey_ike_sa_job.obj `if test -f 'processing/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_ike_sa_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_ike_sa_job.Tpo" "$(DEPDIR)/rekey_ike_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_ike_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.obj `if test -f 'processing/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'processing/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/rekey_ike_sa_job.c'; fi`
-message.o: encoding/message.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.o -MD -MP -MF "$(DEPDIR)/message.Tpo" -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/message.Tpo" "$(DEPDIR)/message.Po"; else rm -f "$(DEPDIR)/message.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/message.c' object='message.o' libtool=no @AMDEPBACKSLASH@
+retransmit_job.o: processing/jobs/retransmit_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.o -MD -MP -MF "$(DEPDIR)/retransmit_job.Tpo" -c -o retransmit_job.o `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/retransmit_job.Tpo" "$(DEPDIR)/retransmit_job.Po"; else rm -f "$(DEPDIR)/retransmit_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/retransmit_job.c' object='retransmit_job.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.o `test -f 'processing/jobs/retransmit_job.c' || echo '$(srcdir)/'`processing/jobs/retransmit_job.c
-message.obj: encoding/message.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.obj -MD -MP -MF "$(DEPDIR)/message.Tpo" -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/message.Tpo" "$(DEPDIR)/message.Po"; else rm -f "$(DEPDIR)/message.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/message.c' object='message.obj' libtool=no @AMDEPBACKSLASH@
+retransmit_job.obj: processing/jobs/retransmit_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.obj -MD -MP -MF "$(DEPDIR)/retransmit_job.Tpo" -c -o retransmit_job.obj `if test -f 'processing/jobs/retransmit_job.c'; then $(CYGPATH_W) 'processing/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/retransmit_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/retransmit_job.Tpo" "$(DEPDIR)/retransmit_job.Po"; else rm -f "$(DEPDIR)/retransmit_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/retransmit_job.c' object='retransmit_job.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.obj `if test -f 'processing/jobs/retransmit_job.c'; then $(CYGPATH_W) 'processing/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/retransmit_job.c'; fi`
-generator.o: encoding/generator.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.o -MD -MP -MF "$(DEPDIR)/generator.Tpo" -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/generator.Tpo" "$(DEPDIR)/generator.Po"; else rm -f "$(DEPDIR)/generator.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/generator.c' object='generator.o' libtool=no @AMDEPBACKSLASH@
+send_dpd_job.o: processing/jobs/send_dpd_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.o -MD -MP -MF "$(DEPDIR)/send_dpd_job.Tpo" -c -o send_dpd_job.o `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_dpd_job.Tpo" "$(DEPDIR)/send_dpd_job.Po"; else rm -f "$(DEPDIR)/send_dpd_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/send_dpd_job.c' object='send_dpd_job.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.o `test -f 'processing/jobs/send_dpd_job.c' || echo '$(srcdir)/'`processing/jobs/send_dpd_job.c
-generator.obj: encoding/generator.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.obj -MD -MP -MF "$(DEPDIR)/generator.Tpo" -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/generator.Tpo" "$(DEPDIR)/generator.Po"; else rm -f "$(DEPDIR)/generator.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/generator.c' object='generator.obj' libtool=no @AMDEPBACKSLASH@
+send_dpd_job.obj: processing/jobs/send_dpd_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.obj -MD -MP -MF "$(DEPDIR)/send_dpd_job.Tpo" -c -o send_dpd_job.obj `if test -f 'processing/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'processing/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_dpd_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_dpd_job.Tpo" "$(DEPDIR)/send_dpd_job.Po"; else rm -f "$(DEPDIR)/send_dpd_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/send_dpd_job.c' object='send_dpd_job.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.obj `if test -f 'processing/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'processing/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_dpd_job.c'; fi`
-parser.o: encoding/parser.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.o -MD -MP -MF "$(DEPDIR)/parser.Tpo" -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/parser.Tpo" "$(DEPDIR)/parser.Po"; else rm -f "$(DEPDIR)/parser.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/parser.c' object='parser.o' libtool=no @AMDEPBACKSLASH@
+send_keepalive_job.o: processing/jobs/send_keepalive_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.o -MD -MP -MF "$(DEPDIR)/send_keepalive_job.Tpo" -c -o send_keepalive_job.o `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_keepalive_job.Tpo" "$(DEPDIR)/send_keepalive_job.Po"; else rm -f "$(DEPDIR)/send_keepalive_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.o `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c
-parser.obj: encoding/parser.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.obj -MD -MP -MF "$(DEPDIR)/parser.Tpo" -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/parser.Tpo" "$(DEPDIR)/parser.Po"; else rm -f "$(DEPDIR)/parser.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/parser.c' object='parser.obj' libtool=no @AMDEPBACKSLASH@
+send_keepalive_job.obj: processing/jobs/send_keepalive_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.obj -MD -MP -MF "$(DEPDIR)/send_keepalive_job.Tpo" -c -o send_keepalive_job.obj `if test -f 'processing/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'processing/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_keepalive_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_keepalive_job.Tpo" "$(DEPDIR)/send_keepalive_job.Po"; else rm -f "$(DEPDIR)/send_keepalive_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/send_keepalive_job.c' object='send_keepalive_job.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.obj `if test -f 'processing/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'processing/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/processing/jobs/send_keepalive_job.c'; fi`
-packet.o: network/packet.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.o -MD -MP -MF "$(DEPDIR)/packet.Tpo" -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/packet.Tpo" "$(DEPDIR)/packet.Po"; else rm -f "$(DEPDIR)/packet.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/packet.c' object='packet.o' libtool=no @AMDEPBACKSLASH@
+scheduler.o: processing/scheduler.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.o -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.o `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/scheduler.c' object='scheduler.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.o `test -f 'processing/scheduler.c' || echo '$(srcdir)/'`processing/scheduler.c
-packet.obj: network/packet.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.obj -MD -MP -MF "$(DEPDIR)/packet.Tpo" -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/packet.Tpo" "$(DEPDIR)/packet.Po"; else rm -f "$(DEPDIR)/packet.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/packet.c' object='packet.obj' libtool=no @AMDEPBACKSLASH@
+scheduler.obj: processing/scheduler.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.obj -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.obj `if test -f 'processing/scheduler.c'; then $(CYGPATH_W) 'processing/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/processing/scheduler.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/scheduler.c' object='scheduler.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.obj `if test -f 'processing/scheduler.c'; then $(CYGPATH_W) 'processing/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/processing/scheduler.c'; fi`
-socket.o: network/socket.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.o -MD -MP -MF "$(DEPDIR)/socket.Tpo" -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/socket.Tpo" "$(DEPDIR)/socket.Po"; else rm -f "$(DEPDIR)/socket.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/socket.c' object='socket.o' libtool=no @AMDEPBACKSLASH@
+thread_pool.o: processing/thread_pool.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.o -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.o `test -f 'processing/thread_pool.c' || echo '$(srcdir)/'`processing/thread_pool.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/thread_pool.c' object='thread_pool.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.o `test -f 'processing/thread_pool.c' || echo '$(srcdir)/'`processing/thread_pool.c
-socket.obj: network/socket.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.obj -MD -MP -MF "$(DEPDIR)/socket.Tpo" -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/socket.Tpo" "$(DEPDIR)/socket.Po"; else rm -f "$(DEPDIR)/socket.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/socket.c' object='socket.obj' libtool=no @AMDEPBACKSLASH@
+thread_pool.obj: processing/thread_pool.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.obj -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.obj `if test -f 'processing/thread_pool.c'; then $(CYGPATH_W) 'processing/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/processing/thread_pool.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/thread_pool.c' object='thread_pool.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.obj `if test -f 'processing/thread_pool.c'; then $(CYGPATH_W) 'processing/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/processing/thread_pool.c'; fi`
-job.o: queues/jobs/job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.o -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.o `test -f 'queues/jobs/job.c' || echo '$(srcdir)/'`queues/jobs/job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/job.c' object='job.o' libtool=no @AMDEPBACKSLASH@
+authenticator.o: sa/authenticators/authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.o -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/authenticator.Tpo" "$(DEPDIR)/authenticator.Po"; else rm -f "$(DEPDIR)/authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/authenticator.c' object='authenticator.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.o `test -f 'queues/jobs/job.c' || echo '$(srcdir)/'`queues/jobs/job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
-job.obj: queues/jobs/job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.obj -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.obj `if test -f 'queues/jobs/job.c'; then $(CYGPATH_W) 'queues/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/job.c' object='job.obj' libtool=no @AMDEPBACKSLASH@
+authenticator.obj: sa/authenticators/authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.obj -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/authenticator.Tpo" "$(DEPDIR)/authenticator.Po"; else rm -f "$(DEPDIR)/authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/authenticator.c' object='authenticator.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.obj `if test -f 'queues/jobs/job.c'; then $(CYGPATH_W) 'queues/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`
-process_message_job.o: queues/jobs/process_message_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.o -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.o `test -f 'queues/jobs/process_message_job.c' || echo '$(srcdir)/'`queues/jobs/process_message_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/process_message_job.c' object='process_message_job.o' libtool=no @AMDEPBACKSLASH@
+eap_authenticator.o: sa/authenticators/eap_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.o -MD -MP -MF "$(DEPDIR)/eap_authenticator.Tpo" -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_authenticator.Tpo" "$(DEPDIR)/eap_authenticator.Po"; else rm -f "$(DEPDIR)/eap_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.o `test -f 'queues/jobs/process_message_job.c' || echo '$(srcdir)/'`queues/jobs/process_message_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
-process_message_job.obj: queues/jobs/process_message_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.obj -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.obj `if test -f 'queues/jobs/process_message_job.c'; then $(CYGPATH_W) 'queues/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/process_message_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/process_message_job.c' object='process_message_job.obj' libtool=no @AMDEPBACKSLASH@
+eap_authenticator.obj: sa/authenticators/eap_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.obj -MD -MP -MF "$(DEPDIR)/eap_authenticator.Tpo" -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_authenticator.Tpo" "$(DEPDIR)/eap_authenticator.Po"; else rm -f "$(DEPDIR)/eap_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.obj `if test -f 'queues/jobs/process_message_job.c'; then $(CYGPATH_W) 'queues/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/process_message_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`
-delete_ike_sa_job.o: queues/jobs/delete_ike_sa_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_ike_sa_job.Tpo" -c -o delete_ike_sa_job.o `test -f 'queues/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_ike_sa_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_ike_sa_job.Tpo" "$(DEPDIR)/delete_ike_sa_job.Po"; else rm -f "$(DEPDIR)/delete_ike_sa_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@
+eap_method.o: sa/authenticators/eap/eap_method.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.o -MD -MP -MF "$(DEPDIR)/eap_method.Tpo" -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_method.Tpo" "$(DEPDIR)/eap_method.Po"; else rm -f "$(DEPDIR)/eap_method.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_method.c' object='eap_method.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.o `test -f 'queues/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_ike_sa_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
-delete_ike_sa_job.obj: queues/jobs/delete_ike_sa_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.obj -MD -MP -MF "$(DEPDIR)/delete_ike_sa_job.Tpo" -c -o delete_ike_sa_job.obj `if test -f 'queues/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_ike_sa_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_ike_sa_job.Tpo" "$(DEPDIR)/delete_ike_sa_job.Po"; else rm -f "$(DEPDIR)/delete_ike_sa_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@
+eap_method.obj: sa/authenticators/eap/eap_method.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.obj -MD -MP -MF "$(DEPDIR)/eap_method.Tpo" -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_method.Tpo" "$(DEPDIR)/eap_method.Po"; else rm -f "$(DEPDIR)/eap_method.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_method.c' object='eap_method.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.obj `if test -f 'queues/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_ike_sa_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`
-retransmit_job.o: queues/jobs/retransmit_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.o -MD -MP -MF "$(DEPDIR)/retransmit_job.Tpo" -c -o retransmit_job.o `test -f 'queues/jobs/retransmit_job.c' || echo '$(srcdir)/'`queues/jobs/retransmit_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/retransmit_job.Tpo" "$(DEPDIR)/retransmit_job.Po"; else rm -f "$(DEPDIR)/retransmit_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/retransmit_job.c' object='retransmit_job.o' libtool=no @AMDEPBACKSLASH@
+psk_authenticator.o: sa/authenticators/psk_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.o -MD -MP -MF "$(DEPDIR)/psk_authenticator.Tpo" -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/psk_authenticator.Tpo" "$(DEPDIR)/psk_authenticator.Po"; else rm -f "$(DEPDIR)/psk_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.o `test -f 'queues/jobs/retransmit_job.c' || echo '$(srcdir)/'`queues/jobs/retransmit_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
-retransmit_job.obj: queues/jobs/retransmit_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.obj -MD -MP -MF "$(DEPDIR)/retransmit_job.Tpo" -c -o retransmit_job.obj `if test -f 'queues/jobs/retransmit_job.c'; then $(CYGPATH_W) 'queues/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/retransmit_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/retransmit_job.Tpo" "$(DEPDIR)/retransmit_job.Po"; else rm -f "$(DEPDIR)/retransmit_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/retransmit_job.c' object='retransmit_job.obj' libtool=no @AMDEPBACKSLASH@
+psk_authenticator.obj: sa/authenticators/psk_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.obj -MD -MP -MF "$(DEPDIR)/psk_authenticator.Tpo" -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/psk_authenticator.Tpo" "$(DEPDIR)/psk_authenticator.Po"; else rm -f "$(DEPDIR)/psk_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.obj `if test -f 'queues/jobs/retransmit_job.c'; then $(CYGPATH_W) 'queues/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/retransmit_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`
-initiate_job.o: queues/jobs/initiate_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_job.o -MD -MP -MF "$(DEPDIR)/initiate_job.Tpo" -c -o initiate_job.o `test -f 'queues/jobs/initiate_job.c' || echo '$(srcdir)/'`queues/jobs/initiate_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/initiate_job.Tpo" "$(DEPDIR)/initiate_job.Po"; else rm -f "$(DEPDIR)/initiate_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/initiate_job.c' object='initiate_job.o' libtool=no @AMDEPBACKSLASH@
+rsa_authenticator.o: sa/authenticators/rsa_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_authenticator.o -MD -MP -MF "$(DEPDIR)/rsa_authenticator.Tpo" -c -o rsa_authenticator.o `test -f 'sa/authenticators/rsa_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/rsa_authenticator.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_authenticator.Tpo" "$(DEPDIR)/rsa_authenticator.Po"; else rm -f "$(DEPDIR)/rsa_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/rsa_authenticator.c' object='rsa_authenticator.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_job.o `test -f 'queues/jobs/initiate_job.c' || echo '$(srcdir)/'`queues/jobs/initiate_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_authenticator.o `test -f 'sa/authenticators/rsa_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/rsa_authenticator.c
-initiate_job.obj: queues/jobs/initiate_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_job.obj -MD -MP -MF "$(DEPDIR)/initiate_job.Tpo" -c -o initiate_job.obj `if test -f 'queues/jobs/initiate_job.c'; then $(CYGPATH_W) 'queues/jobs/initiate_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/initiate_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/initiate_job.Tpo" "$(DEPDIR)/initiate_job.Po"; else rm -f "$(DEPDIR)/initiate_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/initiate_job.c' object='initiate_job.obj' libtool=no @AMDEPBACKSLASH@
+rsa_authenticator.obj: sa/authenticators/rsa_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_authenticator.obj -MD -MP -MF "$(DEPDIR)/rsa_authenticator.Tpo" -c -o rsa_authenticator.obj `if test -f 'sa/authenticators/rsa_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/rsa_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/rsa_authenticator.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_authenticator.Tpo" "$(DEPDIR)/rsa_authenticator.Po"; else rm -f "$(DEPDIR)/rsa_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/rsa_authenticator.c' object='rsa_authenticator.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_job.obj `if test -f 'queues/jobs/initiate_job.c'; then $(CYGPATH_W) 'queues/jobs/initiate_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/initiate_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_authenticator.obj `if test -f 'sa/authenticators/rsa_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/rsa_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/rsa_authenticator.c'; fi`
-send_keepalive_job.o: queues/jobs/send_keepalive_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.o -MD -MP -MF "$(DEPDIR)/send_keepalive_job.Tpo" -c -o send_keepalive_job.o `test -f 'queues/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`queues/jobs/send_keepalive_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_keepalive_job.Tpo" "$(DEPDIR)/send_keepalive_job.Po"; else rm -f "$(DEPDIR)/send_keepalive_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_keepalive_job.c' object='send_keepalive_job.o' libtool=no @AMDEPBACKSLASH@
+child_sa.o: sa/child_sa.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.o -MD -MP -MF "$(DEPDIR)/child_sa.Tpo" -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_sa.Tpo" "$(DEPDIR)/child_sa.Po"; else rm -f "$(DEPDIR)/child_sa.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/child_sa.c' object='child_sa.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.o `test -f 'queues/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`queues/jobs/send_keepalive_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
-send_keepalive_job.obj: queues/jobs/send_keepalive_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.obj -MD -MP -MF "$(DEPDIR)/send_keepalive_job.Tpo" -c -o send_keepalive_job.obj `if test -f 'queues/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'queues/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_keepalive_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_keepalive_job.Tpo" "$(DEPDIR)/send_keepalive_job.Po"; else rm -f "$(DEPDIR)/send_keepalive_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_keepalive_job.c' object='send_keepalive_job.obj' libtool=no @AMDEPBACKSLASH@
+child_sa.obj: sa/child_sa.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.obj -MD -MP -MF "$(DEPDIR)/child_sa.Tpo" -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_sa.Tpo" "$(DEPDIR)/child_sa.Po"; else rm -f "$(DEPDIR)/child_sa.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/child_sa.c' object='child_sa.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.obj `if test -f 'queues/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'queues/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_keepalive_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`
-rekey_child_sa_job.o: queues/jobs/rekey_child_sa_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.o -MD -MP -MF "$(DEPDIR)/rekey_child_sa_job.Tpo" -c -o rekey_child_sa_job.o `test -f 'queues/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_child_sa_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_child_sa_job.Tpo" "$(DEPDIR)/rekey_child_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_child_sa_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.o' libtool=no @AMDEPBACKSLASH@
+ike_sa.o: sa/ike_sa.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.o -MD -MP -MF "$(DEPDIR)/ike_sa.Tpo" -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa.Tpo" "$(DEPDIR)/ike_sa.Po"; else rm -f "$(DEPDIR)/ike_sa.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa.c' object='ike_sa.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.o `test -f 'queues/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_child_sa_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
-rekey_child_sa_job.obj: queues/jobs/rekey_child_sa_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.obj -MD -MP -MF "$(DEPDIR)/rekey_child_sa_job.Tpo" -c -o rekey_child_sa_job.obj `if test -f 'queues/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_child_sa_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_child_sa_job.Tpo" "$(DEPDIR)/rekey_child_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_child_sa_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@
+ike_sa.obj: sa/ike_sa.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.obj -MD -MP -MF "$(DEPDIR)/ike_sa.Tpo" -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa.Tpo" "$(DEPDIR)/ike_sa.Po"; else rm -f "$(DEPDIR)/ike_sa.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa.c' object='ike_sa.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.obj `if test -f 'queues/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_child_sa_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`
-delete_child_sa_job.o: queues/jobs/delete_child_sa_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.o `test -f 'queues/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_child_sa_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_child_sa_job.c' object='delete_child_sa_job.o' libtool=no @AMDEPBACKSLASH@
+ike_sa_id.o: sa/ike_sa_id.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.o -MD -MP -MF "$(DEPDIR)/ike_sa_id.Tpo" -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_id.Tpo" "$(DEPDIR)/ike_sa_id.Po"; else rm -f "$(DEPDIR)/ike_sa_id.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_id.c' object='ike_sa_id.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.o `test -f 'queues/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_child_sa_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
-delete_child_sa_job.obj: queues/jobs/delete_child_sa_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.obj -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.obj `if test -f 'queues/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_child_sa_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_child_sa_job.c' object='delete_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@
+ike_sa_id.obj: sa/ike_sa_id.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.obj -MD -MP -MF "$(DEPDIR)/ike_sa_id.Tpo" -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_id.Tpo" "$(DEPDIR)/ike_sa_id.Po"; else rm -f "$(DEPDIR)/ike_sa_id.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_id.c' object='ike_sa_id.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.obj `if test -f 'queues/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_child_sa_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`
-send_dpd_job.o: queues/jobs/send_dpd_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.o -MD -MP -MF "$(DEPDIR)/send_dpd_job.Tpo" -c -o send_dpd_job.o `test -f 'queues/jobs/send_dpd_job.c' || echo '$(srcdir)/'`queues/jobs/send_dpd_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_dpd_job.Tpo" "$(DEPDIR)/send_dpd_job.Po"; else rm -f "$(DEPDIR)/send_dpd_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_dpd_job.c' object='send_dpd_job.o' libtool=no @AMDEPBACKSLASH@
+ike_sa_manager.o: sa/ike_sa_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.o -MD -MP -MF "$(DEPDIR)/ike_sa_manager.Tpo" -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_manager.Tpo" "$(DEPDIR)/ike_sa_manager.Po"; else rm -f "$(DEPDIR)/ike_sa_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_manager.c' object='ike_sa_manager.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.o `test -f 'queues/jobs/send_dpd_job.c' || echo '$(srcdir)/'`queues/jobs/send_dpd_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
-send_dpd_job.obj: queues/jobs/send_dpd_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.obj -MD -MP -MF "$(DEPDIR)/send_dpd_job.Tpo" -c -o send_dpd_job.obj `if test -f 'queues/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'queues/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_dpd_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_dpd_job.Tpo" "$(DEPDIR)/send_dpd_job.Po"; else rm -f "$(DEPDIR)/send_dpd_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_dpd_job.c' object='send_dpd_job.obj' libtool=no @AMDEPBACKSLASH@
+ike_sa_manager.obj: sa/ike_sa_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.obj -MD -MP -MF "$(DEPDIR)/ike_sa_manager.Tpo" -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_manager.Tpo" "$(DEPDIR)/ike_sa_manager.Po"; else rm -f "$(DEPDIR)/ike_sa_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_manager.c' object='ike_sa_manager.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.obj `if test -f 'queues/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'queues/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_dpd_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`
-route_job.o: queues/jobs/route_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT route_job.o -MD -MP -MF "$(DEPDIR)/route_job.Tpo" -c -o route_job.o `test -f 'queues/jobs/route_job.c' || echo '$(srcdir)/'`queues/jobs/route_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/route_job.Tpo" "$(DEPDIR)/route_job.Po"; else rm -f "$(DEPDIR)/route_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/route_job.c' object='route_job.o' libtool=no @AMDEPBACKSLASH@
+task_manager.o: sa/task_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.o -MD -MP -MF "$(DEPDIR)/task_manager.Tpo" -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task_manager.Tpo" "$(DEPDIR)/task_manager.Po"; else rm -f "$(DEPDIR)/task_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/task_manager.c' object='task_manager.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o route_job.o `test -f 'queues/jobs/route_job.c' || echo '$(srcdir)/'`queues/jobs/route_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
-route_job.obj: queues/jobs/route_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT route_job.obj -MD -MP -MF "$(DEPDIR)/route_job.Tpo" -c -o route_job.obj `if test -f 'queues/jobs/route_job.c'; then $(CYGPATH_W) 'queues/jobs/route_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/route_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/route_job.Tpo" "$(DEPDIR)/route_job.Po"; else rm -f "$(DEPDIR)/route_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/route_job.c' object='route_job.obj' libtool=no @AMDEPBACKSLASH@
+task_manager.obj: sa/task_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.obj -MD -MP -MF "$(DEPDIR)/task_manager.Tpo" -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task_manager.Tpo" "$(DEPDIR)/task_manager.Po"; else rm -f "$(DEPDIR)/task_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/task_manager.c' object='task_manager.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o route_job.obj `if test -f 'queues/jobs/route_job.c'; then $(CYGPATH_W) 'queues/jobs/route_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/route_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`
-acquire_job.o: queues/jobs/acquire_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.o -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o acquire_job.o `test -f 'queues/jobs/acquire_job.c' || echo '$(srcdir)/'`queues/jobs/acquire_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/acquire_job.c' object='acquire_job.o' libtool=no @AMDEPBACKSLASH@
+child_create.o: sa/tasks/child_create.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.o -MD -MP -MF "$(DEPDIR)/child_create.Tpo" -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_create.Tpo" "$(DEPDIR)/child_create.Po"; else rm -f "$(DEPDIR)/child_create.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_create.c' object='child_create.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.o `test -f 'queues/jobs/acquire_job.c' || echo '$(srcdir)/'`queues/jobs/acquire_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
-acquire_job.obj: queues/jobs/acquire_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.obj -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o acquire_job.obj `if test -f 'queues/jobs/acquire_job.c'; then $(CYGPATH_W) 'queues/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/acquire_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/acquire_job.c' object='acquire_job.obj' libtool=no @AMDEPBACKSLASH@
+child_create.obj: sa/tasks/child_create.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.obj -MD -MP -MF "$(DEPDIR)/child_create.Tpo" -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_create.Tpo" "$(DEPDIR)/child_create.Po"; else rm -f "$(DEPDIR)/child_create.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_create.c' object='child_create.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.obj `if test -f 'queues/jobs/acquire_job.c'; then $(CYGPATH_W) 'queues/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/acquire_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`
-rekey_ike_sa_job.o: queues/jobs/rekey_ike_sa_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.o -MD -MP -MF "$(DEPDIR)/rekey_ike_sa_job.Tpo" -c -o rekey_ike_sa_job.o `test -f 'queues/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_ike_sa_job.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_ike_sa_job.Tpo" "$(DEPDIR)/rekey_ike_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_ike_sa_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@
+child_delete.o: sa/tasks/child_delete.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.o -MD -MP -MF "$(DEPDIR)/child_delete.Tpo" -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_delete.Tpo" "$(DEPDIR)/child_delete.Po"; else rm -f "$(DEPDIR)/child_delete.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_delete.c' object='child_delete.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.o `test -f 'queues/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
-rekey_ike_sa_job.obj: queues/jobs/rekey_ike_sa_job.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.obj -MD -MP -MF "$(DEPDIR)/rekey_ike_sa_job.Tpo" -c -o rekey_ike_sa_job.obj `if test -f 'queues/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_ike_sa_job.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_ike_sa_job.Tpo" "$(DEPDIR)/rekey_ike_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_ike_sa_job.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@
+child_delete.obj: sa/tasks/child_delete.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.obj -MD -MP -MF "$(DEPDIR)/child_delete.Tpo" -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_delete.Tpo" "$(DEPDIR)/child_delete.Po"; else rm -f "$(DEPDIR)/child_delete.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_delete.c' object='child_delete.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.obj `if test -f 'queues/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_ike_sa_job.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`
-job_queue.o: queues/job_queue.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.o -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.o `test -f 'queues/job_queue.c' || echo '$(srcdir)/'`queues/job_queue.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/job_queue.c' object='job_queue.o' libtool=no @AMDEPBACKSLASH@
+child_rekey.o: sa/tasks/child_rekey.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.o -MD -MP -MF "$(DEPDIR)/child_rekey.Tpo" -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_rekey.Tpo" "$(DEPDIR)/child_rekey.Po"; else rm -f "$(DEPDIR)/child_rekey.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_rekey.c' object='child_rekey.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.o `test -f 'queues/job_queue.c' || echo '$(srcdir)/'`queues/job_queue.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
-job_queue.obj: queues/job_queue.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.obj -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.obj `if test -f 'queues/job_queue.c'; then $(CYGPATH_W) 'queues/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/job_queue.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/job_queue.c' object='job_queue.obj' libtool=no @AMDEPBACKSLASH@
+child_rekey.obj: sa/tasks/child_rekey.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.obj -MD -MP -MF "$(DEPDIR)/child_rekey.Tpo" -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_rekey.Tpo" "$(DEPDIR)/child_rekey.Po"; else rm -f "$(DEPDIR)/child_rekey.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_rekey.c' object='child_rekey.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.obj `if test -f 'queues/job_queue.c'; then $(CYGPATH_W) 'queues/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/job_queue.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`
-event_queue.o: queues/event_queue.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.o -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.o `test -f 'queues/event_queue.c' || echo '$(srcdir)/'`queues/event_queue.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/event_queue.c' object='event_queue.o' libtool=no @AMDEPBACKSLASH@
+ike_auth.o: sa/tasks/ike_auth.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.o -MD -MP -MF "$(DEPDIR)/ike_auth.Tpo" -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_auth.Tpo" "$(DEPDIR)/ike_auth.Po"; else rm -f "$(DEPDIR)/ike_auth.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_auth.c' object='ike_auth.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.o `test -f 'queues/event_queue.c' || echo '$(srcdir)/'`queues/event_queue.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
-event_queue.obj: queues/event_queue.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.obj -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.obj `if test -f 'queues/event_queue.c'; then $(CYGPATH_W) 'queues/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/event_queue.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/event_queue.c' object='event_queue.obj' libtool=no @AMDEPBACKSLASH@
+ike_auth.obj: sa/tasks/ike_auth.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.obj -MD -MP -MF "$(DEPDIR)/ike_auth.Tpo" -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_auth.Tpo" "$(DEPDIR)/ike_auth.Po"; else rm -f "$(DEPDIR)/ike_auth.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_auth.c' object='ike_auth.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.obj `if test -f 'queues/event_queue.c'; then $(CYGPATH_W) 'queues/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/event_queue.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`
-kernel_interface.o: threads/kernel_interface.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.o -MD -MP -MF "$(DEPDIR)/kernel_interface.Tpo" -c -o kernel_interface.o `test -f 'threads/kernel_interface.c' || echo '$(srcdir)/'`threads/kernel_interface.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/kernel_interface.Tpo" "$(DEPDIR)/kernel_interface.Po"; else rm -f "$(DEPDIR)/kernel_interface.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/kernel_interface.c' object='kernel_interface.o' libtool=no @AMDEPBACKSLASH@
+ike_cert.o: sa/tasks/ike_cert.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert.o -MD -MP -MF "$(DEPDIR)/ike_cert.Tpo" -c -o ike_cert.o `test -f 'sa/tasks/ike_cert.c' || echo '$(srcdir)/'`sa/tasks/ike_cert.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cert.Tpo" "$(DEPDIR)/ike_cert.Po"; else rm -f "$(DEPDIR)/ike_cert.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_cert.c' object='ike_cert.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.o `test -f 'threads/kernel_interface.c' || echo '$(srcdir)/'`threads/kernel_interface.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert.o `test -f 'sa/tasks/ike_cert.c' || echo '$(srcdir)/'`sa/tasks/ike_cert.c
-kernel_interface.obj: threads/kernel_interface.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.obj -MD -MP -MF "$(DEPDIR)/kernel_interface.Tpo" -c -o kernel_interface.obj `if test -f 'threads/kernel_interface.c'; then $(CYGPATH_W) 'threads/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/kernel_interface.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/kernel_interface.Tpo" "$(DEPDIR)/kernel_interface.Po"; else rm -f "$(DEPDIR)/kernel_interface.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/kernel_interface.c' object='kernel_interface.obj' libtool=no @AMDEPBACKSLASH@
+ike_cert.obj: sa/tasks/ike_cert.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert.obj -MD -MP -MF "$(DEPDIR)/ike_cert.Tpo" -c -o ike_cert.obj `if test -f 'sa/tasks/ike_cert.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cert.Tpo" "$(DEPDIR)/ike_cert.Po"; else rm -f "$(DEPDIR)/ike_cert.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_cert.c' object='ike_cert.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.obj `if test -f 'threads/kernel_interface.c'; then $(CYGPATH_W) 'threads/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/kernel_interface.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert.obj `if test -f 'sa/tasks/ike_cert.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert.c'; fi`
-thread_pool.o: threads/thread_pool.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.o -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.o `test -f 'threads/thread_pool.c' || echo '$(srcdir)/'`threads/thread_pool.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/thread_pool.c' object='thread_pool.o' libtool=no @AMDEPBACKSLASH@
+ike_config.o: sa/tasks/ike_config.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.o -MD -MP -MF "$(DEPDIR)/ike_config.Tpo" -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_config.Tpo" "$(DEPDIR)/ike_config.Po"; else rm -f "$(DEPDIR)/ike_config.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_config.c' object='ike_config.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.o `test -f 'threads/thread_pool.c' || echo '$(srcdir)/'`threads/thread_pool.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
-thread_pool.obj: threads/thread_pool.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.obj -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.obj `if test -f 'threads/thread_pool.c'; then $(CYGPATH_W) 'threads/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/threads/thread_pool.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/thread_pool.c' object='thread_pool.obj' libtool=no @AMDEPBACKSLASH@
+ike_config.obj: sa/tasks/ike_config.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.obj -MD -MP -MF "$(DEPDIR)/ike_config.Tpo" -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_config.Tpo" "$(DEPDIR)/ike_config.Po"; else rm -f "$(DEPDIR)/ike_config.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_config.c' object='ike_config.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.obj `if test -f 'threads/thread_pool.c'; then $(CYGPATH_W) 'threads/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/threads/thread_pool.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`
-scheduler.o: threads/scheduler.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.o -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.o `test -f 'threads/scheduler.c' || echo '$(srcdir)/'`threads/scheduler.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/scheduler.c' object='scheduler.o' libtool=no @AMDEPBACKSLASH@
+ike_delete.o: sa/tasks/ike_delete.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.o -MD -MP -MF "$(DEPDIR)/ike_delete.Tpo" -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_delete.Tpo" "$(DEPDIR)/ike_delete.Po"; else rm -f "$(DEPDIR)/ike_delete.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_delete.c' object='ike_delete.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.o `test -f 'threads/scheduler.c' || echo '$(srcdir)/'`threads/scheduler.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
-scheduler.obj: threads/scheduler.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.obj -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.obj `if test -f 'threads/scheduler.c'; then $(CYGPATH_W) 'threads/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/threads/scheduler.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/scheduler.c' object='scheduler.obj' libtool=no @AMDEPBACKSLASH@
+ike_delete.obj: sa/tasks/ike_delete.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.obj -MD -MP -MF "$(DEPDIR)/ike_delete.Tpo" -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_delete.Tpo" "$(DEPDIR)/ike_delete.Po"; else rm -f "$(DEPDIR)/ike_delete.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_delete.c' object='ike_delete.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.obj `if test -f 'threads/scheduler.c'; then $(CYGPATH_W) 'threads/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/threads/scheduler.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`
-sender.o: threads/sender.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.o -MD -MP -MF "$(DEPDIR)/sender.Tpo" -c -o sender.o `test -f 'threads/sender.c' || echo '$(srcdir)/'`threads/sender.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sender.Tpo" "$(DEPDIR)/sender.Po"; else rm -f "$(DEPDIR)/sender.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/sender.c' object='sender.o' libtool=no @AMDEPBACKSLASH@
+ike_dpd.o: sa/tasks/ike_dpd.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.o -MD -MP -MF "$(DEPDIR)/ike_dpd.Tpo" -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_dpd.Tpo" "$(DEPDIR)/ike_dpd.Po"; else rm -f "$(DEPDIR)/ike_dpd.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_dpd.c' object='ike_dpd.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.o `test -f 'threads/sender.c' || echo '$(srcdir)/'`threads/sender.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
-sender.obj: threads/sender.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.obj -MD -MP -MF "$(DEPDIR)/sender.Tpo" -c -o sender.obj `if test -f 'threads/sender.c'; then $(CYGPATH_W) 'threads/sender.c'; else $(CYGPATH_W) '$(srcdir)/threads/sender.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sender.Tpo" "$(DEPDIR)/sender.Po"; else rm -f "$(DEPDIR)/sender.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/sender.c' object='sender.obj' libtool=no @AMDEPBACKSLASH@
+ike_dpd.obj: sa/tasks/ike_dpd.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.obj -MD -MP -MF "$(DEPDIR)/ike_dpd.Tpo" -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_dpd.Tpo" "$(DEPDIR)/ike_dpd.Po"; else rm -f "$(DEPDIR)/ike_dpd.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_dpd.c' object='ike_dpd.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.obj `if test -f 'threads/sender.c'; then $(CYGPATH_W) 'threads/sender.c'; else $(CYGPATH_W) '$(srcdir)/threads/sender.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`
-receiver.o: threads/receiver.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.o -MD -MP -MF "$(DEPDIR)/receiver.Tpo" -c -o receiver.o `test -f 'threads/receiver.c' || echo '$(srcdir)/'`threads/receiver.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/receiver.Tpo" "$(DEPDIR)/receiver.Po"; else rm -f "$(DEPDIR)/receiver.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/receiver.c' object='receiver.o' libtool=no @AMDEPBACKSLASH@
+ike_init.o: sa/tasks/ike_init.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.o -MD -MP -MF "$(DEPDIR)/ike_init.Tpo" -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_init.Tpo" "$(DEPDIR)/ike_init.Po"; else rm -f "$(DEPDIR)/ike_init.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_init.c' object='ike_init.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.o `test -f 'threads/receiver.c' || echo '$(srcdir)/'`threads/receiver.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
-receiver.obj: threads/receiver.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.obj -MD -MP -MF "$(DEPDIR)/receiver.Tpo" -c -o receiver.obj `if test -f 'threads/receiver.c'; then $(CYGPATH_W) 'threads/receiver.c'; else $(CYGPATH_W) '$(srcdir)/threads/receiver.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/receiver.Tpo" "$(DEPDIR)/receiver.Po"; else rm -f "$(DEPDIR)/receiver.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/receiver.c' object='receiver.obj' libtool=no @AMDEPBACKSLASH@
+ike_init.obj: sa/tasks/ike_init.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.obj -MD -MP -MF "$(DEPDIR)/ike_init.Tpo" -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_init.Tpo" "$(DEPDIR)/ike_init.Po"; else rm -f "$(DEPDIR)/ike_init.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_init.c' object='ike_init.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`
+
+ike_natd.o: sa/tasks/ike_natd.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.o -MD -MP -MF "$(DEPDIR)/ike_natd.Tpo" -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_natd.Tpo" "$(DEPDIR)/ike_natd.Po"; else rm -f "$(DEPDIR)/ike_natd.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_natd.c' object='ike_natd.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
+
+ike_natd.obj: sa/tasks/ike_natd.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.obj -MD -MP -MF "$(DEPDIR)/ike_natd.Tpo" -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_natd.Tpo" "$(DEPDIR)/ike_natd.Po"; else rm -f "$(DEPDIR)/ike_natd.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_natd.c' object='ike_natd.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`
+
+ike_rekey.o: sa/tasks/ike_rekey.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.o -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_rekey.c' object='ike_rekey.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.obj `if test -f 'threads/receiver.c'; then $(CYGPATH_W) 'threads/receiver.c'; else $(CYGPATH_W) '$(srcdir)/threads/receiver.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
-stroke_interface.o: threads/stroke_interface.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stroke_interface.o -MD -MP -MF "$(DEPDIR)/stroke_interface.Tpo" -c -o stroke_interface.o `test -f 'threads/stroke_interface.c' || echo '$(srcdir)/'`threads/stroke_interface.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/stroke_interface.Tpo" "$(DEPDIR)/stroke_interface.Po"; else rm -f "$(DEPDIR)/stroke_interface.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/stroke_interface.c' object='stroke_interface.o' libtool=no @AMDEPBACKSLASH@
+ike_rekey.obj: sa/tasks/ike_rekey.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.obj -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_rekey.c' object='ike_rekey.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`
+
+task.o: sa/tasks/task.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.o -MD -MP -MF "$(DEPDIR)/task.Tpo" -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/task.c' object='task.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stroke_interface.o `test -f 'threads/stroke_interface.c' || echo '$(srcdir)/'`threads/stroke_interface.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
-stroke_interface.obj: threads/stroke_interface.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stroke_interface.obj -MD -MP -MF "$(DEPDIR)/stroke_interface.Tpo" -c -o stroke_interface.obj `if test -f 'threads/stroke_interface.c'; then $(CYGPATH_W) 'threads/stroke_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/stroke_interface.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/stroke_interface.Tpo" "$(DEPDIR)/stroke_interface.Po"; else rm -f "$(DEPDIR)/stroke_interface.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/stroke_interface.c' object='stroke_interface.obj' libtool=no @AMDEPBACKSLASH@
+task.obj: sa/tasks/task.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.obj -MD -MP -MF "$(DEPDIR)/task.Tpo" -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/task.c' object='task.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stroke_interface.obj `if test -f 'threads/stroke_interface.c'; then $(CYGPATH_W) 'threads/stroke_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/stroke_interface.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`
mostlyclean-libtool:
-rm -f *.lo
@@ -1780,7 +1909,7 @@ check-am: all-am
check: check-am
all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
installdirs:
- for dir in "$(DESTDIR)$(eapdir)" "$(DESTDIR)$(ipsecdir)"; do \
+ for dir in "$(DESTDIR)$(backenddir)" "$(DESTDIR)$(eapdir)" "$(DESTDIR)$(interfacedir)" "$(DESTDIR)$(ipsecdir)"; do \
test -z "$$dir" || $(mkdir_p) "$$dir"; \
done
install: install-am
@@ -1809,8 +1938,9 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
-clean-am: clean-eapLTLIBRARIES clean-generic clean-ipsecPROGRAMS \
- clean-libtool mostlyclean-am
+clean-am: clean-backendLTLIBRARIES clean-eapLTLIBRARIES clean-generic \
+ clean-interfaceLTLIBRARIES clean-ipsecPROGRAMS clean-libtool \
+ mostlyclean-am
distclean: distclean-am
-rm -rf ./$(DEPDIR)
@@ -1828,7 +1958,8 @@ info: info-am
info-am:
-install-data-am: install-eapLTLIBRARIES install-ipsecPROGRAMS
+install-data-am: install-backendLTLIBRARIES install-eapLTLIBRARIES \
+ install-interfaceLTLIBRARIES install-ipsecPROGRAMS
install-exec-am:
@@ -1856,22 +1987,26 @@ ps: ps-am
ps-am:
-uninstall-am: uninstall-eapLTLIBRARIES uninstall-info-am \
+uninstall-am: uninstall-backendLTLIBRARIES uninstall-eapLTLIBRARIES \
+ uninstall-info-am uninstall-interfaceLTLIBRARIES \
uninstall-ipsecPROGRAMS
.PHONY: CTAGS GTAGS all all-am check check-am clean \
- clean-eapLTLIBRARIES clean-generic clean-ipsecPROGRAMS \
- clean-libtool ctags distclean distclean-compile \
- distclean-generic distclean-libtool distclean-tags distdir dvi \
- dvi-am html html-am info info-am install install-am \
- install-data install-data-am install-eapLTLIBRARIES \
- install-exec install-exec-am install-info install-info-am \
+ clean-backendLTLIBRARIES clean-eapLTLIBRARIES clean-generic \
+ clean-interfaceLTLIBRARIES clean-ipsecPROGRAMS clean-libtool \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am \
+ install-backendLTLIBRARIES install-data install-data-am \
+ install-eapLTLIBRARIES install-exec install-exec-am \
+ install-info install-info-am install-interfaceLTLIBRARIES \
install-ipsecPROGRAMS install-man install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- tags uninstall uninstall-am uninstall-eapLTLIBRARIES \
- uninstall-info-am uninstall-ipsecPROGRAMS
+ tags uninstall uninstall-am uninstall-backendLTLIBRARIES \
+ uninstall-eapLTLIBRARIES uninstall-info-am \
+ uninstall-interfaceLTLIBRARIES uninstall-ipsecPROGRAMS
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index 740663d5c..5f46cd29e 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -185,6 +185,28 @@ static void add_listener(private_bus_t *this, bus_listener_t *listener)
}
/**
+ * Implementation of bus_t.remove_listener.
+ */
+static void remove_listener(private_bus_t *this, bus_listener_t *listener)
+{
+ iterator_t *iterator;
+ bus_listener_t *current;
+
+ pthread_mutex_lock(&this->mutex);
+ iterator = this->listeners->create_iterator(this->listeners, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (current == listener)
+ {
+ iterator->remove(iterator);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&this->mutex);
+}
+
+/**
* Get the listener object for the calling thread
*/
static active_listener_t *get_active_listener(private_bus_t *this)
@@ -216,6 +238,32 @@ static active_listener_t *get_active_listener(private_bus_t *this)
return found;
}
+typedef struct cancel_info_t cancel_info_t;
+
+/**
+ * cancellation info to cancel a listening operation cleanly
+ */
+struct cancel_info_t {
+ /**
+ * mutex to unlock on cancellation
+ */
+ pthread_mutex_t *mutex;
+
+ /**
+ * listener to unregister
+ */
+ active_listener_t *listener;
+};
+
+/**
+ * disable a listener to cleanly clean up
+ */
+static void unregister(cancel_info_t *info)
+{
+ info->listener->state = UNREGISTERED;
+ pthread_mutex_unlock(info->mutex);
+}
+
/**
* Implementation of bus_t.listen.
*/
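Review bot: `unregister` takes a `cancel_info_t *`, so the next hunk has to pass it to `pthread_cleanup_push` through a `(void*)` cast; a function pointer converted to an object pointer is not portable C, and the cast also hides any later signature mismatch from the compiler. Declaring the handler with the type `pthread_cleanup_push` expects removes the cast entirely: `static void unregister(void *arg)` followed by `cancel_info_t *info = arg;` in its body, and `pthread_cleanup_push(unregister, &info);` at the call site in the listen_ hunk below. The doc comment above the function could also state the precondition the body relies on, e.g. `/* cleanup handler for listen_(): runs with info->mutex held (re-acquired by the cancelled pthread_cond_wait) and releases it */`.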
@@ -223,14 +271,24 @@ static signal_t listen_(private_bus_t *this, level_t *level, int *thread,
ike_sa_t **ike_sa, char** format, va_list* args)
{
active_listener_t *listener;
+ int oldstate;
+ cancel_info_t info;
pthread_mutex_lock(&this->mutex);
listener = get_active_listener(this);
/* go "listening", say hello to a thread which have a signal for us */
listener->state = LISTENING;
pthread_cond_broadcast(&listener->cond);
- /* wait until it has us delivered a signal, and go back to "registered" */
+ /* wait until it has us delivered a signal, and go back to "registered".
+ * we allow cancellation here, but must cleanly disable the listener. */
+ info.mutex = &this->mutex;
+ info.listener = listener;
+ pthread_cleanup_push((void*)unregister, &info);
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
pthread_cond_wait(&listener->cond, &this->mutex);
+ pthread_setcancelstate(oldstate, NULL);
+ pthread_cleanup_pop(0);
+
pthread_mutex_unlock(&this->mutex);
/* return signal values */
@@ -299,7 +357,6 @@ static void vsignal(private_bus_t *this, signal_t signal, level_t level,
while (iterator->iterate(iterator, (void**)&listener))
{
va_list args_copy;
-
va_copy(args_copy, args);
if (!listener->signal(listener, signal, level, thread,
ike_sa, format, args_copy))
@@ -315,8 +372,11 @@ static void vsignal(private_bus_t *this, signal_t signal, level_t level,
iterator = this->active_listeners->create_iterator(this->active_listeners, TRUE);
while (iterator->iterate(iterator, (void**)&active_listener))
{
- /* wait until it is back */
- while (active_listener->state == REGISTERED)
+ /* wait until all threads are registered. But if the thread raising
+ * the signal is the same as the one that listens, we skip it.
+ * Otherwise we would deadlock. */
+ while (active_listener->id != pthread_self() &&
+ active_listener->state == REGISTERED)
{
pthread_cond_wait(&active_listener->cond, &this->mutex);
}
@@ -339,7 +399,9 @@ static void vsignal(private_bus_t *this, signal_t signal, level_t level,
iterator->reset(iterator);
while (iterator->iterate(iterator, (void**)&active_listener))
{
- while (active_listener->state == REGISTERED)
+ /* do not wait for ourself, it won't happen (see above) */
+ while (active_listener->id != pthread_self() &&
+ active_listener->state == REGISTERED)
{
pthread_cond_wait(&active_listener->cond, &this->mutex);
}
@@ -380,6 +442,7 @@ bus_t *bus_create()
private_bus_t *this = malloc_thing(private_bus_t);
this->public.add_listener = (void(*)(bus_t*,bus_listener_t*))add_listener;
+ this->public.remove_listener = (void(*)(bus_t*,bus_listener_t*))remove_listener;
this->public.listen = (signal_t(*)(bus_t*,level_t*,int*,ike_sa_t**,char**,va_list*))listen_;
this->public.set_listen_state = (void(*)(bus_t*,bool))set_listen_state;
this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa;
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index 200525fb7..4b46c7e82 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -266,6 +266,14 @@ struct bus_t {
void (*add_listener) (bus_t *this, bus_listener_t *listener);
/**
+ * @brief Unregister a listener from the bus.
+ *
+ * @param this bus
+ * @param listener listener to unregister.
+ */
+ void (*remove_listener) (bus_t *this, bus_listener_t *listener);
+
+ /**
* @brief Listen actively on the bus.
*
* As we are fully multithreaded, we must provide a mechanism
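Review bot: The new `remove_listener` doc does not say what happens when the listener was never added or has already been removed; the implementation in bus.c only removes the first matching entry and otherwise returns without effect, so that behaviour should be part of the contract rather than something callers discover by reading the source. I would extend the comment with `* Removing a listener that is not registered is a no-op.` and, since the caller may be destroying the listener object, `* The bus holds no reference to the listener after this call returns.` — the second sentence is inferred from the pointer comparison in bus.c and should be confirmed against vsignal before it is added.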
@@ -275,6 +283,9 @@ struct bus_t {
* it processes a signal, registration is required. This is done through
* the set_listen_state() method, see below.
*
+ * The listen() function is (has) a thread cancellation point, so might
+ * want to register cleanup handlers.
+ *
* @param this bus
* @param level verbosity level of the signal
* @param thread receives thread number emitted the signal
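Review bot: The added sentence "The listen() function is (has) a thread cancellation point, so might want to register cleanup handlers" is ambiguous about who must do what; the implementation enables cancellation around its own `pthread_cond_wait` and installs a handler that only unregisters the active listener and releases the bus mutex, so any state the caller holds across the call is its own responsibility. Suggested wording: `* listen() contains a thread cancellation point. The bus cleans up its own state on cancellation; callers holding resources across this call must register their own cleanup handlers.`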
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
new file mode 100644
index 000000000..6df68c700
--- /dev/null
+++ b/src/charon/config/backend_manager.c
@@ -0,0 +1,229 @@
+/**
+ * @file backend_manager.c
+ *
+ * @brief Implementation of backend_manager_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "backend_manager.h"
+
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <dlfcn.h>
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <config/backends/writeable_backend.h>
+
+
+typedef struct private_backend_manager_t private_backend_manager_t;
+
+/**
+ * Private data of an backend_manager_t object.
+ */
+struct private_backend_manager_t {
+
+ /**
+ * Public part of backend_manager_t object.
+ */
+ backend_manager_t public;
+
+ /**
+ * list of registered backends
+ */
+ linked_list_t *backends;
+
+ /**
+ * Additional list of writable backends.
+ */
+ linked_list_t *writeable;
+
+ /**
+ * List of dlopen() handles we used to open backends
+ */
+ linked_list_t *handles;
+};
+
+/**
+ * implements backend_manager_t.get_ike_cfg.
+ */
+static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
+ host_t *my_host, host_t *other_host)
+{
+ backend_t *backend;
+ ike_cfg_t *config = NULL;
+ iterator_t *iterator = this->backends->create_iterator(this->backends, TRUE);
+ while (config == NULL && iterator->iterate(iterator, (void**)&backend))
+ {
+ config = backend->get_ike_cfg(backend, my_host, other_host);
+ }
+ iterator->destroy(iterator);
+ return config;
+}
+
+/**
+ * implements backend_manager_t.get_peer_cfg.
+ */
+static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this,
+ identification_t *my_id, identification_t *other_id,
+ ca_info_t *other_ca_info)
+{
+ backend_t *backend;
+ peer_cfg_t *config = NULL;
+ iterator_t *iterator = this->backends->create_iterator(this->backends, TRUE);
+ while (config == NULL && iterator->iterate(iterator, (void**)&backend))
+ {
+ config = backend->get_peer_cfg(backend, my_id, other_id, other_ca_info);
+ }
+ iterator->destroy(iterator);
+ return config;
+}
+
+/**
+ * implements backend_manager_t.add_peer_cfg.
+ */
+static void add_peer_cfg(private_backend_manager_t *this, peer_cfg_t *config)
+{
+ writeable_backend_t *backend;
+
+ if (this->writeable->get_first(this->writeable, (void**)&backend) == SUCCESS)
+ {
+ backend->add_cfg(backend, config);
+ }
+}
+
+/**
+ * implements backend_manager_t.create_iterator.
+ */
+static iterator_t* create_iterator(private_backend_manager_t *this)
+{
+ writeable_backend_t *backend;
+
+ if (this->writeable->get_first(this->writeable, (void**)&backend) == SUCCESS)
+ {
+ return backend->create_iterator(backend);
+ }
+ /* give out an empty iterator if we have no writable backend*/
+ return this->writeable->create_iterator(this->writeable, TRUE);
+}
+
+/**
+ * load the configuration backend modules
+ */
+static void load_backends(private_backend_manager_t *this)
+{
+ struct dirent* entry;
+ DIR* dir;
+
+ dir = opendir(IPSEC_BACKENDDIR);
+ if (dir == NULL)
+ {
+ DBG1(DBG_CFG, "error opening backend modules directory "IPSEC_BACKENDDIR);
+ return;
+ }
+
+ DBG1(DBG_CFG, "loading backend modules from '"IPSEC_BACKENDDIR"'");
+
+ while ((entry = readdir(dir)) != NULL)
+ {
+ char file[256];
+ backend_t *backend;
+ backend_constructor_t constructor;
+ void *handle;
+ char *ending;
+
+ snprintf(file, sizeof(file), IPSEC_BACKENDDIR"/%s", entry->d_name);
+
+ ending = entry->d_name + strlen(entry->d_name) - 3;
+ if (ending <= entry->d_name || !streq(ending, ".so"))
+ {
+ /* skip anything which does not look like a library */
+ DBG2(DBG_CFG, " skipping %s, doesn't look like a library",
+ entry->d_name);
+ continue;
+ }
+ /* try to load the library */
+ handle = dlopen(file, RTLD_LAZY);
+ if (handle == NULL)
+ {
+ DBG1(DBG_CFG, " opening backend module %s failed: %s",
+ entry->d_name, dlerror());
+ continue;
+ }
+ constructor = dlsym(handle, "backend_create");
+ if (constructor == NULL)
+ {
+ DBG1(DBG_CFG, " backend module %s has no backend_create() "
+ "function, skipped", entry->d_name);
+ dlclose(handle);
+ continue;
+ }
+
+ backend = constructor();
+ if (backend == NULL)
+ {
+ DBG1(DBG_CFG, " unable to create instance of backend "
+ "module %s, skipped", entry->d_name);
+ dlclose(handle);
+ continue;
+ }
+ DBG1(DBG_CFG, " loaded backend module successfully from %s", entry->d_name);
+ this->backends->insert_last(this->backends, backend);
+ if (backend->is_writeable(backend))
+ {
+ this->writeable->insert_last(this->writeable, backend);
+ }
+ this->handles->insert_last(this->handles, handle);
+ }
+ closedir(dir);
+}
+
+/**
+ * Implementation of backend_manager_t.destroy.
+ */
+static void destroy(private_backend_manager_t *this)
+{
+ this->backends->destroy_offset(this->backends, offsetof(backend_t, destroy));
+ this->writeable->destroy(this->writeable);
+ this->handles->destroy_function(this->handles, (void*)dlclose);
+ free(this);
+}
+
+/*
+ * Described in header-file
+ */
+backend_manager_t *backend_manager_create()
+{
+ private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
+
+ this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
+ this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,identification_t*,identification_t*,ca_info_t*))get_peer_cfg;
+ this->public.add_peer_cfg = (void (*)(backend_manager_t*,peer_cfg_t*))add_peer_cfg;
+ this->public.create_iterator = (iterator_t* (*)(backend_manager_t*))create_iterator;
+ this->public.destroy = (void (*)(backend_manager_t*))destroy;
+
+ this->backends = linked_list_create();
+ this->writeable = linked_list_create();
+ this->handles = linked_list_create();
+
+ load_backends(this);
+
+ return &this->public;
+}
+
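Review bot: add_peer_cfg() silently discards `config` when no writeable backend was loaded: the `get_first()` failure branch neither stores nor destroys the object, so the caller's reference leaks and the administrator gets no indication that the configuration was dropped. Add an else branch along the lines of `DBG1(DBG_CFG, "no writeable backend loaded, config \"%s\" dropped", config->get_name(config)); config->destroy(config);` — assuming, as local_backend's add_cfg() does by simply storing the pointer, that the call takes ownership of `config`. Separately, load_backends() dlopen()s every `.so` found in IPSEC_BACKENDDIR and executes its backend_create() with the daemon's privileges, so the directory and its contents must be writable only by root; the comment above load_backends() should say so, and the `snprintf()` into `file[256]` should check its return value against `sizeof(file)` and skip the entry on truncation rather than passing a clipped path to dlopen().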
diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h
new file mode 100644
index 000000000..22a19a218
--- /dev/null
+++ b/src/charon/config/backend_manager.h
@@ -0,0 +1,124 @@
+/**
+ * @file backend_manager.h
+ *
+ * @brief Interface backend_manager_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef BACKEND_MANAGER_H_
+#define BACKEND_MANAGER_H_
+
+typedef struct backend_manager_t backend_manager_t;
+
+#include <library.h>
+#include <utils/host.h>
+#include <utils/identification.h>
+#include <config/ike_cfg.h>
+#include <config/peer_cfg.h>
+#include <config/backends/backend.h>
+
+
+/**
+ * @brief A loader and multiplexer to use multiple backends.
+ *
+ * Charon allows the use of multiple configuration backends simultaneously. To
+ * access all this backends by a single call, this class wraps multiple
+ * backends behind a single object. It is also responsible for loading
+ * the backend modules and cleaning them up.
+ * A backend may be writeable or not. All backends implement the backend_t
+ * interface, those who are writeable additionally implement the
+ * writeable_backend_t interface. Adding configs to the backend_manager will
+ * be redirected to the first writeable backend.
+ * @verbatim
+
+ +---------+ +-----------+ +--------------+ |
+ | | | | +--------------+ | |
+ | daemon |----->| backend_- | +--------------+ |-+ <==|==> IPC
+ | core | | manager |---->| backends |-+ |
+ | |----->| | +--------------+ |
+ | | | | |
+ +---------+ +-----------+ |
+
+ @endverbatim
+ *
+ * @b Constructors:
+ * - backend_manager_create()
+ *
+ * @ingroup config
+ */
+struct backend_manager_t {
+
+ /**
+ * @brief Get an ike_config identified by two hosts.
+ *
+ * @param this calling object
+ * @param my_host address of own host
+ * @param other_host address of remote host
+ * @return matching ike_config, or NULL if none found
+ */
+ ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this,
+ host_t *my_host, host_t *other_host);
+
+ /**
+ * @brief Get a peer_config identified by two IDs and the peer's certificate issuer
+ *
+ * @param this calling object
+ * @param my_id own ID
+ * @param other_id peer ID
+ * @param other_ca_info info record on issuer of peer certificate
+ * @return matching peer_config, or NULL if none found
+ */
+ peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this,
+ identification_t *my_id, identification_t *other_id,
+ ca_info_t *other_ca_info);
+
+ /**
+ * @brief Add a peer_config to the first found writable backend.
+ *
+ * @param this calling object
+ * @param config peer_config to add to the backend
+ */
+ void (*add_peer_cfg)(backend_manager_t *this, peer_cfg_t *config);
+
+ /**
+ * @brief Create an iterator over all peer configs of the writable backend.
+ *
+ * @param this calling object
+ * @return iterator over peer configs
+ */
+ iterator_t* (*create_iterator)(backend_manager_t *this);
+
+ /**
+ * @brief Destroys a backend_manager_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (backend_manager_t *this);
+};
+
+/**
+ * @brief Creates a new instance of the manager and loads all backends.
+ *
+ * @return backend_manager instance
+ *
+ * @ingroup config
+ */
+backend_manager_t* backend_manager_create(void);
+
+#endif /*BACKEND_MANAGER_H_*/
+
diff --git a/src/charon/config/backends/backend.h b/src/charon/config/backends/backend.h
new file mode 100644
index 000000000..acab660b6
--- /dev/null
+++ b/src/charon/config/backends/backend.h
@@ -0,0 +1,96 @@
+/**
+ * @file backend.h
+ *
+ * @brief Interface backend_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef BACKEND_H_
+#define BACKEND_H_
+
+typedef struct backend_t backend_t;
+
+#include <library.h>
+#include <config/ike_cfg.h>
+#include <config/peer_cfg.h>
+#include <utils/linked_list.h>
+
+/**
+ * @brief The interface for a configuration backend.
+ *
+ * A configuration backend is loaded by the backend_manager. It does the actual
+ * configuration lookup for the method it implements. See backend_manager_t for
+ * more information.
+ *
+ * @b Constructors:
+ * - implementations constructors
+ *
+ * @ingroup backends
+ */
+struct backend_t {
+
+ /**
+ * @brief Get an ike_cfg identified by two hosts.
+ *
+ * @param this calling object
+ * @param my_host address of own host
+ * @param other_host address of remote host
+ * @return matching ike_config, or NULL if none found
+ */
+ ike_cfg_t *(*get_ike_cfg)(backend_t *this,
+ host_t *my_host, host_t *other_host);
+
+ /**
+ * @brief Get a peer_cfg identified by two IDs.
+ *
+ * Select a config based on the two IDs and the other's certificate issuer
+ *
+ * @param this calling object
+ * @param my_id own ID
+ * @param other_id peer ID
+ * @param other_ca_info info record on issuer of peer certificate
+ * @return matching peer_config, or NULL if none found
+ */
+ peer_cfg_t *(*get_peer_cfg)(backend_t *this,
+ identification_t *my_id, identification_t *other_id,
+ ca_info_t *other_ca_info);
+
+ /**
+ * @brief Check if a backend is writable and implements writable_backend_t.
+ *
+ * @param this calling object
+ * @return TRUE if backend implements writable_backend_t.
+ */
+ bool (*is_writeable)(backend_t *this);
+
+ /**
+ * @brief Destroy a backend.
+ *
+ * @param this calling object
+ */
+ void (*destroy)(backend_t *this);
+};
+
+
+/**
+ * Construction to create a backend.
+ */
+typedef backend_t*(*backend_constructor_t)(void);
+
+#endif /* BACKEND_H_ */
+
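Review bot: The get_ike_cfg() and get_peer_cfg() documentation does not state who owns the returned object, yet the local backend calls `get_ref()` on the match before returning it, so every caller is expected to release it with `destroy()`. Implementers of other backends need that contract spelled out or they will hand out unreferenced pointers that the caller then destroys. Suggested addition to both `@return` lines: `matching config with a reference held for the caller (release with destroy()), or NULL if none found`. Whether ike_cfg_t and peer_cfg_t both expose get_ref()/destroy() with refcount semantics is inferred from the local backend and child_cfg, not visible in this header.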
diff --git a/src/charon/config/backends/local_backend.c b/src/charon/config/backends/local_backend.c
new file mode 100644
index 000000000..2e80cc870
--- /dev/null
+++ b/src/charon/config/backends/local_backend.c
@@ -0,0 +1,274 @@
+/**
+ * @file local_backend.c
+ *
+ * @brief Implementation of local_backend_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "local_backend.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <crypto/ca.h>
+
+
+typedef struct private_local_backend_t private_local_backend_t;
+
+/**
+ * Private data of an local_backend_t object
+ */
+struct private_local_backend_t {
+
+ /**
+ * Public part
+ */
+ local_backend_t public;
+
+ /**
+ * list of configs
+ */
+ linked_list_t *cfgs;
+
+ /**
+ * Mutex to exclusivly access list
+ */
+ pthread_mutex_t mutex;
+};
+
+/**
+ * implements backen_t.get_ike_cfg.
+ */
+static ike_cfg_t *get_ike_cfg(private_local_backend_t *this,
+ host_t *my_host, host_t *other_host)
+{
+ peer_cfg_t *peer;
+ ike_cfg_t *current, *found = NULL;
+ iterator_t *iterator;
+ host_t *my_candidate, *other_candidate;
+ enum {
+ MATCH_NONE = 0x00,
+ MATCH_ANY = 0x01,
+ MATCH_ME = 0x04,
+ MATCH_OTHER = 0x08,
+ } prio, best = MATCH_ANY;
+
+ DBG2(DBG_CFG, "looking for a config for %H...%H",
+ my_host, other_host);
+
+ iterator = this->cfgs->create_iterator_locked(this->cfgs, &this->mutex);
+ while (iterator->iterate(iterator, (void**)&peer))
+ {
+ prio = MATCH_NONE;
+ current = peer->get_ike_cfg(peer);
+ my_candidate = current->get_my_host(current);
+ other_candidate = current->get_other_host(current);
+
+ if (my_candidate->ip_equals(my_candidate, my_host))
+ {
+ prio += MATCH_ME;
+ }
+ else if (my_candidate->is_anyaddr(my_candidate))
+ {
+ prio += MATCH_ANY;
+ }
+
+ if (other_candidate->ip_equals(other_candidate, other_host))
+ {
+ prio += MATCH_OTHER;
+ }
+ else if (other_candidate->is_anyaddr(other_candidate))
+ {
+ prio += MATCH_ANY;
+ }
+
+ DBG2(DBG_CFG, " candidate '%s': %H...%H, prio %d",
+ peer->get_name(peer), my_candidate, other_candidate, prio);
+
+ /* we require at least two MATCH_ANY */
+ if (prio > best)
+ {
+ best = prio;
+ found = current;
+ }
+ }
+ if (found)
+ {
+ found->get_ref(found);
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+#define PRIO_NO_MATCH_FOUND 256
+
+/**
+ * implements backend_t.get_peer.
+ */
+static peer_cfg_t *get_peer_cfg(private_local_backend_t *this,
+ identification_t *my_id, identification_t *other_id,
+ ca_info_t *other_ca_info)
+{
+ peer_cfg_t *current, *found = NULL;
+ iterator_t *iterator;
+ identification_t *my_candidate, *other_candidate;
+ int best = PRIO_NO_MATCH_FOUND;
+
+ DBG2(DBG_CFG, "looking for a config for %D...%D", my_id, other_id);
+
+ iterator = this->cfgs->create_iterator_locked(this->cfgs, &this->mutex);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ int wc1, wc2;
+
+ my_candidate = current->get_my_id(current);
+ other_candidate = current->get_other_id(current);
+
+ if (my_candidate->matches(my_candidate, my_id, &wc1)
+ && other_id->matches(other_id, other_candidate, &wc2))
+ {
+ int prio = (wc1 + wc2) * (MAX_CA_PATH_LEN + 1);
+ int pathlen = 0;
+ identification_t *other_candidate_ca = current->get_other_ca(current);
+
+ /* are there any ca constraints? */
+ if (other_candidate_ca->get_type(other_candidate_ca) != ID_ANY)
+ {
+ ca_info_t *ca_info = other_ca_info;
+
+ for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+ {
+ if (ca_info == NULL)
+ {
+ prio = PRIO_NO_MATCH_FOUND;
+ break;
+ }
+ else
+ {
+ x509_t *cacert = ca_info->get_certificate(ca_info);
+ identification_t *other_ca = cacert->get_subject(cacert);
+
+ if (other_candidate_ca->equals(other_candidate_ca, other_ca))
+ {
+ /* found a ca match */
+ break;
+ }
+ if (cacert->is_self_signed(cacert))
+ {
+ /* reached the root ca without a match */
+ prio = PRIO_NO_MATCH_FOUND;
+ break;
+ }
+ /* move a level upward in the trust path hierarchy */
+ ca_info = charon->credentials->get_issuer(charon->credentials, cacert);
+ }
+ }
+ if (pathlen == MAX_CA_PATH_LEN)
+ {
+ DBG1(DBG_CFG, "maximum ca path length of %d levels reached", MAX_CA_PATH_LEN);
+ prio = PRIO_NO_MATCH_FOUND;
+ }
+ }
+ if (prio == PRIO_NO_MATCH_FOUND)
+ {
+ DBG2(DBG_CFG, " candidate '%s': %D...%D, no ca match",
+ current->get_name(current), my_candidate, other_candidate);
+ }
+ else
+ {
+ prio += pathlen;
+ DBG2(DBG_CFG, " candidate '%s': %D...%D, prio %d",
+ current->get_name(current), my_candidate, other_candidate, prio);
+
+ if (prio < best)
+ {
+ found = current;
+ best = prio;
+ }
+ }
+ }
+ }
+ if (found)
+ {
+ DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d",
+ found->get_name(found),
+ found->get_my_id(found),
+ found->get_other_id(found),
+ best);
+ found->get_ref(found);
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implementation of backend_t.is_writable.
+ */
+static bool is_writeable(private_local_backend_t *this)
+{
+ return TRUE;
+}
+
+/**
+ * Implementation of writable_backend_t.create_iterator.
+ */
+static iterator_t* create_iterator(private_local_backend_t *this)
+{
+ return this->cfgs->create_iterator_locked(this->cfgs, &this->mutex);
+}
+
+/**
+ * Implementation of writable_backend_t.add_peer_cfg.
+ */
+static void add_cfg(private_local_backend_t *this, peer_cfg_t *config)
+{
+ pthread_mutex_lock(&this->mutex);
+ this->cfgs->insert_last(this->cfgs, config);
+ pthread_mutex_unlock(&this->mutex);
+}
+
+/**
+ * Implementation of backend_t.destroy.
+ */
+static void destroy(private_local_backend_t *this)
+{
+ this->cfgs->destroy_offset(this->cfgs, offsetof(peer_cfg_t, destroy));
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+backend_t *backend_create(void)
+{
+ private_local_backend_t *this = malloc_thing(private_local_backend_t);
+
+ this->public.backend.backend.get_ike_cfg = (ike_cfg_t* (*)(backend_t*, host_t*, host_t*))get_ike_cfg;
+ this->public.backend.backend.get_peer_cfg = (peer_cfg_t* (*)(backend_t*,identification_t*,identification_t*,ca_info_t*))get_peer_cfg;
+ this->public.backend.backend.is_writeable = (bool(*) (backend_t*))is_writeable;
+ this->public.backend.backend.destroy = (void (*)(backend_t*))destroy;
+ this->public.backend.create_iterator = (iterator_t* (*)(writeable_backend_t*))create_iterator;
+ this->public.backend.add_cfg = (void (*)(writeable_backend_t*,peer_cfg_t*))add_cfg;
+
+ /* private variables */
+ this->cfgs = linked_list_create();
+ pthread_mutex_init(&this->mutex, NULL);
+
+ return &this->public.backend.backend;
+}
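Review bot: create_iterator() hands out an iterator built with create_iterator_locked() on `this->mutex`, and add_cfg() locks that same mutex, which pthread_mutex_init(&this->mutex, NULL) makes non-recursive; a caller that invokes add_cfg() (or any get_*_cfg lookup on this backend) while still holding such an iterator will deadlock on its own lock. At minimum document this above create_iterator(): `The returned iterator holds the backend's mutex until destroyed; do not call add_cfg() or lookups on this backend while iterating.` Also note that get_peer_cfg() calls into `charon->credentials->get_issuer()` while holding the mutex, so any lock taken inside the credential store must never be held while calling back into this backend — worth a comment there too. destroy() should also call `pthread_mutex_destroy(&this->mutex);` before `free(this)`.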
diff --git a/src/charon/config/backends/local_backend.h b/src/charon/config/backends/local_backend.h
new file mode 100644
index 000000000..b33c6443b
--- /dev/null
+++ b/src/charon/config/backends/local_backend.h
@@ -0,0 +1,60 @@
+/**
+ * @file local_backend.h
+ *
+ * @brief Interface of local_backend_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LOCAL_BACKEND_H_
+#define LOCAL_BACKEND_H_
+
+typedef struct local_backend_t local_backend_t;
+
+#include <library.h>
+#include <config/backends/writeable_backend.h>
+
+/**
+ * @brief An in-memory backend to store configurations.
+ *
+ * The local_backend_t stores the configuration in a simple list. It
+ * implements both, backend_t and writeable_backend_t.
+ *
+ * @b Constructors:
+ * - local_backend_create()
+ *
+ * @ingroup backends
+ */
+struct local_backend_t {
+
+ /**
+ * Implements writable_backend_t interface
+ */
+ writeable_backend_t backend;
+};
+
+/**
+ * @brief Create a backend_t instance implemented as local backend.
+ *
+ * @return backend instance
+ *
+ * @ingroup backends
+ */
+backend_t *backend_create(void);
+
+#endif /* LOCAL_BACKEND_H_ */
+
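Review bot: The class comment lists `local_backend_create()` as the constructor, but the function actually declared and implemented is `backend_create()`, which is also the symbol backend_manager looks up with dlsym(). Change the "@b Constructors" entry to `- backend_create()` and mention in its description that the name is fixed by the module loader, otherwise a reader will assume the module constructor may be freely named.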
diff --git a/src/charon/config/backends/writeable_backend.h b/src/charon/config/backends/writeable_backend.h
new file mode 100644
index 000000000..ea62f62c9
--- /dev/null
+++ b/src/charon/config/backends/writeable_backend.h
@@ -0,0 +1,64 @@
+/**
+ * @file writeable_backend.h
+ *
+ * @brief Interface of writeable_backend_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef WRITEABLE_BACKEND_H_
+#define WRITEABLE_BACKEND_H_
+
+typedef struct writeable_backend_t writeable_backend_t;
+
+#include <library.h>
+#include <config/backends/backend.h>
+
+/**
+ * @brief A writeable backend extends backend_t by modification functions.
+ *
+ * @b Constructors:
+ * - writeable_backend_create()
+ *
+ * @ingroup backends
+ */
+struct writeable_backend_t {
+
+ /**
+ * Implements backend_t interface
+ */
+ backend_t backend;
+
+ /**
+ * @brief Add a peer_config to the backend.
+ *
+ * @param this calling object
+ * @param config peer_config to add to the backend
+ */
+ void (*add_cfg)(writeable_backend_t *this, peer_cfg_t *config);
+
+ /**
+ * @brief Create an iterator over all peer configs.
+ *
+ * @param this calling object
+ * @return iterator over peer configs
+ */
+ iterator_t* (*create_iterator)(writeable_backend_t *this);
+};
+
+#endif /* WRITEABLE_BACKEND_H_ */
+
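Review bot: The "@b Constructors" section names `writeable_backend_create()`, but this header declares only an interface struct and no such function exists; backend.h handles the same situation with `- implementations constructors`. Use that wording here for consistency, and state explicitly that add_cfg() takes ownership of `config`, since the local backend stores the pointer as-is and later frees it through destroy_offset().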
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
new file mode 100644
index 000000000..e9f0e5249
--- /dev/null
+++ b/src/charon/config/child_cfg.c
@@ -0,0 +1,449 @@
+/**
+ * @file child_cfg.c
+ *
+ * @brief Implementation of child_cfg_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "child_cfg.h"
+
+#include <daemon.h>
+
+ENUM(mode_names, MODE_TRANSPORT, MODE_BEET,
+ "TRANSPORT",
+ "TUNNEL",
+ "2",
+ "3",
+ "BEET",
+);
+
+typedef struct private_child_cfg_t private_child_cfg_t;
+
+/**
+ * Private data of an child_cfg_t object
+ */
+struct private_child_cfg_t {
+
+ /**
+ * Public part
+ */
+ child_cfg_t public;
+
+ /**
+ * Number of references hold by others to this child_cfg
+ */
+ refcount_t refcount;
+
+ /**
+ * Name of the child_cfg, used to query it
+ */
+ char *name;
+
+ /**
+ * list for all proposals
+ */
+ linked_list_t *proposals;
+
+ /**
+ * list for traffic selectors for my site
+ */
+ linked_list_t *my_ts;
+
+ /**
+ * list for traffic selectors for others site
+ */
+ linked_list_t *other_ts;
+
+ /**
+ * updown script
+ */
+ char *updown;
+
+ /**
+ * allow host access
+ */
+ bool hostaccess;
+
+ /**
+ * Mode to propose for a initiated CHILD: tunnel/transport
+ */
+ mode_t mode;
+
+ /**
+ * Time before an SA gets invalid
+ */
+ u_int32_t lifetime;
+
+ /**
+ * Time before an SA gets rekeyed
+ */
+ u_int32_t rekeytime;
+
+ /**
+ * Time, which specifies the range of a random value
+ * substracted from rekeytime.
+ */
+ u_int32_t jitter;
+};
+
+/**
+ * Implementation of child_cfg_t.get_name
+ */
+static char *get_name(private_child_cfg_t *this)
+{
+ return this->name;
+}
+
+/**
+ * Implementation of child_cfg_t.add_proposal
+ */
+static void add_proposal(private_child_cfg_t *this, proposal_t *proposal)
+{
+ this->proposals->insert_last(this->proposals, proposal);
+}
+
+/**
+ * strip out DH groups from a proposal
+ */
+static void strip_dh_from_proposal(proposal_t *proposal)
+{
+ iterator_t *iterator;
+ algorithm_t *algo;
+
+ iterator = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP);
+ while (iterator->iterate(iterator, (void**)&algo))
+ {
+ iterator->remove(iterator);
+ free(algo);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of child_cfg_t.get_proposals
+ */
+static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh)
+{
+ iterator_t *iterator;
+ proposal_t *current;
+ linked_list_t *proposals = linked_list_create();
+
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ current = current->clone(current);
+ if (strip_dh)
+ {
+ strip_dh_from_proposal(current);
+ }
+ proposals->insert_last(proposals, current);
+ }
+ iterator->destroy(iterator);
+
+ return proposals;
+}
+
+/**
+ * Implementation of child_cfg_t.get_name
+ */
+static proposal_t* select_proposal(private_child_cfg_t*this,
+ linked_list_t *proposals, bool strip_dh)
+{
+ iterator_t *stored_iter, *supplied_iter;
+ proposal_t *stored, *supplied, *selected = NULL;
+
+ stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
+ supplied_iter = proposals->create_iterator(proposals, TRUE);
+
+ /* compare all stored proposals with all supplied. Stored ones are preferred. */
+ while (stored_iter->iterate(stored_iter, (void**)&stored))
+ {
+ stored = stored->clone(stored);
+ supplied_iter->reset(supplied_iter);
+ while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
+ {
+ if (strip_dh)
+ {
+ strip_dh_from_proposal(stored);
+ }
+ selected = stored->select(stored, supplied);
+ if (selected)
+ {
+ break;
+ }
+ }
+ stored->destroy(stored);
+ if (selected)
+ {
+ break;
+ }
+ }
+ stored_iter->destroy(stored_iter);
+ supplied_iter->destroy(supplied_iter);
+ return selected;
+}
+
+/**
+ * Implementation of child_cfg_t.get_name
+ */
+static void add_traffic_selector(private_child_cfg_t *this, bool local,
+ traffic_selector_t *ts)
+{
+ if (local)
+ {
+ this->my_ts->insert_last(this->my_ts, ts);
+ }
+ else
+ {
+ this->other_ts->insert_last(this->other_ts, ts);
+ }
+}
+
+/**
+ * Implementation of child_cfg_t.get_name
+ */
+static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool local,
+ linked_list_t *supplied,
+ host_t *host)
+{
+ iterator_t *i1, *i2;
+ traffic_selector_t *ts1, *ts2, *selected;
+ linked_list_t *result = linked_list_create();
+
+ if (local)
+ {
+ i1 = this->my_ts->create_iterator(this->my_ts, TRUE);
+ }
+ else
+ {
+ i1 = this->other_ts->create_iterator(this->other_ts, FALSE);
+ }
+
+ /* no list supplied, just fetch the stored traffic selectors */
+ if (supplied == NULL)
+ {
+ while (i1->iterate(i1, (void**)&ts1))
+ {
+ /* we make a copy of the TS, this allows us to update dynamic TS' */
+ ts1 = ts1->clone(ts1);
+ if (host)
+ {
+ ts1->set_address(ts1, host);
+ }
+ result->insert_last(result, ts1);
+ }
+ i1->destroy(i1);
+ }
+ else
+ {
+ DBG2(DBG_CFG, "selecting traffic selectors");
+ i2 = supplied->create_iterator(supplied, TRUE);
+ /* iterate over all stored selectors */
+ while (i1->iterate(i1, (void**)&ts1))
+ {
+ /* we make a copy of the TS, as we have to update dynamic TS' */
+ ts1 = ts1->clone(ts1);
+ if (host)
+ {
+ ts1->set_address(ts1, host);
+ }
+
+ i2->reset(i2);
+ /* iterate over all supplied traffic selectors */
+ while (i2->iterate(i2, (void**)&ts2))
+ {
+ DBG2(DBG_CFG, "stored %R <=> %R received", ts1, ts2);
+ selected = ts1->get_subset(ts1, ts2);
+ if (selected)
+ {
+ result->insert_last(result, selected);
+ DBG2(DBG_CFG, "found traffic selector for %s: %R",
+ local ? "us" : "other", selected);
+ }
+ }
+ ts1->destroy(ts1);
+ }
+ i1->destroy(i1);
+ i2->destroy(i2);
+ }
+
+ /* remove any redundant traffic selectors in the list */
+ i1 = result->create_iterator(result, TRUE);
+ i2 = result->create_iterator(result, TRUE);
+ while (i1->iterate(i1, (void**)&ts1))
+ {
+ while (i2->iterate(i2, (void**)&ts2))
+ {
+ if (ts1 != ts2)
+ {
+ if (ts2->is_contained_in(ts2, ts1))
+ {
+ i2->remove(i2);
+ ts2->destroy(ts2);
+ i1->reset(i1);
+ break;
+ }
+ if (ts1->is_contained_in(ts1, ts2))
+ {
+ i1->remove(i1);
+ ts1->destroy(ts1);
+ i2->reset(i2);
+ break;
+ }
+ }
+ }
+ }
+ i1->destroy(i1);
+ i2->destroy(i2);
+
+ return result;
+}
+
+/**
+ * Implementation of child_cfg_t.get_name
+ */
+static char* get_updown(private_child_cfg_t *this)
+{
+ return this->updown;
+}
+
+/**
+ * Implementation of child_cfg_t.get_name
+ */
+static bool get_hostaccess(private_child_cfg_t *this)
+{
+ return this->hostaccess;
+}
+
+/**
+ * Implementation of child_cfg_t.get_name
+ */
+static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
+{
+ if (rekey)
+ {
+ if (this->jitter == 0)
+ {
+ return this->rekeytime;
+ }
+ return this->rekeytime - (random() % this->jitter);
+ }
+ return this->lifetime;
+}
+
+/**
+ * Implementation of child_cfg_t.get_name
+ */
+static mode_t get_mode(private_child_cfg_t *this)
+{
+ return this->mode;
+}
+
+/**
+ * Implementation of child_cfg_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this)
+{
+ iterator_t *iterator;
+ proposal_t *proposal;
+ algorithm_t *algo;
+ diffie_hellman_group_t dh_group = MODP_NONE;
+
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->iterate(iterator, (void**)&proposal))
+ {
+ if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo))
+ {
+ dh_group = algo->algorithm;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return dh_group;
+}
+
+/**
+ * Implementation of child_cfg_t.get_name
+ */
+static void get_ref(private_child_cfg_t *this)
+{
+ ref_get(&this->refcount);
+}
+
+/**
+ * Implements child_cfg_t.destroy.
+ */
+static void destroy(private_child_cfg_t *this)
+{
+ if (ref_put(&this->refcount))
+ {
+ this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+ this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
+ this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
+ if (this->updown)
+ {
+ free(this->updown);
+ }
+ free(this->name);
+ free(this);
+ }
+}
+
+/*
+ * Described in header-file
+ */
+child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
+ u_int32_t rekeytime, u_int32_t jitter,
+ char *updown, bool hostaccess, mode_t mode)
+{
+ private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
+
+ /* public functions */
+ this->public.get_name = (char* (*) (child_cfg_t*))get_name;
+ this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector;
+ this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
+ this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
+ this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
+ this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
+ this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
+ this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
+ this->public.get_mode = (mode_t (*) (child_cfg_t *))get_mode;
+ this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
+ this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
+ this->public.get_ref = (void (*) (child_cfg_t*))get_ref;
+ this->public.destroy = (void (*) (child_cfg_t*))destroy;
+
+ /* apply init values */
+ this->name = strdup(name);
+ this->lifetime = lifetime;
+ this->rekeytime = rekeytime;
+ this->jitter = jitter;
+ this->updown = updown ? strdup(updown) : NULL;
+ this->hostaccess = hostaccess;
+ this->mode = mode;
+
+ /* initialize private members*/
+ this->refcount = 1;
+ this->proposals = linked_list_create();
+ this->my_ts = linked_list_create();
+ this->other_ts = linked_list_create();
+
+ return &this->public;
+}
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
new file mode 100644
index 000000000..e1a6553b4
--- /dev/null
+++ b/src/charon/config/child_cfg.h
@@ -0,0 +1,251 @@
+/**
+ * @file child_cfg.h
+ *
+ * @brief Interface of child_cfg_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CHILD_CFG_H_
+#define CHILD_CFG_H_
+
+typedef enum mode_t mode_t;
+typedef struct child_cfg_t child_cfg_t;
+
+#include <library.h>
+#include <config/proposal.h>
+#include <config/traffic_selector.h>
+
+/**
+ * @brief Mode of an CHILD_SA.
+ *
+ * These are equal to those defined in XFRM, so don't change.
+ *
+ * @ingroup config
+ */
+enum mode_t {
+ /** transport mode, no inner address */
+ MODE_TRANSPORT = 0,
+ /** tunnel mode, inner and outer addresses */
+ MODE_TUNNEL = 1,
+ /** BEET mode, tunnel mode but fixed, bound inner addresses */
+ MODE_BEET = 4,
+};
+
+/**
+ * enum names for mode_t.
+ */
+extern enum_name_t *mode_names;
+
+/**
+ * @brief A child_cfg_t defines the config template for a CHILD_SA.
+ *
+ * After creation, proposals and traffic selectors may be added to the config.
+ * A child_cfg object is referenced multiple times, and is not thread save.
+ * Reading from the object is save, adding things is not allowed while other
+ * threads may access the object.
+ * A reference counter handles the number of references hold to this config.
+ *
+ * @see peer_cfg_t to get an overview over the configurations.
+ *
+ * @b Constructors:
+ * - child_cfg_create()
+ *
+ * @ingroup config
+ */
+struct child_cfg_t {
+
+ /**
+ * @brief Get the name of the child_cfg.
+ *
+ * @param this calling object
+ * @return child_cfg's name
+ */
+ char *(*get_name) (child_cfg_t *this);
+
+ /**
+ * @brief Add a proposal to the list.
+ *
+ * The proposals are stored by priority, first added
+ * is the most prefered.
+ * After add, proposal is owned by child_cfg.
+ *
+ * @param this calling object
+ * @param proposal proposal to add
+ */
+ void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
+
+ /**
+ * @brief Get the list of proposals for the CHILD_SA.
+ *
+ * Resulting list and all of its proposals must be freed after use.
+ *
+ * @param this calling object
+ * @param strip_dh TRUE strip out diffie hellman groups
+ * @return list of proposals
+ */
+ linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
+
+ /**
+ * @brief Select a proposal from a supplied list.
+ *
+ * Returned propsal is newly created and must be destroyed after usage.
+ *
+ * @param this calling object
+ * @param proposals list from from wich proposals are selected
+ * @param strip_dh TRUE strip out diffie hellman groups
+ * @return selected proposal, or NULL if nothing matches
+ */
+ proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
+ bool strip_dh);
+
+ /**
+ * @brief Add a traffic selector to the config.
+ *
+ * Use the "local" parameter to add it for the local or the remote side.
+ * After add, traffic selector is owned by child_cfg.
+ *
+ * @param this calling object
+ * @param local TRUE for local side, FALSE for remote
+ * @param ts traffic_selector to add
+ */
+ void (*add_traffic_selector)(child_cfg_t *this, bool local,
+ traffic_selector_t *ts);
+
+ /**
+ * @brief Get a list of traffic selectors to use for the CHILD_SA.
+ *
+ * The config contains two set of traffic selectors, one for the local
+ * side, one for the remote side.
+ * If a list with traffic selectors is supplied, these are used to narrow
+ * down the traffic selector list to the greatest common divisor.
+ * Some traffic selector may be "dymamic", meaning they are narrowed down
+ * to a specific address (host-to-host or virtual-IP setups). Use
+ * the "host" parameter to narrow such traffic selectors to that address.
+ * Resulted list and its traffic selectors must be destroyed after use.
+ *
+ * @param this calling object
+ * @param local TRUE for TS on local side, FALSE for remote
+ * @param supplied list with TS to select from, or NULL
+ * @param host address to use for narrowing "dynamic" TS', or NULL
+ * @return list containing the traffic selectors
+ */
+ linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
+ linked_list_t *supplied,
+ host_t *host);
+
+ /**
+ * @brief Get the updown script to run for the CHILD_SA.
+ *
+ * @param this calling object
+ * @return path to updown script
+ */
+ char* (*get_updown)(child_cfg_t *this);
+
+ /**
+ * @brief Should we allow access to the local host (gateway)?
+ *
+ * @param this calling object
+ * @return value of hostaccess flag
+ */
+ bool (*get_hostaccess) (child_cfg_t *this);
+
+ /**
+ * @brief Get the lifetime of a CHILD_SA.
+ *
+ * If "rekey" is set to TRUE, a lifetime is returned before the first
+ * rekeying should be started. If it is FALSE, the actual lifetime is
+ * returned when the CHILD_SA must be deleted.
+ * The rekey time automatically contains a jitter to avoid simlutaneous
+ * rekeying.
+ *
+ * @param this child_cfg
+ * @param rekey TRUE to get rekey time
+ * @return lifetime in seconds
+ */
+ u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey);
+
+ /**
+ * @brief Get the mode to use for the CHILD_SA.
+ *
+ * The mode is either tunnel, transport or BEET. The peer must agree
+ * on the method, fallback is tunnel mode.
+ *
+ * @param this child_cfg
+ * @return lifetime in seconds
+ */
+ mode_t (*get_mode) (child_cfg_t *this);
+
+ /**
+ * @brief Get the DH group to use for CHILD_SA setup.
+ *
+ * @param this calling object
+ * @return dh group to use
+ */
+ diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
+
+ /**
+ * @brief Get a new reference.
+ *
+ * Get a new reference to this child_cfg by increasing
+ * it's internal reference counter.
+ * Do not call get_ref or any other function until you
+ * already have a reference. Otherwise the object may get
+ * destroyed while calling get_ref(),
+ *
+ * @param this calling object
+ */
+ void (*get_ref) (child_cfg_t *this);
+
+ /**
+ * @brief Destroys the child_cfg object.
+ *
+ * Decrements the internal reference counter and
+ * destroys the child_cfg when it reaches zero.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (child_cfg_t *this);
+};
+
+/**
+ * @brief Create a configuration template for CHILD_SA setup.
+ *
+ * The "name" string gets cloned.
+ * Lifetimes are in seconds. To prevent to peers to start rekeying at the
+ * same time, a jitter may be specified. Rekeying of an SA starts at
+ * (rekeytime - random(0, jitter)). You should specify
+ * lifetime > rekeytime > jitter.
+ * After a call to create, a reference is obtained (refcount = 1).
+ *
+ * @param name name of the child_cfg
+ * @param lifetime lifetime after CHILD_SA expires and gets deleted
+ * @param rekeytime time when rekeying should be initiated
+ * @param jitter range of randomization time to remove from rekeytime
+ * @param updown updown script to execute on up/down event
+ * @param hostaccess TRUE to allow access to the local host
+ * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
+ * @return child_cfg_t object
+ *
+ * @ingroup config
+ */
+child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
+ u_int32_t rekeytime, u_int32_t jitter,
+ char *updown, bool hostaccess, mode_t mode);
+
+#endif /* CHILD_CFG_H_ */
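Review bot: `typedef enum mode_t mode_t;` near the top of this header and the `enum mode_t` definition below it reuse the name of the POSIX `mode_t` type (file permission bits from `<sys/types.h>`), so a translation unit that sees both declarations gets a conflicting typedef, and one that sees only this header silently gives `mode_t` a different meaning; a project-specific name such as `ipsec_mode_t` (with `ipsec_mode_names`) would avoid the clash. The doc comment on `get_mode` also has a copy-paste error: `@return lifetime in seconds` should read `@return mode to use for the CHILD_SA`, and "not thread save" / "Reading from the object is save" in the struct comment should be "safe". The `child_cfg_create` documentation asks callers to keep `lifetime > rekeytime > jitter`, but nothing in this header or in the visible constructor body of the preceding hunk checks it, and since `get_lifetime` returns a `u_int32_t` computed as `rekeytime - random(0, jitter)`, a jitter larger than rekeytime would presumably wrap to a huge value rather than fail; either validate the three values in the constructor or state in the `@param jitter` line that the constraint is unchecked.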
diff --git a/src/charon/config/configuration.c b/src/charon/config/configuration.c
deleted file mode 100755
index 488ba9a5e..000000000
--- a/src/charon/config/configuration.c
+++ /dev/null
@@ -1,162 +0,0 @@
-/**
- * @file configuration.c
- *
- * @brief Implementation of configuration_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <math.h>
-
-#include "configuration.h"
-
-#include <library.h>
-
-/**
- * Timeout in milliseconds after that a half open IKE_SA gets deleted.
- */
-#define HALF_OPEN_IKE_SA_TIMEOUT 30000
-
-/**
- * Retransmission uses a backoff algorithm. The timeout is calculated using
- * TIMEOUT * (BASE ** try).
- * When try reaches TRIES, retransmission is given up.
- *
- * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us:
- *
- * | relative | absolute
- * ---------------------------------------------------------
- * 4s * (1.8 ** (0 % 5)) = 4s 4s
- * 4s * (1.8 ** (1 % 5)) = 7s 11s
- * 4s * (1.8 ** (2 % 5)) = 13s 24s
- * 4s * (1.8 ** (3 % 5)) = 23s 47s
- * 4s * (1.8 ** (4 % 5)) = 42s 89s
- * 4s * (1.8 ** (5 % 5)) = 76s 165s
- *
- * The peer is considered dead after 2min 45s when no reply comes in.
- */
-
-/**
- * First retransmit timeout in milliseconds.
- * Timeout value is increasing in each retransmit round.
- */
-#define RETRANSMIT_TIMEOUT 4000
-
-/**
- * Base which is raised to the power of the retransmission count.
- */
-#define RETRANSMIT_BASE 1.8
-
-/**
- * Number of retransmits done in a retransmit sequence
- */
-#define RETRANSMIT_TRIES 5
-
-/**
- * Keepalive interval in seconds.
- */
-#define KEEPALIVE_INTERVAL 20
-
-/**
- * retry interval in seconds.
- */
-#define RETRY_INTERVAL 30
-
-/**
- * jitter to user for retrying
- */
-#define RETRY_JITTER 20
-
-
-typedef struct private_configuration_t private_configuration_t;
-
-/**
- * Private data of an configuration_t object.
- */
-struct private_configuration_t {
-
- /**
- * Public part of configuration_t object.
- */
- configuration_t public;
-
-};
-
-/**
- * Implementation of configuration_t.get_retransmit_timeout.
- */
-static u_int32_t get_retransmit_timeout (private_configuration_t *this,
- u_int32_t retransmit_count)
-{
- if (retransmit_count > RETRANSMIT_TRIES)
- {
- /* give up */
- return 0;
- }
- return (u_int32_t)
- (RETRANSMIT_TIMEOUT * pow(RETRANSMIT_BASE, retransmit_count));
-}
-
-/**
- * Implementation of configuration_t.get_half_open_ike_sa_timeout.
- */
-static u_int32_t get_half_open_ike_sa_timeout (private_configuration_t *this)
-{
- return HALF_OPEN_IKE_SA_TIMEOUT;
-}
-
-/**
- * Implementation of configuration_t.get_keepalive_interval.
- */
-static u_int32_t get_keepalive_interval (private_configuration_t *this)
-{
- return KEEPALIVE_INTERVAL;
-}
-
-/**
- * Implementation of configuration_t.get_retry_interval.
- */
-static u_int32_t get_retry_interval (private_configuration_t *this)
-{
- return RETRY_INTERVAL - (random() % RETRY_JITTER);
-}
-
-/**
- * Implementation of configuration_t.destroy.
- */
-static void destroy(private_configuration_t *this)
-{
- free(this);
-}
-
-/*
- * Described in header-file
- */
-configuration_t *configuration_create()
-{
- private_configuration_t *this = malloc_thing(private_configuration_t);
-
- /* public functions */
- this->public.destroy = (void(*)(configuration_t*))destroy;
- this->public.get_retransmit_timeout = (u_int32_t (*) (configuration_t*,u_int32_t))get_retransmit_timeout;
- this->public.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_t*)) get_half_open_ike_sa_timeout;
- this->public.get_keepalive_interval = (u_int32_t (*) (configuration_t*)) get_keepalive_interval;
- this->public.get_retry_interval = (u_int32_t (*) (configuration_t*)) get_retry_interval;
-
- return (&this->public);
-}
diff --git a/src/charon/config/configuration.h b/src/charon/config/configuration.h
deleted file mode 100755
index c1207171d..000000000
--- a/src/charon/config/configuration.h
+++ /dev/null
@@ -1,102 +0,0 @@
-/**
- * @file configuration.h
- *
- * @brief Interface configuration_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef CONFIGURATION_H_
-#define CONFIGURATION_H_
-
-typedef struct configuration_t configuration_t;
-
-#include <library.h>
-
-/**
- * @brief The interface for various daemon related configs.
- *
- * @b Constructors:
- * - configuration_create()
- *
- * @ingroup config
- */
-struct configuration_t {
-
- /**
- * @brief Returns the retransmit timeout.
- *
- * A return value of zero means the request should not be
- * retransmitted again.
- *
- * @param this calling object
- * @param retransmitted number of times a message was retransmitted so far
- * @return time in milliseconds, when to do next retransmit
- */
- u_int32_t (*get_retransmit_timeout) (configuration_t *this,
- u_int32_t retransmitted);
-
- /**
- * @brief Returns the timeout for an half open IKE_SA in ms.
- *
- * Half open means that the IKE_SA is still on a not established state
- *
- * @param this calling object
- * @return timeout in milliseconds (ms)
- */
- u_int32_t (*get_half_open_ike_sa_timeout) (configuration_t *this);
-
- /**
- * @brief Returns the keepalive interval in s.
- *
- * The keepalive interval defines the idle time after which a
- * NAT keepalive packet should be sent.
- *
- * @param this calling object
- * @return interval in s
- */
- u_int32_t (*get_keepalive_interval) (configuration_t *this);
-
- /**
- * @brief Returns the interval to retry a failed action again.
- *
- * In some situations, the protocol may be in a state where processing
- * is not possible and an action must be retried (e.g. rekeying).
- *
- * @param this calling object
- * @return interval in s
- */
- u_int32_t (*get_retry_interval) (configuration_t *this);
-
- /**
- * @brief Destroys a configuration_t object.
- *
- * @param this calling object
- */
- void (*destroy) (configuration_t *this);
-};
-
-/**
- * @brief Creates a configuration backend.
- *
- * @return static_configuration_t object
- *
- * @ingroup config
- */
-configuration_t *configuration_create(void);
-
-#endif /*CONFIGURATION_H_*/
diff --git a/src/charon/config/connections/connection.c b/src/charon/config/connections/connection.c
deleted file mode 100644
index ffe508992..000000000
--- a/src/charon/config/connections/connection.c
+++ /dev/null
@@ -1,404 +0,0 @@
-/**
- * @file connection.c
- *
- * @brief Implementation of connection_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include <config/connections/connection.h>
-#include <utils/linked_list.h>
-
-ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
- "CERT_ALWAYS_SEND",
- "CERT_SEND_IF_ASKED",
- "CERT_NEVER_SEND"
-);
-
-typedef struct private_connection_t private_connection_t;
-
-/**
- * Private data of an connection_t object
- */
-struct private_connection_t {
-
- /**
- * Public part
- */
- connection_t public;
-
- /**
- * Number of references hold by others to this connection
- */
- refcount_t refcount;
-
- /**
- * Name of the connection
- */
- char *name;
-
- /**
- * Does charon handle this connection? Or can he ignore it?
- */
- bool ikev2;
-
- /**
- * should we send a certificate request?
- */
- cert_policy_t certreq_policy;
-
- /**
- * should we send a certificates?
- */
- cert_policy_t cert_policy;
-
- /**
- * ID of us
- */
- identification_t *my_id;
-
- /**
- * Host information of my host.
- */
- host_t *my_host;
-
- /**
- * Host information of other host.
- */
- host_t *other_host;
-
- /**
- * Interval to send DPD liveness checks on inactivity
- */
- u_int32_t dpd_delay;
-
- /**
- * Number of retransmission sequences to send bevore giving up
- */
- u_int32_t keyingtries;
-
- /**
- * Supported proposals
- */
- linked_list_t *proposals;
-
- /**
- * Time before an SA gets invalid
- */
- u_int32_t soft_lifetime;
-
- /**
- * Time before an SA gets rekeyed
- */
- u_int32_t hard_lifetime;
-
- /**
- * Use full reauthentication instead of rekeying
- */
- bool reauth;
-
- /**
- * Time, which specifies the range of a random value
- * substracted from soft_lifetime.
- */
- u_int32_t jitter;
-};
-
-/**
- * Implementation of connection_t.get_name.
- */
-static char *get_name (private_connection_t *this)
-{
- return this->name;
-}
-
-/**
- * Implementation of connection_t.is_ikev2.
- */
-static bool is_ikev2 (private_connection_t *this)
-{
- return this->ikev2;
-}
-
-/**
- * Implementation of connection_t.get_certreq_policy.
- */
-static cert_policy_t get_certreq_policy (private_connection_t *this)
-{
- return this->certreq_policy;
-}
-
-/**
- * Implementation of connection_t.get_cert_policy.
- */
-static cert_policy_t get_cert_policy (private_connection_t *this)
-{
- return this->cert_policy;
-}
-
-/**
- * Implementation of connection_t.get_my_host.
- */
-static host_t *get_my_host (private_connection_t *this)
-{
- return this->my_host;
-}
-
-/**
- * Implementation of connection_t.get_other_host.
- */
-static host_t *get_other_host (private_connection_t *this)
-{
- return this->other_host;
-}
-
-/**
- * Implementation of connection_t.get_proposals.
- */
-static linked_list_t* get_proposals(private_connection_t *this)
-{
- iterator_t *iterator;
- proposal_t *current;
- linked_list_t *proposals = linked_list_create();
-
- iterator = this->proposals->create_iterator(this->proposals, TRUE);
- while (iterator->iterate(iterator, (void**)&current))
- {
- current = current->clone(current);
- proposals->insert_last(proposals, (void*)current);
- }
- iterator->destroy(iterator);
-
- return proposals;
-}
-
-/**
- * Implementation of connection_t.select_proposal.
- */
-static proposal_t *select_proposal(private_connection_t *this, linked_list_t *proposals)
-{
- iterator_t *stored_iter, *supplied_iter;
- proposal_t *stored, *supplied, *selected;
-
- stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
- supplied_iter = proposals->create_iterator(proposals, TRUE);
-
- /* compare all stored proposals with all supplied. Stored ones are preferred. */
- while (stored_iter->iterate(stored_iter, (void**)&stored))
- {
- supplied_iter->reset(supplied_iter);
-
- while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
- {
- selected = stored->select(stored, supplied);
- if (selected)
- {
- /* they match, return */
- stored_iter->destroy(stored_iter);
- supplied_iter->destroy(supplied_iter);
- return selected;
- }
- }
- }
- /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
- stored_iter->destroy(stored_iter);
- supplied_iter->destroy(supplied_iter);
-
- return NULL;
-}
-
-/**
- * Implementation of connection_t.add_proposal.
- */
-static void add_proposal(private_connection_t *this, proposal_t *proposal)
-{
- this->proposals->insert_last(this->proposals, proposal);
-}
-
-/**
- * Implementation of connection_t.get_dpd_delay.
- */
-static u_int32_t get_dpd_delay(private_connection_t *this)
-{
- return this->dpd_delay;
-}
-
-/**
- * Implementation of connection_t.get_keyingtries.
- */
-static u_int32_t get_keyingtries(private_connection_t *this)
-{
- return this->keyingtries;
-}
-
-/**
- * Implementation of connection_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(private_connection_t *this)
-{
- iterator_t *iterator;
- proposal_t *proposal;
- algorithm_t *algo;
- diffie_hellman_group_t dh_group = MODP_NONE;
-
- iterator = this->proposals->create_iterator(this->proposals, TRUE);
- while (iterator->iterate(iterator, (void**)&proposal))
- {
- if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo))
- {
- dh_group = algo->algorithm;
- break;
- }
- }
- iterator->destroy(iterator);
- return dh_group;
-}
-
-/**
- * Implementation of connection_t.check_dh_group.
- */
-static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh_group)
-{
- iterator_t *prop_iter, *alg_iter;
- proposal_t *proposal;
- algorithm_t *algo;
-
- prop_iter = this->proposals->create_iterator(this->proposals, TRUE);
- while (prop_iter->iterate(prop_iter, (void**)&proposal))
- {
- alg_iter = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP);
- while (alg_iter->iterate(alg_iter, (void**)&algo))
- {
- if (algo->algorithm == dh_group)
- {
- prop_iter->destroy(prop_iter);
- alg_iter->destroy(alg_iter);
- return TRUE;
- }
- }
- alg_iter->destroy(alg_iter);
- }
- prop_iter->destroy(prop_iter);
- return FALSE;
-}
-/**
- * Implementation of connection_t.get_soft_lifetime
- */
-static u_int32_t get_soft_lifetime(private_connection_t *this)
-{
- if (this->jitter == 0)
- {
- return this->soft_lifetime ;
- }
- return this->soft_lifetime - (random() % this->jitter);
-}
-
-/**
- * Implementation of connection_t.get_hard_lifetime.
- */
-static u_int32_t get_hard_lifetime(private_connection_t *this)
-{
- return this->hard_lifetime;
-}
-
-/**
- * Implementation of connection_t.get_reauth.
- */
-static bool get_reauth(private_connection_t *this)
-{
- return this->reauth;
-}
-
-/**
- * Implementation of connection_t.get_ref.
- */
-static void get_ref(private_connection_t *this)
-{
- ref_get(&this->refcount);
-}
-
-/**
- * Implementation of connection_t.destroy.
- */
-static void destroy(private_connection_t *this)
-{
- if (ref_put(&this->refcount))
- {
- this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
- this->my_host->destroy(this->my_host);
- this->other_host->destroy(this->other_host);
- free(this->name);
- free(this);
- }
-}
-
-/**
- * Described in header.
- */
-connection_t * connection_create(char *name, bool ikev2,
- cert_policy_t cert_policy,
- cert_policy_t certreq_policy,
- host_t *my_host, host_t *other_host,
- u_int32_t dpd_delay, bool reauth,
- u_int32_t keyingtries,
- u_int32_t hard_lifetime,
- u_int32_t soft_lifetime, u_int32_t jitter)
-{
- private_connection_t *this = malloc_thing(private_connection_t);
-
- /* public functions */
- this->public.get_name = (char*(*)(connection_t*))get_name;
- this->public.is_ikev2 = (bool(*)(connection_t*))is_ikev2;
- this->public.get_cert_policy = (cert_policy_t(*)(connection_t*))get_cert_policy;
- this->public.get_certreq_policy = (cert_policy_t(*)(connection_t*))get_certreq_policy;
- this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host;
- this->public.get_other_host = (host_t*(*)(connection_t*))get_other_host;
- this->public.get_proposals = (linked_list_t*(*)(connection_t*))get_proposals;
- this->public.select_proposal = (proposal_t*(*)(connection_t*,linked_list_t*))select_proposal;
- this->public.add_proposal = (void(*)(connection_t*, proposal_t*)) add_proposal;
- this->public.get_dpd_delay = (u_int32_t(*)(connection_t*)) get_dpd_delay;
- this->public.get_reauth = (bool(*)(connection_t*)) get_reauth;
- this->public.get_keyingtries = (u_int32_t(*)(connection_t*)) get_keyingtries;
- this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group;
- this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group;
- this->public.get_soft_lifetime = (u_int32_t (*) (connection_t *))get_soft_lifetime;
- this->public.get_hard_lifetime = (u_int32_t (*) (connection_t *))get_hard_lifetime;
- this->public.get_ref = (void(*)(connection_t*))get_ref;
- this->public.destroy = (void(*)(connection_t*))destroy;
-
- /* private variables */
- this->refcount = 1;
- this->name = strdup(name);
- this->ikev2 = ikev2;
- this->cert_policy = cert_policy;
- this->certreq_policy = certreq_policy;
- this->my_host = my_host;
- this->other_host = other_host;
- this->dpd_delay = dpd_delay;
- this->reauth = reauth;
- this->keyingtries = keyingtries;
- this->hard_lifetime = hard_lifetime;
- this->soft_lifetime = soft_lifetime;
- this->jitter = jitter;
-
- this->proposals = linked_list_create();
-
- return &this->public;
-}
diff --git a/src/charon/config/connections/connection.h b/src/charon/config/connections/connection.h
deleted file mode 100644
index d0788876f..000000000
--- a/src/charon/config/connections/connection.h
+++ /dev/null
@@ -1,292 +0,0 @@
-/**
- * @file connection.h
- *
- * @brief Interface of connection_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef CONNECTION_H_
-#define CONNECTION_H_
-
-typedef enum cert_policy_t cert_policy_t;
-typedef struct connection_t connection_t;
-
-#include <library.h>
-#include <utils/host.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-#include <config/proposal.h>
-#include <crypto/diffie_hellman.h>
-
-
-/**
- * Certificate sending policy. This is also used for certificate
- * requests when using this definition for the other peer. If
- * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
- * included.
- *
- * @ingroup config
- *
- * @warning These definitions must be the same as in pluto/starter,
- * as they are sent over the stroke socket.
- */
-enum cert_policy_t {
- /** always send certificates, even when not requested */
- CERT_ALWAYS_SEND = 0,
- /** send certificate upon cert request */
- CERT_SEND_IF_ASKED = 1,
- /** never send a certificate, even when requested */
- CERT_NEVER_SEND = 2,
-};
-
-/**
- * enum strings for cert_policy_t
- *
- * @ingroup config
- */
-extern enum_name_t *cert_policy_names;
-
-/**
- * @brief A connection_t defines the rules to set up an IKE_SA.
- *
- * @b Constructors:
- * - connection_create()
- *
- * @ingroup config
- */
-struct connection_t {
-
- /**
- * @brief Get my address as host_t object.
- *
- * Object is NOT getting cloned.
- *
- * @param this calling object
- * @return host information as host_t object
- */
- host_t *(*get_my_host) (connection_t *this);
-
- /**
- * @brief Get others address as host_t object.
- *
- * Object is NOT getting cloned.
- *
- * @param this calling object
- * @return host information as host_t object
- */
- host_t *(*get_other_host) (connection_t *this);
-
- /**
- * @brief Returns a list of all supported proposals.
- *
- * Returned list and its proposals must be destroyed after usage.
- *
- * @param this calling object
- * @return list containing all the proposals
- */
- linked_list_t *(*get_proposals) (connection_t *this);
-
- /**
- * @brief Adds a proposal to the list.
- *
- * The first added proposal has the highest priority, the last
- * added the lowest.
- *
- * @param this calling object
- * @param proposal proposal to add
- */
- void (*add_proposal) (connection_t *this, proposal_t *proposal);
-
- /**
- * @brief Select a proposed from suggested proposals.
- *
- * Returned proposal must be destroyed after usage.
- *
- * @param this calling object
- * @param proposals list of proposals to select from
- * @return selected proposal, or NULL if none matches.
- */
- proposal_t *(*select_proposal) (connection_t *this, linked_list_t *proposals);
-
- /**
- * @brief Get the DPD check interval.
- *
- * @param this calling object
- * @return dpd_delay in seconds
- */
- u_int32_t (*get_dpd_delay) (connection_t *this);
-
- /**
- * @brief Should a full reauthentication be done instead of rekeying?
- *
- * @param this calling object
- * @return TRUE to use full reauthentication
- */
- bool (*get_reauth) (connection_t *this);
-
- /**
- * @brief Get the max number of retransmission sequences.
- *
- * @param this calling object
- * @return max number of retransmission sequences
- */
- u_int32_t (*get_keyingtries) (connection_t *this);
-
- /**
- * @brief Get the connection name.
- *
- * Name must not be freed, since it points to
- * internal data.
- *
- * @param this calling object
- * @return name of the connection
- */
- char* (*get_name) (connection_t *this);
-
- /**
- * @brief Check if the connection is marked as an IKEv2 connection.
- *
- * Since all connections (IKEv1+2) are loaded, but charon handles
- * only those marked with IKEv2, this flag can tell us if we must
- * ignore a connection on initiaton. Then pluto will do it for us.
- *
- * @param this calling object
- * @return - TRUE, if this is an IKEv2 connection
- */
- bool (*is_ikev2) (connection_t *this);
-
- /**
- * @brief Should be sent a certificate request for this connection?
- *
- * A certificate request contains serials of our trusted CA certificates.
- * This flag says if such a request is sent on connection setup to
- * the peer. It should be omitted when CERT_SEND_NEVER, sended otherwise.
- *
- * @param this calling object
- * @return certificate request sending policy
- */
- cert_policy_t (*get_certreq_policy) (connection_t *this);
-
- /**
- * @brief Should be sent a certificate for this connection?
- *
- * Return the policy used to send the certificate.
- *
- * @param this calling object
- * @return certificate sending policy
- */
- cert_policy_t (*get_cert_policy) (connection_t *this);
-
- /**
- * @brief Get the DH group to use for connection initialization.
- *
- * @param this calling object
- * @return dh group to use for initialization
- */
- diffie_hellman_group_t (*get_dh_group) (connection_t *this);
-
- /**
- * @brief Check if a suggested dh group is acceptable.
- *
- * If we guess a wrong DH group for IKE_SA_INIT, the other
- * peer will send us a offer. But is this acceptable for us?
- *
- * @param this calling object
- * @return TRUE if group acceptable
- */
- bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group);
-
- /**
- * @brief Get the lifetime of a connection, before IKE_SA rekeying starts.
- *
- * A call to this function automatically adds a jitter to
- * avoid simultanous rekeying.
- *
- * @param this calling object
- * @return lifetime in seconds
- */
- u_int32_t (*get_soft_lifetime) (connection_t *this);
-
- /**
- * @brief Get the lifetime of a connection, before IKE_SA gets deleted.
- *
- * @param this calling object
- * @return lifetime in seconds
- */
- u_int32_t (*get_hard_lifetime) (connection_t *this);
-
- /**
- * @brief Get a new reference to this connection.
- *
- * Get a new reference to this connection by increasing
- * it's internal reference counter.
- * Do not call get_ref or any other function until you
- * already have a reference. Otherwise the object may get
- * destroyed while calling get_ref(),
- *
- * @param this calling object
- */
- void (*get_ref) (connection_t *this);
-
- /**
- * @brief Destroys a connection_t object.
- *
- * Decrements the internal reference counter and
- * destroys the connection when it reaches zero.
- *
- * @param this calling object
- */
- void (*destroy) (connection_t *this);
-};
-
-/**
- * @brief Creates a connection_t object.
- *
- * Supplied hosts become owned by connection, so
- * do not modify or destroy them after a call to
- * connection_create(). Name gets cloned internally.
- * The retrasmit sequence number says how fast we give up when the peer
- * does not respond. A high value may bridge-over temporary connection
- * problems, a small value can detect dead peers faster.
- *
- * @param name connection identifier
- * @param ikev2 TRUE if this is an IKEv2 connection
- * @param cert_policy certificate send policy
- * @param cert_req_policy certificate request send policy
- * @param my_host host_t representing local address
- * @param other_host host_t representing remote address
- * @param dpd_delay interval of DPD liveness checks
- * @param reauth use full reauthentication instead of rekeying
- * @param keyingtries number of retransmit sequences to use
- * @param hard_lifetime lifetime before deleting an IKE_SA
- * @param soft_lifetime lifetime before rekeying an IKE_SA
- * @param jitter range of randomization time
- * @return connection_t object.
- *
- * @ingroup config
- */
-connection_t * connection_create(char *name, bool ikev2,
- cert_policy_t cert_pol, cert_policy_t req_pol,
- host_t *my_host, host_t *other_host,
- u_int32_t dpd_delay, bool reauth,
- u_int32_t keyingtries,
- u_int32_t hard_lifetime, u_int32_t soft_lifetime,
- u_int32_t jitter);
-
-#endif /* CONNECTION_H_ */
diff --git a/src/charon/config/connections/connection_store.h b/src/charon/config/connections/connection_store.h
deleted file mode 100755
index 70f209d3b..000000000
--- a/src/charon/config/connections/connection_store.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/**
- * @file connection_store.h
- *
- * @brief Interface connection_store_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef CONNECTION_STORE_H_
-#define CONNECTION_STORE_H_
-
-typedef struct connection_store_t connection_store_t;
-
-#include <library.h>
-#include <config/connections/connection.h>
-#include <utils/iterator.h>
-
-/**
- * @brief The interface for a store of connection_t's.
- *
- * @b Constructors:
- * - stroke_create()
- *
- * @ingroup config
- */
-struct connection_store_t {
-
- /**
- * @brief Returns a connection definition identified by two hosts.
- *
- * This call is usefull to get a connection identified by addresses.
- * It may be used after kernel request for traffic protection.
- * The returned connection gets created/cloned and therefore must
- * be destroyed after usage.
- *
- * @param this calling object
- * @param my_id own address of connection
- * @param other_id others address of connection
- * @return
- * - connection_t, if found
- * - NULL otherwise
- */
- connection_t *(*get_connection_by_hosts)(connection_store_t *this,
- host_t *my_host, host_t *other_host);
-
- /**
- * @brief Returns a connection identified by its name.
- *
- * This call is usefull to get a connection identified its
- * name, as on an connection setup.
- *
- * @param this calling object
- * @param name name of the connection to get
- * @return
- * - connection_t, if found
- * - NULL otherwise
- */
- connection_t *(*get_connection_by_name) (connection_store_t *this, char *name);
-
- /**
- * @brief Add a connection to the store.
- *
- * After a successful call, the connection is owned by the store and may
- * not be manipulated nor destroyed.
- *
- * @param this calling object
- * @param connection connection to add
- * @return
- * - SUCCESS, or
- * - FAILED
- */
- status_t (*add_connection) (connection_store_t *this, connection_t *connection);
-
- /**
- * @brief Delete a connection from the store.
- *
- * Remove a connection from the connection store, identified
- * by the connections name.
- *
- * @param this calling object
- * @param name name of the connection to delete
- * @return
- * - SUCCESS, or
- * - NOT_FOUND
- */
- status_t (*delete_connection) (connection_store_t *this, char *name);
-
- /**
- * @brief Get an iterator for the stored connections.
- *
- * @param this calling object
- * @return iterator over all stored connections
- */
- iterator_t* (*create_iterator) (connection_store_t *this);
-
- /**
- * @brief Destroys a connection_store_t object.
- *
- * @param this calling object
- */
- void (*destroy) (connection_store_t *this);
-};
-
-#endif /* CONNECTION_STORE_H_ */
diff --git a/src/charon/config/connections/local_connection_store.c b/src/charon/config/connections/local_connection_store.c
deleted file mode 100644
index df4ec230a..000000000
--- a/src/charon/config/connections/local_connection_store.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/**
- * @file local_connection_store.c
- *
- * @brief Implementation of local_connection_store_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "local_connection_store.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-
-
-typedef struct private_local_connection_store_t private_local_connection_store_t;
-
-/**
- * Private data of an local_connection_store_t object
- */
-struct private_local_connection_store_t {
-
- /**
- * Public part
- */
- local_connection_store_t public;
-
- /**
- * stored connection
- */
- linked_list_t *connections;
-
- /**
- * Mutex to exclusivly access connection list
- */
- pthread_mutex_t mutex;
-};
-
-
-/**
- * Implementation of connection_store_t.get_connection_by_hosts.
- */
-static connection_t *get_connection_by_hosts(private_local_connection_store_t *this, host_t *my_host, host_t *other_host)
-{
- typedef enum {
- PRIO_UNDEFINED= 0x00,
- PRIO_ADDR_ANY= 0x01,
- PRIO_ADDR_MATCH= 0x02
- } prio_t;
-
- prio_t best_prio = PRIO_UNDEFINED;
-
- iterator_t *iterator;
- connection_t *candidate;
- connection_t *found = NULL;
-
- DBG2(DBG_CFG, "looking for connection for host pair %H...%H",
- my_host, other_host);
-
- pthread_mutex_lock(&(this->mutex));
- iterator = this->connections->create_iterator(this->connections, TRUE);
- /* determine closest matching connection */
- while (iterator->iterate(iterator, (void**)&candidate))
- {
- host_t *candidate_my_host;
- host_t *candidate_other_host;
-
- candidate_my_host = candidate->get_my_host(candidate);
- candidate_other_host = candidate->get_other_host(candidate);
-
- /* my_host addresses must match*/
- if (my_host->ip_equals(my_host, candidate_my_host))
- {
- prio_t prio = PRIO_UNDEFINED;
-
- /* exact match of peer host address or wildcard address? */
- if (other_host->ip_equals(other_host, candidate_other_host))
- {
- prio |= PRIO_ADDR_MATCH;
- }
- else if (candidate_other_host->is_anyaddr(candidate_other_host))
- {
- prio |= PRIO_ADDR_ANY;
- }
-
- DBG2(DBG_CFG, "candidate connection \"%s\": %H...%H (prio=%d)",
- candidate->get_name(candidate),
- candidate_my_host, candidate_other_host, prio);
-
- if (prio > best_prio)
- {
- found = candidate;
- best_prio = prio;
- }
- }
- }
- iterator->destroy(iterator);
-
- if (found)
- {
- DBG2(DBG_CFG, "found matching connection \"%s\": %H...%H (prio=%d)",
- found->get_name(found), found->get_my_host(found),
- found->get_other_host(found), best_prio);
-
- /* give out a new reference to it */
- found->get_ref(found);
- }
- pthread_mutex_unlock(&(this->mutex));
- return found;
-}
-
-/**
- * Implementation of connection_store_t.get_connection_by_name.
- */
-static connection_t *get_connection_by_name(private_local_connection_store_t *this, char *name)
-{
- iterator_t *iterator;
- connection_t *current, *found = NULL;
-
- pthread_mutex_lock(&(this->mutex));
- iterator = this->connections->create_iterator(this->connections, TRUE);
- while (iterator->iterate(iterator, (void**)&current))
- {
- if (strcmp(name, current->get_name(current)) == 0)
- {
- found = current;
- break;
- }
- }
- iterator->destroy(iterator);
- pthread_mutex_unlock(&(this->mutex));
-
- if (found)
- {
- /* get a new reference for it */
- found->get_ref(found);
- }
- return found;
-}
-
-/**
- * Implementation of connection_store_t.delete_connection.
- */
-static status_t delete_connection(private_local_connection_store_t *this, char *name)
-{
- iterator_t *iterator;
- connection_t *current;
- bool found = FALSE;
-
- pthread_mutex_lock(&(this->mutex));
- iterator = this->connections->create_iterator(this->connections, TRUE);
- while (iterator->iterate(iterator, (void **)&current))
- {
- if (strcmp(current->get_name(current), name) == 0)
- {
- /* remove connection from list, and destroy it */
- iterator->remove(iterator);
- current->destroy(current);
- found = TRUE;
- break;
- }
- }
- iterator->destroy(iterator);
- pthread_mutex_unlock(&(this->mutex));
- if (found)
- {
- return SUCCESS;
- }
- return NOT_FOUND;
-}
-
-/**
- * Implementation of connection_store_t.add_connection.
- */
-static status_t add_connection(private_local_connection_store_t *this, connection_t *connection)
-{
- pthread_mutex_lock(&(this->mutex));
- this->connections->insert_last(this->connections, connection);
- pthread_mutex_unlock(&(this->mutex));
- return SUCCESS;
-}
-
-/**
- * Implementation of connection_store_t.create_iterator.
- */
-static iterator_t* create_iterator(private_local_connection_store_t *this)
-{
- return this->connections->create_iterator_locked(this->connections,
- &this->mutex);
-}
-
-/**
- * Implementation of connection_store_t.destroy.
- */
-static void destroy (private_local_connection_store_t *this)
-{
- pthread_mutex_lock(&(this->mutex));
- this->connections->destroy_offset(this->connections, offsetof(connection_t, destroy));
- pthread_mutex_unlock(&(this->mutex));
- free(this);
-}
-
-/**
- * Described in header.
- */
-local_connection_store_t * local_connection_store_create(void)
-{
- private_local_connection_store_t *this = malloc_thing(private_local_connection_store_t);
-
- this->public.connection_store.get_connection_by_hosts = (connection_t*(*)(connection_store_t*,host_t*,host_t*))get_connection_by_hosts;
- this->public.connection_store.get_connection_by_name = (connection_t*(*)(connection_store_t*,char*))get_connection_by_name;
- this->public.connection_store.delete_connection = (status_t(*)(connection_store_t*,char*))delete_connection;
- this->public.connection_store.add_connection = (status_t(*)(connection_store_t*,connection_t*))add_connection;
- this->public.connection_store.create_iterator = (iterator_t*(*)(connection_store_t*))create_iterator;
- this->public.connection_store.destroy = (void(*)(connection_store_t*))destroy;
-
- /* private variables */
- this->connections = linked_list_create();
- pthread_mutex_init(&(this->mutex), NULL);
-
- return (&this->public);
-}
diff --git a/src/charon/config/connections/local_connection_store.h b/src/charon/config/connections/local_connection_store.h
deleted file mode 100644
index e78ed809a..000000000
--- a/src/charon/config/connections/local_connection_store.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * @file local_connection_store.h
- *
- * @brief Interface of local_connection_store_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef LOCAL_CONNECTION_H_
-#define LOCAL_CONNECTION_H_
-
-typedef struct local_connection_store_t local_connection_store_t;
-
-#include <library.h>
-#include <config/connections/connection_store.h>
-
-/**
- * @brief A connection_store_t implementation using a simple connection list.
- *
- * The local_connection_store_t class implements the connection_store_t interface
- * as simple as possible. connection_t's are stored in an in-memory list.
- *
- * @b Constructors:
- * - local_connection_store_create()
- *
- * @todo Make thread-save first
- * @todo Add remove_connection method
- *
- * @ingroup config
- */
-struct local_connection_store_t {
-
- /**
- * Implements connection_store_t interface
- */
- connection_store_t connection_store;
-};
-
-/**
- * @brief Creates a local_connection_store_t instance.
- *
- * @return connection store instance.
- *
- * @ingroup config
- */
-local_connection_store_t * local_connection_store_create(void);
-
-#endif /* LOCAL_CONNECTION_H_ */
diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c
index b7b71b9e7..6964345b3 100644
--- a/src/charon/config/credentials/local_credential_store.c
+++ b/src/charon/config/credentials/local_credential_store.c
@@ -24,6 +24,7 @@
#include <dirent.h>
#include <string.h>
#include <pthread.h>
+#include <errno.h>
#include <library.h>
#include <utils/lexparser.h>
@@ -32,13 +33,13 @@
#include <crypto/certinfo.h>
#include <crypto/x509.h>
#include <crypto/ca.h>
+#include <crypto/ac.h>
#include <crypto/crl.h>
#include <asn1/ttodata.h>
#include "local_credential_store.h"
#define PATH_BUF 256
-#define MAX_CA_PATH_LEN 7
typedef struct shared_key_t shared_key_t;
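Review bot: `#define MAX_CA_PATH_LEN 7` is removed here, but MAX_CA_PATH_LEN is still used later in this file by is_trusted and verify (the `for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; ...)` loops and the "maximum ca path length of %d levels reached" messages). The definition must therefore now come from one of the included headers, presumably the newly added `<crypto/ac.h>` or `<crypto/ca.h>`; that header is not on this page, so it cannot be confirmed. If the bound lives in a header now, a short comment at the loops, `/* MAX_CA_PATH_LEN bounds chain walking; defined in crypto/ca.h */` (adjust to the actual header), would spare the next reader the search.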
@@ -103,24 +104,25 @@ static shared_key_t *shared_key_create(chunk_t secret)
| | ca_info_t |
| +--------------------------+
+---------------+ | char *name |
-| x509_t |<--| x509_t *cacert | +----------------------+
-+---------------+ | linked_list_t *certinfos |-->| certinfo_t |
-| chunk_t keyid | | linked_list_t *ocspuris | +----------------------+
-+---------------+ | crl_t *crl | | chunk_t serialNumber |
+| x509_t |<--| x509_t *cacert |
++---------------+ | linked_list_t *attrcerts | +----------------------+
+| chunk_t keyid | | linked_list_t *certinfos |-->| certinfo_t |
++---------------+ | linked_list_t *ocspuris | +----------------------+
+ | | crl_t *crl | | chunk_t serialNumber |
| | linked_list_t *crluris | | cert_status_t status |
- | | pthread_mutex_t mutex | | time_t thisUpdate |
-+---------------+ +--------------------------+ | time_t nextUpdate |
-| x509_t | | | bool once |
-+---------------+ | +----------------------+
-| chunk_t keyid | | |
-+---------------+ +------------------------- + +----------------------+
- | | ca_info_t | | certinfo_t |
- | +--------------------------+ +----------------------+
-+---------------+ | char *name | | chunk_t serialNumber |
-| x509_t |<--| x509_t *cacert | | cert_status_t status |
-+---------------+ | linked_list_t *certinfos | | time_t thisUpdate |
-| chunk_t keyid | | linked_list_t *ocspuris | | time_t nextUpdate |
-+---------------+ | crl_t *crl | | bool once |
++---------------+ | pthread_mutex_t mutex | | time_t thisUpdate |
+| x509_t | +--------------------------+ | time_t nextUpdate |
++---------------+ | | bool once |
+| chunk_t keyid | | +----------------------+
++---------------+ +------------------------- + |
+ | | ca_info_t | +----------------------+
+ | +--------------------------+ | certinfo_t |
++---------------+ | char *name | +----------------------+
+| x509_t |<--| x509_t *cacert | | chunk_t serialNumber |
++---------------+ | linked_list_t *attrcerts | | cert_status_t status |
+| chunk_t keyid | | linked_list_t *certinfos | | time_t thisUpdate |
++---------------+ | linked_list_t *ocspuris | | time_t nextUpdate |
+ | | crl_t *crl | | bool once |
| | linked_list_t *crluris | +----------------------+
| | pthread_mutex_t mutex; | |
| +--------------------------+
@@ -169,11 +171,6 @@ struct private_local_credential_store_t {
* list of X.509 CA information records
*/
linked_list_t *ca_infos;
-
- /**
- * enforce strict crl policy
- */
- bool strict;
};
@@ -302,39 +299,29 @@ static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *th
}
/**
- * Implementation of local_credential_store_t.get_trusted_public_key.
+ * Implementation of credential_store_t.get_issuer.
*/
-static rsa_public_key_t *get_trusted_public_key(private_local_credential_store_t *this,
- identification_t *id)
+static ca_info_t* get_issuer(private_local_credential_store_t *this, x509_t *cert)
{
- cert_status_t status;
- err_t ugh;
-
- x509_t *cert = get_certificate(this, id);
-
- if (cert == NULL)
- return NULL;
+ ca_info_t *found = cert->get_ca_info(cert);
- ugh = cert->is_valid(cert, NULL);
- if (ugh != NULL)
+ if (found == NULL)
{
- DBG1(DBG_CFG, "certificate %s", ugh);
- return NULL;
- }
+ iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE);
+ ca_info_t *ca_info;
- status = cert->get_status(cert);
- if (status == CERT_REVOKED || status == CERT_UNTRUSTED || (this->strict && status != CERT_GOOD))
- {
- DBG1(DBG_CFG, "certificate status: %N", cert_status_names, status);
- return NULL;
- }
- if (status == CERT_GOOD && cert->get_until(cert) < time(NULL))
- {
- DBG1(DBG_CFG, "certificate is good but crl is stale");
- return NULL;
+ while (iterator->iterate(iterator, (void**)&ca_info))
+ {
+ if (ca_info->is_cert_issuer(ca_info, cert))
+ {
+ found = ca_info;
+ cert->set_ca_info(cert, found);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
}
-
- return cert->get_public_key(cert);
+ return found;
}
/**
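Review bot: The new get_issuer caches the match with `cert->set_ca_info(cert, found)`, storing a raw ca_info_t pointer in the certificate without any reference or ownership note, while release_ca_info (still registered in the function table at the end of this file) can remove ca_info records from this->ca_infos; a certificate that cached such a record would then hold a dangling issuer pointer that verify_signature later dereferences through is_strict. Either release_ca_info has to clear the cached ca_info on every certificate that points at the released record, or the lifetime rule must be stated at the cache site, e.g. `/* cached pointer is only valid while the ca_info remains in this->ca_infos */`. Note also that this->ca_infos is iterated without taking a lock, as the old implementation did; whether a lock is needed depends on callers not visible here. Dropping `const` from the cert parameter is a consequence of the caching and should be mentioned in the header comment of the credential_store_t interface.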
@@ -435,29 +422,6 @@ static x509_t* get_ca_certificate_by_keyid(private_local_credential_store_t *thi
}
/**
- * Implementation of credential_store_t.get_issuer.
- */
-static ca_info_t* get_issuer(private_local_credential_store_t *this, const x509_t *cert)
-{
- ca_info_t *found = NULL;
- ca_info_t *ca_info;
-
- iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE);
-
- while (iterator->iterate(iterator, (void**)&ca_info))
- {
- if (ca_info->is_cert_issuer(ca_info, cert))
- {
- found = ca_info;
- break;
- }
- }
- iterator->destroy(iterator);
-
- return found;
-}
-
-/**
* Find an exact copy of a certificate in a linked list
*/
static x509_t* find_certificate(linked_list_t *certs, x509_t *cert)
@@ -509,13 +473,13 @@ static void add_uris(ca_info_t *issuer, x509_t *cert)
/**
* Implementation of credential_store_t.is_trusted
*/
-static bool is_trusted(private_local_credential_store_t *this, x509_t *cert)
+static bool is_trusted(private_local_credential_store_t *this, const char *label, x509_t *cert)
{
int pathlen;
time_t until = UNDEFINED_TIME;
x509_t *cert_to_be_trusted = cert;
- DBG2(DBG_CFG, "establishing trust in certificate:");
+ DBG1(DBG_CFG, "establishing trust in %s certificate:", label);
for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
{
@@ -525,8 +489,8 @@ static bool is_trusted(private_local_credential_store_t *this, x509_t *cert)
rsa_public_key_t *issuer_public_key;
bool valid_signature;
- DBG2(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
- DBG2(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert));
+ DBG1(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
+ DBG1(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert));
ugh = cert->is_valid(cert, &until);
if (ugh != NULL)
@@ -558,18 +522,19 @@ static bool is_trusted(private_local_credential_store_t *this, x509_t *cert)
/* check if cert is a self-signed root ca */
if (pathlen > 0 && cert->is_self_signed(cert))
{
- DBG2(DBG_CFG, "reached self-signed root ca");
+ DBG1(DBG_CFG, "reached self-signed root ca");
cert_to_be_trusted->set_until(cert_to_be_trusted, until);
cert_to_be_trusted->set_status(cert_to_be_trusted, CERT_GOOD);
return TRUE;
}
else
{
- /* go up one step in the trust chain */
+ DBG1(DBG_CFG, "going up one step in the certificate trust chain (%d)",
+ pathlen + 1);
cert = issuer_cert;
}
}
- DBG1(DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+ DBG1(DBG_CFG, "maximum ca path length of %d levels reached", MAX_CA_PATH_LEN);
return FALSE;
}
@@ -584,7 +549,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
x509_t *end_cert = cert;
x509_t *cert_copy = find_certificate(this->certs, end_cert);
- DBG2(DBG_CFG, "verifying end entity certificate:");
+ DBG1(DBG_CFG, "verifying end entity certificate up to trust anchor:");
*found = (cert_copy != NULL);
if (*found)
@@ -595,14 +560,16 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
{
+ bool valid_signature;
err_t ugh = NULL;
ca_info_t *issuer;
x509_t *issuer_cert;
rsa_public_key_t *issuer_public_key;
- bool valid_signature;
+ chunk_t keyid = cert->get_keyid(cert);
DBG1(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
DBG1(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert));
+ DBG1(DBG_CFG, "keyid: %#B", &keyid);
ugh = cert->is_valid(cert, &until);
if (ugh != NULL)
@@ -647,24 +614,29 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
}
else
{
+ bool strict;
time_t nextUpdate;
cert_status_t status;
certinfo_t *certinfo = certinfo_create(cert->get_serialNumber(cert));
- certinfo->set_nextUpdate(certinfo, until);
-
if (pathlen == 0)
{
/* add any crl and ocsp uris contained in the certificate under test */
add_uris(issuer, cert);
}
+ strict = issuer->is_strict(issuer);
+ DBG1(DBG_CFG, "issuer %s a strict crl policy",
+ strict ? "enforces":"does not enforce");
+
/* first check certificate revocation using ocsp */
status = issuer->verify_by_ocsp(issuer, certinfo, &this->public.credential_store);
/* if ocsp service is not available then fall back to crl */
- if ((status == CERT_UNDEFINED) || (status == CERT_UNKNOWN && this->strict))
+ if ((status == CERT_UNDEFINED) || (status == CERT_UNKNOWN && strict))
{
+
+ certinfo->set_status(certinfo, CERT_UNKNOWN);
status = issuer->verify_by_crl(issuer, certinfo, CRL_DIR);
}
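Review bot: The added `+` line directly above `certinfo->set_status(certinfo, CERT_UNKNOWN);` is an empty line inside the if-block and reads as a stray edit; it should be dropped. Removing `certinfo->set_nextUpdate(certinfo, until);` means the certinfo is no longer pre-seeded with the certificate's own validity before verify_by_ocsp/verify_by_crl run; the `nextUpdate` local declared here is read in a later hunk, so if neither verifier sets it on the CERT_GOOD path the value is whatever certinfo_create initialises — the read is outside this hunk and I cannot confirm from here. verify's body starts and ends outside this hunk.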
@@ -674,23 +646,23 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
switch (status)
{
case CERT_GOOD:
- /* set nextUpdate */
- cert->set_until(cert, nextUpdate);
+ /* with strict crl policy the public key must have the same
+ * lifetime as the validity of the ocsp status or crl lifetime
+ */
+ if (strict)
+ {
+ cert->set_until(cert, nextUpdate);
+ until = (nextUpdate < until)? nextUpdate : until;
+ }
/* if status information is stale */
- if (this->strict && nextUpdate < time(NULL))
+ if (strict && nextUpdate < time(NULL))
{
DBG2(DBG_CFG, "certificate is good but status is stale");
certinfo->destroy(certinfo);
return FALSE;
}
DBG1(DBG_CFG, "certificate is good");
-
- /* with strict crl policy the public key must have the same
- * lifetime as the validity of the ocsp status or crl lifetime
- */
- if (this->strict && nextUpdate < until)
- until = nextUpdate;
break;
case CERT_REVOKED:
{
@@ -724,7 +696,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
case CERT_UNDEFINED:
default:
DBG1(DBG_CFG, "certificate status unknown");
- if (this->strict)
+ if (strict)
{
/* update status of end certificate in the credential store */
if (cert_copy)
@@ -738,14 +710,97 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
}
certinfo->destroy(certinfo);
}
- /* go up one step in the trust chain */
+ DBG1(DBG_CFG, "going up one step in the certificate trust chain (%d)",
+ pathlen + 1);
cert = issuer_cert;
}
- DBG1(DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+ DBG1(DBG_CFG, "maximum ca path length of %d levels reached", MAX_CA_PATH_LEN);
return FALSE;
}
/**
+ * Implementation of local_credential_store_t.verify_signature.
+ */
+static status_t verify_signature(private_local_credential_store_t *this,
+ chunk_t hash, chunk_t sig,
+ identification_t *id, ca_info_t **issuer_p)
+{
+ iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
+ status_t sig_status;
+ x509_t *cert;
+
+ /* default return values in case of failure */
+ sig_status = NOT_FOUND;
+ *issuer_p = NULL;
+
+ while (iterator->iterate(iterator, (void**)&cert))
+ {
+ if (id->equals(id, cert->get_subject(cert))
+ || cert->equals_subjectAltName(cert, id))
+ {
+ rsa_public_key_t *public_key = cert->get_public_key(cert);
+ cert_status_t cert_status = cert->get_status(cert);
+
+ DBG2(DBG_CFG, "found candidate peer certificate");
+
+ if (cert_status == CERT_UNDEFINED || cert->get_until(cert) < time(NULL))
+ {
+ bool found;
+
+ if (!verify(this, cert, &found))
+ {
+ sig_status = VERIFY_ERROR;
+ DBG1(DBG_CFG, "candidate peer certificate was not successfully verified");
+ continue;
+ }
+ *issuer_p = get_issuer(this, cert);
+ }
+ else
+ {
+ ca_info_t *issuer = get_issuer(this, cert);
+ chunk_t keyid = public_key->get_keyid(public_key);
+
+ DBG2(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
+ DBG2(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert));
+ DBG2(DBG_CFG, "keyid: %#B", &keyid);
+
+ if (issuer == NULL)
+ {
+ DBG1(DBG_CFG, "candidate peer certificate has no retrievable issuer");
+ sig_status = NOT_FOUND;
+ continue;
+ }
+ if (cert_status == CERT_REVOKED || cert_status == CERT_UNTRUSTED
+ || ((issuer)->is_strict(issuer) && cert_status != CERT_GOOD))
+ {
+ DBG1(DBG_CFG, "candidate peer certificate has an inacceptable status: %N", cert_status_names, cert_status);
+ sig_status = VERIFY_ERROR;
+ continue;
+ }
+ *issuer_p = issuer;
+ }
+ sig_status = public_key->verify_emsa_pkcs1_signature(public_key, hash, sig);
+ if (sig_status == SUCCESS)
+ {
+ DBG2(DBG_CFG, "candidate peer certificate has a matching RSA public key");
+ break;
+ }
+ else
+ {
+ DBG1(DBG_CFG, "candidate peer certificate has a non-matching RSA public key");
+ *issuer_p = NULL;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+ if (sig_status == NOT_FOUND)
+ {
+ DBG1(DBG_CFG, "no candidate peer certificate found");
+ }
+ return sig_status;
+}
+
+/**
* Add a unique certificate to a linked list
*/
static x509_t* add_certificate(linked_list_t *certs, x509_t *cert)
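Review bot: In the new verify_signature the two branches treat a missing issuer differently: the cached-status branch rejects `issuer == NULL` with NOT_FOUND, but the re-verify branch stores `*issuer_p = get_issuer(this, cert)` unchecked and then proceeds to the signature check, so a caller can receive SUCCESS together with `*issuer_p == NULL` and dereference it. The NULL check should be applied after the re-verify path as well, as in the excerpt below. A second, smaller point: `sig_status = NOT_FOUND` in the no-issuer branch overwrites a VERIFY_ERROR recorded for an earlier candidate, so the final "no candidate peer certificate found" message can be logged even though candidates were found and rejected; only assigning NOT_FOUND when sig_status is still NOT_FOUND keeps the log truthful. Style: `((issuer)->is_strict(issuer) && ...)` has redundant parentheses around issuer.

```c
            if (!verify(this, cert, &found))
            {
                /* … unchanged: VERIFY_ERROR logging and continue … */
            }
            *issuer_p = get_issuer(this, cert);
            if (*issuer_p == NULL)
            {
                DBG1(DBG_CFG, "verified peer certificate has no retrievable issuer");
                continue;
            }
```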
@@ -770,7 +825,7 @@ static x509_t* add_certificate(linked_list_t *certs, x509_t *cert)
/**
* Add a unique ca info record to a linked list
*/
-static void add_ca_info(private_local_credential_store_t *this, ca_info_t *ca_info)
+static ca_info_t* add_ca_info(private_local_credential_store_t *this, ca_info_t *ca_info)
{
ca_info_t *current_ca_info;
ca_info_t *found_ca_info = NULL;
@@ -791,11 +846,13 @@ static void add_ca_info(private_local_credential_store_t *this, ca_info_t *ca_in
{
current_ca_info->add_info(current_ca_info, ca_info);
ca_info->destroy(ca_info);
+ ca_info = found_ca_info;
}
else
{
this->ca_infos->insert_last(this->ca_infos, (void*)ca_info);
}
+ return ca_info;
}
/**
@@ -886,12 +943,12 @@ static void load_auth_certificates(private_local_credential_store_t *this,
struct stat stb;
DIR* dir;
- DBG1(DBG_CFG, "loading %s certificates from '%s/'", label, path);
+ DBG1(DBG_CFG, "loading %s certificates from '%s'", label, path);
dir = opendir(path);
if (dir == NULL)
{
- DBG1(DBG_CFG, "error opening %s certs directory %s'", label, path);
+ DBG1(DBG_CFG, "error opening %s certs directory '%s'", label, path);
return;
}
@@ -962,12 +1019,15 @@ static void load_ca_certificates(private_local_credential_store_t *this)
while (iterator->iterate(iterator, (void **)&ca_info))
{
- x509_t *cacert = ca_info->get_certificate(ca_info);
- ca_info_t *issuer = get_issuer(this, cacert);
-
- if (issuer)
+ if (ca_info->is_ca(ca_info))
{
- add_uris(issuer, cacert);
+ x509_t *cacert = ca_info->get_certificate(ca_info);
+ ca_info_t *issuer = get_issuer(this, cacert);
+
+ if (issuer)
+ {
+ add_uris(issuer, cacert);
+ }
}
}
iterator->destroy(iterator);
@@ -975,6 +1035,74 @@ static void load_ca_certificates(private_local_credential_store_t *this)
}
/**
+ * Implements local_credential_store_t.load_aa_certificates
+ */
+static void load_aa_certificates(private_local_credential_store_t *this)
+{
+ load_auth_certificates(this, AUTH_AA, "aa", AA_CERTIFICATE_DIR);
+}
+
+/**
+ * Add a unique attribute certificate to a linked list
+ */
+static void add_attr_certificate(private_local_credential_store_t *this, x509ac_t *cert)
+{
+ /* TODO add a new attribute certificate to the linked list */
+}
+
+/**
+ * Implements local_credential_store_t.load_attr_certificates
+ */
+static void load_attr_certificates(private_local_credential_store_t *this)
+{
+ struct dirent* entry;
+ struct stat stb;
+ DIR* dir;
+
+ const char *path = ATTR_CERTIFICATE_DIR;
+
+ DBG1(DBG_CFG, "loading attribute certificates from '%s'", path);
+
+ dir = opendir(ATTR_CERTIFICATE_DIR);
+ if (dir == NULL)
+ {
+ DBG1(DBG_CFG, "error opening attribute certs directory '%s'", path);
+ return;
+ }
+
+ while ((entry = readdir(dir)) != NULL)
+ {
+ char file[PATH_BUF];
+
+ snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
+
+ if (stat(file, &stb) == -1)
+ {
+ continue;
+ }
+ /* try to parse all regular files */
+ if (stb.st_mode & S_IFREG)
+ {
+ x509ac_t *cert = x509ac_create_from_file(file);
+
+ if (cert)
+ {
+ err_t ugh = cert->is_valid(cert, NULL);
+
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "warning: attribute certificate %s", ugh);
+ }
+ add_attr_certificate(this, cert);
+ }
+ }
+ }
+ closedir(dir);
+
+
+}
+
+/**
* Implements local_credential_store_t.load_ocsp_certificates
*/
static void load_ocsp_certificates(private_local_credential_store_t *this)
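Review bot: add_attr_certificate is a TODO stub, so every x509ac_t that load_attr_certificates obtains from x509ac_create_from_file is neither stored nor released; until the attrcerts list shown in the struct diagram is actually populated, the stub should at least release the object it is handed, otherwise each load leaks one certificate per file. An attribute certificate that fails `cert->is_valid(cert, NULL)` is still passed on with only a warning; if that is intended it deserves a comment, if not a `continue` after the warning is the fix. Two smaller points: `dir = opendir(ATTR_CERTIFICATE_DIR);` should use `path` like the log messages do, and `if (stb.st_mode & S_IFREG)` should be `if (S_ISREG(stb.st_mode))`, since masking with S_IFREG also accepts other file types whose mode bits include that bit. The two blank lines before the closing brace are stray.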
@@ -993,7 +1121,7 @@ static void add_crl(private_local_credential_store_t *this, crl_t *crl, const ch
while (iterator->iterate(iterator, (void**)&ca_info))
{
- if (ca_info->is_crl_issuer(ca_info, crl))
+ if (ca_info->is_ca(ca_info) && ca_info->is_crl_issuer(ca_info, crl))
{
char buffer[BUF_LEN];
chunk_t uri = { buffer, 7 + strlen(path) };
@@ -1027,12 +1155,12 @@ static void load_crls(private_local_credential_store_t *this)
DIR* dir;
crl_t *crl;
- DBG1(DBG_CFG, "loading crls from '%s/'", CRL_DIR);
+ DBG1(DBG_CFG, "loading crls from '%s'", CRL_DIR);
dir = opendir(CRL_DIR);
if (dir == NULL)
{
- DBG1(DBG_CFG, "error opening crl directory %s'", CRL_DIR);
+ DBG1(DBG_CFG, "error opening crl directory '%s'", CRL_DIR);
return;
}
@@ -1300,7 +1428,8 @@ error:
}
else
{
- DBG1(DBG_CFG, "could not open file '%s'", SECRETS_FILE);
+ DBG1(DBG_CFG, "could not open file '%s': %s", SECRETS_FILE,
+ strerror(errno));
}
}
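Review bot: `strerror(errno)` in the new log call is not guaranteed thread-safe and this file includes <pthread.h>; `strerror_r` into a local buffer is the safer form in a multithreaded daemon. errno is also only meaningful if no other library call runs between the failed open of SECRETS_FILE and this DBG1; the open itself is outside the hunk, so that ordering cannot be confirmed here. load_secrets starts outside this hunk.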
@@ -1321,7 +1450,7 @@ static void destroy(private_local_credential_store_t *this)
/**
* Described in header.
*/
-local_credential_store_t * local_credential_store_create(bool strict)
+local_credential_store_t * local_credential_store_create(void)
{
private_local_credential_store_t *this = malloc_thing(private_local_credential_store_t);
@@ -1330,21 +1459,23 @@ local_credential_store_t * local_credential_store_create(bool strict)
this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
this->public.credential_store.get_rsa_private_key = (rsa_private_key_t* (*) (credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
this->public.credential_store.has_rsa_private_key = (bool (*) (credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
- this->public.credential_store.get_trusted_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_trusted_public_key;
this->public.credential_store.get_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_certificate;
this->public.credential_store.get_auth_certificate = (x509_t* (*) (credential_store_t*,u_int,identification_t*))get_auth_certificate;
this->public.credential_store.get_ca_certificate_by_keyid = (x509_t* (*) (credential_store_t*,chunk_t))get_ca_certificate_by_keyid;
- this->public.credential_store.get_issuer = (ca_info_t* (*) (credential_store_t*,const x509_t*))get_issuer;
- this->public.credential_store.is_trusted = (bool (*) (credential_store_t*,x509_t*))is_trusted;
+ this->public.credential_store.get_issuer = (ca_info_t* (*) (credential_store_t*,x509_t*))get_issuer;
+ this->public.credential_store.is_trusted = (bool (*) (credential_store_t*,const char*,x509_t*))is_trusted;
+ this->public.credential_store.verify_signature = (status_t (*) (credential_store_t*,chunk_t,chunk_t,identification_t*,ca_info_t**))verify_signature;
this->public.credential_store.verify = (bool (*) (credential_store_t*,x509_t*,bool*))verify;
this->public.credential_store.add_end_certificate = (x509_t* (*) (credential_store_t*,x509_t*))add_end_certificate;
this->public.credential_store.add_auth_certificate = (x509_t* (*) (credential_store_t*,x509_t*,u_int))add_auth_certificate;
- this->public.credential_store.add_ca_info = (void (*) (credential_store_t*,ca_info_t*))add_ca_info;
+ this->public.credential_store.add_ca_info = (ca_info_t* (*) (credential_store_t*,ca_info_t*))add_ca_info;
this->public.credential_store.release_ca_info = (status_t (*) (credential_store_t*,const char*))release_ca_info;
this->public.credential_store.create_cert_iterator = (iterator_t* (*) (credential_store_t*))create_cert_iterator;
this->public.credential_store.create_auth_cert_iterator = (iterator_t* (*) (credential_store_t*))create_auth_cert_iterator;
this->public.credential_store.create_cainfo_iterator = (iterator_t* (*) (credential_store_t*))create_cainfo_iterator;
this->public.credential_store.load_ca_certificates = (void (*) (credential_store_t*))load_ca_certificates;
+ this->public.credential_store.load_aa_certificates = (void (*) (credential_store_t*))load_aa_certificates;
+ this->public.credential_store.load_attr_certificates = (void (*) (credential_store_t*))load_attr_certificates;
this->public.credential_store.load_ocsp_certificates = (void (*) (credential_store_t*))load_ocsp_certificates;
this->public.credential_store.load_crls = (void (*) (credential_store_t*))load_crls;
this->public.credential_store.load_secrets = (void (*) (credential_store_t*))load_secrets;
@@ -1357,7 +1488,6 @@ local_credential_store_t * local_credential_store_create(bool strict)
this->certs = linked_list_create();
this->auth_certs = linked_list_create();
this->ca_infos = linked_list_create();
- this->strict = strict;
return (&this->public);
}
diff --git a/src/charon/config/credentials/local_credential_store.h b/src/charon/config/credentials/local_credential_store.h
index 88a94d6f9..87a12663a 100644
--- a/src/charon/config/credentials/local_credential_store.h
+++ b/src/charon/config/credentials/local_credential_store.h
@@ -54,11 +54,10 @@ struct local_credential_store_t {
/**
* @brief Creates a local_credential_store_t instance.
*
- * @param strict enforce a strict crl policy
* @return credential store instance.
*
* @ingroup config
*/
-local_credential_store_t *local_credential_store_create(bool strict);
+local_credential_store_t *local_credential_store_create(void);
#endif /* LOCAL_CREDENTIAL_H_ */
diff --git a/src/charon/config/ike_cfg.c b/src/charon/config/ike_cfg.c
new file mode 100644
index 000000000..35f46a6b7
--- /dev/null
+++ b/src/charon/config/ike_cfg.c
@@ -0,0 +1,228 @@
+/**
+ * @file ike_cfg.c
+ *
+ * @brief Implementation of ike_cfg_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_cfg.h"
+
+#include <string.h>
+
+
+typedef struct private_ike_cfg_t private_ike_cfg_t;
+
+/**
+ * Private data of an ike_cfg_t object
+ */
+struct private_ike_cfg_t {
+
+ /**
+ * Public part
+ */
+ ike_cfg_t public;
+
+ /**
+ * Number of references hold by others to this ike_cfg
+ */
+ refcount_t refcount;
+
+ /**
+ * Address of local host
+ */
+ host_t *my_host;
+
+ /**
+ * Address of remote host
+ */
+ host_t *other_host;
+
+ /**
+ * should we send a certificate request?
+ */
+ bool certreq;
+
+ /**
+ * List of proposals to use
+ */
+ linked_list_t *proposals;
+};
+
+/**
+ * Implementation of ike_cfg_t.certreq.
+ */
+static bool send_certreq(private_ike_cfg_t *this)
+{
+ return this->certreq;
+}
+
+/**
+ * Implementation of ike_cfg_t.get_my_host.
+ */
+static host_t *get_my_host (private_ike_cfg_t *this)
+{
+ return this->my_host;
+}
+
+/**
+ * Implementation of ike_cfg_t.get_other_host.
+ */
+static host_t *get_other_host (private_ike_cfg_t *this)
+{
+ return this->other_host;
+}
+
+/**
+ * Implementation of ike_cfg_t.add_proposal.
+ */
+static void add_proposal(private_ike_cfg_t *this, proposal_t *proposal)
+{
+ this->proposals->insert_last(this->proposals, proposal);
+}
+
+/**
+ * Implementation of ike_cfg_t.get_proposals.
+ */
+static linked_list_t* get_proposals(private_ike_cfg_t *this)
+{
+ iterator_t *iterator;
+ proposal_t *current;
+ linked_list_t *proposals = linked_list_create();
+
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ current = current->clone(current);
+ proposals->insert_last(proposals, (void*)current);
+ }
+ iterator->destroy(iterator);
+
+ return proposals;
+}
+
+/**
+ * Implementation of ike_cfg_t.select_proposal.
+ */
+static proposal_t *select_proposal(private_ike_cfg_t *this,
+ linked_list_t *proposals)
+{
+ iterator_t *stored_iter, *supplied_iter;
+ proposal_t *stored, *supplied, *selected;
+
+ stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
+ supplied_iter = proposals->create_iterator(proposals, TRUE);
+
+ /* compare all stored proposals with all supplied. Stored ones are preferred.*/
+ while (stored_iter->iterate(stored_iter, (void**)&stored))
+ {
+ supplied_iter->reset(supplied_iter);
+
+ while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
+ {
+ selected = stored->select(stored, supplied);
+ if (selected)
+ {
+ /* they match, return */
+ stored_iter->destroy(stored_iter);
+ supplied_iter->destroy(supplied_iter);
+ return selected;
+ }
+ }
+ }
+ /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
+ stored_iter->destroy(stored_iter);
+ supplied_iter->destroy(supplied_iter);
+
+ return NULL;
+}
+
+/**
+ * Implementation of ike_cfg_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(private_ike_cfg_t *this)
+{
+ iterator_t *iterator;
+ proposal_t *proposal;
+ algorithm_t *algo;
+ diffie_hellman_group_t dh_group = MODP_NONE;
+
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->iterate(iterator, (void**)&proposal))
+ {
+ if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo))
+ {
+ dh_group = algo->algorithm;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return dh_group;
+}
+
+/**
+ * Implementation of ike_cfg_t.get_ref.
+ */
+static void get_ref(private_ike_cfg_t *this)
+{
+ ref_get(&this->refcount);
+}
+
+/**
+ * Implementation of ike_cfg_t.destroy.
+ */
+static void destroy(private_ike_cfg_t *this)
+{
+ if (ref_put(&this->refcount))
+ {
+ this->proposals->destroy_offset(this->proposals,
+ offsetof(proposal_t, destroy));
+ this->my_host->destroy(this->my_host);
+ this->other_host->destroy(this->other_host);
+ free(this);
+ }
+}
+
+/**
+ * Described in header.
+ */
+ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host)
+{
+ private_ike_cfg_t *this = malloc_thing(private_ike_cfg_t);
+
+ /* public functions */
+ this->public.send_certreq = (bool(*)(ike_cfg_t*))send_certreq;
+ this->public.get_my_host = (host_t*(*)(ike_cfg_t*))get_my_host;
+ this->public.get_other_host = (host_t*(*)(ike_cfg_t*))get_other_host;
+ this->public.add_proposal = (void(*)(ike_cfg_t*, proposal_t*)) add_proposal;
+ this->public.get_proposals = (linked_list_t*(*)(ike_cfg_t*))get_proposals;
+ this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*))select_proposal;
+ this->public.get_dh_group = (diffie_hellman_group_t(*)(ike_cfg_t*)) get_dh_group;
+ this->public.get_ref = (void(*)(ike_cfg_t*))get_ref;
+ this->public.destroy = (void(*)(ike_cfg_t*))destroy;
+
+ /* private variables */
+ this->refcount = 1;
+ this->certreq = certreq;
+ this->my_host = my_host;
+ this->other_host = other_host;
+
+ this->proposals = linked_list_create();
+
+ return &this->public;
+}
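Review bot: destroy() calls `this->my_host->destroy(this->my_host)` and `this->other_host->destroy(this->other_host)` unconditionally, while ike_cfg_create stores both pointers without any check, so a caller passing NULL for either host gets a NULL dereference on teardown rather than at construction; either document the non-NULL precondition on ike_cfg_create or use `DESTROY_IF(this->my_host);` and `DESTROY_IF(this->other_host);` as peer_cfg.c does for its optional pointers. The comment above send_certreq names a member that does not exist; it should read `Implementation of ike_cfg_t.send_certreq.`. `#include <string.h>` appears unused in this file, and destroy() relies on offsetof() without including <stddef.h>, which presumably arrives via library.h.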
diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h
new file mode 100644
index 000000000..bcdc90d9e
--- /dev/null
+++ b/src/charon/config/ike_cfg.h
@@ -0,0 +1,151 @@
+/**
+ * @file ike_cfg.h
+ *
+ * @brief Interface of ike_cfg_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_CFG_H_
+#define IKE_CFG_H_
+
+typedef struct ike_cfg_t ike_cfg_t;
+
+#include <library.h>
+#include <utils/host.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <config/proposal.h>
+#include <crypto/diffie_hellman.h>
+
+/**
+ * @brief An ike_cfg_t defines the rules to set up an IKE_SA.
+ *
+ * @see peer_cfg_t to get an overview over the configurations.
+ *
+ * @b Constructors:
+ * - ike_cfg_create()
+ *
+ * @ingroup config
+ */
+struct ike_cfg_t {
+
+ /**
+ * @brief Get own address.
+ *
+ * @param this calling object
+ * @return host information as host_t object
+ */
+ host_t* (*get_my_host) (ike_cfg_t *this);
+
+ /**
+ * @brief Get peers address.
+ *
+ * @param this calling object
+ * @return host information as host_t object
+ */
+ host_t* (*get_other_host) (ike_cfg_t *this);
+
+ /**
+ * @brief Adds a proposal to the list.
+ *
+ * The first added proposal has the highest priority, the last
+ * added the lowest.
+ *
+ * @param this calling object
+ * @param proposal proposal to add
+ */
+ void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);
+
+ /**
+ * @brief Returns a list of all supported proposals.
+ *
+ * Returned list and its proposals must be destroyed after use.
+ *
+ * @param this calling object
+ * @return list containing all the proposals
+ */
+ linked_list_t* (*get_proposals) (ike_cfg_t *this);
+
+ /**
+ * @brief Select a proposed from suggested proposals.
+ *
+ * Returned proposal must be destroyed after use.
+ *
+ * @param this calling object
+ * @param proposals list of proposals to select from
+ * @return selected proposal, or NULL if none matches.
+ */
+ proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals);
+
+ /**
+ * @brief Should we send a certificate request in IKE_SA_INIT?
+ *
+ * @param this calling object
+ * @return certificate request sending policy
+ */
+ bool (*send_certreq) (ike_cfg_t *this);
+
+ /**
+ * @brief Get the DH group to use for IKE_SA setup.
+ *
+ * @param this calling object
+ * @return dh group to use for initialization
+ */
+ diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);
+
+ /**
+ * @brief Get a new reference to this ike_cfg.
+ *
+ * Get a new reference to this ike_cfg by increasing
+ * it's internal reference counter.
+ * Do not call get_ref or any other function until you
+ * already have a reference. Otherwise the object may get
+ * destroyed while calling get_ref(),
+ *
+ * @param this calling object
+ */
+ void (*get_ref) (ike_cfg_t *this);
+
+ /**
+ * @brief Destroys a ike_cfg_t object.
+ *
+ * Decrements the internal reference counter and
+ * destroys the ike_cfg when it reaches zero.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (ike_cfg_t *this);
+};
+
+/**
+ * @brief Creates a ike_cfg_t object.
+ *
+ * Supplied hosts become owned by ike_cfg, the name gets cloned.
+ *
+ * @param name ike_cfg identifier
+ * @param certreq TRUE to send a certificate request
+ * @param my_host host_t representing local address
+ * @param other_host host_t representing remote address
+ * @return ike_cfg_t object.
+ *
+ * @ingroup config
+ */
+ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host);
+
+#endif /* IKE_CFG_H_ */
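Review bot: The ike_cfg_create documentation describes a `name` parameter ("the name gets cloned", `@param name ike_cfg identifier`) that the prototype `ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host);` does not have; drop the `@param name` line and the clone sentence so the doc matches the signature. It would also help callers to state that my_host and other_host must be non-NULL, since the implementation in ike_cfg.c destroys both unconditionally.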
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
new file mode 100644
index 000000000..1d9176e0d
--- /dev/null
+++ b/src/charon/config/peer_cfg.c
@@ -0,0 +1,479 @@
+/**
+ * @file peer_cfg.c
+ *
+ * @brief Implementation of peer_cfg_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <pthread.h>
+
+#include "peer_cfg.h"
+
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
+ "CERT_ALWAYS_SEND",
+ "CERT_SEND_IF_ASKED",
+ "CERT_NEVER_SEND"
+);
+
+ENUM(dpd_action_names, DPD_NONE, DPD_RESTART,
+ "DPD_NONE",
+ "DPD_CLEAR",
+ "DPD_ROUTE",
+ "DPD_RESTART"
+);
+
+typedef struct private_peer_cfg_t private_peer_cfg_t;
+
+/**
+ * Private data of an peer_cfg_t object
+ */
+struct private_peer_cfg_t {
+
+ /**
+ * Public part
+ */
+ peer_cfg_t public;
+
+ /**
+ * Number of references hold by others to this peer_cfg
+ */
+ refcount_t refcount;
+
+ /**
+ * Name of the peer_cfg, used to query it
+ */
+ char *name;
+
+ /**
+ * IKE version to use for initiation
+ */
+ u_int ike_version;
+
+ /**
+ * IKE config associated to this peer config
+ */
+ ike_cfg_t *ike_cfg;
+
+ /**
+ * list of child configs associated to this peer config
+ */
+ linked_list_t *child_cfgs;
+
+ /**
+ * mutex to lock access to list of child_cfgs
+ */
+ pthread_mutex_t mutex;
+
+ /**
+ * id to use to identify us
+ */
+ identification_t *my_id;
+
+ /**
+ * allowed id for other
+ */
+ identification_t *other_id;
+
+ /**
+ * we have a cert issued by this CA
+ */
+ identification_t *my_ca;
+
+ /**
+ * we require the other end to have a cert issued by this CA
+ */
+ identification_t *other_ca;
+
+ /**
+ * should we send a certificate
+ */
+ cert_policy_t cert_policy;
+
+ /**
+ * Method to use for own authentication data
+ */
+ auth_method_t auth_method;
+
+ /**
+ * EAP type to use for peer authentication
+ */
+ eap_type_t eap_type;
+
+ /**
+ * number of tries after giving up if peer does not respond
+ */
+ u_int32_t keyingtries;
+
+ /**
+ * user reauthentication instead of rekeying
+ */
+ bool use_reauth;
+
+ /**
+ * Time before an SA gets invalid
+ */
+ u_int32_t lifetime;
+
+ /**
+ * Time before an SA gets rekeyed
+ */
+ u_int32_t rekeytime;
+
+ /**
+ * Time, which specifies the range of a random value
+ * substracted from lifetime.
+ */
+ u_int32_t jitter;
+
+ /**
+ * What to do with an SA when other peer seams to be dead?
+ */
+ bool dpd_delay;
+
+ /**
+ * What to do with CHILDren when other peer seams to be dead?
+ */
+ bool dpd_action;
+
+ /**
+ * virtual IP to use locally
+ */
+ host_t *my_virtual_ip;
+
+ /**
+ * virtual IP to use remotly
+ */
+ host_t *other_virtual_ip;
+};
+
+/**
+ * Implementation of peer_cfg_t.get_name
+ */
+static char *get_name(private_peer_cfg_t *this)
+{
+ return this->name;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_ike_version
+ */
+static u_int get_ike_version(private_peer_cfg_t *this)
+{
+ return this->ike_version;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_ike_cfg
+ */
+static ike_cfg_t* get_ike_cfg(private_peer_cfg_t *this)
+{
+ return this->ike_cfg;
+}
+
+/**
+ * Implementation of peer_cfg_t.add_child_cfg.
+ */
+static void add_child_cfg(private_peer_cfg_t *this, child_cfg_t *child_cfg)
+{
+ pthread_mutex_lock(&this->mutex);
+ this->child_cfgs->insert_last(this->child_cfgs, child_cfg);
+ pthread_mutex_unlock(&this->mutex);
+}
+
+/**
+ * Implementation of peer_cfg_t.create_child_cfg_iterator.
+ */
+static iterator_t* create_child_cfg_iterator(private_peer_cfg_t *this)
+{
+ return this->child_cfgs->create_iterator_locked(this->child_cfgs,
+ &this->mutex);
+}
+
+/**
+ * Check if child_cfg contains traffic selectors
+ */
+static bool contains_ts(child_cfg_t *child, bool mine, linked_list_t *ts,
+ host_t *host)
+{
+ linked_list_t *selected;
+ bool contains = FALSE;
+
+ selected = child->get_traffic_selectors(child, mine, ts, host);
+ contains = selected->get_count(selected);
+ selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy));
+ return contains;
+}
+
+/**
+ * Implementation of peer_cfg_t.select_child_cfg
+ */
+static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
+ linked_list_t *my_ts,
+ linked_list_t *other_ts,
+ host_t *my_host, host_t *other_host)
+{
+ child_cfg_t *current, *found = NULL;
+ iterator_t *iterator;
+
+ iterator = create_child_cfg_iterator(this);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (contains_ts(current, TRUE, my_ts, my_host) &&
+ contains_ts(current, FALSE, other_ts, other_host))
+ {
+ found = current;
+ found->get_ref(found);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_my_id
+ */
+static identification_t *get_my_id(private_peer_cfg_t *this)
+{
+ return this->my_id;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_other_id
+ */
+static identification_t *get_other_id(private_peer_cfg_t *this)
+{
+ return this->other_id;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_my_ca
+ */
+static identification_t *get_my_ca(private_peer_cfg_t *this)
+{
+ return this->my_ca;
+}
+
+static identification_t *get_other_ca(private_peer_cfg_t *this)
+{
+ return this->other_ca;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_cert_policy.
+ */
+static cert_policy_t get_cert_policy(private_peer_cfg_t *this)
+{
+ return this->cert_policy;
+}
+
+/**
+ * Implementation of connection_t.auth_method_t.
+ */
+static auth_method_t get_auth_method(private_peer_cfg_t *this)
+{
+ return this->auth_method;
+}
+
+/**
+ * Implementation of connection_t.get_eap_type.
+ */
+static eap_type_t get_eap_type(private_peer_cfg_t *this)
+{
+ return this->eap_type;
+}
+
+/**
+ * Implementation of connection_t.get_keyingtries.
+ */
+static u_int32_t get_keyingtries(private_peer_cfg_t *this)
+{
+ return this->keyingtries;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_soft_lifetime
+ */
+static u_int32_t get_lifetime(private_peer_cfg_t *this, bool rekey)
+{
+ if (rekey)
+ {
+ if (this->jitter == 0)
+ {
+ return this->rekeytime;
+ }
+ return this->rekeytime - (random() % this->jitter);
+ }
+ return this->lifetime;
+}
+
+/**
+ * Implementation of peer_cfg_t.use_reauth.
+ */
+static bool use_reauth(private_peer_cfg_t *this, bool rekey)
+{
+ return this->use_reauth;
+}
+
+/**
+ * Implements peer_cfg_t.get_dpd_delay
+ */
+static u_int32_t get_dpd_delay(private_peer_cfg_t *this)
+{
+ return this->dpd_delay;
+}
+
+/**
+ * Implements peer_cfg_t.get_dpd_action
+ */
+static dpd_action_t get_dpd_action(private_peer_cfg_t *this)
+{
+ return this->dpd_action;
+}
+
+/**
+ * Implementation of peer_cfg_t.get_my_virtual_ip.
+ */
+static host_t* get_my_virtual_ip(private_peer_cfg_t *this)
+{
+ if (this->my_virtual_ip == NULL)
+ {
+ return NULL;
+ }
+ return this->my_virtual_ip->clone(this->my_virtual_ip);
+}
+
+/**
+ * Implementation of peer_cfg_t.get_other_virtual_ip.
+ */
+static host_t* get_other_virtual_ip(private_peer_cfg_t *this, host_t *suggestion)
+{
+ if (this->other_virtual_ip == NULL)
+ { /* disallow */
+ return NULL;
+ }
+ if (!this->other_virtual_ip->is_anyaddr(this->other_virtual_ip))
+ { /* force own configuration */
+ return this->other_virtual_ip->clone(this->other_virtual_ip);
+ }
+ if (suggestion == NULL || suggestion->is_anyaddr(suggestion))
+ {
+ return NULL;
+ }
+ return suggestion->clone(suggestion);
+}
+
+/**
+ * Implements peer_cfg_t.get_ref.
+ */
+static void get_ref(private_peer_cfg_t *this)
+{
+ ref_get(&this->refcount);
+}
+
+/**
+ * Implements peer_cfg_t.destroy.
+ */
+static void destroy(private_peer_cfg_t *this)
+{
+ if (ref_put(&this->refcount))
+ {
+ this->ike_cfg->destroy(this->ike_cfg);
+ this->child_cfgs->destroy_offset(this->child_cfgs, offsetof(child_cfg_t, destroy));
+ this->my_id->destroy(this->my_id);
+ this->other_id->destroy(this->other_id);
+ DESTROY_IF(this->my_ca);
+ DESTROY_IF(this->other_ca);
+
+ DESTROY_IF(this->my_virtual_ip);
+ DESTROY_IF(this->other_virtual_ip);
+ free(this->name);
+ free(this);
+ }
+}
+
+/*
+ * Described in header-file
+ */
+peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
+ identification_t *my_id, identification_t *other_id,
+ identification_t *my_ca, identification_t *other_ca,
+ cert_policy_t cert_policy, auth_method_t auth_method,
+ eap_type_t eap_type, u_int32_t keyingtries,
+ u_int32_t lifetime, u_int32_t rekeytime,
+ u_int32_t jitter, bool reauth,
+ u_int32_t dpd_delay, dpd_action_t dpd_action,
+ host_t *my_virtual_ip, host_t *other_virtual_ip)
+{
+ private_peer_cfg_t *this = malloc_thing(private_peer_cfg_t);
+
+ /* public functions */
+ this->public.get_name = (char* (*) (peer_cfg_t *))get_name;
+ this->public.get_ike_version = (u_int(*) (peer_cfg_t *))get_ike_version;
+ this->public.get_ike_cfg = (ike_cfg_t* (*) (peer_cfg_t *))get_ike_cfg;
+ this->public.add_child_cfg = (void (*) (peer_cfg_t *, child_cfg_t*))add_child_cfg;
+ this->public.create_child_cfg_iterator = (iterator_t* (*) (peer_cfg_t *))create_child_cfg_iterator;
+ this->public.select_child_cfg = (child_cfg_t* (*) (peer_cfg_t *,linked_list_t*,linked_list_t*,host_t*,host_t*))select_child_cfg;
+ this->public.get_my_id = (identification_t* (*)(peer_cfg_t*))get_my_id;
+ this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id;
+ this->public.get_my_ca = (identification_t* (*)(peer_cfg_t *))get_my_ca;
+ this->public.get_other_ca = (identification_t* (*)(peer_cfg_t *))get_other_ca;
+ this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy;
+ this->public.get_auth_method = (auth_method_t (*) (peer_cfg_t *))get_auth_method;
+ this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *))get_eap_type;
+ this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
+ this->public.get_lifetime = (u_int32_t (*) (peer_cfg_t *, bool rekey))get_lifetime;
+ this->public.use_reauth = (bool (*) (peer_cfg_t *))use_reauth;
+ this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay;
+ this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action;
+ this->public.get_my_virtual_ip = (host_t* (*) (peer_cfg_t *))get_my_virtual_ip;
+ this->public.get_other_virtual_ip = (host_t* (*) (peer_cfg_t *, host_t *))get_other_virtual_ip;
+ this->public.get_ref = (void(*)(peer_cfg_t *))get_ref;
+ this->public.destroy = (void(*)(peer_cfg_t *))destroy;
+
+ /* apply init values */
+ this->name = strdup(name);
+ this->ike_version = ike_version;
+ this->ike_cfg = ike_cfg;
+ this->child_cfgs = linked_list_create();
+ pthread_mutex_init(&this->mutex, NULL);
+ this->my_id = my_id;
+ this->other_id = other_id;
+ this->my_ca = my_ca;
+ this->other_ca = other_ca;
+ this->cert_policy = cert_policy;
+ this->auth_method = auth_method;
+ this->eap_type = eap_type;
+ this->keyingtries = keyingtries;
+ this->lifetime = lifetime;
+ this->rekeytime = rekeytime;
+ this->jitter = jitter;
+ this->use_reauth = reauth;
+ this->dpd_delay = dpd_delay;
+ this->dpd_action = dpd_action;
+ this->my_virtual_ip = my_virtual_ip;
+ this->other_virtual_ip = other_virtual_ip;
+ this->refcount = 1;
+
+ return &this->public;
+}
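Review bot: `dpd_delay` and `dpd_action` are declared as `bool` in private_peer_cfg_t, but peer_cfg_create receives them as `u_int32_t dpd_delay` and `dpd_action_t dpd_action` and get_dpd_delay/get_dpd_action return those wider types; if `bool` is a C99 _Bool here, the assignments collapse any non-zero delay to 1 second and DPD_ROUTE/DPD_RESTART to the value of DPD_CLEAR, and even if it is an int typedef the declared type is wrong. Change the fields to `u_int32_t dpd_delay;` and `dpd_action_t dpd_action;`. Separately, peer_cfg_create initialises the mutex but destroy() never calls `pthread_mutex_destroy(&this->mutex);`, and get_lifetime computes `this->rekeytime - (random() % this->jitter)` without guarding jitter > rekeytime, which would wrap the unsigned result instead of producing a small rekey time. get_other_ca also lacks the `Implementation of peer_cfg_t.get_other_ca` comment the sibling accessors carry, and the comments on get_auth_method, get_eap_type and get_keyingtries still refer to connection_t.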
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
new file mode 100644
index 000000000..63c87674c
--- /dev/null
+++ b/src/charon/config/peer_cfg.h
@@ -0,0 +1,368 @@
+/**
+ * @file peer_cfg.h
+ *
+ * @brief Interface of peer_cfg_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PEER_CFG_H_
+#define PEER_CFG_H_
+
+typedef enum dpd_action_t dpd_action_t;
+typedef enum cert_policy_t cert_policy_t;
+typedef struct peer_cfg_t peer_cfg_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <config/traffic_selector.h>
+#include <config/proposal.h>
+#include <config/ike_cfg.h>
+#include <config/child_cfg.h>
+#include <sa/authenticators/authenticator.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Certificate sending policy. This is also used for certificate
+ * requests when using this definition for the other peer. If
+ * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
+ * included.
+ *
+ * @ingroup config
+ *
+ * @warning These definitions must be the same as in pluto/starter,
+ * as they are sent over the stroke socket.
+ */
+enum cert_policy_t {
+ /** always send certificates, even when not requested */
+ CERT_ALWAYS_SEND = 0,
+ /** send certificate upon cert request */
+ CERT_SEND_IF_ASKED = 1,
+ /** never send a certificate, even when requested */
+ CERT_NEVER_SEND = 2,
+};
+
+/**
+ * enum strings for cert_policy_t
+ *
+ * @ingroup config
+ */
+extern enum_name_t *cert_policy_names;
+
+/**
+ * @brief Actions to take when a peer does not respond (dead peer detected).
+ *
+ * These values are the same as in pluto/starter, so do not modify them!
+ *
+ * @ingroup config
+ */
+enum dpd_action_t {
+ /** DPD disabled */
+ DPD_NONE,
+ /** remove CHILD_SAs without replacement */
+ DPD_CLEAR,
+ /** route the CHILD_SAs to resetup when needed */
+ DPD_ROUTE,
+ /** restart CHILD_SAs in a new IKE_SA, immediately */
+ DPD_RESTART,
+};
+
+/**
+ * enum names for dpd_action_t.
+ */
+extern enum_name_t *dpd_action_names;
+
+/**
+ * @brief Configuration of a peer, specified by IDs.
+ *
+ * The peer config defines a connection between two given IDs. It contains
+ * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains
+ * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer.
+ * @verbatim
+
+ +-------------------+ +---------------+
+ +---------------+ | peer_cfg | +---------------+ |
+ | ike_cfg | +-------------------+ | child_cfg | |
+ +---------------+ | - ids | +---------------+ |
+ | - hosts | 1 1 | - cas | 1 n | - proposals | |
+ | - proposals |<------| - auth info |-------->| - traffic sel | |
+ | - ... | | - dpd config | | - ... |-+
+ +---------------+ | - ... | +---------------+
+ +-------------------+
+ @endverbatim
+ *
+ * @b Constructors:
+ * - peer_cfg_create()
+ *
+ * @ingroup config
+ */
+struct peer_cfg_t {
+
+ /**
+ * @brief Get the name of the peer_cfg.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return peer_cfg's name
+ */
+ char* (*get_name) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the IKE version to use for initiating.
+ *
+ * @param this calling object
+ * @return IKE major version
+ */
+ u_int (*get_ike_version)(peer_cfg_t *this);
+
+ /**
+ * @brief Get the IKE config to use for initiaton.
+ *
+ * @param this calling object
+ * @return the IKE config to use
+ */
+ ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
+
+ /**
+ * @brief Attach a CHILD config.
+ *
+ * @param this calling object
+ * @param child_cfg CHILD config to add
+ */
+ void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
+
+ /**
+ * @brief Create an iterator for all attached CHILD configs.
+ *
+ * @param this calling object
+ * @return an iterator over all CHILD configs.
+ */
+ iterator_t* (*create_child_cfg_iterator) (peer_cfg_t *this);
+
+ /**
+ * @brief Select a CHILD config from traffic selectors.
+ *
+ * @param this calling object
+ * @param my_ts TS for local side
+ * @param other_ts TS for remote side
+ * @param my_host host to narrow down dynamic TS for local side
+ * @param other_host host to narrow down dynamic TS for remote side
+ * @return selected CHILD config, or NULL if no match found
+ */
+ child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
+ linked_list_t *other_ts, host_t *my_host,
+ host_t *other_host);
+
+ /**
+ * @brief Get own ID.
+ *
+ * @param this calling object
+ * @return own id
+ */
+ identification_t* (*get_my_id)(peer_cfg_t *this);
+
+ /**
+ * @brief Get peers ID.
+ *
+ * @param this calling object
+ * @return other id
+ */
+ identification_t* (*get_other_id)(peer_cfg_t *this);
+
+ /**
+ * @brief Get own CA.
+ *
+ * @param this calling object
+ * @return own ca
+ */
+ identification_t* (*get_my_ca)(peer_cfg_t *this);
+
+ /**
+ * @brief Get peers CA.
+ *
+ * @param this calling object
+ * @return other ca
+ */
+ identification_t* (*get_other_ca)(peer_cfg_t *this);
+
+ /**
+ * @brief Should be sent a certificate for this connection?
+ *
+ * @param this calling object
+ * @return certificate sending policy
+ */
+ cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the authentication method to use to authenticate us.
+ *
+ * @param this calling object
+ * @return authentication method
+ */
+ auth_method_t (*get_auth_method) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the EAP type to use for peer authentication.
+ *
+ * @param this calling object
+ * @return authentication method
+ */
+ eap_type_t (*get_eap_type) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the max number of retries after timeout.
+ *
+ * @param this calling object
+ * @return max number retries
+ */
+ u_int32_t (*get_keyingtries) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the lifetime of a IKE_SA.
+ *
+ * If "rekey" is set to TRUE, a lifetime is returned before the first
+ * rekeying should be started. If it is FALSE, the actual lifetime is
+ * returned when the IKE_SA must be deleted.
+ * The rekey time automatically contains a jitter to avoid simlutaneous
+ * rekeying.
+ *
+ * @param this child_config
+ * @param rekey TRUE to get rekey time
+ * @return lifetime in seconds
+ */
+ u_int32_t (*get_lifetime) (peer_cfg_t *this, bool rekey);
+
+ /**
+ * @brief Should a full reauthentication be done instead of rekeying?
+ *
+ * @param this calling object
+ * @return TRUE to use full reauthentication
+ */
+ bool (*use_reauth) (peer_cfg_t *this);
+
+ /**
+ * @brief Get the DPD check interval.
+ *
+ * @param this calling object
+ * @return dpd_delay in seconds
+ */
+ u_int32_t (*get_dpd_delay) (peer_cfg_t *this);
+
+ /**
+ * @brief What should be done with a CHILD_SA, when other peer does not respond.
+ *
+ * @param this calling object
+ * @return dpd action
+ */
+ dpd_action_t (*get_dpd_action) (peer_cfg_t *this);
+
+ /**
+ * @brief Get a virtual IP for the local peer.
+ *
+ * If no virtual IP should be used, NULL is returned. %any means to request
+ * a virtual IP using configuration payloads. A specific address is also
+ * used for a request and may be changed by the server.
+ *
+ * @param this peer_cfg
+ * @param suggestion NULL, %any or specific
+ * @return clone of an IP, %any or NULL
+ */
+ host_t* (*get_my_virtual_ip) (peer_cfg_t *this);
+
+ /**
+ * @brief Get a virtual IP for the remote peer.
+ *
+ * An IP may be supplied, if one was requested by the initiator. However,
+ * the suggestion is not more as it says, any address may be returned, even
+ * NULL to not use virtual IPs.
+ *
+ * @param this peer_cfg
+ * @param suggestion NULL, %any or specific
+ * @return clone of an IP to use
+ */
+ host_t* (*get_other_virtual_ip) (peer_cfg_t *this, host_t *suggestion);
+
+ /**
+ * @brief Get a new reference.
+ *
+ * Get a new reference to this peer_cfg by increasing
+ * it's internal reference counter.
+ * Do not call get_ref or any other function until you
+ * already have a reference. Otherwise the object may get
+ * destroyed while calling get_ref(),
+ *
+ * @param this calling object
+ */
+ void (*get_ref) (peer_cfg_t *this);
+
+ /**
+ * @brief Destroys the peer_cfg object.
+ *
+ * Decrements the internal reference counter and
+ * destroys the peer_cfg when it reaches zero.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (peer_cfg_t *this);
+};
+
+/**
+ * @brief Create a configuration object for IKE_AUTH and later.
+ *
+ * name-string gets cloned, ID's not.
+ * Virtual IPs are used if they are != NULL. A %any host means the virtual
+ * IP should be obtained from the other peer.
+ * Lifetimes are in seconds. To prevent to peers to start rekeying at the
+ * same time, a jitter may be specified. Rekeying of an SA starts at
+ * (rekeylifetime - random(0, jitter)).
+ *
+ * @param name name of the peer_cfg
+ * @param ike_version which IKE version we sould use for this peer
+ * @param ike_cfg IKE config to use when acting as initiator
+ * @param my_id identification_t for ourselves
+ * @param other_id identification_t for the remote guy
+ * @param my_ca CA to use for us
+ * @param other_ca CA to use for other
+ * @param cert_policy should we send a certificate payload?
+ * @param auth_method auth method to use to authenticate us
+ * @param eap_type EAP type to use for peer authentication
+ * @param keyingtries how many keying tries should be done before giving up
+ * @param lifetime lifetime before deleting an SA
+ * @param rekeytime lifetime before rekeying an SA
+ * @param jitter range of random to substract from rekeytime
+ * @param use_reauth sould be done reauthentication instead of rekeying?
+ * @param dpd_delay after how many seconds of inactivity to check DPD
+ * @param dpd_action what to do with CHILD_SAs when detected a dead peer
+ * @param my_virtual_ip virtual IP for local host, or NULL
+ * @param other_virtual_ip virtual IP for remote host, or NULL
+ * @return peer_cfg_t object
+ *
+ * @ingroup config
+ */
+peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
+ identification_t *my_id, identification_t *other_id,
+ identification_t *my_ca, identification_t *other_ca,
+ cert_policy_t cert_policy, auth_method_t auth_method,
+ eap_type_t eap_type, u_int32_t keyingtries,
+ u_int32_t lifetime, u_int32_t rekeytime,
+ u_int32_t jitter, bool use_reauth,
+ u_int32_t dpd_delay, dpd_action_t dpd_action,
+ host_t *my_virtual_ip, host_t *other_virtual_ip);
+
+#endif /* PEER_CFG_H_ */
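Review bot: The get_my_virtual_ip documentation lists `@param suggestion NULL, %any or specific` although `host_t* (*get_my_virtual_ip) (peer_cfg_t *this);` takes only `this`; remove that line. Likewise get_lifetime's `@param this child_config` should read `@param this calling object`, and the prototype spells the second parameter `ikev_version` while the doc and the implementation use `ike_version`. The get_other_virtual_ip contract would benefit from stating explicitly that when the configured address is %any the initiator's suggestion is returned as-is, so checking the suggested address against an allowed pool or range is the caller's responsibility and is not done here.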
diff --git a/src/charon/config/policies/local_policy_store.c b/src/charon/config/policies/local_policy_store.c
deleted file mode 100644
index dd22b43a0..000000000
--- a/src/charon/config/policies/local_policy_store.c
+++ /dev/null
@@ -1,282 +0,0 @@
-/**
- * @file local_policy_store.c
- *
- * @brief Implementation of local_policy_store_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <string.h>
-
-#include "local_policy_store.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-
-
-typedef struct private_local_policy_store_t private_local_policy_store_t;
-
-/**
- * Private data of an local_policy_store_t object
- */
-struct private_local_policy_store_t {
-
- /**
- * Public part
- */
- local_policy_store_t public;
-
- /**
- * list of policy_t's
- */
- linked_list_t *policies;
-
- /**
- * Mutex to exclusivly access list
- */
- pthread_mutex_t mutex;
-};
-
-/**
- * Implementation of policy_store_t.add_policy.
- */
-static void add_policy(private_local_policy_store_t *this, policy_t *policy)
-{
- pthread_mutex_lock(&(this->mutex));
- this->policies->insert_last(this->policies, (void*)policy);
- pthread_mutex_unlock(&(this->mutex));
-}
-
-/**
- * Check if a policy contains traffic selectors
- */
-static bool contains_traffic_selectors(policy_t *policy, bool mine,
- linked_list_t *ts, host_t *host)
-{
- linked_list_t *selected;
- bool contains = FALSE;
-
- if (mine)
- {
- selected = policy->select_my_traffic_selectors(policy, ts, host);
- }
- else
- {
- selected = policy->select_other_traffic_selectors(policy, ts, host);
- }
- if (selected->get_count(selected))
- {
- contains = TRUE;
- }
- selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy));
- return contains;
-}
-
-/**
- * Implementation of policy_store_t.get_policy.
- */
-static policy_t *get_policy(private_local_policy_store_t *this,
- identification_t *my_id, identification_t *other_id,
- linked_list_t *my_ts, linked_list_t *other_ts,
- host_t *my_host, host_t *other_host)
-{
- typedef enum {
- PRIO_UNDEFINED = 0x00,
- PRIO_TS_MISMATCH = 0x01,
- PRIO_ID_ANY = 0x02,
- PRIO_ID_MATCH = PRIO_ID_ANY + MAX_WILDCARDS,
- } prio_t;
-
- prio_t best_prio = PRIO_UNDEFINED;
-
- iterator_t *iterator;
- policy_t *candidate;
- policy_t *found = NULL;
- traffic_selector_t *ts;
-
- DBG1(DBG_CFG, "searching policy for '%D'...'%D'", my_id, other_id);
- iterator = my_ts->create_iterator(my_ts, TRUE);
- while (iterator->iterate(iterator, (void**)&ts))
- {
- DBG1(DBG_CFG, " local TS: %R", ts);
- }
- iterator->destroy(iterator);
- iterator = other_ts->create_iterator(other_ts, TRUE);
- while (iterator->iterate(iterator, (void**)&ts))
- {
- DBG1(DBG_CFG, " remote TS: %R", ts);
- }
- iterator->destroy(iterator);
-
- pthread_mutex_lock(&(this->mutex));
- iterator = this->policies->create_iterator(this->policies, TRUE);
-
- /* determine closest matching policy */
- while (iterator->iterate(iterator, (void**)&candidate))
- {
- identification_t *candidate_my_id;
- identification_t *candidate_other_id;
- int wildcards;
-
- candidate_my_id = candidate->get_my_id(candidate);
- candidate_other_id = candidate->get_other_id(candidate);
-
- /* my_id is either %any or if set must match exactly */
- if (candidate_my_id->matches(candidate_my_id, my_id, &wildcards))
- {
- prio_t prio = PRIO_UNDEFINED;
-
- /* wildcard match for other_id */
- if (!other_id->matches(other_id, candidate_other_id, &wildcards))
- {
- continue;
- }
- prio = PRIO_ID_MATCH - wildcards;
-
- /* only accept if traffic selectors match */
- if (!contains_traffic_selectors(candidate, TRUE, my_ts, my_host) ||
- !contains_traffic_selectors(candidate, FALSE, other_ts, other_host))
- {
- DBG2(DBG_CFG, "candidate '%s' inacceptable due traffic "
- "selector mismatch", candidate->get_name(candidate));
- prio = PRIO_TS_MISMATCH;
- }
-
- DBG2(DBG_CFG, "candidate policy '%s': '%D'...'%D' (prio=%d)",
- candidate->get_name(candidate),
- candidate_my_id, candidate_other_id, prio);
-
- if (prio > best_prio)
- {
- found = candidate;
- best_prio = prio;
- }
- }
- }
- iterator->destroy(iterator);
-
- if (found)
- {
- DBG1(DBG_CFG, "found matching policy '%s': '%D'...'%D' (prio=%d)",
- found->get_name(found), found->get_my_id(found),
- found->get_other_id(found), best_prio);
- /* give out a new reference to it */
- found->get_ref(found);
- }
- pthread_mutex_unlock(&(this->mutex));
- return found;
-}
-
-/**
- * Implementation of policy_store_t.get_policy_by_name.
- */
-static policy_t *get_policy_by_name(private_local_policy_store_t *this, char *name)
-{
- iterator_t *iterator;
- policy_t *current, *found = NULL;
-
- DBG2(DBG_CFG, "looking for policy '%s'", name);
-
- pthread_mutex_lock(&(this->mutex));
- iterator = this->policies->create_iterator(this->policies, TRUE);
- while (iterator->iterate(iterator, (void **)&current))
- {
- if (strcmp(current->get_name(current), name) == 0)
- {
- found = current;
- }
- }
- iterator->destroy(iterator);
- pthread_mutex_unlock(&(this->mutex));
-
- /* give out a new reference */
- found->get_ref(found);
- return found;
-}
-
-/**
- * Implementation of policy_store_t.delete_policy.
- */
-static status_t delete_policy(private_local_policy_store_t *this, char *name)
-{
- iterator_t *iterator;
- policy_t *current;
- bool found = FALSE;
-
- pthread_mutex_lock(&(this->mutex));
- iterator = this->policies->create_iterator(this->policies, TRUE);
- while (iterator->iterate(iterator, (void **)&current))
- {
- if (strcmp(current->get_name(current), name) == 0)
- {
- /* remove policy from list, and destroy it */
- iterator->remove(iterator);
- current->destroy(current);
- found = TRUE;
- /* we do not break here, as there may be multipe policies */
- }
- }
- iterator->destroy(iterator);
- pthread_mutex_unlock(&(this->mutex));
- if (found)
- {
- return SUCCESS;
- }
- return NOT_FOUND;
-}
-
-/**
- * Implementation of policy_store_t.create_iterator.
- */
-static iterator_t* create_iterator(private_local_policy_store_t *this)
-{
- return this->policies->create_iterator_locked(this->policies,
- &this->mutex);
-}
-
-/**
- * Implementation of policy_store_t.destroy.
- */
-static void destroy(private_local_policy_store_t *this)
-{
- pthread_mutex_lock(&(this->mutex));
- this->policies->destroy_offset(this->policies, offsetof(policy_t, destroy));
- pthread_mutex_unlock(&(this->mutex));
- free(this);
-}
-
-/**
- * Described in header.
- */
-local_policy_store_t *local_policy_store_create(void)
-{
- private_local_policy_store_t *this = malloc_thing(private_local_policy_store_t);
-
- this->public.policy_store.add_policy = (void (*) (policy_store_t*,policy_t*))add_policy;
- this->public.policy_store.get_policy = (policy_t* (*) (policy_store_t*,identification_t*,identification_t*,
- linked_list_t*,linked_list_t*,host_t*,host_t*))get_policy;
- this->public.policy_store.get_policy_by_name = (policy_t* (*) (policy_store_t*,char*))get_policy_by_name;
- this->public.policy_store.delete_policy = (status_t (*) (policy_store_t*,char*))delete_policy;
- this->public.policy_store.create_iterator = (iterator_t* (*) (policy_store_t*))create_iterator;
- this->public.policy_store.destroy = (void (*) (policy_store_t*))destroy;
-
- /* private variables */
- this->policies = linked_list_create();
- pthread_mutex_init(&(this->mutex), NULL);
-
- return (&this->public);
-}
diff --git a/src/charon/config/policies/local_policy_store.h b/src/charon/config/policies/local_policy_store.h
deleted file mode 100644
index 01d5d2d60..000000000
--- a/src/charon/config/policies/local_policy_store.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * @file local_policy_store.h
- *
- * @brief Interface of local_policy_store_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef LOCAL_POLICY_STORE_H_
-#define LOCAL_POLICY_STORE_H_
-
-typedef struct local_policy_store_t local_policy_store_t;
-
-#include <library.h>
-#include <config/policies/policy_store.h>
-
-
-/**
- * @brief A policy_store_t implementation using a simple policy lists.
- *
- * The local_policy_store_t class implements the policy_store_t interface
- * as simple as possible. The policies are stored in a in-memory list.
- *
- * @b Constructors:
- * - local_policy_store_create()
- *
- * @ingroup config
- */
-struct local_policy_store_t {
-
- /**
- * Implements policy_store_t interface
- */
- policy_store_t policy_store;
-};
-
-/**
- * @brief Creates a local_policy_store_t instance.
- *
- * @return policy store instance.
- *
- * @ingroup config
- */
-local_policy_store_t *local_policy_store_create(void);
-
-#endif /* LOCAL_POLICY_STORE_H_ */
diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c
deleted file mode 100644
index 363d1609f..000000000
--- a/src/charon/config/policies/policy.c
+++ /dev/null
@@ -1,635 +0,0 @@
-/**
- * @file policy.c
- *
- * @brief Implementation of policy_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <time.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "policy.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-
-ENUM(dpd_action_names, DPD_NONE, DPD_RESTART,
- "DPD_NONE",
- "DPD_CLEAR",
- "DPD_ROUTE",
- "DPD_RESTART"
-);
-
-ENUM(mode_names, MODE_TRANSPORT, MODE_BEET,
- "TRANSPORT",
- "TUNNEL",
- "2",
- "3",
- "BEET"
-);
-
-typedef struct private_policy_t private_policy_t;
-
-/**
- * Private data of an policy_t object
- */
-struct private_policy_t {
-
- /**
- * Public part
- */
- policy_t public;
-
- /**
- * Number of references hold by others to this policy
- */
- refcount_t refcount;
-
- /**
- * Name of the policy, used to query it
- */
- char *name;
-
- /**
- * id to use to identify us
- */
- identification_t *my_id;
-
- /**
- * allowed id for other
- */
- identification_t *other_id;
-
- /**
- * virtual IP to use locally
- */
- host_t *my_virtual_ip;
-
- /**
- * virtual IP to use remotly
- */
- host_t *other_virtual_ip;
-
- /**
- * Method to use for own authentication data
- */
- auth_method_t auth_method;
-
- /**
- * EAP type to use for peer authentication
- */
- eap_type_t eap_type;
-
- /**
- * we have a cert issued by this CA
- */
- identification_t *my_ca;
-
- /**
- * we require the other end to have a cert issued by this CA
- */
- identification_t *other_ca;
-
- /**
- * updown script
- */
- char *updown;
-
- /**
- * allow host access
- */
- bool hostaccess;
-
- /**
- * list for all proposals
- */
- linked_list_t *proposals;
-
- /**
- * list for traffic selectors for my site
- */
- linked_list_t *my_ts;
-
- /**
- * list for traffic selectors for others site
- */
- linked_list_t *other_ts;
-
- /**
- * Time before an SA gets invalid
- */
- u_int32_t soft_lifetime;
-
- /**
- * Time before an SA gets rekeyed
- */
- u_int32_t hard_lifetime;
-
- /**
- * Time, which specifies the range of a random value
- * substracted from soft_lifetime.
- */
- u_int32_t jitter;
-
- /**
- * What to do with an SA when other peer seams to be dead?
- */
- bool dpd_action;
-
- /**
- * Mode to propose for a initiated CHILD: tunnel/transport
- */
- mode_t mode;
-};
-
-/**
- * Implementation of policy_t.get_name
- */
-static char *get_name(private_policy_t *this)
-{
- return this->name;
-}
-
-/**
- * Implementation of policy_t.get_my_id
- */
-static identification_t *get_my_id(private_policy_t *this)
-{
- return this->my_id;
-}
-
-/**
- * Implementation of policy_t.get_other_id
- */
-static identification_t *get_other_id(private_policy_t *this)
-{
- return this->other_id;
-}
-
-/**
- * Implementation of policy_t.get_my_ca
- */
-static identification_t *get_my_ca(private_policy_t *this)
-{
- return this->my_ca;
-}
-
-/**
- * Implementation of policy_t.get_other_ca
- */
-static identification_t *get_other_ca(private_policy_t *this)
-{
- return this->other_ca;
-}
-
-/**
- * Implementation of connection_t.auth_method_t.
- */
-static auth_method_t get_auth_method(private_policy_t *this)
-{
- return this->auth_method;
-}
-
-/**
- * Implementation of connection_t.get_eap_type.
- */
-static eap_type_t get_eap_type(private_policy_t *this)
-{
- return this->eap_type;
-}
-
-/**
- * Get traffic selectors, with wildcard-address update
- */
-static linked_list_t *get_traffic_selectors(private_policy_t *this,
- linked_list_t *list, host_t *host)
-{
- iterator_t *iterator;
- traffic_selector_t *current;
- linked_list_t *result = linked_list_create();
-
- iterator = list->create_iterator(list, TRUE);
-
- while (iterator->iterate(iterator, (void**)&current))
- {
- /* we make a copy of the TS, this allows us to update wildcard
- * addresses in it. We won't pollute the shared policy. */
- current = current->clone(current);
- if (host)
- {
- current->set_address(current, host);
- }
-
- result->insert_last(result, (void*)current);
- }
- iterator->destroy(iterator);
- return result;
-}
-
-/**
- * Implementation of policy_t.get_my_traffic_selectors
- */
-static linked_list_t *get_my_traffic_selectors(private_policy_t *this, host_t *me)
-{
- return get_traffic_selectors(this, this->my_ts, me);
-}
-
-/**
- * Implementation of policy_t.get_other_traffic_selectors
- */
-static linked_list_t *get_other_traffic_selectors(private_policy_t *this, host_t *other)
-{
- return get_traffic_selectors(this, this->other_ts, other);
-}
-
-/**
- * Narrow traffic selectors, with wildcard-address update in "stored".
- */
-static linked_list_t *select_traffic_selectors(private_policy_t *this,
- linked_list_t *stored,
- linked_list_t *supplied,
- host_t *host)
-{
- iterator_t *supplied_iter, *stored_iter, *i1, *i2;
- traffic_selector_t *supplied_ts, *stored_ts, *selected_ts, *ts1, *ts2;
- linked_list_t *selected = linked_list_create();
-
- DBG2(DBG_CFG, "selecting traffic selectors");
-
- stored_iter = stored->create_iterator(stored, TRUE);
- supplied_iter = supplied->create_iterator(supplied, TRUE);
-
- /* iterate over all stored selectors */
- while (stored_iter->iterate(stored_iter, (void**)&stored_ts))
- {
- /* we make a copy of the TS, this allows us to update wildcard
- * addresses in it. We won't pollute the shared policy. */
- stored_ts = stored_ts->clone(stored_ts);
- if (host)
- {
- stored_ts->set_address(stored_ts, host);
- }
-
- supplied_iter->reset(supplied_iter);
- /* iterate over all supplied traffic selectors */
- while (supplied_iter->iterate(supplied_iter, (void**)&supplied_ts))
- {
- DBG2(DBG_CFG, "stored %R <=> %R received",
- stored_ts, supplied_ts);
-
- selected_ts = stored_ts->get_subset(stored_ts, supplied_ts);
- if (selected_ts)
- {
- /* got a match, add to list */
- selected->insert_last(selected, (void*)selected_ts);
-
- DBG2(DBG_CFG, "found traffic selector for %s: %R",
- stored == this->my_ts ? "us" : "other", selected_ts);
- }
- }
- stored_ts->destroy(stored_ts);
- }
- stored_iter->destroy(stored_iter);
- supplied_iter->destroy(supplied_iter);
-
- /* remove any redundant traffic selectors in the list */
- i1 = selected->create_iterator(selected, TRUE);
- i2 = selected->create_iterator(selected, TRUE);
- while (i1->iterate(i1, (void**)&ts1))
- {
- while (i2->iterate(i2, (void**)&ts2))
- {
- if (ts1 != ts2)
- {
- if (ts2->is_contained_in(ts2, ts1))
- {
- i2->remove(i2);
- ts2->destroy(ts2);
- i1->reset(i1);
- break;
- }
- if (ts1->is_contained_in(ts1, ts2))
- {
- i1->remove(i1);
- ts1->destroy(ts1);
- i2->reset(i2);
- break;
- }
- }
- }
- }
- i1->destroy(i1);
- i2->destroy(i2);
-
- return selected;
-}
-
-/**
- * Implementation of private_policy_t.select_my_traffic_selectors
- */
-static linked_list_t *select_my_traffic_selectors(private_policy_t *this,
- linked_list_t *supplied,
- host_t *me)
-{
- return select_traffic_selectors(this, this->my_ts, supplied, me);
-}
-
-/**
- * Implementation of private_policy_t.select_other_traffic_selectors
- */
-static linked_list_t *select_other_traffic_selectors(private_policy_t *this,
- linked_list_t *supplied,
- host_t* other)
-{
- return select_traffic_selectors(this, this->other_ts, supplied, other);
-}
-
-/**
- * Implementation of policy_t.get_proposal_iterator
- */
-static linked_list_t *get_proposals(private_policy_t *this)
-{
- iterator_t *iterator;
- proposal_t *current;
- linked_list_t *proposals = linked_list_create();
-
- iterator = this->proposals->create_iterator(this->proposals, TRUE);
- while (iterator->iterate(iterator, (void**)&current))
- {
- current = current->clone(current);
- proposals->insert_last(proposals, (void*)current);
- }
- iterator->destroy(iterator);
-
- return proposals;
-}
-
-/**
- * Implementation of policy_t.select_proposal
- */
-static proposal_t *select_proposal(private_policy_t *this, linked_list_t *proposals)
-{
- iterator_t *stored_iter, *supplied_iter;
- proposal_t *stored, *supplied, *selected;
-
- stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
- supplied_iter = proposals->create_iterator(proposals, TRUE);
-
- /* compare all stored proposals with all supplied. Stored ones are preferred. */
- while (stored_iter->iterate(stored_iter, (void**)&stored))
- {
- supplied_iter->reset(supplied_iter);
- while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
- {
- selected = stored->select(stored, supplied);
- if (selected)
- {
- /* they match, return */
- stored_iter->destroy(stored_iter);
- supplied_iter->destroy(supplied_iter);
- return selected;
- }
- }
- }
-
- /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
- stored_iter->destroy(stored_iter);
- supplied_iter->destroy(supplied_iter);
-
- return NULL;
-}
-
-/**
- * Implementation of policy_t.add_authorities
- */
-static void add_authorities(private_policy_t *this, identification_t *my_ca, identification_t *other_ca)
-{
- this->my_ca = my_ca;
- this->other_ca = other_ca;
-}
-
-/**
- * Implementation of policy_t.get_updown
- */
-static char* get_updown(private_policy_t *this)
-{
- return this->updown;
-}
-
-/**
- * Implementation of policy_t.get_hostaccess
- */
-static bool get_hostaccess(private_policy_t *this)
-{
- return this->hostaccess;
-}
-
-/**
- * Implements policy_t.get_dpd_action
- */
-static dpd_action_t get_dpd_action(private_policy_t *this)
-{
- return this->dpd_action;
-}
-
-/**
- * Implementation of policy_t.add_my_traffic_selector
- */
-static void add_my_traffic_selector(private_policy_t *this, traffic_selector_t *traffic_selector)
-{
- this->my_ts->insert_last(this->my_ts, (void*)traffic_selector);
-}
-
-/**
- * Implementation of policy_t.add_other_traffic_selector
- */
-static void add_other_traffic_selector(private_policy_t *this, traffic_selector_t *traffic_selector)
-{
- this->other_ts->insert_last(this->other_ts, (void*)traffic_selector);
-}
-
-/**
- * Implementation of policy_t.add_proposal
- */
-static void add_proposal(private_policy_t *this, proposal_t *proposal)
-{
- this->proposals->insert_last(this->proposals, (void*)proposal);
-}
-
-/**
- * Implementation of policy_t.get_soft_lifetime
- */
-static u_int32_t get_soft_lifetime(private_policy_t *this)
-{
- if (this->jitter == 0)
- {
- return this->soft_lifetime ;
- }
- return this->soft_lifetime - (random() % this->jitter);
-}
-
-/**
- * Implementation of policy_t.get_hard_lifetime
- */
-static u_int32_t get_hard_lifetime(private_policy_t *this)
-{
- return this->hard_lifetime;
-}
-
-/**
- * Implementation of policy_t.get_mode.
- */
-static mode_t get_mode(private_policy_t *this)
-{
- return this->mode;
-}
-
-/**
- * Implementation of policy_t.get_virtual_ip.
- */
-static host_t* get_virtual_ip(private_policy_t *this, host_t *suggestion)
-{
- if (suggestion == NULL)
- {
- if (this->my_virtual_ip)
- {
- return this->my_virtual_ip->clone(this->my_virtual_ip);
- }
- return NULL;
- }
- if (this->other_virtual_ip)
- {
- return this->other_virtual_ip->clone(this->other_virtual_ip);
- }
- if (suggestion->is_anyaddr(suggestion))
- {
- return NULL;
- }
- return suggestion->clone(suggestion);
-}
-
-/**
- * Implements policy_t.get_ref.
- */
-static void get_ref(private_policy_t *this)
-{
- ref_get(&this->refcount);
-}
-
-/**
- * Implements policy_t.destroy.
- */
-static void destroy(private_policy_t *this)
-{
- if (ref_put(&this->refcount))
- {
-
- this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
- this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
- this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
-
- /* delete certification authorities */
- DESTROY_IF(this->my_ca);
- DESTROY_IF(this->other_ca);
-
- /* delete updown script */
- if (this->updown)
- {
- free(this->updown);
- }
-
- /* delete ids */
- this->my_id->destroy(this->my_id);
- this->other_id->destroy(this->other_id);
- DESTROY_IF(this->my_virtual_ip);
- DESTROY_IF(this->other_virtual_ip);
-
- free(this->name);
- free(this);
- }
-}
-
-/*
- * Described in header-file
- */
-policy_t *policy_create(char *name, identification_t *my_id, identification_t *other_id,
- host_t *my_virtual_ip, host_t *other_virtual_ip,
- auth_method_t auth_method, eap_type_t eap_type,
- u_int32_t hard_lifetime, u_int32_t soft_lifetime,
- u_int32_t jitter, char *updown, bool hostaccess,
- mode_t mode, dpd_action_t dpd_action)
-{
- private_policy_t *this = malloc_thing(private_policy_t);
-
- /* public functions */
- this->public.get_name = (char* (*) (policy_t*))get_name;
- this->public.get_my_id = (identification_t* (*) (policy_t*))get_my_id;
- this->public.get_other_id = (identification_t* (*) (policy_t*))get_other_id;
- this->public.get_my_ca = (identification_t* (*) (policy_t*))get_my_ca;
- this->public.get_other_ca = (identification_t* (*) (policy_t*))get_other_ca;
- this->public.get_auth_method = (auth_method_t (*) (policy_t*)) get_auth_method;
- this->public.get_eap_type = (eap_type_t (*) (policy_t*)) get_eap_type;
- this->public.get_my_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_my_traffic_selectors;
- this->public.get_other_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_other_traffic_selectors;
- this->public.select_my_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_my_traffic_selectors;
- this->public.select_other_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_other_traffic_selectors;
- this->public.get_proposals = (linked_list_t* (*) (policy_t*))get_proposals;
- this->public.select_proposal = (proposal_t* (*) (policy_t*,linked_list_t*))select_proposal;
- this->public.add_my_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_my_traffic_selector;
- this->public.add_other_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_other_traffic_selector;
- this->public.add_proposal = (void (*) (policy_t*,proposal_t*))add_proposal;
- this->public.add_authorities = (void (*) (policy_t*,identification_t*,identification_t*))add_authorities;
- this->public.get_updown = (char* (*) (policy_t*))get_updown;
- this->public.get_hostaccess = (bool (*) (policy_t*))get_hostaccess;
- this->public.get_dpd_action = (dpd_action_t (*) (policy_t*))get_dpd_action;
- this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime;
- this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime;
- this->public.get_mode = (mode_t (*) (policy_t *))get_mode;
- this->public.get_virtual_ip = (host_t* (*)(policy_t*,host_t*))get_virtual_ip;
- this->public.get_ref = (void (*) (policy_t*))get_ref;
- this->public.destroy = (void (*) (policy_t*))destroy;
-
- /* apply init values */
- this->name = strdup(name);
- this->my_id = my_id;
- this->other_id = other_id;
- this->my_virtual_ip = my_virtual_ip;
- this->other_virtual_ip = other_virtual_ip;
- this->auth_method = auth_method;
- this->eap_type = eap_type;
- this->hard_lifetime = hard_lifetime;
- this->soft_lifetime = soft_lifetime;
- this->jitter = jitter;
- this->updown = (updown == NULL) ? NULL : strdup(updown);
- this->hostaccess = hostaccess;
- this->dpd_action = dpd_action;
- this->mode = mode;
-
- /* initialize private members*/
- this->refcount = 1;
- this->my_ca = NULL;
- this->other_ca = NULL;
- this->proposals = linked_list_create();
- this->my_ts = linked_list_create();
- this->other_ts = linked_list_create();
-
- return &this->public;
-}
diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h
deleted file mode 100644
index d8916b29e..000000000
--- a/src/charon/config/policies/policy.h
+++ /dev/null
@@ -1,413 +0,0 @@
-/**
- * @file policy.h
- *
- * @brief Interface of policy_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef POLICY_H_
-#define POLICY_H_
-
-typedef enum dpd_action_t dpd_action_t;
-typedef struct policy_t policy_t;
-
-#include <library.h>
-#include <utils/identification.h>
-#include <config/traffic_selector.h>
-#include <config/proposal.h>
-#include <sa/authenticators/authenticator.h>
-#include <sa/authenticators/eap/eap_method.h>
-
-
-/**
- * @brief Actions to take when a peer does not respond (dead peer detected).
- *
- * These values are the same as in pluto/starter, so do not modify them!
- *
- * @ingroup config
- */
-enum dpd_action_t {
- /** DPD disabled */
- DPD_NONE,
- /** remove CHILD_SA without replacement */
- DPD_CLEAR,
- /** route the CHILD_SA to resetup when needed */
- DPD_ROUTE,
- /** restart CHILD_SA in a new IKE_SA, immediately */
- DPD_RESTART,
-};
-
-/**
- * enum names for dpd_action_t.
- */
-extern enum_name_t *dpd_action_names;
-
-/**
- * @brief Mode of an IPsec SA.
- *
- * These are equal to those defined in XFRM, so don't change.
- *
- * @ingroup config
- */
-enum mode_t {
- /** transport mode, no inner address */
- MODE_TRANSPORT = 0,
- /** tunnel mode, inner and outer addresses */
- MODE_TUNNEL = 1,
- /** BEET mode, tunnel mode but fixed, bound inner addresses */
- MODE_BEET = 4,
-};
-
-/**
- * enum names for mode_t.
- */
-extern enum_name_t *mode_names;
-
-/**
- * @brief A policy_t defines the policies to apply to CHILD_SAs.
- *
- * The given two IDs identify a policy. These rules define how
- * child SAs may be set up and which traffic may be IPsec'ed.
- *
- * @b Constructors:
- * - policy_create()
- *
- * @ingroup config
- */
-struct policy_t {
-
- /**
- * @brief Get the name of the policy.
- *
- * Returned object is not getting cloned.
- *
- * @param this calling object
- * @return policy's name
- */
- char *(*get_name) (policy_t *this);
-
- /**
- * @brief Get own id.
- *
- * Returned object is not getting cloned.
- *
- * @param this calling object
- * @return own id
- */
- identification_t *(*get_my_id) (policy_t *this);
-
- /**
- * @brief Get peer id.
- *
- * Returned object is not getting cloned.
- *
- * @param this calling object
- * @return other id
- */
- identification_t *(*get_other_id) (policy_t *this);
-
- /**
- * @brief Get own ca.
- *
- * Returned object is not getting cloned.
- *
- * @param this calling object
- * @return own ca
- */
- identification_t *(*get_my_ca) (policy_t *this);
-
- /**
- * @brief Get peer ca.
- *
- * Returned object is not getting cloned.
- *
- * @param this calling object
- * @return other ca
- */
- identification_t *(*get_other_ca) (policy_t *this);
-
- /**
- * @brief Get the authentication method to use.
- *
- * @param this calling object
- * @return authentication method
- */
- auth_method_t (*get_auth_method) (policy_t *this);
-
- /**
- * @brief Get the EAP type to use for peer authentication.
- *
- * @param this calling object
- * @return authentication method
- */
- eap_type_t (*get_eap_type) (policy_t *this);
-
- /**
- * @brief Get configured traffic selectors for our site.
- *
- * Returns a list with all traffic selectors for the local
- * site. List and items must be destroyed after usage.
- *
- * @param this calling object
- * @return list with traffic selectors
- */
- linked_list_t *(*get_my_traffic_selectors) (policy_t *this, host_t *me);
-
- /**
- * @brief Get configured traffic selectors for others site.
- *
- * Returns a list with all traffic selectors for the remote
- * site. List and items must be destroyed after usage.
- *
- * @param this calling object
- * @return list with traffic selectors
- */
- linked_list_t *(*get_other_traffic_selectors) (policy_t *this, host_t* other);
-
- /**
- * @brief Select traffic selectors from a supplied list for local site.
- *
- * Resulted list and traffic selectors must be destroyed after usage.
- * As the traffic selectors may contain a wildcard address (0.0.0.0) for
- * addresses we don't know in previous, an address may be supplied to
- * replace these 0.0.0.0 addresses on-the-fly.
- *
- * @param this calling object
- * @param supplied linked list with traffic selectors
- * @param me host address used by us
- * @return list containing the selected traffic selectors
- */
- linked_list_t *(*select_my_traffic_selectors) (policy_t *this,
- linked_list_t *supplied,
- host_t *me);
-
- /**
- * @brief Select traffic selectors from a supplied list for remote site.
- *
- * Resulted list and traffic selectors must be destroyed after usage.
- * As the traffic selectors may contain a wildcard address (0.0.0.0) for
- * addresses we don't know in previous, an address may be supplied to
- * replace these 0.0.0.0 addresses on-the-fly.
- *
- * @param this calling object
- * @param supplied linked list with traffic selectors
- * @return list containing the selected traffic selectors
- */
- linked_list_t *(*select_other_traffic_selectors) (policy_t *this,
- linked_list_t *supplied,
- host_t *other);
-
- /**
- * @brief Get the list of internally stored proposals.
- *
- * policy_t does store proposals for AH/ESP, IKE proposals are in
- * the connection_t.
- * Resulting list and all of its proposals must be freed after usage.
- *
- * @param this calling object
- * @return lists with proposals
- */
- linked_list_t *(*get_proposals) (policy_t *this);
-
- /**
- * @brief Select a proposal from a supplied list.
- *
- * Returned propsal is newly created and must be destroyed after usage.
- *
- * @param this calling object
- * @param proposals list from from wich proposals are selected
- * @return selected proposal, or NULL if nothing matches
- */
- proposal_t *(*select_proposal) (policy_t *this, linked_list_t *proposals);
-
- /**
- * @brief Add a traffic selector to the list for local site.
- *
- * After add, traffic selector is owned by policy.
- *
- * @param this calling object
- * @param traffic_selector traffic_selector to add
- */
- void (*add_my_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
-
- /**
- * @brief Add a traffic selector to the list for remote site.
- *
- * After add, traffic selector is owned by policy.
- *
- * @param this calling object
- * @param traffic_selector traffic_selector to add
- */
- void (*add_other_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
-
- /**
- * @brief Add a proposal to the list.
- *
- * The proposals are stored by priority, first added
- * is the most prefered.
- * After add, proposal is owned by policy.
- *
- * @param this calling object
- * @param proposal proposal to add
- */
- void (*add_proposal) (policy_t *this, proposal_t *proposal);
-
- /**
- * @brief Add certification authorities.
- *
- * @param this calling object
- * @param my_ca issuer of my certificate
- * @param other_ca required issuer of the peer's certificate
- */
- void (*add_authorities) (policy_t *this, identification_t *my_ca, identification_t *other_ca);
-
- /**
- * @brief Get updown script
- *
- * @param this calling object
- * @return path to updown script
- */
- char* (*get_updown) (policy_t *this);
-
- /**
- * @brief Get hostaccess flag
- *
- * @param this calling object
- * @return value of hostaccess flag
- */
- bool (*get_hostaccess) (policy_t *this);
-
- /**
- * @brief What should be done with a CHILD_SA, when other peer does not respond.
- *
- * @param this calling object
- * @return dpd action
- */
- dpd_action_t (*get_dpd_action) (policy_t *this);
-
- /**
- * @brief Get the lifetime of a policy, before rekeying starts.
- *
- * A call to this function automatically adds a jitter to
- * avoid simultanous rekeying.
- *
- * @param this policy
- * @return lifetime in seconds
- */
- u_int32_t (*get_soft_lifetime) (policy_t *this);
-
- /**
- * @brief Get the lifetime of a policy, before SA gets deleted.
- *
- * @param this policy
- * @return lifetime in seconds
- */
- u_int32_t (*get_hard_lifetime) (policy_t *this);
-
- /**
- * @brief Get the mode to use for the CHILD_SA, tunnel, transport or BEET.
- *
- * @param this policy
- * @return lifetime in seconds
- */
- mode_t (*get_mode) (policy_t *this);
-
- /**
- * @brief Get a virtual IP for the local or the remote host.
- *
- * By supplying NULL as IP, an IP for the local host is requested. It
- * may be %any or specific.
- * By supplying %any as host, an IP from the pool is selected to be
- * served to the peer.
- * If a specified host is supplied, it is checked if this address
- * is acceptable to serve to the peer. If so, it is returned. Otherwise,
- * an alternative IP is returned.
- * In any mode, this call may return NULL indicating virtual IP should
- * not be used.
- *
- * @param this policy
- * @param suggestion NULL, %any or specific, see description
- * @return clone of an IP to use, or NULL
- */
- host_t* (*get_virtual_ip) (policy_t *this, host_t *suggestion);
-
- /**
- * @brief Get a new reference.
- *
- * Get a new reference to this policy by increasing
- * it's internal reference counter.
- * Do not call get_ref or any other function until you
- * already have a reference. Otherwise the object may get
- * destroyed while calling get_ref(),
- *
- * @param this calling object
- */
- void (*get_ref) (policy_t *this);
-
- /**
- * @brief Destroys the policy object.
- *
- * Decrements the internal reference counter and
- * destroys the policy when it reaches zero.
- *
- * @param this calling object
- */
- void (*destroy) (policy_t *this);
-};
-
-/**
- * @brief Create a configuration object for IKE_AUTH and later.
- *
- * name-string gets cloned, ID's not.
- * Virtual IPs are used if they are != NULL. A %any host means the virtual
- * IP should be obtained from the other peer.
- * Lifetimes are in seconds. To prevent to peers to start rekeying at the
- * same time, a jitter may be specified. Rekeying of an SA starts at
- * (soft_lifetime - random(0, jitter)). After a successful rekeying,
- * the hard_lifetime limit counter is reset. You should specify
- * hard_lifetime > soft_lifetime > jitter.
- * After a call to create, a reference is obtained (refcount = 1).
- *
- * @param name name of the policy
- * @param my_id identification_t for ourselves
- * @param other_id identification_t for the remote guy
- * @param my_virtual_ip virtual IP for local host, or NULL
- * @param other_virtual_ip virtual IP for remote host, or NULL
- * @param auth_method Authentication method to use for our(!) auth data
- * @param eap_type EAP type to use for peer authentication
- * @param hard_lifetime lifetime before deleting an SA
- * @param soft_lifetime lifetime before rekeying an SA
- * @param jitter range of randomization time
- * @param updown updown script to execute on up/down event
- * @param hostaccess allow access to the host itself (used by the updown script)
- * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
- * @param dpd_action what to to with a CHILD_SA when other peer does not respond
- * @return policy_t object
- *
- * @ingroup config
- */
-policy_t *policy_create(char *name,
- identification_t *my_id, identification_t *other_id,
- host_t *my_virtual_ip, host_t *other_virtual_ip,
- auth_method_t auth_method, eap_type_t eap_type,
- u_int32_t hard_lifetime, u_int32_t soft_lifetime,
- u_int32_t jitter, char *updown, bool hostaccess,
- mode_t mode, dpd_action_t dpd_action);
-
-#endif /* POLICY_H_ */
diff --git a/src/charon/config/policies/policy_store.h b/src/charon/config/policies/policy_store.h
deleted file mode 100755
index cd8870953..000000000
--- a/src/charon/config/policies/policy_store.h
+++ /dev/null
@@ -1,119 +0,0 @@
-/**
- * @file policy_store.h
- *
- * @brief Interface policy_store_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef POLICY_STORE_H_
-#define POLICY_STORE_H_
-
-typedef struct policy_store_t policy_store_t;
-
-#include <library.h>
-#include <config/policies/policy.h>
-#include <utils/linked_list.h>
-
-
-/**
- * @brief The interface for a store of policy_t's.
- *
- * The store uses reference counting to manage their lifetime. Call
- * destroy() for a policy which is returned from the store after usage.
- *
- * @b Constructors:
- * - stroke_create()
- *
- * @ingroup config
- */
-struct policy_store_t {
-
- /**
- * @brief Returns a policy identified by two IDs and a set of traffic selectors.
- *
- * other_id must be fully qualified. my_id may be %any, as the
- * other peer may not include an IDr Request.
- *
- * @param this calling object
- * @param my_id own ID of the policy
- * @param other_id others ID of the policy
- * @param my_ts traffic selectors requested for local host
- * @param other_ts traffic selectors requested for remote host
- * @param my_host host to use for wilcards in TS compare
- * @param other_host host to use for wildcards in TS compare
- * @return
- * - matching policy_t, if found
- * - NULL otherwise
- */
- policy_t *(*get_policy) (policy_store_t *this,
- identification_t *my_id, identification_t *other_id,
- linked_list_t *my_ts, linked_list_t *other_ts,
- host_t *my_host, host_t* other_host);
-
- /**
- * @brief Returns a policy identified by a connection name.
- *
- * @param this calling object
- * @param name name of the policy
- * @return
- * - matching policy_t, if found
- * - NULL otherwise
- */
- policy_t *(*get_policy_by_name) (policy_store_t *this, char *name);
-
- /**
- * @brief Add a policy to the list.
- *
- * The policy is owned by the store after the call. Do
- * not modify nor free.
- *
- * @param this calling object
- * @param policy policy to add
- */
- void (*add_policy) (policy_store_t *this, policy_t *policy);
-
- /**
- * @brief Delete a policy from the store.
- *
- * Remove a policy from the store identified by its name.
- *
- * @param this calling object
- * @param policy policy to add
- * @return
- * - SUCCESS, or
- * - NOT_FOUND
- */
- status_t (*delete_policy) (policy_store_t *this, char *name);
-
- /**
- * @brief Get an iterator for the stored policies.
- *
- * @param this calling object
- * @return iterator over all stored policies
- */
- iterator_t* (*create_iterator) (policy_store_t *this);
-
- /**
- * @brief Destroys a policy_store_t object.
- *
- * @param this calling object
- */
- void (*destroy) (policy_store_t *this);
-};
-
-#endif /*POLICY_STORE_H_*/
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index dcab8cbdd..cff9859c1 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -144,39 +144,6 @@ static void add_algorithm(private_proposal_t *this, transform_type_t type, u_int
}
/**
- * Implements proposal_t.get_algorithm.
- */
-static bool get_algorithm(private_proposal_t *this, transform_type_t type, algorithm_t** algo)
-{
- linked_list_t *list;
- switch (type)
- {
- case ENCRYPTION_ALGORITHM:
- list = this->encryption_algos;
- break;
- case INTEGRITY_ALGORITHM:
- list = this->integrity_algos;
- break;
- case PSEUDO_RANDOM_FUNCTION:
- list = this->prf_algos;
- break;
- case DIFFIE_HELLMAN_GROUP:
- list = this->dh_groups;
- break;
- case EXTENDED_SEQUENCE_NUMBERS:
- list = this->esns;
- break;
- default:
- return FALSE;
- }
- if (list->get_first(list, (void**)algo) != SUCCESS)
- {
- return FALSE;
- }
- return TRUE;
-}
-
-/**
* Implements proposal_t.create_algorithm_iterator.
*/
static iterator_t *create_algorithm_iterator(private_proposal_t *this, transform_type_t type)
@@ -200,6 +167,50 @@ static iterator_t *create_algorithm_iterator(private_proposal_t *this, transform
}
/**
+ * Implements proposal_t.get_algorithm.
+ */
+static bool get_algorithm(private_proposal_t *this, transform_type_t type, algorithm_t** algo)
+{
+ iterator_t *iterator = create_algorithm_iterator(this, type);
+ if (iterator->iterate(iterator, (void**)algo))
+ {
+ iterator->destroy(iterator);
+ return TRUE;
+ }
+ iterator->destroy(iterator);
+ return FALSE;
+}
+
+/**
+ * Implements proposal_t.has_dh_group
+ */
+static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group)
+{
+ algorithm_t *current;
+ iterator_t *iterator;
+ bool result = FALSE;
+
+ iterator = this->dh_groups->create_iterator(this->dh_groups, TRUE);
+ if (iterator->get_count(iterator))
+ {
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (current->algorithm == group)
+ {
+ result = TRUE;
+ break;
+ }
+ }
+ }
+ else if (group == MODP_NONE)
+ {
+ result = TRUE;
+ }
+ iterator->destroy(iterator);
+ return result;
+}
+
+/**
* Find a matching alg/keysize in two linked lists
*/
static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add, u_int16_t *alg, size_t *key_size)
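Review bot: In has_dh_group() the `if (iterator->get_count(iterator))` guard exists only to reach the `else if (group == MODP_NONE)` branch; the while loop already does nothing on an empty list, so the nesting hides the one rule that matters. Initialising the result up front, `result = (group == MODP_NONE && this->dh_groups->get_count(this->dh_groups) == 0);`, and then running the loop unconditionally expresses the same behaviour without the extra branch, and deserves a comment such as `/* a proposal without DH groups matches only MODP_NONE (no PFS) */` since callers negotiating PFS depend on it. The rewritten get_algorithm() hands back the algorithm_t stored in the list without cloning it, so the pointer remains owned by the proposal; that contract is only implied here.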
@@ -399,6 +410,10 @@ static proposal_t *clone_(private_proposal_t *this)
return &clone->public;
}
+/**
+ * add a algorithm identified by a string to the proposal.
+ * TODO: we could use gperf here.
+ */
static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
{
if (strncmp(alg.ptr, "null", alg.len) == 0)
@@ -443,8 +458,9 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
{
add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
}
- }
- else if (strncmp(alg.ptr, "sha256", alg.len) == 0)
+ }
+ else if (strncmp(alg.ptr, "sha256", alg.len) == 0 ||
+ strncmp(alg.ptr, "sha2_256", alg.len) == 0)
{
add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
if (this->protocol == PROTO_IKE)
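Review bot: The new alias test `strncmp(alg.ptr, "sha2_256", alg.len) == 0` compares only alg.len bytes, so any proper prefix of the keyword (a token such as `sha2_` or `sha2`) also lands in this branch and silently selects SHA-256; the pre-existing keywords share the pattern, but the added aliases widen the set of inputs that match by accident. Checking the length as well, `alg.len == strlen("sha2_256") && strncmp(alg.ptr, "sha2_256", alg.len) == 0`, keeps a mistyped algorithm string from being accepted, which matters because this is parsed configuration deciding the negotiated integrity algorithm. The same applies to the sha2_384 and sha2_512 aliases in the following hunks. add_string_algo() begins outside this hunk.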
@@ -452,7 +468,8 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0);
}
}
- else if (strncmp(alg.ptr, "sha384", alg.len) == 0)
+ else if (strncmp(alg.ptr, "sha384", alg.len) == 0 ||
+ strncmp(alg.ptr, "sha2_384", alg.len) == 0)
{
add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
if (this->protocol == PROTO_IKE)
@@ -460,7 +477,8 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0);
}
}
- else if (strncmp(alg.ptr, "sha512", alg.len) == 0)
+ else if (strncmp(alg.ptr, "sha512", alg.len) == 0 ||
+ strncmp(alg.ptr, "sha2_512", alg.len) == 0)
{
add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
if (this->protocol == PROTO_IKE)
@@ -476,6 +494,14 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
}
}
+ else if (strncmp(alg.ptr, "aesxcbc", alg.len) == 0)
+ {
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
+ if (this->protocol == PROTO_IKE)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, AUTH_AES_XCBC_96, 0);
+ }
+ }
else if (strncmp(alg.ptr, "modp768", alg.len) == 0)
{
add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0);
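Review bot: The `aesxcbc` branch registers `AUTH_AES_XCBC_96` as the PSEUDO_RANDOM_FUNCTION transform, whereas every sibling branch passes a PRF_* constant for that slot (`PRF_HMAC_SHA1`, `PRF_HMAC_SHA2_256`, `PRF_HMAC_MD5`); the IKEv2 PRF and integrity registries number their AES-XCBC entries differently, so the integrity-algorithm identifier would be proposed as the PRF transform ID on the wire. Assuming the PRF enum follows the same naming as the other entries, the line should read `add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0);`; if no such constant exists yet it needs to be added rather than borrowing the integrity value. The enclosing add_string_algo() starts outside this hunk.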
@@ -530,6 +556,7 @@ proposal_t *proposal_create(protocol_id_t protocol)
this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,size_t))add_algorithm;
this->public.create_algorithm_iterator = (iterator_t* (*)(proposal_t*,transform_type_t))create_algorithm_iterator;
this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,algorithm_t**))get_algorithm;
+ this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group;
this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal;
this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
@@ -586,11 +613,13 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
break;
case PROTO_AH:
add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
break;
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
index abcb40999..379550f44 100644
--- a/src/charon/config/proposal.h
+++ b/src/charon/config/proposal.h
@@ -102,6 +102,8 @@ extern enum_name_t *extended_sequence_numbers_names;
/**
* Struct used to store different kinds of algorithms. The internal
* lists of algorithms contain such structures.
+ *
+ * @ingroup config
*/
struct algorithm_t {
/**
@@ -162,7 +164,6 @@ struct proposal_t {
* @brief Get the algorithm for a type to use.
*
* If there are multiple algorithms, only the first is returned.
- * Result is still owned by proposal, do not modify!
*
* @param this calling object
* @param type kind of algorithm
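Review bot: The removed sentence "Result is still owned by proposal, do not modify!" is still true of the rewritten get_algorithm() in proposal.c, which returns the algorithm_t element stored in the internal list via the iterator without cloning it, so dropping the note leaves callers without the one ownership fact they need. I would restore it as ` * The returned algorithm_t is still owned by the proposal; do not modify or free it.` in this doc comment. Only the documentation is at issue; the declaration itself is unchanged.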
@@ -170,6 +171,15 @@ struct proposal_t {
* @return TRUE if algorithm of this kind available
*/
bool (*get_algorithm) (proposal_t *this, transform_type_t type, algorithm_t** algo);
+
+ /**
+ * @brief Check if the proposal has a specific DH group.
+ *
+ * @param this calling object
+ * @param group group to check for
+ * @return TRUE if algorithm included
+ */
+ bool (*has_dh_group) (proposal_t *this, diffie_hellman_group_t group);
/**
* @brief Compare two proposal, and select a matching subset.
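Review bot: The doc comment for has_dh_group() does not mention the special case its implementation has: with no DH group stored at all, the function answers TRUE for MODP_NONE and FALSE for every real group, which is exactly the distinction a PFS check relies on. The `@return` line should say so, e.g. ` * @return TRUE if the group is contained, or if group is MODP_NONE and no group is stored`. The declaration also lacks the blank line that separates every other member from the following `/**` block.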
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index 2fb012e16..b399074d1 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -167,6 +167,8 @@ static int print(FILE *stream, const struct printf_info *info,
const void *const *args)
{
private_traffic_selector_t *this = *((private_traffic_selector_t**)(args[0]));
+ linked_list_t *list = *((linked_list_t**)(args[0]));
+ iterator_t *iterator;
char addr_str[INET6_ADDRSTRLEN] = "";
char *serv_proto = NULL;
u_int8_t mask;
@@ -179,6 +181,24 @@ static int print(FILE *stream, const struct printf_info *info,
return fprintf(stream, "(null)");
}
+ if (info->alt)
+ {
+ iterator = list->create_iterator(list, TRUE);
+ while (iterator->iterate(iterator, (void**)&this))
+ {
+ /* call recursivly */
+ written += fprintf(stream, "%R ", this);
+ }
+ iterator->destroy(iterator);
+ return written;
+ }
+
+ if (this->dynamic)
+ {
+ return fprintf(stream, "dynamic/%d",
+ this->type == TS_IPV4_ADDR_RANGE ? 32 : 128);
+ }
+
if (this->type == TS_IPV4_ADDR_RANGE)
{
inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
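Review bot: The `info->alt` branch reinterprets the single vararg slot, read once as `private_traffic_selector_t*` and once as `linked_list_t*`, with nothing verifying which type the caller actually passed, so `%#R` with a selector or `%R` with a list walks the wrong structure; this overload should be stated where `list` is declared, e.g. `/* with the '#' flag (%#R) args[0] is a linked_list_t of traffic selectors, otherwise a single traffic_selector_t */`, and the same fact belongs in the header that documents the printf hook. Each element is also emitted as `"%R "`, so the list form always ends in a trailing blank that will show up in log lines. `written` is not declared inside this hunk; I assume it is initialised to 0 earlier in print().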
diff --git a/src/charon/control/interface_manager.c b/src/charon/control/interface_manager.c
new file mode 100644
index 000000000..700174c5b
--- /dev/null
+++ b/src/charon/control/interface_manager.c
@@ -0,0 +1,705 @@
+/**
+ * @file interface_manager.c
+ *
+ * @brief Implementation of interface_manager_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "interface_manager.h"
+
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <dlfcn.h>
+
+#include <daemon.h>
+#include <library.h>
+#include <control/interfaces/interface.h>
+
+
+typedef struct private_interface_manager_t private_interface_manager_t;
+typedef struct interface_bus_listener_t interface_bus_listener_t;
+
+/**
+ * Private data of an stroke_t object.
+ */
+struct private_interface_manager_t {
+
+ /**
+ * Public part of stroke_t object.
+ */
+ interface_manager_t public;
+
+ /**
+ * a list of all loaded interfaces
+ */
+ linked_list_t *interfaces;
+
+ /**
+ * dlopen() handles of interfaces
+ */
+ linked_list_t *handles;
+};
+
+/**
+ * helper struct to map bus listener callbacks to interface callbacks
+ */
+struct interface_bus_listener_t {
+
+ /**
+ * bus listener callback function (called)
+ */
+ bus_listener_t listener;
+
+ /**
+ * IKE_SA to use for message filtering
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * interface callback (listener gets redirected to here)
+ */
+ interface_manager_cb_t callback;
+
+ /**
+ * user parameter to pass to callback
+ */
+ void *param;
+
+ /**
+ * caller has cancelled its listening subscription
+ */
+ bool cancelled;
+};
+
+/**
+ * Implementation of interface_manager_t.create_ike_sa_iterator.
+ */
+static iterator_t* create_ike_sa_iterator(interface_manager_t *this)
+{
+ return charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
+}
+
+/**
+ * listener function for initiate
+ */
+static bool initiate_listener(interface_bus_listener_t *this, signal_t signal,
+ level_t level, int thread, ike_sa_t *ike_sa,
+ char* format, va_list args)
+{
+ if (this->ike_sa == ike_sa)
+ {
+ if (!this->callback(this->param, signal, level, ike_sa, format, args))
+ {
+ this->cancelled = TRUE;
+ return FALSE;
+ }
+ switch (signal)
+ {
+ case IKE_UP_FAILED:
+ case CHILD_UP_FAILED:
+ case CHILD_UP_SUCCESS:
+ {
+ return FALSE;
+ }
+ default:
+ break;
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * listener function for terminate_ike
+ */
+static bool terminate_ike_listener(interface_bus_listener_t *this, signal_t signal,
+ level_t level, int thread, ike_sa_t *ike_sa,
+ char* format, va_list args)
+{
+ if (this->ike_sa == ike_sa)
+ {
+ if (!this->callback(this->param, signal, level, ike_sa, format, args))
+ {
+ this->cancelled = TRUE;
+ return FALSE;
+ }
+ switch (signal)
+ {
+ case IKE_DOWN_FAILED:
+ case IKE_DOWN_SUCCESS:
+ {
+ return FALSE;
+ }
+ default:
+ break;
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * listener function for terminate_child
+ */
+static bool terminate_child_listener(interface_bus_listener_t *this, signal_t signal,
+ level_t level, int thread, ike_sa_t *ike_sa,
+ char* format, va_list args)
+{
+ if (this->ike_sa == ike_sa)
+ {
+ if (!this->callback(this->param, signal, level, ike_sa, format, args))
+ {
+ this->cancelled = TRUE;
+ return FALSE;
+ }
+ switch (signal)
+ {
+ case IKE_DOWN_FAILED:
+ case IKE_DOWN_SUCCESS:
+ case CHILD_DOWN_FAILED:
+ case CHILD_DOWN_SUCCESS:
+ {
+ return FALSE;
+ }
+ default:
+ break;
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * listener function for route
+ */
+static bool route_listener(interface_bus_listener_t *this, signal_t signal,
+ level_t level, int thread, ike_sa_t *ike_sa,
+ char* format, va_list args)
+{
+ if (this->ike_sa == ike_sa)
+ {
+ if (!this->callback(this->param, signal, level, ike_sa, format, args))
+ {
+ this->cancelled = TRUE;
+ return FALSE;
+ }
+ switch (signal)
+ {
+ case CHILD_ROUTE_SUCCESS:
+ case CHILD_ROUTE_FAILED:
+ {
+ return FALSE;
+ }
+ default:
+ break;
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * listener function for unroute
+ */
+static bool unroute_listener(interface_bus_listener_t *this, signal_t signal,
+ level_t level, int thread, ike_sa_t *ike_sa,
+ char* format, va_list args)
+{
+ if (this->ike_sa == ike_sa)
+ {
+ if (!this->callback(this->param, signal, level, ike_sa, format, args))
+ {
+ this->cancelled = TRUE;
+ return FALSE;
+ }
+ switch (signal)
+ {
+ case CHILD_UNROUTE_SUCCESS:
+ case CHILD_UNROUTE_FAILED:
+ {
+ return FALSE;
+ }
+ default:
+ break;
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * remove a previously registered listener from the bus
+ */
+static void remove_listener(interface_bus_listener_t *listener)
+{
+ charon->bus->remove_listener(charon->bus, &listener->listener);
+}
+
+/**
+ * Implementation of interface_manager_t.initiate.
+ */
+static status_t initiate(private_interface_manager_t *this,
+ peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ interface_manager_cb_t callback, void *param)
+{
+ ike_sa_t *ike_sa;
+ ike_cfg_t *ike_cfg;
+ status_t retval = FAILED;
+ interface_bus_listener_t listener;
+
+ ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
+ ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager,
+ ike_cfg->get_my_host(ike_cfg), ike_cfg->get_other_host(ike_cfg),
+ peer_cfg->get_my_id(peer_cfg), peer_cfg->get_other_id(peer_cfg));
+
+ if (ike_sa->get_peer_cfg(ike_sa) == NULL)
+ {
+ ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+ }
+ peer_cfg->destroy(peer_cfg);
+
+ listener.listener.signal = (void*)initiate_listener;
+ listener.callback = callback;
+ listener.ike_sa = ike_sa;
+ listener.param = param;
+ listener.cancelled = FALSE;
+
+ /* we listen passively to catch the signals we are raising in
+ * ike_sa->delete(). */
+ if (callback)
+ {
+ charon->bus->add_listener(charon->bus, &listener.listener);
+ }
+ charon->bus->set_listen_state(charon->bus, TRUE);
+ if (ike_sa->initiate(ike_sa, child_cfg) != SUCCESS)
+ {
+ charon->bus->set_listen_state(charon->bus, FALSE);
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+ return FAILED;
+ }
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+
+ /* wait until we get a result */
+ while (TRUE)
+ {
+ level_t level;
+ signal_t signal;
+ int thread;
+ ike_sa_t *current;
+ char* format;
+ va_list args;
+
+ /* stop listening if the passive listener returned FALSE */
+ if (listener.cancelled)
+ {
+ retval = NEED_MORE;
+ break;
+ }
+ pthread_cleanup_push((void*)remove_listener, &listener);
+ signal = charon->bus->listen(charon->bus, &level, &thread,
+ &current, &format, &args);
+ pthread_cleanup_pop(0);
+ /* ike_sa is a valid pointer until we get one of the signals */
+ if (ike_sa == current)
+ {
+ switch (signal)
+ {
+ case CHILD_UP_SUCCESS:
+ retval = SUCCESS;
+ case CHILD_UP_FAILED:
+ case IKE_UP_FAILED:
+ break;
+ default:
+ continue;
+ }
+ break;
+ }
+ }
+ charon->bus->set_listen_state(charon->bus, FALSE);
+ return retval;
+}
+
+/**
+ * Implementation of interface_manager_t.terminate_ike.
+ */
+static status_t terminate_ike(interface_manager_t *this, u_int32_t unique_id,
+ interface_manager_cb_t callback, void *param)
+{
+ ike_sa_t *ike_sa;
+ status_t status = FAILED;;
+ interface_bus_listener_t listener;
+
+ ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+ unique_id, FALSE);
+ if (ike_sa == NULL)
+ {
+ return NOT_FOUND;
+ }
+
+ /* we listen passively to catch the signals we are raising in
+ * ike_sa->delete(). */
+ listener.listener.signal = (void*)terminate_ike_listener;
+ listener.callback = callback;
+ listener.ike_sa = ike_sa;
+ listener.param = param;
+ listener.cancelled = FALSE;
+ if (callback)
+ {
+ charon->bus->add_listener(charon->bus, &listener.listener);
+ }
+ charon->bus->set_listen_state(charon->bus, TRUE);
+ status = ike_sa->delete(ike_sa);
+ if (status == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+
+ /* wait until IKE_SA is cleanly deleted using a delete message */
+ while (TRUE)
+ {
+ level_t level;
+ signal_t signal;
+ int thread;
+ ike_sa_t *current;
+ char* format;
+ va_list args;
+
+ /* stop listening if the passive listener returned FALSE */
+ if (listener.cancelled)
+ {
+ status = NEED_MORE;
+ break;
+ }
+ pthread_cleanup_push((void*)remove_listener, &listener);
+ signal = charon->bus->listen(charon->bus, &level, &thread,
+ &current, &format, &args);
+ pthread_cleanup_pop(0);
+
+ /* even if we checked in the IKE_SA, the pointer is valid until
+ * we get an IKE_DOWN_... */
+ if (ike_sa == current)
+ {
+ switch (signal)
+ {
+ case IKE_DOWN_FAILED:
+ case IKE_DOWN_SUCCESS:
+ {
+ status = SUCCESS;
+ break;
+ }
+ default:
+ continue;
+ }
+ break;
+ }
+ }
+ }
+ charon->bus->set_listen_state(charon->bus, FALSE);
+
+ return status;
+}
+
+/**
+ * Implementation of interface_manager_t.terminate_child.
+ */
+static status_t terminate_child(interface_manager_t *this, u_int32_t reqid,
+ interface_manager_cb_t callback, void *param)
+{
+ ike_sa_t *ike_sa;
+ child_sa_t *child_sa;
+ iterator_t *iterator;
+ status_t status = FAILED;
+ interface_bus_listener_t listener;
+
+ ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+ reqid, TRUE);
+ if (ike_sa == NULL)
+ {
+ return NOT_FOUND;
+ }
+
+ iterator = ike_sa->create_child_sa_iterator(ike_sa);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ if (child_sa->get_state(child_sa) != CHILD_ROUTED &&
+ child_sa->get_reqid(child_sa) == reqid)
+ {
+ break;
+ }
+ child_sa = NULL;
+ }
+ iterator->destroy(iterator);
+
+ if (child_sa == NULL)
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ return NOT_FOUND;
+ }
+
+ listener.listener.signal = (void*)terminate_child_listener;
+ listener.callback = callback;
+ listener.ike_sa = ike_sa;
+ listener.param = param;
+ listener.cancelled = FALSE;
+
+ /* we listen passively to catch the signals we are raising */
+ if (callback)
+ {
+ charon->bus->add_listener(charon->bus, &listener.listener);
+ }
+ charon->bus->set_listen_state(charon->bus, TRUE);
+ status = ike_sa->delete_child_sa(ike_sa, child_sa->get_protocol(child_sa),
+ child_sa->get_spi(child_sa, TRUE));
+ if (status == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+
+ /* wait until CHILD_SA is cleanly deleted using a delete message */
+ while (TRUE)
+ {
+ level_t level;
+ signal_t signal;
+ int thread;
+ ike_sa_t *current;
+ char* format;
+ va_list args;
+
+ /* stop listening if the passive listener returned FALSE */
+ if (listener.cancelled)
+ {
+ status = NEED_MORE;
+ break;
+ }
+ pthread_cleanup_push((void*)remove_listener, &listener);
+ signal = charon->bus->listen(charon->bus, &level, &thread,
+ &current, &format, &args);
+ pthread_cleanup_pop(0);
+ /* even if we checked in the IKE_SA, the pointer is valid until
+ * we get an IKE_DOWN_... */
+ if (ike_sa == current)
+ {
+ switch (signal)
+ {
+ case IKE_DOWN_FAILED:
+ case IKE_DOWN_SUCCESS:
+ case CHILD_DOWN_FAILED:
+ case CHILD_DOWN_SUCCESS:
+ {
+ status = SUCCESS;
+ break;
+ }
+ default:
+ continue;
+ }
+ break;
+ }
+ }
+ }
+ charon->bus->set_listen_state(charon->bus, FALSE);
+
+ return status;
+}
+
+/**
+ * Implementation of interface_manager_t.route.
+ */
+static status_t route(interface_manager_t *this,
+ peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ interface_manager_cb_t callback, void *param)
+{
+ ike_sa_t *ike_sa;
+ ike_cfg_t *ike_cfg;
+ status_t status = SUCCESS;
+
+ ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
+
+ ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager,
+ ike_cfg->get_my_host(ike_cfg), ike_cfg->get_other_host(ike_cfg),
+ peer_cfg->get_my_id(peer_cfg), peer_cfg->get_other_id(peer_cfg));
+
+ if (ike_sa->get_peer_cfg(ike_sa) == NULL)
+ {
+ ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+ }
+
+ /* we listen passively only, as routing is done by one thread only */
+ if (callback)
+ {
+ interface_bus_listener_t listener;
+
+ listener.listener.signal = (void*)route_listener;
+ listener.callback = callback;
+ listener.ike_sa = ike_sa;
+ listener.param = param;
+ listener.cancelled = FALSE;
+ charon->bus->add_listener(charon->bus, &listener.listener);
+ }
+
+ if (ike_sa->route(ike_sa, child_cfg) != SUCCESS)
+ {
+ status = FAILED;
+ }
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ return status;
+}
+
+/**
+ * Implementation of interface_manager_t.unroute.
+ */
+static status_t unroute(interface_manager_t *this, u_int32_t reqid,
+ interface_manager_cb_t callback, void *param)
+{
+ ike_sa_t *ike_sa;
+ status_t status;
+
+ ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+ reqid, TRUE);
+ if (ike_sa == NULL)
+ {
+ return NOT_FOUND;
+ }
+
+ /* we listen passively only, as routing is done by one thread only */
+ if (callback)
+ {
+ interface_bus_listener_t listener;
+
+ listener.listener.signal = (void*)unroute_listener;
+ listener.callback = callback;
+ listener.ike_sa = ike_sa;
+ listener.param = param;
+ listener.cancelled = FALSE;
+ charon->bus->add_listener(charon->bus, &listener.listener);
+ }
+ status = ike_sa->unroute(ike_sa, reqid);
+ if (status == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+ status = SUCCESS;
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ return status;
+}
+
+/**
+ * load the control interface modules
+ */
+static void load_interfaces(private_interface_manager_t *this)
+{
+ struct dirent* entry;
+ DIR* dir;
+
+ dir = opendir(IPSEC_INTERFACEDIR);
+ if (dir == NULL)
+ {
+ DBG1(DBG_CFG, "error opening interface modules directory "IPSEC_INTERFACEDIR);
+ return;
+ }
+
+ DBG1(DBG_CFG, "loading control interface modules from '"IPSEC_INTERFACEDIR"'");
+
+ while ((entry = readdir(dir)) != NULL)
+ {
+ char file[256];
+ interface_t *interface;
+ interface_constructor_t constructor;
+ void *handle;
+ char *ending;
+
+ snprintf(file, sizeof(file), IPSEC_INTERFACEDIR"/%s", entry->d_name);
+
+ ending = entry->d_name + strlen(entry->d_name) - 3;
+ if (ending <= entry->d_name || !streq(ending, ".so"))
+ {
+ /* skip anything which does not look like a library */
+ DBG2(DBG_CFG, " skipping %s, doesn't look like a library",
+ entry->d_name);
+ continue;
+ }
+ /* try to load the library */
+ handle = dlopen(file, RTLD_LAZY);
+ if (handle == NULL)
+ {
+ DBG1(DBG_CFG, " opening control interface module %s failed: %s",
+ entry->d_name, dlerror());
+ continue;
+ }
+ constructor = dlsym(handle, "interface_create");
+ if (constructor == NULL)
+ {
+ DBG1(DBG_CFG, " interface module %s has no interface_create() "
+ "function, skipped", entry->d_name);
+ dlclose(handle);
+ continue;
+ }
+
+ interface = constructor();
+ if (interface == NULL)
+ {
+ DBG1(DBG_CFG, " unable to create instance of interface "
+ "module %s, skipped", entry->d_name);
+ dlclose(handle);
+ continue;
+ }
+ DBG1(DBG_CFG, " loaded control interface module successfully from %s", entry->d_name);
+ this->interfaces->insert_last(this->interfaces, interface);
+ this->handles->insert_last(this->handles, handle);
+ }
+ closedir(dir);
+}
+
+
+/**
+ * Implementation of stroke_t.destroy.
+ */
+static void destroy(private_interface_manager_t *this)
+{
+ this->interfaces->destroy_offset(this->interfaces, offsetof(interface_t, destroy));
+ this->handles->destroy_function(this->handles, (void*)dlclose);
+ free(this);
+}
+
+/*
+ * Described in header-file
+ */
+interface_manager_t *interface_manager_create(void)
+{
+ private_interface_manager_t *this = malloc_thing(private_interface_manager_t);
+
+ this->public.create_ike_sa_iterator = (iterator_t*(*)(interface_manager_t*))create_ike_sa_iterator;
+ this->public.initiate = (status_t(*)(interface_manager_t*,peer_cfg_t*,child_cfg_t*,bool(*)(void*,signal_t,level_t,ike_sa_t*,char*,va_list),void*))initiate;
+ this->public.terminate_ike = (status_t(*)(interface_manager_t*,u_int32_t,interface_manager_cb_t, void*))terminate_ike;
+ this->public.terminate_child = (status_t(*)(interface_manager_t*,u_int32_t,interface_manager_cb_t, void *param))terminate_child;
+ this->public.route = (status_t(*)(interface_manager_t*,peer_cfg_t*, child_cfg_t*,interface_manager_cb_t,void*))route;
+ this->public.unroute = (status_t(*)(interface_manager_t*,u_int32_t,interface_manager_cb_t,void*))unroute;
+ this->public.destroy = (void (*)(interface_manager_t*))destroy;
+
+ this->interfaces = linked_list_create();
+ this->handles = linked_list_create();
+
+ load_interfaces(this);
+
+ return &this->public;
+}
+
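Review bot: load_interfaces() dlopen()s every directory entry whose name ends in `.so` under IPSEC_INTERFACEDIR without checking what the file is or who can write it, so a symlink or a group/world-writable object dropped there is executed inside the daemon's process; a stat() gate before dlopen() is cheap and <sys/stat.h> is already included. Separately, initiate(), route() and unroute() register a stack-allocated `listener` with charon->bus, but only the listen() loop carries a pthread_cleanup handler that removes it; on the `ike_sa->initiate(ike_sa, child_cfg) != SUCCESS` early return and at the end of route()/unroute() nothing removes it explicitly, so unless the bus drops a listener whose callback returned FALSE (not visible here) it keeps a pointer into a dead frame. An explicit `remove_listener(&listener);` on those paths would make the lifetime independent of which signals happened to fire. initiate() also consumes its peer_cfg (`peer_cfg->destroy(peer_cfg)`) while route() does not, so the ownership rule for that argument differs between the two entry points and should be stated in interface_manager.h.
```c
		/* … unchanged: snprintf of the path and the ".so" suffix check … */
		struct stat st;

		/* only load regular files that nobody but the owner may write; anything
		 * else placed in IPSEC_INTERFACEDIR would run inside the daemon */
		if (stat(file, &st) != 0 || !S_ISREG(st.st_mode) ||
			(st.st_mode & (S_IWGRP | S_IWOTH)))
		{
			DBG1(DBG_CFG, "  skipping %s, not a regular non-writable file",
				 entry->d_name);
			continue;
		}
		/* try to load the library */
		handle = dlopen(file, RTLD_LAZY);
		/* … unchanged: dlsym of interface_create() and instance creation … */
```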
diff --git a/src/charon/control/interface_manager.h b/src/charon/control/interface_manager.h
new file mode 100644
index 000000000..06a5fe6c4
--- /dev/null
+++ b/src/charon/control/interface_manager.h
@@ -0,0 +1,192 @@
+/**
+ * @file interface_manager.h
+ *
+ * @brief Interface of interface_manager_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef INTERFACE_MANAGER_H_
+#define INTERFACE_MANAGER_H_
+
+#include <bus/bus.h>
+
+/**
+ * callback to log things triggered by interface_manager.
+ *
+ * @param param echoed parameter supplied when function invoked
+ * @param signal type of signal
+ * @param level verbosity level if log
+ * @param ike_sa associated IKE_SA, if any
+ * @param format printf like format string
+ * @param args list of arguments to use for format
+ * @return FALSE to return from invoked function
+ * @ingroup control
+ */
+typedef bool(*interface_manager_cb_t)(void* param, signal_t signal, level_t level,
+ ike_sa_t* ike_sa, char* format, va_list args);
+
+typedef struct interface_manager_t interface_manager_t;
+
+/**
+ * @brief The interface_manager loads control interfaces and has helper methods.
+ *
+ * One job of the interface manager is to load pluggable control interface
+ * modules, implemented as interface_t.
+ * @verbatim
+
+ +---------+ +------------+ +--------------+ |
+ | | | |<----- +--------------+ | |
+ | daemon |<-----| interface- | +--------------+ |-+ <==|==> IPC
+ | core | | manager |<----| interfaces |-+ |
+ | |<-----| | +--------------+ |
+ | | | | |
+ +---------+ +------------+ |
+
+ @endverbatim
+ * The manager does not really use the interfaces, instead, the interface
+ * use the manager to fullfill their tasks (initiating, terminating, ...).
+ * The interface_manager starts actions by creating jobs. It then tries to
+ * evaluate the result of the operation by listening on the bus.
+ *
+ * @b Constructors:
+ * - interface_manager_create()
+ *
+ * @ingroup control
+ */
+struct interface_manager_t {
+
+ /**
+ * @brief Create an iterator for all IKE_SAs.
+ *
+ * The iterator blocks the IKE_SA manager until it gets destroyed. Do
+ * not call another interface/manager method while the iterator is alive.
+ *
+ * @param this calling object
+ * @return iterator, locks IKE_SA manager until destroyed
+ */
+ iterator_t* (*create_ike_sa_iterator)(interface_manager_t *this);
+
+ /**
+ * @brief Initiate a CHILD_SA, and if required, an IKE_SA.
+ *
+ * The inititate() function is synchronous and thus blocks until the
+ * IKE_SA is established or failed. Because of this, the initiate() function
+ * contains a thread cancellation point.
+ *
+ * @param this calling object
+ * @param peer_cfg peer_cfg to use for IKE_SA setup
+ * @param child_cfg child_cfg to set up CHILD_SA from
+ * @param cb logging callback
+ * @param param parameter to include in each call of cb
+ * @return
+ * - SUCCESS, if CHILD_SA established
+ * - FAILED, if setup failed
+ * - NEED_MORE, if callback returned FALSE
+ */
+ status_t (*initiate)(interface_manager_t *this,
+ peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ interface_manager_cb_t callback, void *param);
+
+ /**
+ * @brief Terminate an IKE_SA and all of its CHILD_SAs.
+ *
+ * The terminate() function is synchronous and thus blocks until the
+ * IKE_SA is properly deleted, or the delete timed out.
+ * The terminate() function contains a thread cancellation point.
+ *
+ * @param this calling object
+ * @param unique_id unique id of the IKE_SA to terminate.
+ * @param cb logging callback
+ * @param param parameter to include in each call of cb
+ * @return
+ * - SUCCESS, if CHILD_SA terminated
+ * - NOT_FOUND, if no such CHILD_SA found
+ * - NEED_MORE, if callback returned FALSE
+ */
+ status_t (*terminate_ike)(interface_manager_t *this, u_int32_t unique_id,
+ interface_manager_cb_t callback, void *param);
+
+ /**
+ * @brief Terminate a CHILD_SA.
+ *
+ * @param this calling object
+ * @param reqid reqid of the CHILD_SA to terminate
+ * @param cb logging callback
+ * @param param parameter to include in each call of cb
+ * @return
+ * - SUCCESS, if CHILD_SA terminated
+ * - NOT_FOUND, if no such CHILD_SA found
+ * - NEED_MORE, if callback returned FALSE
+ */
+ status_t (*terminate_child)(interface_manager_t *this, u_int32_t reqid,
+ interface_manager_cb_t callback, void *param);
+
+ /**
+ * @brief Route a CHILD_SA (install triggering policies).
+ *
+ * @param this calling object
+ * @param peer_cfg peer_cfg to use for IKE_SA setup, if triggered
+ * @param child_cfg child_cfg to route
+ * @param cb logging callback
+ * @param param parameter to include in each call of cb
+ * @return
+ * - SUCCESS, if CHILD_SA routed
+ * - FAILED, if routing failed
+ * - NEED_MORE, if callback returned FALSE
+ */
+ status_t (*route)(interface_manager_t *this,
+ peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ interface_manager_cb_t callback, void *param);
+
+ /**
+ * @brief Unroute a routed CHILD_SA (uninstall triggering policies).
+ *
+ * Only the route is removed, not the CHILD_SAs the route triggered.
+ *
+ * @param this calling object
+ * @param reqid reqid of the CHILD_SA to unroute
+ * @param cb logging callback
+ * @param param parameter to include in each call of cb
+ * @return
+ * - SUCCESS, if CHILD_SA terminated
+ * - NOT_FOUND, if no such CHILD_SA routed
+ * - NEED_MORE, if callback returned FALSE
+ */
+ status_t (*unroute)(interface_manager_t *this, u_int32_t reqid,
+ interface_manager_cb_t callback, void *param);
+
+ /**
+ * @brief Destroy a interface_manager_t instance.
+ *
+ * @param this interface_manager_t objec to destroy
+ */
+ void (*destroy) (interface_manager_t *this);
+};
+
+
+/**
+ * @brief Creates a interface_manager instance and loads all interface modules.
+ *
+ * @return interface_manager_t object
+ *
+ * @ingroup control
+ */
+interface_manager_t *interface_manager_create(void);
+
+#endif /* INTERFACE_MANAGER_H_ */
+
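Review bot: The @return documentation on terminate_ike and unroute was copied from terminate_child and describes the wrong object: terminate_ike takes the unique id of an IKE_SA yet documents `SUCCESS, if CHILD_SA terminated` / `NOT_FOUND, if no such CHILD_SA found`, and unroute documents `SUCCESS, if CHILD_SA terminated` although it only uninstalls the trap policy (as its own text two lines above says). Suggested wording for terminate_ike is `SUCCESS, if IKE_SA terminated` / `NOT_FOUND, if no such IKE_SA found`, and for unroute `SUCCESS, if CHILD_SA unrouted`. In the same header every `@param cb` line names a parameter that is actually called `callback` in the prototype, so Doxygen will flag them; renaming the tags to `@param callback` fixes that. It would also help callers to state on initiate and terminate_ike whether the callback may be NULL, since dbus_interface.c passes NULL for terminate_ike and terminate_child.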
diff --git a/src/charon/control/interfaces/dbus_interface.c b/src/charon/control/interfaces/dbus_interface.c
new file mode 100644
index 000000000..443df635c
--- /dev/null
+++ b/src/charon/control/interfaces/dbus_interface.c
@@ -0,0 +1,479 @@
+/**
+ * @file dbus_interface.c
+ *
+ * @brief Implementation of dbus_interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define DBUS_API_SUBJECT_TO_CHANGE
+#include <dbus/dbus.h>
+#include <NetworkManager/NetworkManager.h>
+#include <NetworkManager/NetworkManagerVPN.h>
+#include <stdlib.h>
+
+#include "dbus_interface.h"
+
+#include <library.h>
+#include <daemon.h>
+
+
+#define NM_DBUS_SERVICE_STRONG "org.freedesktop.NetworkManager.strongswan"
+#define NM_DBUS_INTERFACE_STRONG "org.freedesktop.NetworkManager.strongswan"
+#define NM_DBUS_PATH_STRONG "/org/freedesktop/NetworkManager/strongswan"
+
+typedef struct private_dbus_interface_t private_dbus_interface_t;
+
+/**
+ * Private data of an dbus_interface_t object.
+ */
+struct private_dbus_interface_t {
+
+ /**
+ * Public part of dbus_t object.
+ */
+ dbus_interface_t public;
+
+ /**
+ * DBUS connection
+ */
+ DBusConnection* conn;
+
+ /**
+ * error value used here and there
+ */
+ DBusError err;
+
+ /**
+ * state of the daemon
+ */
+ NMVPNState state;
+
+ /**
+ * dispatcher thread for DBUS messages
+ */
+ pthread_t thread;
+
+ /**
+ * name of the currently active connection
+ */
+ char *name;
+};
+
+/**
+ * set daemon state and send StateChange signal to the bus
+ */
+static void set_state(private_dbus_interface_t *this, NMVPNState state)
+{
+ DBusMessage* msg;
+
+ msg = dbus_message_new_signal(NM_DBUS_PATH_STRONG, NM_DBUS_INTERFACE_STRONG, NM_DBUS_VPN_SIGNAL_STATE_CHANGE);
+
+ if (!dbus_message_append_args(msg, DBUS_TYPE_UINT32, &this->state,
+ DBUS_TYPE_UINT32, &state, DBUS_TYPE_INVALID) ||
+ !dbus_connection_send(this->conn, msg, NULL))
+ {
+ DBG1(DBG_CFG, "unable to send DBUS StateChange signal");
+ }
+ dbus_connection_flush(this->conn);
+ dbus_message_unref(msg);
+ this->state = state;
+}
+
+
+/**
+ * get the child_cfg with the same name as the peer cfg
+ */
+static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
+{
+ child_cfg_t *current, *found = NULL;
+ iterator_t *iterator;
+
+ iterator = peer_cfg->create_child_cfg_iterator(peer_cfg);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (streq(current->get_name(current), name))
+ {
+ found = current;
+ found->get_ref(found);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * get a peer configuration by its name, or a name of its children
+ */
+static peer_cfg_t *get_peer_cfg_by_name(char *name)
+{
+ iterator_t *i1, *i2;
+ peer_cfg_t *current, *found = NULL;
+ child_cfg_t *child;
+
+ i1 = charon->backends->create_iterator(charon->backends);
+ while (i1->iterate(i1, (void**)&current))
+ {
+ /* compare peer_cfgs name first */
+ if (streq(current->get_name(current), name))
+ {
+ found = current;
+ found->get_ref(found);
+ break;
+ }
+ /* compare all child_cfg names otherwise */
+ i2 = current->create_child_cfg_iterator(current);
+ while (i2->iterate(i2, (void**)&child))
+ {
+ if (streq(child->get_name(child), name))
+ {
+ found = current;
+ found->get_ref(found);
+ break;
+ }
+ }
+ i2->destroy(i2);
+ if (found)
+ {
+ break;
+ }
+ }
+ i1->destroy(i1);
+ return found;
+}
+
+/**
+ * logging dummy
+ */
+static bool dbus_log(void *param, signal_t signal, level_t level,
+ ike_sa_t *ike_sa, char *format, va_list args)
+{
+ return TRUE;
+}
+
+
+/**
+ * process NetworkManagers startConnection method call
+ */
+static bool start_connection(private_dbus_interface_t *this, DBusMessage* msg)
+{
+ DBusMessage *reply, *signal;
+ char *name, *user, **data, **passwords, **routes;
+ int data_count, passwords_count, routes_count;
+ u_int32_t me, other, p2p, netmask, mss;
+ char *dev, *domain, *banner;
+ const dbus_int32_t array[] = {};
+ const dbus_int32_t *varray = array;
+ peer_cfg_t *peer_cfg;
+ child_cfg_t *child_cfg;
+ status_t status = FAILED;
+
+ dbus_error_free(&this->err);
+
+ if (!dbus_message_get_args(msg, &this->err,
+ DBUS_TYPE_STRING, &name, DBUS_TYPE_STRING, &user,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &passwords, &passwords_count,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &data, &data_count,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &routes, &routes_count,
+ DBUS_TYPE_INVALID))
+ {
+ return FALSE;
+ }
+ set_state(this, NM_VPN_STATE_STARTING);
+
+ peer_cfg = get_peer_cfg_by_name(name);
+ if (peer_cfg)
+ {
+ free(this->name);
+ this->name = strdup(peer_cfg->get_name(peer_cfg));
+ child_cfg = get_child_from_peer(peer_cfg, name);
+ if (child_cfg)
+ {
+ status = charon->interfaces->initiate(charon->interfaces, peer_cfg,
+ child_cfg, dbus_log, NULL);
+ }
+ else
+ {
+ peer_cfg->destroy(peer_cfg);
+ }
+ }
+ reply = dbus_message_new_method_return(msg);
+ dbus_connection_send(this->conn, reply, NULL);
+ dbus_message_unref(reply);
+
+ if (status == SUCCESS)
+ {
+
+ set_state(this, NM_VPN_STATE_STARTED);
+ signal = dbus_message_new_signal(NM_DBUS_PATH_STRONG,
+ NM_DBUS_INTERFACE_STRONG,
+ NM_DBUS_VPN_SIGNAL_IP4_CONFIG);
+ me = other = p2p = mss = netmask = 0;
+ dev = domain = banner = "";
+ if (dbus_message_append_args(signal,
+ DBUS_TYPE_UINT32, &other,
+ DBUS_TYPE_STRING, &dev,
+ DBUS_TYPE_UINT32, &me,
+ DBUS_TYPE_UINT32, &p2p,
+ DBUS_TYPE_UINT32, &netmask,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_UINT32, &varray, 0,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_UINT32, &varray, 0,
+ DBUS_TYPE_UINT32, &mss,
+ DBUS_TYPE_STRING, &domain,
+ DBUS_TYPE_STRING, &banner, DBUS_TYPE_INVALID))
+ {
+ dbus_connection_send(this->conn, signal, NULL);
+ }
+ dbus_message_unref(signal);
+ }
+ else
+ {
+ set_state(this, NM_VPN_STATE_STOPPED);
+ }
+
+ dbus_connection_flush(this->conn);
+ return TRUE;
+}
+
+/**
+ * process NetworkManagers stopConnection method call
+ */
+static bool stop_connection(private_dbus_interface_t *this, DBusMessage* msg)
+{
+ u_int32_t id;
+ iterator_t *iterator;
+ ike_sa_t *ike_sa;
+
+ if (this->name == NULL)
+ {
+ return FALSE;
+ }
+
+ dbus_error_free(&this->err);
+
+ set_state(this, NM_VPN_STATE_STOPPING);
+
+ iterator = charon->interfaces->create_ike_sa_iterator(charon->interfaces);
+ while (iterator->iterate(iterator, (void**)&ike_sa))
+ {
+ child_sa_t *child_sa;
+ iterator_t *children;
+
+ if (this->name && streq(this->name, ike_sa->get_name(ike_sa)))
+ {
+ id = ike_sa->get_unique_id(ike_sa);
+ iterator->destroy(iterator);
+ charon->interfaces->terminate_ike(charon->interfaces, id, NULL, NULL);
+ set_state(this, NM_VPN_STATE_STOPPED);
+ return TRUE;;
+ }
+ children = ike_sa->create_child_sa_iterator(ike_sa);
+ while (children->iterate(children, (void**)&child_sa))
+ {
+ if (this->name && streq(this->name, child_sa->get_name(child_sa)))
+ {
+ id = child_sa->get_reqid(child_sa);
+ children->destroy(children);
+ iterator->destroy(iterator);
+ charon->interfaces->terminate_child(charon->interfaces, id, NULL, NULL);
+ set_state(this, NM_VPN_STATE_STOPPED);
+ return TRUE;
+ }
+ }
+ children->destroy(children);
+ }
+ iterator->destroy(iterator);
+ set_state(this, NM_VPN_STATE_STOPPED);
+ return TRUE;
+}
+
+/**
+ * process NetworkManagers getState method call
+ */
+static bool get_state(private_dbus_interface_t *this, DBusMessage* msg)
+{
+ DBusMessage* reply;
+ reply = dbus_message_new_method_return(msg);
+ if (!reply || !dbus_message_append_args(reply,
+ DBUS_TYPE_UINT32, &this->state,
+ DBUS_TYPE_INVALID))
+ {
+ return FALSE;
+ }
+ dbus_connection_send(this->conn, reply, NULL);
+ return TRUE;
+}
+
+/**
+ * Handle incoming messages
+ */
+static DBusHandlerResult message_handler(DBusConnection *con, DBusMessage *msg,
+ private_dbus_interface_t *this)
+{
+ bool handled;
+
+ if (dbus_message_is_method_call(msg, NM_DBUS_INTERFACE_STRONG,
+ "startConnection"))
+ {
+ handled = start_connection(this, msg);
+ }
+ else if (dbus_message_is_method_call(msg, NM_DBUS_INTERFACE_STRONG,
+ "stopConnection"))
+ {
+ handled = stop_connection(this, msg);
+ }
+ else if (dbus_message_is_method_call(msg, NM_DBUS_INTERFACE_STRONG,
+ "getState"))
+ {
+ handled = get_state(this, msg);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "ignoring DBUS message %s.%s",
+ dbus_message_get_interface(msg), dbus_message_get_member(msg));
+ handled = FALSE;
+ }
+
+ if (handled)
+ {
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+}
+
+/**
+ * Handle received signals
+
+static DBusHandlerResult signal_handler(DBusConnection *con, DBusMessage *msg,
+ private_dbus_interface_t *this)
+{
+ bool handled;
+
+ if (dbus_message_is_signal(msg, NM_DBUS_INTERFACE, "VPNConnectionStateChange"))
+ {
+ NMVPNState state;
+ char *name;
+
+ if (dbus_message_get_args(msg, &this->err, DBUS_TYPE_STRING, &name,
+ DBUS_TYPE_UINT32, &state, DBUS_TYPE_INVALID))
+ {
+ DBG1(DBG_CFG, "got state %d for %s", state, name);
+ }
+ handled = TRUE;
+ }
+ else
+ {
+ DBG1(DBG_CFG, "ignoring DBUS signal %s.%s",
+ dbus_message_get_interface(msg), dbus_message_get_member(msg));
+ handled = FALSE;
+ }
+ if (handled)
+ {
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+} */
+
+/**
+ * dispatcher function processed by a seperate thread
+ */
+static void dispatch(private_dbus_interface_t *this)
+{
+ charon->drop_capabilities(charon, TRUE);
+
+ while (dbus_connection_read_write_dispatch(this->conn, -1))
+ {
+ /* nothing */
+ }
+}
+
+/**
+ * Implementation of interface_t.destroy.
+ */
+static void destroy(private_dbus_interface_t *this)
+{
+ pthread_cancel(this->thread);
+ pthread_join(this->thread, NULL);
+ dbus_connection_close(this->conn);
+ dbus_error_free(&this->err);
+ dbus_shutdown();
+ free(this->name);
+ free(this);
+}
+
+/*
+ * Described in header file
+ */
+interface_t *interface_create()
+{
+ int ret;
+ DBusObjectPathVTable v = {NULL, (void*)&message_handler, NULL, NULL, NULL, NULL};
+ private_dbus_interface_t *this = malloc_thing(private_dbus_interface_t);
+
+ this->public.interface.destroy = (void (*)(interface_t*))destroy;
+
+ dbus_error_init(&this->err);
+ this->conn = dbus_bus_get(DBUS_BUS_SYSTEM, &this->err);
+ if (dbus_error_is_set(&this->err))
+ {
+ DBG1(DBG_CFG, "unable to open DBUS connection: %s", this->err.message);
+ charon->kill(charon, "DBUS initialization failed");
+ }
+ dbus_connection_set_exit_on_disconnect(this->conn, FALSE);
+
+ ret = dbus_bus_request_name(this->conn, NM_DBUS_SERVICE_STRONG,
+ DBUS_NAME_FLAG_REPLACE_EXISTING , &this->err);
+ if (dbus_error_is_set(&this->err))
+ {
+ DBG1(DBG_CFG, "unable to set DBUS name: %s", this->err.message);
+ charon->kill(charon, "unable to set DBUS name");
+ }
+ if (ret != DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER)
+ {
+ charon->kill(charon, "DBUS name already owned");
+ }
+ if (!dbus_connection_register_object_path(this->conn, NM_DBUS_PATH_STRONG, &v, this))
+ {
+ charon->kill(charon, "unable to register DBUS message handler");
+ }
+ /*
+ if (!dbus_connection_add_filter(this->conn, (void*)signal_handler, this, NULL))
+ {
+ charon->kill(charon, "unable to register DBUS signal handler");
+ }
+
+ dbus_bus_add_match(this->conn, "type='signal', "
+ "interface='" NM_DBUS_INTERFACE_VPN "',"
+ "path='" NM_DBUS_PATH_VPN "'", &this->err);
+ if (dbus_error_is_set (&this->err))
+ {
+ charon->kill(charon, "unable to add DBUS signal match");
+ }*/
+
+ this->name = NULL;
+ this->state = NM_VPN_STATE_INIT;
+ set_state(this, NM_VPN_STATE_STOPPED);
+
+ if (pthread_create(&this->thread, NULL, (void*(*)(void*))dispatch, this) != 0)
+ {
+ charon->kill(charon, "unable to create stroke thread");
+ }
+
+ return &this->public.interface;
+}
+
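Review bot: message_handler dispatches startConnection and stopConnection for any sender: neither start_connection nor stop_connection looks at `dbus_message_get_sender(msg)`, and this diff ships no D-Bus busconfig policy for "org.freedesktop.NetworkManager.strongswan", so whichever bus clients the system bus default policy lets reach this name can bring the VPN up or tear it down. The handler should either verify that the sender owns NetworkManager's bus name before acting, or the commit should add the policy file that limits send_destination for this service, and a comment at message_handler should say which of the two is relied on. Two smaller issues in the same hunk: the `passwords` array parsed in start_connection is neither used nor cleared before the message is released, and get_state never calls `dbus_message_unref(reply)` (including on the early-return path), so every getState call leaks a message. interface_create continues after `charon->kill(charon, ...)` when dbus_bus_get fails and then dereferences `this->conn`; if kill() does not return that is fine but deserves a comment, otherwise an explicit return is needed.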
diff --git a/src/charon/control/interfaces/dbus_interface.h b/src/charon/control/interfaces/dbus_interface.h
new file mode 100644
index 000000000..0ce57bbbc
--- /dev/null
+++ b/src/charon/control/interfaces/dbus_interface.h
@@ -0,0 +1,57 @@
+/**
+ * @file dbus_interface.h
+ *
+ * @brief Interface of dbus_interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DBUS_INTERFACE_H_
+#define DBUS_INTERFACE_H_
+
+typedef struct dbus_interface_t dbus_interface_t;
+
+#include <control/interfaces/interface.h>
+
+/**
+ * @brief The DBUS interface uses the DBUS system bus to communicate.
+ *
+ * @b Constructors:
+ * - dbus_interface_create()
+ *
+ * @ingroup interfaces
+ */
+struct dbus_interface_t {
+
+ /**
+ * implements interface_t.
+ */
+ interface_t interface;
+};
+
+
+/**
+ * @brief Create the DBUS interface.
+ *
+ * @return stroke_t object
+ *
+ * @ingroup interfaces
+ */
+interface_t *interface_create();
+
+#endif /* DBUS_INTERFACE_H_ */
+
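Review bot: The prototype `interface_t *interface_create();` uses an empty parameter list, which in C declares a function with unspecified arguments rather than the `interface_t*(*)(void)` shape that interface_constructor_t in interface.h expects the module symbol to have; it should read `interface_t *interface_create(void);` to match the definition in dbus_interface.c and the typedef it is loaded through. The Doxygen `@return stroke_t object` on the same function is a leftover from the stroke module and should say `@return interface_t object`.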
diff --git a/src/charon/control/interfaces/interface.h b/src/charon/control/interfaces/interface.h
new file mode 100644
index 000000000..955f4a4eb
--- /dev/null
+++ b/src/charon/control/interfaces/interface.h
@@ -0,0 +1,59 @@
+/**
+ * @file interface.h
+ *
+ * @brief Interface of interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef INTERFACE_H_
+#define INTERFACE_H_
+
+typedef struct interface_t interface_t;
+
+/**
+ * @brief Interface for a controller.
+ *
+ * An interface controls the daemon by calling functions on the
+ * interface_manager. All interfaces are manager by the interface_manager
+ * in a generic way, so they need their own class.
+ *
+ * @b Constructors:
+ * - interface_create() of one of the modules
+ *
+ * @ingroup interfaces
+ */
+struct interface_t {
+
+ /**
+ * @brief Destroy all interfaces
+ *
+ * @param this stroke_t objec to destroy
+ */
+ void (*destroy) (interface_t *this);
+};
+
+
+/**
+ * Constructor in a control interface module to create the interface.
+ *
+ * @ingroup interfaces
+ */
+typedef interface_t*(*interface_constructor_t)(void);
+
+#endif /* INTERFACE_H_ */
+
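Review bot: The documentation of interface_t.destroy is copied from the stroke module and does not describe this method: `@brief Destroy all interfaces` and `@param this stroke_t objec to destroy` should read `@brief Destroy this interface_t instance.` and `@param this interface_t object to destroy`, since the manager invokes destroy once per loaded interface (via destroy_offset in interface_manager.c). The class comment also has `All interfaces are manager by the interface_manager`, which should be `managed by`. Since interface_constructor_t is the symbol each module must export, the typedef comment would be more useful if it named that symbol, e.g. `Every control interface module must export interface_create() with this signature.`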
diff --git a/src/charon/control/interfaces/stroke_interface.c b/src/charon/control/interfaces/stroke_interface.c
new file mode 100755
index 000000000..6e3427e8e
--- /dev/null
+++ b/src/charon/control/interfaces/stroke_interface.c
@@ -0,0 +1,1728 @@
+/**
+ * @file stroke_interface.c
+ *
+ * @brief Implementation of stroke_interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/fcntl.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <errno.h>
+#include <pthread.h>
+#include <signal.h>
+
+#include "stroke_interface.h"
+
+#include <library.h>
+#include <stroke.h>
+#include <daemon.h>
+#include <crypto/x509.h>
+#include <crypto/ca.h>
+#include <crypto/crl.h>
+#include <control/interface_manager.h>
+#include <control/interfaces/interface.h>
+#include <utils/leak_detective.h>
+
+#define IKE_PORT 500
+#define PATH_BUF 256
+#define STROKE_THREADS 3
+
+struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
+
+
+typedef struct private_stroke_interface_t private_stroke_interface_t;
+
+/**
+ * Private data of an stroke_interfacet object.
+ */
+struct private_stroke_interface_t {
+
+ /**
+ * Public part of stroke_interfacet object.
+ */
+ stroke_interface_t public;
+
+ /**
+ * Unix socket to listen for strokes
+ */
+ int socket;
+
+ /**
+ * Thread which reads from the Socket
+ */
+ pthread_t threads[STROKE_THREADS];
+};
+
+typedef struct stroke_log_info_t stroke_log_info_t;
+
+/**
+ * helper struct to say what and where to log when using controller callback
+ */
+struct stroke_log_info_t {
+
+ /**
+ * level to log up to
+ */
+ level_t level;
+
+ /**
+ * where to write log
+ */
+ FILE* out;
+};
+
+/**
+ * Helper function which corrects the string pointers
+ * in a stroke_msg_t. Strings in a stroke_msg sent over "wire"
+ * contains RELATIVE addresses (relative to the beginning of the
+ * stroke_msg). They must be corrected if they reach our address
+ * space...
+ */
+static void pop_string(stroke_msg_t *msg, char **string)
+{
+ if (*string == NULL)
+ return;
+
+ /* check for sanity of string pointer and string */
+ if (string < (char**)msg
+ || string > (char**)msg + sizeof(stroke_msg_t)
+ || (unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg)
+ || (unsigned long)*string > msg->length)
+ {
+ *string = "(invalid pointer in stroke msg)";
+ }
+ else
+ {
+ *string = (char*)msg + (unsigned long)*string;
+ }
+}
+
+/**
+ * Load end entitity certificate
+ */
+static x509_t* load_end_certificate(const char *filename, identification_t **idp)
+{
+ char path[PATH_BUF];
+ x509_t *cert;
+
+ if (*filename == '/')
+ {
+ /* absolute path name */
+ snprintf(path, sizeof(path), "%s", filename);
+ }
+ else
+ {
+ /* relative path name */
+ snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
+ }
+
+ cert = x509_create_from_file(path, "end entity");
+
+ if (cert)
+ {
+ identification_t *id = *idp;
+ identification_t *subject = cert->get_subject(cert);
+
+ err_t ugh = cert->is_valid(cert, NULL);
+
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "warning: certificate %s", ugh);
+ }
+ if (!id->equals(id, subject) && !cert->equals_subjectAltName(cert, id))
+ {
+ id->destroy(id);
+ id = subject;
+ *idp = id->clone(id);
+ }
+ return charon->credentials->add_end_certificate(charon->credentials, cert);
+ }
+ return NULL;
+}
+
+/**
+ * Load ca certificate
+ */
+static x509_t* load_ca_certificate(const char *filename)
+{
+ char path[PATH_BUF];
+ x509_t *cert;
+
+ if (*filename == '/')
+ {
+ /* absolute path name */
+ snprintf(path, sizeof(path), "%s", filename);
+ }
+ else
+ {
+ /* relative path name */
+ snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
+ }
+
+ cert = x509_create_from_file(path, "ca");
+
+ if (cert)
+ {
+ if (cert->is_ca(cert))
+ {
+ return charon->credentials->add_auth_certificate(charon->credentials, cert, AUTH_CA);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " CA basic constraints flag not set, cert discarded");
+ cert->destroy(cert);
+ }
+ }
+ return NULL;
+}
+
+/**
+ * Pop the strings of a stroke_end_t struct and log them for debugging purposes
+ */
+static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
+{
+ pop_string(msg, &end->address);
+ pop_string(msg, &end->subnet);
+ pop_string(msg, &end->sourceip);
+ pop_string(msg, &end->id);
+ pop_string(msg, &end->cert);
+ pop_string(msg, &end->ca);
+ pop_string(msg, &end->groups);
+ pop_string(msg, &end->updown);
+
+ DBG2(DBG_CFG, " %s=%s", label, end->address);
+ DBG2(DBG_CFG, " %ssubnet=%s", label, end->subnet);
+ DBG2(DBG_CFG, " %ssourceip=%s", label, end->sourceip);
+ DBG2(DBG_CFG, " %sid=%s", label, end->id);
+ DBG2(DBG_CFG, " %scert=%s", label, end->cert);
+ DBG2(DBG_CFG, " %sca=%s", label, end->ca);
+ DBG2(DBG_CFG, " %sgroups=%s", label, end->groups);
+ DBG2(DBG_CFG, " %supdown=%s", label, end->updown);
+}
+
+/**
+ * Add a connection to the configuration list
+ */
+static void stroke_add_conn(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ ike_cfg_t *ike_cfg;
+ peer_cfg_t *peer_cfg;
+ child_cfg_t *child_cfg;
+ identification_t *my_id, *other_id;
+ identification_t *my_ca = NULL;
+ identification_t *other_ca = NULL;
+ bool my_ca_same = FALSE;
+ bool other_ca_same =FALSE;
+ host_t *my_host, *other_host, *my_subnet, *other_subnet;
+ host_t *my_vip = NULL, *other_vip = NULL;
+ proposal_t *proposal;
+ traffic_selector_t *my_ts, *other_ts;
+ char *interface;
+ bool use_existing = FALSE;
+ iterator_t *iterator;
+
+ pop_string(msg, &msg->add_conn.name);
+ DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name);
+ DBG2(DBG_CFG, "conn %s", msg->add_conn.name);
+ pop_end(msg, "left", &msg->add_conn.me);
+ pop_end(msg, "right", &msg->add_conn.other);
+ pop_string(msg, &msg->add_conn.algorithms.ike);
+ pop_string(msg, &msg->add_conn.algorithms.esp);
+ DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
+ DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
+
+ my_host = msg->add_conn.me.address?
+ host_create_from_string(msg->add_conn.me.address, IKE_PORT) : NULL;
+ if (my_host == NULL)
+ {
+ DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address);
+ return;
+ }
+
+ other_host = msg->add_conn.other.address ?
+ host_create_from_string(msg->add_conn.other.address, IKE_PORT) : NULL;
+ if (other_host == NULL)
+ {
+ DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address);
+ my_host->destroy(my_host);
+ return;
+ }
+
+ interface = charon->kernel_interface->get_interface(charon->kernel_interface,
+ other_host);
+ if (interface)
+ {
+ stroke_end_t tmp_end;
+ host_t *tmp_host;
+
+ DBG2(DBG_CFG, "left is other host, swapping ends\n");
+
+ tmp_host = my_host;
+ my_host = other_host;
+ other_host = tmp_host;
+
+ tmp_end = msg->add_conn.me;
+ msg->add_conn.me = msg->add_conn.other;
+ msg->add_conn.other = tmp_end;
+ free(interface);
+ }
+ if (!interface)
+ {
+ interface = charon->kernel_interface->get_interface(
+ charon->kernel_interface, my_host);
+ if (!interface)
+ {
+ DBG1(DBG_CFG, "left nor right host is our side, aborting\n");
+ goto destroy_hosts;
+ }
+ free(interface);
+ }
+
+ my_id = identification_create_from_string(msg->add_conn.me.id ?
+ msg->add_conn.me.id : msg->add_conn.me.address);
+ if (my_id == NULL)
+ {
+ DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id);
+ goto destroy_hosts;
+ }
+
+ other_id = identification_create_from_string(msg->add_conn.other.id ?
+ msg->add_conn.other.id : msg->add_conn.other.address);
+ if (other_id == NULL)
+ {
+ DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id);
+ my_id->destroy(my_id);
+ goto destroy_hosts;
+ }
+
+ my_subnet = host_create_from_string(msg->add_conn.me.subnet ?
+ msg->add_conn.me.subnet : msg->add_conn.me.address, IKE_PORT);
+ if (my_subnet == NULL)
+ {
+ DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
+ goto destroy_ids;
+ }
+
+ other_subnet = host_create_from_string(msg->add_conn.other.subnet ?
+ msg->add_conn.other.subnet : msg->add_conn.other.address, IKE_PORT);
+ if (other_subnet == NULL)
+ {
+ DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
+ my_subnet->destroy(my_subnet);
+ goto destroy_ids;
+ }
+
+ if (msg->add_conn.me.virtual_ip)
+ {
+ my_vip = host_create_from_string(msg->add_conn.me.sourceip, 0);
+ }
+ if (msg->add_conn.other.virtual_ip)
+ {
+ other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0);
+ }
+
+ if (msg->add_conn.me.tohost)
+ {
+ my_ts = traffic_selector_create_dynamic(msg->add_conn.me.protocol,
+ my_host->get_family(my_host) == AF_INET ?
+ TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE,
+ msg->add_conn.me.port ? msg->add_conn.me.port : 0,
+ msg->add_conn.me.port ? msg->add_conn.me.port : 65535);
+ }
+ else
+ {
+ my_ts = traffic_selector_create_from_subnet(my_subnet,
+ msg->add_conn.me.subnet ? msg->add_conn.me.subnet_mask : 0,
+ msg->add_conn.me.protocol, msg->add_conn.me.port);
+ }
+ my_subnet->destroy(my_subnet);
+
+ if (msg->add_conn.other.tohost)
+ {
+ other_ts = traffic_selector_create_dynamic(msg->add_conn.other.protocol,
+ other_host->get_family(other_host) == AF_INET ?
+ TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE,
+ msg->add_conn.other.port ? msg->add_conn.other.port : 0,
+ msg->add_conn.other.port ? msg->add_conn.other.port : 65535);
+ }
+ else
+ {
+ other_ts = traffic_selector_create_from_subnet(other_subnet,
+ msg->add_conn.other.subnet ? msg->add_conn.other.subnet_mask : 0,
+ msg->add_conn.other.protocol, msg->add_conn.other.port);
+ }
+ other_subnet->destroy(other_subnet);
+
+ if (msg->add_conn.me.ca)
+ {
+ if (streq(msg->add_conn.me.ca, "%same"))
+ {
+ my_ca_same = TRUE;
+ }
+ else
+ {
+ my_ca = identification_create_from_string(msg->add_conn.me.ca);
+ }
+ }
+ if (msg->add_conn.other.ca)
+ {
+ if (streq(msg->add_conn.other.ca, "%same"))
+ {
+ other_ca_same = TRUE;
+ }
+ else
+ {
+ other_ca = identification_create_from_string(msg->add_conn.other.ca);
+ }
+ }
+ if (msg->add_conn.me.cert)
+ {
+ x509_t *cert = load_end_certificate(msg->add_conn.me.cert, &my_id);
+
+ if (cert)
+ {
+ ca_info_t *ca_info;
+
+ if (cert->is_self_signed(cert))
+ {
+ /* a self-signed certificate is its own ca */
+ ca_info = ca_info_create(NULL, cert);
+ ca_info = charon->credentials->add_ca_info(charon->credentials, ca_info);
+ cert->set_ca_info(cert, ca_info);
+ }
+ else
+ {
+ /* get_issuer() automatically sets cert->ca_info */
+ ca_info = charon->credentials->get_issuer(charon->credentials, cert);
+ }
+ if (my_ca == NULL && !my_ca_same)
+ {
+ identification_t *issuer = cert->get_issuer(cert);
+
+ my_ca = issuer->clone(issuer);
+ }
+ }
+ }
+ if (msg->add_conn.other.cert)
+ {
+ x509_t *cert = load_end_certificate(msg->add_conn.other.cert, &other_id);
+
+ if (cert)
+ {
+ ca_info_t *ca_info;
+
+ if (cert->is_self_signed(cert))
+ {
+ /* a self-signed certificate is its own ca */
+ ca_info = ca_info_create(NULL, cert);
+ ca_info = charon->credentials->add_ca_info(charon->credentials, ca_info);
+ cert->set_ca_info(cert, ca_info);
+ }
+ else
+ {
+ /* get_issuer() automatically sets cert->ca_info */
+ ca_info = charon->credentials->get_issuer(charon->credentials, cert);
+ }
+ if (other_ca == NULL && !other_ca_same)
+ {
+ identification_t *issuer = cert->get_issuer(cert);
+
+ other_ca = issuer->clone(issuer);
+ }
+ }
+ }
+ if (other_ca_same && my_ca)
+ {
+ other_ca = my_ca->clone(my_ca);
+ }
+ else if (my_ca_same && other_ca)
+ {
+ my_ca = other_ca->clone(other_ca);
+ }
+ if (my_ca == NULL)
+ {
+ my_ca = identification_create_from_string("%any");
+ }
+ if (other_ca == NULL)
+ {
+ other_ca = identification_create_from_string("%any");
+ }
+ DBG2(DBG_CFG, " my ca: '%D'", my_ca);
+ DBG2(DBG_CFG, " other ca:'%D'", other_ca);
+
+ /* have a look for an (almost) identical peer config to reuse */
+ iterator = charon->backends->create_iterator(charon->backends);
+ while (iterator->iterate(iterator, (void**)&peer_cfg))
+ {
+ ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
+ if (my_id->equals(my_id, peer_cfg->get_my_id(peer_cfg))
+ && other_id->equals(other_id, peer_cfg->get_other_id(peer_cfg))
+ && my_host->equals(my_host, ike_cfg->get_my_host(ike_cfg))
+ && other_host->equals(other_host, ike_cfg->get_other_host(ike_cfg))
+ && other_ca->equals(other_ca, peer_cfg->get_other_ca(peer_cfg))
+ && peer_cfg->get_ike_version(peer_cfg) == (msg->add_conn.ikev2 ? 2 : 1)
+ && peer_cfg->get_auth_method(peer_cfg) == msg->add_conn.auth_method
+ && peer_cfg->get_eap_type(peer_cfg) == msg->add_conn.eap_type)
+ {
+ DBG1(DBG_CFG, "reusing existing configuration '%s'",
+ peer_cfg->get_name(peer_cfg));
+ use_existing = TRUE;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (use_existing)
+ {
+ DESTROY_IF(my_vip);
+ DESTROY_IF(other_vip);
+ my_host->destroy(my_host);
+ my_id->destroy(my_id);
+ my_ca->destroy(my_ca);
+ other_host->destroy(other_host);
+ other_id->destroy(other_id);
+ other_ca->destroy(other_ca);
+ }
+ else
+ {
+ ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
+ my_host, other_host);
+
+ if (msg->add_conn.algorithms.ike)
+ {
+ char *proposal_string;
+ char *strict = msg->add_conn.algorithms.ike + strlen(msg->add_conn.algorithms.ike) - 1;
+
+ if (*strict == '!')
+ *strict = '\0';
+ else
+ strict = NULL;
+
+ while ((proposal_string = strsep(&msg->add_conn.algorithms.ike, ",")))
+ {
+ proposal = proposal_create_from_string(PROTO_IKE, proposal_string);
+ if (proposal == NULL)
+ {
+ DBG1(DBG_CFG, "invalid IKE proposal string: %s", proposal_string);
+ my_id->destroy(my_id);
+ other_id->destroy(other_id);
+ my_ts->destroy(my_ts);
+ other_ts->destroy(other_ts);
+ my_ca->destroy(my_ca);
+ other_ca->destroy(other_ca);
+ ike_cfg->destroy(ike_cfg);
+ return;
+ }
+ ike_cfg->add_proposal(ike_cfg, proposal);
+ }
+ if (!strict)
+ {
+ proposal = proposal_create_default(PROTO_IKE);
+ ike_cfg->add_proposal(ike_cfg, proposal);
+ }
+ }
+ else
+ {
+ proposal = proposal_create_default(PROTO_IKE);
+ ike_cfg->add_proposal(ike_cfg, proposal);
+ }
+
+
+ peer_cfg = peer_cfg_create(msg->add_conn.name, msg->add_conn.ikev2 ? 2 : 1,
+ ike_cfg, my_id, other_id, my_ca, other_ca, msg->add_conn.me.sendcert,
+ msg->add_conn.auth_method, msg->add_conn.eap_type,
+ msg->add_conn.rekey.tries, msg->add_conn.rekey.ike_lifetime,
+ msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin,
+ msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
+ msg->add_conn.rekey.reauth, msg->add_conn.dpd.delay,
+ msg->add_conn.dpd.action,my_vip, other_vip);
+ }
+
+ child_cfg = child_cfg_create(
+ msg->add_conn.name, msg->add_conn.rekey.ipsec_lifetime,
+ msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
+ msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
+ msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
+ msg->add_conn.mode);
+
+ peer_cfg->add_child_cfg(peer_cfg, child_cfg);
+
+ child_cfg->add_traffic_selector(child_cfg, TRUE, my_ts);
+ child_cfg->add_traffic_selector(child_cfg, FALSE, other_ts);
+
+ if (msg->add_conn.algorithms.esp)
+ {
+ char *proposal_string;
+ char *strict = msg->add_conn.algorithms.esp + strlen(msg->add_conn.algorithms.esp) - 1;
+
+ if (*strict == '!')
+ *strict = '\0';
+ else
+ strict = NULL;
+
+ while ((proposal_string = strsep(&msg->add_conn.algorithms.esp, ",")))
+ {
+ proposal = proposal_create_from_string(PROTO_ESP, proposal_string);
+ if (proposal == NULL)
+ {
+ DBG1(DBG_CFG, "invalid ESP proposal string: %s", proposal_string);
+ peer_cfg->destroy(peer_cfg);
+ return;
+ }
+ child_cfg->add_proposal(child_cfg, proposal);
+ }
+ if (!strict)
+ {
+ proposal = proposal_create_default(PROTO_ESP);
+ child_cfg->add_proposal(child_cfg, proposal);
+ }
+ }
+ else
+ {
+ proposal = proposal_create_default(PROTO_ESP);
+ child_cfg->add_proposal(child_cfg, proposal);
+ }
+
+ if (!use_existing)
+ {
+ /* add config to backend */
+ charon->backends->add_peer_cfg(charon->backends, peer_cfg);
+ DBG1(DBG_CFG, "added configuration '%s': %H[%D]...%H[%D]",
+ msg->add_conn.name, my_host, my_id, other_host, other_id);
+ }
+ return;
+
+ /* mopping up after parsing errors */
+
+destroy_ids:
+ my_id->destroy(my_id);
+ other_id->destroy(other_id);
+
+destroy_hosts:
+ my_host->destroy(my_host);
+ other_host->destroy(other_host);
+}
+
+/**
+ * Delete a connection from the list
+ */
+static void stroke_del_conn(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ iterator_t *peer_iter, *child_iter;
+ peer_cfg_t *peer, *child;
+
+ pop_string(msg, &(msg->del_conn.name));
+ DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name);
+
+ peer_iter = charon->backends->create_iterator(charon->backends);
+ while (peer_iter->iterate(peer_iter, (void**)&peer))
+ {
+ /* remove peer config with such a name */
+ if (streq(peer->get_name(peer), msg->del_conn.name))
+ {
+ peer_iter->remove(peer_iter);
+ peer->destroy(peer);
+ continue;
+ }
+ /* remove any child with such a name */
+ child_iter = peer->create_child_cfg_iterator(peer);
+ while (child_iter->iterate(child_iter, (void**)&child))
+ {
+ if (streq(child->get_name(child), msg->del_conn.name))
+ {
+ child_iter->remove(child_iter);
+ child->destroy(child);
+ }
+ }
+ child_iter->destroy(child_iter);
+ }
+ peer_iter->destroy(peer_iter);
+
+ fprintf(out, "deleted connection '%s'\n", msg->del_conn.name);
+}
+
+/**
+ * get the child_cfg with the same name as the peer cfg
+ */
+static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
+{
+ child_cfg_t *current, *found = NULL;
+ iterator_t *iterator;
+
+ iterator = peer_cfg->create_child_cfg_iterator(peer_cfg);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (streq(current->get_name(current), name))
+ {
+ found = current;
+ found->get_ref(found);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * logging to the stroke interface
+ */
+static bool stroke_log(stroke_log_info_t *info, signal_t signal, level_t level,
+ ike_sa_t *ike_sa, char *format, va_list args)
+{
+ if (level <= info->level)
+ {
+ if (vfprintf(info->out, format, args) < 0 ||
+ fprintf(info->out, "\n") < 0 ||
+ fflush(info->out) != 0)
+ {
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * get a peer configuration by its name, or a name of its children
+ */
+static peer_cfg_t *get_peer_cfg_by_name(char *name)
+{
+ iterator_t *i1, *i2;
+ peer_cfg_t *current, *found = NULL;
+ child_cfg_t *child;
+
+ i1 = charon->backends->create_iterator(charon->backends);
+ while (i1->iterate(i1, (void**)&current))
+ {
+ /* compare peer_cfgs name first */
+ if (streq(current->get_name(current), name))
+ {
+ found = current;
+ found->get_ref(found);
+ break;
+ }
+ /* compare all child_cfg names otherwise */
+ i2 = current->create_child_cfg_iterator(current);
+ while (i2->iterate(i2, (void**)&child))
+ {
+ if (streq(child->get_name(child), name))
+ {
+ found = current;
+ found->get_ref(found);
+ break;
+ }
+ }
+ i2->destroy(i2);
+ if (found)
+ {
+ break;
+ }
+ }
+ i1->destroy(i1);
+ return found;
+}
+
+/**
+ * initiate a connection by name
+ */
+static void stroke_initiate(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ peer_cfg_t *peer_cfg;
+ child_cfg_t *child_cfg;
+ stroke_log_info_t info;
+
+ pop_string(msg, &(msg->initiate.name));
+ DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
+
+ peer_cfg = get_peer_cfg_by_name(msg->initiate.name);
+ if (peer_cfg == NULL)
+ {
+ fprintf(out, "no config named '%s'\n", msg->initiate.name);
+ return;
+ }
+ if (peer_cfg->get_ike_version(peer_cfg) != 2)
+ {
+ DBG1(DBG_CFG, "ignoring initiation request for IKEv%d config",
+ peer_cfg->get_ike_version(peer_cfg));
+ peer_cfg->destroy(peer_cfg);
+ return;
+ }
+
+ child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
+ if (child_cfg == NULL)
+ {
+ fprintf(out, "no child config named '%s'\n", msg->initiate.name);
+ peer_cfg->destroy(peer_cfg);
+ return;
+ }
+
+ info.out = out;
+ info.level = msg->output_verbosity;
+
+ charon->interfaces->initiate(charon->interfaces, peer_cfg, child_cfg,
+ (interface_manager_cb_t)stroke_log, &info);
+}
+
+/**
+ * route a policy (install SPD entries)
+ */
+static void stroke_route(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ peer_cfg_t *peer_cfg;
+ child_cfg_t *child_cfg;
+ stroke_log_info_t info;
+
+ pop_string(msg, &(msg->route.name));
+ DBG1(DBG_CFG, "received stroke: route '%s'", msg->route.name);
+
+ peer_cfg = get_peer_cfg_by_name(msg->route.name);
+ if (peer_cfg == NULL)
+ {
+ fprintf(out, "no config named '%s'\n", msg->route.name);
+ return;
+ }
+ if (peer_cfg->get_ike_version(peer_cfg) != 2)
+ {
+ peer_cfg->destroy(peer_cfg);
+ return;
+ }
+
+ child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
+ if (child_cfg == NULL)
+ {
+ fprintf(out, "no child config named '%s'\n", msg->route.name);
+ peer_cfg->destroy(peer_cfg);
+ return;
+ }
+
+ info.out = out;
+ info.level = msg->output_verbosity;
+ charon->interfaces->route(charon->interfaces, peer_cfg, child_cfg,
+ (interface_manager_cb_t)stroke_log, &info);
+ peer_cfg->destroy(peer_cfg);
+ child_cfg->destroy(child_cfg);
+}
+
+/**
+ * unroute a policy
+ */
+static void stroke_unroute(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ char *name;
+ ike_sa_t *ike_sa;
+ iterator_t *iterator;
+ stroke_log_info_t info;
+
+ pop_string(msg, &(msg->terminate.name));
+ name = msg->terminate.name;
+
+ info.out = out;
+ info.level = msg->output_verbosity;
+
+ iterator = charon->interfaces->create_ike_sa_iterator(charon->interfaces);
+ while (iterator->iterate(iterator, (void**)&ike_sa))
+ {
+ child_sa_t *child_sa;
+ iterator_t *children;
+ u_int32_t id;
+
+ children = ike_sa->create_child_sa_iterator(ike_sa);
+ while (children->iterate(children, (void**)&child_sa))
+ {
+ if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
+ streq(name, child_sa->get_name(child_sa)))
+ {
+ id = child_sa->get_reqid(child_sa);
+ children->destroy(children);
+ iterator->destroy(iterator);
+ charon->interfaces->unroute(charon->interfaces, id,
+ (interface_manager_cb_t)stroke_log, &info);
+ return;
+ }
+ }
+ children->destroy(children);
+ }
+ iterator->destroy(iterator);
+ DBG1(DBG_CFG, "no such SA found");
+}
+
+/**
+ * terminate a connection by name
+ */
+static void stroke_terminate(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ char *string, *pos = NULL, *name = NULL;
+ u_int32_t id = 0;
+ bool child;
+ int len;
+ ike_sa_t *ike_sa;
+ iterator_t *iterator;
+ stroke_log_info_t info;
+
+ pop_string(msg, &(msg->terminate.name));
+ string = msg->terminate.name;
+ DBG1(DBG_CFG, "received stroke: terminate '%s'", string);
+
+ len = strlen(string);
+ if (len < 1)
+ {
+ DBG1(DBG_CFG, "error parsing string");
+ return;
+ }
+ switch (string[len-1])
+ {
+ case '}':
+ child = TRUE;
+ pos = strchr(string, '{');
+ break;
+ case ']':
+ child = FALSE;
+ pos = strchr(string, '[');
+ break;
+ default:
+ name = string;
+ child = FALSE;
+ break;
+ }
+
+ if (name)
+ {
+ /* is a single name */
+ }
+ else if (pos == string + len - 2)
+ { /* is name[] or name{} */
+ string[len-2] = '\0';
+ name = string;
+ }
+ else
+ { /* is name[123] or name{23} */
+ string[len-1] = '\0';
+ id = atoi(pos + 1);
+ if (id == 0)
+ {
+ DBG1(DBG_CFG, "error parsing string");
+ return;
+ }
+ }
+
+ info.out = out;
+ info.level = msg->output_verbosity;
+
+ iterator = charon->interfaces->create_ike_sa_iterator(charon->interfaces);
+ while (iterator->iterate(iterator, (void**)&ike_sa))
+ {
+ child_sa_t *child_sa;
+ iterator_t *children;
+
+ if (child)
+ {
+ children = ike_sa->create_child_sa_iterator(ike_sa);
+ while (children->iterate(children, (void**)&child_sa))
+ {
+ if ((name && streq(name, child_sa->get_name(child_sa))) ||
+ (id && id == child_sa->get_reqid(child_sa)))
+ {
+ id = child_sa->get_reqid(child_sa);
+ children->destroy(children);
+ iterator->destroy(iterator);
+
+ charon->interfaces->terminate_child(charon->interfaces, id,
+ (interface_manager_cb_t)stroke_log, &info);
+ return;
+ }
+ }
+ children->destroy(children);
+ }
+ else if ((name && streq(name, ike_sa->get_name(ike_sa))) ||
+ (id && id == ike_sa->get_unique_id(ike_sa)))
+ {
+ id = ike_sa->get_unique_id(ike_sa);
+ /* unlock manager first */
+ iterator->destroy(iterator);
+
+ charon->interfaces->terminate_ike(charon->interfaces, id,
+ (interface_manager_cb_t)stroke_log, &info);
+ return;
+ }
+
+ }
+ iterator->destroy(iterator);
+ DBG1(DBG_CFG, "no such SA found");
+}
+
+/**
+ * Add a ca information record to the cainfo list
+ */
+static void stroke_add_ca(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ x509_t *cacert;
+ ca_info_t *ca_info;
+
+ pop_string(msg, &msg->add_ca.name);
+ pop_string(msg, &msg->add_ca.cacert);
+ pop_string(msg, &msg->add_ca.crluri);
+ pop_string(msg, &msg->add_ca.crluri2);
+ pop_string(msg, &msg->add_ca.ocspuri);
+ pop_string(msg, &msg->add_ca.ocspuri2);
+
+ DBG1(DBG_CFG, "received stroke: add ca '%s'", msg->add_ca.name);
+
+ DBG2(DBG_CFG, "ca %s", msg->add_ca.name);
+ DBG2(DBG_CFG, " cacert=%s", msg->add_ca.cacert);
+ DBG2(DBG_CFG, " crluri=%s", msg->add_ca.crluri);
+ DBG2(DBG_CFG, " crluri2=%s", msg->add_ca.crluri2);
+ DBG2(DBG_CFG, " ocspuri=%s", msg->add_ca.ocspuri);
+ DBG2(DBG_CFG, " ocspuri2=%s", msg->add_ca.ocspuri2);
+
+ if (msg->add_ca.cacert == NULL)
+ {
+ DBG1(DBG_CFG, "missing cacert parameter\n");
+ return;
+ }
+
+ cacert = load_ca_certificate(msg->add_ca.cacert);
+
+ if (cacert == NULL)
+ {
+ return;
+ }
+ ca_info = ca_info_create(msg->add_ca.name, cacert);
+
+ if (msg->add_ca.crluri)
+ {
+ chunk_t uri = { msg->add_ca.crluri, strlen(msg->add_ca.crluri) };
+
+ ca_info->add_crluri(ca_info, uri);
+ }
+ if (msg->add_ca.crluri2)
+ {
+ chunk_t uri = { msg->add_ca.crluri2, strlen(msg->add_ca.crluri2) };
+
+ ca_info->add_crluri(ca_info, uri);
+ }
+ if (msg->add_ca.ocspuri)
+ {
+ chunk_t uri = { msg->add_ca.ocspuri, strlen(msg->add_ca.ocspuri) };
+
+ ca_info->add_ocspuri(ca_info, uri);
+ }
+ if (msg->add_ca.ocspuri2)
+ {
+ chunk_t uri = { msg->add_ca.ocspuri2, strlen(msg->add_ca.ocspuri2) };
+
+ ca_info->add_ocspuri(ca_info, uri);
+ }
+ charon->credentials->add_ca_info(charon->credentials, ca_info);
+ DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name);
+
+}
+
+/**
+ * Delete a ca information record from the cainfo list
+ */
+static void stroke_del_ca(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ status_t status;
+
+ pop_string(msg, &(msg->del_ca.name));
+ DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name);
+
+ status = charon->credentials->release_ca_info(charon->credentials,
+ msg->del_ca.name);
+
+ if (status == SUCCESS)
+ {
+ fprintf(out, "deleted ca '%s'\n", msg->del_ca.name);
+ }
+ else
+ {
+ fprintf(out, "no ca named '%s'\n", msg->del_ca.name);
+ }
+}
+
+/**
+ * log an IKE_SA to out
+ */
+static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
+{
+ peer_cfg_t *cfg = ike_sa->get_peer_cfg(ike_sa);
+ ike_sa_id_t *id = ike_sa->get_id(ike_sa);
+ u_int32_t next, now = time(NULL);
+
+ fprintf(out, "%12s[%d]: %N, %H[%D]...%H[%D]\n",
+ ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+ ike_sa_state_names, ike_sa->get_state(ike_sa),
+ ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
+ ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
+
+ if (all)
+ {
+ fprintf(out, "%12s[%d]: IKE SPIs: 0x%0llx_i%s 0x%0llx_r%s, ",
+ ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+ id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
+ id->get_responder_spi(id), id->is_initiator(id) ? "" : "");
+
+ ike_sa->get_stats(ike_sa, &next);
+ if (next)
+ {
+ fprintf(out, "%s in %V\n", cfg->use_reauth(cfg) ?
+ "reauthentication" : "rekeying", &now, &next);
+ }
+ else
+ {
+ fprintf(out, "rekeying disabled\n");
+ }
+ }
+}
+
+/**
+ * log an CHILD_SA to out
+ */
+static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
+{
+ u_int32_t rekey, now = time(NULL);
+ u_int32_t use_in, use_out, use_fwd;
+ encryption_algorithm_t encr_alg;
+ integrity_algorithm_t int_alg;
+ size_t encr_len, int_len;
+ mode_t mode;
+
+ child_sa->get_stats(child_sa, &mode, &encr_alg, &encr_len,
+ &int_alg, &int_len, &rekey, &use_in, &use_out,
+ &use_fwd);
+
+ fprintf(out, "%12s{%d}: %N, %N",
+ child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+ child_sa_state_names, child_sa->get_state(child_sa),
+ mode_names, mode);
+
+ if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
+ {
+ fprintf(out, ", %N SPIs: 0x%0x_i 0x%0x_o",
+ protocol_id_names, child_sa->get_protocol(child_sa),
+ htonl(child_sa->get_spi(child_sa, TRUE)),
+ htonl(child_sa->get_spi(child_sa, FALSE)));
+
+ if (all)
+ {
+ fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa),
+ child_sa->get_reqid(child_sa));
+
+
+ if (child_sa->get_protocol(child_sa) == PROTO_ESP)
+ {
+ fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+
+ if (encr_len)
+ {
+ fprintf(out, "-%d", encr_len);
+ }
+ fprintf(out, "/");
+ }
+
+ fprintf(out, "%N", integrity_algorithm_names, int_alg);
+ if (int_len)
+ {
+ fprintf(out, "-%d", int_len);
+ }
+ fprintf(out, ", rekeying ");
+
+ if (rekey)
+ {
+ fprintf(out, "in %V", &now, &rekey);
+ }
+ else
+ {
+ fprintf(out, "disabled");
+ }
+
+ fprintf(out, ", last use: ");
+ use_in = max(use_in, use_fwd);
+ if (use_in)
+ {
+ fprintf(out, "%ds_i ", now - use_in);
+ }
+ else
+ {
+ fprintf(out, "no_i ");
+ }
+ if (use_out)
+ {
+ fprintf(out, "%ds_o ", now - use_out);
+ }
+ else
+ {
+ fprintf(out, "no_o ");
+ }
+ }
+ }
+
+ fprintf(out, "\n%12s{%d}: %#R=== %#R\n",
+ child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+ child_sa->get_traffic_selectors(child_sa, TRUE),
+ child_sa->get_traffic_selectors(child_sa, FALSE));
+}
+
+/**
+ * show status of daemon
+ */
+static void stroke_status(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out, bool all)
+{
+ iterator_t *iterator, *children;
+ linked_list_t *list;
+ host_t *host;
+ peer_cfg_t *peer_cfg;
+ ike_cfg_t *ike_cfg;
+ child_cfg_t *child_cfg;
+ ike_sa_t *ike_sa;
+ char *name = NULL;
+
+ if (msg->status.name)
+ {
+ pop_string(msg, &(msg->status.name));
+ name = msg->status.name;
+ }
+
+ if (all)
+ {
+ leak_detective_status(out);
+
+ fprintf(out, "Performance:\n");
+ fprintf(out, " worker threads: %d idle of %d,",
+ charon->thread_pool->get_idle_threads(charon->thread_pool),
+ charon->thread_pool->get_pool_size(charon->thread_pool));
+ fprintf(out, " job queue load: %d,",
+ charon->job_queue->get_count(charon->job_queue));
+ fprintf(out, " scheduled events: %d\n",
+ charon->event_queue->get_count(charon->event_queue));
+ list = charon->kernel_interface->create_address_list(charon->kernel_interface);
+
+ fprintf(out, "Listening on %d IP addresses:\n", list->get_count(list));
+ while (list->remove_first(list, (void**)&host) == SUCCESS)
+ {
+ fprintf(out, " %H\n", host);
+ host->destroy(host);
+ }
+ list->destroy(list);
+
+ fprintf(out, "Connections:\n");
+ iterator = charon->backends->create_iterator(charon->backends);
+ while (iterator->iterate(iterator, (void**)&peer_cfg))
+ {
+ if (peer_cfg->get_ike_version(peer_cfg) != 2 ||
+ (name && !streq(name, peer_cfg->get_name(peer_cfg))))
+ {
+ continue;
+ }
+
+ ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
+ fprintf(out, "%12s: %H[%D]...%H[%D]\n", peer_cfg->get_name(peer_cfg),
+ ike_cfg->get_my_host(ike_cfg), peer_cfg->get_my_id(peer_cfg),
+ ike_cfg->get_other_host(ike_cfg), peer_cfg->get_other_id(peer_cfg));
+ {
+ identification_t *my_ca = peer_cfg->get_my_ca(peer_cfg);
+ identification_t *other_ca = peer_cfg->get_other_ca(peer_cfg);
+
+ if (my_ca->get_type(my_ca) != ID_ANY
+ || other_ca->get_type(other_ca) != ID_ANY)
+ {
+ fprintf(out, "%12s: CAs: '%D'...'%D'\n", peer_cfg->get_name(peer_cfg),
+ my_ca, other_ca);
+ }
+ }
+ children = peer_cfg->create_child_cfg_iterator(peer_cfg);
+ while (children->iterate(children, (void**)&child_cfg))
+ {
+ linked_list_t *my_ts, *other_ts;
+ my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
+ other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
+ fprintf(out, "%12s: %#R=== %#R\n", child_cfg->get_name(child_cfg),
+ my_ts, other_ts);
+ my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+ other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+ }
+ children->destroy(children);
+ }
+ iterator->destroy(iterator);
+ }
+
+ iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
+ if (all && iterator->get_count(iterator) > 0)
+ {
+ fprintf(out, "Security Associations:\n");
+ }
+ while (iterator->iterate(iterator, (void**)&ike_sa))
+ {
+ bool ike_printed = FALSE;
+ child_sa_t *child_sa;
+ iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
+
+ if (name == NULL || streq(name, ike_sa->get_name(ike_sa)))
+ {
+ log_ike_sa(out, ike_sa, all);
+ ike_printed = TRUE;
+ }
+
+ while (children->iterate(children, (void**)&child_sa))
+ {
+ if (name == NULL || streq(name, child_sa->get_name(child_sa)))
+ {
+ if (!ike_printed)
+ {
+ log_ike_sa(out, ike_sa, all);
+ ike_printed = TRUE;
+ }
+ log_child_sa(out, child_sa, all);
+ }
+ }
+ children->destroy(children);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * list all authority certificates matching a specified flag
+ */
+static void list_auth_certificates(private_stroke_interface_t *this, u_int flag,
+ const char *label, bool utc, FILE *out)
+{
+ bool first = TRUE;
+ x509_t *cert;
+
+ iterator_t *iterator = charon->credentials->create_auth_cert_iterator(charon->credentials);
+
+ while (iterator->iterate(iterator, (void**)&cert))
+ {
+ if (cert->has_authority_flag(cert, flag))
+ {
+ if (first)
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of X.509 %s Certificates:\n", label);
+ fprintf(out, "\n");
+ first = FALSE;
+ }
+ cert->list(cert, out, utc);
+ fprintf(out, "\n");
+ }
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * list various information
+ */
+static void stroke_list(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ iterator_t *iterator;
+
+ if (msg->list.flags & LIST_CERTS)
+ {
+ x509_t *cert;
+
+ iterator = charon->credentials->create_cert_iterator(charon->credentials);
+ if (iterator->get_count(iterator))
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of X.509 End Entity Certificates:\n");
+ fprintf(out, "\n");
+ }
+ while (iterator->iterate(iterator, (void**)&cert))
+ {
+ cert->list(cert, out, msg->list.utc);
+ if (charon->credentials->has_rsa_private_key(
+ charon->credentials, cert->get_public_key(cert)))
+ {
+ fprintf(out, ", has private key");
+ }
+ fprintf(out, "\n");
+
+ }
+ iterator->destroy(iterator);
+ }
+ if (msg->list.flags & LIST_CACERTS)
+ {
+ list_auth_certificates(this, AUTH_CA, "CA", msg->list.utc, out);
+ }
+ if (msg->list.flags & LIST_OCSPCERTS)
+ {
+ list_auth_certificates(this, AUTH_OCSP, "OCSP", msg->list.utc, out);
+ }
+ if (msg->list.flags & LIST_AACERTS)
+ {
+ list_auth_certificates(this, AUTH_AA, "AA", msg->list.utc, out);
+ }
+ if (msg->list.flags & LIST_CAINFOS)
+ {
+ ca_info_t *ca_info;
+ bool first = TRUE;
+
+ iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
+ while (iterator->iterate(iterator, (void**)&ca_info))
+ {
+ if (ca_info->is_ca(ca_info))
+ {
+ if (first)
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of X.509 CA Information Records:\n");
+ fprintf(out, "\n");
+ first = FALSE;
+ }
+ ca_info->list(ca_info, out, msg->list.utc);
+ }
+ }
+ iterator->destroy(iterator);
+ }
+ if (msg->list.flags & LIST_CRLS)
+ {
+ ca_info_t *ca_info;
+ bool first = TRUE;
+
+ iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
+ while (iterator->iterate(iterator, (void **)&ca_info))
+ {
+ if (ca_info->is_ca(ca_info) && ca_info->has_crl(ca_info))
+ {
+ if (first)
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of X.509 CRLs:\n");
+ fprintf(out, "\n");
+ first = FALSE;
+ }
+ ca_info->list_crl(ca_info, out, msg->list.utc);
+ }
+ }
+ iterator->destroy(iterator);
+ }
+ if (msg->list.flags & LIST_OCSP)
+ {
+ ca_info_t *ca_info;
+ bool first = TRUE;
+
+ iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
+ while (iterator->iterate(iterator, (void **)&ca_info))
+ {
+ if (ca_info->is_ca(ca_info) && ca_info->has_certinfos(ca_info))
+ {
+ if (first)
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of OCSP responses:\n");
+ first = FALSE;
+ }
+ fprintf(out, "\n");
+ ca_info->list_certinfos(ca_info, out, msg->list.utc);
+ }
+ }
+ iterator->destroy(iterator);
+ }
+}
+
+/**
+ * reread various information
+ */
+static void stroke_reread(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ if (msg->reread.flags & REREAD_CACERTS)
+ {
+ charon->credentials->load_ca_certificates(charon->credentials);
+ }
+ if (msg->reread.flags & REREAD_OCSPCERTS)
+ {
+ charon->credentials->load_ocsp_certificates(charon->credentials);
+ }
+ if (msg->reread.flags & REREAD_CRLS)
+ {
+ charon->credentials->load_crls(charon->credentials);
+ }
+}
+
+/**
+ * purge various information
+ */
+static void stroke_purge(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ if (msg->purge.flags & PURGE_OCSP)
+ {
+ iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
+ ca_info_t *ca_info;
+
+ while (iterator->iterate(iterator, (void**)&ca_info))
+ {
+ if (ca_info->is_ca(ca_info))
+ {
+ ca_info->purge_ocsp(ca_info);
+ }
+ }
+ iterator->destroy(iterator);
+ }
+}
+
+signal_t get_signal_from_logtype(char *type)
+{
+ if (strcasecmp(type, "any") == 0) return SIG_ANY;
+ else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
+ else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
+ else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
+ else if (strcasecmp(type, "job") == 0) return DBG_JOB;
+ else if (strcasecmp(type, "cfg") == 0) return DBG_CFG;
+ else if (strcasecmp(type, "knl") == 0) return DBG_KNL;
+ else if (strcasecmp(type, "net") == 0) return DBG_NET;
+ else if (strcasecmp(type, "enc") == 0) return DBG_ENC;
+ else if (strcasecmp(type, "lib") == 0) return DBG_LIB;
+ else return -1;
+}
+
+/**
+ * set the verbosity debug output
+ */
+static void stroke_loglevel(private_stroke_interface_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ signal_t signal;
+
+ pop_string(msg, &(msg->loglevel.type));
+ DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
+ msg->loglevel.level, msg->loglevel.type);
+
+ signal = get_signal_from_logtype(msg->loglevel.type);
+ if (signal < 0)
+ {
+ fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
+ return;
+ }
+
+ charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level);
+ charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
+}
+
+/**
+ * process a stroke request from the socket pointed by "fd"
+ */
+static void stroke_process(private_stroke_interface_t *this, int strokefd)
+{
+ stroke_msg_t *msg;
+ u_int16_t msg_length;
+ ssize_t bytes_read;
+ FILE *out;
+
+ /* peek the length */
+ bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
+ if (bytes_read != sizeof(msg_length))
+ {
+ DBG1(DBG_CFG, "reading length of stroke message failed");
+ close(strokefd);
+ return;
+ }
+
+ /* read message */
+ msg = malloc(msg_length);
+ bytes_read = recv(strokefd, msg, msg_length, 0);
+ if (bytes_read != msg_length)
+ {
+ DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
+ close(strokefd);
+ return;
+ }
+
+ out = fdopen(dup(strokefd), "w");
+ if (out == NULL)
+ {
+ DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno));
+ close(strokefd);
+ free(msg);
+ return;
+ }
+
+ DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
+
+ switch (msg->type)
+ {
+ case STR_INITIATE:
+ stroke_initiate(this, msg, out);
+ break;
+ case STR_ROUTE:
+ stroke_route(this, msg, out);
+ break;
+ case STR_UNROUTE:
+ stroke_unroute(this, msg, out);
+ break;
+ case STR_TERMINATE:
+ stroke_terminate(this, msg, out);
+ break;
+ case STR_STATUS:
+ stroke_status(this, msg, out, FALSE);
+ break;
+ case STR_STATUS_ALL:
+ stroke_status(this, msg, out, TRUE);
+ break;
+ case STR_ADD_CONN:
+ stroke_add_conn(this, msg, out);
+ break;
+ case STR_DEL_CONN:
+ stroke_del_conn(this, msg, out);
+ break;
+ case STR_ADD_CA:
+ stroke_add_ca(this, msg, out);
+ break;
+ case STR_DEL_CA:
+ stroke_del_ca(this, msg, out);
+ break;
+ case STR_LOGLEVEL:
+ stroke_loglevel(this, msg, out);
+ break;
+ case STR_LIST:
+ stroke_list(this, msg, out);
+ break;
+ case STR_REREAD:
+ stroke_reread(this, msg, out);
+ break;
+ case STR_PURGE:
+ stroke_purge(this, msg, out);
+ break;
+ default:
+ DBG1(DBG_CFG, "received unknown stroke");
+ }
+ fclose(out);
+ close(strokefd);
+ free(msg);
+}
+
+/**
+ * Implementation of private_stroke_interface_t.stroke_receive.
+ */
+static void stroke_receive(private_stroke_interface_t *this)
+{
+ struct sockaddr_un strokeaddr;
+ int strokeaddrlen = sizeof(strokeaddr);
+ int oldstate;
+ int strokefd;
+
+ charon->drop_capabilities(charon, TRUE);
+
+ /* ignore sigpipe. writing over the pipe back to the console
+ * only fails if SIGPIPE is ignored. */
+ signal(SIGPIPE, SIG_IGN);
+
+ /* disable cancellation by default */
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+
+ while (TRUE)
+ {
+ /* wait for connections, but allow thread to terminate */
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+ strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
+ pthread_setcancelstate(oldstate, NULL);
+
+ if (strokefd < 0)
+ {
+ DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
+ continue;
+ }
+ stroke_process(this, strokefd);
+ }
+}
+
+/**
+ * Implementation of interface_t.destroy.
+ */
+static void destroy(private_stroke_interface_t *this)
+{
+ int i;
+
+ for (i = 0; i < STROKE_THREADS; i++)
+ {
+ pthread_cancel(this->threads[i]);
+ pthread_join(this->threads[i], NULL);
+ }
+
+ close(this->socket);
+ unlink(socket_addr.sun_path);
+ free(this);
+}
+
+/*
+ * Described in header-file
+ */
+interface_t *interface_create()
+{
+ private_stroke_interface_t *this = malloc_thing(private_stroke_interface_t);
+ mode_t old;
+ int i;
+
+ /* public functions */
+ this->public.interface.destroy = (void (*)(interface_t*))destroy;
+
+ /* set up unix socket */
+ this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (this->socket == -1)
+ {
+ DBG1(DBG_CFG, "could not create stroke socket");
+ free(this);
+ return NULL;
+ }
+
+ old = umask(~S_IRWXU);
+ if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
+ {
+ DBG1(DBG_CFG, "could not bind stroke socket: %s", strerror(errno));
+ close(this->socket);
+ free(this);
+ return NULL;
+ }
+ umask(old);
+
+ if (listen(this->socket, 0) < 0)
+ {
+ DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno));
+ close(this->socket);
+ unlink(socket_addr.sun_path);
+ free(this);
+ return NULL;
+ }
+
+ /* start threads reading from the socket */
+ for (i = 0; i < STROKE_THREADS; i++)
+ {
+ if (pthread_create(&this->threads[i], NULL, (void*(*)(void*))stroke_receive, this) != 0)
+ {
+ charon->kill(charon, "unable to create stroke thread");
+ }
+ }
+
+ return &this->public.interface;
+}
diff --git a/src/charon/threads/stroke_interface.h b/src/charon/control/interfaces/stroke_interface.h
index 0def5167e..f1b68023a 100644
--- a/src/charon/threads/stroke_interface.h
+++ b/src/charon/control/interfaces/stroke_interface.h
@@ -1,5 +1,5 @@
/**
- * @file stroke.h
+ * @file stroke_interface.h
*
* @brief Interface of stroke_t.
*
@@ -23,39 +23,38 @@
#ifndef STROKE_INTERFACE_H_
#define STROKE_INTERFACE_H_
-typedef struct stroke_t stroke_t;
+typedef struct stroke_interface_t stroke_interface_t;
+
+#include <control/interfaces/interface.h>
/**
- * @brief Stroke is a configuration and control interface which
- * allows other processes to modify charons behavior.
+ * @brief Simple configuration interface using unix-sockets.
*
- * stroke_t allows config manipulation (as whack in pluto).
- * Messages of type stroke_msg_t's are sent over a unix socket
- * (/var/run/charon.ctl).
+ * Stroke is a home-brewed communication interface inspired by whack. It
+ * uses a unix socket (/var/run/charon.ctl).
*
* @b Constructors:
* - stroke_create()
*
- * @ingroup threads
+ * @ingroup interfaces
*/
-struct stroke_t {
+struct stroke_interface_t {
/**
- * @brief Destroy a stroke_t instance.
- *
- * @param this stroke_t objec to destroy
+ * implements interface_t.
*/
- void (*destroy) (stroke_t *this);
+ interface_t interface;
};
/**
* @brief Create the stroke interface and listen on the socket.
*
- * @return stroke_t object
+ * @return interface_t for the stroke interface
*
- * @ingroup threads
+ * @ingroup interfaces
*/
-stroke_t *stroke_create(void);
+interface_t *interface_create(void);
#endif /* STROKE_INTERFACE_H_ */
+
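Review bot: The constructor list in the struct comment still says `- stroke_create()` while the declaration at the end of the hunk is `interface_t *interface_create(void);`; update the comment to `- interface_create()`. The `@brief` and `@return` lines were adjusted for the new type, so this looks like an oversight rather than intent.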
diff --git a/src/charon/control/interfaces/xml_interface.c b/src/charon/control/interfaces/xml_interface.c
new file mode 100644
index 000000000..e570f2543
--- /dev/null
+++ b/src/charon/control/interfaces/xml_interface.c
@@ -0,0 +1,63 @@
+/**
+ * @file xml_interface.c
+ *
+ * @brief Implementation of xml_interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "xml_interface.h"
+
+#include <library.h>
+#include <daemon.h>
+
+
+typedef struct private_xml_interface_t private_xml_interface_t;
+
+/**
+ * Private data of an xml_interface_t object.
+ */
+struct private_xml_interface_t {
+
+ /**
+ * Public part of xml_t object.
+ */
+ xml_interface_t public;
+};
+
+
+/**
+ * Implementation of itnerface_t.destroy.
+ */
+static void destroy(private_xml_interface_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header file
+ */
+interface_t *interface_create()
+{
+ private_xml_interface_t *this = malloc_thing(private_xml_interface_t);
+
+ this->public.interface.destroy = (void (*)(xml_interface_t*))destroy;
+
+ return &this->public.interface;
+}
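Review bot: The destroy assignment casts to `(void (*)(xml_interface_t*))` but the target field is `interface.destroy`, whose callers hand it an `interface_t*` (the stroke_interface.c counterpart in this diff casts to `(void (*)(interface_t*))`); use `this->public.interface.destroy = (void (*)(interface_t*))destroy;` for consistency. The comment above destroy has a typo: `Implementation of itnerface_t.destroy.` should read `Implementation of interface_t.destroy.`. Both xml_interface.c and stroke_interface.c export a function named `interface_create`, which only links if each file is built as a separately loaded module; a short comment stating that would spare the next reader the question.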
diff --git a/src/charon/control/interfaces/xml_interface.h b/src/charon/control/interfaces/xml_interface.h
new file mode 100644
index 000000000..6d88c3842
--- /dev/null
+++ b/src/charon/control/interfaces/xml_interface.h
@@ -0,0 +1,57 @@
+/**
+ * @file xml_interface.h
+ *
+ * @brief Interface of xml_interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef XML_INTERFACE_H_
+#define XML_INTERFACE_H_
+
+typedef struct xml_interface_t xml_interface_t;
+
+#include <control/interfaces/interface.h>
+
+/**
+ * @brief The XML interface uses a socket to communicate using XML.
+ *
+ * @b Constructors:
+ * - xml_interface_create()
+ *
+ * @ingroup interfaces
+ */
+struct xml_interface_t {
+
+ /**
+ * implements interface_t.
+ */
+ interface_t interface;
+};
+
+
+/**
+ * @brief Create the XML interface.
+ *
+ * @return stroke_t object
+ *
+ * @ingroup interfaces
+ */
+interface_t *interface_create(void);
+
+#endif /* XML_INTERFACE_H_ */
+
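Review bot: `@return stroke_t object` is a copy-paste leftover; the function returns `interface_t *`, so the line should read `@return interface_t for the XML interface`. The constructor list names `xml_interface_create()`, but the declared constructor is `interface_create()`, so that entry should be `- interface_create()` as well.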
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 7671aea86..62e29b365 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -23,6 +23,8 @@
*/
#include <stdio.h>
+#include <linux/capability.h>
+#include <sys/prctl.h>
#include <signal.h>
#include <pthread.h>
#include <sys/stat.h>
@@ -42,10 +44,13 @@
#include <crypto/ca.h>
#include <utils/fetcher.h>
#include <config/credentials/local_credential_store.h>
-#include <config/connections/local_connection_store.h>
-#include <config/policies/local_policy_store.h>
+#include <config/backends/local_backend.h>
#include <sa/authenticators/eap/eap_method.h>
+/* on some distros, a capset definition is missing */
+#ifdef NO_CAPSET_DEFINED
+extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
+#endif /* NO_CAPSET_DEFINED */
typedef struct private_daemon_t private_daemon_t;
@@ -165,7 +170,7 @@ static void destroy(private_daemon_t *this)
/* we don't want to receive anything anymore... */
DESTROY_IF(this->public.receiver);
/* ignore all incoming user requests */
- DESTROY_IF(this->public.stroke);
+ DESTROY_IF(this->public.interfaces);
/* stop scheduing jobs */
DESTROY_IF(this->public.scheduler);
/* stop processing jobs */
@@ -177,11 +182,8 @@ static void destroy(private_daemon_t *this)
/* destroy other infrastructure */
DESTROY_IF(this->public.job_queue);
DESTROY_IF(this->public.event_queue);
- DESTROY_IF(this->public.configuration);
DESTROY_IF(this->public.credentials);
- DESTROY_IF(this->public.connections);
- DESTROY_IF(this->public.policies);
- sched_yield();
+ DESTROY_IF(this->public.backends);
/* we hope the sender could send the outstanding deletes, but
* we shut down here at any cost */
DESTROY_IF(this->public.sender);
@@ -195,6 +197,7 @@ static void destroy(private_daemon_t *this)
free(this);
}
+
/**
* Enforce daemon shutdown, with a given reason to do so.
*/
@@ -219,10 +222,49 @@ static void kill_daemon(private_daemon_t *this, char *reason)
}
/**
+ * drop daemon capabilities
+ */
+static void drop_capabilities(private_daemon_t *this, bool full)
+{
+ struct __user_cap_header_struct hdr;
+ struct __user_cap_data_struct data;
+ /* CAP_NET_ADMIN is needed to use netlink */
+ u_int32_t keep = (1<<CAP_NET_ADMIN);
+
+ if (full)
+ {
+# if IPSEC_GID
+ setgid(IPSEC_GID);
+# endif
+# if IPSEC_UID
+ setuid(IPSEC_UID);
+# endif
+ }
+ else
+ {
+ /* CAP_NET_BIND_SERVICE to bind services below port 1024,
+ * CAP_NET_RAW to create RAW sockets.
+ * CAP_DAC_READ_SEARCH is needed to read ipsec.secrets */
+ keep |= (1<<CAP_NET_BIND_SERVICE);
+ keep |= (1<<CAP_NET_RAW);
+ keep |= (1<<CAP_DAC_READ_SEARCH);
+ }
+
+ hdr.version = _LINUX_CAPABILITY_VERSION;
+ hdr.pid = 0;
+ data.effective = data.permitted = keep;
+ data.inheritable = 0;
+
+ if (capset(&hdr, &data))
+ {
+ kill_daemon(this, "unable to drop threads capabilities");
+ }
+}
+
+/**
* Initialize the daemon, optional with a strict crl policy
*/
-static void initialize(private_daemon_t *this, bool strict, bool syslog,
- level_t levels[])
+static void initialize(private_daemon_t *this, bool syslog, level_t levels[])
{
credential_store_t* credentials;
signal_t signal;
@@ -245,12 +287,9 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
/* apply loglevels */
for (signal = 0; signal < DBG_MAX; signal++)
{
- if (syslog)
- {
- this->public.syslog->set_level(this->public.syslog,
- signal, levels[signal]);
- }
- else
+ this->public.syslog->set_level(this->public.syslog,
+ signal, levels[signal]);
+ if (!syslog)
{
this->public.outlog->set_level(this->public.outlog,
signal, levels[signal]);
@@ -259,14 +298,12 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION);
- this->public.configuration = configuration_create();
this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT);
this->public.ike_sa_manager = ike_sa_manager_create();
this->public.job_queue = job_queue_create();
this->public.event_queue = event_queue_create();
- this->public.connections = (connection_store_t*)local_connection_store_create();
- this->public.policies = (policy_store_t*)local_policy_store_create();
- this->public.credentials = (credential_store_t*)local_credential_store_create(strict);
+ this->public.credentials = (credential_store_t*)local_credential_store_create();
+ this->public.backends = backend_manager_create();
/* initialize fetcher_t class */
fetcher_initialize();
@@ -274,12 +311,14 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
/* load secrets, ca certificates and crls */
credentials = this->public.credentials;
credentials->load_ca_certificates(credentials);
+ credentials->load_aa_certificates(credentials);
+ credentials->load_attr_certificates(credentials);
credentials->load_ocsp_certificates(credentials);
credentials->load_crls(credentials);
credentials->load_secrets(credentials);
/* start building threads, we are multi-threaded NOW */
- this->public.stroke = stroke_create();
+ this->public.interfaces = interface_manager_create();
this->public.sender = sender_create();
this->public.receiver = receiver_create();
this->public.scheduler = scheduler_create();
@@ -327,22 +366,21 @@ private_daemon_t *daemon_create(void)
/* assign methods */
this->public.kill = (void (*) (daemon_t*,char*))kill_daemon;
+ this->public.drop_capabilities = (void(*)(daemon_t*,bool))drop_capabilities;
/* NULL members for clean destruction */
this->public.socket = NULL;
this->public.ike_sa_manager = NULL;
this->public.job_queue = NULL;
this->public.event_queue = NULL;
- this->public.configuration = NULL;
this->public.credentials = NULL;
- this->public.connections = NULL;
- this->public.policies = NULL;
+ this->public.backends = NULL;
this->public.sender= NULL;
this->public.receiver = NULL;
this->public.scheduler = NULL;
this->public.kernel_interface = NULL;
this->public.thread_pool = NULL;
- this->public.stroke = NULL;
+ this->public.interfaces = NULL;
this->public.bus = NULL;
this->public.outlog = NULL;
this->public.syslog = NULL;
@@ -399,7 +437,7 @@ static void usage(const char *msg)
int main(int argc, char *argv[])
{
u_int crl_check_interval = 0;
- bool strict_crl_policy = FALSE;
+ strict_t strict_crl_policy = STRICT_NO;
bool cache_crls = FALSE;
bool use_syslog = FALSE;
char *eapdir = IPSEC_EAPDIR;
@@ -412,6 +450,11 @@ int main(int argc, char *argv[])
level_t levels[DBG_MAX];
int signal;
+ prctl(PR_SET_KEEPCAPS, 1);
+
+ /* drop the capabilities we won't need at all */
+ drop_capabilities(NULL, FALSE);
+
/* use CTRL loglevel for default */
for (signal = 0; signal < DBG_MAX; signal++)
{
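Review bot: The return value of `prctl(PR_SET_KEEPCAPS, 1)` is discarded; if it fails, the later setuid() in drop_capabilities(..., TRUE) clears the permitted set, CAP_NET_ADMIN is lost, and netlink operations fail much later with an unrelated error. Check it before going on, e.g. `if (prctl(PR_SET_KEEPCAPS, 1) != 0)` followed by an error message and exit. The first `drop_capabilities(NULL, FALSE)` call runs before any daemon object exists, which is worth stating in the comment, since the function's failure path expects a daemon to kill.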
@@ -425,7 +468,7 @@ int main(int argc, char *argv[])
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "use-syslog", no_argument, NULL, 'l' },
- { "strictcrlpolicy", no_argument, NULL, 'r' },
+ { "strictcrlpolicy", required_argument, NULL, 'r' },
{ "cachecrls", no_argument, NULL, 'C' },
{ "crlcheckinterval", required_argument, NULL, 'x' },
{ "eapdir", required_argument, NULL, 'e' },
@@ -458,7 +501,7 @@ int main(int argc, char *argv[])
use_syslog = TRUE;
continue;
case 'r':
- strict_crl_policy = TRUE;
+ strict_crl_policy = atoi(optarg);
continue;
case 'C':
cache_crls = TRUE;
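Review bot: `strict_crl_policy = atoi(optarg);` accepts any string: non-numeric input silently becomes 0 (STRICT_NO) and out-of-range numbers yield a strict_t value no code handles. Parse with strtol(), check the end pointer, and reject anything outside the enum through the existing usage() helper, e.g. `char *end; long v = strtol(optarg, &end, 10); if (*end || v < STRICT_NO || v > <highest strict_t value>) usage("invalid strictcrlpolicy value");`. The enclosing option loop continues outside the hunk.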
@@ -484,13 +527,13 @@ int main(int argc, char *argv[])
charon = (daemon_t*)private_charon;
/* initialize daemon */
- initialize(private_charon, strict_crl_policy, use_syslog, levels);
+ initialize(private_charon, use_syslog, levels);
/* load pluggable EAP modules */
eap_method_load(eapdir);
- /* set cache_crls and crl_check_interval options */
- ca_info_set_options(cache_crls, crl_check_interval);
+ /* set strict_crl_policy, cache_crls and crl_check_interval options */
+ ca_info_set_options(strict_crl_policy, cache_crls, crl_check_interval);
/* check/setup PID file */
if (stat(PID_FILE, &stb) == 0)
@@ -516,6 +559,9 @@ int main(int argc, char *argv[])
}
list->destroy(list);
+ /* drop additional capabilites (bind & root) */
+ drop_capabilities(private_charon, TRUE);
+
/* run daemon */
run(private_charon);
@@ -527,3 +573,4 @@ int main(int argc, char *argv[])
return 0;
}
+
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 420262474..640bc6a09 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -29,22 +29,20 @@ typedef struct daemon_t daemon_t;
#include <credential_store.h>
-#include <threads/sender.h>
-#include <threads/receiver.h>
-#include <threads/scheduler.h>
-#include <threads/kernel_interface.h>
-#include <threads/thread_pool.h>
-#include <threads/stroke_interface.h>
+#include <network/sender.h>
+#include <network/receiver.h>
#include <network/socket.h>
+#include <processing/scheduler.h>
+#include <processing/thread_pool.h>
+#include <processing/job_queue.h>
+#include <processing/event_queue.h>
+#include <kernel/kernel_interface.h>
+#include <control/interface_manager.h>
#include <bus/bus.h>
#include <bus/listeners/file_logger.h>
#include <bus/listeners/sys_logger.h>
#include <sa/ike_sa_manager.h>
-#include <queues/job_queue.h>
-#include <queues/event_queue.h>
-#include <config/configuration.h>
-#include <config/connections/connection_store.h>
-#include <config/policies/policy_store.h>
+#include <config/backend_manager.h>
/**
* @defgroup charon charon
@@ -98,6 +96,14 @@ typedef struct daemon_t daemon_t;
*/
/**
+ * @defgroup bus bus
+ *
+ * Signaling bus and its listeners.
+ *
+ * @ingroup charon
+ */
+
+/**
* @defgroup config config
*
* Classes implementing configuration related things.
@@ -106,6 +112,38 @@ typedef struct daemon_t daemon_t;
*/
/**
+ * @defgroup backends backends
+ *
+ * Classes implementing configuration backends.
+ *
+ * @ingroup config
+ */
+
+/**
+ * @defgroup credentials credentials
+ *
+ * Trust chain verification and certificate store.
+ *
+ * @ingroup config
+ */
+
+/**
+ * @defgroup control control
+ *
+ * Handling of loadable control interface modules.
+ *
+ * @ingroup charon
+ */
+
+/**
+ * @defgroup interfaces interfaces
+ *
+ * Classes which control the daemon using IPC mechanisms.
+ *
+ * @ingroup control
+ */
+
+/**
* @defgroup encoding encoding
*
* Classes used to encode and decode IKEv2 messages.
@@ -122,52 +160,49 @@ typedef struct daemon_t daemon_t;
*/
/**
- * @defgroup network network
+ * @defgroup kernel kernel
*
- * Classes for network relevant stuff.
+ * Classes to configure and query the kernel.
*
* @ingroup charon
*/
/**
- * @defgroup queues queues
+ * @defgroup network network
*
- * Different kind of queues
- * (thread save lists).
+ * Classes for sending and receiving UDP packets over the network.
*
* @ingroup charon
*/
/**
- * @defgroup jobs jobs
+ * @defgroup processing processing
*
- * Jobs used in job queue and event queue.
+ * Queueing, scheduling and processing of jobs
*
- * @ingroup queues
+ * @ingroup charon
*/
/**
- * @defgroup sa sa
+ * @defgroup jobs jobs
*
- * Security associations for IKE and IPSec,
- * and some helper classes.
+ * Jobs to queue, schedule and process.
*
- * @ingroup charon
+ * @ingroup processing
*/
/**
- * @defgroup tasks tasks
+ * @defgroup sa sa
*
- * Tasks process and build message payloads. They are used to create
- * and process multiple exchanges.
+ * Security associations for IKE and IPSec, and its helper classes.
*
- * @ingroup sa
+ * @ingroup charon
*/
/**
* @defgroup authenticators authenticators
*
- * Authenticator classes to prove identity of peer.
+ * Authenticator classes to prove identity of a peer.
*
* @ingroup sa
*/
@@ -175,25 +210,18 @@ typedef struct daemon_t daemon_t;
/**
* @defgroup eap eap
*
- * EAP authentication module interface and it's implementations.
+ * EAP module loader, interface and it's implementations.
*
* @ingroup authenticators
*/
-
+
/**
- * @defgroup threads threads
- *
- * Threaded classes, which will do their job alone.
- *
- * @ingroup charon
- */
-
-/**
- * @defgroup bus bus
+ * @defgroup tasks tasks
*
- * Signaling bus and its listeners.
+ * Tasks process and build message payloads. They are used to create
+ * and process multiple exchanges.
*
- * @ingroup charon
+ * @ingroup sa
*/
/**
@@ -263,13 +291,27 @@ typedef struct daemon_t daemon_t;
#define CERTIFICATE_DIR IPSEC_D_DIR "/certs"
/**
- * Default directory for trusted CA certificates
+ * Default directory for trusted Certification Authority certificates
*
* @ingroup charon
*/
#define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts"
/**
+ * Default directory for Authorization Authority certificates
+ *
+ * @ingroup charon
+ */
+#define AA_CERTIFICATE_DIR IPSEC_D_DIR "/aacerts"
+
+/**
+ * Default directory for Attribute certificates
+ *
+ * @ingroup charon
+ */
+#define ATTR_CERTIFICATE_DIR IPSEC_D_DIR "/acerts"
+
+/**
* Default directory for OCSP signing certificates
*
* @ingroup charon
@@ -317,19 +359,9 @@ struct daemon_t {
ike_sa_manager_t *ike_sa_manager;
/**
- * A configuration_t instance.
+ * Manager for the different configuration backends.
*/
- configuration_t *configuration;
-
- /**
- * A connection_store_t instance.
- */
- connection_store_t *connections;
-
- /**
- * A policy_store_t instance.
- */
- policy_store_t *policies;
+ backend_manager_t *backends;
/**
* A credential_store_t instance.
@@ -382,15 +414,23 @@ struct daemon_t {
kernel_interface_t *kernel_interface;
/**
- * IPC interface, as whack in pluto
+ * Interfaces for IPC
+ */
+ interface_manager_t *interfaces;
+
+ /**
+ * @brief Let the calling thread drop its capabilities.
+ *
+ * @param this calling daemon
+ * @param full TRUE to drop as many as possible
*/
- stroke_t *stroke;
+ void (*drop_capabilities) (daemon_t *this, bool full);
/**
* @brief Shut down the daemon.
*
- * @param this the daemon to kill
- * @param reason describtion why it will be killed
+ * @param this the daemon to kill
+ * @param reason describtion why it will be killed
*/
void (*kill) (daemon_t *this, char *reason);
};
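Review bot: The reformatted parameter line keeps the typo `describtion`; since the line is rewritten anyway, make it `@param reason description why it will be killed`. The new `drop_capabilities` documentation would also benefit from naming which capabilities survive each mode (only CAP_NET_ADMIN when `full` is TRUE), because that is the contract the sender, receiver and kernel threads in this diff rely on when they call it.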
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
index 5f3f91f8b..b31b21afa 100644
--- a/src/charon/encoding/message.c
+++ b/src/charon/encoding/message.c
@@ -24,7 +24,6 @@
#include <stdlib.h>
#include <string.h>
-#include <printf.h>
#include "message.h"
@@ -603,72 +602,50 @@ static payload_t *get_payload(private_message_t *this, payload_type_t type)
}
/**
- * output handler in printf()
+ * get a string representation of the message
*/
-static int print(FILE *stream, const struct printf_info *info,
- const void *const *args)
+static char* get_string(private_message_t *this, char *buf, int len)
{
- private_message_t *this = *((private_message_t**)(args[0]));
iterator_t *iterator;
payload_t *payload;
- bool first = TRUE;
- size_t total_written = 0;
- size_t written;
+ int written;
+ char *pos = buf;
- if (this == NULL)
+ written = snprintf(pos, len, "%N %s [",
+ exchange_type_names, this->exchange_type,
+ this->is_request ? "request" : "response");
+ if (written >= len || written < 0)
{
- return fprintf(stream, "(null)");
+ return "";
}
+ pos += written;
+ len -= written;
- written = fprintf(stream, "%N %s [",
- exchange_type_names, this->exchange_type,
- this->is_request ? "request" : "response");
- if (written < 0)
+ if (this->payloads->get_count(this->payloads) == 0)
{
- return written;
+ snprintf(pos, len, "]");
+ return buf;
}
- total_written += written;
iterator = this->payloads->create_iterator(this->payloads, TRUE);
while (iterator->iterate(iterator, (void**)&payload))
{
- if (!first)
+ written = snprintf(pos, len, "%N ", payload_type_short_names,
+ payload->get_type(payload));
+ if (written >= len || written < 0)
{
- written = fprintf(stream, " ");
- if (written < 0)
- {
- return written;
- }
- total_written += written;
- }
- else
- {
- first = FALSE;
- }
- written = fprintf(stream, "%N", payload_type_short_names,
- payload->get_type(payload));
- if (written < 0)
- {
- return written;
+ return buf;
}
- total_written += written;
+ pos += written;
+ len -= written;
}
iterator->destroy(iterator);
- written = fprintf(stream, "]");
- if (written < 0)
- {
- return written;
- }
- total_written += written;
- return total_written;
-}
-
-/**
- * register printf() handlers
- */
-static void __attribute__ ((constructor))print_register()
-{
- register_printf_function(PRINTF_MESSAGE, print, arginfo_ptr);
+
+ /* remove last space */
+ pos--;
+ len++;
+ snprintf(pos, len, "]");
+ return buf;
}
/**
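Review bot: The truncation early return inside the payload loop (`return buf;` after the snprintf length check) skips `iterator->destroy(iterator)`, leaking the iterator whenever a message description does not fit the 128-byte buffers the callers pass. Destroy it before returning: `iterator->destroy(iterator); return buf;`. The "remove last space" step after the loop is only reached when every payload fit, so `pos--` is safe there, but a comment stating that invariant would help the next reader.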
@@ -757,6 +734,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
iterator_t *iterator;
status_t status;
chunk_t packet_data;
+ char str[128];
if (is_encoded(this))
{
@@ -765,7 +743,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
return SUCCESS;
}
- DBG1(DBG_ENC, "generating %M", this);
+ DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
{
@@ -1162,6 +1140,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
{
status_t status = SUCCESS;
payload_type_t current_payload_type;
+ char str[128];
current_payload_type = this->first_payload;
@@ -1231,7 +1210,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
return status;
}
- DBG1(DBG_ENC, "parsed %M", this);
+ DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
return SUCCESS;
}
diff --git a/src/charon/threads/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index 4a70d2ecf..d82783b03 100644
--- a/src/charon/threads/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -45,9 +45,9 @@
#include <daemon.h>
#include <utils/linked_list.h>
-#include <queues/jobs/delete_child_sa_job.h>
-#include <queues/jobs/rekey_child_sa_job.h>
-#include <queues/jobs/acquire_job.h>
+#include <processing/jobs/delete_child_sa_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/acquire_job.h>
/** kernel level protocol identifiers */
#define KERNEL_ESP 50
@@ -129,7 +129,7 @@ kernel_algorithm_t integrity_algs[] = {
{AUTH_HMAC_SHA2_512_256, "sha512", 512},
/* {AUTH_DES_MAC, "***", 0}, */
/* {AUTH_KPDK_MD5, "***", 0}, */
-/* {AUTH_AES_XCBC_96, "***", 0}, */
+ {AUTH_AES_XCBC_96, "xcbc(aes)", 128},
{END_OF_LIST, NULL, 0},
};
@@ -171,6 +171,9 @@ struct route_entry_t {
/** Source ip of the route */
host_t *src_ip;
+
+ /** gateway for this route */
+ host_t *gateway;
/** Destination net */
chunk_t dst_net;
@@ -185,6 +188,7 @@ struct route_entry_t {
static void route_entry_destroy(route_entry_t *this)
{
this->src_ip->destroy(this->src_ip);
+ this->gateway->destroy(this->gateway);
chunk_free(&this->dst_net);
free(this);
}
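Review bot: `this->gateway->destroy(this->gateway)` assumes gateway is always set, but in add_policy (a later hunk of this file) the field is only assigned inside the `get_address_by_ts(...) == SUCCESS` branch after the entry is allocated, so if the failure path keeps the entry (not visible here) destroy runs on an uninitialised pointer. Either initialise gateway to NULL on allocation and use `DESTROY_IF(this->gateway);`, or free the entry on that failure path.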
@@ -442,6 +446,8 @@ static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
*/
static void receive_events(private_kernel_interface_t *this)
{
+ charon->drop_capabilities(charon, TRUE);
+
while(TRUE)
{
unsigned char response[512];
@@ -571,7 +577,7 @@ static status_t netlink_send(int socket, struct nlmsghdr *in,
continue;
}
pthread_mutex_unlock(&mutex);
- DBG1(DBG_KNL, "error sending to netlink socket: %m");
+ DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
return FAILED;
}
break;
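Review bot: The replacement of glibc's `%m` with `strerror(errno)` here, in the following netlink_send hunk, and throughout the socket.c hunks of this diff, calls strerror() from a multi-threaded daemon; strerror() is not guaranteed thread-safe (it may return a shared static buffer), so concurrent failures in the sender, receiver and netlink threads can corrupt each other's messages. The thread-safe form is strerror_r() into a local buffer, e.g. `char errbuf[128]; strerror_r(errno, errbuf, sizeof(errbuf));` and logging errbuf (mind the GNU versus XSI return-value difference). In this line errno is read after `pthread_mutex_unlock`, which reports errors by return value rather than errno, so the value is still the send error; saving errno to a local before the unlock would make that independent of the implementation.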
@@ -601,7 +607,7 @@ static status_t netlink_send(int socket, struct nlmsghdr *in,
/* interrupted, try again */
continue;
}
- DBG1(DBG_IKE, "error reading from netlink socket: %m");
+ DBG1(DBG_IKE, "error reading from netlink socket: %s", strerror(errno));
pthread_mutex_unlock(&mutex);
return FAILED;
}
@@ -996,6 +1002,7 @@ static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type
half.dst_net = chunk_alloca(route->dst_net.len);
memset(half.dst_net.ptr, 0, half.dst_net.len);
half.src_ip = route->src_ip;
+ half.gateway = route->gateway;
half.if_index = route->if_index;
half.prefixlen = 1;
@@ -1023,6 +1030,8 @@ static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type
add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
chunk = route->src_ip->get_address(route->src_ip);
add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+ chunk = route->gateway->get_address(route->gateway);
+ add_attribute(hdr, RTA_GATEWAY, chunk, sizeof(request));
chunk.ptr = (char*)&route->if_index;
chunk.len = sizeof(route->if_index);
add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
@@ -1689,6 +1698,7 @@ static status_t add_policy(private_kernel_interface_t *this,
policy->route = malloc_thing(route_entry_t);
if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
{
+ policy->route->gateway = dst->clone(dst);
policy->route->if_index = get_interface_index(this, dst);
policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
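Review bot: `policy->route->gateway = dst->clone(dst)` uses the peer address as the next hop of the source route; that only works when the peer is on-link, otherwise the kernel typically rejects the RTA_GATEWAY added in the manage_srcroute hunk above as unreachable and the route install fails. If the on-link assumption is intended, a comment stating it belongs here; if not, the real next hop towards dst has to be looked up from the routing table instead. The enclosing function continues outside the hunk.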
diff --git a/src/charon/threads/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index 34b06f594..2a3eaff7a 100644
--- a/src/charon/threads/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -35,6 +35,8 @@ typedef struct kernel_interface_t kernel_interface_t;
/**
* Configuration for NAT-T
+ *
+ * @ingroup kernel
*/
struct natt_conf_t {
/** source port to use for UDP-encapsulated packets */
@@ -47,6 +49,8 @@ struct natt_conf_t {
* Direction of a policy. These are equal to those
* defined in xfrm.h, but we want to stay implementation
* neutral here.
+ *
+ * @ingroup kernel
*/
enum policy_dir_t {
/** Policy for inbound traffic */
@@ -71,7 +75,7 @@ enum policy_dir_t {
* @b Constructors:
* - kernel_interface_create()
*
- * @ingroup threads
+ * @ingroup kernel
*/
struct kernel_interface_t {
@@ -324,7 +328,7 @@ struct kernel_interface_t {
/**
* @brief Creates an object of type kernel_interface_t.
*
- * @ingroup threads
+ * @ingroup kernel
*/
kernel_interface_t *kernel_interface_create(void);
diff --git a/src/charon/threads/receiver.c b/src/charon/network/receiver.c
index 7195c162d..9b4bf71ac 100644
--- a/src/charon/threads/receiver.c
+++ b/src/charon/network/receiver.c
@@ -22,6 +22,7 @@
*/
#include <stdlib.h>
+#include <unistd.h>
#include <pthread.h>
#include "receiver.h"
@@ -29,9 +30,9 @@
#include <daemon.h>
#include <network/socket.h>
#include <network/packet.h>
-#include <queues/job_queue.h>
-#include <queues/jobs/job.h>
-#include <queues/jobs/process_message_job.h>
+#include <processing/job_queue.h>
+#include <processing/jobs/job.h>
+#include <processing/jobs/process_message_job.h>
/** length of the full cookie, including time (u_int32_t + SHA1()) */
#define COOKIE_LENGTH 24
@@ -254,12 +255,16 @@ static void receive_packets(private_receiver_t *this)
DBG1(DBG_NET, "receiver thread running, thread_ID: %06u",
(int)pthread_self());
+ charon->drop_capabilities(charon, TRUE);
+
while (TRUE)
{
/* read in a packet */
if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
{
- DBG1(DBG_NET, "receiving from socket failed!");
+ DBG2(DBG_NET, "receiving from socket failed!");
+ /* try again after a delay */
+ sleep(1);
continue;
}
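Review bot: A failing receive now logs only at DBG2 and retries after `sleep(1)` forever, so a permanently broken socket is invisible at the default log level while the daemon appears healthy. Keeping DBG1 for the first failure, or a counter-based escalation such as `if (++failures == 1) DBG1(DBG_NET, "receiving from socket failed, retrying");`, would let operators notice the condition. The loop body continues outside the hunk.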
@@ -267,7 +272,7 @@ static void receive_packets(private_receiver_t *this)
message = message_create_from_packet(packet);
if (message->parse_header(message) != SUCCESS)
{
- DBG1(DBG_NET, "received invalid IKE header from %H, ignored",
+ DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
packet->get_source(packet));
message->destroy(message);
continue;
diff --git a/src/charon/threads/receiver.h b/src/charon/network/receiver.h
index 68d9136c0..1bfa7b764 100644
--- a/src/charon/threads/receiver.h
+++ b/src/charon/network/receiver.h
@@ -54,7 +54,7 @@ typedef struct receiver_t receiver_t;
* @b Constructors:
* - receiver_create()
*
- * @ingroup threads
+ * @ingroup network
*/
struct receiver_t {
@@ -74,7 +74,7 @@ struct receiver_t {
*
* @return receiver_t object
*
- * @ingroup threads
+ * @ingroup network
*/
receiver_t * receiver_create(void);
diff --git a/src/charon/threads/sender.c b/src/charon/network/sender.c
index c1cd0a68c..933b8c192 100644
--- a/src/charon/threads/sender.c
+++ b/src/charon/network/sender.c
@@ -84,10 +84,11 @@ static void send_(private_sender_t *this, packet_t *packet)
*/
static void send_packets(private_sender_t * this)
{
-
/* cancellation disabled by default */
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
DBG1(DBG_NET, "sender thread running, thread_ID: %06u", (int)pthread_self());
+
+ charon->drop_capabilities(charon, TRUE);
while (TRUE)
{
@@ -119,9 +120,14 @@ static void send_packets(private_sender_t * this)
*/
static void destroy(private_sender_t *this)
{
+ /* send all packets in the queue */
+ while (this->list->get_count(this->list))
+ {
+ sched_yield();
+ }
pthread_cancel(this->assigned_thread);
pthread_join(this->assigned_thread, NULL);
- this->list->destroy_offset(this->list, offsetof(packet_t, destroy));
+ this->list->destroy(this->list);
free(this);
}
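Review bot: The new drain loop `while (this->list->get_count(this->list)) sched_yield();` has no bound: if the sender thread is blocked or the socket keeps failing, destroy() spins forever and daemon shutdown hangs. Give it an iteration cap or deadline, and since `destroy_offset(..., offsetof(packet_t, destroy))` was replaced by `destroy(list)`, any packet still queued when the thread is cancelled is now leaked, so the destroy_offset variant should stay for that leftover case. Whether get_count may be called without holding the list's lock depends on the linked_list implementation, which is not visible here.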
diff --git a/src/charon/threads/sender.h b/src/charon/network/sender.h
index 4f42f6f9e..6f2a06891 100644
--- a/src/charon/threads/sender.h
+++ b/src/charon/network/sender.h
@@ -35,7 +35,7 @@ typedef struct sender_t sender_t;
* @b Constructors:
* - sender_create()
*
- * @ingroup threads
+ * @ingroup network
*/
struct sender_t {
@@ -67,7 +67,7 @@ struct sender_t {
*
* @return created sender object
*
- * @ingroup threads
+ * @ingroup network
*/
sender_t * sender_create(void);
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index 00ba22d5a..dd231ebed 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -176,7 +176,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
if (bytes_read < 0)
{
- DBG1(DBG_NET, "error reading from IPv4 socket: %m");
+ DBG1(DBG_NET, "error reading from IPv4 socket: %s", strerror(errno));
return FAILED;
}
DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
@@ -238,7 +238,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
bytes_read = recvmsg(this->recv6, &msg, 0);
if (bytes_read < 0)
{
- DBG1(DBG_NET, "error reading from IPv6 socket: %m");
+ DBG1(DBG_NET, "error reading from IPv6 socket: %s", strerror(errno));
return FAILED;
}
DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
@@ -428,7 +428,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
if (bytes_sent != data.len)
{
- DBG1(DBG_NET, "error writing to socket: %m");
+ DBG1(DBG_NET, "error writing to socket: %s", strerror(errno));
return FAILED;
}
return SUCCESS;
@@ -477,13 +477,14 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
if (skt < 0)
{
- DBG1(DBG_NET, "could not open send socket: %m");
+ DBG1(DBG_NET, "could not open send socket: %s", strerror(errno));
return 0;
}
if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
{
- DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %m");
+ DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -497,7 +498,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
- DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m");
+ DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -507,7 +509,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
- DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m");
+ DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -515,7 +518,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
/* bind the send socket */
if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
{
- DBG1(DBG_NET, "unable to bind send socket: %m");
+ DBG1(DBG_NET, "unable to bind send socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -525,7 +529,8 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
/* enable UDP decapsulation globally, only for one socket needed */
if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
{
- DBG1(DBG_NET, "unable to set UDP_ENCAP: %m; NAT-T may fail");
+ DBG1(DBG_NET, "unable to set UDP_ENCAP: %s; NAT-T may fail",
+ strerror(errno));
}
}
@@ -606,14 +611,15 @@ static int open_recv_socket(private_socket_t *this, int family)
skt = socket(family, SOCK_RAW, IPPROTO_UDP);
if (skt < 0)
{
- DBG1(DBG_NET, "unable to create raw socket: %m");
+ DBG1(DBG_NET, "unable to create raw socket: %s", strerror(errno));
return 0;
}
if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
&ikev2_filter, sizeof(ikev2_filter)) < 0)
{
- DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %m");
+ DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -623,7 +629,8 @@ static int open_recv_socket(private_socket_t *this, int family)
* 2 or 50 depending on kernel header version */
setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0)
{
- DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %m");
+ DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -637,7 +644,8 @@ static int open_recv_socket(private_socket_t *this, int family)
if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
- DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %m");
+ DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %s",
+ strerror(errno));
close(skt);
return 0;
}
@@ -682,6 +690,7 @@ static void destroy(private_socket_t *this)
*/
socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
{
+ int key;
private_socket_t *this = malloc_thing(private_socket_t);
/* public functions */
@@ -698,6 +707,15 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
this->send4_natt = 0;
this->send6_natt = 0;
+ /* we open a AF_KEY socket to autoload the af_key module. Otherwise
+ * setsockopt(IPSEC_POLICY) won't work. */
+ key = socket(AF_KEY, SOCK_RAW, PF_KEY_V2);
+ if (key == 0)
+ {
+ charon->kill(charon, "could not open AF_KEY socket");
+ }
+ close(key);
+
this->recv4 = open_recv_socket(this, AF_INET);
if (this->recv4 == 0)
{
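Review bot: The failure test on the AF_KEY probe is inverted in practice: `socket()` returns -1 on error, never 0, so `if (key == 0)` cannot fire, a missing af_key module goes unnoticed, and `close(key)` is then called with -1. The check should be `if (key < 0)`. A short comment would also help, since the descriptor is closed on the very next line, e.g. `/* descriptor not kept: only the module autoload side effect is wanted */`. socket_create() continues outside this hunk.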
diff --git a/src/charon/queues/event_queue.c b/src/charon/processing/event_queue.c
index 40bcb1ed8..40bcb1ed8 100644
--- a/src/charon/queues/event_queue.c
+++ b/src/charon/processing/event_queue.c
diff --git a/src/charon/queues/event_queue.h b/src/charon/processing/event_queue.h
index cd275123b..c85286bf2 100644
--- a/src/charon/queues/event_queue.h
+++ b/src/charon/processing/event_queue.h
@@ -29,7 +29,7 @@ typedef struct event_queue_t event_queue_t;
#include <sys/time.h>
#include <library.h>
-#include <queues/jobs/job.h>
+#include <processing/jobs/job.h>
/**
* @brief Event-Queue used to store timed events.
@@ -45,7 +45,7 @@ typedef struct event_queue_t event_queue_t;
* @b Constructors:
* - event_queue_create()
*
- * @ingroup queues
+ * @ingroup processing
*/
struct event_queue_t {
@@ -111,7 +111,7 @@ struct event_queue_t {
*
* @returns event_queue_t object
*
- * @ingroup queues
+ * @ingroup processing
*/
event_queue_t *event_queue_create(void);
diff --git a/src/charon/queues/job_queue.c b/src/charon/processing/job_queue.c
index 2310ca6ff..2310ca6ff 100644
--- a/src/charon/queues/job_queue.c
+++ b/src/charon/processing/job_queue.c
diff --git a/src/charon/queues/job_queue.h b/src/charon/processing/job_queue.h
index c971ba514..9b58588ae 100644
--- a/src/charon/queues/job_queue.h
+++ b/src/charon/processing/job_queue.h
@@ -27,7 +27,7 @@
typedef struct job_queue_t job_queue_t;
#include <library.h>
-#include <queues/jobs/job.h>
+#include <processing/jobs/job.h>
/**
* @brief The job queue stores jobs, which will be processed by the thread_pool_t.
@@ -40,7 +40,7 @@ typedef struct job_queue_t job_queue_t;
* @b Constructors:
* - job_queue_create()
*
- * @ingroup queues
+ * @ingroup processing
*/
struct job_queue_t {
@@ -93,7 +93,7 @@ struct job_queue_t {
*
* @return job_queue_t object
*
- * @ingroup queues
+ * @ingroup processing
*/
job_queue_t *job_queue_create(void);
diff --git a/src/charon/queues/jobs/acquire_job.c b/src/charon/processing/jobs/acquire_job.c
index b4ffb258d..b4ffb258d 100644
--- a/src/charon/queues/jobs/acquire_job.c
+++ b/src/charon/processing/jobs/acquire_job.c
diff --git a/src/charon/queues/jobs/acquire_job.h b/src/charon/processing/jobs/acquire_job.h
index 54f1b9b5b..226966215 100644
--- a/src/charon/queues/jobs/acquire_job.h
+++ b/src/charon/processing/jobs/acquire_job.h
@@ -26,7 +26,7 @@
typedef struct acquire_job_t acquire_job_t;
#include <library.h>
-#include <queues/jobs/job.h>
+#include <processing/jobs/job.h>
/**
* @brief Class representing an ACQUIRE Job.
diff --git a/src/charon/queues/jobs/delete_child_sa_job.c b/src/charon/processing/jobs/delete_child_sa_job.c
index f694696b0..f694696b0 100644
--- a/src/charon/queues/jobs/delete_child_sa_job.c
+++ b/src/charon/processing/jobs/delete_child_sa_job.c
diff --git a/src/charon/queues/jobs/delete_child_sa_job.h b/src/charon/processing/jobs/delete_child_sa_job.h
index 9c2e4fa4d..0b90e008d 100644
--- a/src/charon/queues/jobs/delete_child_sa_job.h
+++ b/src/charon/processing/jobs/delete_child_sa_job.h
@@ -27,7 +27,7 @@ typedef struct delete_child_sa_job_t delete_child_sa_job_t;
#include <library.h>
#include <sa/ike_sa_id.h>
-#include <queues/jobs/job.h>
+#include <processing/jobs/job.h>
#include <config/proposal.h>
diff --git a/src/charon/queues/jobs/delete_ike_sa_job.c b/src/charon/processing/jobs/delete_ike_sa_job.c
index 706155aa6..706155aa6 100644
--- a/src/charon/queues/jobs/delete_ike_sa_job.c
+++ b/src/charon/processing/jobs/delete_ike_sa_job.c
diff --git a/src/charon/queues/jobs/delete_ike_sa_job.h b/src/charon/processing/jobs/delete_ike_sa_job.h
index 43701a354..11bb46e73 100644
--- a/src/charon/queues/jobs/delete_ike_sa_job.h
+++ b/src/charon/processing/jobs/delete_ike_sa_job.h
@@ -28,7 +28,7 @@ typedef struct delete_ike_sa_job_t delete_ike_sa_job_t;
#include <library.h>
#include <sa/ike_sa_id.h>
-#include <queues/jobs/job.h>
+#include <processing/jobs/job.h>
/**
diff --git a/src/charon/queues/jobs/job.c b/src/charon/processing/jobs/job.c
index d32d1bc61..d32d1bc61 100644
--- a/src/charon/queues/jobs/job.c
+++ b/src/charon/processing/jobs/job.c
diff --git a/src/charon/queues/jobs/job.h b/src/charon/processing/jobs/job.h
index 28632672d..28632672d 100644
--- a/src/charon/queues/jobs/job.h
+++ b/src/charon/processing/jobs/job.h
diff --git a/src/charon/queues/jobs/process_message_job.c b/src/charon/processing/jobs/process_message_job.c
index ee7484bbd..ee7484bbd 100644
--- a/src/charon/queues/jobs/process_message_job.c
+++ b/src/charon/processing/jobs/process_message_job.c
diff --git a/src/charon/queues/jobs/process_message_job.h b/src/charon/processing/jobs/process_message_job.h
index 2e60a298c..5bb18155a 100644
--- a/src/charon/queues/jobs/process_message_job.h
+++ b/src/charon/processing/jobs/process_message_job.h
@@ -28,7 +28,7 @@ typedef struct process_message_job_t process_message_job_t;
#include <library.h>
#include <encoding/message.h>
-#include <queues/jobs/job.h>
+#include <processing/jobs/job.h>
/**
* @brief Class representing an PROCESS_MESSAGE job.
diff --git a/src/charon/queues/jobs/rekey_child_sa_job.c b/src/charon/processing/jobs/rekey_child_sa_job.c
index 3422b614d..3422b614d 100644
--- a/src/charon/queues/jobs/rekey_child_sa_job.c
+++ b/src/charon/processing/jobs/rekey_child_sa_job.c
diff --git a/src/charon/queues/jobs/rekey_child_sa_job.h b/src/charon/processing/jobs/rekey_child_sa_job.h
index 19e1b5d32..df86070bc 100644
--- a/src/charon/queues/jobs/rekey_child_sa_job.h
+++ b/src/charon/processing/jobs/rekey_child_sa_job.h
@@ -27,7 +27,7 @@ typedef struct rekey_child_sa_job_t rekey_child_sa_job_t;
#include <library.h>
#include <sa/ike_sa_id.h>
-#include <queues/jobs/job.h>
+#include <processing/jobs/job.h>
#include <config/proposal.h>
/**
diff --git a/src/charon/queues/jobs/rekey_ike_sa_job.c b/src/charon/processing/jobs/rekey_ike_sa_job.c
index 2539d997e..f6c058634 100644
--- a/src/charon/queues/jobs/rekey_ike_sa_job.c
+++ b/src/charon/processing/jobs/rekey_ike_sa_job.c
@@ -67,7 +67,7 @@ static status_t execute(private_rekey_ike_sa_job_t *this)
this->ike_sa_id);
if (ike_sa == NULL)
{
- DBG2(DBG_JOB, "IKE_SA %J to rekey not found", this->ike_sa_id);
+ DBG2(DBG_JOB, "IKE_SA to rekey not found");
return DESTROY_ME;
}
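Review bot: The rewritten DBG2 message drops the IKE_SA identifier that the old `%J` argument printed, so a rekey that finds no SA can no longer be correlated with a specific SA in the log. If the `%J` printf hook was removed from the library, including the SPIs held in `this->ike_sa_id` in the message would keep that diagnostic; otherwise the original line should stay. execute() starts and ends outside this hunk.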
diff --git a/src/charon/queues/jobs/rekey_ike_sa_job.h b/src/charon/processing/jobs/rekey_ike_sa_job.h
index f3e336fb3..4031b3813 100644
--- a/src/charon/queues/jobs/rekey_ike_sa_job.h
+++ b/src/charon/processing/jobs/rekey_ike_sa_job.h
@@ -27,7 +27,7 @@ typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t;
#include <library.h>
#include <sa/ike_sa_id.h>
-#include <queues/jobs/job.h>
+#include <processing/jobs/job.h>
/**
* @brief Class representing an REKEY_IKE_SA Job.
diff --git a/src/charon/queues/jobs/retransmit_job.c b/src/charon/processing/jobs/retransmit_job.c
index 5bfa20dfd..5bfa20dfd 100644
--- a/src/charon/queues/jobs/retransmit_job.c
+++ b/src/charon/processing/jobs/retransmit_job.c
diff --git a/src/charon/queues/jobs/retransmit_job.h b/src/charon/processing/jobs/retransmit_job.h
index 19e29b909..93bb548e7 100644
--- a/src/charon/queues/jobs/retransmit_job.h
+++ b/src/charon/processing/jobs/retransmit_job.h
@@ -27,7 +27,7 @@
typedef struct retransmit_job_t retransmit_job_t;
#include <library.h>
-#include <queues/jobs/job.h>
+#include <processing/jobs/job.h>
#include <sa/ike_sa_id.h>
/**
diff --git a/src/charon/queues/jobs/send_dpd_job.c b/src/charon/processing/jobs/send_dpd_job.c
index 7294d78d5..7294d78d5 100644
--- a/src/charon/queues/jobs/send_dpd_job.c
+++ b/src/charon/processing/jobs/send_dpd_job.c
diff --git a/src/charon/queues/jobs/send_dpd_job.h b/src/charon/processing/jobs/send_dpd_job.h
index f3900f9a2..26c9e2e81 100644
--- a/src/charon/queues/jobs/send_dpd_job.h
+++ b/src/charon/processing/jobs/send_dpd_job.h
@@ -25,8 +25,7 @@
typedef struct send_dpd_job_t send_dpd_job_t;
#include <library.h>
-#include <queues/jobs/job.h>
-#include <config/connections/connection.h>
+#include <processing/jobs/job.h>
#include <sa/ike_sa_id.h>
/**
diff --git a/src/charon/queues/jobs/send_keepalive_job.c b/src/charon/processing/jobs/send_keepalive_job.c
index 1c1cb288e..1c1cb288e 100644
--- a/src/charon/queues/jobs/send_keepalive_job.c
+++ b/src/charon/processing/jobs/send_keepalive_job.c
diff --git a/src/charon/queues/jobs/send_keepalive_job.h b/src/charon/processing/jobs/send_keepalive_job.h
index c7d05be65..f7b38337e 100644
--- a/src/charon/queues/jobs/send_keepalive_job.h
+++ b/src/charon/processing/jobs/send_keepalive_job.h
@@ -25,8 +25,7 @@
typedef struct send_keepalive_job_t send_keepalive_job_t;
#include <library.h>
-#include <queues/jobs/job.h>
-#include <config/connections/connection.h>
+#include <processing/jobs/job.h>
#include <sa/ike_sa_id.h>
/**
diff --git a/src/charon/threads/scheduler.c b/src/charon/processing/scheduler.c
index 74091e3a3..7249e43e6 100644
--- a/src/charon/threads/scheduler.c
+++ b/src/charon/processing/scheduler.c
@@ -27,7 +27,7 @@
#include "scheduler.h"
#include <daemon.h>
-#include <queues/job_queue.h>
+#include <processing/job_queue.h>
typedef struct private_scheduler_t private_scheduler_t;
@@ -60,6 +60,8 @@ static void get_events(private_scheduler_t * this)
DBG1(DBG_JOB, "scheduler thread running, thread_ID: %06u",
(int)pthread_self());
+ charon->drop_capabilities(charon, TRUE);
+
while (TRUE)
{
DBG2(DBG_JOB, "waiting for next event...");
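Review bot: The new `charon->drop_capabilities(charon, TRUE);` call deserves a comment explaining why it sits inside the thread body rather than once in the daemon: on Linux capability sets are per thread, so a worker inherits the creating thread's set and keeps it unless it drops its own. Suggested comment above the call: `/* capabilities are per-thread on Linux; each thread must drop its own set */`. The same applies to the identical call added in process_jobs() in thread_pool.c. Whether drop_capabilities can report failure is not visible here; if it can, the thread should log and stop rather than continue with elevated privileges. get_events() starts and ends outside this hunk.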
diff --git a/src/charon/threads/scheduler.h b/src/charon/processing/scheduler.h
index daecce3c6..bea93e7c9 100644
--- a/src/charon/threads/scheduler.h
+++ b/src/charon/processing/scheduler.h
@@ -39,7 +39,7 @@ typedef struct scheduler_t scheduler_t;
* @b Constructors:
* - scheduler_create()
*
- * @ingroup threads
+ * @ingroup processing
*/
struct scheduler_t {
@@ -61,7 +61,7 @@ struct scheduler_t {
* - scheduler_t object
* - NULL if thread could not be started
*
- * @ingroup threads
+ * @ingroup processing
*/
scheduler_t * scheduler_create(void);
diff --git a/src/charon/threads/thread_pool.c b/src/charon/processing/thread_pool.c
index 052b5aab9..a9891da15 100644
--- a/src/charon/threads/thread_pool.c
+++ b/src/charon/processing/thread_pool.c
@@ -29,7 +29,7 @@
#include "thread_pool.h"
#include <daemon.h>
-#include <queues/job_queue.h>
+#include <processing/job_queue.h>
typedef struct private_thread_pool_t private_thread_pool_t;
@@ -57,7 +57,7 @@ struct private_thread_pool_t {
* Array of thread ids.
*/
pthread_t *threads;
-} ;
+};
/**
* Implementation of private_thread_pool_t.process_jobs.
@@ -73,6 +73,8 @@ static void process_jobs(private_thread_pool_t *this)
DBG1(DBG_JOB, "worker thread running, thread_ID: %06u",
(int)pthread_self());
+ charon->drop_capabilities(charon, TRUE);
+
while (TRUE)
{
/* TODO: should be atomic, but is not mission critical */
diff --git a/src/charon/threads/thread_pool.h b/src/charon/processing/thread_pool.h
index 8e1989bda..09a6312a8 100644
--- a/src/charon/threads/thread_pool.h
+++ b/src/charon/processing/thread_pool.h
@@ -41,7 +41,7 @@ typedef struct thread_pool_t thread_pool_t;
*
* @todo Add support for dynamic thread handling
*
- * @ingroup threads
+ * @ingroup processing
*/
struct thread_pool_t {
@@ -79,7 +79,7 @@ struct thread_pool_t {
* - thread_pool_t object if one ore more threads could be started, or
* - NULL if no threads could be created
*
- * @ingroup threads
+ * @ingroup processing
*/
thread_pool_t *thread_pool_create(size_t pool_size);
diff --git a/src/charon/queues/jobs/initiate_job.c b/src/charon/queues/jobs/initiate_job.c
deleted file mode 100644
index af50663d6..000000000
--- a/src/charon/queues/jobs/initiate_job.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/**
- * @file initiate_job.c
- *
- * @brief Implementation of initiate_job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-
-#include <stdlib.h>
-
-#include "initiate_job.h"
-
-#include <daemon.h>
-
-typedef struct private_initiate_job_t private_initiate_job_t;
-
-/**
- * Private data of an initiate_job_t Object
- */
-struct private_initiate_job_t {
- /**
- * public initiate_job_t interface
- */
- initiate_job_t public;
-
- /**
- * associated connection to initiate
- */
- connection_t *connection;
-
- /**
- * associated policy to initiate
- */
- policy_t *policy;
-};
-
-/**
- * Implements initiate_job_t.get_type.
- */
-static job_type_t get_type(private_initiate_job_t *this)
-{
- return INITIATE;
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static status_t execute(private_initiate_job_t *this)
-{
- ike_sa_t *ike_sa;
-
- ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager,
- this->connection->get_my_host(this->connection),
- this->connection->get_other_host(this->connection),
- this->policy->get_my_id(this->policy),
- this->policy->get_other_id(this->policy));
-
- if (ike_sa->initiate(ike_sa, this->connection, this->policy) != SUCCESS)
- {
- DBG1(DBG_JOB, "initiation failed, going to delete IKE_SA");
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
- return DESTROY_ME;
- }
-
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_initiate_job_t *this)
-{
- this->connection->destroy(this->connection);
- this->policy->destroy(this->policy);
- free(this);
-}
-
-/*
- * Described in header
- */
-initiate_job_t *initiate_job_create(connection_t *connection, policy_t *policy)
-{
- private_initiate_job_t *this = malloc_thing(private_initiate_job_t);
-
- /* interface functions */
- this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
- this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
- this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
- /* private variables */
- this->connection = connection;
- this->policy = policy;
-
- return &this->public;
-}
diff --git a/src/charon/queues/jobs/initiate_job.h b/src/charon/queues/jobs/initiate_job.h
deleted file mode 100644
index af1dd9ece..000000000
--- a/src/charon/queues/jobs/initiate_job.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
- * @file initiate_job.h
- *
- * @brief Interface of initiate_job_t.
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef INITIATE_IKE_SA_JOB_H_
-#define INITIATE_IKE_SA_JOB_H_
-
-typedef struct initiate_job_t initiate_job_t;
-
-#include <library.h>
-#include <queues/jobs/job.h>
-#include <config/connections/connection.h>
-#include <config/policies/policy.h>
-
-/**
- * @brief Class representing an INITIATE_IKE_SA Job.
- *
- * This job is created if an IKE_SA should be iniated.
- *
- * @b Constructors:
- * - initiate_job_create()
- *
- * @ingroup jobs
- */
-struct initiate_job_t {
- /**
- * implements job_t interface
- */
- job_t job_interface;
-};
-
-/**
- * @brief Creates a job of type INITIATE_IKE_SA.
- *
- * @param connection connection_t to initialize
- * @param policy policy to set up
- * @return initiate_job_t object
- *
- * @ingroup jobs
- */
-initiate_job_t *initiate_job_create(connection_t *connection, policy_t *policy);
-
-#endif /*INITIATE_IKE_SA_JOB_H_*/
diff --git a/src/charon/queues/jobs/route_job.c b/src/charon/queues/jobs/route_job.c
deleted file mode 100644
index bb6281dcc..000000000
--- a/src/charon/queues/jobs/route_job.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/**
- * @file route_job.c
- *
- * @brief Implementation of route_job_t.
- *
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-
-#include <stdlib.h>
-
-#include "route_job.h"
-
-#include <daemon.h>
-
-typedef struct private_route_job_t private_route_job_t;
-
-/**
- * Private data of an route_job_t Object
- */
-struct private_route_job_t {
- /**
- * public route_job_t interface
- */
- route_job_t public;
-
- /**
- * associated connection to route
- */
- connection_t *connection;
-
- /**
- * associated policy to route
- */
- policy_t *policy;
-
- /**
- * route or unroute?
- */
- bool route;
-};
-
-/**
- * Implements route_job_t.get_type.
- */
-static job_type_t get_type(private_route_job_t *this)
-{
- return ROUTE;
-}
-
-/**
- * Implementation of job_t.execute.
- */
-static status_t execute(private_route_job_t *this)
-{
- ike_sa_t *ike_sa;
-
- ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager,
- this->connection->get_my_host(this->connection),
- this->connection->get_other_host(this->connection),
- this->policy->get_my_id(this->policy),
- this->policy->get_other_id(this->policy));
- if (this->route)
- {
- if (ike_sa->route(ike_sa, this->connection, this->policy) != SUCCESS)
- {
- DBG1(DBG_JOB, "routing failed");
- }
- }
- else
- {
- if (ike_sa->unroute(ike_sa, this->policy) == DESTROY_ME)
- {
- DBG1(DBG_JOB, "removing IKE_SA, as last routed CHILD_SA unrouted");
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
- return DESTROY_ME;
- }
- }
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- return DESTROY_ME;
-}
-
-/**
- * Implements job_t.destroy.
- */
-static void destroy(private_route_job_t *this)
-{
- this->connection->destroy(this->connection);
- this->policy->destroy(this->policy);
- free(this);
-}
-
-/*
- * Described in header
- */
-route_job_t *route_job_create(connection_t *connection, policy_t *policy, bool route)
-{
- private_route_job_t *this = malloc_thing(private_route_job_t);
-
- /* interface functions */
- this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
- this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
- this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
-
- /* private variables */
- this->connection = connection;
- this->policy = policy;
- this->route = route;
-
- return &this->public;
-}
diff --git a/src/charon/queues/jobs/route_job.h b/src/charon/queues/jobs/route_job.h
deleted file mode 100644
index 2743a70ab..000000000
--- a/src/charon/queues/jobs/route_job.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * @file route_job.h
- *
- * @brief Interface of route_job_t.
- */
-
-/*
- * Copyright (C) 2005-2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef ROUTE_JOB_H_
-#define ROUTE_JOB_H_
-
-typedef struct route_job_t route_job_t;
-
-#include <library.h>
-#include <queues/jobs/job.h>
-#include <config/policies/policy.h>
-#include <config/connections/connection.h>
-
-/**
- * @brief Class representing an ROUTE Job.
- *
- * @b Constructors:
- * - route_job_create()
- *
- * @ingroup jobs
- */
-struct route_job_t {
- /**
- * implements job_t interface
- */
- job_t job_interface;
-};
-
-/**
- * @brief Creates a job of type ROUTE.
- *
- * @param connection connection used for routing
- * @param policy policy to set up
- * @param route TRUE to route, FALSE to unroute
- * @return route_job_t object
- *
- * @ingroup jobs
- */
-route_job_t *route_job_create(connection_t *connection, policy_t *policy, bool route);
-
-#endif /*ROUTE_JOB_H_*/
diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c
index a4d8abb58..e4a58f0a3 100644
--- a/src/charon/sa/authenticators/eap/eap_method.c
+++ b/src/charon/sa/authenticators/eap/eap_method.c
@@ -85,7 +85,7 @@ void eap_method_unload()
while (modules->remove_last(modules, (void**)&entry) == SUCCESS)
{
- DBG2(DBG_CFG, "unloaded module for %s", eap_type_names, entry->type);
+ DBG2(DBG_CFG, "unloaded module for %N", eap_type_names, entry->type);
dlclose(entry->handle);
free(entry);
}
@@ -100,27 +100,10 @@ void eap_method_unload()
void eap_method_load(char *directory)
{
struct dirent* entry;
- struct stat stb;
DIR* dir;
eap_method_unload();
modules = linked_list_create();
-
- if (stat(directory, &stb) == -1 || !(stb.st_mode & S_IFDIR))
- {
- DBG1(DBG_CFG, "error opening EAP modules directory %s", directory);
- return;
- }
- if (stb.st_uid != 0)
- {
- DBG1(DBG_CFG, "EAP modules directory %s not owned by root, skipped", directory);
- return;
- }
- if (stb.st_mode & S_IWOTH || stb.st_mode & S_IWGRP)
- {
- DBG1(DBG_CFG, "EAP modules directory %s writable by others, skipped", directory);
- return;
- }
dir = opendir(directory);
if (dir == NULL)
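Review bot: Removing the `stat()` checks means eap_method_load() now dlopen()s every `.so` found under `directory` without verifying that the directory, and each file, is owned by root and not writable by group or others; the two later hunks in this function drop the same per-file guards, and the remaining `.so` suffix test is no substitute, since dlopen() runs a library's constructors in the daemon's context. If the directory is considered trusted because it is an install-time path, that rationale should be stated above `dir = opendir(directory);`, e.g. `/* NOTE: no ownership/mode checks on the module directory; the install path is assumed root-owned and not writable by others */`; otherwise restoring the ownership and mode checks (using `continue` rather than the old `return` for a rejected file) is the safer choice. eap_method_load() continues outside this hunk.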
@@ -141,12 +124,6 @@ void eap_method_load(char *directory)
snprintf(file, sizeof(file), "%s/%s", directory, entry->d_name);
- if (stat(file, &stb) == -1 || !(stb.st_mode & S_IFREG))
- {
- DBG2(DBG_CFG, " skipping %s, doesn't look like a file",
- entry->d_name);
- continue;
- }
ending = entry->d_name + strlen(entry->d_name) - 3;
if (ending <= entry->d_name || !streq(ending, ".so"))
{
@@ -155,16 +132,6 @@ void eap_method_load(char *directory)
entry->d_name);
continue;
}
- if (stb.st_uid != 0)
- {
- DBG1(DBG_CFG, " skipping %s, file is not owned by root", entry->d_name);
- return;
- }
- if (stb.st_mode & S_IWOTH || stb.st_mode & S_IWGRP)
- {
- DBG1(DBG_CFG, " skipping %s, file is writeable by others", entry->d_name);
- continue;
- }
/* try to load the library */
module.handle = dlopen(file, RTLD_LAZY);
diff --git a/src/charon/sa/authenticators/eap/eap_sim.c b/src/charon/sa/authenticators/eap/eap_sim.c
index 3dc59fb6b..38d7f2534 100644
--- a/src/charon/sa/authenticators/eap/eap_sim.c
+++ b/src/charon/sa/authenticators/eap/eap_sim.c
@@ -398,6 +398,30 @@ static status_t process_start(private_eap_sim_t *this, eap_payload_t *in,
/* only include AT_IDENTITY if requested */
include_id = AT_IDENTITY;
break;
+ case AT_NOTIFICATION:
+ {
+ u_int16_t code = 0;
+ if (data.len == 2)
+ {
+ code = ntohs(*(u_int16_t*)data.ptr);
+ }
+ if (code <= 32767) /* no success bit */
+ {
+ DBG1(DBG_IKE, "received %N error %d",
+ sim_attribute_names, attribute, code);
+ *out = build_payload(this,
+ in->get_identifier(in), SIM_CLIENT_ERROR,
+ AT_CLIENT_ERROR_CODE, client_error_general,
+ AT_END);
+ return NEED_MORE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received %N code %d",
+ sim_attribute_names, attribute, code);
+ }
+ break;
+ }
default:
DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
sim_attribute_names, attribute);
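Review bot: The AT_NOTIFICATION case added here is repeated verbatim in process_challenge() and again in the new process_notification() later in this file; three copies of a 20-line block that parses the code, logs it and builds the client-error reply will drift apart on the next change. A static helper along the lines of `static status_t process_notification_attribute(private_eap_sim_t *this, eap_payload_t *in, eap_payload_t **out, sim_attribute_t attribute, chunk_t data)`, returning NEED_MORE when it has produced the error reply and another value when the caller may continue, would reduce each switch case to one call. The `code <= 32767` test also deserves a comment naming the bit it checks: `/* bit 15 (S) clear: failure notification */`. process_start() starts and ends outside this hunk.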
@@ -456,6 +480,30 @@ static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in,
memset(data.ptr, 0, data.len);
break;
}
+ case AT_NOTIFICATION:
+ {
+ u_int16_t code = 0;
+ if (data.len == 2)
+ {
+ code = ntohs(*(u_int16_t*)data.ptr);
+ }
+ if (code <= 32767) /* no success bit */
+ {
+ DBG1(DBG_IKE, "received %N error %d",
+ sim_attribute_names, attribute, code);
+ *out = build_payload(this,
+ in->get_identifier(in), SIM_CLIENT_ERROR,
+ AT_CLIENT_ERROR_CODE, client_error_general,
+ AT_END);
+ return NEED_MORE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received %N code %d",
+ sim_attribute_names, attribute, code);
+ }
+ break;
+ }
default:
DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
sim_attribute_names, attribute);
@@ -472,7 +520,7 @@ static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in,
*out = build_payload(this, identifier, SIM_CLIENT_ERROR,
AT_CLIENT_ERROR_CODE, client_error_insufficient,
AT_END);
- return FAILED;
+ return NEED_MORE;
}
if (mac.len != MAC_LEN)
{
@@ -557,6 +605,58 @@ static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in,
}
/**
+ * process an EAP-SIM/Request/Notification message
+ */
+static status_t process_notification(private_eap_sim_t *this, eap_payload_t *in,
+ eap_payload_t **out)
+{
+ chunk_t message, data;
+ sim_attribute_t attribute;
+
+ message = in->get_data(in);
+ read_header(&message);
+
+ while ((attribute = read_attribute(&message, &data)) != AT_END)
+ {
+ switch (attribute)
+ {
+ case AT_NOTIFICATION:
+ {
+ u_int16_t code = 0;
+ if (data.len == 2)
+ {
+ code = ntohs(*(u_int16_t*)data.ptr);
+ }
+ if (code <= 32767) /* no success bit */
+ {
+ DBG1(DBG_IKE, "received %N error %d",
+ sim_attribute_names, attribute, code);
+ *out = build_payload(this,
+ in->get_identifier(in), SIM_CLIENT_ERROR,
+ AT_CLIENT_ERROR_CODE, client_error_general,
+ AT_END);
+ return NEED_MORE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received %N code %d",
+ sim_attribute_names, attribute, code);
+ }
+ break;
+ }
+ default:
+ DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
+ sim_attribute_names, attribute);
+ break;
+ }
+ }
+ /* reply with empty notification */
+ *out = build_payload(this, in->get_identifier(in), SIM_NOTIFICATION, AT_END);
+ return NEED_MORE;
+}
+
+
+/**
* Implementation of eap_method_t.process for the peer
*/
static status_t process(private_eap_sim_t *this,
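Review bot: process_notification() neither checks for an AT_MAC on the incoming request nor adds one to the reply built with `build_payload(this, in->get_identifier(in), SIM_NOTIFICATION, AT_END)`. RFC 4186 ties this to the P bit (bit 14) of the notification code: when P is clear the notification arrives after the challenge and both request and response must carry AT_MAC, so as written the code cannot tell a genuine post-challenge notification from an unauthenticated one and always answers without integrity protection. Checking the P bit, requiring and verifying AT_MAC when it is clear, and adding AT_MAC to the response in that case (the MAC handling used by process_challenge() should be reusable) would close this; at minimum the `/* reply with empty notification */` comment should say that only phase-1 (P set) notifications are handled correctly. The tail of this hunk changes process(), which continues outside the hunk.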
@@ -574,6 +674,8 @@ static status_t process(private_eap_sim_t *this,
return process_start(this, in, out);
case SIM_CHALLENGE:
return process_challenge(this, in, out);
+ case SIM_NOTIFICATION:
+ return process_notification(this, in, out);
default:
DBG1(DBG_IKE, "unable to process EAP_SIM subtype %N",
sim_subtype_names, type);
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 6c8ca8d8f..6e2f73a43 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -25,7 +25,7 @@
#include "eap_authenticator.h"
#include <daemon.h>
-#include <config/policies/policy.h>
+#include <config/peer_cfg.h>
#include <sa/authenticators/eap/eap_method.h>
typedef struct private_eap_authenticator_t private_eap_authenticator_t;
@@ -61,21 +61,31 @@ struct private_eap_authenticator_t {
chunk_t msk;
};
+/**
+ * reuse shared key signature function from PSK authenticator
+ */
extern chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
- chunk_t secret, identification_t *id,
- prf_t *prf_skp, prf_t *prf);
-
+ chunk_t secret, identification_t *id,
+ chunk_t skp, prf_t *prf);
/**
* Implementation of authenticator_t.verify.
*/
static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
chunk_t my_nonce, auth_payload_t *auth_payload)
{
- chunk_t auth_data, recv_auth_data;
+ chunk_t auth_data, recv_auth_data, secret;
identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
- auth_data = build_shared_key_signature(ike_sa_init, my_nonce, this->msk,
- other_id, this->ike_sa->get_auth_verify(this->ike_sa),
+ if (this->msk.len)
+ { /* use MSK if EAP method established one... */
+ secret = this->msk;
+ }
+ else
+ { /* ... or use SKp if not */
+ secret = this->ike_sa->get_skp_verify(this->ike_sa);
+ }
+ auth_data = build_shared_key_signature(ike_sa_init, my_nonce, secret,
+ other_id, this->ike_sa->get_skp_verify(this->ike_sa),
this->ike_sa->get_prf(this->ike_sa));
recv_auth_data = auth_payload->get_data(auth_payload);
@@ -98,14 +108,22 @@ static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
chunk_t other_nonce, auth_payload_t **auth_payload)
{
- chunk_t auth_data;
+ chunk_t auth_data, secret;
identification_t *my_id = this->ike_sa->get_my_id(this->ike_sa);
DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
my_id, auth_method_names, AUTH_EAP);
-
- auth_data = build_shared_key_signature(ike_sa_init, other_nonce, this->msk,
- my_id, this->ike_sa->get_auth_build(this->ike_sa),
+
+ if (this->msk.len)
+ { /* use MSK if EAP method established one... */
+ secret = this->msk;
+ }
+ else
+ { /* ... or use SKp if not */
+ secret = this->ike_sa->get_skp_build(this->ike_sa);
+ }
+ auth_data = build_shared_key_signature(ike_sa_init, other_nonce, secret,
+ my_id, this->ike_sa->get_skp_build(this->ike_sa),
this->ike_sa->get_prf(this->ike_sa));
*auth_payload = auth_payload_create();
@@ -233,13 +251,14 @@ static status_t process_server(private_eap_authenticator_t *this,
DBG1(DBG_IKE, "EAP method %N succeded, MSK established",
eap_type_names, this->method->get_type(this->method));
this->msk = chunk_clone(this->msk);
- *out = eap_payload_create_code(EAP_SUCCESS);
- return SUCCESS;
}
- DBG1(DBG_IKE, "EAP method %N succeded, but no MSK established",
- eap_type_names, this->method->get_type(this->method));
- *out = eap_payload_create_code(EAP_FAILURE);
- return FAILED;
+ else
+ {
+ DBG1(DBG_IKE, "EAP method %N succeded, no MSK established",
+ eap_type_names, this->method->get_type(this->method));
+ }
+ *out = eap_payload_create_code(EAP_SUCCESS);
+ return SUCCESS;
case FAILED:
default:
DBG1(DBG_IKE, "EAP method %N failed for peer %D",
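Review bot: A successful EAP exchange that yields no MSK now produces EAP_SUCCESS and returns SUCCESS where it previously returned EAP_FAILURE/FAILED, so EAP methods that derive no key are now accepted on the server side, with AUTH then keyed from SK_p rather than from an EAP-bound secret. That is the behaviour RFC 4306 section 2.16 describes, but it drops the binding a key-generating method would provide, so the fallback deserves an explicit comment at the `else` branch, e.g. `/* no MSK: AUTH will be keyed from SK_p only (RFC 4306 2.16) */`, and the DBG1 line is the only place an operator can see that the weaker binding was used. The client-side process hunk below (the `return SUCCESS;` in the EAP_SUCCESS case) makes the same change without any log line; a matching DBG1 there would keep both sides observable. The retained log text still reads "succeded"; since the string is being edited anyway, "succeeded" would be the moment to correct it. process_server starts and ends outside this hunk.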
@@ -290,11 +309,8 @@ static status_t process(private_eap_authenticator_t *this, eap_payload_t *in,
if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
{
this->msk = chunk_clone(this->msk);
- return SUCCESS;
}
- DBG1(DBG_IKE, "EAP method %N has no MSK established",
- eap_type_names, this->method->get_type(this->method));
- return FAILED;
+ return SUCCESS;
}
case EAP_FAILURE:
default:
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c
index 43aec0971..37465d029 100644
--- a/src/charon/sa/authenticators/psk_authenticator.c
+++ b/src/charon/sa/authenticators/psk_authenticator.c
@@ -25,7 +25,6 @@
#include "psk_authenticator.h"
-#include <config/policies/policy.h>
#include <daemon.h>
/**
@@ -78,11 +77,12 @@ chunk_t build_tbs_octets(chunk_t ike_sa_init, chunk_t nonce,
*/
chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
chunk_t secret, identification_t *id,
- prf_t *prf_skp, prf_t *prf)
+ chunk_t skp, prf_t *prf)
{
chunk_t key_pad, key, auth_data, octets;
- octets = build_tbs_octets(ike_sa_init, nonce, id, prf_skp);
+ prf->set_key(prf, skp);
+ octets = build_tbs_octets(ike_sa_init, nonce, id, prf);
/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
key_pad.ptr = IKEV2_KEY_PAD;
key_pad.len = IKEV2_KEY_PAD_LENGTH;
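Review bot: build_shared_key_signature now calls `prf->set_key(prf, skp)` on the PRF the caller passes in, and every visible caller passes the IKE_SA's own PRF from get_prf, so the function re-keys shared IKE_SA state and leaves it keyed with whatever it used last. That contract belongs in the function's header comment, which starts above this hunk; a line such as `@param prf IKE_SA PRF, re-keyed with skp and then with the key-pad key; it is left in that state` would warn callers that rely on the PRF holding a particular key. The rsa_authenticator verify and build hunks re-key get_prf() the same way before build_tbs_octets, so the same note applies there.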
@@ -122,7 +122,7 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
}
auth_data = build_shared_key_signature(ike_sa_init, my_nonce, shared_key,
- other_id, this->ike_sa->get_auth_verify(this->ike_sa),
+ other_id, this->ike_sa->get_skp_verify(this->ike_sa),
this->ike_sa->get_prf(this->ike_sa));
chunk_free(&shared_key);
@@ -165,7 +165,7 @@ static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init,
}
auth_data = build_shared_key_signature(ike_sa_init, other_nonce, shared_key,
- my_id, this->ike_sa->get_auth_build(this->ike_sa),
+ my_id, this->ike_sa->get_skp_build(this->ike_sa),
this->ike_sa->get_prf(this->ike_sa));
DBG2(DBG_IKE, "successfully created shared key MAC");
chunk_free(&shared_key);
diff --git a/src/charon/sa/authenticators/rsa_authenticator.c b/src/charon/sa/authenticators/rsa_authenticator.c
index dfa01e332..e5c5cd60e 100644
--- a/src/charon/sa/authenticators/rsa_authenticator.c
+++ b/src/charon/sa/authenticators/rsa_authenticator.c
@@ -25,7 +25,6 @@
#include "rsa_authenticator.h"
-#include <config/policies/policy.h>
#include <daemon.h>
@@ -61,8 +60,9 @@ static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
{
status_t status;
chunk_t auth_data, octets;
- rsa_public_key_t *public_key;
identification_t *other_id;
+ ca_info_t *issuer;
+ prf_t *prf;
other_id = this->ike_sa->get_other_id(this->ike_sa);
@@ -71,27 +71,20 @@ static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
return INVALID_ARG;
}
auth_data = auth_payload->get_data(auth_payload);
- public_key = charon->credentials->get_trusted_public_key(charon->credentials,
- other_id);
- if (public_key == NULL)
- {
- DBG1(DBG_IKE, "no RSA public key found for '%D'", other_id);
- return NOT_FOUND;
- }
- octets = build_tbs_octets(ike_sa_init, my_nonce, other_id,
- this->ike_sa->get_auth_verify(this->ike_sa));
- status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
+ prf = this->ike_sa->get_prf(this->ike_sa);
+ prf->set_key(prf, this->ike_sa->get_skp_verify(this->ike_sa));
+ octets = build_tbs_octets(ike_sa_init, my_nonce, other_id, prf);
+ status = charon->credentials->verify_signature(charon->credentials,
+ octets, auth_data, other_id, &issuer);
chunk_free(&octets);
- if (status != SUCCESS)
+ if (status == SUCCESS)
{
- DBG1(DBG_IKE, "RSA signature verification failed");
- return status;
+ this->ike_sa->set_other_ca(this->ike_sa, issuer);
+ DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+ other_id, auth_method_names, AUTH_RSA);
}
-
- DBG1(DBG_IKE, "authentication of '%D' with %N successful",
- other_id, auth_method_names, AUTH_RSA);
- return SUCCESS;
+ return status;
}
/**
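Review bot: The failure path of verify no longer logs anything: the old `DBG1(DBG_IKE, "RSA signature verification failed")` went away with the `status != SUCCESS` branch, and the new code just returns whatever verify_signature returned, so a failed peer authentication at this layer is only visible if verify_signature logs it itself, which this hunk cannot show. Keeping a line on the failure side, `else { DBG1(DBG_IKE, "RSA signature verification failed for '%D'", other_id); }`, preserves the audit trail the previous code had. `issuer` is declared without an initialiser in the preceding declarations hunk and is read only when status == SUCCESS, which is fine as long as verify_signature always sets it on success; `ca_info_t *issuer = NULL;` would make set_other_ca's input well-defined regardless. verify's body starts outside this hunk.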
@@ -107,6 +100,7 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
rsa_public_key_t *my_pubkey;
rsa_private_key_t *my_key;
identification_t *my_id;
+ prf_t *prf;
my_id = this->ike_sa->get_my_id(this->ike_sa);
DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
@@ -131,8 +125,9 @@ static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
}
DBG2(DBG_IKE, "matching RSA private key found");
- octets = build_tbs_octets(ike_sa_init, other_nonce, my_id,
- this->ike_sa->get_auth_build(this->ike_sa));
+ prf = this->ike_sa->get_prf(this->ike_sa);
+ prf->set_key(prf, this->ike_sa->get_skp_build(this->ike_sa));
+ octets = build_tbs_octets(ike_sa_init, other_nonce, my_id, prf);
status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1, octets, &auth_data);
chunk_free(&octets);
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 19131389d..1e7b6cb2c 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -27,7 +27,6 @@
#include <stdio.h>
#include <string.h>
-#include <printf.h>
#include <daemon.h>
@@ -154,9 +153,9 @@ struct private_child_sa_t {
host_t *virtual_ip;
/**
- * policy used to create this child
+ * config used to create this child
*/
- policy_t *policy;
+ child_cfg_t *config;
};
/**
@@ -164,7 +163,7 @@ struct private_child_sa_t {
*/
static char *get_name(private_child_sa_t *this)
{
- return this->policy->get_name(this->policy);;
+ return this->config->get_name(this->config);
}
/**
@@ -204,11 +203,57 @@ static child_sa_state_t get_state(private_child_sa_t *this)
}
/**
- * Implements child_sa_t.get_policy
+ * Implements child_sa_t.get_config
*/
-static policy_t* get_policy(private_child_sa_t *this)
+static child_cfg_t* get_config(private_child_sa_t *this)
{
- return this->policy;
+ return this->config;
+}
+
+/**
+ * Implementation of child_sa_t.get_stats.
+ */
+static void get_stats(private_child_sa_t *this, mode_t *mode,
+ encryption_algorithm_t *encr_algo, size_t *encr_len,
+ integrity_algorithm_t *int_algo, size_t *int_len,
+ u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
+ u_int32_t *use_fwd)
+{
+ sa_policy_t *policy;
+ iterator_t *iterator;
+ u_int32_t in = 0, out = 0, fwd = 0, time;
+
+ iterator = this->policies->create_iterator(this->policies, TRUE);
+ while (iterator->iterate(iterator, (void**)&policy))
+ {
+
+ if (charon->kernel_interface->query_policy(charon->kernel_interface,
+ policy->other_ts, policy->my_ts, POLICY_IN, &time) == SUCCESS)
+ {
+ in = max(in, time);
+ }
+ if (charon->kernel_interface->query_policy(charon->kernel_interface,
+ policy->my_ts, policy->other_ts, POLICY_OUT, &time) == SUCCESS)
+ {
+ out = max(out, time);
+ }
+ if (charon->kernel_interface->query_policy(charon->kernel_interface,
+ policy->other_ts, policy->my_ts, POLICY_FWD, &time) == SUCCESS)
+ {
+ fwd = max(fwd, time);
+ }
+ }
+ iterator->destroy(iterator);
+
+ *mode = this->mode;
+ *encr_algo = this->encryption.algorithm;
+ *encr_len = this->encryption.key_size;
+ *int_algo = this->integrity.algorithm;
+ *int_len = this->integrity.key_size;
+ *rekey = this->rekey_time;
+ *use_in = in;
+ *use_out = out;
+ *use_fwd = fwd;
}
/**
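Review bot: get_stats declares a local `u_int32_t ... time` that shadows the `time()` function this file calls elsewhere (install sets `this->install_time = time(NULL)`), which compiles but makes the loop body easy to misread; renaming it to `use`, the name the removed print handler used for the same value, avoids that. All nine output pointers are dereferenced unconditionally, whereas the new ike_sa_t get_stats in ike_sa.c guards with `if (next_rekeying)`; either add the same guards here or state in the child_sa.h doc block that every pointer must be non-NULL. In that doc block, `@param mode mode this IKE_SA uses` describes a CHILD_SA property and should read `mode this CHILD_SA uses`, and the header names the second parameter `encr` while the implementation calls it `encr_algo`.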
@@ -220,7 +265,7 @@ static void updown(private_child_sa_t *this, bool up)
iterator_t *iterator;
char *script;
- script = this->policy->get_updown(this->policy);
+ script = this->config->get_updown(this->config);
if (script == NULL)
{
@@ -300,7 +345,7 @@ static void updown(private_child_sa_t *this, bool up)
policy->my_ts->is_host(policy->my_ts,
this->me.addr) ? "-host" : "-client",
this->me.addr->get_family(this->me.addr) == AF_INET ? "" : "-ipv6",
- this->policy->get_name(this->policy),
+ this->config->get_name(this->config),
ifname ? ifname : "(unknown)",
this->reqid,
this->me.addr,
@@ -316,7 +361,7 @@ static void updown(private_child_sa_t *this, bool up)
policy->other_ts->get_from_port(policy->other_ts),
policy->other_ts->get_protocol(policy->other_ts),
virtual_ip,
- this->policy->get_hostaccess(this->policy) ?
+ this->config->get_hostaccess(this->config) ?
"PLUTO_HOST_ACCESS='1' " : "",
script);
free(ifname);
@@ -528,8 +573,8 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal,
natt = NULL;
}
- soft = this->policy->get_soft_lifetime(this->policy);
- hard = this->policy->get_hard_lifetime(this->policy);
+ soft = this->config->get_lifetime(this->config, TRUE);
+ hard = this->config->get_lifetime(this->config, FALSE);
/* send SA down to the kernel */
DBG2(DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
@@ -542,7 +587,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal,
this->encryption = *enc_algo;
this->integrity = *int_algo;
this->install_time = time(NULL);
- this->rekey_time = soft;
+ this->rekey_time = this->install_time + soft;
return status;
}
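Review bot: `this->rekey_time = this->install_time + soft;` turns a soft lifetime of 0 into a rekey time equal to install_time, so the "rekeying disabled" state that the removed print handler recognised as `rekey_time == 0` can no longer be told apart from a scheduled rekeying by get_stats or any other reader of the field. If a zero soft lifetime still means "do not rekey", keep that encoding: `this->rekey_time = soft ? this->install_time + soft : 0;`, and say so in the field's comment. install's body starts outside this hunk.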
@@ -628,7 +673,7 @@ static status_t add_policies(private_child_sa_t *this,
if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts))
{
DBG2(DBG_CHD,
- "CHILD_SA policy uses two different IP families, ignored");
+ "CHILD_SA policy uses two different IP families - ignored");
continue;
}
@@ -637,7 +682,7 @@ static status_t add_policies(private_child_sa_t *this,
my_ts->get_protocol(my_ts) && other_ts->get_protocol(other_ts))
{
DBG2(DBG_CHD,
- "CHILD_SA policy uses two different protocols, ignored");
+ "CHILD_SA policy uses two different protocols - ignored");
continue;
}
@@ -665,10 +710,10 @@ static status_t add_policies(private_child_sa_t *this,
policy = malloc_thing(sa_policy_t);
policy->my_ts = my_ts->clone(my_ts);
policy->other_ts = other_ts->clone(other_ts);
- this->policies->insert_last(this->policies, (void*)policy);
+ this->policies->insert_last(this->policies, policy);
/* add to separate list to query them via get_*_traffic_selectors() */
- this->my_ts->insert_last(this->my_ts, (void*)policy->my_ts);
- this->other_ts->insert_last(this->other_ts, (void*)policy->other_ts);
+ this->my_ts->insert_last(this->my_ts, policy->my_ts);
+ this->other_ts->insert_last(this->other_ts, policy->other_ts);
}
}
my_iter->destroy(my_iter);
@@ -685,18 +730,14 @@ static status_t add_policies(private_child_sa_t *this,
}
/**
- * Implementation of child_sa_t.get_my_traffic_selectors.
+ * Implementation of child_sa_t.get_traffic_selectors.
*/
-static linked_list_t *get_my_traffic_selectors(private_child_sa_t *this)
-{
- return this->my_ts;
-}
-
-/**
- * Implementation of child_sa_t.get_my_traffic_selectors.
- */
-static linked_list_t *get_other_traffic_selectors(private_child_sa_t *this)
+static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local)
{
+ if (local)
+ {
+ return this->my_ts;
+ }
return this->other_ts;
}
@@ -741,126 +782,6 @@ static status_t get_use_time(private_child_sa_t *this, bool inbound, time_t *use
}
/**
- * output handler in printf()
- */
-static int print(FILE *stream, const struct printf_info *info,
- const void *const *args)
-{
- private_child_sa_t *this = *((private_child_sa_t**)(args[0]));
- iterator_t *iterator;
- sa_policy_t *policy;
- u_int32_t now, rekeying;
- u_int32_t use, use_in, use_fwd;
- status_t status;
- size_t written = 0;
-
- if (this == NULL)
- {
- return fprintf(stream, "(null)");
- }
-
- now = time(NULL);
-
- written += fprintf(stream, "%12s{%d}: %N, %N",
- this->policy->get_name(this->policy), this->reqid,
- child_sa_state_names, this->state,
- mode_names, this->mode);
-
- if (this->state == CHILD_INSTALLED)
- {
- written += fprintf(stream, ", %N SPIs: 0x%0x_i 0x%0x_o",
- protocol_id_names, this->protocol,
- htonl(this->me.spi), htonl(this->other.spi));
-
- if (info->alt)
- {
- written += fprintf(stream, "\n%12s{%d}: ",
- this->policy->get_name(this->policy),
- this->reqid);
-
- if (this->protocol == PROTO_ESP)
- {
- written += fprintf(stream, "%N", encryption_algorithm_names,
- this->encryption.algorithm);
-
- if (this->encryption.key_size)
- {
- written += fprintf(stream, "-%d", this->encryption.key_size);
- }
- written += fprintf(stream, "/");
- }
-
- written += fprintf(stream, "%N", integrity_algorithm_names,
- this->integrity.algorithm);
- if (this->integrity.key_size)
- {
- written += fprintf(stream, "-%d", this->integrity.key_size);
- }
- written += fprintf(stream, ", rekeying ");
-
- /* calculate rekey times */
- if (this->rekey_time)
- {
- rekeying = this->install_time + this->rekey_time - now;
- written += fprintf(stream, "in %ds", rekeying);
- }
- else
- {
- written += fprintf(stream, "disabled");
- }
- }
- }
- iterator = this->policies->create_iterator(this->policies, TRUE);
- while (iterator->iterate(iterator, (void**)&policy))
- {
- written += fprintf(stream, "\n%12s{%d}: %R===%R, last use: ",
- this->policy->get_name(this->policy), this->reqid,
- policy->my_ts, policy->other_ts);
-
- /* query time of last policy use */
-
- /* inbound: POLICY_IN or POLICY_FWD */
- status = charon->kernel_interface->query_policy(charon->kernel_interface,
- policy->other_ts, policy->my_ts, POLICY_IN, &use_in);
- use_in = (status == SUCCESS)? use_in : 0;
- status = charon->kernel_interface->query_policy(charon->kernel_interface,
- policy->other_ts, policy->my_ts, POLICY_FWD, &use_fwd);
- use_fwd = (status == SUCCESS)? use_fwd : 0;
- use = max(use_in, use_fwd);
- if (use)
- {
- written += fprintf(stream, "%ds_i ", now - use);
- }
- else
- {
- written += fprintf(stream, "no_i ");
- }
-
- /* outbound: POLICY_OUT */
- status = charon->kernel_interface->query_policy(charon->kernel_interface,
- policy->my_ts, policy->other_ts, POLICY_OUT, &use);
- if (status == SUCCESS && use)
- {
- written += fprintf(stream, "%ds_o ", now - use);
- }
- else
- {
- written += fprintf(stream, "no_o ");
- }
- }
- iterator->destroy(iterator);
- return written;
-}
-
-/**
- * register printf() handlers
- */
-static void __attribute__ ((constructor))print_register()
-{
- register_printf_function(PRINTF_CHILD_SA, print, arginfo_ptr);
-}
-
-/**
* Update the host adress/port of a SA
*/
static status_t update_sa_hosts(private_child_sa_t *this, host_t *new_me, host_t *new_other,
@@ -1066,7 +987,7 @@ static void destroy(private_child_sa_t *this)
this->other.addr->destroy(this->other.addr);
this->me.id->destroy(this->me.id);
this->other.id->destroy(this->other.id);
- this->policy->destroy(this->policy);
+ this->config->destroy(this->config);
DESTROY_IF(this->virtual_ip);
free(this);
}
@@ -1076,7 +997,7 @@ static void destroy(private_child_sa_t *this)
*/
child_sa_t * child_sa_create(host_t *me, host_t* other,
identification_t *my_id, identification_t *other_id,
- policy_t *policy, u_int32_t rekey, bool use_natt)
+ child_cfg_t *config, u_int32_t rekey, bool use_natt)
{
static u_int32_t reqid = 0;
private_child_sa_t *this = malloc_thing(private_child_sa_t);
@@ -1086,17 +1007,17 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid;
this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
+ this->public.get_stats = (void(*)(child_sa_t*, mode_t*,encryption_algorithm_t*,size_t*,integrity_algorithm_t*,size_t*,u_int32_t*,u_int32_t*,u_int32_t*,u_int32_t*))get_stats;
this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
this->public.add = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))add;
this->public.update = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))update;
this->public.update_hosts = (status_t (*)(child_sa_t*,host_t*,host_t*,host_diff_t,host_diff_t))update_hosts;
this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,mode_t))add_policies;
- this->public.get_my_traffic_selectors = (linked_list_t*(*)(child_sa_t*))get_my_traffic_selectors;
- this->public.get_other_traffic_selectors = (linked_list_t*(*)(child_sa_t*))get_other_traffic_selectors;
+ this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
- this->public.get_policy = (policy_t*(*)(child_sa_t*))get_policy;
+ this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
this->public.set_virtual_ip = (void(*)(child_sa_t*,host_t*))set_virtual_ip;
this->public.destroy = (void(*)(child_sa_t*))destroy;
@@ -1123,8 +1044,8 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
this->protocol = PROTO_NONE;
this->mode = MODE_TUNNEL;
this->virtual_ip = NULL;
- this->policy = policy;
- policy->get_ref(policy);
+ this->config = config;
+ config->get_ref(config);
return &this->public;
}
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index 216e56659..cf5f3e7d7 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -32,7 +32,7 @@ typedef struct child_sa_t child_sa_t;
#include <crypto/prf_plus.h>
#include <encoding/payloads/proposal_substructure.h>
#include <config/proposal.h>
-#include <config/policies/policy.h>
+#include <config/child_cfg.h>
/**
* Where we should start with reqid enumeration
@@ -101,7 +101,7 @@ extern enum_name_t *child_sa_state_names;
struct child_sa_t {
/**
- * @brief Get the name of the policy this CHILD_SA uses.
+ * @brief Get the name of the config this CHILD_SA uses.
*
* @param this calling object
* @return name
@@ -141,6 +141,25 @@ struct child_sa_t {
protocol_id_t (*get_protocol) (child_sa_t *this);
/**
+ * @brief Get info and statistics about this CHILD_SA.
+ *
+ * @param mode mode this IKE_SA uses
+ * @param encr_algo encryption algorithm used by this CHILD_SA.
+ * @param encr_len key length of the algorithm, if any
+ * @param int_algo integrity algorithm used by this CHILD_SA
+ * @param int_len key length of the algorithm, if any
+ * @param rekey time when rekeying is scheduled
+ * @param use_in time when last traffic was seen coming in
+ * @param use_out time when last traffic was seen going out
+ * @param use_fwd time when last traffic was getting forwarded
+ */
+ void (*get_stats)(child_sa_t *this, mode_t *mode,
+ encryption_algorithm_t *encr, size_t *encr_len,
+ integrity_algorithm_t *int_algo, size_t *int_len,
+ u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
+ u_int32_t *use_fwd);
+
+ /**
* @brief Allocate SPIs for given proposals.
*
* Since the kernel manages SPIs for us, we need
@@ -214,17 +233,10 @@ struct child_sa_t {
* @brief Get the traffic selectors of added policies of local host.
*
* @param this calling object
+ * @param local TRUE for own traffic selectors, FALSE for remote
* @return list of traffic selectors
*/
- linked_list_t* (*get_my_traffic_selectors) (child_sa_t *this);
-
- /**
- * @brief Get the traffic selectors of added policies of remote host.
- *
- * @param this calling object
- * @return list of traffic selectors
- */
- linked_list_t* (*get_other_traffic_selectors) (child_sa_t *this);
+ linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
/**
* @brief Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
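Review bot: The @brief above the merged accessor still says `of local host` although the function now returns the remote selectors when `local` is FALSE, so the retained first line of the comment contradicts the new @param. Change it to `* @brief Get the traffic selectors of added policies of the local or remote host.`.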
@@ -251,12 +263,12 @@ struct child_sa_t {
void (*set_state) (child_sa_t *this, child_sa_state_t state);
/**
- * @brief Get the policy used to set up this child sa.
+ * @brief Get the config used to set up this child sa.
*
* @param this calling object
- * @return policy
+ * @return child_cfg
*/
- policy_t* (*get_policy) (child_sa_t *this);
+ child_cfg_t* (*get_config) (child_sa_t *this);
/**
* @brief Set the virtual IP used received from IRAS.
@@ -284,7 +296,7 @@ struct child_sa_t {
* @param other remote address
* @param my_id id of own peer
* @param other_id id of remote peer
- * @param policy policy this CHILD_SA instantiates
+ * @param config config to use for this CHILD_SA
* @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
* @param use_natt TRUE if NAT traversal is used
* @return child_sa_t object
@@ -293,6 +305,6 @@ struct child_sa_t {
*/
child_sa_t * child_sa_create(host_t *me, host_t *other,
identification_t *my_id, identification_t* other_id,
- policy_t *policy, u_int32_t reqid, bool use_natt);
+ child_cfg_t *config, u_int32_t reqid, bool use_natt);
#endif /*CHILD_SA_H_*/
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 68aba3064..8b4b53e10 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -26,6 +26,7 @@
#include <string.h>
#include <printf.h>
#include <sys/stat.h>
+#include <errno.h>
#include "ike_sa.h"
@@ -56,13 +57,11 @@
#include <sa/tasks/child_create.h>
#include <sa/tasks/child_delete.h>
#include <sa/tasks/child_rekey.h>
-#include <queues/jobs/retransmit_job.h>
-#include <queues/jobs/delete_ike_sa_job.h>
-#include <queues/jobs/send_dpd_job.h>
-#include <queues/jobs/send_keepalive_job.h>
-#include <queues/jobs/rekey_ike_sa_job.h>
-#include <queues/jobs/route_job.h>
-#include <queues/jobs/initiate_job.h>
+#include <processing/jobs/retransmit_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/send_dpd_job.h>
+#include <processing/jobs/send_keepalive_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
#ifndef RESOLV_CONF
@@ -105,14 +104,14 @@ struct private_ike_sa_t {
ike_sa_state_t state;
/**
- * connection used to establish this IKE_SA.
+ * IKE configuration used to set up this IKE_SA
*/
- connection_t *connection;
+ ike_cfg_t *ike_cfg;
/**
* Peer and authentication information to establish IKE_SA.
*/
- policy_t *policy;
+ peer_cfg_t *peer_cfg;
/**
* Juggles tasks to process messages
@@ -140,6 +139,11 @@ struct private_ike_sa_t {
identification_t *other_id;
/**
+ * CA that issued the certificate of other
+ */
+ ca_info_t *other_ca;
+
+ /**
* Linked List containing the child sa's of the current IKE_SA.
*/
linked_list_t *child_sas;
@@ -175,14 +179,14 @@ struct private_ike_sa_t {
prf_t *child_prf;
/**
- * PRF to build outging authentication data
+ * Key to build outging authentication data (SKp)
*/
- prf_t *auth_build;
+ chunk_t skp_build;
/**
- * PRF to verify incoming authentication data
+ * Key to verify incoming authentication data (SKp)
*/
- prf_t *auth_verify;
+ chunk_t skp_verify;
/**
* NAT status of local host.
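Review bot: skp_build and skp_verify are now raw key chunks held in the IKE_SA instead of keyed PRF objects, so clearing them becomes the IKE_SA's responsibility: wherever they are freed (destroy and any rekey or reset path, none of which is in this hunk) the buffer should be overwritten before release, and the code that assigns them should release any previous value rather than overwrite the pointer. This is worth stating in the two field comments, e.g. `* Key to build outgoing authentication data (SKp); owned and cleared by this IKE_SA`, which also fixes the "outging" typo carried over from the old text.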
@@ -273,79 +277,126 @@ static u_int32_t get_unique_id(private_ike_sa_t *this)
*/
static char *get_name(private_ike_sa_t *this)
{
- if (this->connection)
+ if (this->peer_cfg)
{
- return this->connection->get_name(this->connection);
+ return this->peer_cfg->get_name(this->peer_cfg);
}
return "(unnamed)";
}
+
/**
- * Implementation of ike_sa_t.get_connection
+ * Implementation of ike_sa_t.get_stats.
*/
-static connection_t* get_connection(private_ike_sa_t *this)
+static void get_stats(private_ike_sa_t *this, u_int32_t *next_rekeying)
{
- return this->connection;
+ if (next_rekeying)
+ {
+ *next_rekeying = this->time.rekey;
+ }
}
/**
- * Implementation of ike_sa_t.set_connection
+ * Implementation of ike_sa_t.get_my_host.
*/
-static void set_connection(private_ike_sa_t *this, connection_t *connection)
+static host_t *get_my_host(private_ike_sa_t *this)
{
- this->connection = connection;
- connection->get_ref(connection);
+ return this->my_host;
}
/**
- * Implementation of ike_sa_t.get_policy
+ * Implementation of ike_sa_t.set_my_host.
*/
-static policy_t *get_policy(private_ike_sa_t *this)
+static void set_my_host(private_ike_sa_t *this, host_t *me)
{
- return this->policy;
+ DESTROY_IF(this->my_host);
+ this->my_host = me;
}
/**
- * Implementation of ike_sa_t.set_policy
+ * Implementation of ike_sa_t.get_other_host.
*/
-static void set_policy(private_ike_sa_t *this, policy_t *policy)
+static host_t *get_other_host(private_ike_sa_t *this)
{
- policy->get_ref(policy);
- this->policy = policy;
+ return this->other_host;
}
/**
- * Implementation of ike_sa_t.get_my_host.
+ * Implementation of ike_sa_t.set_other_host.
*/
-static host_t *get_my_host(private_ike_sa_t *this)
+static void set_other_host(private_ike_sa_t *this, host_t *other)
{
- return this->my_host;
+ DESTROY_IF(this->other_host);
+ this->other_host = other;
}
/**
- * Implementation of ike_sa_t.set_my_host.
+ * Implementation of ike_sa_t.get_peer_cfg
*/
-static void set_my_host(private_ike_sa_t *this, host_t *me)
+static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
{
- DESTROY_IF(this->my_host);
- this->my_host = me;
+ return this->peer_cfg;
}
/**
- * Implementation of ike_sa_t.get_other_host.
+ * Implementation of ike_sa_t.set_peer_cfg
*/
-static host_t *get_other_host(private_ike_sa_t *this)
+static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
{
- return this->other_host;
+ peer_cfg->get_ref(peer_cfg);
+ this->peer_cfg = peer_cfg;
+
+ if (this->ike_cfg == NULL)
+ {
+ this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
+ this->ike_cfg->get_ref(this->ike_cfg);
+ }
+
+ /* apply values, so we are ready to initate/acquire */
+ if (this->my_host->is_anyaddr(this->my_host))
+ {
+ host_t *me = this->ike_cfg->get_my_host(this->ike_cfg);
+
+ set_my_host(this, me->clone(me));
+ }
+ if (this->other_host->is_anyaddr(this->other_host))
+ {
+ host_t *other = this->ike_cfg->get_other_host(this->ike_cfg);
+
+ set_other_host(this, other->clone(other));
+ }
+ /* apply IDs if they are not already set */
+ if (this->my_id->contains_wildcards(this->my_id))
+ {
+ identification_t *my_id = this->peer_cfg->get_my_id(this->peer_cfg);
+
+ DESTROY_IF(this->my_id);
+ this->my_id = my_id->clone(my_id);
+ }
+ if (this->other_id->contains_wildcards(this->other_id))
+ {
+ identification_t *other_id = this->peer_cfg->get_other_id(this->peer_cfg);
+
+ DESTROY_IF(this->other_id);
+ this->other_id = other_id->clone(other_id);
+ }
}
/**
- * Implementation of ike_sa_t.set_other_host.
+ * Implementation of ike_sa_t.get_ike_cfg
*/
-static void set_other_host(private_ike_sa_t *this, host_t *other)
+static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
{
- DESTROY_IF(this->other_host);
- this->other_host = other;
+ return this->ike_cfg;
+}
+
+/**
+ * Implementation of ike_sa_t.set_ike_cfg
+ */
+static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
+{
+ ike_cfg->get_ref(ike_cfg);
+ this->ike_cfg = ike_cfg;
}
/**
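Review bot: set_ike_cfg and set_peer_cfg take a reference on the new object and overwrite the stored pointer without releasing the old one, so a second call on the same IKE_SA leaks the previous ike_cfg or peer_cfg reference; process_message assigns this->ike_cfg itself in a later hunk, so a subsequent set_ike_cfg on such an SA is the obvious way to hit this. `ike_cfg->get_ref(ike_cfg); DESTROY_IF(this->ike_cfg); this->ike_cfg = ike_cfg;` handles both replacement and self-assignment, and the same shape fits set_peer_cfg. In set_peer_cfg the ID handling is inconsistent about NULL: `this->my_id->contains_wildcards(this->my_id)` dereferences the ID unconditionally, yet the replacement two lines later uses DESTROY_IF as if it could be NULL; pick one invariant and make both lines follow it. get_stats only fills next_rekeying when the pointer is non-NULL, while the new child_sa_t get_stats in child_sa.c dereferences all its outputs; documenting which convention holds would help callers.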
@@ -356,7 +407,7 @@ static status_t send_dpd(private_ike_sa_t *this)
send_dpd_job_t *job;
time_t diff, delay;
- delay = this->connection->get_dpd_delay(this->connection);
+ delay = this->peer_cfg->get_dpd_delay(this->peer_cfg);
if (delay == 0)
{
@@ -402,15 +453,14 @@ static status_t send_dpd(private_ike_sa_t *this)
static void send_keepalive(private_ike_sa_t *this)
{
send_keepalive_job_t *job;
- time_t last_out, now, diff, interval;
+ time_t last_out, now, diff;
last_out = get_use_time(this, FALSE);
now = time(NULL);
diff = now - last_out;
- interval = charon->configuration->get_keepalive_interval(charon->configuration);
- if (diff >= interval)
+ if (diff >= KEEPALIVE_INTERVAL)
{
packet_t *packet;
chunk_t data;
@@ -428,7 +478,7 @@ static void send_keepalive(private_ike_sa_t *this)
}
job = send_keepalive_job_create(this->ike_sa_id);
charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
- (interval - diff) * 1000);
+ (KEEPALIVE_INTERVAL - diff) * 1000);
}
/**
@@ -464,9 +514,9 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
send_dpd(this);
/* schedule rekeying/reauthentication */
- soft = this->connection->get_soft_lifetime(this->connection);
- hard = this->connection->get_hard_lifetime(this->connection);
- reauth = this->connection->get_reauth(this->connection);
+ soft = this->peer_cfg->get_lifetime(this->peer_cfg, TRUE);
+ hard = this->peer_cfg->get_lifetime(this->peer_cfg, FALSE);
+ reauth = this->peer_cfg->use_reauth(this->peer_cfg);
DBG1(DBG_IKE, "scheduling %s in %ds, maximum lifetime %ds",
reauth ? "reauthentication": "rekeying", soft, hard);
@@ -492,9 +542,8 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
{
/* delete may fail if a packet gets lost, so set a timeout */
job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
- charon->event_queue->add_relative(charon->event_queue, job,
- charon->configuration->get_half_open_ike_sa_timeout(
- charon->configuration));
+ charon->event_queue->add_relative(charon->event_queue, job,
+ HALF_OPEN_IKE_SA_TIMEOUT);
break;
}
default:
@@ -521,7 +570,7 @@ static void reset(private_ike_sa_t *this)
}
/**
- * Update connection host, as addresses may change (NAT)
+ * Update hosts, as addresses may change (NAT)
*/
static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
{
@@ -696,16 +745,16 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
me = message->get_destination(message);
other = message->get_source(message);
- /* if this IKE_SA is virgin, we check for a connection */
- if (this->connection == NULL)
+ /* if this IKE_SA is virgin, we check for a config */
+ if (this->ike_cfg == NULL)
{
job_t *job;
- this->connection = charon->connections->get_connection_by_hosts(
- charon->connections, me, other);
- if (this->connection == NULL)
+ this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
+ me, other);
+ if (this->ike_cfg == NULL)
{
- /* no connection found for these hosts, destroy */
- DBG1(DBG_IKE, "no connection found for %H...%H, sending %N",
+ /* no config found for these hosts, destroy */
+ DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
return DESTROY_ME;
@@ -713,11 +762,10 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
/* add a timeout if peer does not establish it completely */
job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
charon->event_queue->add_relative(charon->event_queue, job,
- charon->configuration->get_half_open_ike_sa_timeout(
- charon->configuration));
+ HALF_OPEN_IKE_SA_TIMEOUT);
}
-
- /* check if message is trustworthy, and update connection information */
+
+ /* check if message is trustworthy, and update host information */
if (this->state == IKE_CREATED ||
message->get_exchange_type(message) != IKE_SA_INIT)
{
@@ -729,46 +777,14 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
}
/**
- * apply the connection/policy information to this IKE_SA
- */
-static void apply_config(private_ike_sa_t *this,
- connection_t *connection, policy_t *policy)
-{
- host_t *me, *other;
- identification_t *my_id, *other_id;
-
- if (this->connection == NULL && this->policy == NULL)
- {
- this->connection = connection;
- connection->get_ref(connection);
- this->policy = policy;
- policy->get_ref(policy);
-
- me = connection->get_my_host(connection);
- other = connection->get_other_host(connection);
- my_id = policy->get_my_id(policy);
- other_id = policy->get_other_id(policy);
- set_my_host(this, me->clone(me));
- set_other_host(this, other->clone(other));
- DESTROY_IF(this->my_id);
- DESTROY_IF(this->other_id);
- this->my_id = my_id->clone(my_id);
- this->other_id = other_id->clone(other_id);
- }
-}
-
-/**
* Implementation of ike_sa_t.initiate.
*/
-static status_t initiate(private_ike_sa_t *this,
- connection_t *connection, policy_t *policy)
+static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
{
task_t *task;
if (this->state == IKE_CREATED)
{
- /* if we aren't established/establishing, do so */
- apply_config(this, connection, policy);
if (this->other_host->is_anyaddr(this->other_host))
{
@@ -785,11 +801,12 @@ static status_t initiate(private_ike_sa_t *this,
this->task_manager->queue_task(this->task_manager, task);
task = (task_t*)ike_auth_create(&this->public, TRUE);
this->task_manager->queue_task(this->task_manager, task);
- task = (task_t*)ike_config_create(&this->public, policy);
+ task = (task_t*)ike_config_create(&this->public, TRUE);
this->task_manager->queue_task(this->task_manager, task);
}
- task = (task_t*)child_create_create(&this->public, policy);
+ task = (task_t*)child_create_create(&this->public, child_cfg);
+ child_cfg->destroy(child_cfg);
this->task_manager->queue_task(this->task_manager, task);
return this->task_manager->initiate(this->task_manager);
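Review bot: The new `child_cfg->destroy(child_cfg);` immediately after `child_create_create(&this->public, child_cfg)` makes initiate() consume the caller's reference, which is only safe if child_create_create takes its own reference on the config; if the task merely stores the pointer, it dereferences freed memory when it later runs. That ownership rule is stated nowhere visible and differs from acquire(), which passes the child_sa's config to the same constructor without destroying it, so it should be written down on the interface: `@param child_cfg  child config to initiate; the reference is consumed (released before returning)`. initiate() begins outside this hunk.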
@@ -800,7 +817,7 @@ static status_t initiate(private_ike_sa_t *this,
*/
static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
{
- policy_t *policy;
+ child_cfg_t *child_cfg;
iterator_t *iterator;
child_sa_t *current, *child_sa = NULL;
task_t *task;
@@ -833,7 +850,6 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
return FAILED;
}
- policy = child_sa->get_policy(child_sa);
if (this->state == IKE_CREATED)
{
@@ -845,11 +861,12 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
this->task_manager->queue_task(this->task_manager, task);
task = (task_t*)ike_auth_create(&this->public, TRUE);
this->task_manager->queue_task(this->task_manager, task);
- task = (task_t*)ike_config_create(&this->public, policy);
+ task = (task_t*)ike_config_create(&this->public, TRUE);
this->task_manager->queue_task(this->task_manager, task);
}
- child_create = child_create_create(&this->public, policy);
+ child_cfg = child_sa->get_config(child_sa);
+ child_create = child_create_create(&this->public, child_cfg);
child_create->use_reqid(child_create, reqid);
this->task_manager->queue_task(this->task_manager, (task_t*)child_create);
@@ -857,40 +874,11 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
}
/**
- * compare two lists of traffic selectors for equality
- */
-static bool ts_list_equals(linked_list_t *l1, linked_list_t *l2)
-{
- bool equals = TRUE;
- iterator_t *i1, *i2;
- traffic_selector_t *t1, *t2;
-
- if (l1->get_count(l1) != l2->get_count(l2))
- {
- return FALSE;
- }
-
- i1 = l1->create_iterator(l1, TRUE);
- i2 = l2->create_iterator(l2, TRUE);
- while (i1->iterate(i1, (void**)&t1) && i2->iterate(i2, (void**)&t2))
- {
- if (!t1->equals(t1, t2))
- {
- equals = FALSE;
- break;
- }
- }
- i1->destroy(i1);
- i2->destroy(i2);
- return equals;
-}
-
-/**
* Implementation of ike_sa_t.route.
*/
-static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t *policy)
+static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
{
- child_sa_t *child_sa = NULL;
+ child_sa_t *child_sa;
iterator_t *iterator;
linked_list_t *my_ts, *other_ts;
status_t status;
@@ -901,27 +889,12 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
{
- if (child_sa->get_state(child_sa) == CHILD_ROUTED)
+ if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
+ streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
{
- linked_list_t *my_ts_conf, *other_ts_conf;
-
- my_ts = child_sa->get_my_traffic_selectors(child_sa);
- other_ts = child_sa->get_other_traffic_selectors(child_sa);
-
- my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
- other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
-
- if (ts_list_equals(my_ts, my_ts_conf) &&
- ts_list_equals(other_ts, other_ts_conf))
- {
- iterator->destroy(iterator);
- my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
- other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
- SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a policy already routed");
- return FAILED;
- }
- my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
- other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
+ iterator->destroy(iterator);
+ SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a config already routed");
+ return FAILED;
}
}
iterator->destroy(iterator);
@@ -934,9 +907,6 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
"unable to route CHILD_SA, as its IKE_SA gets deleted");
return FAILED;
case IKE_CREATED:
- /* apply connection information, we need it to acquire */
- apply_config(this, connection, policy);
- break;
case IKE_CONNECTING:
case IKE_ESTABLISHED:
default:
@@ -944,29 +914,37 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
}
/* install kernel policies */
- child_sa = child_sa_create(this->my_host, this->other_host,
- this->my_id, this->other_id, policy, FALSE, 0);
+ child_sa = child_sa_create(this->my_host, this->other_host, this->my_id,
+ this->other_id, child_cfg, FALSE, 0);
- my_ts = policy->get_my_traffic_selectors(policy, this->my_host);
- other_ts = policy->get_other_traffic_selectors(policy, this->other_host);
+ my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL,
+ this->my_host);
+ other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL,
+ this->other_host);
status = child_sa->add_policies(child_sa, my_ts, other_ts,
- policy->get_mode(policy));
+ child_cfg->get_mode(child_cfg));
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
- this->child_sas->insert_last(this->child_sas, child_sa);
- SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
+ if (status == SUCCESS)
+ {
+ this->child_sas->insert_last(this->child_sas, child_sa);
+ SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
+ }
+ else
+ {
+ SIG(CHILD_ROUTE_FAILED, "routing CHILD_SA failed");
+ }
return status;
}
/**
* Implementation of ike_sa_t.unroute.
*/
-static status_t unroute(private_ike_sa_t *this, policy_t *policy)
+static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
{
iterator_t *iterator;
- child_sa_t *child_sa = NULL;
+ child_sa_t *child_sa;
bool found = FALSE;
- linked_list_t *my_ts, *other_ts, *my_ts_conf, *other_ts_conf;
SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA");
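Review bot: In route(), the new failure branch after `add_policies` signals CHILD_ROUTE_FAILED and returns, but the child_sa_t created by child_sa_create a few lines earlier is never released, so every failed route leaks that object. Add `child_sa->destroy(child_sa);` in the else branch before `return status;`. Whether the destructor also removes any policies that add_policies managed to install before failing is not visible here and is worth confirming, so a half-installed policy set is not left in the kernel. route() starts outside this hunk.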
@@ -974,27 +952,14 @@ static status_t unroute(private_ike_sa_t *this, policy_t *policy)
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
{
- if (child_sa->get_state(child_sa) == CHILD_ROUTED)
+ if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
+ child_sa->get_reqid(child_sa) == reqid)
{
- my_ts = child_sa->get_my_traffic_selectors(child_sa);
- other_ts = child_sa->get_other_traffic_selectors(child_sa);
-
- my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
- other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
-
- if (ts_list_equals(my_ts, my_ts_conf) &&
- ts_list_equals(other_ts, other_ts_conf))
- {
- iterator->remove(iterator);
- SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
- child_sa->destroy(child_sa);
- my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
- other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
- found = TRUE;
- break;
- }
- my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
- other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
+ iterator->remove(iterator);
+ SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
+ child_sa->destroy(child_sa);
+ found = TRUE;
+ break;
}
}
iterator->destroy(iterator);
@@ -1021,7 +986,7 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
this->time.outbound = time(NULL);
if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
{
- policy_t *policy;
+ child_cfg_t *child_cfg;
child_sa_t* child_sa;
linked_list_t *to_route, *to_restart;
iterator_t *iterator;
@@ -1032,7 +997,7 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
case IKE_CONNECTING:
{
/* retry IKE_SA_INIT if we have multiple keyingtries */
- u_int32_t tries = this->connection->get_keyingtries(this->connection);
+ u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
this->keyingtry++;
if (tries == 0 || tries > this->keyingtry)
{
@@ -1060,23 +1025,23 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
{
- policy = child_sa->get_policy(child_sa);
+ child_cfg = child_sa->get_config(child_sa);
if (child_sa->get_state(child_sa) == CHILD_ROUTED)
{
/* reroute routed CHILD_SAs */
- to_route->insert_last(to_route, policy);
+ to_route->insert_last(to_route, child_cfg);
}
else
{
/* use DPD action for established CHILD_SAs */
- switch (policy->get_dpd_action(policy))
+ switch (this->peer_cfg->get_dpd_action(this->peer_cfg))
{
case DPD_ROUTE:
- to_route->insert_last(to_route, policy);
+ to_route->insert_last(to_route, child_cfg);
break;
case DPD_RESTART:
- to_restart->insert_last(to_restart, policy);
+ to_restart->insert_last(to_restart, child_cfg);
break;
default:
break;
@@ -1094,15 +1059,15 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
charon->ike_sa_manager, TRUE);
- apply_config(new, this->connection, this->policy);
- /* use actual used host, not the wildcarded one in connection */
+ set_peer_cfg(new, this->peer_cfg);
+ /* use actual used host, not the wildcarded one in config */
new->other_host->destroy(new->other_host);
new->other_host = this->other_host->clone(this->other_host);
/* install routes */
- while (to_route->remove_last(to_route, (void**)&policy) == SUCCESS)
+ while (to_route->remove_last(to_route, (void**)&child_cfg) == SUCCESS)
{
- route(new, new->connection, policy);
+ route(new, child_cfg);
}
/* restart children */
@@ -1114,14 +1079,14 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
new->task_manager->queue_task(new->task_manager, task);
task = (task_t*)ike_cert_create(&new->public, TRUE);
new->task_manager->queue_task(new->task_manager, task);
- task = (task_t*)ike_config_create(&new->public, new->policy);
+ task = (task_t*)ike_config_create(&new->public, TRUE);
new->task_manager->queue_task(new->task_manager, task);
task = (task_t*)ike_auth_create(&new->public, TRUE);
new->task_manager->queue_task(new->task_manager, task);
- while (to_restart->remove_last(to_restart, (void**)&policy) == SUCCESS)
+ while (to_restart->remove_last(to_restart, (void**)&child_cfg) == SUCCESS)
{
- task = (task_t*)child_create_create(&new->public, policy);
+ task = (task_t*)child_create_create(&new->public, child_cfg);
new->task_manager->queue_task(new->task_manager, task);
}
new->task_manager->initiate(new->task_manager);
@@ -1152,19 +1117,19 @@ static prf_t *get_child_prf(private_ike_sa_t *this)
}
/**
- * Implementation of ike_sa_t.get_auth_bild
+ * Implementation of ike_sa_t.get_skp_bild
*/
-static prf_t *get_auth_build(private_ike_sa_t *this)
+static chunk_t get_skp_build(private_ike_sa_t *this)
{
- return this->auth_build;
+ return this->skp_build;
}
/**
- * Implementation of ike_sa_t.get_auth_verify
+ * Implementation of ike_sa_t.get_skp_verify
*/
-static prf_t *get_auth_verify(private_ike_sa_t *this)
+static chunk_t get_skp_verify(private_ike_sa_t *this)
{
- return this->auth_verify;
+ return this->skp_verify;
}
/**
@@ -1210,6 +1175,71 @@ static void set_other_id(private_ike_sa_t *this, identification_t *other)
}
/**
+ * Implementation of ike_sa_t.get_other_ca.
+ */
+static ca_info_t* get_other_ca(private_ike_sa_t *this)
+{
+ return this->other_ca;
+}
+
+/**
+ * Implementation of ike_sa_t.set_other_ca.
+ */
+static void set_other_ca(private_ike_sa_t *this, ca_info_t *other_ca)
+{
+ this->other_ca = other_ca;
+}
+
+/**
+ * Implementation of ike_sa_t.set_virtual_ip
+ */
+static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
+{
+ if (local)
+ {
+ DBG1(DBG_IKE, "installing new virtual IP %H", ip);
+ if (this->my_virtual_ip)
+ {
+ DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
+ charon->kernel_interface->del_ip(charon->kernel_interface,
+ this->my_virtual_ip,
+ this->my_host);
+ this->my_virtual_ip->destroy(this->my_virtual_ip);
+ }
+ if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
+ this->my_host) == SUCCESS)
+ {
+ this->my_virtual_ip = ip->clone(ip);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
+ this->my_virtual_ip = NULL;
+ }
+ }
+ else
+ {
+ DESTROY_IF(this->other_virtual_ip);
+ this->other_virtual_ip = ip->clone(ip);
+ }
+}
+
+/**
+ * Implementation of ike_sa_t.get_virtual_ip
+ */
+static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
+{
+ if (local)
+ {
+ return this->my_virtual_ip;
+ }
+ else
+ {
+ return this->other_virtual_ip;
+ }
+}
+
+/**
* Implementation of ike_sa_t.derive_keys.
*/
static status_t derive_keys(private_ike_sa_t *this,
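Review bot: set_other_ca stores the ca_info_t pointer without taking a reference or a copy, and the destroy() hunk further down releases ike_cfg and peer_cfg but shows no corresponding release of other_ca, so the IKE_SA only borrows it. That is safe only while the record outlives the SA, which may not hold if the credential store reloads or replaces CA entries while SAs are established — presumably it does not, but this should be confirmed against the store's lifetime rules. Document the assumption on the setter, e.g. `/* other_ca is borrowed from the credential store and is not freed in destroy(); it must outlive this IKE_SA */`.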
@@ -1223,7 +1253,6 @@ static status_t derive_keys(private_ike_sa_t *this,
size_t key_size;
crypter_t *crypter_i, *crypter_r;
signer_t *signer_i, *signer_r;
- prf_t *prf_i, *prf_r;
u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
chunk_t spi_i = chunk_from_buf(spi_i_buf);
chunk_t spi_r = chunk_from_buf(spi_r_buf);
@@ -1364,31 +1393,27 @@ static status_t derive_keys(private_ike_sa_t *this,
this->crypter_out = crypter_r;
}
- /* SK_pi/SK_pr used for authentication => prf_auth_i, prf_auth_r */
- proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
- prf_i = prf_create(algo->algorithm);
- prf_r = prf_create(algo->algorithm);
-
- key_size = prf_i->get_key_size(prf_i);
+ /* SK_pi/SK_pr used for authentication => stored for later */
+ key_size = this->prf->get_key_size(this->prf);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(DBG_IKE, "Sk_pi secret %B", &key);
- prf_i->set_key(prf_i, key);
- chunk_free(&key);
-
+ if (initiator)
+ {
+ this->skp_build = key;
+ }
+ else
+ {
+ this->skp_verify = key;
+ }
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(DBG_IKE, "Sk_pr secret %B", &key);
- prf_r->set_key(prf_r, key);
- chunk_free(&key);
-
if (initiator)
{
- this->auth_verify = prf_r;
- this->auth_build = prf_i;
+ this->skp_verify = key;
}
else
{
- this->auth_verify = prf_i;
- this->auth_build = prf_r;
+ this->skp_build = key;
}
/* all done, prf_plus not needed anymore */
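Review bot: `this->skp_build = key;` and `this->skp_verify = key;` overwrite whatever the fields already hold without freeing it, so if derive_keys runs more than once on the same IKE_SA (the reset() path earlier in this file suggests an SA can be reused) the previous SK_p chunk leaks, and since it is key material it leaks into the heap unwiped. Release the old chunk before each assignment, `chunk_free(&this->skp_build);` / `chunk_free(&this->skp_verify);`, and prefer a wiping free if the chunk API offers one, as destroy() also uses plain chunk_free on these. Note that the unchanged DBG4 lines still log SK_pi/SK_pr in clear at that level. derive_keys starts outside this hunk.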
@@ -1507,8 +1532,6 @@ static status_t delete_(private_ike_sa_t *this)
switch (this->state)
{
case IKE_ESTABLISHED:
- DBG1(DBG_IKE, "deleting IKE_SA");
- /* do not log when rekeyed */
case IKE_REKEYING:
ike_delete = ike_delete_create(&this->public, TRUE);
this->task_manager->queue_task(this->task_manager, &ike_delete->task);
@@ -1542,16 +1565,21 @@ static void reestablish(private_ike_sa_t *this)
private_ike_sa_t *other;
iterator_t *iterator;
child_sa_t *child_sa;
- policy_t *policy;
+ child_cfg_t *child_cfg;
task_t *task;
job_t *job;
other = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
charon->ike_sa_manager, TRUE);
- apply_config(other, this->connection, this->policy);
+ set_peer_cfg(other, this->peer_cfg);
other->other_host->destroy(other->other_host);
other->other_host = this->other_host->clone(this->other_host);
+ if (this->my_virtual_ip)
+ {
+ /* if we already have a virtual IP, we reuse it */
+ set_virtual_ip(other, TRUE, this->my_virtual_ip);
+ }
if (this->state == IKE_ESTABLISHED)
{
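Review bot: Reusing the virtual IP via `set_virtual_ip(other, TRUE, this->my_virtual_ip)` installs the same address for the new SA while the old SA still holds it, and when the old SA is destroyed its cleanup (the `if (this->my_virtual_ip)` branch in destroy()) presumably deletes that address from the interface, leaving the new SA without it. Unless kernel_interface reference-counts virtual IPs — not visible here — the old SA should hand the address over (clear its my_virtual_ip or skip del_ip) rather than both SAs claiming it. It is also worth checking whether add_ip on an already-present address fails, because set_virtual_ip then sets the new SA's my_virtual_ip to NULL. reestablish() continues outside this hunk.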
@@ -1561,7 +1589,7 @@ static void reestablish(private_ike_sa_t *this)
other->task_manager->queue_task(other->task_manager, task);
task = (task_t*)ike_cert_create(&other->public, TRUE);
other->task_manager->queue_task(other->task_manager, task);
- task = (task_t*)ike_config_create(&other->public, other->policy);
+ task = (task_t*)ike_config_create(&other->public, TRUE);
other->task_manager->queue_task(other->task_manager, task);
task = (task_t*)ike_auth_create(&other->public, TRUE);
other->task_manager->queue_task(other->task_manager, task);
@@ -1583,8 +1611,8 @@ static void reestablish(private_ike_sa_t *this)
}
default:
{
- policy = child_sa->get_policy(child_sa);
- task = (task_t*)child_create_create(&other->public, policy);
+ child_cfg = child_sa->get_config(child_sa);
+ task = (task_t*)child_create_create(&other->public, child_cfg);
other->task_manager->queue_task(other->task_manager, task);
break;
}
@@ -1678,55 +1706,6 @@ static void enable_natt(private_ike_sa_t *this, bool local)
}
/**
- * Implementation of ike_sa_t.set_virtual_ip
- */
-static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
-{
- if (local)
- {
- DBG1(DBG_IKE, "installing new virtual IP %H", ip);
- if (this->my_virtual_ip)
- {
- DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
- charon->kernel_interface->del_ip(charon->kernel_interface,
- this->my_virtual_ip,
- this->my_host);
- this->my_virtual_ip->destroy(this->my_virtual_ip);
- }
- if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
- this->my_host) == SUCCESS)
- {
- this->my_virtual_ip = ip->clone(ip);
- }
- else
- {
- DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
- this->my_virtual_ip = NULL;
- }
- }
- else
- {
- DESTROY_IF(this->other_virtual_ip);
- this->other_virtual_ip = ip->clone(ip);
- }
-}
-
-/**
- * Implementation of ike_sa_t.get_virtual_ip
- */
-static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
-{
- if (local)
- {
- return this->my_virtual_ip;
- }
- else
- {
- return this->other_virtual_ip;
- }
-}
-
-/**
* Implementation of ike_sa_t.remove_dns_server
*/
static void remove_dns_servers(private_ike_sa_t *this)
@@ -1747,7 +1726,8 @@ static void remove_dns_servers(private_ike_sa_t *this)
file = fopen(RESOLV_CONF, "r");
if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
{
- DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
+ DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
+ RESOLV_CONF, strerror(errno));
return;
}
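Review bot: Replacing `%m` with `strerror(errno)` introduces a call that POSIX does not require to be thread-safe, and charon dispatches jobs from a thread pool, so concurrent failures in these resolv.conf helpers may race on strerror's internal buffer; the same substitution is repeated in the following hunks of remove_dns_servers and add_dns_server. Use `strerror_r()` into a local buffer (minding the glibc/XSI signature difference), e.g. `char buf[128]; strerror_r(errno, buf, sizeof(buf));` and log buf, or keep `%m` if the logger's printf backend supports it. Separately, the unchanged `if (file == NULL || stat(...) != 0)` returns without fclose when fopen succeeded but stat failed, leaking the handle. remove_dns_servers() starts outside this hunk.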
@@ -1755,7 +1735,7 @@ static void remove_dns_servers(private_ike_sa_t *this)
if (fread(contents.ptr, 1, contents.len, file) != contents.len)
{
- DBG1(DBG_IKE, "unable to read DNS configuration file: %m");
+ DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
fclose(file);
return;
}
@@ -1764,7 +1744,8 @@ static void remove_dns_servers(private_ike_sa_t *this)
file = fopen(RESOLV_CONF, "w");
if (file == NULL)
{
- DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
+ DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
+ RESOLV_CONF, strerror(errno));
return;
}
@@ -1820,7 +1801,8 @@ static void add_dns_server(private_ike_sa_t *this, host_t *dns)
file = fopen(RESOLV_CONF, "a+");
if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
{
- DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
+ DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
+ RESOLV_CONF, strerror(errno));
return;
}
@@ -1828,7 +1810,7 @@ static void add_dns_server(private_ike_sa_t *this, host_t *dns)
if (fread(contents.ptr, 1, contents.len, file) != contents.len)
{
- DBG1(DBG_IKE, "unable to read DNS configuration file: %m");
+ DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
fclose(file);
return;
}
@@ -1837,14 +1819,15 @@ static void add_dns_server(private_ike_sa_t *this, host_t *dns)
file = fopen(RESOLV_CONF, "w");
if (file == NULL)
{
- DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
+ DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
+ RESOLV_CONF, strerror(errno));
return;
}
if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
dns, this->other_id) < 0)
{
- DBG1(DBG_IKE, "unable to write DNS configuration: %m");
+ DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
}
else
{
@@ -1856,50 +1839,6 @@ static void add_dns_server(private_ike_sa_t *this, host_t *dns)
}
/**
- * output handler in printf()
- */
-static int print(FILE *stream, const struct printf_info *info,
- const void *const *args)
-{
- int written = 0;
- bool reauth = FALSE;
- private_ike_sa_t *this = *((private_ike_sa_t**)(args[0]));
-
- if (this->connection)
- {
- reauth = this->connection->get_reauth(this->connection);
- }
-
- if (this == NULL)
- {
- return fprintf(stream, "(null)");
- }
-
- written = fprintf(stream, "%12s[%d]: %N, %H[%D]...%H[%D]", get_name(this),
- this->unique_id, ike_sa_state_names, this->state,
- this->my_host, this->my_id, this->other_host,
- this->other_id);
- written += fprintf(stream, "\n%12s[%d]: IKE SPIs: %J, %s in %ds",
- get_name(this), this->unique_id, this->ike_sa_id,
- this->connection && reauth? "reauthentication":"rekeying",
- this->time.rekey - time(NULL));
-
- if (info->alt)
- {
-
- }
- return written;
-}
-
-/**
- * register printf() handlers
- */
-static void __attribute__ ((constructor))print_register()
-{
- register_printf_function(PRINTF_IKE_SA, print, arginfo_ptr);
-}
-
-/**
* Implementation of ike_sa_t.destroy.
*/
static void destroy(private_ike_sa_t *this)
@@ -1912,8 +1851,8 @@ static void destroy(private_ike_sa_t *this)
DESTROY_IF(this->signer_out);
DESTROY_IF(this->prf);
DESTROY_IF(this->child_prf);
- DESTROY_IF(this->auth_verify);
- DESTROY_IF(this->auth_build);
+ chunk_free(&this->skp_verify);
+ chunk_free(&this->skp_build);
if (this->my_virtual_ip)
{
@@ -1931,8 +1870,8 @@ static void destroy(private_ike_sa_t *this)
DESTROY_IF(this->my_id);
DESTROY_IF(this->other_id);
- DESTROY_IF(this->connection);
- DESTROY_IF(this->policy);
+ DESTROY_IF(this->ike_cfg);
+ DESTROY_IF(this->peer_cfg);
this->ike_sa_id->destroy(this->ike_sa_id);
this->task_manager->destroy(this->task_manager);
@@ -1948,54 +1887,57 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
static u_int32_t unique_id = 0;
/* Public functions */
- this->public.get_state = (ike_sa_state_t(*)(ike_sa_t*)) get_state;
- this->public.set_state = (void(*)(ike_sa_t*,ike_sa_state_t)) set_state;
- this->public.get_name = (char*(*)(ike_sa_t*))get_name;
- this->public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
- this->public.initiate = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) initiate;
- this->public.route = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) route;
- this->public.unroute = (status_t(*)(ike_sa_t*,policy_t*)) unroute;
- this->public.acquire = (status_t(*)(ike_sa_t*,u_int32_t)) acquire;
- this->public.get_connection = (connection_t*(*)(ike_sa_t*))get_connection;
- this->public.set_connection = (void(*)(ike_sa_t*,connection_t*))set_connection;
- this->public.get_policy = (policy_t*(*)(ike_sa_t*))get_policy;
- this->public.set_policy = (void(*)(ike_sa_t*,policy_t*))set_policy;
- this->public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
- this->public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
- this->public.set_my_host = (void(*)(ike_sa_t*,host_t*)) set_my_host;
- this->public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
- this->public.set_other_host = (void(*)(ike_sa_t*,host_t*)) set_other_host;
- this->public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
- this->public.set_my_id = (void(*)(ike_sa_t*,identification_t*)) set_my_id;
- this->public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
- this->public.set_other_id = (void(*)(ike_sa_t*,identification_t*)) set_other_id;
- this->public.retransmit = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit;
- this->public.delete = (status_t(*)(ike_sa_t*))delete_;
- this->public.destroy = (void(*)(ike_sa_t*))destroy;
+ this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
+ this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
+ this->public.get_stats = (void (*)(ike_sa_t*,u_int32_t*))get_stats;
+ this->public.get_name = (char* (*)(ike_sa_t*))get_name;
+ this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
+ this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
+ this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
+ this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
+ this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
+ this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
+ this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
+ this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
+ this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
+ this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
+ this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
+ this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
+ this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
+ this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
+ this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
+ this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
+ this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
+ this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
+ this->public.get_other_ca = (ca_info_t* (*)(ike_sa_t*)) get_other_ca;
+ this->public.set_other_ca = (void (*)(ike_sa_t*,ca_info_t*)) set_other_ca;
+ this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
+ this->public.delete = (status_t (*)(ike_sa_t*))delete_;
+ this->public.destroy = (void (*)(ike_sa_t*))destroy;
this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
- this->public.get_prf = (prf_t *(*) (ike_sa_t *)) get_prf;
- this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf;
- this->public.get_auth_verify = (prf_t *(*) (ike_sa_t *)) get_auth_verify;
- this->public.get_auth_build = (prf_t *(*) (ike_sa_t *)) get_auth_build;
- this->public.derive_keys = (status_t (*) (ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
- this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa;
+ this->public.get_prf = (prf_t* (*)(ike_sa_t*)) get_prf;
+ this->public.get_child_prf = (prf_t* (*)(ike_sa_t *)) get_child_prf;
+ this->public.get_skp_verify = (chunk_t (*)(ike_sa_t *)) get_skp_verify;
+ this->public.get_skp_build = (chunk_t (*)(ike_sa_t *)) get_skp_build;
+ this->public.derive_keys = (status_t (*)(ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
+ this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
- this->public.rekey_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
- this->public.delete_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
+ this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
+ this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
- this->public.enable_natt = (void(*)(ike_sa_t*, bool)) enable_natt;
- this->public.is_natt_enabled = (bool(*)(ike_sa_t*)) is_natt_enabled;
- this->public.rekey = (status_t(*)(ike_sa_t*))rekey;
- this->public.reestablish = (void(*)(ike_sa_t*))reestablish;
- this->public.inherit = (status_t(*)(ike_sa_t*,ike_sa_t*))inherit;
- this->public.generate_message = (status_t(*)(ike_sa_t*,message_t*,packet_t**))generate_message;
- this->public.reset = (void(*)(ike_sa_t*))reset;
- this->public.get_unique_id = (u_int32_t(*)(ike_sa_t*))get_unique_id;
- this->public.set_virtual_ip = (void(*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
- this->public.get_virtual_ip = (host_t*(*)(ike_sa_t*,bool))get_virtual_ip;
- this->public.add_dns_server = (void(*)(ike_sa_t*,host_t*))add_dns_server;
+ this->public.enable_natt = (void (*)(ike_sa_t*, bool)) enable_natt;
+ this->public.is_natt_enabled = (bool (*)(ike_sa_t*)) is_natt_enabled;
+ this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
+ this->public.reestablish = (void (*)(ike_sa_t*))reestablish;
+ this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
+ this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
+ this->public.reset = (void (*)(ike_sa_t*))reset;
+ this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
+ this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
+ this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
+ this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
/* initialize private fields */
this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
@@ -2004,13 +1946,14 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->other_host = host_create_any(AF_INET);
this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
+ this->other_ca = NULL;
this->crypter_in = NULL;
this->crypter_out = NULL;
this->signer_in = NULL;
this->signer_out = NULL;
this->prf = NULL;
- this->auth_verify = NULL;
- this->auth_build = NULL;
+ this->skp_verify = chunk_empty;
+ this->skp_build = chunk_empty;
this->child_prf = NULL;
this->nat_here = FALSE;
this->nat_there = FALSE;
@@ -2019,8 +1962,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->time.established = 0;
this->time.rekey = 0;
this->time.delete = 0;
- this->connection = NULL;
- this->policy = NULL;
+ this->ike_cfg = NULL;
+ this->peer_cfg = NULL;
this->task_manager = task_manager_create(&this->public);
this->unique_id = ++unique_id;
this->my_virtual_ip = NULL;
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 604ec94a9..76942b208 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -34,14 +34,42 @@ typedef struct ike_sa_t ike_sa_t;
#include <sa/ike_sa_id.h>
#include <sa/child_sa.h>
#include <sa/tasks/task.h>
-#include <config/configuration.h>
#include <utils/randomizer.h>
#include <crypto/prfs/prf.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
-#include <config/connections/connection.h>
-#include <config/policies/policy.h>
-#include <config/proposal.h>
+#include <crypto/ca.h>
+#include <config/peer_cfg.h>
+#include <config/ike_cfg.h>
+
+/**
+ * Timeout in milliseconds after that a half open IKE_SA gets deleted.
+ *
+ * @ingroup sa
+ */
+#define HALF_OPEN_IKE_SA_TIMEOUT 30000
+
+/**
+ * Interval to send keepalives when NATed, in seconds.
+ *
+ * @ingroup sa
+ */
+#define KEEPALIVE_INTERVAL 20
+
+/**
+ * After which time rekeying should be retried if it failed, in seconds.
+ *
+ * @ingroup sa
+ */
+#define RETRY_INTERVAL 30
+
+/**
+ * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
+ *
+ * @ingroup sa
+ */
+#define RETRY_JITTER 20
+
/**
* @brief State of an IKE_SA.
@@ -157,6 +185,13 @@ struct ike_sa_t {
ike_sa_state_t (*get_state) (ike_sa_t *this);
/**
+ * @brief Get some statistics about this IKE_SA.
+ *
+ * @param next_rekeying when the next rekeying is scheduled
+ */
+ void (*get_stats)(ike_sa_t *this, u_int32_t *next_rekeying);
+
+ /**
* @brief Set the state of the IKE_SA.
*
* @param this calling object
@@ -221,7 +256,7 @@ struct ike_sa_t {
void (*set_my_id) (ike_sa_t *this, identification_t *me);
/**
- * @brief Get the other peers identification.
+ * @brief Get the other peer's identification.
*
* @param this calling object
* @return identification
@@ -229,7 +264,7 @@ struct ike_sa_t {
identification_t* (*get_other_id) (ike_sa_t *this);
/**
- * @brief Set the other peers identification.
+ * @brief Set the other peer's identification.
*
* @param this calling object
* @param other identification
@@ -237,51 +272,65 @@ struct ike_sa_t {
void (*set_other_id) (ike_sa_t *this, identification_t *other);
/**
- * @brief Get the connection used by this IKE_SA.
+ * @brief Get the other peer's certification authority
+ *
+ * @param this calling object
+ * @return ca_info_t record of other ca
+ */
+ ca_info_t* (*get_other_ca) (ike_sa_t *this);
+
+ /**
+ * @brief Set the other peer's certification authority
+ *
+ * @param this calling object
+ * @param other_ca ca_info_t record of other ca
+ */
+ void (*set_other_ca) (ike_sa_t *this, ca_info_t *other_ca);
+
+ /**
+ * @brief Get the config used to setup this IKE_SA.
*
* @param this calling object
- * @return connection
+ * @return ike_config
*/
- connection_t* (*get_connection) (ike_sa_t *this);
+ ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
/**
- * @brief Set the connection to use with this IKE_SA.
+ * @brief Set the config to setup this IKE_SA.
*
* @param this calling object
- * @param connection connection to use
+ * @param config ike_config to use
*/
- void (*set_connection) (ike_sa_t *this, connection_t* connection);
+ void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
/**
- * @brief Get the policy used by this IKE_SA.
+ * @brief Get the peer config used by this IKE_SA.
*
* @param this calling object
- * @return policy
+ * @return peer_config
*/
- policy_t* (*get_policy) (ike_sa_t *this);
+ peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
/**
- * @brief Set the policy to use with this IKE_SA.
+ * @brief Set the peer config to use with this IKE_SA.
*
* @param this calling object
- * @param policy policy to use
+ * @param config peer_config to use
*/
- void (*set_policy) (ike_sa_t *this, policy_t *policy);
+ void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
/**
* @brief Initiate a new connection.
*
- * The policy/connection is owned by the IKE_SA after the call, so
- * do not modify or destroy it.
+ * The configs are owned by the IKE_SA after the call.
*
* @param this calling object
- * @param connection connection to initiate
- * @param policy policy to set up
+ * @param child_cfg child config to create CHILD from
* @return
* - SUCCESS if initialization started
- * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
+ * - DESTROY_ME if initialization failed
*/
- status_t (*initiate) (ike_sa_t *this, connection_t *connection, policy_t *policy);
+ status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg);
/**
* @brief Route a policy in the kernel.
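Review bot: The new get_other_ca/set_other_ca entries do not say who owns the ca_info_t that is stored and returned, whereas the initiate() doc a few lines later states explicitly that the configs are owned by the IKE_SA after the call. Without that, a caller cannot tell whether the record passed to set_other_ca may be destroyed afterwards or whether the pointer from get_other_ca may be kept. Suggested addition to the set_other_ca block: ` * The ca_info_t is not copied; it has to stay valid as long as the IKE_SA uses it.` — or the inverse statement, whichever the implementation does; the hunk does not show it.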
@@ -290,28 +339,27 @@ struct ike_sa_t {
* the kernel requests connection setup from the IKE_SA via acquire().
*
* @param this calling object
- * @param connection connection definition used for routing
- * @param policy policy to route
+ * @param child_cfg child config to route
* @return
* - SUCCESS if routed successfully
* - FAILED if routing failed
*/
- status_t (*route) (ike_sa_t *this, connection_t *connection, policy_t *policy);
+ status_t (*route) (ike_sa_t *this, child_cfg_t *child_cfg);
/**
* @brief Unroute a policy in the kernel previously routed.
*
* @param this calling object
- * @param policy policy to route
+ * @param reqid reqid of CHILD_SA to unroute
* @return
* - SUCCESS if route removed
- * - DESTROY_ME if last route was removed from
- * an IKE_SA which was not established
+ * - NOT_FOUND if CHILD_SA not found
+ * - DESTROY_ME if last CHILD_SA was unrouted
*/
- status_t (*unroute) (ike_sa_t *this, policy_t *policy);
+ status_t (*unroute) (ike_sa_t *this, u_int32_t reqid);
/**
- * @brief Acquire connection setup for a policy.
+ * @brief Acquire connection setup for an installed kernel policy.
*
* If an installed policy raises an acquire, the kernel calls
* this function to establish the CHILD_SA (and maybe the IKE_SA).
@@ -320,7 +368,7 @@ struct ike_sa_t {
* @param reqid reqid of the CHILD_SA the policy belongs to.
* @return
* - SUCCESS if initialization started
- * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
+ * - DESTROY_ME if initialization failed
*/
status_t (*acquire) (ike_sa_t *this, u_int32_t reqid);
@@ -456,7 +504,7 @@ struct ike_sa_t {
bool initiator, prf_t *child_prf, prf_t *old_prf);
/**
- * @brief Get the multi purpose prf.
+ * @brief Get a multi purpose prf for the negotiated PRF function.
*
* @param this calling object
* @return pointer to prf_t object
@@ -472,20 +520,20 @@ struct ike_sa_t {
prf_t *(*get_child_prf) (ike_sa_t *this);
/**
- * @brief Get the prf to build outgoing authentication data.
+ * @brief Get the key to build outgoing authentication data.
*
* @param this calling object
* @return pointer to prf_t object
*/
- prf_t *(*get_auth_build) (ike_sa_t *this);
+ chunk_t (*get_skp_build) (ike_sa_t *this);
/**
- * @brief Get the prf to verify incoming authentication data.
+ * @brief Get the key to verify incoming authentication data.
*
* @param this calling object
* @return pointer to prf_t object
*/
- prf_t *(*get_auth_verify) (ike_sa_t *this);
+ chunk_t (*get_skp_verify) (ike_sa_t *this);
/**
* @brief Associates a child SA to this IKE SA
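Review bot: The doc comments for get_skp_build and get_skp_verify still say `@return pointer to prf_t object`, but both prototypes now return a `chunk_t`. The stale line matters here because the chunk is key material and the old wording gives no hint whether the caller owns it; presumably it references the IKE_SA's internal SK_p and must not be freed — confirm against the implementation. Suggested replacement for both: ` * @return SK_p key as chunk_t (references IKE_SA internal data, do not free)`.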
diff --git a/src/charon/sa/ike_sa_id.c b/src/charon/sa/ike_sa_id.c
index c143fc0ba..a838c0b8a 100644
--- a/src/charon/sa/ike_sa_id.c
+++ b/src/charon/sa/ike_sa_id.c
@@ -24,7 +24,6 @@
#include "ike_sa_id.h"
-#include <printf.h>
#include <stdio.h>
@@ -153,33 +152,6 @@ static ike_sa_id_t* clone_(private_ike_sa_id_t *this)
}
/**
- * output handler in printf()
- */
-static int print(FILE *stream, const struct printf_info *info,
- const void *const *args)
-{
- private_ike_sa_id_t *this = *((private_ike_sa_id_t**)(args[0]));
-
- if (this == NULL)
- {
- return fprintf(stream, "(null)");
- }
- return fprintf(stream, "0x%0llx_i%s 0x%0llx_r%s",
- this->initiator_spi,
- this->is_initiator_flag ? "*" : "",
- this->responder_spi,
- this->is_initiator_flag ? "" : "*");
-}
-
-/**
- * register printf() handlers
- */
-static void __attribute__ ((constructor))print_register()
-{
- register_printf_function(PRINTF_IKE_SA_ID, print, arginfo_ptr);
-}
-
-/**
* Implementation of ike_sa_id_t.destroy.
*/
static void destroy(private_ike_sa_id_t *this)
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index 791ef805e..a62ec5e3c 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -322,8 +322,8 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
ike_sa_t *ike_sa = NULL;
entry_t *entry;
- DBG2(DBG_MGR, "checkout IKE_SA: %J, %d IKE_SAs in manager",
- ike_sa_id, this->ike_sa_list->get_count(this->ike_sa_list));
+ DBG2(DBG_MGR, "checkout IKE_SA, %d IKE_SAs in manager",
+ this->ike_sa_list->get_count(this->ike_sa_list));
pthread_mutex_lock(&(this->mutex));
if (get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
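Review bot: The rewritten DBG2 line drops the IKE_SA identifier that the old `%J` argument printed, and the same happens in checkout_new, checkout_by_message, checkout_by_peer, checkin and checkin_and_destroy below; with only the SA count left, an operator can no longer match a checkout with the checkin of the same SA when reading the manager log. This looks like a consequence of the printf handler removed from ike_sa_id.c in this commit; if so, printing the initiator/responder SPIs through the ike_sa_id_t accessors with a plain integer format would restore the correlation until a replacement format hook exists. checkout's body continues outside the hunk.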
@@ -356,13 +356,14 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
{
id = ike_sa_id_create(0, get_next_spi(this), FALSE);
}
- entry = entry_create(id);
+ entry = entry_create(id);
+ id->destroy(id);
pthread_mutex_lock(&this->mutex);
this->ike_sa_list->insert_last(this->ike_sa_list, entry);
entry->checked_out = TRUE;
pthread_mutex_unlock(&this->mutex);
- DBG2(DBG_MGR, "created IKE_SA: %J, %d IKE_SAs in manager",
- id, this->ike_sa_list->get_count(this->ike_sa_list));
+ DBG2(DBG_MGR, "created IKE_SA, %d IKE_SAs in manager",
+ this->ike_sa_list->get_count(this->ike_sa_list));
return entry->ike_sa;
}
@@ -378,8 +379,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
id = id->clone(id);
id->switch_initiator(id);
- DBG2(DBG_MGR, "checkout IKE_SA: %J by message, %d IKE_SAs in manager",
- id, this->ike_sa_list->get_count(this->ike_sa_list));
+ DBG2(DBG_MGR, "checkout IKE_SA by message, %d IKE_SAs in manager",
+ this->ike_sa_list->get_count(this->ike_sa_list));
if (message->get_request(message) &&
message->get_exchange_type(message) == IKE_SA_INIT)
@@ -439,7 +440,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
}
else
{
- DBG1(DBG_MGR, "ignoring message for %J, no such IKE_SA", id);
+ chunk_free(&hash);
+ DBG1(DBG_MGR, "ignoring message, no such IKE_SA");
}
}
else
@@ -554,7 +556,7 @@ static ike_sa_t* checkout_by_peer(private_ike_sa_manager_t *this,
/* create entry */
new_entry = entry_create(new_ike_sa_id);
- DBG2(DBG_MGR, "created IKE_SA: %J", new_ike_sa_id);
+ DBG2(DBG_MGR, "created IKE_SA");
new_ike_sa_id->destroy(new_ike_sa_id);
this->ike_sa_list->insert_last(this->ike_sa_list, new_entry);
@@ -720,7 +722,7 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
ike_sa_id = ike_sa->get_id(ike_sa);
- DBG2(DBG_MGR, "checkin IKE_SA: %J", ike_sa_id);
+ DBG2(DBG_MGR, "checkin IKE_SA");
pthread_mutex_lock(&(this->mutex));
@@ -767,7 +769,7 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik
ike_sa_id_t *ike_sa_id;
ike_sa_id = ike_sa->get_id(ike_sa);
- DBG2(DBG_MGR, "checkin and destroy IKE_SA: %J", ike_sa_id);
+ DBG2(DBG_MGR, "checkin and destroy IKE_SA");
pthread_mutex_lock(&(this->mutex));
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
index 844300735..e67508ed1 100644
--- a/src/charon/sa/task_manager.c
+++ b/src/charon/sa/task_manager.c
@@ -22,6 +22,8 @@
#include "task_manager.h"
+#include <math.h>
+
#include <daemon.h>
#include <sa/tasks/ike_init.h>
#include <sa/tasks/ike_natd.h>
@@ -35,7 +37,7 @@
#include <sa/tasks/child_rekey.h>
#include <sa/tasks/child_delete.h>
#include <encoding/payloads/delete_payload.h>
-#include <queues/jobs/retransmit_job.h>
+#include <processing/jobs/retransmit_job.h>
typedef struct exchange_t exchange_t;
@@ -210,9 +212,12 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
u_int32_t timeout;
job_t *job;
- timeout = charon->configuration->get_retransmit_timeout(
- charon->configuration, this->initiating.retransmitted);
- if (timeout == 0)
+ if (this->initiating.retransmitted <= RETRANSMIT_TRIES)
+ {
+ timeout = (u_int32_t)(RETRANSMIT_TIMEOUT *
+ pow(RETRANSMIT_BASE, this->initiating.retransmitted));
+ }
+ else
{
DBG1(DBG_IKE, "giving up after %d retransmits",
this->initiating.retransmitted - 1);
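Review bot: The new condition `<=` sends the request for tries 0 through RETRANSMIT_TRIES, i.e. RETRANSMIT_TRIES+1 transmissions before the give-up branch runs, while the header text added in task_manager.h in this commit says retransmission is given up "when try reaches RETRANSMIT_TRIES"; the table there (six rows, 165s total) agrees with the code, so the sentence is the part to correct. A comment above the condition would make the intent explicit: `/* tries 0..RETRANSMIT_TRIES are sent; give up on the attempt after that */`. The cast truncates the double product to whole milliseconds, which is harmless at these magnitudes. retransmit's body continues outside the hunk.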
@@ -262,6 +267,7 @@ static status_t build_request(private_task_manager_t *this)
case IKE_CREATED:
if (activate_task(this, IKE_INIT))
{
+ this->initiating.mid = 0;
exchange = IKE_SA_INIT;
activate_task(this, IKE_NATD);
activate_task(this, IKE_CERT);
@@ -274,7 +280,6 @@ static status_t build_request(private_task_manager_t *this)
if (activate_task(this, CHILD_CREATE))
{
exchange = CREATE_CHILD_SA;
- activate_task(this, IKE_CONFIG);
break;
}
if (activate_task(this, CHILD_DELETE))
@@ -328,6 +333,11 @@ static status_t build_request(private_task_manager_t *this)
case IKE_AUTHENTICATE:
exchange = IKE_AUTH;
break;
+ case CHILD_CREATE:
+ case CHILD_REKEY:
+ case IKE_REKEY:
+ exchange = CREATE_CHILD_SA;
+ break;
default:
continue;
}
@@ -577,7 +587,7 @@ static status_t process_request(private_task_manager_t *this,
this->passive_tasks->insert_last(this->passive_tasks, task);
task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
this->passive_tasks->insert_last(this->passive_tasks, task);
- task = (task_t*)ike_config_create(this->ike_sa, NULL);
+ task = (task_t*)ike_config_create(this->ike_sa, FALSE);
this->passive_tasks->insert_last(this->passive_tasks, task);
task = (task_t*)child_create_create(this->ike_sa, NULL);
this->passive_tasks->insert_last(this->passive_tasks, task);
diff --git a/src/charon/sa/task_manager.h b/src/charon/sa/task_manager.h
index c766d4a65..fb34aab6a 100644
--- a/src/charon/sa/task_manager.h
+++ b/src/charon/sa/task_manager.h
@@ -31,6 +31,28 @@ typedef struct task_manager_t task_manager_t;
#include <sa/tasks/task.h>
/**
+ * First retransmit timeout in milliseconds.
+ *
+ * @ingroup sa
+ */
+#define RETRANSMIT_TIMEOUT 4000
+
+/**
+ * Base which is raised to the power of the retransmission try.
+ *
+ * @ingroup sa
+ */
+#define RETRANSMIT_BASE 1.8
+
+/**
+ * Number of retransmits done before giving up.
+ *
+ * @ingroup sa
+ */
+#define RETRANSMIT_TRIES 5
+
+
+/**
* @brief The task manager, juggles task and handles message exchanges.
*
* On incoming requests, the task manager creates new tasks on demand and
@@ -43,6 +65,24 @@ typedef struct task_manager_t task_manager_t;
* For the initial IKE_SA setup, several tasks are queued: One for the
* unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup
* and maybe one for virtual IP assignement.
+ * The task manager is also responsible for retransmission. It uses a backoff
+ * algorithm. The timeout is calculated using
+ * RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try).
+ * When try reaches RETRANSMIT_TRIES, retransmission is given up.
+ *
+ * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us:
+ * @verbatim
+ | relative | absolute
+ ---------------------------------------------------------
+ 4s * (1.8 ** 0) = 4s 4s
+ 4s * (1.8 ** 1) = 7s 11s
+ 4s * (1.8 ** 2) = 13s 24s
+ 4s * (1.8 ** 3) = 23s 47s
+ 4s * (1.8 ** 4) = 42s 89s
+ 4s * (1.8 ** 5) = 76s 165s
+
+ @endberbatim
+ * The peer is considered dead after 2min 45s when no reply comes in.
*
* @b Constructors:
* - task_manager_create()
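Review bot: `@endberbatim` is not a Doxygen command; the intended `@endverbatim` is missing, so the verbatim block opened by `@verbatim` never closes and swallows the rest of the struct documentation. Change the line to ` @endverbatim`. The header comment continues outside the hunk.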
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index 781d679f2..f70730b05 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -26,6 +26,7 @@
#include <daemon.h>
#include <crypto/diffie_hellman.h>
#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ke_payload.h>
#include <encoding/payloads/ts_payload.h>
#include <encoding/payloads/nonce_payload.h>
#include <encoding/payloads/notify_payload.h>
@@ -64,9 +65,9 @@ struct private_child_create_t {
chunk_t other_nonce;
/**
- * policy to create the CHILD_SA from
+ * config to create the CHILD_SA from
*/
- policy_t *policy;
+ child_cfg_t *config;
/**
* list of proposal candidates
@@ -89,6 +90,16 @@ struct private_child_create_t {
linked_list_t *tsr;
/**
+ * optional diffie hellman exchange
+ */
+ diffie_hellman_t *dh;
+
+ /**
+ * group used for DH exchange
+ */
+ diffie_hellman_group_t dh_group;
+
+ /**
* mode the new CHILD_SA uses (transport/tunnel/beet)
*/
mode_t mode;
@@ -162,21 +173,29 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host)
}
/**
- * Install a CHILD_SA for usage
+ * Install a CHILD_SA for usage, return value:
+ * - FAILED: no acceptable proposal
+ * - INVALID_ARG: diffie hellman group inacceptable
+ * - NOT_FOUND: TS inacceptable
*/
-static status_t select_and_install(private_child_create_t *this)
+static status_t select_and_install(private_child_create_t *this, bool no_dh)
{
prf_plus_t *prf_plus;
status_t status;
- chunk_t nonce_i, nonce_r, seed;
+ chunk_t nonce_i, nonce_r, secret, seed;
linked_list_t *my_ts, *other_ts;
host_t *me, *other, *other_vip, *my_vip;
- if (this->proposals == NULL || this->tsi == NULL || this->tsr == NULL)
+ if (this->proposals == NULL)
{
- SIG(CHILD_UP_FAILED, "SA/TS payloads missing in message");
+ SIG(CHILD_UP_FAILED, "SA payload missing in message");
return FAILED;
}
+ if (this->tsi == NULL || this->tsr == NULL)
+ {
+ SIG(CHILD_UP_FAILED, "TS payloads missing in message");
+ return NOT_FOUND;
+ }
if (this->initiator)
{
@@ -198,36 +217,61 @@ static status_t select_and_install(private_child_create_t *this)
my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
- this->proposal = this->policy->select_proposal(this->policy, this->proposals);
-
+ this->proposal = this->config->select_proposal(this->config, this->proposals,
+ no_dh);
if (this->proposal == NULL)
{
SIG(CHILD_UP_FAILED, "no acceptable proposal found");
return FAILED;
}
- if (this->initiator && my_vip)
- { /* if we have a virtual IP, shorten our TS to the minimum */
- my_ts = this->policy->select_my_traffic_selectors(this->policy, my_ts,
- my_vip);
+ if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
+ {
+ algorithm_t *algo;
+ if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
+ &algo))
+ {
+ u_int16_t group = algo->algorithm;
+ SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N",
+ diffie_hellman_group_names, this->dh_group,
+ diffie_hellman_group_names, group);
+ this->dh_group = group;
+ return INVALID_ARG;
+ }
+ else
+ {
+ SIG(CHILD_UP_FAILED, "no acceptable proposal found");
+ return FAILED;
+ }
+ }
+
+ if (my_vip == NULL)
+ {
+ my_vip = me;
+ }
+ else if (this->initiator)
+ {
/* to setup firewall rules correctly, CHILD_SA needs the virtual IP */
this->child_sa->set_virtual_ip(this->child_sa, my_vip);
}
- else
- { /* shorten in the host2host case only */
- my_ts = this->policy->select_my_traffic_selectors(this->policy,
- my_ts, me);
- }
- if (other_vip)
- { /* if other has a virtual IP, shorten it's traffic selectors to it */
- other_ts = this->policy->select_other_traffic_selectors(this->policy,
- other_ts, other_vip);
+ if (other_vip == NULL)
+ {
+ other_vip = other;
}
- else
- { /* use his host for the host2host case */
- other_ts = this->policy->select_other_traffic_selectors(this->policy,
- other_ts, other);
+
+ my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
+ my_vip);
+ other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
+ other_vip);
+
+ if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
+ {
+ my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+ other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+ SIG(CHILD_UP_FAILED, "no acceptable traffic selectors found");
+ return NOT_FOUND;
}
+
this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
if (this->initiator)
@@ -241,13 +285,6 @@ static status_t select_and_install(private_child_create_t *this)
this->tsi = other_ts;
}
- if (this->tsi->get_count(this->tsi) == 0 ||
- this->tsr->get_count(this->tsr) == 0)
- {
- SIG(CHILD_UP_FAILED, "no acceptable traffic selectors found");
- return FAILED;
- }
-
if (!this->initiator)
{
/* check if requested mode is acceptable, downgrade if required */
@@ -279,7 +316,20 @@ static status_t select_and_install(private_child_create_t *this)
}
}
- seed = chunk_cata("cc", nonce_i, nonce_r);
+ if (this->dh)
+ {
+ if (this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
+ {
+ SIG(CHILD_UP_FAILED, "DH exchange incomplete");
+ return FAILED;
+ }
+ DBG3(DBG_IKE, "DH secret %B", &secret);
+ seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
+ }
+ else
+ {
+ seed = chunk_cata("cc", nonce_i, nonce_r);
+ }
prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
if (this->initiator)
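Review bot: `DBG3(DBG_IKE, "DH secret %B", &secret);` writes the CHILD_SA's DH shared secret, i.e. the PFS key material that seeds prf_plus two lines later, into the debug log; anyone able to read output at that level can reconstruct the CHILD_SA keys from the log together with the nonces. Removing the line, or logging only `secret.len`, avoids that without losing anything useful for debugging the exchange itself. select_and_install's body continues outside the hunk.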
@@ -297,7 +347,7 @@ static status_t select_and_install(private_child_create_t *this)
if (status != SUCCESS)
{
SIG(CHILD_UP_FAILED, "unable to install IPsec SA (SAD) in kernel");
- return status;
+ return FAILED;
}
status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
@@ -306,7 +356,7 @@ static status_t select_and_install(private_child_create_t *this)
if (status != SUCCESS)
{
SIG(CHILD_UP_FAILED, "unable to install IPsec policies (SPD) in kernel");
- return status;
+ return NOT_FOUND;
}
/* add to IKE_SA, and remove from task */
this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
@@ -321,8 +371,9 @@ static status_t select_and_install(private_child_create_t *this)
static void build_payloads(private_child_create_t *this, message_t *message)
{
sa_payload_t *sa_payload;
- ts_payload_t *ts_payload;
nonce_payload_t *nonce_payload;
+ ke_payload_t *ke_payload;
+ ts_payload_t *ts_payload;
/* add SA payload */
if (this->initiator)
@@ -343,6 +394,13 @@ static void build_payloads(private_child_create_t *this, message_t *message)
message->add_payload(message, (payload_t*)nonce_payload);
}
+ /* diffie hellman exchange, if PFS enabled */
+ if (this->dh)
+ {
+ ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
+ message->add_payload(message, (payload_t*)ke_payload);
+ }
+
/* add TSi/TSr payloads */
ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
message->add_payload(message, (payload_t*)ts_payload);
@@ -371,6 +429,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
iterator_t *iterator;
payload_t *payload;
sa_payload_t *sa_payload;
+ ke_payload_t *ke_payload;
ts_payload_t *ts_payload;
notify_payload_t *notify_payload;
@@ -386,6 +445,19 @@ static void process_payloads(private_child_create_t *this, message_t *message)
sa_payload = (sa_payload_t*)payload;
this->proposals = sa_payload->get_proposals(sa_payload);
break;
+ case KEY_EXCHANGE:
+ ke_payload = (ke_payload_t*)payload;
+ if (!this->initiator)
+ {
+ this->dh_group = ke_payload->get_dh_group_number(ke_payload);
+ this->dh = diffie_hellman_create(this->dh_group);
+ }
+ if (this->dh)
+ {
+ this->dh->set_other_public_value(this->dh,
+ ke_payload->get_key_exchange_data(ke_payload));
+ }
+ break;
case TRAFFIC_SELECTOR_INITIATOR:
ts_payload = (ts_payload_t*)payload;
this->tsi = ts_payload->get_traffic_selectors(ts_payload);
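Review bot: The new KEY_EXCHANGE case overwrites `this->dh` on the responder without destroying an existing object, so a message carrying two KE payloads leaks the first diffie_hellman_t, and on the initiator the responder's group number is never compared with `this->dh_group` before `set_other_public_value` is fed the peer's value, so a mismatched KE is silently combined with our own group. Both checks are local to the case; the rewrite below adds a DESTROY_IF before re-creating the exchange and ignores a KE whose group differs from the one we proposed, which then surfaces as "DH exchange incomplete" in select_and_install. process_payloads starts and ends outside the hunk.
```c
case KEY_EXCHANGE:
	ke_payload = (ke_payload_t*)payload;
	if (!this->initiator)
	{
		/* a second KE payload in the same message must not leak the first exchange */
		DESTROY_IF(this->dh);
		this->dh_group = ke_payload->get_dh_group_number(ke_payload);
		this->dh = diffie_hellman_create(this->dh_group);
	}
	else if (this->dh &&
			 ke_payload->get_dh_group_number(ke_payload) != this->dh_group)
	{
		DBG1(DBG_IKE, "KE payload group does not match the group we proposed, ignoring");
		break;
	}
	if (this->dh)
	{
		this->dh->set_other_public_value(this->dh,
								ke_payload->get_key_exchange_data(ke_payload));
	}
	break;
```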
@@ -421,6 +493,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
static status_t build_i(private_child_create_t *this, message_t *message)
{
host_t *me, *other, *vip;
+ peer_cfg_t *peer_cfg;
switch (message->get_exchange_type(message))
{
@@ -432,6 +505,10 @@ static status_t build_i(private_child_create_t *this, message_t *message)
message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
return SUCCESS;
}
+ if (this->dh_group == MODP_NONE)
+ {
+ this->dh_group = this->config->get_dh_group(this->config);
+ }
break;
case IKE_AUTH:
if (!message->get_payload(message, ID_INITIATOR))
@@ -448,25 +525,30 @@ static status_t build_i(private_child_create_t *this, message_t *message)
me = this->ike_sa->get_my_host(this->ike_sa);
other = this->ike_sa->get_other_host(this->ike_sa);
- vip = this->policy->get_virtual_ip(this->policy, NULL);
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ vip = peer_cfg->get_my_virtual_ip(peer_cfg);
if (vip)
{ /* propose a 0.0.0.0/0 subnet when we use virtual ip */
- this->tsi = this->policy->get_my_traffic_selectors(this->policy, NULL);
+ this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
+ NULL, NULL);
vip->destroy(vip);
}
else
{ /* but shorten a 0.0.0.0/0 subnet to the actual address if host2host */
- this->tsi = this->policy->get_my_traffic_selectors(this->policy, me);
+ this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
+ NULL, me);
}
- this->tsr = this->policy->get_other_traffic_selectors(this->policy, other);
- this->proposals = this->policy->get_proposals(this->policy);
- this->mode = this->policy->get_mode(this->policy);
+ this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
+ NULL, other);
+ this->proposals = this->config->get_proposals(this->config,
+ this->dh_group == MODP_NONE);
+ this->mode = this->config->get_mode(this->config);
this->child_sa = child_sa_create(me, other,
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa),
- this->policy, this->reqid,
+ this->config, this->reqid,
this->ike_sa->is_natt_enabled(this->ike_sa));
if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS)
@@ -475,6 +557,11 @@ static status_t build_i(private_child_create_t *this, message_t *message)
return FAILED;
}
+ if (this->dh_group != MODP_NONE)
+ {
+ this->dh = diffie_hellman_create(this->dh_group);
+ }
+
build_payloads(this, message);
this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
@@ -492,6 +579,8 @@ static status_t build_i(private_child_create_t *this, message_t *message)
*/
static status_t process_r(private_child_create_t *this, message_t *message)
{
+ peer_cfg_t *peer_cfg;
+
switch (message->get_exchange_type(message))
{
case IKE_SA_INIT:
@@ -517,18 +606,13 @@ static status_t process_r(private_child_create_t *this, message_t *message)
return NEED_MORE;
}
- this->policy = charon->policies->get_policy(charon->policies,
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa),
- this->tsr, this->tsi,
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa));
-
- if (this->policy && this->ike_sa->get_policy(this->ike_sa) == NULL)
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (peer_cfg)
{
- this->ike_sa->set_policy(this->ike_sa, this->policy);
+ this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr, this->tsi,
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa));
}
-
return NEED_MORE;
}
@@ -537,6 +621,8 @@ static status_t process_r(private_child_create_t *this, message_t *message)
*/
static status_t build_r(private_child_create_t *this, message_t *message)
{
+ bool no_dh = TRUE;
+
switch (message->get_exchange_type(message))
{
case IKE_SA_INIT:
@@ -547,6 +633,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
return SUCCESS;
}
+ no_dh = FALSE;
break;
case IKE_AUTH:
if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
@@ -565,10 +652,11 @@ static status_t build_r(private_child_create_t *this, message_t *message)
return SUCCESS;
}
- if (this->policy == NULL)
+ if (this->config == NULL)
{
- SIG(CHILD_UP_FAILED, "no acceptable policy found");
- message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ SIG(CHILD_UP_FAILED, "traffic selectors %#R=== %#R inacceptable",
+ this->tsr, this->tsi);
+ message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
return SUCCESS;
}
@@ -576,13 +664,27 @@ static status_t build_r(private_child_create_t *this, message_t *message)
this->ike_sa->get_other_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa),
- this->policy, this->reqid,
+ this->config, this->reqid,
this->ike_sa->is_natt_enabled(this->ike_sa));
- if (select_and_install(this) != SUCCESS)
+ switch (select_and_install(this, no_dh))
{
- message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
- return SUCCESS;
+ case SUCCESS:
+ break;
+ case NOT_FOUND:
+ message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+ return SUCCESS;
+ case INVALID_ARG:
+ {
+ u_int16_t group = htons(this->dh_group);
+ message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
+ chunk_from_thing(group));
+ return SUCCESS;
+ }
+ case FAILED:
+ default:
+ message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return SUCCESS;
}
build_payloads(this, message);
@@ -599,6 +701,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
{
iterator_t *iterator;
payload_t *payload;
+ bool no_dh = TRUE;
switch (message->get_exchange_type(message))
{
@@ -606,6 +709,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
return get_nonce(message, &this->other_nonce);
case CREATE_CHILD_SA:
get_nonce(message, &this->other_nonce);
+ no_dh = FALSE;
break;
case IKE_AUTH:
if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
@@ -643,6 +747,22 @@ static status_t process_i(private_child_create_t *this, message_t *message)
/* an error in CHILD_SA creation is not critical */
return SUCCESS;
}
+ case INVALID_KE_PAYLOAD:
+ {
+ chunk_t data;
+ diffie_hellman_group_t bad_group;
+
+ bad_group = this->dh_group;
+ data = notify->get_notification_data(notify);
+ this->dh_group = ntohs(*((u_int16_t*)data.ptr));
+ DBG1(DBG_IKE, "peer didn't accept DH group %N, "
+ "it requested %N", diffie_hellman_group_names,
+ bad_group, diffie_hellman_group_names, this->dh_group);
+
+ this->public.task.migrate(&this->public.task, this->ike_sa);
+ iterator->destroy(iterator);
+ return NEED_MORE;
+ }
default:
break;
}
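Review bot: The INVALID_KE_PAYLOAD case dereferences `data.ptr` as a u_int16_t without checking `data.len`, so a notify with empty or one-byte data reads past the payload (and `data.ptr` may be NULL when the notify carries no data); the cast also assumes an aligned pointer. Beyond the length check, the group taken from the peer is adopted unconditionally: nothing here confirms it is one we offer — checking it with `has_dh_group` against the proposals from `this->config->get_proposals(this->config, FALSE)` before restarting would prevent a peer from steering the initiator to a group outside its configuration — and there is no bound on how often the task accepts such a notify and returns NEED_MORE, so a peer can keep the exchange restarting indefinitely; a retry counter in private_child_create_t would close that. The rewrite below covers the length and alignment part; the group and retry checks depend on fields this hunk does not show. process_i starts and ends outside the hunk.
```c
case INVALID_KE_PAYLOAD:
{
	chunk_t data;
	u_int16_t requested;
	diffie_hellman_group_t bad_group;

	data = notify->get_notification_data(notify);
	if (data.len != sizeof(requested))
	{
		DBG1(DBG_IKE, "INVALID_KE_PAYLOAD notify with invalid data length, ignored");
		break;
	}
	/* copy out instead of casting to avoid an unaligned read of the notify data */
	memcpy(&requested, data.ptr, sizeof(requested));
	bad_group = this->dh_group;
	this->dh_group = ntohs(requested);
	/* … unchanged: DBG1 log, task migrate, iterator->destroy, return NEED_MORE … */
}
```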
@@ -652,7 +772,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
process_payloads(this, message);
- if (select_and_install(this) == SUCCESS)
+ if (select_and_install(this, no_dh) == SUCCESS)
{
SIG(CHILD_UP_SUCCESS, "established CHILD_SA successfully");
}
@@ -716,6 +836,7 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
}
DESTROY_IF(this->child_sa);
DESTROY_IF(this->proposal);
+ DESTROY_IF(this->dh);
if (this->proposals)
{
this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
@@ -725,6 +846,7 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
this->proposals = NULL;
this->tsi = NULL;
this->tsr = NULL;
+ this->dh = NULL;
this->child_sa = NULL;
this->mode = MODE_TUNNEL;
this->reqid = 0;
@@ -751,19 +873,20 @@ static void destroy(private_child_create_t *this)
DESTROY_IF(this->child_sa);
}
DESTROY_IF(this->proposal);
+ DESTROY_IF(this->dh);
if (this->proposals)
{
this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
}
- DESTROY_IF(this->policy);
+ DESTROY_IF(this->config);
free(this);
}
/*
* Described in header.
*/
-child_create_t *child_create_create(ike_sa_t *ike_sa, policy_t *policy)
+child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config)
{
private_child_create_t *this = malloc_thing(private_child_create_t);
@@ -773,12 +896,12 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, policy_t *policy)
this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
this->public.task.destroy = (void(*)(task_t*))destroy;
- if (policy)
+ if (config)
{
this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
this->initiator = TRUE;
- policy->get_ref(policy);
+ config->get_ref(config);
}
else
{
@@ -788,13 +911,15 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, policy_t *policy)
}
this->ike_sa = ike_sa;
- this->policy = policy;
+ this->config = config;
this->my_nonce = chunk_empty;
this->other_nonce = chunk_empty;
this->proposals = NULL;
this->proposal = NULL;
this->tsi = NULL;
this->tsr = NULL;
+ this->dh = NULL;
+ this->dh_group = MODP_NONE;
this->child_sa = NULL;
this->mode = MODE_TUNNEL;
this->reqid = 0;
diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h
index 200d37457..9f4815215 100644
--- a/src/charon/sa/tasks/child_create.h
+++ b/src/charon/sa/tasks/child_create.h
@@ -28,7 +28,7 @@ typedef struct child_create_t child_create_t;
#include <library.h>
#include <sa/ike_sa.h>
#include <sa/tasks/task.h>
-#include <config/policies/policy.h>
+#include <config/child_cfg.h>
/**
* @brief Task of type CHILD_CREATE, established a new CHILD_SA.
@@ -80,9 +80,9 @@ struct child_create_t {
* @brief Create a new child_create task.
*
* @param ike_sa IKE_SA this task works for
- * @param policy policy if task initiator, NULL if responder
+ * @param config child_cfg if task initiator, NULL if responder
* @return child_create task to handle by the task_manager
*/
-child_create_t *child_create_create(ike_sa_t *ike_sa, policy_t *policy);
+child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config);
#endif /* CHILD_CREATE_H_ */
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
index 23d509de5..d0b34a276 100644
--- a/src/charon/sa/tasks/child_delete.c
+++ b/src/charon/sa/tasks/child_delete.c
@@ -177,10 +177,29 @@ static void destroy_children(private_child_delete_t *this)
}
/**
+ * send closing signals for all CHILD_SAs over the bus
+ */
+static void log_children(private_child_delete_t *this)
+{
+ iterator_t *iterator;
+ child_sa_t *child_sa;
+
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ SIG(CHILD_DOWN_START, "closing CHILD_SA %#R=== %#R",
+ child_sa->get_traffic_selectors(child_sa, TRUE),
+ child_sa->get_traffic_selectors(child_sa, FALSE));
+ }
+ iterator->destroy(iterator);
+}
+
+/**
* Implementation of task_t.build for initiator
*/
static status_t build_i(private_child_delete_t *this, message_t *message)
{
+ log_children(this);
build_payloads(this, message);
return NEED_MORE;
}
@@ -196,6 +215,7 @@ static status_t process_i(private_child_delete_t *this, message_t *message)
process_payloads(this, message);
destroy_children(this);
+ SIG(CHILD_DOWN_SUCCESS, "CHILD_SA closed");
return SUCCESS;
}
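Review bot: `CHILD_DOWN_SUCCESS` is signalled once per exchange here and again in `build_r` further down, while `log_children` emits one `CHILD_DOWN_START` per CHILD_SA in the delete, so a listener that pairs START with SUCCESS per SA sees an asymmetry whenever the exchange carries several CHILD_SAs, and the SUCCESS fires regardless of how many SAs `destroy_children` actually removed (its body is not in this diff). If the bus contract is one SUCCESS per START, the signal belongs inside the per-SA loop; otherwise a comment such as `/* one CHILD_DOWN_SUCCESS covers all CHILD_SAs of this exchange */` would make the intent explicit.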
@@ -205,6 +225,7 @@ static status_t process_i(private_child_delete_t *this, message_t *message)
static status_t process_r(private_child_delete_t *this, message_t *message)
{
process_payloads(this, message);
+ log_children(this);
return NEED_MORE;
}
@@ -219,6 +240,7 @@ static status_t build_r(private_child_delete_t *this, message_t *message)
build_payloads(this, message);
}
destroy_children(this);
+ SIG(CHILD_DOWN_SUCCESS, "CHILD_SA closed");
return SUCCESS;
}
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
index 745895dbb..4f3c69034 100644
--- a/src/charon/sa/tasks/child_rekey.c
+++ b/src/charon/sa/tasks/child_rekey.c
@@ -27,7 +27,7 @@
#include <encoding/payloads/notify_payload.h>
#include <sa/tasks/child_create.h>
#include <sa/tasks/child_delete.h>
-#include <queues/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
typedef struct private_child_rekey_t private_child_rekey_t;
@@ -183,7 +183,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
u_int32_t spi;
child_sa_t *to_delete;
- this->child_create->task.process(&this->child_create->task, message);
+ if (this->child_create->task.process(&this->child_create->task, message) == NEED_MORE)
+ {
+ /* bad DH group while rekeying, try again */
+ this->child_create->task.migrate(&this->child_create->task, this->ike_sa);
+ return NEED_MORE;
+ }
if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
{
/* establishing new child failed, reuse old. but not when we
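Review bot: The `NEED_MORE` branch re-arms the `child_create` task via `migrate` and returns `NEED_MORE` with no retry bound visible here, so a responder that keeps answering with another INVALID_KE_PAYLOAD keeps this rekeying in a migrate/rebuild cycle unless `child_create` caps its own attempts; its `build_i` is not in this diff, so I cannot confirm it has a counter like the `MAX_RETRIES` check `ike_init`'s `build_i` uses. If it does not, count the attempts here and fall through to the existing failure path once the limit is hit, and state the bound in the comment: `/* bad DH group while rekeying, retry once with the requested group (attempts bounded by child_create) */`. `process_i` continues outside the hunk.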
@@ -192,8 +197,8 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
this->collision->get_type(this->collision) == CHILD_DELETE))
{
job_t *job;
- u_int32_t retry = charon->configuration->get_retry_interval(
- charon->configuration);
+ u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
+
job = (job_t*)rekey_child_sa_job_create(
this->child_sa->get_reqid(this->child_sa),
this->child_sa->get_protocol(this->child_sa),
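Review bot: The retry delay `RETRY_INTERVAL - (random() % RETRY_JITTER)` is computed here and again verbatim in ike_rekey.c's `process_i` (the `case FAILED:` branch); a small shared helper such as `static u_int32_t rekey_retry_delay(void)` would keep the two in step. Because this is an unsigned subtraction, the definitions (not in this diff) need RETRY_JITTER to be non-zero and below RETRY_INTERVAL, or the modulus faults or the delay wraps to a huge value that is then multiplied by 1000; a comment or compile-time check next to the constants would pin that. `random()` is adequate for this purpose since the jitter only spreads retries in time and does not need to be unpredictable. `process_i` continues outside the hunk.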
@@ -315,8 +320,8 @@ static void destroy(private_child_rekey_t *this)
*/
child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, child_sa_t *child_sa)
{
+ child_cfg_t *config;
private_child_rekey_t *this = malloc_thing(private_child_rekey_t);
- policy_t *policy;
this->public.collide = (void (*)(child_rekey_t*,task_t*))collide;
this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
@@ -327,8 +332,8 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, child_sa_t *child_sa)
this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
this->initiator = TRUE;
- policy = child_sa->get_policy(child_sa);
- this->child_create = child_create_create(ike_sa, policy);
+ config = child_sa->get_config(child_sa);
+ this->child_create = child_create_create(ike_sa, config);
}
else
{
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 541e1bb37..d0dd49aee 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -100,18 +100,18 @@ static status_t build_auth(private_ike_auth_t *this, message_t *message)
{
authenticator_t *auth;
auth_payload_t *auth_payload;
- policy_t *policy;
+ peer_cfg_t *config;
auth_method_t method;
status_t status;
/* create own authenticator and add auth payload */
- policy = this->ike_sa->get_policy(this->ike_sa);
- if (!policy)
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (!config)
{
- SIG(IKE_UP_FAILED, "unable to authenticate, no policy found");
+ SIG(IKE_UP_FAILED, "unable to authenticate, no peer config found");
return FAILED;
}
- method = policy->get_auth_method(policy);
+ method = config->get_auth_method(config);
auth = authenticator_create(this->ike_sa, method);
if (auth == NULL)
@@ -140,15 +140,15 @@ static status_t build_id(private_ike_auth_t *this, message_t *message)
{
identification_t *me, *other;
id_payload_t *id;
- policy_t *policy;
+ peer_cfg_t *config;
me = this->ike_sa->get_my_id(this->ike_sa);
other = this->ike_sa->get_other_id(this->ike_sa);
- policy = this->ike_sa->get_policy(this->ike_sa);
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
if (me->contains_wildcards(me))
{
- me = policy->get_my_id(policy);
+ me = config->get_my_id(config);
if (me->contains_wildcards(me))
{
SIG(IKE_UP_FAILED, "negotiation of own ID failed");
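Review bot: `build_id` dereferences `config` on `me = config->get_my_id(config)` without the NULL check that `build_auth` performs a few lines earlier in this file (`if (!config) { SIG(IKE_UP_FAILED, ...); return FAILED; }`), and `build_r` below also treats a NULL `get_peer_cfg` result as possible. If the config can be missing when the own ID still contains wildcards, this branch crashes instead of failing the exchange; guard it the same way, e.g. `if (!config) { SIG(IKE_UP_FAILED, "negotiation of own ID failed, no peer config found"); return FAILED; }` before the wildcard test. `build_id` continues outside the hunk.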
@@ -202,7 +202,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
auth->destroy(auth);
if (status != SUCCESS)
{
- SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+ SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
auth_method_names, auth_method);
return FAILED;
@@ -215,7 +215,7 @@ static status_t process_auth(private_ike_auth_t *this, message_t *message)
*/
static status_t process_id(private_ike_auth_t *this, message_t *message)
{
- identification_t *id;
+ identification_t *id, *req;
id_payload_t *idr, *idi;
idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
@@ -230,6 +230,13 @@ static status_t process_id(private_ike_auth_t *this, message_t *message)
if (this->initiator)
{
id = idr->get_identification(idr);
+ req = this->ike_sa->get_other_id(this->ike_sa);
+ if (!id->matches(id, req, NULL))
+ {
+ SIG(IKE_UP_FAILED, "peer ID %D unacceptable, %D required", id, req);
+ id->destroy(id);
+ return FAILED;
+ }
this->ike_sa->set_other_id(this->ike_sa, id);
}
else
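Review bot: The new initiator-side check that the responder's IDr matches the configured peer identity deserves a comment, because it is the one place the asserted identity is compared with what was configured before `set_other_id` replaces it on the IKE_SA; suggest `/* the responder must present the identity we were configured to talk to; an unexpected IDr is rejected before it is bound to the IKE_SA */`. The third argument `NULL` to `matches` is unexplained — presumably an optional out-parameter — and naming it in a short comment would help the next reader. `process_id` continues outside the hunk.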
@@ -346,7 +353,7 @@ static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
if (!this->peer_authenticated)
{
- SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+ SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
auth_method_names, AUTH_EAP);
if (this->initiator)
@@ -444,7 +451,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
break;
default:
- SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+ SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed",
this->ike_sa->get_other_id(this->ike_sa),
auth_method_names, AUTH_EAP);
status = FAILED;
@@ -459,7 +466,7 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
*/
static status_t build_i(private_ike_auth_t *this, message_t *message)
{
- policy_t *policy;
+ peer_cfg_t *config;
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
@@ -471,8 +478,8 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
return FAILED;
}
- policy = this->ike_sa->get_policy(this->ike_sa);
- if (policy->get_auth_method(policy) == AUTH_EAP)
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (config->get_auth_method(config) == AUTH_EAP)
{
this->eap_auth = eap_authenticator_create(this->ike_sa);
}
@@ -488,10 +495,12 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
}
/**
- * Implementation of task_t.process for initiator
+ * Implementation of task_t.process for responder
*/
static status_t process_r(private_ike_auth_t *this, message_t *message)
-{
+{
+ peer_cfg_t *config;
+
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
return collect_other_init_data(this, message);
@@ -514,6 +523,17 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
default:
break;
}
+
+ config = charon->backends->get_peer_cfg(charon->backends,
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->ike_sa->get_other_ca(this->ike_sa));
+ if (config)
+ {
+ this->ike_sa->set_peer_cfg(this->ike_sa, config);
+ config->destroy(config);
+ }
+
return NEED_MORE;
}
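Review bot: `config->destroy(config)` immediately after `set_peer_cfg` is only correct if `set_peer_cfg` takes its own reference on the config; that is plausible given the `get_ref` calls elsewhere in this diff, but the assumption should be written down, e.g. `/* set_peer_cfg takes its own reference; release the one returned by the backend */`. A `DBG1` when the lookup returns NULL would also help, since the failure is otherwise only reported later by `build_r`. `process_r` continues outside the hunk.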
@@ -522,7 +542,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
*/
static status_t build_r(private_ike_auth_t *this, message_t *message)
{
- policy_t *policy;
+ peer_cfg_t *config;
eap_type_t eap_type;
eap_payload_t *eap_payload;
status_t status;
@@ -532,10 +552,12 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
return collect_my_init_data(this, message);
}
- policy = this->ike_sa->get_policy(this->ike_sa);
- if (policy == NULL)
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (config == NULL)
{
- SIG(IKE_UP_FAILED, "no acceptable policy found");
+ SIG(IKE_UP_FAILED, "no matching config found for %D...%D",
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
return FAILED;
}
@@ -567,7 +589,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
}
/* initiate EAP authenitcation */
- eap_type = policy->get_eap_type(policy);
+ eap_type = config->get_eap_type(config);
status = this->eap_auth->initiate(this->eap_auth, eap_type, &eap_payload);
message->add_payload(message, (payload_t*)eap_payload);
if (status != NEED_MORE)
diff --git a/src/charon/sa/tasks/ike_cert.c b/src/charon/sa/tasks/ike_cert.c
index 160600742..880ed9c42 100644
--- a/src/charon/sa/tasks/ike_cert.c
+++ b/src/charon/sa/tasks/ike_cert.c
@@ -84,7 +84,7 @@ static void process_certreqs(private_ike_cert_t *this, message_t *message)
encoding = certreq->get_cert_encoding(certreq);
if (encoding != CERT_X509_SIGNATURE)
{
- DBG1(DBG_IKE, "certreq payload %N not supported, ignored",
+ DBG1(DBG_IKE, "certreq payload %N not supported - ignored",
cert_encoding_names, encoding);
continue;
}
@@ -125,7 +125,7 @@ static void process_certs(private_ike_cert_t *this, message_t *message)
encoding = cert_payload->get_cert_encoding(cert_payload);
if (encoding != CERT_X509_SIGNATURE)
{
- DBG1(DBG_IKE, "certificate payload %N not supported, ignored",
+ DBG1(DBG_IKE, "certificate payload %N not supported - ignored",
cert_encoding_names, encoding);
continue;
}
@@ -134,31 +134,29 @@ static void process_certs(private_ike_cert_t *this, message_t *message)
cert = x509_create_from_chunk(cert_data, 0);
if (cert)
{
- if (charon->credentials->verify(charon->credentials,
- cert, &found))
+ if (charon->credentials->verify(charon->credentials, cert, &found))
{
- DBG2(DBG_IKE, "received end entity certificate is trusted, "
- "added to store");
- if (!found)
+ DBG2(DBG_IKE, "received end entity certificate is trusted - "
+ "added to store");
+ if (found)
{
- charon->credentials->add_end_certificate(
- charon->credentials, cert);
+ cert->destroy(cert);
}
else
{
- cert->destroy(cert);
+ charon->credentials->add_end_certificate(charon->credentials, cert);
}
}
else
{
- DBG1(DBG_IKE, "received end entity certificate is not "
- "trusted, discarded");
+ DBG1(DBG_IKE, "received end entity certificate is not trusted - "
+ "discarded");
cert->destroy(cert);
}
}
else
{
- DBG1(DBG_IKE, "parsing of received certificate failed, discarded");
+ DBG1(DBG_IKE, "parsing of received certificate failed - discarded");
chunk_free(&cert_data);
}
}
@@ -171,20 +169,20 @@ static void process_certs(private_ike_cert_t *this, message_t *message)
*/
static void build_certreqs(private_ike_cert_t *this, message_t *message)
{
- connection_t *connection;
- policy_t *policy;
+ ike_cfg_t *ike_cfg;
+ peer_cfg_t *peer_cfg;
identification_t *ca;
certreq_payload_t *certreq;
- connection = this->ike_sa->get_connection(this->ike_sa);
+ ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
- if (connection->get_certreq_policy(connection) != CERT_NEVER_SEND)
+ if (ike_cfg->send_certreq(ike_cfg) != CERT_NEVER_SEND)
{
- policy = this->ike_sa->get_policy(this->ike_sa);
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (policy)
+ if (peer_cfg)
{
- ca = policy->get_other_ca(policy);
+ ca = peer_cfg->get_other_ca(peer_cfg);
if (ca && ca->get_type(ca) != ID_ANY)
{
@@ -212,17 +210,15 @@ static void build_certreqs(private_ike_cert_t *this, message_t *message)
*/
static void build_certs(private_ike_cert_t *this, message_t *message)
{
- policy_t *policy;
- connection_t *connection;
+ peer_cfg_t *peer_cfg;
x509_t *cert;
cert_payload_t *payload;
- policy = this->ike_sa->get_policy(this->ike_sa);
- connection = this->ike_sa->get_connection(this->ike_sa);
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (policy && policy->get_auth_method(policy) == AUTH_RSA)
+ if (peer_cfg && peer_cfg->get_auth_method(peer_cfg) == AUTH_RSA)
{
- switch (connection->get_cert_policy(connection))
+ switch (peer_cfg->get_cert_policy(peer_cfg))
{
case CERT_NEVER_SEND:
break;
@@ -236,7 +232,7 @@ static void build_certs(private_ike_cert_t *this, message_t *message)
{
/* TODO: respect CA cert request */
cert = charon->credentials->get_certificate(charon->credentials,
- policy->get_my_id(policy));
+ peer_cfg->get_my_id(peer_cfg));
if (cert)
{
payload = cert_payload_create_from_x509(cert);
diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c
index ce29b9220..3c73395a5 100644
--- a/src/charon/sa/tasks/ike_config.c
+++ b/src/charon/sa/tasks/ike_config.c
@@ -49,11 +49,6 @@ struct private_ike_config_t {
bool initiator;
/**
- * associated policy with virtual IP configuration
- */
- policy_t *policy;
-
- /**
* virtual ip
*/
host_t *virtual_ip;
@@ -266,7 +261,20 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
if (message->get_exchange_type(message) == IKE_AUTH &&
message->get_payload(message, ID_INITIATOR))
{
- this->virtual_ip = this->policy->get_virtual_ip(this->policy, NULL);
+ peer_cfg_t *config;
+ host_t *vip;
+
+ /* reuse virtual IP if we already have one */
+ vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+ if (vip)
+ {
+ this->virtual_ip = vip->clone(vip);
+ }
+ else
+ {
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ this->virtual_ip = config->get_my_virtual_ip(config);
+ }
build_payloads(this, message, CFG_REQUEST);
}
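Review bot: `config->get_my_virtual_ip(config)` is called on the result of `get_peer_cfg` without a NULL check, here and again in the `process_i` hunk below (the `if (this->virtual_ip == NULL)` branch), whereas `build_r` in this same file still guards `config` before using it. On the initiator a peer config is presumably always set before this task runs, but that is not visible in the diff; either add the guard or document the invariant, e.g. `/* initiator: peer_cfg is set before the task is built, no NULL check needed */`. `build_i` continues outside the hunk.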
@@ -295,17 +303,18 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
if (message->get_exchange_type(message) == IKE_AUTH &&
message->get_payload(message, EXTENSIBLE_AUTHENTICATION) == NULL)
{
- this->policy = this->ike_sa->get_policy(this->ike_sa);
+ peer_cfg_t *config = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (this->policy && this->virtual_ip)
+ if (config && this->virtual_ip)
{
host_t *ip;
DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
- ip = this->policy->get_virtual_ip(this->policy, this->virtual_ip);
+ ip = config->get_other_virtual_ip(config, this->virtual_ip);
if (ip == NULL || ip->is_anyaddr(ip))
{
DBG1(DBG_IKE, "not assigning a virtual IP to peer");
+ DESTROY_IF(ip);
return SUCCESS;
}
DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip);
@@ -340,13 +349,20 @@ static status_t process_i(private_ike_config_t *this, message_t *message)
!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
{
host_t *ip;
+ peer_cfg_t *config;
DESTROY_IF(this->virtual_ip);
this->virtual_ip = NULL;
process_payloads(this, message);
+
+ if (this->virtual_ip == NULL)
+ { /* force a configured virtual IP, even server didn't return one */
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ this->virtual_ip = config->get_my_virtual_ip(config);
+ }
- if (this->virtual_ip)
+ if (this->virtual_ip && !this->virtual_ip->is_anyaddr(this->virtual_ip))
{
this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip);
@@ -398,7 +414,7 @@ static void destroy(private_ike_config_t *this)
/*
* Described in header.
*/
-ike_config_t *ike_config_create(ike_sa_t *ike_sa, policy_t *policy)
+ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
{
private_ike_config_t *this = malloc_thing(private_ike_config_t);
@@ -406,21 +422,18 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, policy_t *policy)
this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
this->public.task.destroy = (void(*)(task_t*))destroy;
- if (policy)
+ if (initiator)
{
this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
- this->initiator = TRUE;
}
else
{
this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
- this->initiator = FALSE;
}
-
+ this->initiator = initiator;
this->ike_sa = ike_sa;
- this->policy = policy;
this->virtual_ip = NULL;
this->dns = linked_list_create();
diff --git a/src/charon/sa/tasks/ike_config.h b/src/charon/sa/tasks/ike_config.h
index 0c9b961b4..a7cfddff0 100644
--- a/src/charon/sa/tasks/ike_config.h
+++ b/src/charon/sa/tasks/ike_config.h
@@ -28,7 +28,6 @@ typedef struct ike_config_t ike_config_t;
#include <library.h>
#include <sa/ike_sa.h>
#include <sa/tasks/task.h>
-#include <config/policies/policy.h>
/**
* @brief Task of type IKE_CONFIG, sets up a virtual IP and other
@@ -51,9 +50,9 @@ struct ike_config_t {
* @brief Create a new ike_config task.
*
* @param ike_sa IKE_SA this task works for
- * @param policy policy for the initiator, NULL for the responder
+ * @param initiator TRUE for initiator
* @return ike_config task to handle by the task_manager
*/
-ike_config_t *ike_config_create(ike_sa_t *ike_sa, policy_t *policy);
+ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator);
#endif /* IKE_CONFIG_H_ */
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
index 9c4fdac0e..1a3656ca6 100644
--- a/src/charon/sa/tasks/ike_delete.c
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -28,7 +28,7 @@
typedef struct private_ike_delete_t private_ike_delete_t;
-/**
+/**file
* Private members of a ike_delete_t task.
*/
struct private_ike_delete_t {
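Review bot: `/**file` on the comment opener of `private_ike_delete_t` looks like a stray edit: the only change in this hunk turns `/**` into `/**file`, which is not a valid doxygen command and leaves the comment starting with the word "file". Restore `/**`.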
@@ -94,7 +94,6 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
DBG1(DBG_IKE, "deleting IKE_SA on request");
break;
case IKE_REKEYING:
- DBG1(DBG_IKE, "initiated rekeying, but received delete for IKE_SA");
break;
default:
break;
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
index 0b493666a..f78b5dd66 100644
--- a/src/charon/sa/tasks/ike_init.c
+++ b/src/charon/sa/tasks/ike_init.c
@@ -57,9 +57,9 @@ struct private_ike_init_t {
bool initiator;
/**
- * Connection established by this IKE_SA
+ * IKE config to establish
*/
- connection_t *connection;
+ ike_cfg_t *config;
/**
* diffie hellman group to use
@@ -69,7 +69,7 @@ struct private_ike_init_t {
/**
* Diffie hellman object used to generate public DH value.
*/
- diffie_hellman_t *diffie_hellman;
+ diffie_hellman_t *dh;
/**
* nonce chosen by us
@@ -117,11 +117,11 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
id = this->ike_sa->get_id(this->ike_sa);
- this->connection = this->ike_sa->get_connection(this->ike_sa);
+ this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
if (this->initiator)
{
- proposal_list = this->connection->get_proposals(this->connection);
+ proposal_list = this->config->get_proposals(this->config);
if (this->old_sa)
{
/* include SPI of new IKE_SA when we are rekeying */
@@ -151,7 +151,7 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
nonce_payload->set_nonce(nonce_payload, this->my_nonce);
message->add_payload(message, (payload_t*)nonce_payload);
- ke_payload = ke_payload_create_from_diffie_hellman(this->diffie_hellman);
+ ke_payload = ke_payload_create_from_diffie_hellman(this->dh);
message->add_payload(message, (payload_t*)ke_payload);
}
@@ -174,8 +174,8 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
linked_list_t *proposal_list;
proposal_list = sa_payload->get_proposals(sa_payload);
- this->proposal = this->connection->select_proposal(
- this->connection, proposal_list);
+ this->proposal = this->config->select_proposal(this->config,
+ proposal_list);
proposal_list->destroy_offset(proposal_list,
offsetof(proposal_t, destroy));
break;
@@ -183,34 +183,16 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
case KEY_EXCHANGE:
{
ke_payload_t *ke_payload = (ke_payload_t*)payload;
- diffie_hellman_group_t dh_group;
- chunk_t key_data;
- dh_group = ke_payload->get_dh_group_number(ke_payload);
-
- if (this->initiator)
+ this->dh_group = ke_payload->get_dh_group_number(ke_payload);
+ if (!this->initiator)
{
- if (dh_group != this->dh_group)
- {
- DBG1(DBG_IKE, "received a DH group not requested (%N)",
- diffie_hellman_group_names, dh_group);
- break;
- }
+ this->dh = diffie_hellman_create(this->dh_group);
}
- else
+ if (this->dh)
{
- this->dh_group = dh_group;
- if (!this->connection->check_dh_group(this->connection,
- dh_group))
- {
- break;
- }
- this->diffie_hellman = diffie_hellman_create(dh_group);
- }
- if (this->diffie_hellman)
- {
- key_data = ke_payload->get_key_exchange_data(ke_payload);
- this->diffie_hellman->set_other_public_value(this->diffie_hellman, key_data);
+ this->dh->set_other_public_value(this->dh,
+ ke_payload->get_key_exchange_data(ke_payload));
}
break;
}
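Review bot: On the initiator side `process_payloads` now overwrites `this->dh_group` with the number from the peer's KE payload without comparing it with the group `this->dh` was created from (the removed code did exactly that), so a KE payload for a different group is fed into `set_other_public_value` of a DH object of another group and the mismatch only surfaces later as a failed shared secret or authentication; the later `has_dh_group(this->proposal, this->dh_group)` check in `process_i` may not catch it if the selected proposal carries more than one group. Keep the comparison, e.g. `if (this->initiator && ke_payload->get_dh_group_number(ke_payload) != this->dh_group) { DBG1(DBG_IKE, "received a DH group not requested"); break; }` before the assignment. On the responder side a second KE payload in the same message would overwrite `this->dh` without destroying the previous object; a `DESTROY_IF(this->dh)` before `diffie_hellman_create`, or rejecting the duplicate, closes that leak.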
@@ -235,9 +217,9 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
randomizer_t *randomizer;
status_t status;
- this->connection = this->ike_sa->get_connection(this->ike_sa);
+ this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
SIG(IKE_UP_START, "initiating IKE_SA to %H",
- this->connection->get_other_host(this->connection));
+ this->config->get_other_host(this->config));
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
if (this->retry++ >= MAX_RETRIES)
@@ -247,11 +229,11 @@ static status_t build_i(private_ike_init_t *this, message_t *message)
}
/* if the DH group is set via use_dh_group(), we already have a DH object */
- if (!this->diffie_hellman)
+ if (!this->dh)
{
- this->dh_group = this->connection->get_dh_group(this->connection);
- this->diffie_hellman = diffie_hellman_create(this->dh_group);
- if (this->diffie_hellman == NULL)
+ this->dh_group = this->config->get_dh_group(this->config);
+ this->dh = diffie_hellman_create(this->dh_group);
+ if (this->dh == NULL)
{
SIG(IKE_UP_FAILED, "configured DH group %N not supported",
diffie_hellman_group_names, this->dh_group);
@@ -291,7 +273,7 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
{
randomizer_t *randomizer;
- this->connection = this->ike_sa->get_connection(this->ike_sa);
+ this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
SIG(IKE_UP_FAILED, "%H is initiating an IKE_SA",
message->get_source(message));
this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
@@ -326,25 +308,29 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
return FAILED;
}
- if (this->diffie_hellman == NULL ||
- this->diffie_hellman->get_shared_secret(this->diffie_hellman,
- &secret) != SUCCESS)
+ if (this->dh == NULL ||
+ !this->proposal->has_dh_group(this->proposal, this->dh_group) ||
+ this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
{
- chunk_t chunk;
- u_int16_t dh_enc;
-
- SIG(IKE_UP_FAILED, "received inacceptable DH group (%N)",
- diffie_hellman_group_names, this->dh_group);
- this->dh_group = this->connection->get_dh_group(this->connection);
- dh_enc = htons(this->dh_group);
- chunk.ptr = (u_int8_t*)&dh_enc;
- chunk.len = sizeof(dh_enc);
- message->add_notify(message, TRUE, INVALID_KE_PAYLOAD, chunk);
- DBG1(DBG_IKE, "requesting DH group %N",
- diffie_hellman_group_names, this->dh_group);
+ algorithm_t *algo;
+ if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
+ &algo))
+ {
+ u_int16_t group = algo->algorithm;
+ SIG(CHILD_UP_FAILED, "DH group %N inacceptable, requesting %N",
+ diffie_hellman_group_names, this->dh_group,
+ diffie_hellman_group_names, group);
+ this->dh_group = group;
+ group = htons(group);
+ message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
+ chunk_from_thing(group));
+ }
+ else
+ {
+ SIG(IKE_UP_FAILED, "no acceptable proposal found");
+ }
return FAILED;
}
-
if (this->old_sa)
{
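Review bot: The INVALID_KE_PAYLOAD branch signals `CHILD_UP_FAILED` although this is IKE_SA_INIT processing in `ike_init`; the `else` branch right below and the line the commit removes both use `IKE_UP_FAILED`, so listeners keyed on IKE_UP_* would miss this failure. Change it to `SIG(IKE_UP_FAILED, "DH group %N inacceptable, requesting %N", ...)`. The second argument of `add_notify` also changes from `TRUE` to `FALSE` without a comment; if that is intentional, a one-line note on why would help. `build_r` starts and ends outside the hunk.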
@@ -405,27 +391,20 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
case INVALID_KE_PAYLOAD:
{
chunk_t data;
- diffie_hellman_group_t old_dh_group;
+ diffie_hellman_group_t bad_group;
- old_dh_group = this->dh_group;
+ bad_group = this->dh_group;
data = notify->get_notification_data(notify);
this->dh_group = ntohs(*((u_int16_t*)data.ptr));
-
- DBG1(DBG_IKE, "peer didn't accept DH group %N, it requested"
- " %N", diffie_hellman_group_names, old_dh_group,
- diffie_hellman_group_names, this->dh_group);
- if (!this->connection->check_dh_group(this->connection,
- this->dh_group))
- {
- DBG1(DBG_IKE, "requested DH group %N not acceptable, "
- "giving up", diffie_hellman_group_names,
- this->dh_group);
- iterator->destroy(iterator);
- return FAILED;
+ DBG1(DBG_IKE, "peer didn't accept DH group %N, "
+ "it requested %N", diffie_hellman_group_names,
+ bad_group, diffie_hellman_group_names, this->dh_group);
+
+ if (this->old_sa == NULL)
+ { /* reset the IKE_SA if we are not rekeying */
+ this->ike_sa->reset(this->ike_sa);
}
- this->ike_sa->reset(this->ike_sa);
-
iterator->destroy(iterator);
return NEED_MORE;
}
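Review bot: The group taken from the INVALID_KE_PAYLOAD notify is used as-is: `data.len` is never checked against `sizeof(u_int16_t)` before `ntohs(*((u_int16_t*)data.ptr))` (that line is unchanged context, but the commit rewrites the validation around it), and the removed `check_dh_group` call is not replaced, so the requested group is only validated against the configuration on the next round trip via `has_dh_group` in the later `process_i` hunk. A length guard, e.g. `if (data.len < sizeof(u_int16_t)) { iterator->destroy(iterator); return FAILED; }`, plus a check that the group is among the configured ones before `reset`, would reject a malformed or unconfigured request without spending one of the `MAX_RETRIES` attempts. `process_i` starts and ends outside the hunk.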
@@ -470,9 +449,9 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
return FAILED;
}
- if (this->diffie_hellman == NULL ||
- this->diffie_hellman->get_shared_secret(this->diffie_hellman,
- &secret) != SUCCESS)
+ if (this->dh == NULL ||
+ !this->proposal->has_dh_group(this->proposal, this->dh_group) ||
+ this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
{
SIG(IKE_UP_FAILED, "peers DH group selection invalid");
return FAILED;
@@ -539,12 +518,12 @@ static chunk_t get_lower_nonce(private_ike_init_t *this)
static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
{
DESTROY_IF(this->proposal);
- DESTROY_IF(this->diffie_hellman);
+ DESTROY_IF(this->dh);
chunk_free(&this->other_nonce);
this->ike_sa = ike_sa;
this->proposal = NULL;
- this->diffie_hellman = diffie_hellman_create(this->dh_group);
+ this->dh = diffie_hellman_create(this->dh_group);
}
/**
@@ -553,7 +532,7 @@ static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
static void destroy(private_ike_init_t *this)
{
DESTROY_IF(this->proposal);
- DESTROY_IF(this->diffie_hellman);
+ DESTROY_IF(this->dh);
chunk_free(&this->my_nonce);
chunk_free(&this->other_nonce);
chunk_free(&this->cookie);
@@ -585,12 +564,12 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
this->ike_sa = ike_sa;
this->initiator = initiator;
this->dh_group = MODP_NONE;
- this->diffie_hellman = NULL;
+ this->dh = NULL;
this->my_nonce = chunk_empty;
this->other_nonce = chunk_empty;
this->cookie = chunk_empty;
this->proposal = NULL;
- this->connection = NULL;
+ this->config = NULL;
this->old_sa = old_sa;
this->retry = 0;
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index a33e7ee34..d54fc3524 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -26,8 +26,8 @@
#include <daemon.h>
#include <encoding/payloads/notify_payload.h>
#include <sa/tasks/ike_init.h>
-#include <queues/jobs/delete_ike_sa_job.h>
-#include <queues/jobs/rekey_ike_sa_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
typedef struct private_ike_rekey_t private_ike_rekey_t;
@@ -73,21 +73,20 @@ struct private_ike_rekey_t {
*/
static status_t build_i(private_ike_rekey_t *this, message_t *message)
{
- connection_t *connection;
- policy_t *policy;
+ peer_cfg_t *peer_cfg;
- this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
- TRUE);
-
- connection = this->ike_sa->get_connection(this->ike_sa);
- policy = this->ike_sa->get_policy(this->ike_sa);
- this->new_sa->set_connection(this->new_sa, connection);
- this->new_sa->set_policy(this->new_sa, policy);
-
- this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
+ /* create new SA only on first try */
+ if (this->new_sa == NULL)
+ {
+ this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+ TRUE);
+
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
+ this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
+ this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
+ }
this->ike_init->task.build(&this->ike_init->task, message);
-
- this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
return NEED_MORE;
}
@@ -97,8 +96,7 @@ static status_t build_i(private_ike_rekey_t *this, message_t *message)
*/
static status_t process_r(private_ike_rekey_t *this, message_t *message)
{
- connection_t *connection;
- policy_t *policy;
+ peer_cfg_t *peer_cfg;
iterator_t *iterator;
child_sa_t *child_sa;
@@ -129,11 +127,8 @@ static status_t process_r(private_ike_rekey_t *this, message_t *message)
this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
FALSE);
- connection = this->ike_sa->get_connection(this->ike_sa);
- policy = this->ike_sa->get_policy(this->ike_sa);
- this->new_sa->set_connection(this->new_sa, connection);
- this->new_sa->set_policy(this->new_sa, policy);
-
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
this->ike_init->task.process(&this->ike_init->task, message);
@@ -171,23 +166,29 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
job_t *job;
ike_sa_id_t *to_delete;
- if (this->ike_init->task.process(&this->ike_init->task, message) == FAILED)
+ switch (this->ike_init->task.process(&this->ike_init->task, message))
{
- /* rekeying failed, fallback to old SA */
- if (!(this->collision &&
- this->collision->get_type(this->collision) == IKE_DELETE))
- {
- job_t *job;
- u_int32_t retry = charon->configuration->get_retry_interval(
- charon->configuration);
- job = (job_t*)rekey_ike_sa_job_create(
- this->ike_sa->get_id(this->ike_sa), FALSE);
- DBG1(DBG_IKE, "IKE_SA rekeying failed, "
- "trying again in %d seconds", retry);
- this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- charon->event_queue->add_relative(charon->event_queue, job, retry * 1000);
- }
- return SUCCESS;
+ case FAILED:
+ /* rekeying failed, fallback to old SA */
+ if (!(this->collision &&
+ this->collision->get_type(this->collision) == IKE_DELETE))
+ {
+ job_t *job;
+ u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
+ job = (job_t*)rekey_ike_sa_job_create(
+ this->ike_sa->get_id(this->ike_sa), FALSE);
+ DBG1(DBG_IKE, "IKE_SA rekeying failed, "
+ "trying again in %d seconds", retry);
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ charon->event_queue->add_relative(charon->event_queue, job, retry * 1000);
+ }
+ return SUCCESS;
+ case NEED_MORE:
+ /* bad dh group, try again */
+ this->ike_init->task.migrate(&this->ike_init->task, this->new_sa);
+ return NEED_MORE;
+ default:
+ break;
}
this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
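Review bot: In the `case FAILED:` branch the inner `job_t *job;` shadows the `job_t *job;` declared at the top of `process_i` a few lines above; the shadowing pre-dates this change, but since the block was rewritten here the inner declaration should be dropped. The `NEED_MORE` case migrates `ike_init` onto `this->new_sa` and retries, which is bounded by the `MAX_RETRIES` check in `ike_init`'s `build_i`; saying so in the comment makes the loop's termination obvious: `/* bad dh group, try again (ike_init caps attempts via MAX_RETRIES) */`. `process_i` continues outside the hunk.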
diff --git a/src/charon/threads/stroke_interface.c b/src/charon/threads/stroke_interface.c
deleted file mode 100755
index a9074debb..000000000
--- a/src/charon/threads/stroke_interface.c
+++ /dev/null
@@ -1,1456 +0,0 @@
-/**
- * @file stroke.c
- *
- * @brief Implementation of stroke_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <sys/fcntl.h>
-#include <unistd.h>
-#include <dirent.h>
-#include <errno.h>
-#include <pthread.h>
-#include <signal.h>
-
-#include "stroke_interface.h"
-
-#include <library.h>
-#include <stroke.h>
-#include <daemon.h>
-#include <crypto/x509.h>
-#include <crypto/ca.h>
-#include <crypto/crl.h>
-#include <queues/jobs/initiate_job.h>
-#include <queues/jobs/route_job.h>
-#include <utils/leak_detective.h>
-
-#define IKE_PORT 500
-#define PATH_BUF 256
-
-
-struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
-
-
-typedef struct private_stroke_t private_stroke_t;
-
-/**
- * Private data of an stroke_t object.
- */
-struct private_stroke_t {
-
- /**
- * Public part of stroke_t object.
- */
- stroke_t public;
-
- /**
- * Output stream (stroke console)
- */
- FILE *out;
-
- /**
- * Unix socket to listen for strokes
- */
- int socket;
-
- /**
- * Thread which reads from the Socket
- */
- pthread_t assigned_thread;
-};
-
-/**
- * Helper function which corrects the string pointers
- * in a stroke_msg_t. Strings in a stroke_msg sent over "wire"
- * contains RELATIVE addresses (relative to the beginning of the
- * stroke_msg). They must be corrected if they reach our address
- * space...
- */
-static void pop_string(stroke_msg_t *msg, char **string)
-{
- if (*string == NULL)
- return;
-
- /* check for sanity of string pointer and string */
- if (string < (char**)msg
- || string > (char**)msg + sizeof(stroke_msg_t)
- || (unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg)
- || (unsigned long)*string > msg->length)
- {
- *string = "(invalid pointer in stroke msg)";
- }
- else
- {
- *string = (char*)msg + (unsigned long)*string;
- }
-}
-
-/**
- * Load end entitity certificate
- */
-static x509_t* load_end_certificate(const char *filename, identification_t **idp)
-{
- char path[PATH_BUF];
- x509_t *cert;
-
- if (*filename == '/')
- {
- /* absolute path name */
- snprintf(path, sizeof(path), "%s", filename);
- }
- else
- {
- /* relative path name */
- snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
- }
-
- cert = x509_create_from_file(path, "end entity");
-
- if (cert)
- {
- identification_t *id = *idp;
- identification_t *subject = cert->get_subject(cert);
-
- err_t ugh = cert->is_valid(cert, NULL);
-
- if (ugh != NULL)
- {
- DBG1(DBG_CFG, "warning: certificate %s", ugh);
- }
- if (!id->equals(id, subject) && !cert->equals_subjectAltName(cert, id))
- {
- id->destroy(id);
- id = subject;
- *idp = id->clone(id);
- }
- return charon->credentials->add_end_certificate(charon->credentials, cert);
- }
- return NULL;
-}
-
-/**
- * Load ca certificate
- */
-static x509_t* load_ca_certificate(const char *filename)
-{
- char path[PATH_BUF];
- x509_t *cert;
-
- if (*filename == '/')
- {
- /* absolute path name */
- snprintf(path, sizeof(path), "%s", filename);
- }
- else
- {
- /* relative path name */
- snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
- }
-
- cert = x509_create_from_file(path, "ca");
-
- if (cert)
- {
- if (cert->is_ca(cert))
- {
- return charon->credentials->add_auth_certificate(charon->credentials, cert, AUTH_CA);
- }
- else
- {
- DBG1(DBG_CFG, " CA basic constraints flag not set, cert discarded");
- cert->destroy(cert);
- }
- }
- return NULL;
-}
-
-/**
- * Add a connection to the configuration list
- */
-static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
-{
- connection_t *connection;
- policy_t *policy;
- identification_t *my_id, *other_id;
- identification_t *my_ca = NULL;
- identification_t *other_ca = NULL;
- bool my_ca_same = FALSE;
- bool other_ca_same =FALSE;
- host_t *my_host, *other_host, *my_subnet, *other_subnet;
- host_t *my_vip = NULL, *other_vip = NULL;
- proposal_t *proposal;
- traffic_selector_t *my_ts, *other_ts;
- char *interface;
-
- pop_string(msg, &msg->add_conn.name);
- pop_string(msg, &msg->add_conn.me.address);
- pop_string(msg, &msg->add_conn.other.address);
- pop_string(msg, &msg->add_conn.me.subnet);
- pop_string(msg, &msg->add_conn.other.subnet);
- pop_string(msg, &msg->add_conn.me.sourceip);
- pop_string(msg, &msg->add_conn.other.sourceip);
- pop_string(msg, &msg->add_conn.me.id);
- pop_string(msg, &msg->add_conn.other.id);
- pop_string(msg, &msg->add_conn.me.cert);
- pop_string(msg, &msg->add_conn.other.cert);
- pop_string(msg, &msg->add_conn.me.ca);
- pop_string(msg, &msg->add_conn.other.ca);
- pop_string(msg, &msg->add_conn.me.updown);
- pop_string(msg, &msg->add_conn.other.updown);
- pop_string(msg, &msg->add_conn.algorithms.ike);
- pop_string(msg, &msg->add_conn.algorithms.esp);
-
- DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name);
-
- DBG2(DBG_CFG, "conn %s", msg->add_conn.name);
- DBG2(DBG_CFG, " left=%s", msg->add_conn.me.address);
- DBG2(DBG_CFG, " right=%s", msg->add_conn.other.address);
- DBG2(DBG_CFG, " leftsubnet=%s", msg->add_conn.me.subnet);
- DBG2(DBG_CFG, " rightsubnet=%s", msg->add_conn.other.subnet);
- DBG2(DBG_CFG, " leftsourceip=%s", msg->add_conn.me.sourceip);
- DBG2(DBG_CFG, " rightsourceip=%s", msg->add_conn.other.sourceip);
- DBG2(DBG_CFG, " leftid=%s", msg->add_conn.me.id);
- DBG2(DBG_CFG, " rightid=%s", msg->add_conn.other.id);
- DBG2(DBG_CFG, " leftcert=%s", msg->add_conn.me.cert);
- DBG2(DBG_CFG, " rightcert=%s", msg->add_conn.other.cert);
- DBG2(DBG_CFG, " leftca=%s", msg->add_conn.me.ca);
- DBG2(DBG_CFG, " rightca=%s", msg->add_conn.other.ca);
- DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
- DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
-
- my_host = msg->add_conn.me.address?
- host_create_from_string(msg->add_conn.me.address, IKE_PORT) : NULL;
- if (my_host == NULL)
- {
- DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address);
- return;
- }
-
- other_host = msg->add_conn.other.address ?
- host_create_from_string(msg->add_conn.other.address, IKE_PORT) : NULL;
- if (other_host == NULL)
- {
- DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address);
- my_host->destroy(my_host);
- return;
- }
-
- interface = charon->kernel_interface->get_interface(charon->kernel_interface,
- other_host);
- if (interface)
- {
- stroke_end_t tmp_end;
- host_t *tmp_host;
-
- DBG2(DBG_CFG, "left is other host, swapping ends\n");
-
- tmp_host = my_host;
- my_host = other_host;
- other_host = tmp_host;
-
- tmp_end = msg->add_conn.me;
- msg->add_conn.me = msg->add_conn.other;
- msg->add_conn.other = tmp_end;
- free(interface);
- }
- if (!interface)
- {
- interface = charon->kernel_interface->get_interface(
- charon->kernel_interface, my_host);
- if (!interface)
- {
- DBG1(DBG_CFG, "left nor right host is our side, aborting\n");
- goto destroy_hosts;
- }
- free(interface);
- }
-
- my_id = identification_create_from_string(msg->add_conn.me.id ?
- msg->add_conn.me.id : msg->add_conn.me.address);
- if (my_id == NULL)
- {
- DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id);
- goto destroy_hosts;
- }
-
- other_id = identification_create_from_string(msg->add_conn.other.id ?
- msg->add_conn.other.id : msg->add_conn.other.address);
- if (other_id == NULL)
- {
- DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id);
- my_id->destroy(my_id);
- goto destroy_hosts;
- }
-
- my_subnet = host_create_from_string(msg->add_conn.me.subnet ?
- msg->add_conn.me.subnet : msg->add_conn.me.address, IKE_PORT);
- if (my_subnet == NULL)
- {
- DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
- goto destroy_ids;
- }
-
- other_subnet = host_create_from_string(msg->add_conn.other.subnet ?
- msg->add_conn.other.subnet : msg->add_conn.other.address, IKE_PORT);
- if (other_subnet == NULL)
- {
- DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
- my_subnet->destroy(my_subnet);
- goto destroy_ids;
- }
-
- if (msg->add_conn.me.virtual_ip)
- {
- my_vip = host_create_from_string(msg->add_conn.me.sourceip, 0);
- }
- other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0);
-
- if (msg->add_conn.me.tohost)
- {
- my_ts = traffic_selector_create_dynamic(msg->add_conn.me.protocol,
- my_host->get_family(my_host) == AF_INET ?
- TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE,
- msg->add_conn.me.port ? msg->add_conn.me.port : 0,
- msg->add_conn.me.port ? msg->add_conn.me.port : 65535);
- }
- else
- {
- my_ts = traffic_selector_create_from_subnet(my_subnet,
- msg->add_conn.me.subnet ? msg->add_conn.me.subnet_mask : 0,
- msg->add_conn.me.protocol, msg->add_conn.me.port);
- }
- my_subnet->destroy(my_subnet);
-
- if (msg->add_conn.other.tohost)
- {
- other_ts = traffic_selector_create_dynamic(msg->add_conn.other.protocol,
- other_host->get_family(other_host) == AF_INET ?
- TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE,
- msg->add_conn.other.port ? msg->add_conn.other.port : 0,
- msg->add_conn.other.port ? msg->add_conn.other.port : 65535);
- }
- else
- {
- other_ts = traffic_selector_create_from_subnet(other_subnet,
- msg->add_conn.other.subnet ? msg->add_conn.other.subnet_mask : 0,
- msg->add_conn.other.protocol, msg->add_conn.other.port);
- }
- other_subnet->destroy(other_subnet);
-
- if (msg->add_conn.me.ca)
- {
- if (streq(msg->add_conn.me.ca, "%same"))
- {
- my_ca_same = TRUE;
- }
- else
- {
- my_ca = identification_create_from_string(msg->add_conn.me.ca);
- }
- }
- if (msg->add_conn.other.ca)
- {
- if (streq(msg->add_conn.other.ca, "%same"))
- {
- other_ca_same = TRUE;
- }
- else
- {
- other_ca = identification_create_from_string(msg->add_conn.other.ca);
- }
- }
- if (msg->add_conn.me.cert)
- {
- x509_t *cert = load_end_certificate(msg->add_conn.me.cert, &my_id);
-
- if (my_ca == NULL && !my_ca_same && cert)
- {
- identification_t *issuer = cert->get_issuer(cert);
-
- my_ca = issuer->clone(issuer);
- }
- }
- if (msg->add_conn.other.cert)
- {
- x509_t *cert = load_end_certificate(msg->add_conn.other.cert, &other_id);
-
- if (other_ca == NULL && !other_ca_same && cert)
- {
- identification_t *issuer = cert->get_issuer(cert);
-
- other_ca = issuer->clone(issuer);
- }
- }
- if (other_ca_same && my_ca)
- {
- other_ca = my_ca->clone(my_ca);
- }
- else if (my_ca_same && other_ca)
- {
- my_ca = other_ca->clone(other_ca);
- }
- if (my_ca == NULL)
- {
- my_ca = identification_create_from_string("%any");
- }
- if (other_ca == NULL)
- {
- other_ca = identification_create_from_string("%any");
- }
- DBG2(DBG_CFG, " my ca: '%D'", my_ca);
- DBG2(DBG_CFG, " other ca:'%D'", other_ca);
- DBG2(DBG_CFG, " updown: '%s'", msg->add_conn.me.updown);
-
- connection = connection_create(msg->add_conn.name,
- msg->add_conn.ikev2,
- msg->add_conn.me.sendcert,
- msg->add_conn.other.sendcert,
- my_host, other_host,
- msg->add_conn.dpd.delay,
- msg->add_conn.rekey.reauth,
- msg->add_conn.rekey.tries,
- msg->add_conn.rekey.ike_lifetime,
- msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin,
- msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100);
-
- if (msg->add_conn.algorithms.ike)
- {
- char *proposal_string;
- char *strict = msg->add_conn.algorithms.ike + strlen(msg->add_conn.algorithms.ike) - 1;
-
- if (*strict == '!')
- *strict = '\0';
- else
- strict = NULL;
-
- while ((proposal_string = strsep(&msg->add_conn.algorithms.ike, ",")))
- {
- proposal = proposal_create_from_string(PROTO_IKE, proposal_string);
- if (proposal == NULL)
- {
- DBG1(DBG_CFG, "invalid IKE proposal string: %s", proposal_string);
- my_id->destroy(my_id);
- other_id->destroy(other_id);
- my_ts->destroy(my_ts);
- other_ts->destroy(other_ts);
- my_ca->destroy(my_ca);
- other_ca->destroy(other_ca);
- connection->destroy(connection);
- return;
- }
- connection->add_proposal(connection, proposal);
- }
- if (!strict)
- {
- proposal = proposal_create_default(PROTO_IKE);
- connection->add_proposal(connection, proposal);
- }
- }
- else
- {
- proposal = proposal_create_default(PROTO_IKE);
- connection->add_proposal(connection, proposal);
- }
-
- policy = policy_create(msg->add_conn.name, my_id, other_id, my_vip, other_vip,
- msg->add_conn.auth_method, msg->add_conn.eap_type,
- msg->add_conn.rekey.ipsec_lifetime,
- msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
- msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
- msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
- msg->add_conn.mode, msg->add_conn.dpd.action);
- policy->add_my_traffic_selector(policy, my_ts);
- policy->add_other_traffic_selector(policy, other_ts);
- policy->add_authorities(policy, my_ca, other_ca);
-
- if (msg->add_conn.algorithms.esp)
- {
- char *proposal_string;
- char *strict = msg->add_conn.algorithms.esp + strlen(msg->add_conn.algorithms.esp) - 1;
-
- if (*strict == '!')
- *strict = '\0';
- else
- strict = NULL;
-
- while ((proposal_string = strsep(&msg->add_conn.algorithms.esp, ",")))
- {
- proposal = proposal_create_from_string(PROTO_ESP, proposal_string);
- if (proposal == NULL)
- {
- DBG1(DBG_CFG, "invalid ESP proposal string: %s", proposal_string);
- policy->destroy(policy);
- connection->destroy(connection);
- return;
- }
- policy->add_proposal(policy, proposal);
- }
- if (!strict)
- {
- proposal = proposal_create_default(PROTO_ESP);
- policy->add_proposal(policy, proposal);
- }
- }
- else
- {
- proposal = proposal_create_default(PROTO_ESP);
- policy->add_proposal(policy, proposal);
- }
-
- /* add to global connection list */
- charon->connections->add_connection(charon->connections, connection);
- DBG1(DBG_CFG, "added connection '%s': %H[%D]...%H[%D]",
- msg->add_conn.name, my_host, my_id, other_host, other_id);
- /* add to global policy list */
- charon->policies->add_policy(charon->policies, policy);
-
- return;
-
- /* mopping up after parsing errors */
-
-destroy_ids:
- my_id->destroy(my_id);
- other_id->destroy(other_id);
-
-destroy_hosts:
- my_host->destroy(my_host);
- other_host->destroy(other_host);
-}
-
-/**
- * Delete a connection from the list
- */
-static void stroke_del_conn(stroke_msg_t *msg, FILE *out)
-{
- status_t status;
-
- pop_string(msg, &(msg->del_conn.name));
- DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name);
-
- status = charon->connections->delete_connection(charon->connections,
- msg->del_conn.name);
- charon->policies->delete_policy(charon->policies, msg->del_conn.name);
- if (status == SUCCESS)
- {
- fprintf(out, "deleted connection '%s'\n", msg->del_conn.name);
- }
- else
- {
- fprintf(out, "no connection named '%s'\n", msg->del_conn.name);
- }
-}
-
-/**
- * initiate a connection by name
- */
-static void stroke_initiate(stroke_msg_t *msg, FILE *out)
-{
- initiate_job_t *job;
- connection_t *connection;
- policy_t *policy;
- ike_sa_t *init_ike_sa = NULL;
- signal_t signal;
-
- pop_string(msg, &(msg->initiate.name));
- DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
-
- connection = charon->connections->get_connection_by_name(charon->connections,
- msg->initiate.name);
- if (connection == NULL)
- {
- if (msg->output_verbosity >= 0)
- {
- fprintf(out, "no connection named '%s'\n", msg->initiate.name);
- }
- return;
- }
- if (!connection->is_ikev2(connection))
- {
- connection->destroy(connection);
- return;
- }
-
- policy = charon->policies->get_policy_by_name(charon->policies,
- msg->initiate.name);
- if (policy == NULL)
- {
- if (msg->output_verbosity >= 0)
- {
- fprintf(out, "no policy named '%s'\n", msg->initiate.name);
- }
- connection->destroy(connection);
- return;
- }
-
- job = initiate_job_create(connection, policy);
- charon->bus->set_listen_state(charon->bus, TRUE);
- charon->job_queue->add(charon->job_queue, (job_t*)job);
- while (TRUE)
- {
- level_t level;
- int thread;
- ike_sa_t *ike_sa;
- char* format;
- va_list args;
-
- signal = charon->bus->listen(charon->bus, &level, &thread, &ike_sa, &format, &args);
-
- if ((init_ike_sa == NULL || ike_sa == init_ike_sa) &&
- level <= msg->output_verbosity)
- {
- if (vfprintf(out, format, args) < 0 ||
- fprintf(out, "\n") < 0 ||
- fflush(out))
- {
- charon->bus->set_listen_state(charon->bus, FALSE);
- break;
- }
- }
-
- switch (signal)
- {
- case CHILD_UP_SUCCESS:
- case CHILD_UP_FAILED:
- case IKE_UP_FAILED:
- if (ike_sa == init_ike_sa)
- {
- charon->bus->set_listen_state(charon->bus, FALSE);
- return;
- }
- continue;
- case CHILD_UP_START:
- case IKE_UP_START:
- if (init_ike_sa == NULL)
- {
- init_ike_sa = ike_sa;
- }
- continue;
- default:
- continue;
- }
- }
-}
-
-/**
- * route/unroute a policy (install SPD entries)
- */
-static void stroke_route(stroke_msg_t *msg, FILE *out, bool route)
-{
- route_job_t *job;
- connection_t *connection;
- policy_t *policy;
-
- pop_string(msg, &(msg->route.name));
- DBG1(DBG_CFG, "received stroke: %s '%s'",
- route ? "route" : "unroute", msg->route.name);
-
- /* we wouldn't need a connection, but we only want to route policies
- * whose connections are keyexchange=ikev2. */
- connection = charon->connections->get_connection_by_name(charon->connections,
- msg->route.name);
- if (connection == NULL)
- {
- fprintf(out, "no connection named '%s'\n", msg->route.name);
- return;
- }
- if (!connection->is_ikev2(connection))
- {
- connection->destroy(connection);
- return;
- }
-
- policy = charon->policies->get_policy_by_name(charon->policies,
- msg->route.name);
- if (policy == NULL)
- {
- fprintf(out, "no policy named '%s'\n", msg->route.name);
- connection->destroy(connection);
- return;
- }
- fprintf(out, "%s policy '%s'\n",
- route ? "routing" : "unrouting", msg->route.name);
- job = route_job_create(connection, policy, route);
- charon->job_queue->add(charon->job_queue, (job_t*)job);
-}
-
-/**
- * terminate a connection by name
- */
-static void stroke_terminate(stroke_msg_t *msg, FILE *out)
-{
- char *string, *pos = NULL, *name = NULL;
- u_int32_t id = 0;
- bool child;
- int len;
- status_t status = SUCCESS;;
- ike_sa_t *ike_sa;
-
- pop_string(msg, &(msg->terminate.name));
- string = msg->terminate.name;
- DBG1(DBG_CFG, "received stroke: terminate '%s'", string);
-
- len = strlen(string);
- if (len < 1)
- {
- DBG1(DBG_CFG, "error parsing string");
- return;
- }
- switch (string[len-1])
- {
- case '}':
- child = TRUE;
- pos = strchr(string, '{');
- break;
- case ']':
- child = FALSE;
- pos = strchr(string, '[');
- break;
- default:
- name = string;
- child = FALSE;
- break;
- }
-
- if (name)
- { /* must be a single name */
- DBG1(DBG_CFG, "check out by single name '%s'", name);
- ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager,
- name, child);
- }
- else if (pos == string + len - 2)
- { /* must be name[] or name{} */
- string[len-2] = '\0';
- DBG1(DBG_CFG, "check out by name '%s'", string);
- ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager,
- string, child);
- }
- else
- { /* must be name[123] or name{23} */
- string[len-1] = '\0';
- id = atoi(pos + 1);
- if (id == 0)
- {
- DBG1(DBG_CFG, "error parsing string");
- return;
- }
- DBG1(DBG_CFG, "check out by id '%d'", id);
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- id, child);
- }
- if (ike_sa == NULL)
- {
- DBG1(DBG_CFG, "no such IKE_SA found");
- return;
- }
-
- if (!child)
- {
- status = ike_sa->delete(ike_sa);
- }
- else
- {
- child_sa_t *child_sa;
- iterator_t *iterator = ike_sa->create_child_sa_iterator(ike_sa);
- while (iterator->iterate(iterator, (void**)&child_sa))
- {
- if ((id && id == child_sa->get_reqid(child_sa)) ||
- (string && streq(string, child_sa->get_name(child_sa))))
- {
- u_int32_t spi = child_sa->get_spi(child_sa, TRUE);
- protocol_id_t proto = child_sa->get_protocol(child_sa);
-
- status = ike_sa->delete_child_sa(ike_sa, proto, spi);
- break;
- }
- }
- iterator->destroy(iterator);
- }
- if (status == DESTROY_ME)
- {
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
- ike_sa);
- return;
- }
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-}
-
-/**
- * Add a ca information record to the cainfo list
- */
-static void stroke_add_ca(stroke_msg_t *msg, FILE *out)
-{
- x509_t *cacert;
- ca_info_t *ca_info;
-
- pop_string(msg, &msg->add_ca.name);
- pop_string(msg, &msg->add_ca.cacert);
- pop_string(msg, &msg->add_ca.crluri);
- pop_string(msg, &msg->add_ca.crluri2);
- pop_string(msg, &msg->add_ca.ocspuri);
- pop_string(msg, &msg->add_ca.ocspuri2);
-
- DBG1(DBG_CFG, "received stroke: add ca '%s'", msg->add_ca.name);
-
- DBG2(DBG_CFG, "ca %s", msg->add_ca.name);
- DBG2(DBG_CFG, " cacert=%s", msg->add_ca.cacert);
- DBG2(DBG_CFG, " crluri=%s", msg->add_ca.crluri);
- DBG2(DBG_CFG, " crluri2=%s", msg->add_ca.crluri2);
- DBG2(DBG_CFG, " ocspuri=%s", msg->add_ca.ocspuri);
- DBG2(DBG_CFG, " ocspuri2=%s", msg->add_ca.ocspuri2);
-
- if (msg->add_ca.cacert == NULL)
- {
- DBG1(DBG_CFG, "missing cacert parameter\n");
- return;
- }
-
- cacert = load_ca_certificate(msg->add_ca.cacert);
-
- if (cacert == NULL)
- {
- return;
- }
- ca_info = ca_info_create(msg->add_ca.name, cacert);
-
- if (msg->add_ca.crluri)
- {
- chunk_t uri = { msg->add_ca.crluri, strlen(msg->add_ca.crluri) };
-
- ca_info->add_crluri(ca_info, uri);
- }
- if (msg->add_ca.crluri2)
- {
- chunk_t uri = { msg->add_ca.crluri2, strlen(msg->add_ca.crluri2) };
-
- ca_info->add_crluri(ca_info, uri);
- }
- if (msg->add_ca.ocspuri)
- {
- chunk_t uri = { msg->add_ca.ocspuri, strlen(msg->add_ca.ocspuri) };
-
- ca_info->add_ocspuri(ca_info, uri);
- }
- if (msg->add_ca.ocspuri2)
- {
- chunk_t uri = { msg->add_ca.ocspuri2, strlen(msg->add_ca.ocspuri2) };
-
- ca_info->add_ocspuri(ca_info, uri);
- }
- charon->credentials->add_ca_info(charon->credentials, ca_info);
- DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name);
-
-}
-
-/**
- * Delete a ca information record from the cainfo list
- */
-static void stroke_del_ca(stroke_msg_t *msg, FILE *out)
-{
- status_t status;
-
- pop_string(msg, &(msg->del_ca.name));
- DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name);
-
- status = charon->credentials->release_ca_info(charon->credentials,
- msg->del_ca.name);
-
- if (status == SUCCESS)
- {
- fprintf(out, "deleted ca '%s'\n", msg->del_ca.name);
- }
- else
- {
- fprintf(out, "no ca named '%s'\n", msg->del_ca.name);
- }
-}
-
-/**
- * show status of daemon
- */
-static void stroke_statusall(stroke_msg_t *msg, FILE *out)
-{
- iterator_t *iterator;
- linked_list_t *list;
- host_t *host;
- connection_t *connection;
- policy_t *policy;
- ike_sa_t *ike_sa;
- char *name = NULL;
-
- leak_detective_status(out);
-
- fprintf(out, "Performance:\n");
- fprintf(out, " worker threads: %d idle of %d,",
- charon->thread_pool->get_idle_threads(charon->thread_pool),
- charon->thread_pool->get_pool_size(charon->thread_pool));
- fprintf(out, " job queue load: %d,",
- charon->job_queue->get_count(charon->job_queue));
- fprintf(out, " scheduled events: %d\n",
- charon->event_queue->get_count(charon->event_queue));
- list = charon->kernel_interface->create_address_list(charon->kernel_interface);
-
- fprintf(out, "Listening on %d IP addresses:\n", list->get_count(list));
- while (list->remove_first(list, (void**)&host) == SUCCESS)
- {
- fprintf(out, " %H\n", host);
- host->destroy(host);
- }
- list->destroy(list);
-
- if (msg->status.name)
- {
- pop_string(msg, &(msg->status.name));
- name = msg->status.name;
- }
-
- iterator = charon->connections->create_iterator(charon->connections);
- if (iterator->get_count(iterator) > 0)
- {
- fprintf(out, "Connections:\n");
- }
- while (iterator->iterate(iterator, (void**)&connection))
- {
- if (connection->is_ikev2(connection)
- && (name == NULL || streq(name, connection->get_name(connection))))
- {
- fprintf(out, "%12s: %H...%H\n",
- connection->get_name(connection),
- connection->get_my_host(connection),
- connection->get_other_host(connection));
- }
- }
- iterator->destroy(iterator);
-
- iterator = charon->policies->create_iterator(charon->policies);
- if (iterator->get_count(iterator) > 0)
- {
- fprintf(out, "Policies:\n");
- }
- while (iterator->iterate(iterator, (void**)&policy))
- {
- if (name == NULL || streq(name, policy->get_name(policy)))
- {
- fprintf(out, "%12s: '%D'...'%D'\n",
- policy->get_name(policy),
- policy->get_my_id(policy),
- policy->get_other_id(policy));
- }
- }
- iterator->destroy(iterator);
-
- iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
- if (iterator->get_count(iterator) > 0)
- {
- fprintf(out, "Security Associations:\n");
- }
- while (iterator->iterate(iterator, (void**)&ike_sa))
- {
- bool ike_sa_printed = FALSE;
- child_sa_t *child_sa;
- iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
-
- /* print IKE_SA */
- if (name == NULL || strncmp(name, ike_sa->get_name(ike_sa), strlen(name)) == 0)
- {
- fprintf(out, "%#K\n", ike_sa);
- ike_sa_printed = TRUE;
- }
-
- while (children->iterate(children, (void**)&child_sa))
- {
- bool child_sa_match = name == NULL ||
- strncmp(name, child_sa->get_name(child_sa), strlen(name)) == 0;
-
- /* print IKE_SA if its name differs from the CHILD_SA's name */
- if (!ike_sa_printed && child_sa_match)
- {
- fprintf(out, "%#K\n", ike_sa);
- ike_sa_printed = TRUE;
- }
-
- /* print CHILD_SA */
- if (child_sa_match)
- {
- fprintf(out, "%#P\n", child_sa);
- }
- }
- children->destroy(children);
- }
- iterator->destroy(iterator);
-}
-
-/**
- * show status of daemon
- */
-static void stroke_status(stroke_msg_t *msg, FILE *out)
-{
- iterator_t *iterator;
- ike_sa_t *ike_sa;
- char *name = NULL;
-
- if (msg->status.name)
- {
- pop_string(msg, &(msg->status.name));
- name = msg->status.name;
- }
-
- iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
- while (iterator->iterate(iterator, (void**)&ike_sa))
- {
- bool ike_sa_printed = FALSE;
- child_sa_t *child_sa;
- iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
-
- /* print IKE_SA */
- if (name == NULL || strncmp(name, ike_sa->get_name(ike_sa), strlen(name)) == 0)
- {
- fprintf(out, "%K\n", ike_sa);
- ike_sa_printed = TRUE;
- }
-
- while (children->iterate(children, (void**)&child_sa))
- {
- bool child_sa_match = name == NULL ||
- strncmp(name, child_sa->get_name(child_sa), strlen(name)) == 0;
-
- /* print IKE_SA if its name differs from the CHILD_SA's name */
- if (!ike_sa_printed && child_sa_match)
- {
- fprintf(out, "%K\n", ike_sa);
- ike_sa_printed = TRUE;
- }
-
- /* print CHILD_SA */
- if (child_sa_match)
- {
- fprintf(out, "%P\n", child_sa);
- }
- }
- children->destroy(children);
- }
- iterator->destroy(iterator);
-}
-
-/**
- * list all authority certificates matching a specified flag
- */
-static void list_auth_certificates(u_int flag, const char *label, bool utc, FILE *out)
-{
- bool first = TRUE;
- x509_t *cert;
-
- iterator_t *iterator = charon->credentials->create_auth_cert_iterator(charon->credentials);
-
- while (iterator->iterate(iterator, (void**)&cert))
- {
- if (cert->has_authority_flag(cert, flag))
- {
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of X.509 %s Certificates:\n", label);
- fprintf(out, "\n");
- first = FALSE;
- }
- fprintf(out, "%#Q\n", cert, utc);
- }
- }
- iterator->destroy(iterator);
-}
-
-/**
- * list various information
- */
-static void stroke_list(stroke_msg_t *msg, FILE *out)
-{
- iterator_t *iterator;
-
- if (msg->list.flags & LIST_CERTS)
- {
- x509_t *cert;
-
- iterator = charon->credentials->create_cert_iterator(charon->credentials);
- if (iterator->get_count(iterator))
- {
- fprintf(out, "\n");
- fprintf(out, "List of X.509 End Entity Certificates:\n");
- fprintf(out, "\n");
- }
- while (iterator->iterate(iterator, (void**)&cert))
- {
- fprintf(out, "%#Q", cert, msg->list.utc);
- if (charon->credentials->has_rsa_private_key(
- charon->credentials, cert->get_public_key(cert)))
- {
- fprintf(out, ", has private key");
- }
- fprintf(out, "\n");
-
- }
- iterator->destroy(iterator);
- }
- if (msg->list.flags & LIST_CACERTS)
- {
- list_auth_certificates(AUTH_CA, "CA", msg->list.utc, out);
- }
- if (msg->list.flags & LIST_CAINFOS)
- {
- ca_info_t *ca_info;
-
- iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
- if (iterator->get_count(iterator))
- {
- fprintf(out, "\n");
- fprintf(out, "List of X.509 CA Information Records:\n");
- fprintf(out, "\n");
- }
- while (iterator->iterate(iterator, (void**)&ca_info))
- {
- fprintf(out, "%#W", ca_info, msg->list.utc);
- }
- iterator->destroy(iterator);
- }
- if (msg->list.flags & LIST_CRLS)
- {
- ca_info_t *ca_info;
- bool first = TRUE;
-
- iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
-
- while (iterator->iterate(iterator, (void **)&ca_info))
- {
- if (ca_info->has_crl(ca_info))
- {
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of X.509 CRLs:\n");
- fprintf(out, "\n");
- first = FALSE;
- }
- ca_info->list_crl(ca_info, out, msg->list.utc);
- }
- }
- iterator->destroy(iterator);
- }
- if (msg->list.flags & LIST_OCSPCERTS)
- {
- list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out);
- }
- if (msg->list.flags & LIST_OCSP)
- {
- ca_info_t *ca_info;
- bool first = TRUE;
-
- iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
-
- while (iterator->iterate(iterator, (void **)&ca_info))
- {
- if (ca_info->has_certinfos(ca_info))
- {
- if (first)
- {
- fprintf(out, "\n");
- fprintf(out, "List of OCSP responses:\n");
- first = FALSE;
- }
- fprintf(out, "\n");
- ca_info->list_certinfos(ca_info, out, msg->list.utc);
- }
- }
- iterator->destroy(iterator);
- }
-}
-
-/**
- * reread various information
- */
-static void stroke_reread(stroke_msg_t *msg, FILE *out)
-{
- if (msg->reread.flags & REREAD_CACERTS)
- {
- charon->credentials->load_ca_certificates(charon->credentials);
- }
- if (msg->reread.flags & REREAD_OCSPCERTS)
- {
- charon->credentials->load_ocsp_certificates(charon->credentials);
- }
- if (msg->reread.flags & REREAD_CRLS)
- {
- charon->credentials->load_crls(charon->credentials);
- }
-}
-
-/**
- * purge various information
- */
-static void stroke_purge(stroke_msg_t *msg, FILE *out)
-{
- if (msg->purge.flags & PURGE_OCSP)
- {
- iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
- ca_info_t *ca_info;
-
- while (iterator->iterate(iterator, (void**)&ca_info))
- {
- ca_info->purge_ocsp(ca_info);
- }
- iterator->destroy(iterator);
- }
-}
-
-signal_t get_signal_from_logtype(char *type)
-{
- if (strcasecmp(type, "any") == 0) return SIG_ANY;
- else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
- else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
- else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
- else if (strcasecmp(type, "job") == 0) return DBG_JOB;
- else if (strcasecmp(type, "cfg") == 0) return DBG_CFG;
- else if (strcasecmp(type, "knl") == 0) return DBG_KNL;
- else if (strcasecmp(type, "net") == 0) return DBG_NET;
- else if (strcasecmp(type, "enc") == 0) return DBG_ENC;
- else if (strcasecmp(type, "lib") == 0) return DBG_LIB;
- else return -1;
-}
-
-/**
- * set the verbosity debug output
- */
-static void stroke_loglevel(stroke_msg_t *msg, FILE *out)
-{
- signal_t signal;
-
- pop_string(msg, &(msg->loglevel.type));
- DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
- msg->loglevel.level, msg->loglevel.type);
-
- signal = get_signal_from_logtype(msg->loglevel.type);
- if (signal < 0)
- {
- fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
- return;
- }
-
- charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level);
- charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
-}
-
-/**
- * process a stroke request from the socket pointed by "fd"
- */
-static void stroke_process(int *fd)
-{
- stroke_msg_t *msg;
- u_int16_t msg_length;
- ssize_t bytes_read;
- FILE *out;
- int strokefd = *fd;
-
- /* peek the length */
- bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
- if (bytes_read != sizeof(msg_length))
- {
- DBG1(DBG_CFG, "reading length of stroke message failed");
- close(strokefd);
- return;
- }
-
- /* read message */
- msg = malloc(msg_length);
- bytes_read = recv(strokefd, msg, msg_length, 0);
- if (bytes_read != msg_length)
- {
- DBG1(DBG_CFG, "reading stroke message failed: %m");
- close(strokefd);
- return;
- }
-
- out = fdopen(dup(strokefd), "w");
- if (out == NULL)
- {
- DBG1(DBG_CFG, "opening stroke output channel failed: %m");
- close(strokefd);
- free(msg);
- return;
- }
-
- DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
-
- switch (msg->type)
- {
- case STR_INITIATE:
- stroke_initiate(msg, out);
- break;
- case STR_ROUTE:
- stroke_route(msg, out, TRUE);
- break;
- case STR_UNROUTE:
- stroke_route(msg, out, FALSE);
- break;
- case STR_TERMINATE:
- stroke_terminate(msg, out);
- break;
- case STR_STATUS:
- stroke_status(msg, out);
- break;
- case STR_STATUS_ALL:
- stroke_statusall(msg, out);
- break;
- case STR_ADD_CONN:
- stroke_add_conn(msg, out);
- break;
- case STR_DEL_CONN:
- stroke_del_conn(msg, out);
- break;
- case STR_ADD_CA:
- stroke_add_ca(msg, out);
- break;
- case STR_DEL_CA:
- stroke_del_ca(msg, out);
- break;
- case STR_LOGLEVEL:
- stroke_loglevel(msg, out);
- break;
- case STR_LIST:
- stroke_list(msg, out);
- break;
- case STR_REREAD:
- stroke_reread(msg, out);
- break;
- case STR_PURGE:
- stroke_purge(msg, out);
- break;
- default:
- DBG1(DBG_CFG, "received unknown stroke");
- }
- fclose(out);
- close(strokefd);
- free(msg);
-}
-
-/**
- * Implementation of private_stroke_t.stroke_receive.
- */
-static void stroke_receive(private_stroke_t *this)
-{
- struct sockaddr_un strokeaddr;
- int strokeaddrlen = sizeof(strokeaddr);
- int strokefd;
- int oldstate;
- pthread_t thread;
-
- /* ignore sigpipe. writing over the pipe back to the console
- * only fails if SIGPIPE is ignored. */
- signal(SIGPIPE, SIG_IGN);
-
- /* disable cancellation by default */
- pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
-
- while (TRUE)
- {
- /* wait for connections, but allow thread to terminate */
- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
- strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
- pthread_setcancelstate(oldstate, NULL);
-
- if (strokefd < 0)
- {
- DBG1(DBG_CFG, "accepting stroke connection failed: %m");
- continue;
- }
-
- /* handle request asynchronously */
- if (pthread_create(&thread, NULL, (void*(*)(void*))stroke_process, (void*)&strokefd) != 0)
- {
- DBG1(DBG_CFG, "failed to spawn stroke thread: %m");
- }
- /* detach so the thread terminates cleanly */
- pthread_detach(thread);
- }
-}
-
-/**
- * Implementation of stroke_t.destroy.
- */
-static void destroy(private_stroke_t *this)
-{
- pthread_cancel(this->assigned_thread);
- pthread_join(this->assigned_thread, NULL);
-
- close(this->socket);
- unlink(socket_addr.sun_path);
- free(this);
-}
-
-/*
- * Described in header-file
- */
-stroke_t *stroke_create()
-{
- private_stroke_t *this = malloc_thing(private_stroke_t);
- mode_t old;
-
- /* public functions */
- this->public.destroy = (void (*)(stroke_t*))destroy;
-
- /* set up unix socket */
- this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
- if (this->socket == -1)
- {
- DBG1(DBG_CFG, "could not create whack socket");
- free(this);
- return NULL;
- }
-
- old = umask(~S_IRWXU);
- if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
- {
- DBG1(DBG_CFG, "could not bind stroke socket: %m");
- close(this->socket);
- free(this);
- return NULL;
- }
- umask(old);
-
- if (listen(this->socket, 0) < 0)
- {
- DBG1(DBG_CFG, "could not listen on stroke socket: %m");
- close(this->socket);
- unlink(socket_addr.sun_path);
- free(this);
- return NULL;
- }
-
- /* start a thread reading from the socket */
- if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))stroke_receive, this) != 0)
- {
- DBG1(DBG_CFG, "could not spawn stroke thread");
- close(this->socket);
- unlink(socket_addr.sun_path);
- free(this);
- return NULL;
- }
-
- return (&this->public);
-}
diff --git a/src/include/Makefile.am b/src/include/Makefile.am
new file mode 100644
index 000000000..c7e9ca9ff
--- /dev/null
+++ b/src/include/Makefile.am
@@ -0,0 +1,2 @@
+EXTRA_DIST = linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
+ linux/pfkeyv2.h linux/udp.h linux/xfrm.h
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
new file mode 100644
index 000000000..68477343f
--- /dev/null
+++ b/src/include/Makefile.in
@@ -0,0 +1,358 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/include
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+backenddir = @backenddir@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+interfacedir = @interfacedir@
+ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+EXTRA_DIST = linux/ipsec.h linux/netlink.h linux/rtnetlink.h \
+ linux/pfkeyv2.h linux/udp.h linux/xfrm.h
+
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/include/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/include/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+ $(mkdir_p) $(distdir)/linux
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-libtool
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+ distclean distclean-generic distclean-libtool distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-exec install-exec-am \
+ install-info install-info-am install-man install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am \
+ uninstall-info-am
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/include/linux/ipsec.h b/src/include/linux/ipsec.h
new file mode 100644
index 000000000..81ac63a18
--- /dev/null
+++ b/src/include/linux/ipsec.h
@@ -0,0 +1,46 @@
+#ifndef _LINUX_IPSEC_H
+#define _LINUX_IPSEC_H
+
+/* The definitions, required to talk to KAME racoon IKE. */
+
+#include "pfkeyv2.h"
+
+#define IPSEC_PORT_ANY 0
+#define IPSEC_ULPROTO_ANY 255
+#define IPSEC_PROTO_ANY 255
+
+enum {
+ IPSEC_MODE_ANY = 0, /* We do not support this for SA */
+ IPSEC_MODE_TRANSPORT = 1,
+ IPSEC_MODE_TUNNEL = 2
+};
+
+enum {
+ IPSEC_DIR_ANY = 0,
+ IPSEC_DIR_INBOUND = 1,
+ IPSEC_DIR_OUTBOUND = 2,
+ IPSEC_DIR_FWD = 3, /* It is our own */
+ IPSEC_DIR_MAX = 4,
+ IPSEC_DIR_INVALID = 5
+};
+
+enum {
+ IPSEC_POLICY_DISCARD = 0,
+ IPSEC_POLICY_NONE = 1,
+ IPSEC_POLICY_IPSEC = 2,
+ IPSEC_POLICY_ENTRUST = 3,
+ IPSEC_POLICY_BYPASS = 4
+};
+
+enum {
+ IPSEC_LEVEL_DEFAULT = 0,
+ IPSEC_LEVEL_USE = 1,
+ IPSEC_LEVEL_REQUIRE = 2,
+ IPSEC_LEVEL_UNIQUE = 3
+};
+
+#define IPSEC_MANUAL_REQID_MAX 0x3fff
+
+#define IPSEC_REPLAYWSIZE 32
+
+#endif /* _LINUX_IPSEC_H */
diff --git a/src/include/linux/netlink.h b/src/include/linux/netlink.h
new file mode 100644
index 000000000..af65dc499
--- /dev/null
+++ b/src/include/linux/netlink.h
@@ -0,0 +1,241 @@
+#ifndef __LINUX_NETLINK_H
+#define __LINUX_NETLINK_H
+
+#include <linux/socket.h> /* for sa_family_t */
+#include <linux/types.h>
+
+#define NETLINK_ROUTE 0 /* Routing/device hook */
+#define NETLINK_W1 1 /* 1-wire subsystem */
+#define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */
+#define NETLINK_FIREWALL 3 /* Firewalling hook */
+#define NETLINK_INET_DIAG 4 /* INET socket monitoring */
+#define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */
+#define NETLINK_XFRM 6 /* ipsec */
+#define NETLINK_SELINUX 7 /* SELinux event notifications */
+#define NETLINK_ISCSI 8 /* Open-iSCSI */
+#define NETLINK_AUDIT 9 /* auditing */
+#define NETLINK_FIB_LOOKUP 10
+#define NETLINK_CONNECTOR 11
+#define NETLINK_NETFILTER 12 /* netfilter subsystem */
+#define NETLINK_IP6_FW 13
+#define NETLINK_DNRTMSG 14 /* DECnet routing messages */
+#define NETLINK_KOBJECT_UEVENT 15 /* Kernel messages to userspace */
+#define NETLINK_GENERIC 16
+
+#define MAX_LINKS 32
+
+struct sockaddr_nl
+{
+ sa_family_t nl_family; /* AF_NETLINK */
+ unsigned short nl_pad; /* zero */
+ __u32 nl_pid; /* process pid */
+ __u32 nl_groups; /* multicast groups mask */
+};
+
+struct nlmsghdr
+{
+ __u32 nlmsg_len; /* Length of message including header */
+ __u16 nlmsg_type; /* Message content */
+ __u16 nlmsg_flags; /* Additional flags */
+ __u32 nlmsg_seq; /* Sequence number */
+ __u32 nlmsg_pid; /* Sending process PID */
+};
+
+/* Flags values */
+
+#define NLM_F_REQUEST 1 /* It is request message. */
+#define NLM_F_MULTI 2 /* Multipart message, terminated by NLMSG_DONE */
+#define NLM_F_ACK 4 /* Reply with ack, with zero or error code */
+#define NLM_F_ECHO 8 /* Echo this request */
+
+/* Modifiers to GET request */
+#define NLM_F_ROOT 0x100 /* specify tree root */
+#define NLM_F_MATCH 0x200 /* return all matching */
+#define NLM_F_ATOMIC 0x400 /* atomic GET */
+#define NLM_F_DUMP (NLM_F_ROOT|NLM_F_MATCH)
+
+/* Modifiers to NEW request */
+#define NLM_F_REPLACE 0x100 /* Override existing */
+#define NLM_F_EXCL 0x200 /* Do not touch, if it exists */
+#define NLM_F_CREATE 0x400 /* Create, if it does not exist */
+#define NLM_F_APPEND 0x800 /* Add to end of list */
+
+/*
+ 4.4BSD ADD NLM_F_CREATE|NLM_F_EXCL
+ 4.4BSD CHANGE NLM_F_REPLACE
+
+ True CHANGE NLM_F_CREATE|NLM_F_REPLACE
+ Append NLM_F_CREATE
+ Check NLM_F_EXCL
+ */
+
+#define NLMSG_ALIGNTO 4
+#define NLMSG_ALIGN(len) ( ((len)+NLMSG_ALIGNTO-1) & ~(NLMSG_ALIGNTO-1) )
+#define NLMSG_HDRLEN ((int) NLMSG_ALIGN(sizeof(struct nlmsghdr)))
+#define NLMSG_LENGTH(len) ((len)+NLMSG_ALIGN(NLMSG_HDRLEN))
+#define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len))
+#define NLMSG_DATA(nlh) ((void*)(((char*)nlh) + NLMSG_LENGTH(0)))
+#define NLMSG_NEXT(nlh,len) ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \
+ (struct nlmsghdr*)(((char*)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len)))
+#define NLMSG_OK(nlh,len) ((len) >= (int)sizeof(struct nlmsghdr) && \
+ (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \
+ (nlh)->nlmsg_len <= (len))
+#define NLMSG_PAYLOAD(nlh,len) ((nlh)->nlmsg_len - NLMSG_SPACE((len)))
+
+#define NLMSG_NOOP 0x1 /* Nothing. */
+#define NLMSG_ERROR 0x2 /* Error */
+#define NLMSG_DONE 0x3 /* End of a dump */
+#define NLMSG_OVERRUN 0x4 /* Data lost */
+
+#define NLMSG_MIN_TYPE 0x10 /* < 0x10: reserved control messages */
+
+struct nlmsgerr
+{
+ int error;
+ struct nlmsghdr msg;
+};
+
+#define NETLINK_ADD_MEMBERSHIP 1
+#define NETLINK_DROP_MEMBERSHIP 2
+#define NETLINK_PKTINFO 3
+
+struct nl_pktinfo
+{
+ __u32 group;
+};
+
+#define NET_MAJOR 36 /* Major 36 is reserved for networking */
+
+enum {
+ NETLINK_UNCONNECTED = 0,
+ NETLINK_CONNECTED,
+};
+
+/*
+ * <------- NLA_HDRLEN ------> <-- NLA_ALIGN(payload)-->
+ * +---------------------+- - -+- - - - - - - - - -+- - -+
+ * | Header | Pad | Payload | Pad |
+ * | (struct nlattr) | ing | | ing |
+ * +---------------------+- - -+- - - - - - - - - -+- - -+
+ * <-------------- nlattr->nla_len -------------->
+ */
+
+struct nlattr
+{
+ __u16 nla_len;
+ __u16 nla_type;
+};
+
+#define NLA_ALIGNTO 4
+#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
+#define NLA_HDRLEN ((int) NLA_ALIGN(sizeof(struct nlattr)))
+
+#ifdef __KERNEL__
+
+#include <linux/capability.h>
+#include <linux/skbuff.h>
+
+struct netlink_skb_parms
+{
+ struct ucred creds; /* Skb credentials */
+ __u32 pid;
+ __u32 dst_pid;
+ __u32 dst_group;
+ kernel_cap_t eff_cap;
+ __u32 loginuid; /* Login (audit) uid */
+ __u32 sid; /* SELinux security id */
+};
+
+#define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb))
+#define NETLINK_CREDS(skb) (&NETLINK_CB((skb)).creds)
+
+
+extern struct sock *netlink_kernel_create(int unit, unsigned int groups, void (*input)(struct sock *sk, int len), struct module *module);
+extern void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err);
+extern int netlink_has_listeners(struct sock *sk, unsigned int group);
+extern int netlink_unicast(struct sock *ssk, struct sk_buff *skb, __u32 pid, int nonblock);
+extern int netlink_broadcast(struct sock *ssk, struct sk_buff *skb, __u32 pid,
+ __u32 group, gfp_t allocation);
+extern void netlink_set_err(struct sock *ssk, __u32 pid, __u32 group, int code);
+extern int netlink_register_notifier(struct notifier_block *nb);
+extern int netlink_unregister_notifier(struct notifier_block *nb);
+
+/* finegrained unicast helpers: */
+struct sock *netlink_getsockbyfilp(struct file *filp);
+int netlink_attachskb(struct sock *sk, struct sk_buff *skb, int nonblock,
+ long timeo, struct sock *ssk);
+void netlink_detachskb(struct sock *sk, struct sk_buff *skb);
+int netlink_sendskb(struct sock *sk, struct sk_buff *skb, int protocol);
+
+/*
+ * skb should fit one page. This choice is good for headerless malloc.
+ */
+#define NLMSG_GOODORDER 0
+#define NLMSG_GOODSIZE (SKB_MAX_ORDER(0, NLMSG_GOODORDER))
+
+
+struct netlink_callback
+{
+ struct sk_buff *skb;
+ struct nlmsghdr *nlh;
+ int (*dump)(struct sk_buff * skb, struct netlink_callback *cb);
+ int (*done)(struct netlink_callback *cb);
+ int family;
+ long args[5];
+};
+
+struct netlink_notify
+{
+ int pid;
+ int protocol;
+};
+
+static __inline__ struct nlmsghdr *
+__nlmsg_put(struct sk_buff *skb, __u32 pid, __u32 seq, int type, int len, int flags)
+{
+ struct nlmsghdr *nlh;
+ int size = NLMSG_LENGTH(len);
+
+ nlh = (struct nlmsghdr*)skb_put(skb, NLMSG_ALIGN(size));
+ nlh->nlmsg_type = type;
+ nlh->nlmsg_len = size;
+ nlh->nlmsg_flags = flags;
+ nlh->nlmsg_pid = pid;
+ nlh->nlmsg_seq = seq;
+ memset(NLMSG_DATA(nlh) + len, 0, NLMSG_ALIGN(size) - size);
+ return nlh;
+}
+
+#define NLMSG_NEW(skb, pid, seq, type, len, flags) \
+({ if (skb_tailroom(skb) < (int)NLMSG_SPACE(len)) \
+ goto nlmsg_failure; \
+ __nlmsg_put(skb, pid, seq, type, len, flags); })
+
+#define NLMSG_PUT(skb, pid, seq, type, len) \
+ NLMSG_NEW(skb, pid, seq, type, len, 0)
+
+#define NLMSG_NEW_ANSWER(skb, cb, type, len, flags) \
+ NLMSG_NEW(skb, NETLINK_CB((cb)->skb).pid, \
+ (cb)->nlh->nlmsg_seq, type, len, flags)
+
+#define NLMSG_END(skb, nlh) \
+({ (nlh)->nlmsg_len = (skb)->tail - (unsigned char *) (nlh); \
+ (skb)->len; })
+
+#define NLMSG_CANCEL(skb, nlh) \
+({ skb_trim(skb, (unsigned char *) (nlh) - (skb)->data); \
+ -1; })
+
+extern int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+ struct nlmsghdr *nlh,
+ int (*dump)(struct sk_buff *skb, struct netlink_callback*),
+ int (*done)(struct netlink_callback*));
+
+
+#define NL_NONROOT_RECV 0x1
+#define NL_NONROOT_SEND 0x2
+extern void netlink_set_nonroot(int protocol, unsigned flag);
+
+#endif /* __KERNEL__ */
+
+#endif /* __LINUX_NETLINK_H */
diff --git a/src/include/linux/pfkeyv2.h b/src/include/linux/pfkeyv2.h
new file mode 100644
index 000000000..bac0fb389
--- /dev/null
+++ b/src/include/linux/pfkeyv2.h
@@ -0,0 +1,348 @@
+/* PF_KEY user interface, this is defined by rfc2367 so
+ * do not make arbitrary modifications or else this header
+ * file will not be compliant.
+ */
+
+#ifndef _LINUX_PFKEY2_H
+#define _LINUX_PFKEY2_H
+
+#include <linux/types.h>
+
+#define PF_KEY_V2 2
+#define PFKEYV2_REVISION 199806L
+
+struct sadb_msg {
+ uint8_t sadb_msg_version;
+ uint8_t sadb_msg_type;
+ uint8_t sadb_msg_errno;
+ uint8_t sadb_msg_satype;
+ uint16_t sadb_msg_len;
+ uint16_t sadb_msg_reserved;
+ uint32_t sadb_msg_seq;
+ uint32_t sadb_msg_pid;
+} __attribute__((packed));
+/* sizeof(struct sadb_msg) == 16 */
+
+struct sadb_ext {
+ uint16_t sadb_ext_len;
+ uint16_t sadb_ext_type;
+} __attribute__((packed));
+/* sizeof(struct sadb_ext) == 4 */
+
+struct sadb_sa {
+ uint16_t sadb_sa_len;
+ uint16_t sadb_sa_exttype;
+ uint32_t sadb_sa_spi;
+ uint8_t sadb_sa_replay;
+ uint8_t sadb_sa_state;
+ uint8_t sadb_sa_auth;
+ uint8_t sadb_sa_encrypt;
+ uint32_t sadb_sa_flags;
+} __attribute__((packed));
+/* sizeof(struct sadb_sa) == 16 */
+
+struct sadb_lifetime {
+ uint16_t sadb_lifetime_len;
+ uint16_t sadb_lifetime_exttype;
+ uint32_t sadb_lifetime_allocations;
+ uint64_t sadb_lifetime_bytes;
+ uint64_t sadb_lifetime_addtime;
+ uint64_t sadb_lifetime_usetime;
+} __attribute__((packed));
+/* sizeof(struct sadb_lifetime) == 32 */
+
+struct sadb_address {
+ uint16_t sadb_address_len;
+ uint16_t sadb_address_exttype;
+ uint8_t sadb_address_proto;
+ uint8_t sadb_address_prefixlen;
+ uint16_t sadb_address_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_address) == 8 */
+
+struct sadb_key {
+ uint16_t sadb_key_len;
+ uint16_t sadb_key_exttype;
+ uint16_t sadb_key_bits;
+ uint16_t sadb_key_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_key) == 8 */
+
+struct sadb_ident {
+ uint16_t sadb_ident_len;
+ uint16_t sadb_ident_exttype;
+ uint16_t sadb_ident_type;
+ uint16_t sadb_ident_reserved;
+ uint64_t sadb_ident_id;
+} __attribute__((packed));
+/* sizeof(struct sadb_ident) == 16 */
+
+struct sadb_sens {
+ uint16_t sadb_sens_len;
+ uint16_t sadb_sens_exttype;
+ uint32_t sadb_sens_dpd;
+ uint8_t sadb_sens_sens_level;
+ uint8_t sadb_sens_sens_len;
+ uint8_t sadb_sens_integ_level;
+ uint8_t sadb_sens_integ_len;
+ uint32_t sadb_sens_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_sens) == 16 */
+
+/* followed by:
+ uint64_t sadb_sens_bitmap[sens_len];
+ uint64_t sadb_integ_bitmap[integ_len]; */
+
+struct sadb_prop {
+ uint16_t sadb_prop_len;
+ uint16_t sadb_prop_exttype;
+ uint8_t sadb_prop_replay;
+ uint8_t sadb_prop_reserved[3];
+} __attribute__((packed));
+/* sizeof(struct sadb_prop) == 8 */
+
+/* followed by:
+ struct sadb_comb sadb_combs[(sadb_prop_len +
+ sizeof(uint64_t) - sizeof(struct sadb_prop)) /
+ sizeof(struct sadb_comb)]; */
+
+struct sadb_comb {
+ uint8_t sadb_comb_auth;
+ uint8_t sadb_comb_encrypt;
+ uint16_t sadb_comb_flags;
+ uint16_t sadb_comb_auth_minbits;
+ uint16_t sadb_comb_auth_maxbits;
+ uint16_t sadb_comb_encrypt_minbits;
+ uint16_t sadb_comb_encrypt_maxbits;
+ uint32_t sadb_comb_reserved;
+ uint32_t sadb_comb_soft_allocations;
+ uint32_t sadb_comb_hard_allocations;
+ uint64_t sadb_comb_soft_bytes;
+ uint64_t sadb_comb_hard_bytes;
+ uint64_t sadb_comb_soft_addtime;
+ uint64_t sadb_comb_hard_addtime;
+ uint64_t sadb_comb_soft_usetime;
+ uint64_t sadb_comb_hard_usetime;
+} __attribute__((packed));
+/* sizeof(struct sadb_comb) == 72 */
+
+struct sadb_supported {
+ uint16_t sadb_supported_len;
+ uint16_t sadb_supported_exttype;
+ uint32_t sadb_supported_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_supported) == 8 */
+
+/* followed by:
+ struct sadb_alg sadb_algs[(sadb_supported_len +
+ sizeof(uint64_t) - sizeof(struct sadb_supported)) /
+ sizeof(struct sadb_alg)]; */
+
+struct sadb_alg {
+ uint8_t sadb_alg_id;
+ uint8_t sadb_alg_ivlen;
+ uint16_t sadb_alg_minbits;
+ uint16_t sadb_alg_maxbits;
+ uint16_t sadb_alg_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_alg) == 8 */
+
+struct sadb_spirange {
+ uint16_t sadb_spirange_len;
+ uint16_t sadb_spirange_exttype;
+ uint32_t sadb_spirange_min;
+ uint32_t sadb_spirange_max;
+ uint32_t sadb_spirange_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_spirange) == 16 */
+
+struct sadb_x_kmprivate {
+ uint16_t sadb_x_kmprivate_len;
+ uint16_t sadb_x_kmprivate_exttype;
+ u_int32_t sadb_x_kmprivate_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_kmprivate) == 8 */
+
+struct sadb_x_sa2 {
+ uint16_t sadb_x_sa2_len;
+ uint16_t sadb_x_sa2_exttype;
+ uint8_t sadb_x_sa2_mode;
+ uint8_t sadb_x_sa2_reserved1;
+ uint16_t sadb_x_sa2_reserved2;
+ uint32_t sadb_x_sa2_sequence;
+ uint32_t sadb_x_sa2_reqid;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_sa2) == 16 */
+
+struct sadb_x_policy {
+ uint16_t sadb_x_policy_len;
+ uint16_t sadb_x_policy_exttype;
+ uint16_t sadb_x_policy_type;
+ uint8_t sadb_x_policy_dir;
+ uint8_t sadb_x_policy_reserved;
+ uint32_t sadb_x_policy_id;
+ uint32_t sadb_x_policy_priority;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_policy) == 16 */
+
+struct sadb_x_ipsecrequest {
+ uint16_t sadb_x_ipsecrequest_len;
+ uint16_t sadb_x_ipsecrequest_proto;
+ uint8_t sadb_x_ipsecrequest_mode;
+ uint8_t sadb_x_ipsecrequest_level;
+ uint16_t sadb_x_ipsecrequest_reserved1;
+ uint32_t sadb_x_ipsecrequest_reqid;
+ uint32_t sadb_x_ipsecrequest_reserved2;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_ipsecrequest) == 16 */
+
+/* This defines the TYPE of Nat Traversal in use. Currently only one
+ * type of NAT-T is supported, draft-ietf-ipsec-udp-encaps-06
+ */
+struct sadb_x_nat_t_type {
+ uint16_t sadb_x_nat_t_type_len;
+ uint16_t sadb_x_nat_t_type_exttype;
+ uint8_t sadb_x_nat_t_type_type;
+ uint8_t sadb_x_nat_t_type_reserved[3];
+} __attribute__((packed));
+/* sizeof(struct sadb_x_nat_t_type) == 8 */
+
+/* Pass a NAT Traversal port (Source or Dest port) */
+struct sadb_x_nat_t_port {
+ uint16_t sadb_x_nat_t_port_len;
+ uint16_t sadb_x_nat_t_port_exttype;
+ uint16_t sadb_x_nat_t_port_port;
+ uint16_t sadb_x_nat_t_port_reserved;
+} __attribute__((packed));
+/* sizeof(struct sadb_x_nat_t_port) == 8 */
+
+/* Generic LSM security context */
+struct sadb_x_sec_ctx {
+ uint16_t sadb_x_sec_len;
+ uint16_t sadb_x_sec_exttype;
+ uint8_t sadb_x_ctx_alg; /* LSMs: e.g., selinux == 1 */
+ uint8_t sadb_x_ctx_doi;
+ uint16_t sadb_x_ctx_len;
+} __attribute__((packed));
+/* sizeof(struct sadb_sec_ctx) = 8 */
+
+/* Message types */
+#define SADB_RESERVED 0
+#define SADB_GETSPI 1
+#define SADB_UPDATE 2
+#define SADB_ADD 3
+#define SADB_DELETE 4
+#define SADB_GET 5
+#define SADB_ACQUIRE 6
+#define SADB_REGISTER 7
+#define SADB_EXPIRE 8
+#define SADB_FLUSH 9
+#define SADB_DUMP 10
+#define SADB_X_PROMISC 11
+#define SADB_X_PCHANGE 12
+#define SADB_X_SPDUPDATE 13
+#define SADB_X_SPDADD 14
+#define SADB_X_SPDDELETE 15
+#define SADB_X_SPDGET 16
+#define SADB_X_SPDACQUIRE 17
+#define SADB_X_SPDDUMP 18
+#define SADB_X_SPDFLUSH 19
+#define SADB_X_SPDSETIDX 20
+#define SADB_X_SPDEXPIRE 21
+#define SADB_X_SPDDELETE2 22
+#define SADB_X_NAT_T_NEW_MAPPING 23
+#define SADB_MAX 23
+
+/* Security Association flags */
+#define SADB_SAFLAGS_PFS 1
+#define SADB_SAFLAGS_NOPMTUDISC 0x20000000
+#define SADB_SAFLAGS_DECAP_DSCP 0x40000000
+#define SADB_SAFLAGS_NOECN 0x80000000
+
+/* Security Association states */
+#define SADB_SASTATE_LARVAL 0
+#define SADB_SASTATE_MATURE 1
+#define SADB_SASTATE_DYING 2
+#define SADB_SASTATE_DEAD 3
+#define SADB_SASTATE_MAX 3
+
+/* Security Association types */
+#define SADB_SATYPE_UNSPEC 0
+#define SADB_SATYPE_AH 2
+#define SADB_SATYPE_ESP 3
+#define SADB_SATYPE_RSVP 5
+#define SADB_SATYPE_OSPFV2 6
+#define SADB_SATYPE_RIPV2 7
+#define SADB_SATYPE_MIP 8
+#define SADB_X_SATYPE_IPCOMP 9
+#define SADB_SATYPE_MAX 9
+
+/* Authentication algorithms */
+#define SADB_AALG_NONE 0
+#define SADB_AALG_MD5HMAC 2
+#define SADB_AALG_SHA1HMAC 3
+#define SADB_X_AALG_SHA2_256HMAC 5
+#define SADB_X_AALG_SHA2_384HMAC 6
+#define SADB_X_AALG_SHA2_512HMAC 7
+#define SADB_X_AALG_RIPEMD160HMAC 8
+#define SADB_X_AALG_NULL 251 /* kame */
+#define SADB_AALG_MAX 251
+
+/* Encryption algorithms */
+#define SADB_EALG_NONE 0
+#define SADB_EALG_DESCBC 2
+#define SADB_EALG_3DESCBC 3
+#define SADB_X_EALG_CASTCBC 6
+#define SADB_X_EALG_BLOWFISHCBC 7
+#define SADB_EALG_NULL 11
+#define SADB_X_EALG_AESCBC 12
+#define SADB_EALG_MAX 253 /* last EALG */
+/* private allocations should use 249-255 (RFC2407) */
+#define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
+#define SADB_X_EALG_TWOFISHCBC 253 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
+
+/* Compression algorithms */
+#define SADB_X_CALG_NONE 0
+#define SADB_X_CALG_OUI 1
+#define SADB_X_CALG_DEFLATE 2
+#define SADB_X_CALG_LZS 3
+#define SADB_X_CALG_LZJH 4
+#define SADB_X_CALG_MAX 4
+
+/* Extension Header values */
+#define SADB_EXT_RESERVED 0
+#define SADB_EXT_SA 1
+#define SADB_EXT_LIFETIME_CURRENT 2
+#define SADB_EXT_LIFETIME_HARD 3
+#define SADB_EXT_LIFETIME_SOFT 4
+#define SADB_EXT_ADDRESS_SRC 5
+#define SADB_EXT_ADDRESS_DST 6
+#define SADB_EXT_ADDRESS_PROXY 7
+#define SADB_EXT_KEY_AUTH 8
+#define SADB_EXT_KEY_ENCRYPT 9
+#define SADB_EXT_IDENTITY_SRC 10
+#define SADB_EXT_IDENTITY_DST 11
+#define SADB_EXT_SENSITIVITY 12
+#define SADB_EXT_PROPOSAL 13
+#define SADB_EXT_SUPPORTED_AUTH 14
+#define SADB_EXT_SUPPORTED_ENCRYPT 15
+#define SADB_EXT_SPIRANGE 16
+#define SADB_X_EXT_KMPRIVATE 17
+#define SADB_X_EXT_POLICY 18
+#define SADB_X_EXT_SA2 19
+/* The next four entries are for setting up NAT Traversal */
+#define SADB_X_EXT_NAT_T_TYPE 20
+#define SADB_X_EXT_NAT_T_SPORT 21
+#define SADB_X_EXT_NAT_T_DPORT 22
+#define SADB_X_EXT_NAT_T_OA 23
+#define SADB_X_EXT_SEC_CTX 24
+#define SADB_EXT_MAX 24
+
+/* Identity Extension values */
+#define SADB_IDENTTYPE_RESERVED 0
+#define SADB_IDENTTYPE_PREFIX 1
+#define SADB_IDENTTYPE_FQDN 2
+#define SADB_IDENTTYPE_USERFQDN 3
+#define SADB_IDENTTYPE_MAX 3
+
+#endif /* !(_LINUX_PFKEY2_H) */
diff --git a/src/include/linux/rtnetlink.h b/src/include/linux/rtnetlink.h
new file mode 100644
index 000000000..56bf7b01c
--- /dev/null
+++ b/src/include/linux/rtnetlink.h
@@ -0,0 +1,1072 @@
+#ifndef __LINUX_RTNETLINK_H
+#define __LINUX_RTNETLINK_H
+
+#include "netlink.h"
+
+/****
+ * Routing/neighbour discovery messages.
+ ****/
+
+/* Types of messages */
+
+enum {
+ RTM_BASE = 16,
+#define RTM_BASE RTM_BASE
+
+ RTM_NEWLINK = 16,
+#define RTM_NEWLINK RTM_NEWLINK
+ RTM_DELLINK,
+#define RTM_DELLINK RTM_DELLINK
+ RTM_GETLINK,
+#define RTM_GETLINK RTM_GETLINK
+ RTM_SETLINK,
+#define RTM_SETLINK RTM_SETLINK
+
+ RTM_NEWADDR = 20,
+#define RTM_NEWADDR RTM_NEWADDR
+ RTM_DELADDR,
+#define RTM_DELADDR RTM_DELADDR
+ RTM_GETADDR,
+#define RTM_GETADDR RTM_GETADDR
+
+ RTM_NEWROUTE = 24,
+#define RTM_NEWROUTE RTM_NEWROUTE
+ RTM_DELROUTE,
+#define RTM_DELROUTE RTM_DELROUTE
+ RTM_GETROUTE,
+#define RTM_GETROUTE RTM_GETROUTE
+
+ RTM_NEWNEIGH = 28,
+#define RTM_NEWNEIGH RTM_NEWNEIGH
+ RTM_DELNEIGH,
+#define RTM_DELNEIGH RTM_DELNEIGH
+ RTM_GETNEIGH,
+#define RTM_GETNEIGH RTM_GETNEIGH
+
+ RTM_NEWRULE = 32,
+#define RTM_NEWRULE RTM_NEWRULE
+ RTM_DELRULE,
+#define RTM_DELRULE RTM_DELRULE
+ RTM_GETRULE,
+#define RTM_GETRULE RTM_GETRULE
+
+ RTM_NEWQDISC = 36,
+#define RTM_NEWQDISC RTM_NEWQDISC
+ RTM_DELQDISC,
+#define RTM_DELQDISC RTM_DELQDISC
+ RTM_GETQDISC,
+#define RTM_GETQDISC RTM_GETQDISC
+
+ RTM_NEWTCLASS = 40,
+#define RTM_NEWTCLASS RTM_NEWTCLASS
+ RTM_DELTCLASS,
+#define RTM_DELTCLASS RTM_DELTCLASS
+ RTM_GETTCLASS,
+#define RTM_GETTCLASS RTM_GETTCLASS
+
+ RTM_NEWTFILTER = 44,
+#define RTM_NEWTFILTER RTM_NEWTFILTER
+ RTM_DELTFILTER,
+#define RTM_DELTFILTER RTM_DELTFILTER
+ RTM_GETTFILTER,
+#define RTM_GETTFILTER RTM_GETTFILTER
+
+ RTM_NEWACTION = 48,
+#define RTM_NEWACTION RTM_NEWACTION
+ RTM_DELACTION,
+#define RTM_DELACTION RTM_DELACTION
+ RTM_GETACTION,
+#define RTM_GETACTION RTM_GETACTION
+
+ RTM_NEWPREFIX = 52,
+#define RTM_NEWPREFIX RTM_NEWPREFIX
+ RTM_GETPREFIX = 54,
+#define RTM_GETPREFIX RTM_GETPREFIX
+
+ RTM_GETMULTICAST = 58,
+#define RTM_GETMULTICAST RTM_GETMULTICAST
+
+ RTM_GETANYCAST = 62,
+#define RTM_GETANYCAST RTM_GETANYCAST
+
+ RTM_NEWNEIGHTBL = 64,
+#define RTM_NEWNEIGHTBL RTM_NEWNEIGHTBL
+ RTM_GETNEIGHTBL = 66,
+#define RTM_GETNEIGHTBL RTM_GETNEIGHTBL
+ RTM_SETNEIGHTBL,
+#define RTM_SETNEIGHTBL RTM_SETNEIGHTBL
+
+ __RTM_MAX,
+#define RTM_MAX (((__RTM_MAX + 3) & ~3) - 1)
+};
+
+#define RTM_NR_MSGTYPES (RTM_MAX + 1 - RTM_BASE)
+#define RTM_NR_FAMILIES (RTM_NR_MSGTYPES >> 2)
+#define RTM_FAM(cmd) (((cmd) - RTM_BASE) >> 2)
+
+/*
+ Generic structure for encapsulation of optional route information.
+ It is reminiscent of sockaddr, but with sa_family replaced
+ with attribute type.
+ */
+
+struct rtattr
+{
+ unsigned short rta_len;
+ unsigned short rta_type;
+};
+
+/* Macros to handle rtattributes */
+
+#define RTA_ALIGNTO 4
+#define RTA_ALIGN(len) ( ((len)+RTA_ALIGNTO-1) & ~(RTA_ALIGNTO-1) )
+#define RTA_OK(rta,len) ((len) >= (int)sizeof(struct rtattr) && \
+ (rta)->rta_len >= sizeof(struct rtattr) && \
+ (rta)->rta_len <= (len))
+#define RTA_NEXT(rta,attrlen) ((attrlen) -= RTA_ALIGN((rta)->rta_len), \
+ (struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
+#define RTA_LENGTH(len) (RTA_ALIGN(sizeof(struct rtattr)) + (len))
+#define RTA_SPACE(len) RTA_ALIGN(RTA_LENGTH(len))
+#define RTA_DATA(rta) ((void*)(((char*)(rta)) + RTA_LENGTH(0)))
+#define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0))
+
+
+
+
+/******************************************************************************
+ * Definitions used in routing table administration.
+ ****/
+
+struct rtmsg
+{
+ unsigned char rtm_family;
+ unsigned char rtm_dst_len;
+ unsigned char rtm_src_len;
+ unsigned char rtm_tos;
+
+ unsigned char rtm_table; /* Routing table id */
+ unsigned char rtm_protocol; /* Routing protocol; see below */
+ unsigned char rtm_scope; /* See below */
+ unsigned char rtm_type; /* See below */
+
+ unsigned rtm_flags;
+};
+
+/* rtm_type */
+
+enum
+{
+ RTN_UNSPEC,
+ RTN_UNICAST, /* Gateway or direct route */
+ RTN_LOCAL, /* Accept locally */
+ RTN_BROADCAST, /* Accept locally as broadcast,
+ send as broadcast */
+ RTN_ANYCAST, /* Accept locally as broadcast,
+ but send as unicast */
+ RTN_MULTICAST, /* Multicast route */
+ RTN_BLACKHOLE, /* Drop */
+ RTN_UNREACHABLE, /* Destination is unreachable */
+ RTN_PROHIBIT, /* Administratively prohibited */
+ RTN_THROW, /* Not in this table */
+ RTN_NAT, /* Translate this address */
+ RTN_XRESOLVE, /* Use external resolver */
+ __RTN_MAX
+};
+
+#define RTN_MAX (__RTN_MAX - 1)
+
+
+/* rtm_protocol */
+
+#define RTPROT_UNSPEC 0
+#define RTPROT_REDIRECT 1 /* Route installed by ICMP redirects;
+ not used by current IPv4 */
+#define RTPROT_KERNEL 2 /* Route installed by kernel */
+#define RTPROT_BOOT 3 /* Route installed during boot */
+#define RTPROT_STATIC 4 /* Route installed by administrator */
+
+/* Values of protocol >= RTPROT_STATIC are not interpreted by kernel;
+ they are just passed from user and back as is.
+ It will be used by hypothetical multiple routing daemons.
+ Note that protocol values should be standardized in order to
+ avoid conflicts.
+ */
+
+#define RTPROT_GATED 8 /* Apparently, GateD */
+#define RTPROT_RA 9 /* RDISC/ND router advertisements */
+#define RTPROT_MRT 10 /* Merit MRT */
+#define RTPROT_ZEBRA 11 /* Zebra */
+#define RTPROT_BIRD 12 /* BIRD */
+#define RTPROT_DNROUTED 13 /* DECnet routing daemon */
+#define RTPROT_XORP 14 /* XORP */
+#define RTPROT_NTK 15 /* Netsukuku */
+
+/* rtm_scope
+
+ Really it is not scope, but sort of distance to the destination.
+ NOWHERE are reserved for not existing destinations, HOST is our
+ local addresses, LINK are destinations, located on directly attached
+ link and UNIVERSE is everywhere in the Universe.
+
+ Intermediate values are also possible f.e. interior routes
+ could be assigned a value between UNIVERSE and LINK.
+*/
+
+enum rt_scope_t
+{
+ RT_SCOPE_UNIVERSE=0,
+/* User defined values */
+ RT_SCOPE_SITE=200,
+ RT_SCOPE_LINK=253,
+ RT_SCOPE_HOST=254,
+ RT_SCOPE_NOWHERE=255
+};
+
+/* rtm_flags */
+
+#define RTM_F_NOTIFY 0x100 /* Notify user of route change */
+#define RTM_F_CLONED 0x200 /* This route is cloned */
+#define RTM_F_EQUALIZE 0x400 /* Multipath equalizer: NI */
+#define RTM_F_PREFIX 0x800 /* Prefix addresses */
+
+/* Reserved table identifiers */
+
+enum rt_class_t
+{
+ RT_TABLE_UNSPEC=0,
+/* User defined values */
+ RT_TABLE_DEFAULT=253,
+ RT_TABLE_MAIN=254,
+ RT_TABLE_LOCAL=255,
+ __RT_TABLE_MAX
+};
+#define RT_TABLE_MAX (__RT_TABLE_MAX - 1)
+
+
+
+/* Routing message attributes */
+
+enum rtattr_type_t
+{
+ RTA_UNSPEC,
+ RTA_DST,
+ RTA_SRC,
+ RTA_IIF,
+ RTA_OIF,
+ RTA_GATEWAY,
+ RTA_PRIORITY,
+ RTA_PREFSRC,
+ RTA_METRICS,
+ RTA_MULTIPATH,
+ RTA_PROTOINFO,
+ RTA_FLOW,
+ RTA_CACHEINFO,
+ RTA_SESSION,
+ RTA_MP_ALGO,
+ __RTA_MAX
+};
+
+#define RTA_MAX (__RTA_MAX - 1)
+
+#define RTM_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct rtmsg))))
+#define RTM_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct rtmsg))
+
+/* RTM_MULTIPATH --- array of struct rtnexthop.
+ *
+ * "struct rtnexthop" describes all necessary nexthop information,
+ * i.e. parameters of path to a destination via this nexthop.
+ *
+ * At the moment it is impossible to set different prefsrc, mtu, window
+ * and rtt for different paths from multipath.
+ */
+
+struct rtnexthop
+{
+ unsigned short rtnh_len;
+ unsigned char rtnh_flags;
+ unsigned char rtnh_hops;
+ int rtnh_ifindex;
+};
+
+/* rtnh_flags */
+
+#define RTNH_F_DEAD 1 /* Nexthop is dead (used by multipath) */
+#define RTNH_F_PERVASIVE 2 /* Do recursive gateway lookup */
+#define RTNH_F_ONLINK 4 /* Gateway is forced on link */
+
+/* Macros to handle hexthops */
+
+#define RTNH_ALIGNTO 4
+#define RTNH_ALIGN(len) ( ((len)+RTNH_ALIGNTO-1) & ~(RTNH_ALIGNTO-1) )
+#define RTNH_OK(rtnh,len) ((rtnh)->rtnh_len >= sizeof(struct rtnexthop) && \
+ ((int)(rtnh)->rtnh_len) <= (len))
+#define RTNH_NEXT(rtnh) ((struct rtnexthop*)(((char*)(rtnh)) + RTNH_ALIGN((rtnh)->rtnh_len)))
+#define RTNH_LENGTH(len) (RTNH_ALIGN(sizeof(struct rtnexthop)) + (len))
+#define RTNH_SPACE(len) RTNH_ALIGN(RTNH_LENGTH(len))
+#define RTNH_DATA(rtnh) ((struct rtattr*)(((char*)(rtnh)) + RTNH_LENGTH(0)))
+
+/* RTM_CACHEINFO */
+
+struct rta_cacheinfo
+{
+ __u32 rta_clntref;
+ __u32 rta_lastuse;
+ __s32 rta_expires;
+ __u32 rta_error;
+ __u32 rta_used;
+
+#define RTNETLINK_HAVE_PEERINFO 1
+ __u32 rta_id;
+ __u32 rta_ts;
+ __u32 rta_tsage;
+};
+
+/* RTM_METRICS --- array of struct rtattr with types of RTAX_* */
+
+enum
+{
+ RTAX_UNSPEC,
+#define RTAX_UNSPEC RTAX_UNSPEC
+ RTAX_LOCK,
+#define RTAX_LOCK RTAX_LOCK
+ RTAX_MTU,
+#define RTAX_MTU RTAX_MTU
+ RTAX_WINDOW,
+#define RTAX_WINDOW RTAX_WINDOW
+ RTAX_RTT,
+#define RTAX_RTT RTAX_RTT
+ RTAX_RTTVAR,
+#define RTAX_RTTVAR RTAX_RTTVAR
+ RTAX_SSTHRESH,
+#define RTAX_SSTHRESH RTAX_SSTHRESH
+ RTAX_CWND,
+#define RTAX_CWND RTAX_CWND
+ RTAX_ADVMSS,
+#define RTAX_ADVMSS RTAX_ADVMSS
+ RTAX_REORDERING,
+#define RTAX_REORDERING RTAX_REORDERING
+ RTAX_HOPLIMIT,
+#define RTAX_HOPLIMIT RTAX_HOPLIMIT
+ RTAX_INITCWND,
+#define RTAX_INITCWND RTAX_INITCWND
+ RTAX_FEATURES,
+#define RTAX_FEATURES RTAX_FEATURES
+ __RTAX_MAX
+};
+
+#define RTAX_MAX (__RTAX_MAX - 1)
+
+#define RTAX_FEATURE_ECN 0x00000001
+#define RTAX_FEATURE_SACK 0x00000002
+#define RTAX_FEATURE_TIMESTAMP 0x00000004
+#define RTAX_FEATURE_ALLFRAG 0x00000008
+
+struct rta_session
+{
+ __u8 proto;
+ __u8 pad1;
+ __u16 pad2;
+
+ union {
+ struct {
+ __u16 sport;
+ __u16 dport;
+ } ports;
+
+ struct {
+ __u8 type;
+ __u8 code;
+ __u16 ident;
+ } icmpt;
+
+ __u32 spi;
+ } u;
+};
+
+
+/*********************************************************
+ * Interface address.
+ ****/
+
+struct ifaddrmsg
+{
+ unsigned char ifa_family;
+ unsigned char ifa_prefixlen; /* The prefix length */
+ unsigned char ifa_flags; /* Flags */
+ unsigned char ifa_scope; /* See above */
+ int ifa_index; /* Link index */
+};
+
+enum
+{
+ IFA_UNSPEC,
+ IFA_ADDRESS,
+ IFA_LOCAL,
+ IFA_LABEL,
+ IFA_BROADCAST,
+ IFA_ANYCAST,
+ IFA_CACHEINFO,
+ IFA_MULTICAST,
+ __IFA_MAX
+};
+
+#define IFA_MAX (__IFA_MAX - 1)
+
+/* ifa_flags */
+
+#define IFA_F_SECONDARY 0x01
+#define IFA_F_TEMPORARY IFA_F_SECONDARY
+
+#define IFA_F_DEPRECATED 0x20
+#define IFA_F_TENTATIVE 0x40
+#define IFA_F_PERMANENT 0x80
+
+struct ifa_cacheinfo
+{
+ __u32 ifa_prefered;
+ __u32 ifa_valid;
+ __u32 cstamp; /* created timestamp, hundredths of seconds */
+ __u32 tstamp; /* updated timestamp, hundredths of seconds */
+};
+
+
+#define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg))))
+#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg))
+
+/*
+ Important comment:
+ IFA_ADDRESS is prefix address, rather than local interface address.
+ It makes no difference for normally configured broadcast interfaces,
+ but for point-to-point IFA_ADDRESS is DESTINATION address,
+ local address is supplied in IFA_LOCAL attribute.
+ */
+
+/**************************************************************
+ * Neighbour discovery.
+ ****/
+
+struct ndmsg
+{
+ unsigned char ndm_family;
+ unsigned char ndm_pad1;
+ unsigned short ndm_pad2;
+ int ndm_ifindex; /* Link index */
+ __u16 ndm_state;
+ __u8 ndm_flags;
+ __u8 ndm_type;
+};
+
+enum
+{
+ NDA_UNSPEC,
+ NDA_DST,
+ NDA_LLADDR,
+ NDA_CACHEINFO,
+ NDA_PROBES,
+ __NDA_MAX
+};
+
+#define NDA_MAX (__NDA_MAX - 1)
+
+#define NDA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg))))
+#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg))
+
+/*
+ * Neighbor Cache Entry Flags
+ */
+
+#define NTF_PROXY 0x08 /* == ATF_PUBL */
+#define NTF_ROUTER 0x80
+
+/*
+ * Neighbor Cache Entry States.
+ */
+
+#define NUD_INCOMPLETE 0x01
+#define NUD_REACHABLE 0x02
+#define NUD_STALE 0x04
+#define NUD_DELAY 0x08
+#define NUD_PROBE 0x10
+#define NUD_FAILED 0x20
+
+/* Dummy states */
+#define NUD_NOARP 0x40
+#define NUD_PERMANENT 0x80
+#define NUD_NONE 0x00
+
+
+struct nda_cacheinfo
+{
+ __u32 ndm_confirmed;
+ __u32 ndm_used;
+ __u32 ndm_updated;
+ __u32 ndm_refcnt;
+};
+
+
+/*****************************************************************
+ * Neighbour tables specific messages.
+ *
+ * To retrieve the neighbour tables send RTM_GETNEIGHTBL with the
+ * NLM_F_DUMP flag set. Every neighbour table configuration is
+ * spread over multiple messages to avoid running into message
+ * size limits on systems with many interfaces. The first message
+ * in the sequence transports all not device specific data such as
+ * statistics, configuration, and the default parameter set.
+ * This message is followed by 0..n messages carrying device
+ * specific parameter sets.
+ * Although the ordering should be sufficient, NDTA_NAME can be
+ * used to identify sequences. The initial message can be identified
+ * by checking for NDTA_CONFIG. The device specific messages do
+ * not contain this TLV but have NDTPA_IFINDEX set to the
+ * corresponding interface index.
+ *
+ * To change neighbour table attributes, send RTM_SETNEIGHTBL
+ * with NDTA_NAME set. Changeable attribute include NDTA_THRESH[1-3],
+ * NDTA_GC_INTERVAL, and all TLVs in NDTA_PARMS unless marked
+ * otherwise. Device specific parameter sets can be changed by
+ * setting NDTPA_IFINDEX to the interface index of the corresponding
+ * device.
+ ****/
+
+struct ndt_stats
+{
+ __u64 ndts_allocs;
+ __u64 ndts_destroys;
+ __u64 ndts_hash_grows;
+ __u64 ndts_res_failed;
+ __u64 ndts_lookups;
+ __u64 ndts_hits;
+ __u64 ndts_rcv_probes_mcast;
+ __u64 ndts_rcv_probes_ucast;
+ __u64 ndts_periodic_gc_runs;
+ __u64 ndts_forced_gc_runs;
+};
+
+enum {
+ NDTPA_UNSPEC,
+ NDTPA_IFINDEX, /* __u32, unchangeable */
+ NDTPA_REFCNT, /* __u32, read-only */
+ NDTPA_REACHABLE_TIME, /* __u64, read-only, msecs */
+ NDTPA_BASE_REACHABLE_TIME, /* __u64, msecs */
+ NDTPA_RETRANS_TIME, /* __u64, msecs */
+ NDTPA_GC_STALETIME, /* __u64, msecs */
+ NDTPA_DELAY_PROBE_TIME, /* __u64, msecs */
+ NDTPA_QUEUE_LEN, /* __u32 */
+ NDTPA_APP_PROBES, /* __u32 */
+ NDTPA_UCAST_PROBES, /* __u32 */
+ NDTPA_MCAST_PROBES, /* __u32 */
+ NDTPA_ANYCAST_DELAY, /* __u64, msecs */
+ NDTPA_PROXY_DELAY, /* __u64, msecs */
+ NDTPA_PROXY_QLEN, /* __u32 */
+ NDTPA_LOCKTIME, /* __u64, msecs */
+ __NDTPA_MAX
+};
+#define NDTPA_MAX (__NDTPA_MAX - 1)
+
+struct ndtmsg
+{
+ __u8 ndtm_family;
+ __u8 ndtm_pad1;
+ __u16 ndtm_pad2;
+};
+
+struct ndt_config
+{
+ __u16 ndtc_key_len;
+ __u16 ndtc_entry_size;
+ __u32 ndtc_entries;
+ __u32 ndtc_last_flush; /* delta to now in msecs */
+ __u32 ndtc_last_rand; /* delta to now in msecs */
+ __u32 ndtc_hash_rnd;
+ __u32 ndtc_hash_mask;
+ __u32 ndtc_hash_chain_gc;
+ __u32 ndtc_proxy_qlen;
+};
+
+enum {
+ NDTA_UNSPEC,
+ NDTA_NAME, /* char *, unchangeable */
+ NDTA_THRESH1, /* __u32 */
+ NDTA_THRESH2, /* __u32 */
+ NDTA_THRESH3, /* __u32 */
+ NDTA_CONFIG, /* struct ndt_config, read-only */
+ NDTA_PARMS, /* nested TLV NDTPA_* */
+ NDTA_STATS, /* struct ndt_stats, read-only */
+ NDTA_GC_INTERVAL, /* __u64, msecs */
+ __NDTA_MAX
+};
+#define NDTA_MAX (__NDTA_MAX - 1)
+
+#define NDTA_RTA(r) ((struct rtattr*)(((char*)(r)) + \
+ NLMSG_ALIGN(sizeof(struct ndtmsg))))
+#define NDTA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndtmsg))
+
+
+/****
+ * General form of address family dependent message.
+ ****/
+
+struct rtgenmsg
+{
+ unsigned char rtgen_family;
+};
+
+/*****************************************************************
+ * Link layer specific messages.
+ ****/
+
+/* struct ifinfomsg
+ * passes link level specific information, not dependent
+ * on network protocol.
+ */
+
+struct ifinfomsg
+{
+ unsigned char ifi_family;
+ unsigned char __ifi_pad;
+ unsigned short ifi_type; /* ARPHRD_* */
+ int ifi_index; /* Link index */
+ unsigned ifi_flags; /* IFF_* flags */
+ unsigned ifi_change; /* IFF_* change mask */
+};
+
+/********************************************************************
+ * prefix information
+ ****/
+
+struct prefixmsg
+{
+ unsigned char prefix_family;
+ unsigned char prefix_pad1;
+ unsigned short prefix_pad2;
+ int prefix_ifindex;
+ unsigned char prefix_type;
+ unsigned char prefix_len;
+ unsigned char prefix_flags;
+ unsigned char prefix_pad3;
+};
+
+enum
+{
+ PREFIX_UNSPEC,
+ PREFIX_ADDRESS,
+ PREFIX_CACHEINFO,
+ __PREFIX_MAX
+};
+
+#define PREFIX_MAX (__PREFIX_MAX - 1)
+
+struct prefix_cacheinfo
+{
+ __u32 preferred_time;
+ __u32 valid_time;
+};
+
+/* The struct should be in sync with struct net_device_stats */
+struct rtnl_link_stats
+{
+ __u32 rx_packets; /* total packets received */
+ __u32 tx_packets; /* total packets transmitted */
+ __u32 rx_bytes; /* total bytes received */
+ __u32 tx_bytes; /* total bytes transmitted */
+ __u32 rx_errors; /* bad packets received */
+ __u32 tx_errors; /* packet transmit problems */
+ __u32 rx_dropped; /* no space in linux buffers */
+ __u32 tx_dropped; /* no space available in linux */
+ __u32 multicast; /* multicast packets received */
+ __u32 collisions;
+
+ /* detailed rx_errors: */
+ __u32 rx_length_errors;
+ __u32 rx_over_errors; /* receiver ring buff overflow */
+ __u32 rx_crc_errors; /* recved pkt with crc error */
+ __u32 rx_frame_errors; /* recv'd frame alignment error */
+ __u32 rx_fifo_errors; /* recv'r fifo overrun */
+ __u32 rx_missed_errors; /* receiver missed packet */
+
+ /* detailed tx_errors */
+ __u32 tx_aborted_errors;
+ __u32 tx_carrier_errors;
+ __u32 tx_fifo_errors;
+ __u32 tx_heartbeat_errors;
+ __u32 tx_window_errors;
+
+ /* for cslip etc */
+ __u32 rx_compressed;
+ __u32 tx_compressed;
+};
+
+/* The struct should be in sync with struct ifmap */
+struct rtnl_link_ifmap
+{
+ __u64 mem_start;
+ __u64 mem_end;
+ __u64 base_addr;
+ __u16 irq;
+ __u8 dma;
+ __u8 port;
+};
+
+enum
+{
+ IFLA_UNSPEC,
+ IFLA_ADDRESS,
+ IFLA_BROADCAST,
+ IFLA_IFNAME,
+ IFLA_MTU,
+ IFLA_LINK,
+ IFLA_QDISC,
+ IFLA_STATS,
+ IFLA_COST,
+#define IFLA_COST IFLA_COST
+ IFLA_PRIORITY,
+#define IFLA_PRIORITY IFLA_PRIORITY
+ IFLA_MASTER,
+#define IFLA_MASTER IFLA_MASTER
+ IFLA_WIRELESS, /* Wireless Extension event - see wireless.h */
+#define IFLA_WIRELESS IFLA_WIRELESS
+ IFLA_PROTINFO, /* Protocol specific information for a link */
+#define IFLA_PROTINFO IFLA_PROTINFO
+ IFLA_TXQLEN,
+#define IFLA_TXQLEN IFLA_TXQLEN
+ IFLA_MAP,
+#define IFLA_MAP IFLA_MAP
+ IFLA_WEIGHT,
+#define IFLA_WEIGHT IFLA_WEIGHT
+ IFLA_OPERSTATE,
+ IFLA_LINKMODE,
+ __IFLA_MAX
+};
+
+
+#define IFLA_MAX (__IFLA_MAX - 1)
+
+#define IFLA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg))))
+#define IFLA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg))
+
+/* ifi_flags.
+
+ IFF_* flags.
+
+ The only change is:
+ IFF_LOOPBACK, IFF_BROADCAST and IFF_POINTOPOINT are
+ more not changeable by user. They describe link media
+ characteristics and set by device driver.
+
+ Comments:
+ - Combination IFF_BROADCAST|IFF_POINTOPOINT is invalid
+ - If neither of these three flags are set;
+ the interface is NBMA.
+
+ - IFF_MULTICAST does not mean anything special:
+ multicasts can be used on all not-NBMA links.
+ IFF_MULTICAST means that this media uses special encapsulation
+ for multicast frames. Apparently, all IFF_POINTOPOINT and
+ IFF_BROADCAST devices are able to use multicasts too.
+ */
+
+/* IFLA_LINK.
+ For usual devices it is equal ifi_index.
+ If it is a "virtual interface" (f.e. tunnel), ifi_link
+ can point to real physical interface (f.e. for bandwidth calculations),
+ or maybe 0, what means, that real media is unknown (usual
+ for IPIP tunnels, when route to endpoint is allowed to change)
+ */
+
+/* Subtype attributes for IFLA_PROTINFO */
+enum
+{
+ IFLA_INET6_UNSPEC,
+ IFLA_INET6_FLAGS, /* link flags */
+ IFLA_INET6_CONF, /* sysctl parameters */
+ IFLA_INET6_STATS, /* statistics */
+ IFLA_INET6_MCAST, /* MC things. What of them? */
+ IFLA_INET6_CACHEINFO, /* time values and max reasm size */
+ __IFLA_INET6_MAX
+};
+
+#define IFLA_INET6_MAX (__IFLA_INET6_MAX - 1)
+
+struct ifla_cacheinfo
+{
+ __u32 max_reasm_len;
+ __u32 tstamp; /* ipv6InterfaceTable updated timestamp */
+ __u32 reachable_time;
+ __u32 retrans_time;
+};
+
+/*****************************************************************
+ * Traffic control messages.
+ ****/
+
+struct tcmsg
+{
+ unsigned char tcm_family;
+ unsigned char tcm__pad1;
+ unsigned short tcm__pad2;
+ int tcm_ifindex;
+ __u32 tcm_handle;
+ __u32 tcm_parent;
+ __u32 tcm_info;
+};
+
+enum
+{
+ TCA_UNSPEC,
+ TCA_KIND,
+ TCA_OPTIONS,
+ TCA_STATS,
+ TCA_XSTATS,
+ TCA_RATE,
+ TCA_FCNT,
+ TCA_STATS2,
+ __TCA_MAX
+};
+
+#define TCA_MAX (__TCA_MAX - 1)
+
+#define TCA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcmsg))))
+#define TCA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcmsg))
+
+#ifndef __KERNEL__
+/* RTnetlink multicast groups - backwards compatibility for userspace */
+#define RTMGRP_LINK 1
+#define RTMGRP_NOTIFY 2
+#define RTMGRP_NEIGH 4
+#define RTMGRP_TC 8
+
+#define RTMGRP_IPV4_IFADDR 0x10
+#define RTMGRP_IPV4_MROUTE 0x20
+#define RTMGRP_IPV4_ROUTE 0x40
+#define RTMGRP_IPV4_RULE 0x80
+
+#define RTMGRP_IPV6_IFADDR 0x100
+#define RTMGRP_IPV6_MROUTE 0x200
+#define RTMGRP_IPV6_ROUTE 0x400
+#define RTMGRP_IPV6_IFINFO 0x800
+
+#define RTMGRP_DECnet_IFADDR 0x1000
+#define RTMGRP_DECnet_ROUTE 0x4000
+
+#define RTMGRP_IPV6_PREFIX 0x20000
+#endif
+
+/* RTnetlink multicast groups */
+enum rtnetlink_groups {
+ RTNLGRP_NONE,
+#define RTNLGRP_NONE RTNLGRP_NONE
+ RTNLGRP_LINK,
+#define RTNLGRP_LINK RTNLGRP_LINK
+ RTNLGRP_NOTIFY,
+#define RTNLGRP_NOTIFY RTNLGRP_NOTIFY
+ RTNLGRP_NEIGH,
+#define RTNLGRP_NEIGH RTNLGRP_NEIGH
+ RTNLGRP_TC,
+#define RTNLGRP_TC RTNLGRP_TC
+ RTNLGRP_IPV4_IFADDR,
+#define RTNLGRP_IPV4_IFADDR RTNLGRP_IPV4_IFADDR
+ RTNLGRP_IPV4_MROUTE,
+#define RTNLGRP_IPV4_MROUTE RTNLGRP_IPV4_MROUTE
+ RTNLGRP_IPV4_ROUTE,
+#define RTNLGRP_IPV4_ROUTE RTNLGRP_IPV4_ROUTE
+ RTNLGRP_IPV4_RULE,
+#define RTNLGRP_IPV4_RULE RTNLGRP_IPV4_RULE
+ RTNLGRP_IPV6_IFADDR,
+#define RTNLGRP_IPV6_IFADDR RTNLGRP_IPV6_IFADDR
+ RTNLGRP_IPV6_MROUTE,
+#define RTNLGRP_IPV6_MROUTE RTNLGRP_IPV6_MROUTE
+ RTNLGRP_IPV6_ROUTE,
+#define RTNLGRP_IPV6_ROUTE RTNLGRP_IPV6_ROUTE
+ RTNLGRP_IPV6_IFINFO,
+#define RTNLGRP_IPV6_IFINFO RTNLGRP_IPV6_IFINFO
+ RTNLGRP_DECnet_IFADDR,
+#define RTNLGRP_DECnet_IFADDR RTNLGRP_DECnet_IFADDR
+ RTNLGRP_NOP2,
+ RTNLGRP_DECnet_ROUTE,
+#define RTNLGRP_DECnet_ROUTE RTNLGRP_DECnet_ROUTE
+ RTNLGRP_NOP3,
+ RTNLGRP_NOP4,
+ RTNLGRP_IPV6_PREFIX,
+#define RTNLGRP_IPV6_PREFIX RTNLGRP_IPV6_PREFIX
+ __RTNLGRP_MAX
+};
+#define RTNLGRP_MAX (__RTNLGRP_MAX - 1)
+
+/* TC action piece */
+struct tcamsg
+{
+ unsigned char tca_family;
+ unsigned char tca__pad1;
+ unsigned short tca__pad2;
+};
+#define TA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcamsg))))
+#define TA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcamsg))
+#define TCA_ACT_TAB 1 /* attr type must be >=1 */
+#define TCAA_MAX 1
+
+/* End of information exported to user level */
+
+#ifdef __KERNEL__
+
+#include <linux/config.h>
+#include <linux/mutex.h>
+
+extern size_t rtattr_strlcpy(char *dest, const struct rtattr *rta, size_t size);
+static __inline__ int rtattr_strcmp(const struct rtattr *rta, const char *str)
+{
+ int len = strlen(str) + 1;
+ return len > rta->rta_len || memcmp(RTA_DATA(rta), str, len);
+}
+
+extern int rtattr_parse(struct rtattr *tb[], int maxattr, struct rtattr *rta, int len);
+
+#define rtattr_parse_nested(tb, max, rta) \
+ rtattr_parse((tb), (max), RTA_DATA((rta)), RTA_PAYLOAD((rta)))
+
+extern struct sock *rtnl;
+
+struct rtnetlink_link
+{
+ int (*doit)(struct sk_buff *, struct nlmsghdr*, void *attr);
+ int (*dumpit)(struct sk_buff *, struct netlink_callback *cb);
+};
+
+extern struct rtnetlink_link * rtnetlink_links[NPROTO];
+extern int rtnetlink_send(struct sk_buff *skb, __u32 pid, __u32 group, int echo);
+extern int rtnetlink_put_metrics(struct sk_buff *skb, __u32 *metrics);
+
+extern void __rta_fill(struct sk_buff *skb, int attrtype, int attrlen, const void *data);
+
+#define RTA_PUT(skb, attrtype, attrlen, data) \
+({ if (unlikely(skb_tailroom(skb) < (int)RTA_SPACE(attrlen))) \
+ goto rtattr_failure; \
+ __rta_fill(skb, attrtype, attrlen, data); })
+
+#define RTA_APPEND(skb, attrlen, data) \
+({ if (unlikely(skb_tailroom(skb) < (int)(attrlen))) \
+ goto rtattr_failure; \
+ memcpy(skb_put(skb, attrlen), data, attrlen); })
+
+#define RTA_PUT_NOHDR(skb, attrlen, data) \
+({ RTA_APPEND(skb, RTA_ALIGN(attrlen), data); \
+ memset(skb->tail - (RTA_ALIGN(attrlen) - attrlen), 0, \
+ RTA_ALIGN(attrlen) - attrlen); })
+
+#define RTA_PUT_U8(skb, attrtype, value) \
+({ __u8 _tmp = (value); \
+ RTA_PUT(skb, attrtype, sizeof(__u8), &_tmp); })
+
+#define RTA_PUT_U16(skb, attrtype, value) \
+({ __u16 _tmp = (value); \
+ RTA_PUT(skb, attrtype, sizeof(__u16), &_tmp); })
+
+#define RTA_PUT_U32(skb, attrtype, value) \
+({ __u32 _tmp = (value); \
+ RTA_PUT(skb, attrtype, sizeof(__u32), &_tmp); })
+
+#define RTA_PUT_U64(skb, attrtype, value) \
+({ __u64 _tmp = (value); \
+ RTA_PUT(skb, attrtype, sizeof(__u64), &_tmp); })
+
+#define RTA_PUT_SECS(skb, attrtype, value) \
+ RTA_PUT_U64(skb, attrtype, (value) / HZ)
+
+#define RTA_PUT_MSECS(skb, attrtype, value) \
+ RTA_PUT_U64(skb, attrtype, jiffies_to_msecs(value))
+
+#define RTA_PUT_STRING(skb, attrtype, value) \
+ RTA_PUT(skb, attrtype, strlen(value) + 1, value)
+
+#define RTA_PUT_FLAG(skb, attrtype) \
+ RTA_PUT(skb, attrtype, 0, NULL);
+
+#define RTA_NEST(skb, type) \
+({ struct rtattr *__start = (struct rtattr *) (skb)->tail; \
+ RTA_PUT(skb, type, 0, NULL); \
+ __start; })
+
+#define RTA_NEST_END(skb, start) \
+({ (start)->rta_len = ((skb)->tail - (unsigned char *) (start)); \
+ (skb)->len; })
+
+#define RTA_NEST_CANCEL(skb, start) \
+({ if (start) \
+ skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
+ -1; })
+
+#define RTA_GET_U8(rta) \
+({ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u8)) \
+ goto rtattr_failure; \
+ *(__u8 *) RTA_DATA(rta); })
+
+#define RTA_GET_U16(rta) \
+({ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u16)) \
+ goto rtattr_failure; \
+ *(__u16 *) RTA_DATA(rta); })
+
+#define RTA_GET_U32(rta) \
+({ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u32)) \
+ goto rtattr_failure; \
+ *(__u32 *) RTA_DATA(rta); })
+
+#define RTA_GET_U64(rta) \
+({ __u64 _tmp; \
+ if (!rta || RTA_PAYLOAD(rta) < sizeof(__u64)) \
+ goto rtattr_failure; \
+ memcpy(&_tmp, RTA_DATA(rta), sizeof(_tmp)); \
+ _tmp; })
+
+#define RTA_GET_FLAG(rta) (!!(rta))
+
+#define RTA_GET_SECS(rta) ((unsigned long) RTA_GET_U64(rta) * HZ)
+#define RTA_GET_MSECS(rta) (msecs_to_jiffies((unsigned long) RTA_GET_U64(rta)))
+
+static __inline__ struct rtattr *
+__rta_reserve(struct sk_buff *skb, int attrtype, int attrlen)
+{
+ struct rtattr *rta;
+ int size = RTA_LENGTH(attrlen);
+
+ rta = (struct rtattr*)skb_put(skb, RTA_ALIGN(size));
+ rta->rta_type = attrtype;
+ rta->rta_len = size;
+ memset(RTA_DATA(rta) + attrlen, 0, RTA_ALIGN(size) - size);
+ return rta;
+}
+
+#define __RTA_PUT(skb, attrtype, attrlen) \
+({ if (unlikely(skb_tailroom(skb) < (int)RTA_SPACE(attrlen))) \
+ goto rtattr_failure; \
+ __rta_reserve(skb, attrtype, attrlen); })
+
+extern void rtmsg_ifinfo(int type, struct net_device *dev, unsigned change);
+
+/* RTNL is used as a global lock for all changes to network configuration */
+extern void rtnl_lock(void);
+extern void rtnl_unlock(void);
+extern int rtnl_trylock(void);
+
+extern void rtnetlink_init(void);
+extern void __rtnl_unlock(void);
+
+#define ASSERT_RTNL() do { \
+ if (unlikely(rtnl_trylock())) { \
+ rtnl_unlock(); \
+ printk(KERN_ERR "RTNL: assertion failed at %s (%d)\n", \
+ __FILE__, __LINE__); \
+ dump_stack(); \
+ } \
+} while(0)
+
+#define BUG_TRAP(x) do { \
+ if (unlikely(!(x))) { \
+ printk(KERN_ERR "KERNEL: assertion (%s) failed at %s (%d)\n", \
+ #x, __FILE__ , __LINE__); \
+ } \
+} while(0)
+
+#endif /* __KERNEL__ */
+
+
+#endif /* __LINUX_RTNETLINK_H */
diff --git a/src/include/linux/udp.h b/src/include/linux/udp.h
new file mode 100644
index 000000000..2ee121bd0
--- /dev/null
+++ b/src/include/linux/udp.h
@@ -0,0 +1,63 @@
+/*
+ * INET An implementation of the TCP/IP protocol suite for the LINUX
+ * operating system. INET is implemented using the BSD Socket
+ * interface as the means of communication with the user level.
+ *
+ * Definitions for the UDP protocol.
+ *
+ * Version: @(#)udp.h 1.0.2 04/28/93
+ *
+ * Author: Fred N. van Kempen, <waltje@uWalt.NL.Mugnet.ORG>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+#ifndef _LINUX_UDP_H
+#define _LINUX_UDP_H
+
+#include <linux/types.h>
+
+struct udphdr {
+ __u16 source;
+ __u16 dest;
+ __u16 len;
+ __u16 check;
+};
+
+/* UDP socket options */
+#define UDP_CORK 1 /* Never send partially complete segments */
+#define UDP_ENCAP 100 /* Set the socket to accept encapsulated packets */
+
+/* UDP encapsulation types */
+#define UDP_ENCAP_ESPINUDP_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01 */
+#define UDP_ENCAP_ESPINUDP 2 /* draft-ietf-ipsec-udp-encaps-06 */
+
+#ifdef __KERNEL__
+#include <linux/config.h>
+#include <linux/types.h>
+
+#include <net/inet_sock.h>
+
+struct udp_sock {
+ /* inet_sock has to be the first member */
+ struct inet_sock inet;
+ int pending; /* Any pending frames ? */
+ unsigned int corkflag; /* Cork is required */
+ __u16 encap_type; /* Is this an Encapsulation socket? */
+ /*
+ * Following member retains the infomation to create a UDP header
+ * when the socket is uncorked.
+ */
+ __u16 len; /* total length of pending frames */
+};
+
+static __inline__ struct udp_sock *udp_sk(const struct sock *sk)
+{
+ return (struct udp_sock *)sk;
+}
+
+#endif
+
+#endif /* _LINUX_UDP_H */
diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h
new file mode 100644
index 000000000..6b42cc474
--- /dev/null
+++ b/src/include/linux/xfrm.h
@@ -0,0 +1,343 @@
+#ifndef _LINUX_XFRM_H
+#define _LINUX_XFRM_H
+
+#include <linux/types.h>
+
+/* All of the structures in this file may not change size as they are
+ * passed into the kernel from userspace via netlink sockets.
+ */
+
+/* Structure to encapsulate addresses. I do not want to use
+ * "standard" structure. My apologies.
+ */
+typedef union
+{
+ __u32 a4;
+ __u32 a6[4];
+} xfrm_address_t;
+
+/* Ident of a specific xfrm_state. It is used on input to lookup
+ * the state by (spi,daddr,ah/esp) or to store information about
+ * spi, protocol and tunnel address on output.
+ */
+struct xfrm_id
+{
+ xfrm_address_t daddr;
+ __u32 spi;
+ __u8 proto;
+};
+
+struct xfrm_sec_ctx {
+ __u8 ctx_doi;
+ __u8 ctx_alg;
+ __u16 ctx_len;
+ __u32 ctx_sid;
+ char ctx_str[0];
+};
+
+/* Security Context Domains of Interpretation */
+#define XFRM_SC_DOI_RESERVED 0
+#define XFRM_SC_DOI_LSM 1
+
+/* Security Context Algorithms */
+#define XFRM_SC_ALG_RESERVED 0
+#define XFRM_SC_ALG_SELINUX 1
+
+/* Selector, used as selector both on policy rules (SPD) and SAs. */
+
+struct xfrm_selector
+{
+ xfrm_address_t daddr;
+ xfrm_address_t saddr;
+ __u16 dport;
+ __u16 dport_mask;
+ __u16 sport;
+ __u16 sport_mask;
+ __u16 family;
+ __u8 prefixlen_d;
+ __u8 prefixlen_s;
+ __u8 proto;
+ int ifindex;
+ uid_t user;
+};
+
+#define XFRM_INF (~(__u64)0)
+
+struct xfrm_lifetime_cfg
+{
+ __u64 soft_byte_limit;
+ __u64 hard_byte_limit;
+ __u64 soft_packet_limit;
+ __u64 hard_packet_limit;
+ __u64 soft_add_expires_seconds;
+ __u64 hard_add_expires_seconds;
+ __u64 soft_use_expires_seconds;
+ __u64 hard_use_expires_seconds;
+};
+
+struct xfrm_lifetime_cur
+{
+ __u64 bytes;
+ __u64 packets;
+ __u64 add_time;
+ __u64 use_time;
+};
+
+struct xfrm_replay_state
+{
+ __u32 oseq;
+ __u32 seq;
+ __u32 bitmap;
+};
+
+struct xfrm_algo {
+ char alg_name[64];
+ int alg_key_len; /* in bits */
+ char alg_key[0];
+};
+
+struct xfrm_stats {
+ __u32 replay_window;
+ __u32 replay;
+ __u32 integrity_failed;
+};
+
+enum
+{
+ XFRM_POLICY_IN = 0,
+ XFRM_POLICY_OUT = 1,
+ XFRM_POLICY_FWD = 2,
+ XFRM_POLICY_MAX = 3
+};
+
+enum
+{
+ XFRM_SHARE_ANY, /* No limitations */
+ XFRM_SHARE_SESSION, /* For this session only */
+ XFRM_SHARE_USER, /* For this user only */
+ XFRM_SHARE_UNIQUE /* Use once */
+};
+
+/* Netlink configuration messages. */
+enum {
+ XFRM_MSG_BASE = 0x10,
+
+ XFRM_MSG_NEWSA = 0x10,
+#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
+ XFRM_MSG_DELSA,
+#define XFRM_MSG_DELSA XFRM_MSG_DELSA
+ XFRM_MSG_GETSA,
+#define XFRM_MSG_GETSA XFRM_MSG_GETSA
+
+ XFRM_MSG_NEWPOLICY,
+#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
+ XFRM_MSG_DELPOLICY,
+#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
+ XFRM_MSG_GETPOLICY,
+#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
+
+ XFRM_MSG_ALLOCSPI,
+#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
+ XFRM_MSG_ACQUIRE,
+#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
+ XFRM_MSG_EXPIRE,
+#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
+
+ XFRM_MSG_UPDPOLICY,
+#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
+ XFRM_MSG_UPDSA,
+#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
+
+ XFRM_MSG_POLEXPIRE,
+#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
+
+ XFRM_MSG_FLUSHSA,
+#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
+ XFRM_MSG_FLUSHPOLICY,
+#define XFRM_MSG_FLUSHPOLICY XFRM_MSG_FLUSHPOLICY
+
+ XFRM_MSG_NEWAE,
+#define XFRM_MSG_NEWAE XFRM_MSG_NEWAE
+ XFRM_MSG_GETAE,
+#define XFRM_MSG_GETAE XFRM_MSG_GETAE
+ __XFRM_MSG_MAX
+};
+#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
+
+#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
+
+/*
+ * Generic LSM security context for comunicating to user space
+ * NOTE: Same format as sadb_x_sec_ctx
+ */
+struct xfrm_user_sec_ctx {
+ __u16 len;
+ __u16 exttype;
+ __u8 ctx_alg; /* LSMs: e.g., selinux == 1 */
+ __u8 ctx_doi;
+ __u16 ctx_len;
+};
+
+struct xfrm_user_tmpl {
+ struct xfrm_id id;
+ __u16 family;
+ xfrm_address_t saddr;
+ __u32 reqid;
+ __u8 mode;
+ __u8 share;
+ __u8 optional;
+ __u32 aalgos;
+ __u32 ealgos;
+ __u32 calgos;
+};
+
+struct xfrm_encap_tmpl {
+ __u16 encap_type;
+ __u16 encap_sport;
+ __u16 encap_dport;
+ xfrm_address_t encap_oa;
+};
+
+/* AEVENT flags */
+enum xfrm_ae_ftype_t {
+ XFRM_AE_UNSPEC,
+ XFRM_AE_RTHR=1, /* replay threshold*/
+ XFRM_AE_RVAL=2, /* replay value */
+ XFRM_AE_LVAL=4, /* lifetime value */
+ XFRM_AE_ETHR=8, /* expiry timer threshold */
+ XFRM_AE_CR=16, /* Event cause is replay update */
+ XFRM_AE_CE=32, /* Event cause is timer expiry */
+ XFRM_AE_CU=64, /* Event cause is policy update */
+ __XFRM_AE_MAX
+
+#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
+};
+
+/* Netlink message attributes. */
+enum xfrm_attr_type_t {
+ XFRMA_UNSPEC,
+ XFRMA_ALG_AUTH, /* struct xfrm_algo */
+ XFRMA_ALG_CRYPT, /* struct xfrm_algo */
+ XFRMA_ALG_COMP, /* struct xfrm_algo */
+ XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */
+ XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
+ XFRMA_SA,
+ XFRMA_POLICY,
+ XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */
+ XFRMA_LTIME_VAL,
+ XFRMA_REPLAY_VAL,
+ XFRMA_REPLAY_THRESH,
+ XFRMA_ETIMER_THRESH,
+ __XFRMA_MAX
+
+#define XFRMA_MAX (__XFRMA_MAX - 1)
+};
+
+struct xfrm_usersa_info {
+ struct xfrm_selector sel;
+ struct xfrm_id id;
+ xfrm_address_t saddr;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ struct xfrm_stats stats;
+ __u32 seq;
+ __u32 reqid;
+ __u16 family;
+ __u8 mode; /* 0=transport,1=tunnel */
+ __u8 replay_window;
+ __u8 flags;
+#define XFRM_STATE_NOECN 1
+#define XFRM_STATE_DECAP_DSCP 2
+#define XFRM_STATE_NOPMTUDISC 4
+};
+
+struct xfrm_usersa_id {
+ xfrm_address_t daddr;
+ __u32 spi;
+ __u16 family;
+ __u8 proto;
+};
+
+struct xfrm_aevent_id {
+ struct xfrm_usersa_id sa_id;
+ __u32 flags;
+};
+
+struct xfrm_userspi_info {
+ struct xfrm_usersa_info info;
+ __u32 min;
+ __u32 max;
+};
+
+struct xfrm_userpolicy_info {
+ struct xfrm_selector sel;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ __u32 priority;
+ __u32 index;
+ __u8 dir;
+ __u8 action;
+#define XFRM_POLICY_ALLOW 0
+#define XFRM_POLICY_BLOCK 1
+ __u8 flags;
+#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
+ __u8 share;
+};
+
+struct xfrm_userpolicy_id {
+ struct xfrm_selector sel;
+ __u32 index;
+ __u8 dir;
+};
+
+struct xfrm_user_acquire {
+ struct xfrm_id id;
+ xfrm_address_t saddr;
+ struct xfrm_selector sel;
+ struct xfrm_userpolicy_info policy;
+ __u32 aalgos;
+ __u32 ealgos;
+ __u32 calgos;
+ __u32 seq;
+};
+
+struct xfrm_user_expire {
+ struct xfrm_usersa_info state;
+ __u8 hard;
+};
+
+struct xfrm_user_polexpire {
+ struct xfrm_userpolicy_info pol;
+ __u8 hard;
+};
+
+struct xfrm_usersa_flush {
+ __u8 proto;
+};
+
+#ifndef __KERNEL__
+/* backwards compatibility for userspace */
+#define XFRMGRP_ACQUIRE 1
+#define XFRMGRP_EXPIRE 2
+#define XFRMGRP_SA 4
+#define XFRMGRP_POLICY 8
+#endif
+
+enum xfrm_nlgroups {
+ XFRMNLGRP_NONE,
+#define XFRMNLGRP_NONE XFRMNLGRP_NONE
+ XFRMNLGRP_ACQUIRE,
+#define XFRMNLGRP_ACQUIRE XFRMNLGRP_ACQUIRE
+ XFRMNLGRP_EXPIRE,
+#define XFRMNLGRP_EXPIRE XFRMNLGRP_EXPIRE
+ XFRMNLGRP_SA,
+#define XFRMNLGRP_SA XFRMNLGRP_SA
+ XFRMNLGRP_POLICY,
+#define XFRMNLGRP_POLICY XFRMNLGRP_POLICY
+ XFRMNLGRP_AEVENTS,
+#define XFRMNLGRP_AEVENTS XFRMNLGRP_AEVENTS
+ __XFRMNLGRP_MAX
+};
+#define XFRMNLGRP_MAX (__XFRMNLGRP_MAX - 1)
+
+#endif /* _LINUX_XFRM_H */
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index eaf0e9d79..3a12ba5b9 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -98,6 +98,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -110,6 +111,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -120,8 +122,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -143,6 +149,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -152,6 +159,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -165,9 +174,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -182,6 +195,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
sbin_SCRIPTS = ipsec
CLEANFILES = ipsec
dist_man8_MANS = ipsec.8
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in
index bd74b6f16..067d24784 100755
--- a/src/ipsec/ipsec.in
+++ b/src/ipsec/ipsec.in
@@ -111,10 +111,8 @@ down)
fi
exit 0
;;
-listalgs|listpubkeys|listaacerts|\
-listacerts|listgroups|\listcards|\
-rereadsecrets|rereadgroups|\
-rereadaacerts|rereadacerts)
+listalgs|listpubkeys|\listcards|\
+rereadsecrets|rereadgroups)
op="$1"
shift
if test -e $IPSEC_PLUTO_PID
@@ -123,9 +121,11 @@ rereadaacerts|rereadacerts)
fi
exit 0
;;
-listcerts|listcacerts|listocspcerts|\
+listcerts|listcacerts|listaacerts|\
+listacerts|listgroups|listocspcerts|\
listcainfos|listcrls|listocsp|listall|\
-rereadcacerts|rereadocspcerts|rereadcrls|\
+rereadcacerts|rereadaacerts|rereadacerts|\
+rereadocspcerts|rereadcrls|\
rereadall|purgeocsp)
op="$1"
shift
diff --git a/src/libcrypto/Makefile.am b/src/libcrypto/Makefile.am
index 23066033d..4416c8daf 100644
--- a/src/libcrypto/Makefile.am
+++ b/src/libcrypto/Makefile.am
@@ -5,7 +5,7 @@ include/md32_common.h include/cbc_generic.h include/hmac_generic.h libblowfish/b
libblowfish/bf_pi.h libblowfish/bf_locl.h libblowfish/bf_enc.c libsha2/hmac_sha2.c libsha2/sha2.h libsha2/hmac_sha2.h \
libsha2/sha2.c libserpent/serpent_cbc.c libserpent/serpent_cbc.h libserpent/serpent.c libserpent/serpent.h \
libtwofish/twofish_cbc.h libtwofish/twofish_cbc.c libtwofish/twofish.c libtwofish/twofish.h libdes/des_enc.c \
-libdes/podd.h libdes/sk.h libdes/set_key.c libdes/speed.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
-libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_opts.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
+libdes/podd.h libdes/sk.h libdes/set_key.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
+libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
INCLUDES = -I$(top_srcdir)/src/libcrypto/include
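Review bot: After dropping `libdes/speed.c` and `libdes/des_opts.c` from `libcrypto_a_SOURCES`, `libdes/destest.c` is still listed on the new line; judging by its name it is the same kind of standalone driver as the two removed files, and if it also defines `main()` it does not belong in a library archive either (the deleted `des_opts.c` later in this diff shows the pattern). If that is confirmed, the line becomes `libdes/podd.h libdes/sk.h libdes/set_key.c libdes/fcrypt_b.c libdes/fcrypt.c \`. The mirrored generated hunk in `src/libcrypto/Makefile.in` would then be regenerated rather than hand-edited.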
diff --git a/src/libcrypto/Makefile.in b/src/libcrypto/Makefile.in
index 63b7d4907..dca1b18e7 100644
--- a/src/libcrypto/Makefile.in
+++ b/src/libcrypto/Makefile.in
@@ -52,9 +52,9 @@ am_libcrypto_a_OBJECTS = aes_xcbc_mac.$(OBJEXT) aes_cbc.$(OBJEXT) \
aes.$(OBJEXT) bf_skey.$(OBJEXT) bf_enc.$(OBJEXT) \
hmac_sha2.$(OBJEXT) sha2.$(OBJEXT) serpent_cbc.$(OBJEXT) \
serpent.$(OBJEXT) twofish_cbc.$(OBJEXT) twofish.$(OBJEXT) \
- des_enc.$(OBJEXT) set_key.$(OBJEXT) speed.$(OBJEXT) \
- fcrypt_b.$(OBJEXT) fcrypt.$(OBJEXT) destest.$(OBJEXT) \
- cbc_enc.$(OBJEXT) ecb_enc.$(OBJEXT) des_opts.$(OBJEXT)
+ des_enc.$(OBJEXT) set_key.$(OBJEXT) fcrypt_b.$(OBJEXT) \
+ fcrypt.$(OBJEXT) destest.$(OBJEXT) cbc_enc.$(OBJEXT) \
+ ecb_enc.$(OBJEXT)
libcrypto_a_OBJECTS = $(am_libcrypto_a_OBJECTS)
DEFAULT_INCLUDES = -I. -I$(srcdir)
depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -116,6 +116,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -128,6 +129,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -138,8 +140,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -161,6 +167,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -170,6 +177,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -183,9 +192,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -200,6 +213,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
noinst_LIBRARIES = libcrypto.a
libcrypto_a_SOURCES = \
libaes/aes_xcbc_mac.c libaes/aes_cbc.c libaes/aes_xcbc_mac.h libaes/aes_cbc.h libaes/aes.c libaes/aes.h \
@@ -207,8 +222,8 @@ include/md32_common.h include/cbc_generic.h include/hmac_generic.h libblowfish/b
libblowfish/bf_pi.h libblowfish/bf_locl.h libblowfish/bf_enc.c libsha2/hmac_sha2.c libsha2/sha2.h libsha2/hmac_sha2.h \
libsha2/sha2.c libserpent/serpent_cbc.c libserpent/serpent_cbc.h libserpent/serpent.c libserpent/serpent.h \
libtwofish/twofish_cbc.h libtwofish/twofish_cbc.c libtwofish/twofish.c libtwofish/twofish.h libdes/des_enc.c \
-libdes/podd.h libdes/sk.h libdes/set_key.c libdes/speed.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
-libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_opts.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
+libdes/podd.h libdes/sk.h libdes/set_key.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
+libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
INCLUDES = -I$(top_srcdir)/src/libcrypto/include
all: all-am
@@ -265,7 +280,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bf_skey.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cbc_enc.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_enc.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_opts.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/destest.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ecb_enc.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fcrypt.Po@am__quote@
@@ -275,7 +289,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent_cbc.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_key.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/speed.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish_cbc.Po@am__quote@
@@ -482,20 +495,6 @@ set_key.obj: libdes/set_key.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_key.obj `if test -f 'libdes/set_key.c'; then $(CYGPATH_W) 'libdes/set_key.c'; else $(CYGPATH_W) '$(srcdir)/libdes/set_key.c'; fi`
-speed.o: libdes/speed.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT speed.o -MD -MP -MF "$(DEPDIR)/speed.Tpo" -c -o speed.o `test -f 'libdes/speed.c' || echo '$(srcdir)/'`libdes/speed.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/speed.Tpo" "$(DEPDIR)/speed.Po"; else rm -f "$(DEPDIR)/speed.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/speed.c' object='speed.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o speed.o `test -f 'libdes/speed.c' || echo '$(srcdir)/'`libdes/speed.c
-
-speed.obj: libdes/speed.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT speed.obj -MD -MP -MF "$(DEPDIR)/speed.Tpo" -c -o speed.obj `if test -f 'libdes/speed.c'; then $(CYGPATH_W) 'libdes/speed.c'; else $(CYGPATH_W) '$(srcdir)/libdes/speed.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/speed.Tpo" "$(DEPDIR)/speed.Po"; else rm -f "$(DEPDIR)/speed.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/speed.c' object='speed.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o speed.obj `if test -f 'libdes/speed.c'; then $(CYGPATH_W) 'libdes/speed.c'; else $(CYGPATH_W) '$(srcdir)/libdes/speed.c'; fi`
-
fcrypt_b.o: libdes/fcrypt_b.c
@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fcrypt_b.o -MD -MP -MF "$(DEPDIR)/fcrypt_b.Tpo" -c -o fcrypt_b.o `test -f 'libdes/fcrypt_b.c' || echo '$(srcdir)/'`libdes/fcrypt_b.c; \
@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/fcrypt_b.Tpo" "$(DEPDIR)/fcrypt_b.Po"; else rm -f "$(DEPDIR)/fcrypt_b.Tpo"; exit 1; fi
@@ -566,20 +565,6 @@ ecb_enc.obj: libdes/ecb_enc.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ecb_enc.obj `if test -f 'libdes/ecb_enc.c'; then $(CYGPATH_W) 'libdes/ecb_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/ecb_enc.c'; fi`
-des_opts.o: libdes/des_opts.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_opts.o -MD -MP -MF "$(DEPDIR)/des_opts.Tpo" -c -o des_opts.o `test -f 'libdes/des_opts.c' || echo '$(srcdir)/'`libdes/des_opts.c; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/des_opts.Tpo" "$(DEPDIR)/des_opts.Po"; else rm -f "$(DEPDIR)/des_opts.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/des_opts.c' object='des_opts.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_opts.o `test -f 'libdes/des_opts.c' || echo '$(srcdir)/'`libdes/des_opts.c
-
-des_opts.obj: libdes/des_opts.c
-@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_opts.obj -MD -MP -MF "$(DEPDIR)/des_opts.Tpo" -c -o des_opts.obj `if test -f 'libdes/des_opts.c'; then $(CYGPATH_W) 'libdes/des_opts.c'; else $(CYGPATH_W) '$(srcdir)/libdes/des_opts.c'; fi`; \
-@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/des_opts.Tpo" "$(DEPDIR)/des_opts.Po"; else rm -f "$(DEPDIR)/des_opts.Tpo"; exit 1; fi
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/des_opts.c' object='des_opts.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_opts.obj `if test -f 'libdes/des_opts.c'; then $(CYGPATH_W) 'libdes/des_opts.c'; else $(CYGPATH_W) '$(srcdir)/libdes/des_opts.c'; fi`
-
mostlyclean-libtool:
-rm -f *.lo
diff --git a/src/libcrypto/libdes/des_opts.c b/src/libcrypto/libdes/des_opts.c
deleted file mode 100644
index b6693c405..000000000
--- a/src/libcrypto/libdes/des_opts.c
+++ /dev/null
@@ -1,620 +0,0 @@
-/* crypto/des/des_opts.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* define PART1, PART2, PART3 or PART4 to build only with a few of the options.
- * This is for machines with 64k code segment size restrictions. */
-
-#ifndef MSDOS
-#define TIMES
-#endif
-
-#include <stdio.h>
-#ifndef MSDOS
-#include <unistd.h>
-#else
-#include <io.h>
-extern void exit();
-#endif
-#include <signal.h>
-#ifndef VMS
-#ifndef _IRIX
-#include <time.h>
-#endif
-#ifdef TIMES
-#include <sys/types.h>
-#include <sys/times.h>
-#endif
-#else /* VMS */
-#include <types.h>
-struct tms {
- time_t tms_utime;
- time_t tms_stime;
- time_t tms_uchild; /* I dunno... */
- time_t tms_uchildsys; /* so these names are a guess :-) */
- }
-#endif
-#ifndef TIMES
-#include <sys/timeb.h>
-#endif
-
-#ifdef sun
-#include <limits.h>
-#include <sys/param.h>
-#endif
-
-#include "des_locl.h"
-#include "spr.h"
-
-#define DES_DEFAULT_OPTIONS
-
-#if !defined(PART1) && !defined(PART2) && !defined(PART3) && !defined(PART4)
-#define PART1
-#define PART2
-#define PART3
-#define PART4
-#endif
-
-#ifdef PART1
-
-#undef DES_UNROLL
-#undef DES_RISC1
-#undef DES_RISC2
-#undef DES_PTR
-#undef D_ENCRYPT
-#define des_encrypt des_encrypt_u4_cisc_idx
-#define des_encrypt2 des_encrypt2_u4_cisc_idx
-#define des_encrypt3 des_encrypt3_u4_cisc_idx
-#define des_decrypt3 des_decrypt3_u4_cisc_idx
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#define DES_UNROLL
-#undef DES_RISC1
-#undef DES_RISC2
-#undef DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_cisc_idx
-#define des_encrypt2 des_encrypt2_u16_cisc_idx
-#define des_encrypt3 des_encrypt3_u16_cisc_idx
-#define des_decrypt3 des_decrypt3_u16_cisc_idx
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#undef DES_UNROLL
-#define DES_RISC1
-#undef DES_RISC2
-#undef DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u4_risc1_idx
-#define des_encrypt2 des_encrypt2_u4_risc1_idx
-#define des_encrypt3 des_encrypt3_u4_risc1_idx
-#define des_decrypt3 des_decrypt3_u4_risc1_idx
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#endif
-
-#ifdef PART2
-
-#undef DES_UNROLL
-#undef DES_RISC1
-#define DES_RISC2
-#undef DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u4_risc2_idx
-#define des_encrypt2 des_encrypt2_u4_risc2_idx
-#define des_encrypt3 des_encrypt3_u4_risc2_idx
-#define des_decrypt3 des_decrypt3_u4_risc2_idx
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#define DES_UNROLL
-#define DES_RISC1
-#undef DES_RISC2
-#undef DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_risc1_idx
-#define des_encrypt2 des_encrypt2_u16_risc1_idx
-#define des_encrypt3 des_encrypt3_u16_risc1_idx
-#define des_decrypt3 des_decrypt3_u16_risc1_idx
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#define DES_UNROLL
-#undef DES_RISC1
-#define DES_RISC2
-#undef DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_risc2_idx
-#define des_encrypt2 des_encrypt2_u16_risc2_idx
-#define des_encrypt3 des_encrypt3_u16_risc2_idx
-#define des_decrypt3 des_decrypt3_u16_risc2_idx
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#endif
-
-#ifdef PART3
-
-#undef DES_UNROLL
-#undef DES_RISC1
-#undef DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u4_cisc_ptr
-#define des_encrypt2 des_encrypt2_u4_cisc_ptr
-#define des_encrypt3 des_encrypt3_u4_cisc_ptr
-#define des_decrypt3 des_decrypt3_u4_cisc_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#define DES_UNROLL
-#undef DES_RISC1
-#undef DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_cisc_ptr
-#define des_encrypt2 des_encrypt2_u16_cisc_ptr
-#define des_encrypt3 des_encrypt3_u16_cisc_ptr
-#define des_decrypt3 des_decrypt3_u16_cisc_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#undef DES_UNROLL
-#define DES_RISC1
-#undef DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u4_risc1_ptr
-#define des_encrypt2 des_encrypt2_u4_risc1_ptr
-#define des_encrypt3 des_encrypt3_u4_risc1_ptr
-#define des_decrypt3 des_decrypt3_u4_risc1_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#endif
-
-#ifdef PART4
-
-#undef DES_UNROLL
-#undef DES_RISC1
-#define DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u4_risc2_ptr
-#define des_encrypt2 des_encrypt2_u4_risc2_ptr
-#define des_encrypt3 des_encrypt3_u4_risc2_ptr
-#define des_decrypt3 des_decrypt3_u4_risc2_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#define DES_UNROLL
-#define DES_RISC1
-#undef DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_risc1_ptr
-#define des_encrypt2 des_encrypt2_u16_risc1_ptr
-#define des_encrypt3 des_encrypt3_u16_risc1_ptr
-#define des_decrypt3 des_decrypt3_u16_risc1_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#define DES_UNROLL
-#undef DES_RISC1
-#define DES_RISC2
-#define DES_PTR
-#undef D_ENCRYPT
-#undef des_encrypt
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt des_encrypt_u16_risc2_ptr
-#define des_encrypt2 des_encrypt2_u16_risc2_ptr
-#define des_encrypt3 des_encrypt3_u16_risc2_ptr
-#define des_decrypt3 des_decrypt3_u16_risc2_ptr
-#undef HEADER_DES_LOCL_H
-#include "des_enc.c"
-
-#endif
-
-/* The following if from times(3) man page. It may need to be changed */
-#ifndef HZ
-# ifndef CLK_TCK
-# ifndef _BSD_CLK_TCK_ /* FreeBSD fix */
-# ifndef VMS
-# define HZ 100.0
-# else /* VMS */
-# define HZ 100.0
-# endif
-# else /* _BSD_CLK_TCK_ */
-# define HZ ((double)_BSD_CLK_TCK_)
-# endif
-# else /* CLK_TCK */
-# define HZ ((double)CLK_TCK)
-# endif
-#endif
-
-#define BUFSIZE ((long)1024)
-long run=0;
-
-#ifndef NOPROTO
-double Time_F(int s);
-#else
-double Time_F();
-#endif
-
-#ifdef SIGALRM
-#if defined(__STDC__) || defined(sgi)
-#define SIGRETTYPE void
-#else
-#define SIGRETTYPE int
-#endif
-
-#ifndef NOPROTO
-SIGRETTYPE sig_done(int sig);
-#else
-SIGRETTYPE sig_done();
-#endif
-
-SIGRETTYPE sig_done(sig)
-int sig;
- {
- signal(SIGALRM,sig_done);
- run=0;
-#ifdef LINT
- sig=sig;
-#endif
- }
-#endif
-
-#define START 0
-#define STOP 1
-
-double Time_F(s)
-int s;
- {
- double ret;
-#ifdef TIMES
- static struct tms tstart,tend;
-
- if (s == START)
- {
- times(&tstart);
- return(0);
- }
- else
- {
- times(&tend);
- ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
- return((ret == 0.0)?1e-6:ret);
- }
-#else /* !times() */
- static struct timeb tstart,tend;
- long i;
-
- if (s == START)
- {
- ftime(&tstart);
- return(0);
- }
- else
- {
- ftime(&tend);
- i=(long)tend.millitm-(long)tstart.millitm;
- ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
- return((ret == 0.0)?1e-6:ret);
- }
-#endif
- }
-
-#ifdef SIGALRM
-#define print_name(name) fprintf(stderr,"Doing %s's for 10 seconds\n",name); alarm(10);
-#else
-#define print_name(name) fprintf(stderr,"Doing %s %ld times\n",name,cb);
-#endif
-
-#define time_it(func,name,index) \
- print_name(name); \
- Time_F(START); \
- for (count=0,run=1; COND(cb); count++) \
- { \
- unsigned long d[2]; \
- func(d,&(sch[0]),DES_ENCRYPT); \
- } \
- tm[index]=Time_F(STOP); \
- fprintf(stderr,"%ld %s's in %.2f second\n",count,name,tm[index]); \
- tm[index]=((double)COUNT(cb))/tm[index];
-
-#define print_it(name,index) \
- fprintf(stderr,"%s bytes per sec = %12.2f (%5.1fuS)\n",name, \
- tm[index]*8,1.0e6/tm[index]);
-
-int main(argc,argv)
-int argc;
-char **argv;
- {
- long count;
- static unsigned char buf[BUFSIZE];
- static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
- static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
- static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
- des_key_schedule sch,sch2,sch3;
- double d,tm[16],max=0;
- int rank[16];
- char *str[16];
- int max_idx=0,i,num=0,j;
-#ifndef SIGALARM
- long ca,cb,cc,cd,ce;
-#endif
-
- for (i=0; i<12; i++)
- {
- tm[i]=0.0;
- rank[i]=0;
- }
-
-#ifndef TIMES
- fprintf(stderr,"To get the most acurate results, try to run this\n");
- fprintf(stderr,"program when this computer is idle.\n");
-#endif
-
- des_set_key((C_Block *)key,sch);
- des_set_key((C_Block *)key2,sch2);
- des_set_key((C_Block *)key3,sch3);
-
-#ifndef SIGALRM
- fprintf(stderr,"First we calculate the approximate speed ...\n");
- des_set_key((C_Block *)key,sch);
- count=10;
- do {
- long i;
- unsigned long data[2];
-
- count*=2;
- Time_F(START);
- for (i=count; i; i--)
- des_encrypt(data,&(sch[0]),DES_ENCRYPT);
- d=Time_F(STOP);
- } while (d < 3.0);
- ca=count;
- cb=count*3;
- cc=count*3*8/BUFSIZE+1;
- cd=count*8/BUFSIZE+1;
-
- ce=count/20+1;
-#define COND(d) (count != (d))
-#define COUNT(d) (d)
-#else
-#define COND(c) (run)
-#define COUNT(d) (count)
- signal(SIGALRM,sig_done);
- alarm(10);
-#endif
-
-#ifdef PART1
- time_it(des_encrypt_u4_cisc_idx, "des_encrypt_u4_cisc_idx ", 0);
- time_it(des_encrypt_u16_cisc_idx, "des_encrypt_u16_cisc_idx ", 1);
- time_it(des_encrypt_u4_risc1_idx, "des_encrypt_u4_risc1_idx ", 2);
- num+=3;
-#endif
-#ifdef PART2
- time_it(des_encrypt_u16_risc1_idx,"des_encrypt_u16_risc1_idx", 3);
- time_it(des_encrypt_u4_risc2_idx, "des_encrypt_u4_risc2_idx ", 4);
- time_it(des_encrypt_u16_risc2_idx,"des_encrypt_u16_risc2_idx", 5);
- num+=3;
-#endif
-#ifdef PART3
- time_it(des_encrypt_u4_cisc_ptr, "des_encrypt_u4_cisc_ptr ", 6);
- time_it(des_encrypt_u16_cisc_ptr, "des_encrypt_u16_cisc_ptr ", 7);
- time_it(des_encrypt_u4_risc1_ptr, "des_encrypt_u4_risc1_ptr ", 8);
- num+=3;
-#endif
-#ifdef PART4
- time_it(des_encrypt_u16_risc1_ptr,"des_encrypt_u16_risc1_ptr", 9);
- time_it(des_encrypt_u4_risc2_ptr, "des_encrypt_u4_risc2_ptr ",10);
- time_it(des_encrypt_u16_risc2_ptr,"des_encrypt_u16_risc2_ptr",11);
- num+=3;
-#endif
-
-#ifdef PART1
- str[0]=" 4 c i";
- print_it("des_encrypt_u4_cisc_idx ",0);
- max=tm[0];
- max_idx=0;
- str[1]="16 c i";
- print_it("des_encrypt_u16_cisc_idx ",1);
- if (max < tm[1]) { max=tm[1]; max_idx=1; }
- str[2]=" 4 r1 i";
- print_it("des_encrypt_u4_risc1_idx ",2);
- if (max < tm[2]) { max=tm[2]; max_idx=2; }
-#endif
-#ifdef PART2
- str[3]="16 r1 i";
- print_it("des_encrypt_u16_risc1_idx",3);
- if (max < tm[3]) { max=tm[3]; max_idx=3; }
- str[4]=" 4 r2 i";
- print_it("des_encrypt_u4_risc2_idx ",4);
- if (max < tm[4]) { max=tm[4]; max_idx=4; }
- str[5]="16 r2 i";
- print_it("des_encrypt_u16_risc2_idx",5);
- if (max < tm[5]) { max=tm[5]; max_idx=5; }
-#endif
-#ifdef PART3
- str[6]=" 4 c p";
- print_it("des_encrypt_u4_cisc_ptr ",6);
- if (max < tm[6]) { max=tm[6]; max_idx=6; }
- str[7]="16 c p";
- print_it("des_encrypt_u16_cisc_ptr ",7);
- if (max < tm[7]) { max=tm[7]; max_idx=7; }
- str[8]=" 4 r1 p";
- print_it("des_encrypt_u4_risc1_ptr ",8);
- if (max < tm[8]) { max=tm[8]; max_idx=8; }
-#endif
-#ifdef PART4
- str[9]="16 r1 p";
- print_it("des_encrypt_u16_risc1_ptr",9);
- if (max < tm[9]) { max=tm[9]; max_idx=9; }
- str[10]=" 4 r2 p";
- print_it("des_encrypt_u4_risc2_ptr ",10);
- if (max < tm[10]) { max=tm[10]; max_idx=10; }
- str[11]="16 r2 p";
- print_it("des_encrypt_u16_risc2_ptr",11);
- if (max < tm[11]) { max=tm[11]; max_idx=11; }
-#endif
- printf("options des ecb/s\n");
- printf("%s %12.2f 100.0%%\n",str[max_idx],tm[max_idx]);
- d=tm[max_idx];
- tm[max_idx]= -2.0;
- max= -1.0;
- for (;;)
- {
- for (i=0; i<12; i++)
- {
- if (max < tm[i]) { max=tm[i]; j=i; }
- }
- if (max < 0.0) break;
- printf("%s %12.2f %4.1f%%\n",str[j],tm[j],tm[j]/d*100.0);
- tm[j]= -2.0;
- max= -1.0;
- }
-
- switch (max_idx)
- {
- case 0:
- printf("-DDES_DEFAULT_OPTIONS\n");
- break;
- case 1:
- printf("-DDES_UNROLL\n");
- break;
- case 2:
- printf("-DDES_RISC1\n");
- break;
- case 3:
- printf("-DDES_UNROLL -DDES_RISC1\n");
- break;
- case 4:
- printf("-DDES_RISC2\n");
- break;
- case 5:
- printf("-DDES_UNROLL -DDES_RISC2\n");
- break;
- case 6:
- printf("-DDES_PTR\n");
- break;
- case 7:
- printf("-DDES_UNROLL -DDES_PTR\n");
- break;
- case 8:
- printf("-DDES_RISC1 -DDES_PTR\n");
- break;
- case 9:
- printf("-DDES_UNROLL -DDES_RISC1 -DDES_PTR\n");
- break;
- case 10:
- printf("-DDES_RISC2 -DDES_PTR\n");
- break;
- case 11:
- printf("-DDES_UNROLL -DDES_RISC2 -DDES_PTR\n");
- break;
- }
- exit(0);
-#if defined(LINT) || defined(MSDOS)
- return(0);
-#endif
- }
diff --git a/src/libcrypto/libdes/speed.c b/src/libcrypto/libdes/speed.c
deleted file mode 100644
index e3d753b2e..000000000
--- a/src/libcrypto/libdes/speed.c
+++ /dev/null
@@ -1,329 +0,0 @@
-/* crypto/des/speed.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* 11-Sep-92 Andrew Daviel Support for Silicon Graphics IRIX added */
-/* 06-Apr-92 Luke Brennan Support for VMS and add extra signal calls */
-
-#ifndef MSDOS
-#define TIMES
-#endif
-
-#include <stdio.h>
-#ifndef MSDOS
-#include <unistd.h>
-#else
-#include <io.h>
-extern int exit();
-#endif
-#include <signal.h>
-#ifndef VMS
-#ifndef _IRIX
-#include <time.h>
-#endif
-#ifdef TIMES
-#include <sys/types.h>
-#include <sys/times.h>
-#endif
-#else /* VMS */
-#include <types.h>
-struct tms {
- time_t tms_utime;
- time_t tms_stime;
- time_t tms_uchild; /* I dunno... */
- time_t tms_uchildsys; /* so these names are a guess :-) */
- }
-#endif
-#ifndef TIMES
-#include <sys/timeb.h>
-#endif
-
-#ifdef sun
-#include <limits.h>
-#include <sys/param.h>
-#endif
-
-#include "des_locl.h"
-
-/* The following if from times(3) man page. It may need to be changed */
-#ifndef HZ
-# ifndef CLK_TCK
-# ifndef _BSD_CLK_TCK_ /* FreeBSD fix */
-# ifndef VMS
-# define HZ 100.0
-# else /* VMS */
-# define HZ 100.0
-# endif
-# else /* _BSD_CLK_TCK_ */
-# define HZ ((double)_BSD_CLK_TCK_)
-# endif
-# else /* CLK_TCK */
-# define HZ ((double)CLK_TCK)
-# endif
-#endif
-
-#define BUFSIZE ((long)1024)
-long run=0;
-
-#ifndef NOPROTO
-double Time_F(int s);
-#else
-double Time_F();
-#endif
-
-#ifdef SIGALRM
-#if defined(__STDC__) || defined(sgi) || defined(_AIX)
-#define SIGRETTYPE void
-#else
-#define SIGRETTYPE int
-#endif
-
-#ifndef NOPROTO
-SIGRETTYPE sig_done(int sig);
-#else
-SIGRETTYPE sig_done();
-#endif
-
-SIGRETTYPE sig_done(sig)
-int sig;
- {
- signal(SIGALRM,sig_done);
- run=0;
-#ifdef LINT
- sig=sig;
-#endif
- }
-#endif
-
-#define START 0
-#define STOP 1
-
-double Time_F(s)
-int s;
- {
- double ret;
-#ifdef TIMES
- static struct tms tstart,tend;
-
- if (s == START)
- {
- times(&tstart);
- return(0);
- }
- else
- {
- times(&tend);
- ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
- return((ret == 0.0)?1e-6:ret);
- }
-#else /* !times() */
- static struct timeb tstart,tend;
- long i;
-
- if (s == START)
- {
- ftime(&tstart);
- return(0);
- }
- else
- {
- ftime(&tend);
- i=(long)tend.millitm-(long)tstart.millitm;
- ret=((double)(tend.time-tstart.time))+((double)i)/1e3;
- return((ret == 0.0)?1e-6:ret);
- }
-#endif
- }
-
-int main(argc,argv)
-int argc;
-char **argv;
- {
- long count;
- static unsigned char buf[BUFSIZE];
- static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
- static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
- static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
- des_key_schedule sch,sch2,sch3;
- double a,b,c,d,e;
-#ifndef SIGALRM
- long ca,cb,cc,cd,ce;
-#endif
-
-#ifndef TIMES
- printf("To get the most acurate results, try to run this\n");
- printf("program when this computer is idle.\n");
-#endif
-
- des_set_key((C_Block *)key2,sch2);
- des_set_key((C_Block *)key3,sch3);
-
-#ifndef SIGALRM
- printf("First we calculate the approximate speed ...\n");
- des_set_key((C_Block *)key,sch);
- count=10;
- do {
- long i;
- DES_LONG data[2];
-
- count*=2;
- Time_F(START);
- for (i=count; i; i--)
- des_encrypt(data,&(sch[0]),DES_ENCRYPT);
- d=Time_F(STOP);
- } while (d < 3.0);
- ca=count;
- cb=count*3;
- cc=count*3*8/BUFSIZE+1;
- cd=count*8/BUFSIZE+1;
- ce=count/20+1;
- printf("Doing set_key %ld times\n",ca);
-#define COND(d) (count != (d))
-#define COUNT(d) (d)
-#else
-#define COND(c) (run)
-#define COUNT(d) (count)
- signal(SIGALRM,sig_done);
- printf("Doing set_key for 10 seconds\n");
- alarm(10);
-#endif
-
- Time_F(START);
- for (count=0,run=1; COND(ca); count++)
- des_set_key((C_Block *)key,sch);
- d=Time_F(STOP);
- printf("%ld set_key's in %.2f seconds\n",count,d);
- a=((double)COUNT(ca))/d;
-
-#ifdef SIGALRM
- printf("Doing des_encrypt's for 10 seconds\n");
- alarm(10);
-#else
- printf("Doing des_encrypt %ld times\n",cb);
-#endif
- Time_F(START);
- for (count=0,run=1; COND(cb); count++)
- {
- DES_LONG data[2];
-
- des_encrypt(data,&(sch[0]),DES_ENCRYPT);
- }
- d=Time_F(STOP);
- printf("%ld des_encrypt's in %.2f second\n",count,d);
- b=((double)COUNT(cb)*8)/d;
-
-#ifdef SIGALRM
- printf("Doing des_cbc_encrypt on %ld byte blocks for 10 seconds\n",
- BUFSIZE);
- alarm(10);
-#else
- printf("Doing des_cbc_encrypt %ld times on %ld byte blocks\n",cc,
- BUFSIZE);
-#endif
- Time_F(START);
- for (count=0,run=1; COND(cc); count++)
- des_ncbc_encrypt((C_Block *)buf,(C_Block *)buf,BUFSIZE,&(sch[0]),
- (C_Block *)&(key[0]),DES_ENCRYPT);
- d=Time_F(STOP);
- printf("%ld des_cbc_encrypt's of %ld byte blocks in %.2f second\n",
- count,BUFSIZE,d);
- c=((double)COUNT(cc)*BUFSIZE)/d;
-
-#ifdef SIGALRM
- printf("Doing des_ede_cbc_encrypt on %ld byte blocks for 10 seconds\n",
- BUFSIZE);
- alarm(10);
-#else
- printf("Doing des_ede_cbc_encrypt %ld times on %ld byte blocks\n",cd,
- BUFSIZE);
-#endif
- Time_F(START);
- for (count=0,run=1; COND(cd); count++)
- des_ede3_cbc_encrypt((C_Block *)buf,(C_Block *)buf,BUFSIZE,
- &(sch[0]),
- &(sch2[0]),
- &(sch3[0]),
- (C_Block *)&(key[0]),
- DES_ENCRYPT);
- d=Time_F(STOP);
- printf("%ld des_ede_cbc_encrypt's of %ld byte blocks in %.2f second\n",
- count,BUFSIZE,d);
- d=((double)COUNT(cd)*BUFSIZE)/d;
-
-#ifdef SIGALRM
- printf("Doing crypt for 10 seconds\n");
- alarm(10);
-#else
- printf("Doing crypt %ld times\n",ce);
-#endif
- Time_F(START);
- for (count=0,run=1; COND(ce); count++)
- crypt("testing1","ef");
- e=Time_F(STOP);
- printf("%ld crypts in %.2f second\n",count,e);
- e=((double)COUNT(ce))/e;
-
- printf("set_key per sec = %12.2f (%9.3fuS)\n",a,1.0e6/a);
- printf("DES raw ecb bytes per sec = %12.2f (%9.3fuS)\n",b,8.0e6/b);
- printf("DES cbc bytes per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c);
- printf("DES ede cbc bytes per sec = %12.2f (%9.3fuS)\n",d,8.0e6/d);
- printf("crypt per sec = %12.2f (%9.3fuS)\n",e,1.0e6/e);
- exit(0);
-#if defined(LINT) || defined(MSDOS)
- return(0);
-#endif
- }
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index 97b53d7c0..fa57d5aab 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -129,6 +129,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -141,6 +142,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -151,8 +153,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -174,6 +180,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -183,6 +190,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -196,9 +205,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -213,6 +226,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
noinst_LIBRARIES = libfreeswan.a
libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
diff --git a/src/libfreeswan/ipsec_ah.h b/src/libfreeswan/ipsec_ah.h
index e088288d3..7a250248e 100644
--- a/src/libfreeswan/ipsec_ah.h
+++ b/src/libfreeswan/ipsec_ah.h
@@ -109,127 +109,3 @@ struct ahhdr /* Generic AH header */
extern int debug_ah;
#endif /* CONFIG_IPSEC_DEBUG */
#endif /* __KERNEL__ */
-
-/*
- * $Log: ipsec_ah.h,v $
- * Revision 1.2 2004/03/22 21:53:18 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.4.1 2004/03/16 09:48:18 as
- * alg-0.8.1rc12 patch merged
- *
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.20 2003/02/06 02:21:34 rgb
- *
- * Moved "struct auth_alg" from ipsec_rcv.c to ipsec_ah.h .
- * Changed "struct ah" to "struct ahhdr" and "struct esp" to "struct esphdr".
- * Removed "#ifdef INBOUND_POLICY_CHECK_eroute" dead code.
- *
- * Revision 1.19 2002/09/16 21:19:13 mcr
- * fixes for west-ah-icmp-01 - length of AH header must be
- * calculated properly, and next_header field properly copied.
- *
- * Revision 1.18 2002/05/14 02:37:02 rgb
- * Change reference from _TDB to _IPSA.
- *
- * Revision 1.17 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_ah.h,v
- *
- * Revision 1.16 2002/02/20 01:27:06 rgb
- * Ditched a pile of structs only used by the old Netlink interface.
- *
- * Revision 1.15 2001/12/11 02:35:57 rgb
- * Change "struct net_device" to "struct device" for 2.2 compatibility.
- *
- * Revision 1.14 2001/11/26 09:23:47 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.13.2.1 2001/09/25 02:18:24 mcr
- * replace "struct device" with "struct netdevice"
- *
- * Revision 1.13 2001/06/14 19:35:08 rgb
- * Update copyright date.
- *
- * Revision 1.12 2000/09/12 03:21:20 rgb
- * Cleared out unused htonq.
- *
- * Revision 1.11 2000/09/08 19:12:55 rgb
- * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- *
- * Revision 1.10 2000/01/21 06:13:10 rgb
- * Tidied up spacing.
- * Added macros for HMAC padding magic numbers.(kravietz)
- *
- * Revision 1.9 1999/12/07 18:16:23 rgb
- * Fixed comments at end of #endif lines.
- *
- * Revision 1.8 1999/04/11 00:28:56 henry
- * GPL boilerplate
- *
- * Revision 1.7 1999/04/06 04:54:25 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.6 1999/01/26 02:06:01 rgb
- * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
- *
- * Revision 1.5 1999/01/22 06:17:49 rgb
- * Updated macro comments.
- * Added context types to support algorithm switch code.
- * 64-bit clean-up -- converting 'u long long' to __u64.
- *
- * Revision 1.4 1998/07/14 15:54:56 rgb
- * Add #ifdef __KERNEL__ to protect kernel-only structures.
- *
- * Revision 1.3 1998/06/30 18:05:16 rgb
- * Comment out references to htonq.
- *
- * Revision 1.2 1998/06/25 19:33:46 rgb
- * Add prototype for protocol receive function.
- * Rearrange for more logical layout.
- *
- * Revision 1.1 1998/06/18 21:27:43 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.4 1998/05/18 22:28:43 rgb
- * Disable key printing facilities from /proc/net/ipsec_*.
- *
- * Revision 1.3 1998/04/21 21:29:07 rgb
- * Rearrange debug switches to change on the fly debug output from user
- * space. Only kernel changes checked in at this time. radij.c was also
- * changed to temporarily remove buggy debugging code in rj_delete causing
- * an OOPS and hence, netlink device open errors.
- *
- * Revision 1.2 1998/04/12 22:03:17 rgb
- * Updated ESP-3DES-HMAC-MD5-96,
- * ESP-DES-HMAC-MD5-96,
- * AH-HMAC-MD5-96,
- * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
- * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
- *
- * Fixed eroute references in /proc/net/ipsec*.
- *
- * Started to patch module unloading memory leaks in ipsec_netlink and
- * radij tree unloading.
- *
- * Revision 1.1 1998/04/09 03:05:55 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:02 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * Added definitions for new AH transforms.
- *
- * Revision 0.3 1996/11/20 14:35:48 ji
- * Minor Cleanup.
- * Rationalized debugging code.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_encap.h b/src/libfreeswan/ipsec_encap.h
index 17cd69269..f95259466 100644
--- a/src/libfreeswan/ipsec_encap.h
+++ b/src/libfreeswan/ipsec_encap.h
@@ -53,91 +53,3 @@ struct sockaddr_encap
#define _IPSEC_ENCAP_H_
#endif /* _IPSEC_ENCAP_H_ */
-
-/*
- * $Log: ipsec_encap.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.17 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_encap.h,v
- *
- * Revision 1.16 2001/11/26 09:23:47 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.15.2.1 2001/09/25 02:18:54 mcr
- * struct eroute moved to ipsec_eroute.h
- *
- * Revision 1.15 2001/09/14 16:58:36 rgb
- * Added support for storing the first and last packets through a HOLD.
- *
- * Revision 1.14 2001/09/08 21:13:31 rgb
- * Added pfkey ident extension support for ISAKMPd. (NetCelo)
- *
- * Revision 1.13 2001/06/14 19:35:08 rgb
- * Update copyright date.
- *
- * Revision 1.12 2001/05/27 06:12:10 rgb
- * Added structures for pid, packet count and last access time to eroute.
- * Added packet count to beginning of /proc/net/ipsec_eroute.
- *
- * Revision 1.11 2000/09/08 19:12:56 rgb
- * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- *
- * Revision 1.10 2000/03/22 16:15:36 rgb
- * Fixed renaming of dev_get (MB).
- *
- * Revision 1.9 2000/01/21 06:13:26 rgb
- * Added a macro for AF_ENCAP
- *
- * Revision 1.8 1999/12/31 14:56:55 rgb
- * MB fix for 2.3 dev-use-count.
- *
- * Revision 1.7 1999/11/18 04:09:18 rgb
- * Replaced all kernel version macros to shorter, readable form.
- *
- * Revision 1.6 1999/09/24 00:34:13 rgb
- * Add Marc Boucher's support for 2.3.xx+.
- *
- * Revision 1.5 1999/04/11 00:28:57 henry
- * GPL boilerplate
- *
- * Revision 1.4 1999/04/06 04:54:25 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.3 1998/10/19 14:44:28 rgb
- * Added inclusion of freeswan.h.
- * sa_id structure implemented and used: now includes protocol.
- *
- * Revision 1.2 1998/07/14 18:19:33 rgb
- * Added #ifdef __KERNEL__ directives to restrict scope of header.
- *
- * Revision 1.1 1998/06/18 21:27:44 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.2 1998/04/21 21:29:10 rgb
- * Rearrange debug switches to change on the fly debug output from user
- * space. Only kernel changes checked in at this time. radij.c was also
- * changed to temporarily remove buggy debugging code in rj_delete causing
- * an OOPS and hence, netlink device open errors.
- *
- * Revision 1.1 1998/04/09 03:05:58 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:02 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * Minor cosmetic changes.
- *
- * Revision 0.3 1996/11/20 14:35:48 ji
- * Minor Cleanup.
- * Rationalized debugging code.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_eroute.h b/src/libfreeswan/ipsec_eroute.h
index 2ee2a10b8..9bba4bfb4 100644
--- a/src/libfreeswan/ipsec_eroute.h
+++ b/src/libfreeswan/ipsec_eroute.h
@@ -80,24 +80,3 @@ struct eroute
#define _IPSEC_EROUTE_H_
#endif /* _IPSEC_EROUTE_H_ */
-
-/*
- * $Log: ipsec_eroute.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.3 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_eroute.h,v
- *
- * Revision 1.2 2001/11/26 09:16:13 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.1.2.1 2001/09/25 02:18:54 mcr
- * struct eroute moved to ipsec_eroute.h
- *
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/src/libfreeswan/ipsec_errs.h b/src/libfreeswan/ipsec_errs.h
index f14b5e675..39cfece2b 100644
--- a/src/libfreeswan/ipsec_errs.h
+++ b/src/libfreeswan/ipsec_errs.h
@@ -30,24 +30,3 @@ struct ipsec_errs {
__u32 ips_encpad_errs; /* # of encryption pad errors*/
__u32 ips_replaywin_errs; /* # of pkt sequence errors */
};
-
-/*
- * $Log: ipsec_errs.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.3 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_errs.h,v
- *
- * Revision 1.2 2001/11/26 09:16:13 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.1.2.1 2001/09/25 02:25:57 mcr
- * lifetime structure created and common functions created.
- *
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/src/libfreeswan/ipsec_esp.h b/src/libfreeswan/ipsec_esp.h
index c7d5ea15d..90ef28e9b 100644
--- a/src/libfreeswan/ipsec_esp.h
+++ b/src/libfreeswan/ipsec_esp.h
@@ -78,143 +78,3 @@ struct esphdr
extern int debug_esp;
#endif /* CONFIG_IPSEC_DEBUG */
#endif /* __KERNEL__ */
-
-/*
- * $Log: ipsec_esp.h,v $
- * Revision 1.2 2004/03/22 21:53:18 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.4.1 2004/03/16 09:48:18 as
- * alg-0.8.1rc12 patch merged
- *
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.21 2003/02/06 02:21:34 rgb
- *
- * Moved "struct auth_alg" from ipsec_rcv.c to ipsec_ah.h .
- * Changed "struct ah" to "struct ahhdr" and "struct esp" to "struct esphdr".
- * Removed "#ifdef INBOUND_POLICY_CHECK_eroute" dead code.
- *
- * Revision 1.20 2002/05/14 02:37:02 rgb
- * Change reference from _TDB to _IPSA.
- *
- * Revision 1.19 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.18 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_esp.h,v
- *
- * Revision 1.17 2002/02/20 01:27:07 rgb
- * Ditched a pile of structs only used by the old Netlink interface.
- *
- * Revision 1.16 2001/12/11 02:35:57 rgb
- * Change "struct net_device" to "struct device" for 2.2 compatibility.
- *
- * Revision 1.15 2001/11/26 09:23:48 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.14.2.3 2001/10/23 04:16:42 mcr
- * get definition of des_key_schedule from des.h
- *
- * Revision 1.14.2.2 2001/10/22 20:33:13 mcr
- * use "des_key_schedule" structure instead of cooking our own.
- *
- * Revision 1.14.2.1 2001/09/25 02:18:25 mcr
- * replace "struct device" with "struct netdevice"
- *
- * Revision 1.14 2001/06/14 19:35:08 rgb
- * Update copyright date.
- *
- * Revision 1.13 2000/09/08 19:12:56 rgb
- * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- *
- * Revision 1.12 2000/08/01 14:51:50 rgb
- * Removed _all_ remaining traces of DES.
- *
- * Revision 1.11 2000/01/10 16:36:20 rgb
- * Ditch last of EME option flags, including initiator.
- *
- * Revision 1.10 1999/12/07 18:16:22 rgb
- * Fixed comments at end of #endif lines.
- *
- * Revision 1.9 1999/04/11 00:28:57 henry
- * GPL boilerplate
- *
- * Revision 1.8 1999/04/06 04:54:25 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.7 1999/01/26 02:06:00 rgb
- * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
- *
- * Revision 1.6 1999/01/22 15:22:05 rgb
- * Re-enable IV in the espblkrply_edata structure to avoid breaking pluto
- * until pluto can be fixed properly.
- *
- * Revision 1.5 1999/01/22 06:18:16 rgb
- * Updated macro comments.
- * Added key schedule types to support algorithm switch code.
- *
- * Revision 1.4 1998/08/12 00:07:32 rgb
- * Added data structures for new xforms: null, {,3}dessha1.
- *
- * Revision 1.3 1998/07/14 15:57:01 rgb
- * Add #ifdef __KERNEL__ to protect kernel-only structures.
- *
- * Revision 1.2 1998/06/25 19:33:46 rgb
- * Add prototype for protocol receive function.
- * Rearrange for more logical layout.
- *
- * Revision 1.1 1998/06/18 21:27:45 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.6 1998/06/05 02:28:08 rgb
- * Minor comment fix.
- *
- * Revision 1.5 1998/05/27 22:34:00 rgb
- * Changed structures to accomodate key separation.
- *
- * Revision 1.4 1998/05/18 22:28:43 rgb
- * Disable key printing facilities from /proc/net/ipsec_*.
- *
- * Revision 1.3 1998/04/21 21:29:07 rgb
- * Rearrange debug switches to change on the fly debug output from user
- * space. Only kernel changes checked in at this time. radij.c was also
- * changed to temporarily remove buggy debugging code in rj_delete causing
- * an OOPS and hence, netlink device open errors.
- *
- * Revision 1.2 1998/04/12 22:03:20 rgb
- * Updated ESP-3DES-HMAC-MD5-96,
- * ESP-DES-HMAC-MD5-96,
- * AH-HMAC-MD5-96,
- * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
- * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
- *
- * Fixed eroute references in /proc/net/ipsec*.
- *
- * Started to patch module unloading memory leaks in ipsec_netlink and
- * radij tree unloading.
- *
- * Revision 1.1 1998/04/09 03:06:00 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:02 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.5 1997/06/03 04:24:48 ji
- * Added ESP-3DES-MD5-96 transform.
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * Added definitions for new ESP transforms.
- *
- * Revision 0.3 1996/11/20 14:35:48 ji
- * Minor Cleanup.
- * Rationalized debugging code.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_ipe4.h b/src/libfreeswan/ipsec_ipe4.h
index 73b6ae899..14d1eadee 100644
--- a/src/libfreeswan/ipsec_ipe4.h
+++ b/src/libfreeswan/ipsec_ipe4.h
@@ -25,44 +25,3 @@ struct ipe4_xdata /* transform table data */
};
#define EMT_IPE4_ULEN 8 /* coming from user mode */
-
-
-/*
- * $Log: ipsec_ipe4.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.5 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_ipe4.h,v
- *
- * Revision 1.4 2001/06/14 19:35:08 rgb
- * Update copyright date.
- *
- * Revision 1.3 1999/04/11 00:28:57 henry
- * GPL boilerplate
- *
- * Revision 1.2 1999/04/06 04:54:25 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.1 1998/06/18 21:27:47 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.1 1998/04/09 03:06:07 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:03 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * No changes.
- *
- * Revision 0.3 1996/11/20 14:48:53 ji
- * Release update only.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_kversion.h b/src/libfreeswan/ipsec_kversion.h
index 7bf56ac7f..332c21bd5 100644
--- a/src/libfreeswan/ipsec_kversion.h
+++ b/src/libfreeswan/ipsec_kversion.h
@@ -189,39 +189,3 @@
#endif /* !SPINLOCK_23 */
#endif /* _FREESWAN_KVERSIONS_H */
-
-/*
- * $Log: ipsec_kversion.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.7 2003/07/31 22:48:08 mcr
- * derive NET25-ness from presence of NETLINK_XFRM macro.
- *
- * Revision 1.6 2003/06/24 20:22:32 mcr
- * added new global: ipsecdevices[] so that we can keep track of
- * the ipsecX devices. They will be referenced with dev_hold(),
- * so 2.2 may need this as well.
- *
- * Revision 1.5 2003/04/03 17:38:09 rgb
- * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
- *
- * Revision 1.4 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_kversion.h,v
- *
- * Revision 1.3 2002/04/12 03:21:17 mcr
- * three parameter version of ip_select_ident appears first
- * in 2.4.2 (RH7.1) not 2.4.4.
- *
- * Revision 1.2 2002/03/08 21:35:22 rgb
- * Defined LINUX_KERNEL_HAS_SNPRINTF to shut up compiler warnings after
- * 2.4.9. (Andreas Piesk).
- *
- * Revision 1.1 2002/01/29 02:11:42 mcr
- * removal of kversions.h - sources that needed it now use ipsec_param.h.
- * updating of IPv6 structures to match latest in6.h version.
- * removed dead code from freeswan.h that also duplicated kversions.h
- * code.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_life.h b/src/libfreeswan/ipsec_life.h
index 4cf270272..598a73665 100644
--- a/src/libfreeswan/ipsec_life.h
+++ b/src/libfreeswan/ipsec_life.h
@@ -88,25 +88,3 @@ enum ipsec_life_type {
#define _IPSEC_LIFE_H_
#endif /* _IPSEC_LIFE_H_ */
-
-
-/*
- * $Log: ipsec_life.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.3 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_life.h,v
- *
- * Revision 1.2 2001/11/26 09:16:14 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.1.2.1 2001/09/25 02:25:58 mcr
- * lifetime structure created and common functions created.
- *
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/src/libfreeswan/ipsec_md5h.h b/src/libfreeswan/ipsec_md5h.h
index 3fc54bc82..a79c8256f 100644
--- a/src/libfreeswan/ipsec_md5h.h
+++ b/src/libfreeswan/ipsec_md5h.h
@@ -81,60 +81,3 @@ void MD5Update PROTO_LIST
void MD5Final PROTO_LIST ((unsigned char [16], void *));
#endif /* _IPSEC_MD5H_H_ */
-
-/*
- * $Log: ipsec_md5h.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.8 2002/09/10 01:45:09 mcr
- * changed type of MD5_CTX and SHA1_CTX to void * so that
- * the function prototypes would match, and could be placed
- * into a pointer to a function.
- *
- * Revision 1.7 2002/04/24 07:36:46 mcr
- * Moved from ./klips/net/ipsec/ipsec_md5h.h,v
- *
- * Revision 1.6 1999/12/13 13:59:13 rgb
- * Quick fix to argument size to Update bugs.
- *
- * Revision 1.5 1999/12/07 18:16:23 rgb
- * Fixed comments at end of #endif lines.
- *
- * Revision 1.4 1999/04/06 04:54:26 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.3 1999/01/22 06:19:58 rgb
- * 64-bit clean-up.
- *
- * Revision 1.2 1998/11/30 13:22:54 rgb
- * Rationalised all the klips kernel file headers. They are much shorter
- * now and won't conflict under RH5.2.
- *
- * Revision 1.1 1998/06/18 21:27:48 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.2 1998/04/23 20:54:03 rgb
- * Fixed md5 and sha1 include file nesting issues, to be cleaned up when
- * verified.
- *
- * Revision 1.1 1998/04/09 03:04:21 henry
- * sources moved up from linux/net/ipsec
- * these two include files modified not to include others except in kernel
- *
- * Revision 1.1.1.1 1998/04/08 05:35:03 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * No changes.
- *
- * Revision 0.3 1996/11/20 14:48:53 ji
- * Release update only.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_rcv.h b/src/libfreeswan/ipsec_rcv.h
index 3ae239bf9..063ccf462 100644
--- a/src/libfreeswan/ipsec_rcv.h
+++ b/src/libfreeswan/ipsec_rcv.h
@@ -70,127 +70,3 @@ extern int debug_rcv;
#endif /* CONFIG_IPSEC_DEBUG */
extern int sysctl_ipsec_inbound_policy_check;
#endif /* __KERNEL__ */
-
-/*
- * $Log: ipsec_rcv.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.17 2002/09/03 16:32:32 mcr
- * definitions of ipsec_birth_reply.
- *
- * Revision 1.16 2002/05/14 02:36:00 rgb
- * Change references to _TDB to _IPSA.
- *
- * Revision 1.15 2002/04/24 07:36:47 mcr
- * Moved from ./klips/net/ipsec/ipsec_rcv.h,v
- *
- * Revision 1.14 2001/09/07 22:15:48 rgb
- * Fix for removal of transport layer protocol handler arg in 2.4.4.
- *
- * Revision 1.13 2001/06/14 19:35:09 rgb
- * Update copyright date.
- *
- * Revision 1.12 2001/03/16 07:36:44 rgb
- * Fixed #endif comment to sate compiler.
- *
- * Revision 1.11 2000/09/21 04:34:21 rgb
- * Moved declaration of sysctl_ipsec_inbound_policy_check outside
- * CONFIG_IPSEC_DEBUG. (MB)
- *
- * Revision 1.10 2000/09/18 02:36:10 rgb
- * Exported sysctl_ipsec_inbound_policy_check for skb_decompress().
- *
- * Revision 1.9 2000/09/08 19:12:56 rgb
- * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- *
- * Revision 1.8 1999/11/18 04:09:19 rgb
- * Replaced all kernel version macros to shorter, readable form.
- *
- * Revision 1.7 1999/05/25 01:45:37 rgb
- * Fix version macros for 2.0.x as a module.
- *
- * Revision 1.6 1999/05/08 21:24:27 rgb
- * Add includes for 2.2.x include into net/ipv4/protocol.c
- *
- * Revision 1.5 1999/05/05 22:02:32 rgb
- * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
- *
- * Revision 1.4 1999/04/11 00:28:59 henry
- * GPL boilerplate
- *
- * Revision 1.3 1999/04/06 04:54:27 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.2 1999/01/22 20:06:59 rgb
- * Fixed cut-and-paste error from ipsec_esp.h.
- *
- * Revision 1.1 1999/01/21 20:29:12 rgb
- * Converted from transform switching to algorithm switching.
- *
- * Log: ipsec_esp.h,v
- * Revision 1.4 1998/08/12 00:07:32 rgb
- * Added data structures for new xforms: null, {,3}dessha1.
- *
- * Revision 1.3 1998/07/14 15:57:01 rgb
- * Add #ifdef __KERNEL__ to protect kernel-only structures.
- *
- * Revision 1.2 1998/06/25 19:33:46 rgb
- * Add prototype for protocol receive function.
- * Rearrange for more logical layout.
- *
- * Revision 1.1 1998/06/18 21:27:45 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.6 1998/06/05 02:28:08 rgb
- * Minor comment fix.
- *
- * Revision 1.5 1998/05/27 22:34:00 rgb
- * Changed structures to accomodate key separation.
- *
- * Revision 1.4 1998/05/18 22:28:43 rgb
- * Disable key printing facilities from /proc/net/ipsec_*.
- *
- * Revision 1.3 1998/04/21 21:29:07 rgb
- * Rearrange debug switches to change on the fly debug output from user
- * space. Only kernel changes checked in at this time. radij.c was also
- * changed to temporarily remove buggy debugging code in rj_delete causing
- * an OOPS and hence, netlink device open errors.
- *
- * Revision 1.2 1998/04/12 22:03:20 rgb
- * Updated ESP-3DES-HMAC-MD5-96,
- * ESP-DES-HMAC-MD5-96,
- * AH-HMAC-MD5-96,
- * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
- * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
- *
- * Fixed eroute references in /proc/net/ipsec*.
- *
- * Started to patch module unloading memory leaks in ipsec_netlink and
- * radij tree unloading.
- *
- * Revision 1.1 1998/04/09 03:06:00 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:02 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.5 1997/06/03 04:24:48 ji
- * Added ESP-3DES-MD5-96 transform.
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * Added definitions for new ESP transforms.
- *
- * Revision 0.3 1996/11/20 14:35:48 ji
- * Minor Cleanup.
- * Rationalized debugging code.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
-
-
diff --git a/src/libfreeswan/ipsec_sa.h b/src/libfreeswan/ipsec_sa.h
index 555df42d3..4dd682569 100644
--- a/src/libfreeswan/ipsec_sa.h
+++ b/src/libfreeswan/ipsec_sa.h
@@ -250,89 +250,3 @@ enum ipsec_direction {
#define _IPSEC_SA_H_
#endif /* _IPSEC_SA_H_ */
-
-/*
- * $Log: ipsec_sa.h,v $
- * Revision 1.3 2004/04/28 08:07:11 as
- * added dhr's freeswan-2.06 changes
- *
- * Revision 1.2 2004/03/22 21:53:18 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.2.1.2.1 2004/03/16 09:48:18 as
- * alg-0.8.1rc12 patch merged
- *
- * Revision 1.1.2.1 2004/03/15 22:30:06 as
- * nat-0.6c patch merged
- *
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.15 2003/05/11 00:53:09 mcr
- * IPsecSAref_t and macros were moved to freeswan.h.
- *
- * Revision 1.14 2003/02/12 19:31:55 rgb
- * Fixed bug in "file seen" machinery.
- * Updated copyright year.
- *
- * Revision 1.13 2003/01/30 02:31:52 rgb
- *
- * Re-wrote comments describing SAref system for accuracy.
- * Rename SAref table macro names for clarity.
- * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
- * Transmit error code through to caller from callee for better diagnosis of problems.
- * Enclose all macro arguments in parens to avoid any possible obscrure bugs.
- *
- * Revision 1.12 2002/10/07 18:31:19 rgb
- * Change comment to reflect the flexible nature of the main and sub-table widths.
- * Added a counter for the number of unused entries in each subtable.
- * Further break up host field type macro to host field.
- * Move field width sanity checks to ipsec_sa.c
- * Define a mask for an entire saref.
- *
- * Revision 1.11 2002/09/20 15:40:33 rgb
- * Re-write most of the SAref macros and types to eliminate any pointer references to Entrys.
- * Fixed SAref/nfmark macros.
- * Rework saref freeslist.
- * Place all ipsec sadb globals into one struct.
- * Restrict some bits to kernel context for use to klips utils.
- *
- * Revision 1.10 2002/09/20 05:00:34 rgb
- * Update copyright date.
- *
- * Revision 1.9 2002/09/17 17:19:29 mcr
- * make it compile even if there is no netfilter - we lost
- * functionality, but it works, especially on 2.2.
- *
- * Revision 1.8 2002/07/28 22:59:53 mcr
- * clarified/expanded one comment.
- *
- * Revision 1.7 2002/07/26 08:48:31 rgb
- * Added SA ref table code.
- *
- * Revision 1.6 2002/05/31 17:27:48 rgb
- * Comment fix.
- *
- * Revision 1.5 2002/05/27 18:55:03 rgb
- * Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT.
- *
- * Revision 1.4 2002/05/23 07:13:36 rgb
- * Convert "usecount" to "refcount" to remove ambiguity.
- *
- * Revision 1.3 2002/04/24 07:36:47 mcr
- * Moved from ./klips/net/ipsec/ipsec_sa.h,v
- *
- * Revision 1.2 2001/11/26 09:16:15 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.1.2.1 2001/09/25 02:24:58 mcr
- * struct tdb -> struct ipsec_sa.
- * sa(tdb) manipulation functions renamed and moved to ipsec_sa.c
- * ipsec_xform.c removed. header file still contains useful things.
- *
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/src/libfreeswan/ipsec_sha1.h b/src/libfreeswan/ipsec_sha1.h
index 116170e6b..1319081ad 100644
--- a/src/libfreeswan/ipsec_sha1.h
+++ b/src/libfreeswan/ipsec_sha1.h
@@ -30,50 +30,3 @@ void SHA1Final(unsigned char digest[20], void *context);
#endif /* _IPSEC_SHA1_H_ */
-
-/*
- * $Log: ipsec_sha1.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.7 2002/09/10 01:45:09 mcr
- * changed type of MD5_CTX and SHA1_CTX to void * so that
- * the function prototypes would match, and could be placed
- * into a pointer to a function.
- *
- * Revision 1.6 2002/04/24 07:36:47 mcr
- * Moved from ./klips/net/ipsec/ipsec_sha1.h,v
- *
- * Revision 1.5 1999/12/13 13:59:13 rgb
- * Quick fix to argument size to Update bugs.
- *
- * Revision 1.4 1999/12/07 18:16:23 rgb
- * Fixed comments at end of #endif lines.
- *
- * Revision 1.3 1999/04/06 04:54:27 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.2 1998/11/30 13:22:54 rgb
- * Rationalised all the klips kernel file headers. They are much shorter
- * now and won't conflict under RH5.2.
- *
- * Revision 1.1 1998/06/18 21:27:50 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.2 1998/04/23 20:54:05 rgb
- * Fixed md5 and sha1 include file nesting issues, to be cleaned up when
- * verified.
- *
- * Revision 1.1 1998/04/09 03:04:21 henry
- * sources moved up from linux/net/ipsec
- * these two include files modified not to include others except in kernel
- *
- * Revision 1.1.1.1 1998/04/08 05:35:04 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * New transform
- *
- */
diff --git a/src/libfreeswan/ipsec_tunnel.h b/src/libfreeswan/ipsec_tunnel.h
index 3b25e95e1..672755946 100644
--- a/src/libfreeswan/ipsec_tunnel.h
+++ b/src/libfreeswan/ipsec_tunnel.h
@@ -16,6 +16,7 @@
* RCSID $Id: ipsec_tunnel.h,v 1.1 2004/03/15 20:35:25 as Exp $
*/
+#include <linux/types.h>
#ifdef NET_21
# define DEV_QUEUE_XMIT(skb, device, pri) {\
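Review bot: The new `#include <linux/types.h>` is added unconditionally, while the revision history removed further down in this same file notes that ipsec_tunnel.h's structures and declarations were arranged for sharing with userspace; if that is still the case, the include may fail or pull in kernel-only definitions in a non-kernel build, so it should probably be guarded, e.g. `#ifdef __KERNEL__` / `#include <linux/types.h>` / `#endif`, or the userspace build of this header should be confirmed. A one-line comment stating which type the include is needed for (it is not apparent from the three context lines) would also help the next maintainer decide whether it can be dropped. The `#ifdef NET_21` region that follows continues outside the hunk.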
@@ -125,141 +126,3 @@ extern int sysctl_ipsec_debug_verbose;
#define DB_TN_OXFS 0x0080
#define DB_TN_REVEC 0x0100
#endif /* CONFIG_IPSEC_DEBUG */
-
-/*
- * $Log: ipsec_tunnel.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.28 2003/06/24 20:22:32 mcr
- * added new global: ipsecdevices[] so that we can keep track of
- * the ipsecX devices. They will be referenced with dev_hold(),
- * so 2.2 may need this as well.
- *
- * Revision 1.27 2003/04/03 17:38:09 rgb
- * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
- *
- * Revision 1.26 2003/02/12 19:32:20 rgb
- * Updated copyright year.
- *
- * Revision 1.25 2002/05/27 18:56:07 rgb
- * Convert to dynamic ipsec device allocation.
- *
- * Revision 1.24 2002/04/24 07:36:48 mcr
- * Moved from ./klips/net/ipsec/ipsec_tunnel.h,v
- *
- * Revision 1.23 2001/11/06 19:50:44 rgb
- * Moved IP_SEND, ICMP_SEND, DEV_QUEUE_XMIT macros to ipsec_tunnel.h for
- * use also by pfkey_v2_parser.c
- *
- * Revision 1.22 2001/09/15 16:24:05 rgb
- * Re-inject first and last HOLD packet when an eroute REPLACE is done.
- *
- * Revision 1.21 2001/06/14 19:35:10 rgb
- * Update copyright date.
- *
- * Revision 1.20 2000/09/15 11:37:02 rgb
- * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
- * IPCOMP zlib deflate code.
- *
- * Revision 1.19 2000/09/08 19:12:56 rgb
- * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- *
- * Revision 1.18 2000/07/28 13:50:54 rgb
- * Changed enet_statistics to net_device_stats and added back compatibility
- * for pre-2.1.19.
- *
- * Revision 1.17 1999/11/19 01:12:15 rgb
- * Purge unneeded proc_info prototypes, now that static linking uses
- * dynamic proc_info registration.
- *
- * Revision 1.16 1999/11/18 18:51:00 rgb
- * Changed all device registrations for static linking to
- * dynamic to reduce the number and size of patches.
- *
- * Revision 1.15 1999/11/18 04:14:21 rgb
- * Replaced all kernel version macros to shorter, readable form.
- * Added CONFIG_PROC_FS compiler directives in case it is shut off.
- * Added Marc Boucher's 2.3.25 proc patches.
- *
- * Revision 1.14 1999/05/25 02:50:10 rgb
- * Fix kernel version macros for 2.0.x static linking.
- *
- * Revision 1.13 1999/05/25 02:41:06 rgb
- * Add ipsec_klipsdebug support for static linking.
- *
- * Revision 1.12 1999/05/05 22:02:32 rgb
- * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
- *
- * Revision 1.11 1999/04/29 15:19:50 rgb
- * Add return values to init and cleanup functions.
- *
- * Revision 1.10 1999/04/16 16:02:39 rgb
- * Bump up macro to 4 ipsec I/Fs.
- *
- * Revision 1.9 1999/04/15 15:37:25 rgb
- * Forward check changes from POST1_00 branch.
- *
- * Revision 1.5.2.1 1999/04/02 04:26:14 rgb
- * Backcheck from HEAD, pre1.0.
- *
- * Revision 1.8 1999/04/11 00:29:01 henry
- * GPL boilerplate
- *
- * Revision 1.7 1999/04/06 04:54:28 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.6 1999/03/31 05:44:48 rgb
- * Keep PMTU reduction private.
- *
- * Revision 1.5 1999/02/10 22:31:20 rgb
- * Change rebuild_header member to reflect generality of link layer.
- *
- * Revision 1.4 1998/12/01 13:22:04 rgb
- * Added support for debug printing of version info.
- *
- * Revision 1.3 1998/07/29 20:42:46 rgb
- * Add a macro for clearing all tunnel devices.
- * Rearrange structures and declarations for sharing with userspace.
- *
- * Revision 1.2 1998/06/25 20:01:45 rgb
- * Make prototypes available for ipsec_init and ipsec proc_dir_entries
- * for static linking.
- *
- * Revision 1.1 1998/06/18 21:27:50 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.3 1998/05/18 21:51:50 rgb
- * Added macros for num of I/F's and a procfs debug switch.
- *
- * Revision 1.2 1998/04/21 21:29:09 rgb
- * Rearrange debug switches to change on the fly debug output from user
- * space. Only kernel changes checked in at this time. radij.c was also
- * changed to temporarily remove buggy debugging code in rj_delete causing
- * an OOPS and hence, netlink device open errors.
- *
- * Revision 1.1 1998/04/09 03:06:13 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:05 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.5 1997/06/03 04:24:48 ji
- * Added transport mode.
- * Changed the way routing is done.
- * Lots of bug fixes.
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * No changes.
- *
- * Revision 0.3 1996/11/20 14:39:04 ji
- * Minor cleanups.
- * Rationalized debugging code.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libfreeswan/ipsec_xform.h b/src/libfreeswan/ipsec_xform.h
index 1dc6b6083..80beb7345 100644
--- a/src/libfreeswan/ipsec_xform.h
+++ b/src/libfreeswan/ipsec_xform.h
@@ -82,193 +82,3 @@ static inline const char *auth_name_id (unsigned id) {
#define _IPSEC_XFORM_H_
#endif /* _IPSEC_XFORM_H_ */
-
-/*
- * $Log: ipsec_xform.h,v $
- * Revision 1.3 2004/09/29 22:26:13 as
- * included ipsec_policy.h
- *
- * Revision 1.2 2004/03/22 21:53:18 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.4.1 2004/03/16 09:48:18 as
- * alg-0.8.1rc12 patch merged
- *
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.36 2002/04/24 07:36:48 mcr
- * Moved from ./klips/net/ipsec/ipsec_xform.h,v
- *
- * Revision 1.35 2001/11/26 09:23:51 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.33.2.1 2001/09/25 02:24:58 mcr
- * struct tdb -> struct ipsec_sa.
- * sa(tdb) manipulation functions renamed and moved to ipsec_sa.c
- * ipsec_xform.c removed. header file still contains useful things.
- *
- * Revision 1.34 2001/11/06 19:47:17 rgb
- * Changed lifetime_packets to uint32 from uint64.
- *
- * Revision 1.33 2001/09/08 21:13:34 rgb
- * Added pfkey ident extension support for ISAKMPd. (NetCelo)
- *
- * Revision 1.32 2001/07/06 07:40:01 rgb
- * Reformatted for readability.
- * Added inbound policy checking fields for use with IPIP SAs.
- *
- * Revision 1.31 2001/06/14 19:35:11 rgb
- * Update copyright date.
- *
- * Revision 1.30 2001/05/30 08:14:03 rgb
- * Removed vestiges of esp-null transforms.
- *
- * Revision 1.29 2001/01/30 23:42:47 rgb
- * Allow pfkey msgs from pid other than user context required for ACQUIRE
- * and subsequent ADD or UDATE.
- *
- * Revision 1.28 2000/11/06 04:30:40 rgb
- * Add Svenning's adaptive content compression.
- *
- * Revision 1.27 2000/09/19 00:38:25 rgb
- * Fixed algorithm name bugs introduced for ipcomp.
- *
- * Revision 1.26 2000/09/17 21:36:48 rgb
- * Added proto2txt macro.
- *
- * Revision 1.25 2000/09/17 18:56:47 rgb
- * Added IPCOMP support.
- *
- * Revision 1.24 2000/09/12 19:34:12 rgb
- * Defined XF_IP6 from Gerhard for ipv6 tunnel support.
- *
- * Revision 1.23 2000/09/12 03:23:14 rgb
- * Cleaned out now unused tdb_xform and tdb_xdata members of struct tdb.
- *
- * Revision 1.22 2000/09/08 19:12:56 rgb
- * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- *
- * Revision 1.21 2000/09/01 18:32:43 rgb
- * Added (disabled) sensitivity members to tdb struct.
- *
- * Revision 1.20 2000/08/30 05:31:01 rgb
- * Removed all the rest of the references to tdb_spi, tdb_proto, tdb_dst.
- * Kill remainder of tdb_xform, tdb_xdata, xformsw.
- *
- * Revision 1.19 2000/08/01 14:51:52 rgb
- * Removed _all_ remaining traces of DES.
- *
- * Revision 1.18 2000/01/21 06:17:45 rgb
- * Tidied up spacing.
- *
- * Revision 1.17 1999/11/17 15:53:40 rgb
- * Changed all occurrences of #include "../../../lib/freeswan.h"
- * to #include <freeswan.h> which works due to -Ilibfreeswan in the
- * klips/net/ipsec/Makefile.
- *
- * Revision 1.16 1999/10/16 04:23:07 rgb
- * Add stats for replaywin_errs, replaywin_max_sequence_difference,
- * authentication errors, encryption size errors, encryption padding
- * errors, and time since last packet.
- *
- * Revision 1.15 1999/10/16 00:29:11 rgb
- * Added SA lifetime packet counting variables.
- *
- * Revision 1.14 1999/10/01 00:04:14 rgb
- * Added tdb structure locking.
- * Add function to initialize tdb hash table.
- *
- * Revision 1.13 1999/04/29 15:20:57 rgb
- * dd return values to init and cleanup functions.
- * Eliminate unnessessary usage of tdb_xform member to further switch
- * away from the transform switch to the algorithm switch.
- * Change gettdb parameter to a pointer to reduce stack loading and
- * facilitate parameter sanity checking.
- * Add a parameter to tdbcleanup to be able to delete a class of SAs.
- *
- * Revision 1.12 1999/04/15 15:37:25 rgb
- * Forward check changes from POST1_00 branch.
- *
- * Revision 1.9.2.2 1999/04/13 20:35:57 rgb
- * Fix spelling mistake in comment.
- *
- * Revision 1.9.2.1 1999/03/30 17:13:52 rgb
- * Extend struct tdb to support pfkey.
- *
- * Revision 1.11 1999/04/11 00:29:01 henry
- * GPL boilerplate
- *
- * Revision 1.10 1999/04/06 04:54:28 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.9 1999/01/26 02:09:31 rgb
- * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
- * Removed dead code.
- *
- * Revision 1.8 1999/01/22 06:29:35 rgb
- * Added algorithm switch code.
- * Cruft clean-out.
- *
- * Revision 1.7 1998/11/10 05:37:35 rgb
- * Add support for SA direction flag.
- *
- * Revision 1.6 1998/10/19 14:44:29 rgb
- * Added inclusion of freeswan.h.
- * sa_id structure implemented and used: now includes protocol.
- *
- * Revision 1.5 1998/08/12 00:12:30 rgb
- * Added macros for new xforms. Added prototypes for new xforms.
- *
- * Revision 1.4 1998/07/28 00:04:20 rgb
- * Add macro for clearing the SA table.
- *
- * Revision 1.3 1998/07/14 18:06:46 rgb
- * Added #ifdef __KERNEL__ directives to restrict scope of header.
- *
- * Revision 1.2 1998/06/23 03:02:19 rgb
- * Created a prototype for ipsec_tdbcleanup when it was moved from
- * ipsec_init.c.
- *
- * Revision 1.1 1998/06/18 21:27:51 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.4 1998/06/11 05:55:31 rgb
- * Added transform version string pointer to xformsw structure definition.
- * Added extern declarations for transform version strings.
- *
- * Revision 1.3 1998/05/18 22:02:54 rgb
- * Modify the *_zeroize function prototypes to include one parameter.
- *
- * Revision 1.2 1998/04/21 21:29:08 rgb
- * Rearrange debug switches to change on the fly debug output from user
- * space. Only kernel changes checked in at this time. radij.c was also
- * changed to temporarily remove buggy debugging code in rj_delete causing
- * an OOPS and hence, netlink device open errors.
- *
- * Revision 1.1 1998/04/09 03:06:14 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:06 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.5 1997/06/03 04:24:48 ji
- * Added ESP-3DES-MD5-96
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * Added new transforms.
- *
- * Revision 0.3 1996/11/20 14:39:04 ji
- * Minor cleanups.
- * Rationalized debugging code.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/src/libfreeswan/pfkey.h b/src/libfreeswan/pfkey.h
index afa5ce032..01c404677 100644
--- a/src/libfreeswan/pfkey.h
+++ b/src/libfreeswan/pfkey.h
@@ -324,175 +324,3 @@ pfkey_v2_sadb_type_string(int sadb_type);
#endif /* __NET_IPSEC_PF_KEY_H */
-
-/*
- * $Log: pfkey.h,v $
- * Revision 1.2 2004/03/22 21:53:18 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.2.1.2.1 2004/03/16 09:48:18 as
- * alg-0.8.1rc12 patch merged
- *
- * Revision 1.1.2.1 2004/03/15 22:30:06 as
- * nat-0.6c patch merged
- *
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.42 2003/08/25 22:08:19 mcr
- * removed pfkey_proto_init() from pfkey.h for 2.6 support.
- *
- * Revision 1.41 2003/05/07 17:28:57 mcr
- * new function pfkey_debug_func added for us in debugging from
- * pfkey library.
- *
- * Revision 1.40 2003/01/30 02:31:34 rgb
- *
- * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
- *
- * Revision 1.39 2002/09/20 15:40:21 rgb
- * Switch from pfkey_alloc_ipsec_sa() to ipsec_sa_alloc().
- * Added ref parameter to pfkey_sa_build().
- * Cleaned out unused cruft.
- *
- * Revision 1.38 2002/05/14 02:37:24 rgb
- * Change all references to tdb, TDB or Tunnel Descriptor Block to ips,
- * ipsec_sa or ipsec_sa.
- * Added function prototypes for the functions moved to
- * pfkey_v2_ext_process.c.
- *
- * Revision 1.37 2002/04/24 07:36:49 mcr
- * Moved from ./lib/pfkey.h,v
- *
- * Revision 1.36 2002/01/20 20:34:49 mcr
- * added pfkey_v2_sadb_type_string to decode sadb_type to string.
- *
- * Revision 1.35 2001/11/27 05:27:47 mcr
- * pfkey parses are now maintained by a structure
- * that includes their name for debug purposes.
- *
- * Revision 1.34 2001/11/26 09:23:53 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.33 2001/11/06 19:47:47 rgb
- * Added packet parameter to lifetime and comb structures.
- *
- * Revision 1.32 2001/09/08 21:13:34 rgb
- * Added pfkey ident extension support for ISAKMPd. (NetCelo)
- *
- * Revision 1.31 2001/06/14 19:35:16 rgb
- * Update copyright date.
- *
- * Revision 1.30 2001/02/27 07:04:52 rgb
- * Added satype2name prototype.
- *
- * Revision 1.29 2001/02/26 19:59:33 rgb
- * Ditch unused sadb_satype2proto[], replaced by satype2proto().
- *
- * Revision 1.28 2000/10/10 20:10:19 rgb
- * Added support for debug_ipcomp and debug_verbose to klipsdebug.
- *
- * Revision 1.27 2000/09/21 04:20:45 rgb
- * Fixed array size off-by-one error. (Thanks Svenning!)
- *
- * Revision 1.26 2000/09/12 03:26:05 rgb
- * Added pfkey_acquire prototype.
- *
- * Revision 1.25 2000/09/08 19:21:28 rgb
- * Fix pfkey_prop_build() parameter to be only single indirection.
- *
- * Revision 1.24 2000/09/01 18:46:42 rgb
- * Added a supported algorithms array lists, one per satype and registered
- * existing algorithms.
- * Fixed pfkey_list_{insert,remove}_{socket,support}() to allow change to
- * list.
- *
- * Revision 1.23 2000/08/27 01:55:26 rgb
- * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code.
- *
- * Revision 1.22 2000/08/20 21:39:23 rgb
- * Added kernel prototypes for kernel funcitions pfkey_upmsg() and
- * pfkey_expire().
- *
- * Revision 1.21 2000/08/15 17:29:23 rgb
- * Fixes from SZI to untested pfkey_prop_build().
- *
- * Revision 1.20 2000/05/10 20:14:19 rgb
- * Fleshed out sensitivity, proposal and supported extensions.
- *
- * Revision 1.19 2000/03/16 14:07:23 rgb
- * Renamed ALIGN macro to avoid fighting with others in kernel.
- *
- * Revision 1.18 2000/01/22 23:24:06 rgb
- * Added prototypes for proto2satype(), satype2proto() and proto2name().
- *
- * Revision 1.17 2000/01/21 06:26:59 rgb
- * Converted from double tdb arguments to one structure (extr)
- * containing pointers to all temporary information structures.
- * Added klipsdebug switching capability.
- * Dropped unused argument to pfkey_x_satype_build().
- *
- * Revision 1.16 1999/12/29 21:17:41 rgb
- * Changed pfkey_msg_build() I/F to include a struct sadb_msg**
- * parameter for cleaner manipulation of extensions[] and to guard
- * against potential memory leaks.
- * Changed the I/F to pfkey_msg_free() for the same reason.
- *
- * Revision 1.15 1999/12/09 23:12:54 rgb
- * Added macro for BITS_PER_OCTET.
- * Added argument to pfkey_sa_build() to do eroutes.
- *
- * Revision 1.14 1999/12/08 20:33:25 rgb
- * Changed sa_family_t to uint16_t for 2.0.xx compatibility.
- *
- * Revision 1.13 1999/12/07 19:53:40 rgb
- * Removed unused first argument from extension parsers.
- * Changed __u* types to uint* to avoid use of asm/types.h and
- * sys/types.h in userspace code.
- * Added function prototypes for pfkey message and extensions
- * initialisation and cleanup.
- *
- * Revision 1.12 1999/12/01 22:19:38 rgb
- * Change pfkey_sa_build to accept an SPI in network byte order.
- *
- * Revision 1.11 1999/11/27 11:55:26 rgb
- * Added extern sadb_satype2proto to enable moving protocol lookup table
- * to lib/pfkey_v2_parse.c.
- * Delete unused, moved typedefs.
- * Add argument to pfkey_msg_parse() for direction.
- * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
- *
- * Revision 1.10 1999/11/23 22:29:21 rgb
- * This file has been moved in the distribution from klips/net/ipsec to
- * lib.
- * Add macros for dealing with alignment and rounding up more opaquely.
- * The uint<n>_t type defines have been moved to freeswan.h to avoid
- * chicken-and-egg problems.
- * Add macros for dealing with alignment and rounding up more opaque.
- * Added prototypes for using extention header bitmaps.
- * Added prototypes of all the build functions.
- *
- * Revision 1.9 1999/11/20 21:59:48 rgb
- * Moved socketlist type declarations and prototypes for shared use.
- * Slightly modified scope of sockaddr_key declaration.
- *
- * Revision 1.8 1999/11/17 14:34:25 rgb
- * Protect sa_family_t from being used in userspace with GLIBC<2.
- *
- * Revision 1.7 1999/10/27 19:40:35 rgb
- * Add a maximum PFKEY packet size macro.
- *
- * Revision 1.6 1999/10/26 16:58:58 rgb
- * Created a sockaddr_key and key_opt socket extension structures.
- *
- * Revision 1.5 1999/06/10 05:24:41 rgb
- * Renamed variables to reduce confusion.
- *
- * Revision 1.4 1999/04/29 15:21:11 rgb
- * Add pfkey support to debugging.
- * Add return values to init and cleanup functions.
- *
- * Revision 1.3 1999/04/15 17:58:07 rgb
- * Add RCSID labels.
- *
- */
diff --git a/src/libfreeswan/pfkey_v2_debug.c b/src/libfreeswan/pfkey_v2_debug.c
index 8430766aa..8b4be384f 100644
--- a/src/libfreeswan/pfkey_v2_debug.c
+++ b/src/libfreeswan/pfkey_v2_debug.c
@@ -126,52 +126,3 @@ pfkey_v2_sadb_type_string(int sadb_type)
return "unknown-sadb-type";
}
}
-
-
-
-
-/*
- * $Log: pfkey_v2_debug.c,v $
- * Revision 1.2 2004/03/22 21:53:18 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.2.1 2004/03/15 22:30:06 as
- * nat-0.6c patch merged
- *
- * Revision 1.1 2004/03/15 20:35:26 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.7 2002/09/20 05:01:26 rgb
- * Fixed limit inclusion error in both type and ext string conversion.
- *
- * Revision 1.6 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.5 2002/04/24 07:36:40 mcr
- * Moved from ./lib/pfkey_v2_debug.c,v
- *
- * Revision 1.4 2002/01/29 22:25:36 rgb
- * Re-add ipsec_kversion.h to keep MALLOC happy.
- *
- * Revision 1.3 2002/01/29 01:59:09 mcr
- * removal of kversions.h - sources that needed it now use ipsec_param.h.
- * updating of IPv6 structures to match latest in6.h version.
- * removed dead code from freeswan.h that also duplicated kversions.h
- * code.
- *
- * Revision 1.2 2002/01/20 20:34:50 mcr
- * added pfkey_v2_sadb_type_string to decode sadb_type to string.
- *
- * Revision 1.1 2001/11/27 05:30:06 mcr
- * initial set of debug strings for pfkey debugging.
- * this will eventually only be included for debug builds.
- *
- * Revision 1.1 2001/09/21 04:12:03 mcr
- * first compilable version.
- *
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/src/libfreeswan/pfkey_v2_ext_bits.c b/src/libfreeswan/pfkey_v2_ext_bits.c
index b41941848..280438750 100644
--- a/src/libfreeswan/pfkey_v2_ext_bits.c
+++ b/src/libfreeswan/pfkey_v2_ext_bits.c
@@ -722,68 +722,3 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
}
}
};
-
-/*
- * $Log: pfkey_v2_ext_bits.c,v $
- * Revision 1.2 2004/03/22 21:53:18 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.2.1 2004/03/15 22:30:06 as
- * nat-0.6c patch merged
- *
- * Revision 1.1 2004/03/15 20:35:26 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.15 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.14 2002/04/24 07:36:40 mcr
- * Moved from ./lib/pfkey_v2_ext_bits.c,v
- *
- * Revision 1.13 2002/01/29 22:25:36 rgb
- * Re-add ipsec_kversion.h to keep MALLOC happy.
- *
- * Revision 1.12 2002/01/29 01:59:10 mcr
- * removal of kversions.h - sources that needed it now use ipsec_param.h.
- * updating of IPv6 structures to match latest in6.h version.
- * removed dead code from freeswan.h that also duplicated kversions.h
- * code.
- *
- * Revision 1.11 2001/10/18 04:45:24 rgb
- * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
- * lib/freeswan.h version macros moved to lib/kversions.h.
- * Other compiler directive cleanups.
- *
- * Revision 1.10 2001/09/08 21:13:35 rgb
- * Added pfkey ident extension support for ISAKMPd. (NetCelo)
- *
- * Revision 1.9 2001/06/14 19:35:16 rgb
- * Update copyright date.
- *
- * Revision 1.8 2001/03/26 23:07:36 rgb
- * Remove requirement for auth and enc key from UPDATE.
- *
- * Revision 1.7 2000/09/12 22:35:37 rgb
- * Restructured to remove unused extensions from CLEARFLOW messages.
- *
- * Revision 1.6 2000/09/09 06:39:01 rgb
- * Added comments for clarity.
- *
- * Revision 1.5 2000/06/02 22:54:14 rgb
- * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support.
- *
- * Revision 1.4 2000/01/21 06:27:56 rgb
- * Added address cases for eroute flows.
- * Added comments for each message type.
- * Added klipsdebug switching capability.
- * Fixed GRPSA bitfields.
- *
- * Revision 1.3 1999/12/01 22:20:27 rgb
- * Remove requirement for a proxy address in an incoming getspi message.
- *
- * Revision 1.2 1999/11/27 11:57:06 rgb
- * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
- * Add CVS log entry to bottom of file.
- * Cleaned out unused bits.
- *
- */
diff --git a/src/libfreeswan/pfkey_v2_parse.c b/src/libfreeswan/pfkey_v2_parse.c
index 440aa8c1d..c19ec1c99 100644
--- a/src/libfreeswan/pfkey_v2_parse.c
+++ b/src/libfreeswan/pfkey_v2_parse.c
@@ -1597,228 +1597,3 @@ errlab:
return error;
}
-
-/*
- * $Log: pfkey_v2_parse.c,v $
- * Revision 1.4 2004/06/13 20:35:07 as
- * removed references to ipsec_netlink.h
- *
- * Revision 1.3 2004/03/30 10:00:17 as
- * 64 bit issues
- *
- * Revision 1.2 2004/03/22 21:53:18 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.2.1 2004/03/15 22:30:06 as
- * nat-0.6c patch merged
- *
- * Revision 1.1 2004/03/15 20:35:26 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.53 2003/01/30 02:32:09 rgb
- *
- * Rename SAref table macro names for clarity.
- * Convert IPsecSAref_t from signed to unsigned to fix apparent SAref exhaustion bug.
- *
- * Revision 1.52 2002/12/30 06:53:07 mcr
- * deal with short SA structures... #if 0 out for now. Probably
- * not quite the right way.
- *
- * Revision 1.51 2002/12/13 18:16:02 mcr
- * restored sa_ref code
- *
- * Revision 1.50 2002/12/13 18:06:52 mcr
- * temporarily removed sadb_x_sa_ref reference for 2.xx
- *
- * Revision 1.49 2002/10/05 05:02:58 dhr
- *
- * C labels go on statements
- *
- * Revision 1.48 2002/09/20 15:40:45 rgb
- * Added sadb_x_sa_ref to struct sadb_sa.
- *
- * Revision 1.47 2002/09/20 05:01:31 rgb
- * Fixed usage of pfkey_lib_debug.
- * Format for function declaration style consistency.
- * Added text labels to elucidate numeric values presented.
- * Re-organised debug output to reduce noise in output.
- *
- * Revision 1.46 2002/07/24 18:44:54 rgb
- * Type fiddling to tame ia64 compiler.
- *
- * Revision 1.45 2002/05/23 07:14:11 rgb
- * Cleaned up %p variants to 0p%p for test suite cleanup.
- *
- * Revision 1.44 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.43 2002/04/24 07:36:40 mcr
- * Moved from ./lib/pfkey_v2_parse.c,v
- *
- * Revision 1.42 2002/01/29 22:25:36 rgb
- * Re-add ipsec_kversion.h to keep MALLOC happy.
- *
- * Revision 1.41 2002/01/29 01:59:10 mcr
- * removal of kversions.h - sources that needed it now use ipsec_param.h.
- * updating of IPv6 structures to match latest in6.h version.
- * removed dead code from freeswan.h that also duplicated kversions.h
- * code.
- *
- * Revision 1.40 2002/01/20 20:34:50 mcr
- * added pfkey_v2_sadb_type_string to decode sadb_type to string.
- *
- * Revision 1.39 2001/11/27 05:29:22 mcr
- * pfkey parses are now maintained by a structure
- * that includes their name for debug purposes.
- * DEBUGGING() macro changed so that it takes a debug
- * level so that pf_key() can use this to decode the
- * structures without innundanting humans.
- * Also uses pfkey_v2_sadb_ext_string() in messages.
- *
- * Revision 1.38 2001/11/06 19:47:47 rgb
- * Added packet parameter to lifetime and comb structures.
- *
- * Revision 1.37 2001/10/18 04:45:24 rgb
- * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
- * lib/freeswan.h version macros moved to lib/kversions.h.
- * Other compiler directive cleanups.
- *
- * Revision 1.36 2001/06/14 19:35:16 rgb
- * Update copyright date.
- *
- * Revision 1.35 2001/05/03 19:44:51 rgb
- * Standardise on SENDERR() macro.
- *
- * Revision 1.34 2001/03/16 07:41:51 rgb
- * Put freeswan.h include before pluto includes.
- *
- * Revision 1.33 2001/02/27 07:13:51 rgb
- * Added satype2name() function.
- * Added text to default satype_tbl entry.
- * Added satype2name() conversions for most satype debug output.
- *
- * Revision 1.32 2001/02/26 20:01:09 rgb
- * Added internal IP protocol 61 for magic SAs.
- * Ditch unused sadb_satype2proto[], replaced by satype2proto().
- * Re-formatted debug output (split lines, consistent spacing).
- * Removed acquire, register and expire requirements for a known satype.
- * Changed message type checking to a switch structure.
- * Verify expected NULL auth for IPCOMP.
- * Enforced spi > 0x100 requirement, now that pass uses a magic SA for
- * appropriate message types.
- *
- * Revision 1.31 2000/12/01 07:09:00 rgb
- * Added ipcomp sanity check to require encalgo is set.
- *
- * Revision 1.30 2000/11/17 18:10:30 rgb
- * Fixed bugs mostly relating to spirange, to treat all spi variables as
- * network byte order since this is the way PF_KEYv2 stored spis.
- *
- * Revision 1.29 2000/10/12 00:02:39 rgb
- * Removed 'format, ##' nonsense from debug macros for RH7.0.
- *
- * Revision 1.28 2000/09/20 16:23:04 rgb
- * Remove over-paranoid extension check in the presence of sadb_msg_errno.
- *
- * Revision 1.27 2000/09/20 04:04:21 rgb
- * Changed static functions to DEBUG_NO_STATIC to reveal function names in
- * oopsen.
- *
- * Revision 1.26 2000/09/15 11:37:02 rgb
- * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
- * IPCOMP zlib deflate code.
- *
- * Revision 1.25 2000/09/12 22:35:37 rgb
- * Restructured to remove unused extensions from CLEARFLOW messages.
- *
- * Revision 1.24 2000/09/12 18:59:54 rgb
- * Added Gerhard's IPv6 support to pfkey parts of libfreeswan.
- *
- * Revision 1.23 2000/09/12 03:27:00 rgb
- * Moved DEBUGGING definition to compile kernel with debug off.
- *
- * Revision 1.22 2000/09/09 06:39:27 rgb
- * Restrict pfkey errno check to downward messages only.
- *
- * Revision 1.21 2000/09/08 19:22:34 rgb
- * Enabled pfkey_sens_parse().
- * Added check for errno on downward acquire messages only.
- *
- * Revision 1.20 2000/09/01 18:48:23 rgb
- * Fixed reserved check bug and added debug output in
- * pfkey_supported_parse().
- * Fixed debug output label bug in pfkey_ident_parse().
- *
- * Revision 1.19 2000/08/27 01:55:26 rgb
- * Define OCTETBITS and PFKEYBITS to avoid using 'magic' numbers in code.
- *
- * Revision 1.18 2000/08/24 17:00:36 rgb
- * Ignore unknown extensions instead of failing.
- *
- * Revision 1.17 2000/06/02 22:54:14 rgb
- * Added Gerhard Gessler's struct sockaddr_storage mods for IPv6 support.
- *
- * Revision 1.16 2000/05/10 19:25:11 rgb
- * Fleshed out proposal and supported extensions.
- *
- * Revision 1.15 2000/01/24 21:15:31 rgb
- * Added disabled pluto pfkey lib debug flag.
- * Added algo debugging reporting.
- *
- * Revision 1.14 2000/01/22 23:24:29 rgb
- * Added new functions proto2satype() and satype2proto() and lookup
- * table satype_tbl. Also added proto2name() since it was easy.
- *
- * Revision 1.13 2000/01/21 09:43:59 rgb
- * Cast ntohl(spi) as (unsigned long int) to shut up compiler.
- *
- * Revision 1.12 2000/01/21 06:28:19 rgb
- * Added address cases for eroute flows.
- * Indented compiler directives for readability.
- * Added klipsdebug switching capability.
- *
- * Revision 1.11 1999/12/29 21:14:59 rgb
- * Fixed debug text cut and paste typo.
- *
- * Revision 1.10 1999/12/10 17:45:24 rgb
- * Added address debugging.
- *
- * Revision 1.9 1999/12/09 23:11:42 rgb
- * Ditched <string.h> include since we no longer use memset().
- * Use new pfkey_extensions_init() instead of memset().
- * Added check for SATYPE in pfkey_msg_build().
- * Tidy up comments and debugging comments.
- *
- * Revision 1.8 1999/12/07 19:55:26 rgb
- * Removed unused first argument from extension parsers.
- * Removed static pluto debug flag.
- * Moved message type and state checking to pfkey_msg_parse().
- * Changed print[fk] type from lx to x to quiet compiler.
- * Removed redundant remain check.
- * Changed __u* types to uint* to avoid use of asm/types.h and
- * sys/types.h in userspace code.
- *
- * Revision 1.7 1999/12/01 22:20:51 rgb
- * Moved pfkey_lib_debug variable into the library.
- * Added pfkey version check into header parsing.
- * Added check for SATYPE only for those extensions that require a
- * non-zero value.
- *
- * Revision 1.6 1999/11/27 11:58:05 rgb
- * Added ipv6 headers.
- * Moved sadb_satype2proto protocol lookup table from
- * klips/net/ipsec/pfkey_v2_parser.c.
- * Enable lifetime_current checking.
- * Debugging error messages added.
- * Add argument to pfkey_msg_parse() for direction.
- * Consolidated the 4 1-d extension bitmap arrays into one 4-d array.
- * Add CVS log entry to bottom of file.
- * Moved auth and enc alg check to pfkey_msg_parse().
- * Enable accidentally disabled spirange parsing.
- * Moved protocol/algorithm checks from klips/net/ipsec/pfkey_v2_parser.c
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/src/libfreeswan/radij.h b/src/libfreeswan/radij.h
index 2a66093a0..7fe30a6ea 100644
--- a/src/libfreeswan/radij.h
+++ b/src/libfreeswan/radij.h
@@ -199,82 +199,3 @@ extern int maj_keylen;
#endif /* __KERNEL__ */
#endif /* _RADIJ_H_ */
-
-
-/*
- * $Log: radij.h,v $
- * Revision 1.1 2004/03/15 20:35:25 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.12 2002/04/24 07:36:48 mcr
- * Moved from ./klips/net/ipsec/radij.h,v
- *
- * Revision 1.11 2001/09/20 15:33:00 rgb
- * Min/max cleanup.
- *
- * Revision 1.10 1999/11/18 04:09:20 rgb
- * Replaced all kernel version macros to shorter, readable form.
- *
- * Revision 1.9 1999/05/05 22:02:33 rgb
- * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
- *
- * Revision 1.8 1999/04/29 15:24:58 rgb
- * Add check for existence of macros min/max.
- *
- * Revision 1.7 1999/04/11 00:29:02 henry
- * GPL boilerplate
- *
- * Revision 1.6 1999/04/06 04:54:29 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.5 1999/01/22 06:30:32 rgb
- * 64-bit clean-up.
- *
- * Revision 1.4 1998/11/30 13:22:55 rgb
- * Rationalised all the klips kernel file headers. They are much shorter
- * now and won't conflict under RH5.2.
- *
- * Revision 1.3 1998/10/25 02:43:27 rgb
- * Change return type on rj_addroute and rj_delete and add and argument
- * to the latter to be able to transmit more infomation about errors.
- *
- * Revision 1.2 1998/07/14 18:09:51 rgb
- * Add a routine to clear eroute table.
- * Added #ifdef __KERNEL__ directives to restrict scope of header.
- *
- * Revision 1.1 1998/06/18 21:30:22 henry
- * move sources from klips/src to klips/net/ipsec to keep stupid kernel
- * build scripts happier about symlinks
- *
- * Revision 1.4 1998/05/25 20:34:16 rgb
- * Remove temporary ipsec_walk, rj_deltree and rj_delnodes functions.
- *
- * Rename ipsec_rj_walker (ipsec_walk) to ipsec_rj_walker_procprint and
- * add ipsec_rj_walker_delete.
- *
- * Recover memory for eroute table on unload of module.
- *
- * Revision 1.3 1998/04/22 16:51:37 rgb
- * Tidy up radij debug code from recent rash of modifications to debug code.
- *
- * Revision 1.2 1998/04/14 17:30:38 rgb
- * Fix up compiling errors for radij tree memory reclamation.
- *
- * Revision 1.1 1998/04/09 03:06:16 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:04 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * No changes.
- *
- * Revision 0.3 1996/11/20 14:44:45 ji
- * Release update only.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index b103be193..292abc0a4 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -11,6 +11,7 @@ asn1/asn1.c asn1/asn1.h \
asn1/oid.c asn1/oid.h \
asn1/pem.c asn1/pem.h \
asn1/ttodata.c asn1/ttodata.h \
+crypto/ac.c crypto/ac.h \
crypto/ca.c crypto/ca.h \
crypto/certinfo.c crypto/certinfo.h \
crypto/crl.c crypto/crl.h \
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index e5c5c758e..015308449 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -60,7 +60,7 @@ am__DEPENDENCIES_1 =
libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
- printf_hook.lo asn1.lo oid.lo pem.lo ttodata.lo ca.lo \
+ printf_hook.lo asn1.lo oid.lo pem.lo ttodata.lo ac.lo ca.lo \
certinfo.lo crl.lo crypter.lo aes_cbc_crypter.lo \
des_crypter.lo diffie_hellman.lo hasher.lo sha1_hasher.lo \
sha2_hasher.lo md5_hasher.lo hmac.lo ocsp.lo fips_prf.lo \
@@ -129,6 +129,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -141,6 +142,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -151,8 +153,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -174,6 +180,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -183,6 +190,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -196,9 +205,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -213,6 +226,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
lib_LTLIBRARIES = libstrongswan.la
libstrongswan_la_SOURCES = \
credential_store.h \
@@ -225,6 +240,7 @@ asn1/asn1.c asn1/asn1.h \
asn1/oid.c asn1/oid.h \
asn1/pem.c asn1/pem.h \
asn1/ttodata.c asn1/ttodata.h \
+crypto/ac.c crypto/ac.h \
crypto/ca.c crypto/ca.h \
crypto/certinfo.c crypto/certinfo.h \
crypto/crl.c crypto/crl.h \
@@ -333,6 +349,7 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ac.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_cbc_crypter.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Plo@am__quote@
@@ -421,6 +438,13 @@ ttodata.lo: asn1/ttodata.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c
+ac.lo: crypto/ac.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ac.lo -MD -MP -MF "$(DEPDIR)/ac.Tpo" -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ac.Tpo" "$(DEPDIR)/ac.Plo"; else rm -f "$(DEPDIR)/ac.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/ac.c' object='ac.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c
+
ca.lo: crypto/ca.c
@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ca.lo -MD -MP -MF "$(DEPDIR)/ca.Tpo" -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c; \
@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ca.Tpo" "$(DEPDIR)/ca.Plo"; else rm -f "$(DEPDIR)/ca.Tpo"; exit 1; fi
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 91a6621d4..2a0aa4ff6 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -731,3 +731,43 @@ chunk_t timetoasn1(const time_t *time, asn1_t type)
formatted_time.len = strlen(buf);
return asn1_simple_object(type, formatted_time);
}
+
+/**
+ * ASN.1 definition of time
+ */
+static const asn1Object_t timeObjects[] = {
+ { 0, "utcTime", ASN1_UTCTIME, ASN1_OPT|ASN1_BODY }, /* 0 */
+ { 0, "end opt", ASN1_EOC, ASN1_END }, /* 1 */
+ { 0, "generalizeTime",ASN1_GENERALIZEDTIME, ASN1_OPT|ASN1_BODY }, /* 2 */
+ { 0, "end opt", ASN1_EOC, ASN1_END } /* 3 */
+};
+#define TIME_UTC 0
+#define TIME_GENERALIZED 2
+#define TIME_ROOF 4
+
+/**
+ * extracts and converts a UTCTIME or GENERALIZEDTIME object
+ */
+time_t parse_time(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < TIME_ROOF)
+ {
+ if (!extract_object(timeObjects, &objectID, &object, &level, &ctx))
+ return 0;
+
+ if (objectID == TIME_UTC || objectID == TIME_GENERALIZED)
+ {
+ return asn1totime(&object, (objectID == TIME_UTC)
+ ? ASN1_UTCTIME : ASN1_GENERALIZEDTIME);
+ }
+ objectID++;
+ }
+ return 0;
+}
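Review bot: `parse_time` returns 0 both when the blob holds neither a UTCTime nor a GeneralizedTime and, presumably, whatever `asn1totime` yields for a malformed time string, so a caller cannot distinguish a parse failure from a genuine 1970-01-01 value; for certificate validity and revocation dates that distinction matters. The header comment should state this contract, e.g. `@return converted time, or 0 if no UTCTime/GeneralizedTime object could be extracted`, and name asn1totime's own failure value there if it has one. A smaller point of style: the entry name `"generalizeTime"` in slot 2 of `timeObjects` is presumably meant to be `"generalizedTime"`, which only matters if these names are echoed in parser debug output.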
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 5ab519ec8..365ccb438 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -124,6 +124,8 @@ extern void asn1_init(asn1_ctx_t *ctx, chunk_t blob, u_int level0, bool implicit
extern bool extract_object(asn1Object_t const *objects, u_int *objectID, chunk_t *object, u_int *level, asn1_ctx_t *ctx);
extern bool parse_asn1_simple_object(chunk_t *object, asn1_t type, u_int level, const char* name);
extern int parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters);
+extern time_t parse_time(chunk_t blob, int level0);
+
extern bool is_asn1(chunk_t blob);
extern void code_asn1_length(size_t length, chunk_t *code);
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 4b0632de2..48df1b7c4 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -28,7 +28,7 @@ const oid_t oid_names[] = {
{ 0x01, 0, 1, "pilotAttributeType" }, /* 15 */
{ 0x01, 17, 0, "UID" }, /* 16 */
{ 0x19, 0, 0, "DC" }, /* 17 */
- {0x55, 51, 1, "X.500" }, /* 18 */
+ {0x55, 52, 1, "X.500" }, /* 18 */
{ 0x04, 36, 1, "X.509" }, /* 19 */
{ 0x03, 21, 0, "CN" }, /* 20 */
{ 0x04, 22, 0, "S" }, /* 21 */
@@ -54,144 +54,145 @@ const oid_t oid_names[] = {
{ 0x11, 42, 0, "subjectAltName" }, /* 41 */
{ 0x12, 43, 0, "issuerAltName" }, /* 42 */
{ 0x13, 44, 0, "basicConstraints" }, /* 43 */
- { 0x15, 45, 0, "reasonCode" }, /* 44 */
- { 0x1F, 46, 0, "crlDistributionPoints" }, /* 45 */
- { 0x20, 47, 0, "certificatePolicies" }, /* 46 */
- { 0x23, 48, 0, "authorityKeyIdentifier" }, /* 47 */
- { 0x25, 49, 0, "extendedKeyUsage" }, /* 48 */
- { 0x37, 50, 0, "targetInformation" }, /* 49 */
- { 0x38, 0, 0, "noRevAvail" }, /* 50 */
- {0x2A, 88, 1, "" }, /* 51 */
- { 0x86, 0, 1, "" }, /* 52 */
- { 0x48, 0, 1, "" }, /* 53 */
- { 0x86, 0, 1, "" }, /* 54 */
- { 0xF7, 0, 1, "" }, /* 55 */
- { 0x0D, 0, 1, "RSADSI" }, /* 56 */
- { 0x01, 83, 1, "PKCS" }, /* 57 */
- { 0x01, 66, 1, "PKCS-1" }, /* 58 */
- { 0x01, 60, 0, "rsaEncryption" }, /* 59 */
- { 0x02, 61, 0, "md2WithRSAEncryption" }, /* 60 */
- { 0x04, 62, 0, "md5WithRSAEncryption" }, /* 61 */
- { 0x05, 63, 0, "sha-1WithRSAEncryption" }, /* 62 */
- { 0x0B, 64, 0, "sha256WithRSAEncryption"}, /* 63 */
- { 0x0C, 65, 0, "sha384WithRSAEncryption"}, /* 64 */
- { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 65 */
- { 0x07, 73, 1, "PKCS-7" }, /* 66 */
- { 0x01, 68, 0, "data" }, /* 67 */
- { 0x02, 69, 0, "signedData" }, /* 68 */
- { 0x03, 70, 0, "envelopedData" }, /* 69 */
- { 0x04, 71, 0, "signedAndEnvelopedData" }, /* 70 */
- { 0x05, 72, 0, "digestedData" }, /* 71 */
- { 0x06, 0, 0, "encryptedData" }, /* 72 */
- { 0x09, 0, 1, "PKCS-9" }, /* 73 */
- { 0x01, 75, 0, "E" }, /* 74 */
- { 0x02, 76, 0, "unstructuredName" }, /* 75 */
- { 0x03, 77, 0, "contentType" }, /* 76 */
- { 0x04, 78, 0, "messageDigest" }, /* 77 */
- { 0x05, 79, 0, "signingTime" }, /* 78 */
- { 0x06, 80, 0, "counterSignature" }, /* 79 */
- { 0x07, 81, 0, "challengePassword" }, /* 80 */
- { 0x08, 82, 0, "unstructuredAddress" }, /* 81 */
- { 0x0E, 0, 0, "extensionRequest" }, /* 82 */
- { 0x02, 86, 1, "digestAlgorithm" }, /* 83 */
- { 0x02, 85, 0, "md2" }, /* 84 */
- { 0x05, 0, 0, "md5" }, /* 85 */
- { 0x03, 0, 1, "encryptionAlgorithm" }, /* 86 */
- { 0x07, 0, 0, "3des-ede-cbc" }, /* 87 */
- {0x2B, 149, 1, "" }, /* 88 */
- { 0x06, 136, 1, "dod" }, /* 89 */
- { 0x01, 0, 1, "internet" }, /* 90 */
- { 0x04, 105, 1, "private" }, /* 91 */
- { 0x01, 0, 1, "enterprise" }, /* 92 */
- { 0x82, 98, 1, "" }, /* 93 */
- { 0x37, 0, 1, "Microsoft" }, /* 94 */
- { 0x0A, 0, 1, "" }, /* 95 */
- { 0x03, 0, 1, "" }, /* 96 */
- { 0x03, 0, 0, "msSGC" }, /* 97 */
- { 0x89, 0, 1, "" }, /* 98 */
- { 0x31, 0, 1, "" }, /* 99 */
- { 0x01, 0, 1, "" }, /* 100 */
- { 0x01, 0, 1, "" }, /* 101 */
- { 0x02, 0, 1, "" }, /* 102 */
- { 0x02, 104, 0, "" }, /* 103 */
- { 0x4B, 0, 0, "TCGID" }, /* 104 */
- { 0x05, 0, 1, "security" }, /* 105 */
- { 0x05, 0, 1, "mechanisms" }, /* 106 */
- { 0x07, 0, 1, "id-pkix" }, /* 107 */
- { 0x01, 110, 1, "id-pe" }, /* 108 */
- { 0x01, 0, 0, "authorityInfoAccess" }, /* 109 */
- { 0x03, 120, 1, "id-kp" }, /* 110 */
- { 0x01, 112, 0, "serverAuth" }, /* 111 */
- { 0x02, 113, 0, "clientAuth" }, /* 112 */
- { 0x03, 114, 0, "codeSigning" }, /* 113 */
- { 0x04, 115, 0, "emailProtection" }, /* 114 */
- { 0x05, 116, 0, "ipsecEndSystem" }, /* 115 */
- { 0x06, 117, 0, "ipsecTunnel" }, /* 116 */
- { 0x07, 118, 0, "ipsecUser" }, /* 117 */
- { 0x08, 119, 0, "timeStamping" }, /* 118 */
- { 0x09, 0, 0, "ocspSigning" }, /* 119 */
- { 0x08, 122, 1, "id-otherNames" }, /* 120 */
- { 0x05, 0, 0, "xmppAddr" }, /* 121 */
- { 0x0A, 127, 1, "id-aca" }, /* 122 */
- { 0x01, 124, 0, "authenticationInfo" }, /* 123 */
- { 0x02, 125, 0, "accessIdentity" }, /* 124 */
- { 0x03, 126, 0, "chargingIdentity" }, /* 125 */
- { 0x04, 0, 0, "group" }, /* 126 */
- { 0x30, 0, 1, "id-ad" }, /* 127 */
- { 0x01, 0, 1, "ocsp" }, /* 128 */
- { 0x01, 130, 0, "basic" }, /* 129 */
- { 0x02, 131, 0, "nonce" }, /* 130 */
- { 0x03, 132, 0, "crl" }, /* 131 */
- { 0x04, 133, 0, "response" }, /* 132 */
- { 0x05, 134, 0, "noCheck" }, /* 133 */
- { 0x06, 135, 0, "archiveCutoff" }, /* 134 */
- { 0x07, 0, 0, "serviceLocator" }, /* 135 */
- { 0x0E, 142, 1, "oiw" }, /* 136 */
- { 0x03, 0, 1, "secsig" }, /* 137 */
- { 0x02, 0, 1, "algorithms" }, /* 138 */
- { 0x07, 140, 0, "des-cbc" }, /* 139 */
- { 0x1A, 141, 0, "sha-1" }, /* 140 */
- { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 141 */
- { 0x24, 0, 1, "TeleTrusT" }, /* 142 */
- { 0x03, 0, 1, "algorithm" }, /* 143 */
- { 0x03, 0, 1, "signatureAlgorithm" }, /* 144 */
- { 0x01, 0, 1, "rsaSignature" }, /* 145 */
- { 0x02, 147, 0, "rsaSigWithripemd160" }, /* 146 */
- { 0x03, 148, 0, "rsaSigWithripemd128" }, /* 147 */
- { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 148 */
- {0x60, 0, 1, "" }, /* 149 */
- { 0x86, 0, 1, "" }, /* 150 */
- { 0x48, 0, 1, "" }, /* 151 */
- { 0x01, 0, 1, "organization" }, /* 152 */
- { 0x65, 160, 1, "gov" }, /* 153 */
- { 0x03, 0, 1, "csor" }, /* 154 */
- { 0x04, 0, 1, "nistalgorithm" }, /* 155 */
- { 0x02, 0, 1, "hashalgs" }, /* 156 */
- { 0x01, 158, 0, "id-SHA-256" }, /* 157 */
- { 0x02, 159, 0, "id-SHA-384" }, /* 158 */
- { 0x03, 0, 0, "id-SHA-512" }, /* 159 */
- { 0x86, 0, 1, "" }, /* 160 */
- { 0xf8, 0, 1, "" }, /* 161 */
- { 0x42, 174, 1, "netscape" }, /* 162 */
- { 0x01, 169, 1, "" }, /* 163 */
- { 0x01, 165, 0, "nsCertType" }, /* 164 */
- { 0x03, 166, 0, "nsRevocationUrl" }, /* 165 */
- { 0x04, 167, 0, "nsCaRevocationUrl" }, /* 166 */
- { 0x08, 168, 0, "nsCaPolicyUrl" }, /* 167 */
- { 0x0d, 0, 0, "nsComment" }, /* 168 */
- { 0x03, 172, 1, "directory" }, /* 169 */
- { 0x01, 0, 1, "" }, /* 170 */
- { 0x03, 0, 0, "employeeNumber" }, /* 171 */
- { 0x04, 0, 1, "policy" }, /* 172 */
- { 0x01, 0, 0, "nsSGC" }, /* 173 */
- { 0x45, 0, 1, "verisign" }, /* 174 */
- { 0x01, 0, 1, "pki" }, /* 175 */
- { 0x09, 0, 1, "attributes" }, /* 176 */
- { 0x02, 178, 0, "messageType" }, /* 177 */
- { 0x03, 179, 0, "pkiStatus" }, /* 178 */
- { 0x04, 180, 0, "failInfo" }, /* 179 */
- { 0x05, 181, 0, "senderNonce" }, /* 180 */
- { 0x06, 182, 0, "recipientNonce" }, /* 181 */
- { 0x07, 183, 0, "transID" }, /* 182 */
- { 0x08, 0, 0, "extensionReq" } /* 183 */
+ { 0x14, 45, 0, "crlNumber" }, /* 44 */
+ { 0x15, 46, 0, "reasonCode" }, /* 45 */
+ { 0x1F, 47, 0, "crlDistributionPoints" }, /* 46 */
+ { 0x20, 48, 0, "certificatePolicies" }, /* 47 */
+ { 0x23, 49, 0, "authorityKeyIdentifier" }, /* 48 */
+ { 0x25, 50, 0, "extendedKeyUsage" }, /* 49 */
+ { 0x37, 51, 0, "targetInformation" }, /* 50 */
+ { 0x38, 0, 0, "noRevAvail" }, /* 51 */
+ {0x2A, 89, 1, "" }, /* 52 */
+ { 0x86, 0, 1, "" }, /* 53 */
+ { 0x48, 0, 1, "" }, /* 54 */
+ { 0x86, 0, 1, "" }, /* 55 */
+ { 0xF7, 0, 1, "" }, /* 56 */
+ { 0x0D, 0, 1, "RSADSI" }, /* 57 */
+ { 0x01, 84, 1, "PKCS" }, /* 58 */
+ { 0x01, 67, 1, "PKCS-1" }, /* 59 */
+ { 0x01, 61, 0, "rsaEncryption" }, /* 60 */
+ { 0x02, 62, 0, "md2WithRSAEncryption" }, /* 61 */
+ { 0x04, 63, 0, "md5WithRSAEncryption" }, /* 62 */
+ { 0x05, 64, 0, "sha-1WithRSAEncryption" }, /* 63 */
+ { 0x0B, 65, 0, "sha256WithRSAEncryption"}, /* 64 */
+ { 0x0C, 66, 0, "sha384WithRSAEncryption"}, /* 65 */
+ { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 66 */
+ { 0x07, 74, 1, "PKCS-7" }, /* 67 */
+ { 0x01, 69, 0, "data" }, /* 68 */
+ { 0x02, 70, 0, "signedData" }, /* 69 */
+ { 0x03, 71, 0, "envelopedData" }, /* 70 */
+ { 0x04, 72, 0, "signedAndEnvelopedData" }, /* 71 */
+ { 0x05, 73, 0, "digestedData" }, /* 72 */
+ { 0x06, 0, 0, "encryptedData" }, /* 73 */
+ { 0x09, 0, 1, "PKCS-9" }, /* 74 */
+ { 0x01, 76, 0, "E" }, /* 75 */
+ { 0x02, 77, 0, "unstructuredName" }, /* 76 */
+ { 0x03, 78, 0, "contentType" }, /* 77 */
+ { 0x04, 79, 0, "messageDigest" }, /* 78 */
+ { 0x05, 80, 0, "signingTime" }, /* 79 */
+ { 0x06, 81, 0, "counterSignature" }, /* 80 */
+ { 0x07, 82, 0, "challengePassword" }, /* 81 */
+ { 0x08, 83, 0, "unstructuredAddress" }, /* 82 */
+ { 0x0E, 0, 0, "extensionRequest" }, /* 83 */
+ { 0x02, 87, 1, "digestAlgorithm" }, /* 84 */
+ { 0x02, 86, 0, "md2" }, /* 85 */
+ { 0x05, 0, 0, "md5" }, /* 86 */
+ { 0x03, 0, 1, "encryptionAlgorithm" }, /* 87 */
+ { 0x07, 0, 0, "3des-ede-cbc" }, /* 88 */
+ {0x2B, 150, 1, "" }, /* 89 */
+ { 0x06, 137, 1, "dod" }, /* 90 */
+ { 0x01, 0, 1, "internet" }, /* 91 */
+ { 0x04, 106, 1, "private" }, /* 92 */
+ { 0x01, 0, 1, "enterprise" }, /* 93 */
+ { 0x82, 99, 1, "" }, /* 94 */
+ { 0x37, 0, 1, "Microsoft" }, /* 95 */
+ { 0x0A, 0, 1, "" }, /* 96 */
+ { 0x03, 0, 1, "" }, /* 97 */
+ { 0x03, 0, 0, "msSGC" }, /* 98 */
+ { 0x89, 0, 1, "" }, /* 99 */
+ { 0x31, 0, 1, "" }, /* 100 */
+ { 0x01, 0, 1, "" }, /* 101 */
+ { 0x01, 0, 1, "" }, /* 102 */
+ { 0x02, 0, 1, "" }, /* 103 */
+ { 0x02, 105, 0, "" }, /* 104 */
+ { 0x4B, 0, 0, "TCGID" }, /* 105 */
+ { 0x05, 0, 1, "security" }, /* 106 */
+ { 0x05, 0, 1, "mechanisms" }, /* 107 */
+ { 0x07, 0, 1, "id-pkix" }, /* 108 */
+ { 0x01, 111, 1, "id-pe" }, /* 109 */
+ { 0x01, 0, 0, "authorityInfoAccess" }, /* 110 */
+ { 0x03, 121, 1, "id-kp" }, /* 111 */
+ { 0x01, 113, 0, "serverAuth" }, /* 112 */
+ { 0x02, 114, 0, "clientAuth" }, /* 113 */
+ { 0x03, 115, 0, "codeSigning" }, /* 114 */
+ { 0x04, 116, 0, "emailProtection" }, /* 115 */
+ { 0x05, 117, 0, "ipsecEndSystem" }, /* 116 */
+ { 0x06, 118, 0, "ipsecTunnel" }, /* 117 */
+ { 0x07, 119, 0, "ipsecUser" }, /* 118 */
+ { 0x08, 120, 0, "timeStamping" }, /* 119 */
+ { 0x09, 0, 0, "ocspSigning" }, /* 120 */
+ { 0x08, 123, 1, "id-otherNames" }, /* 121 */
+ { 0x05, 0, 0, "xmppAddr" }, /* 122 */
+ { 0x0A, 128, 1, "id-aca" }, /* 123 */
+ { 0x01, 125, 0, "authenticationInfo" }, /* 124 */
+ { 0x02, 126, 0, "accessIdentity" }, /* 125 */
+ { 0x03, 127, 0, "chargingIdentity" }, /* 126 */
+ { 0x04, 0, 0, "group" }, /* 127 */
+ { 0x30, 0, 1, "id-ad" }, /* 128 */
+ { 0x01, 0, 1, "ocsp" }, /* 129 */
+ { 0x01, 131, 0, "basic" }, /* 130 */
+ { 0x02, 132, 0, "nonce" }, /* 131 */
+ { 0x03, 133, 0, "crl" }, /* 132 */
+ { 0x04, 134, 0, "response" }, /* 133 */
+ { 0x05, 135, 0, "noCheck" }, /* 134 */
+ { 0x06, 136, 0, "archiveCutoff" }, /* 135 */
+ { 0x07, 0, 0, "serviceLocator" }, /* 136 */
+ { 0x0E, 143, 1, "oiw" }, /* 137 */
+ { 0x03, 0, 1, "secsig" }, /* 138 */
+ { 0x02, 0, 1, "algorithms" }, /* 139 */
+ { 0x07, 141, 0, "des-cbc" }, /* 140 */
+ { 0x1A, 142, 0, "sha-1" }, /* 141 */
+ { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 142 */
+ { 0x24, 0, 1, "TeleTrusT" }, /* 143 */
+ { 0x03, 0, 1, "algorithm" }, /* 144 */
+ { 0x03, 0, 1, "signatureAlgorithm" }, /* 145 */
+ { 0x01, 0, 1, "rsaSignature" }, /* 146 */
+ { 0x02, 148, 0, "rsaSigWithripemd160" }, /* 147 */
+ { 0x03, 149, 0, "rsaSigWithripemd128" }, /* 148 */
+ { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 149 */
+ {0x60, 0, 1, "" }, /* 150 */
+ { 0x86, 0, 1, "" }, /* 151 */
+ { 0x48, 0, 1, "" }, /* 152 */
+ { 0x01, 0, 1, "organization" }, /* 153 */
+ { 0x65, 161, 1, "gov" }, /* 154 */
+ { 0x03, 0, 1, "csor" }, /* 155 */
+ { 0x04, 0, 1, "nistalgorithm" }, /* 156 */
+ { 0x02, 0, 1, "hashalgs" }, /* 157 */
+ { 0x01, 159, 0, "id-SHA-256" }, /* 158 */
+ { 0x02, 160, 0, "id-SHA-384" }, /* 159 */
+ { 0x03, 0, 0, "id-SHA-512" }, /* 160 */
+ { 0x86, 0, 1, "" }, /* 161 */
+ { 0xf8, 0, 1, "" }, /* 162 */
+ { 0x42, 175, 1, "netscape" }, /* 163 */
+ { 0x01, 170, 1, "" }, /* 164 */
+ { 0x01, 166, 0, "nsCertType" }, /* 165 */
+ { 0x03, 167, 0, "nsRevocationUrl" }, /* 166 */
+ { 0x04, 168, 0, "nsCaRevocationUrl" }, /* 167 */
+ { 0x08, 169, 0, "nsCaPolicyUrl" }, /* 168 */
+ { 0x0d, 0, 0, "nsComment" }, /* 169 */
+ { 0x03, 173, 1, "directory" }, /* 170 */
+ { 0x01, 0, 1, "" }, /* 171 */
+ { 0x03, 0, 0, "employeeNumber" }, /* 172 */
+ { 0x04, 0, 1, "policy" }, /* 173 */
+ { 0x01, 0, 0, "nsSGC" }, /* 174 */
+ { 0x45, 0, 1, "verisign" }, /* 175 */
+ { 0x01, 0, 1, "pki" }, /* 176 */
+ { 0x09, 0, 1, "attributes" }, /* 177 */
+ { 0x02, 179, 0, "messageType" }, /* 178 */
+ { 0x03, 180, 0, "pkiStatus" }, /* 179 */
+ { 0x04, 181, 0, "failInfo" }, /* 180 */
+ { 0x05, 182, 0, "senderNonce" }, /* 181 */
+ { 0x06, 183, 0, "recipientNonce" }, /* 182 */
+ { 0x07, 184, 0, "transID" }, /* 183 */
+ { 0x08, 0, 0, "extensionReq" } /* 184 */
};
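Review bot: The `next` fields of `oid_names` are absolute array positions, so inserting `crlNumber` at slot 44 forces every later entry in this hunk, the X.500 entry in the hunk above, and every `OID_*` constant in oid.h to be renumbered by hand, and a single slip maps an OID silently to a neighbouring name or constant (a signature-algorithm or extension OID being misidentified) with no compile error. A comment above the table should state the invariant, e.g. `/* 'next' is an absolute index into this array; adding an entry requires renumbering all later entries AND the matching OID_* defines in oid.h */`, and a build-time size check such as a negative-array-size assert that `sizeof(oid_names)/sizeof(oid_names[0])` equals the last OID_* value plus one would catch length drift between the two files. The array's opening line is outside this hunk, and the oid.h hunk that must stay in lockstep continues past the end of this page.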
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index f85997159..49260c9f4 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -22,59 +22,63 @@ extern const oid_t oid_names[];
#define OID_SUBJECT_KEY_ID 38
#define OID_SUBJECT_ALT_NAME 41
#define OID_BASIC_CONSTRAINTS 43
-#define OID_CRL_REASON_CODE 44
-#define OID_CRL_DISTRIBUTION_POINTS 45
-#define OID_AUTHORITY_KEY_ID 47
-#define OID_EXTENDED_KEY_USAGE 48
-#define OID_TARGET_INFORMATION 49
-#define OID_NO_REV_AVAIL 50
-#define OID_RSA_ENCRYPTION 59
-#define OID_MD2_WITH_RSA 60
-#define OID_MD5_WITH_RSA 61
-#define OID_SHA1_WITH_RSA 62
-#define OID_SHA256_WITH_RSA 63
-#define OID_SHA384_WITH_RSA 64
-#define OID_SHA512_WITH_RSA 65
-#define OID_PKCS7_DATA 67
-#define OID_PKCS7_SIGNED_DATA 68
-#define OID_PKCS7_ENVELOPED_DATA 69
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA 70
-#define OID_PKCS7_DIGESTED_DATA 71
-#define OID_PKCS7_ENCRYPTED_DATA 72
-#define OID_PKCS9_EMAIL 74
-#define OID_PKCS9_CONTENT_TYPE 76
-#define OID_PKCS9_MESSAGE_DIGEST 77
-#define OID_PKCS9_SIGNING_TIME 78
-#define OID_MD2 84
-#define OID_MD5 85
-#define OID_3DES_EDE_CBC 87
-#define OID_AUTHORITY_INFO_ACCESS 109
-#define OID_OCSP_SIGNING 119
-#define OID_XMPP_ADDR 121
-#define OID_AUTHENTICATION_INFO 123
-#define OID_ACCESS_IDENTITY 124
-#define OID_CHARGING_IDENTITY 125
-#define OID_GROUP 126
-#define OID_OCSP 128
-#define OID_BASIC 129
-#define OID_NONCE 130
-#define OID_CRL 131
-#define OID_RESPONSE 132
-#define OID_NO_CHECK 133
-#define OID_ARCHIVE_CUTOFF 134
-#define OID_SERVICE_LOCATOR 135
-#define OID_DES_CBC 139
-#define OID_SHA1 140
-#define OID_SHA1_WITH_RSA_OIW 141
-#define OID_NS_REVOCATION_URL 165
-#define OID_NS_CA_REVOCATION_URL 166
-#define OID_NS_CA_POLICY_URL 167
-#define OID_NS_COMMENT 168
-#define OID_PKI_MESSAGE_TYPE 177
-#define OID_PKI_STATUS 178
-#define OID_PKI_FAIL_INFO 179
-#define OID_PKI_SENDER_NONCE 180
-#define OID_PKI_RECIPIENT_NONCE 181
-#define OID_PKI_TRANS_ID 182
+#define OID_CRL_NUMBER 44
+#define OID_CRL_REASON_CODE 45
+#define OID_CRL_DISTRIBUTION_POINTS 46
+#define OID_AUTHORITY_KEY_ID 48
+#define OID_EXTENDED_KEY_USAGE 49
+#define OID_TARGET_INFORMATION 50
+#define OID_NO_REV_AVAIL 51
+#define OID_RSA_ENCRYPTION 60
+#define OID_MD2_WITH_RSA 61
+#define OID_MD5_WITH_RSA 62
+#define OID_SHA1_WITH_RSA 63
+#define OID_SHA256_WITH_RSA 64
+#define OID_SHA384_WITH_RSA 65
+#define OID_SHA512_WITH_RSA 66
+#define OID_PKCS7_DATA 68
+#define OID_PKCS7_SIGNED_DATA 69
+#define OID_PKCS7_ENVELOPED_DATA 70
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 71
+#define OID_PKCS7_DIGESTED_DATA 72
+#define OID_PKCS7_ENCRYPTED_DATA 73
+#define OID_PKCS9_EMAIL 75
+#define OID_PKCS9_CONTENT_TYPE 77
+#define OID_PKCS9_MESSAGE_DIGEST 78
+#define OID_PKCS9_SIGNING_TIME 79
+#define OID_MD2 85
+#define OID_MD5 86
+#define OID_3DES_EDE_CBC 88
+#define OID_AUTHORITY_INFO_ACCESS 110
+#define OID_OCSP_SIGNING 120
+#define OID_XMPP_ADDR 122
+#define OID_AUTHENTICATION_INFO 124
+#define OID_ACCESS_IDENTITY 125
+#define OID_CHARGING_IDENTITY 126
+#define OID_GROUP 127
+#define OID_OCSP 129
+#define OID_BASIC 130
+#define OID_NONCE 131
+#define OID_CRL 132
+#define OID_RESPONSE 133
+#define OID_NO_CHECK 134
+#define OID_ARCHIVE_CUTOFF 135
+#define OID_SERVICE_LOCATOR 136
+#define OID_DES_CBC 140
+#define OID_SHA1 141
+#define OID_SHA1_WITH_RSA_OIW 142
+#define OID_SHA256 158
+#define OID_SHA384 159
+#define OID_SHA512 160
+#define OID_NS_REVOCATION_URL 166
+#define OID_NS_CA_REVOCATION_URL 167
+#define OID_NS_CA_POLICY_URL 168
+#define OID_NS_COMMENT 169
+#define OID_PKI_MESSAGE_TYPE 178
+#define OID_PKI_STATUS 179
+#define OID_PKI_FAIL_INFO 180
+#define OID_PKI_SENDER_NONCE 181
+#define OID_PKI_RECIPIENT_NONCE 182
+#define OID_PKI_TRANS_ID 183
#endif /* OID_H_ */
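Review bot: Every value in this header is a position in the `oid_names[]` table named in the hunk's context line, and the insertion of `OID_CRL_NUMBER 44` shifts every later index by one, yet nothing in the header states that coupling. If oid.h and oid.c are produced from oid.txt (the oid.txt hunk in this same commit adds the identical `OID_CRL_NUMBER` marker, which suggests so), a comment at the top of the generated block such as `/* generated from oid.txt - do not edit by hand; each value indexes oid_names[] in oid.c */` would stop a hand edit that silently maps a symbol like `OID_SHA256_WITH_RSA` onto a neighbouring algorithm entry.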
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index eed46d59d..2b3c96ae3 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -42,6 +42,7 @@
0x11 "subjectAltName" OID_SUBJECT_ALT_NAME
0x12 "issuerAltName"
0x13 "basicConstraints" OID_BASIC_CONSTRAINTS
+ 0x14 "crlNumber" OID_CRL_NUMBER
0x15 "reasonCode" OID_CRL_REASON_CODE
0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS
0x20 "certificatePolicies"
@@ -155,9 +156,9 @@
0x03 "csor"
0x04 "nistalgorithm"
0x02 "hashalgs"
- 0x01 "id-SHA-256"
- 0x02 "id-SHA-384"
- 0x03 "id-SHA-512"
+ 0x01 "id-SHA-256" OID_SHA256
+ 0x02 "id-SHA-384" OID_SHA384
+ 0x03 "id-SHA-512" OID_SHA512
0x86 ""
0xf8 ""
0x42 "netscape"
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index cba823c22..d70e1723f 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -22,6 +22,7 @@
*/
#include <stdio.h>
+#include <sys/stat.h>
#include "chunk.h"
diff --git a/src/libstrongswan/credential_store.h b/src/libstrongswan/credential_store.h
index 5d51981ec..dcbe43f52 100755
--- a/src/libstrongswan/credential_store.h
+++ b/src/libstrongswan/credential_store.h
@@ -88,15 +88,6 @@ struct credential_store_t {
rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id);
/**
- * @brief Returns the RSA public key of a specific ID if is trusted
- *
- * @param this calling object
- * @param id identification_t object identifiying the key.
- * @return public key, or NULL if not found or not trusted
- */
- rsa_public_key_t* (*get_trusted_public_key) (credential_store_t *this, identification_t *id);
-
- /**
* @brief Returns the RSA private key belonging to an RSA public key
*
* The returned rsa_private_key_t must be destroyed by the caller after usage.
@@ -151,16 +142,29 @@ struct credential_store_t {
* @param cert certificate for which issuer ca info is required
* @return ca info, or NULL if not found
*/
- ca_info_t* (*get_issuer) (credential_store_t *this, const x509_t* cert);
+ ca_info_t* (*get_issuer) (credential_store_t *this, x509_t* cert);
/**
+ * @brief Verify an RSA signature given the ID of the signer
+ *
+ * @param this calling object
+ * @param hash hash value to be verified.
+ * @param sig signature to be verified.
+ * @param id identification_t object identifiying the signer.
+ * @param issuer_p issuer of the signer's certificate (if not self-signed).
+ * @return status of the verification - SUCCESS if successful
+ */
+ status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id, ca_info_t **issuer_p);
+
+ /**
* @brief Verify an X.509 certificate up to trust anchor without any status checks
*
* @param this calling object
+ * @param label label characterizing the certificate to be verified
* @param cert certificate to be verified
* @return TRUE if trusted
*/
- bool (*is_trusted) (credential_store_t *this, x509_t *cert);
+ bool (*is_trusted) (credential_store_t *this, const char *label, x509_t *cert);
/**
* @brief Verify an X.509 certificate up to trust anchor including status checks
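Review bot: The `issuer_p` parameter of the new `verify_signature` method is a `ca_info_t **`, but its doc line reads like an input ("issuer of the signer's certificate"), leaving direction, nullability and ownership unstated for a caller of a security-critical routine. Rewrite the line along the lines of `@param issuer_p [out] receives the ca_info_t of the signer's issuing CA, or NULL if self-signed; may be NULL if the caller does not need it (ownership: store-owned, do not destroy)`, with the bracketed facts confirmed against the implementation. The new `label` argument of `is_trusted` is likewise only "characterizing the certificate"; if it exists solely for log output, say so, since otherwise callers may expect it to influence the trust decision.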
@@ -196,8 +200,9 @@ struct credential_store_t {
*
* @param this calling object
* @param ca_info ca info record to be added
+ * @return pointer to the added or already existing ca_info_t record
*/
- void (*add_ca_info) (credential_store_t *this, ca_info_t *ca_info);
+ ca_info_t* (*add_ca_info) (credential_store_t *this, ca_info_t *ca_info);
/**
* @brief Release a ca info record with a given name.
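Review bot: The new return contract of `add_ca_info` ("the added or already existing ca_info_t record") leaves the fate of the passed `ca_info` undefined in the "already existing" case: the caller cannot tell whether the store consumed and destroyed its argument or whether the caller must still destroy it, and either wrong guess yields a leak or a double free of a trust-anchor record. Extend the doc block with the actual behaviour, e.g. `@param ca_info ca info record to be added; ownership passes to the store. If a record for the same CA already exists, ca_info is destroyed and the existing record is returned` (adjust the destroyed/kept wording to what the implementation does).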
@@ -244,6 +249,24 @@ struct credential_store_t {
void (*load_ca_certificates) (credential_store_t *this);
/**
+ * @brief Loads authorization authority certificates from a default directory.
+ *
+ * Certificates in both DER and PEM format are accepted
+ *
+ * @param this calling object
+ */
+ void (*load_aa_certificates) (credential_store_t *this);
+
+ /**
+ * @brief Loads attribute certificates from a default directory.
+ *
+ * Certificates in both DER and PEM format are accepted
+ *
+ * @param this calling object
+ */
+ void (*load_attr_certificates) (credential_store_t *this);
+
+ /**
* @brief Loads ocsp certificates from a default directory.
*
* Certificates in both DER and PEM format are accepted
diff --git a/src/libstrongswan/crypto/ac.c b/src/libstrongswan/crypto/ac.c
new file mode 100644
index 000000000..47605e9e1
--- /dev/null
+++ b/src/libstrongswan/crypto/ac.c
@@ -0,0 +1,665 @@
+/**
+ * @file ac.c
+ *
+ * @brief Implementation of x509ac_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+ * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+#include <debug.h>
+
+#include <asn1/asn1.h>
+#include <utils/identification.h>
+#include <utils/linked_list.h>
+
+#include "ac.h"
+
+typedef struct private_x509ac_t private_x509ac_t;
+
+/**
+ * Private data of a x509ac_t object.
+ */
+struct private_x509ac_t {
+ /**
+ * Public interface for this attribute certificate.
+ */
+ x509ac_t public;
+
+ /**
+ * Time when attribute certificate was installed
+ */
+ time_t installed;
+
+ /**
+ * X.509 attribute certificate in DER format
+ */
+ chunk_t certificate;
+
+ /**
+ * X.509 attribute certificate body over which signature is computed
+ */
+ chunk_t certificateInfo;
+
+ /**
+ * Version of the X.509 attribute certificate
+ */
+ u_int version;
+
+ /**
+ * Serial number of the X.509 attribute certificate
+ */
+ chunk_t serialNumber;
+
+ /**
+ * ID representing the issuer of the holder certificate
+ */
+ identification_t *holderIssuer;
+
+ /**
+ * Serial number of the holder certificate
+ */
+ chunk_t holderSerial;
+
+ /**
+ * ID representing the holder
+ */
+ identification_t *entityName;
+
+ /**
+ * ID representing the attribute certificate issuer
+ */
+ identification_t *issuerName;
+
+ /**
+ * Signature algorithm
+ */
+ int sigAlg;
+
+ /**
+ * Start time of certificate validity
+ */
+ time_t notBefore;
+
+ /**
+ * End time of certificate validity
+ */
+ time_t notAfter;
+
+ /**
+ * List of charging attributes
+ */
+ linked_list_t *charging;
+
+ /**
+ * List of groub attributes
+ */
+ linked_list_t *groups;
+
+ /**
+ * Authority Key Identifier
+ */
+ chunk_t authKeyID;
+
+ /**
+ * Authority Key Serial Number
+ */
+ chunk_t authKeySerialNumber;
+
+ /**
+ * No revocation information available
+ */
+ bool noRevAvail;
+
+ /**
+ * Signature algorithm (must be identical to sigAlg)
+ */
+ int algorithm;
+
+ /**
+ * Signature
+ */
+ chunk_t signature;
+};
+
+/**
+ * definition of ietfAttribute kinds
+ */
+typedef enum {
+ IETF_ATTRIBUTE_OCTETS = 0,
+ IETF_ATTRIBUTE_OID = 1,
+ IETF_ATTRIBUTE_STRING = 2
+} ietfAttribute_t;
+
+/**
+ * access structure for an ietfAttribute
+ */
+typedef struct ietfAttr_t ietfAttr_t;
+
+struct ietfAttr_t {
+ /**
+ * IETF attribute kind
+ */
+ ietfAttribute_t kind;
+
+ /**
+ * IETF attribute valuse
+ */
+ chunk_t value;
+
+ /**
+ * Destroys the ietfAttr_t object.
+ *
+ * @param this ietfAttr_t to destroy
+ */
+ void (*destroy) (ietfAttr_t *this);
+};
+
+/**
+ * Destroys an ietfAttr_t object
+ */
+static void ietfAttr_destroy(ietfAttr_t *this)
+{
+ free(this->value.ptr);
+ free(this);
+}
+
+/**
+ * Creates an ietfAttr_t object.
+ */
+ietfAttr_t *ietfAttr_create(ietfAttribute_t kind, chunk_t value)
+{
+ ietfAttr_t *this = malloc_thing(ietfAttr_t);
+
+ /* initialize */
+ this->kind = kind;
+ this->value = chunk_clone(value);
+
+ /* function */
+ this->destroy = ietfAttr_destroy;
+
+ return this;
+}
+
+/**
+ * ASN.1 definition of ietfAttrSyntax
+ */
+static const asn1Object_t ietfAttrSyntaxObjects[] =
+{
+ { 0, "ietfAttrSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "policyAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_BODY }, /* 1 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
+ { 1, "values", ASN1_SEQUENCE, ASN1_LOOP }, /* 3 */
+ { 2, "octets", ASN1_OCTET_STRING, ASN1_OPT |
+ ASN1_BODY }, /* 4 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
+ { 2, "oid", ASN1_OID, ASN1_OPT |
+ ASN1_BODY }, /* 6 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
+ { 2, "string", ASN1_UTF8STRING, ASN1_OPT |
+ ASN1_BODY }, /* 8 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
+ { 1, "end loop", ASN1_EOC, ASN1_END } /* 10 */
+};
+
+#define IETF_ATTR_OCTETS 4
+#define IETF_ATTR_OID 6
+#define IETF_ATTR_STRING 8
+#define IETF_ATTR_ROOF 11
+
+/**
+ * ASN.1 definition of roleSyntax
+ */
+static const asn1Object_t roleSyntaxObjects[] =
+{
+ { 0, "roleSyntax", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "roleAuthority", ASN1_CONTEXT_C_0, ASN1_OPT |
+ ASN1_OBJ }, /* 1 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
+ { 1, "roleName", ASN1_CONTEXT_C_1, ASN1_OBJ } /* 3 */
+};
+
+#define ROLE_ROOF 4
+
+/**
+ * ASN.1 definition of an X509 attribute certificate
+ */
+static const asn1Object_t acObjects[] =
+{
+ { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
+ { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
+ { 2, "version", ASN1_INTEGER, ASN1_DEF |
+ ASN1_BODY }, /* 2 */
+ { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
+ { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */
+ { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
+ { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */
+ { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
+ ASN1_BODY }, /* 7 */
+ { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
+ { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT |
+ ASN1_OBJ }, /* 10 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
+ { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */
+ { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13*/
+ { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
+ ASN1_BODY }, /* 14 */
+ { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15*/
+ { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */
+ { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */
+ { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT |
+ ASN1_OBJ }, /* 19 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
+ { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */
+ { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
+ { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */
+ { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */
+ { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT |
+ ASN1_BODY }, /* 25 */
+ { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */
+ { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */
+ { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */
+ { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */
+ { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT |
+ ASN1_BODY }, /* 31 */
+ { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */
+ { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */
+ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */
+ { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */
+ { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */
+ { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */
+ { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */
+ { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */
+ { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */
+ { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */
+ { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */
+ { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */
+ { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */
+ { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */
+ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */
+ { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */
+ { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */
+ { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 49 */
+ { 4, "critical", ASN1_BOOLEAN, ASN1_DEF |
+ ASN1_BODY }, /* 50 */
+ { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 51 */
+ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 52 */
+ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 53 */
+ { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 54 */
+};
+
+#define AC_OBJ_CERTIFICATE 0
+#define AC_OBJ_CERTIFICATE_INFO 1
+#define AC_OBJ_VERSION 2
+#define AC_OBJ_HOLDER_ISSUER 5
+#define AC_OBJ_HOLDER_SERIAL 6
+#define AC_OBJ_ENTITY_NAME 10
+#define AC_OBJ_ISSUER_NAME 19
+#define AC_OBJ_ISSUER 23
+#define AC_OBJ_SIG_ALG 35
+#define AC_OBJ_SERIAL_NUMBER 36
+#define AC_OBJ_NOT_BEFORE 38
+#define AC_OBJ_NOT_AFTER 39
+#define AC_OBJ_ATTRIBUTE_TYPE 42
+#define AC_OBJ_ATTRIBUTE_VALUE 44
+#define AC_OBJ_EXTN_ID 49
+#define AC_OBJ_CRITICAL 50
+#define AC_OBJ_EXTN_VALUE 51
+#define AC_OBJ_ALGORITHM 53
+#define AC_OBJ_SIGNATURE 54
+#define AC_OBJ_ROOF 55
+
+/**
+ * Implements x509ac_t.is_valid
+ */
+static err_t is_valid(const private_x509ac_t *this, time_t *until)
+{
+ time_t current_time = time(NULL);
+
+ DBG2(" not before : %T", &this->notBefore);
+ DBG2(" current time: %T", &current_time);
+ DBG2(" not after : %T", &this->notAfter);
+
+ if (until != NULL &&
+ (*until == UNDEFINED_TIME || this->notAfter < *until))
+ {
+ *until = this->notAfter;
+ }
+ if (current_time < this->notBefore)
+ {
+ return "is not valid yet";
+ }
+ if (current_time > this->notAfter)
+ {
+ return "has expired";
+ }
+ DBG2(" attribute certificate is valid");
+ return NULL;
+}
+
+/**
+ * parses a directoryName
+ */
+static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name)
+{
+ bool has_directoryName;
+ linked_list_t *list = linked_list_create();
+
+ parse_generalNames(blob, level, implicit, list);
+ has_directoryName = list->get_count(list) > 0;
+
+ if (has_directoryName)
+ {
+ iterator_t *iterator = list->create_iterator(list, TRUE);
+ identification_t *directoryName;
+ bool first = TRUE;
+
+ while (iterator->iterate(iterator, (void**)&directoryName))
+ {
+ if (first)
+ {
+ *name = directoryName;
+ first = FALSE;
+ }
+ else
+ {
+ DBG1("more than one directory name - first selected");
+ directoryName->destroy(directoryName);
+ }
+ }
+ iterator->destroy(iterator);
+ }
+ else
+ {
+ DBG1("no directoryName found");
+ }
+
+ list->destroy(list);
+ return has_directoryName;
+}
+
+/**
+ * parses ietfAttrSyntax
+ */
+static void parse_ietfAttrSyntax(chunk_t blob, int level0, linked_list_t *list)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < IETF_ATTR_ROOF)
+ {
+ if (!extract_object(ietfAttrSyntaxObjects, &objectID, &object, &level, &ctx))
+ {
+ return;
+ }
+
+ switch (objectID)
+ {
+ case IETF_ATTR_OCTETS:
+ case IETF_ATTR_OID:
+ case IETF_ATTR_STRING:
+ {
+ ietfAttribute_t kind = (objectID - IETF_ATTR_OCTETS) / 2;
+ ietfAttr_t *attr = ietfAttr_create(kind, object);
+ list->insert_last(list, (void *)attr);
+ }
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+}
+
+/**
+ * parses roleSyntax
+ */
+static void parse_roleSyntax(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+ while (objectID < ROLE_ROOF)
+ {
+ if (!extract_object(roleSyntaxObjects, &objectID, &object, &level, &ctx))
+ {
+ return;
+ }
+
+ switch (objectID)
+ {
+ default:
+ break;
+ }
+ objectID++;
+ }
+}
+
+/**
+ * Parses an X.509 attribute certificate
+ */
+static bool parse_certificate(chunk_t blob, private_x509ac_t *this)
+{
+ asn1_ctx_t ctx;
+ bool critical;
+ chunk_t object;
+ u_int level;
+ u_int type = OID_UNKNOWN;
+ u_int extn_oid = OID_UNKNOWN;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, 0, FALSE, FALSE);
+ while (objectID < AC_OBJ_ROOF)
+ {
+ if (!extract_object(acObjects, &objectID, &object, &level, &ctx))
+ {
+ return FALSE;
+ }
+
+ /* those objects which will parsed further need the next higher level */
+ level++;
+
+ switch (objectID)
+ {
+ case AC_OBJ_CERTIFICATE:
+ this->certificate = object;
+ break;
+ case AC_OBJ_CERTIFICATE_INFO:
+ this->certificateInfo = object;
+ break;
+ case AC_OBJ_VERSION:
+ this->version = (object.len) ? (1 + (u_int)*object.ptr) : 1;
+ DBG2(" v%d", this->version);
+ if (this->version != 2)
+ {
+ DBG1("v%d attribute certificates are not supported", this->version);
+ return FALSE;
+ }
+ break;
+ case AC_OBJ_HOLDER_ISSUER:
+ if (!parse_directoryName(object, level, FALSE, &this->holderIssuer))
+ {
+ return FALSE;
+ }
+ break;
+ case AC_OBJ_HOLDER_SERIAL:
+ this->holderSerial = object;
+ break;
+ case AC_OBJ_ENTITY_NAME:
+ if (!parse_directoryName(object, level, TRUE, &this->entityName))
+ {
+ return FALSE;
+ }
+ break;
+ case AC_OBJ_ISSUER_NAME:
+ if (!parse_directoryName(object, level, FALSE, &this->issuerName))
+ {
+ return FALSE;
+ }
+ break;
+ case AC_OBJ_SIG_ALG:
+ this->sigAlg = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case AC_OBJ_SERIAL_NUMBER:
+ this->serialNumber = object;
+ break;
+ case AC_OBJ_NOT_BEFORE:
+ this->notBefore = asn1totime(&object, ASN1_GENERALIZEDTIME);
+ break;
+ case AC_OBJ_NOT_AFTER:
+ this->notAfter = asn1totime(&object, ASN1_GENERALIZEDTIME);
+ break;
+ case AC_OBJ_ATTRIBUTE_TYPE:
+ type = known_oid(object);
+ break;
+ case AC_OBJ_ATTRIBUTE_VALUE:
+ {
+ switch (type)
+ {
+ case OID_AUTHENTICATION_INFO:
+ DBG2(" need to parse authenticationInfo");
+ break;
+ case OID_ACCESS_IDENTITY:
+ DBG2(" need to parse accessIdentity");
+ break;
+ case OID_CHARGING_IDENTITY:
+ parse_ietfAttrSyntax(object, level, this->charging);
+ break;
+ case OID_GROUP:
+ parse_ietfAttrSyntax(object, level, this->groups);
+ break;
+ case OID_ROLE:
+ parse_roleSyntax(object, level);
+ break;
+ default:
+ break;
+ }
+ }
+ break;
+ case AC_OBJ_EXTN_ID:
+ extn_oid = known_oid(object);
+ break;
+ case AC_OBJ_CRITICAL:
+ critical = object.len && *object.ptr;
+ DBG2(" %s",(critical)?"TRUE":"FALSE");
+ break;
+ case AC_OBJ_EXTN_VALUE:
+ {
+ switch (extn_oid)
+ {
+ case OID_CRL_DISTRIBUTION_POINTS:
+ DBG2(" need to parse crlDistributionPoints");
+ break;
+ case OID_AUTHORITY_KEY_ID:
+ parse_authorityKeyIdentifier(object, level,
+ &this->authKeyID, &this->authKeySerialNumber);
+ break;
+ case OID_TARGET_INFORMATION:
+ DBG2(" need to parse targetInformation");
+ break;
+ case OID_NO_REV_AVAIL:
+ this->noRevAvail = TRUE;
+ break;
+ default:
+ break;
+ }
+ }
+ break;
+ case AC_OBJ_ALGORITHM:
+ this->algorithm = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case AC_OBJ_SIGNATURE:
+ this->signature = object;
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+ this->installed = time(NULL);
+ return FALSE;
+}
+
+/**
+ * Implements x509ac_t.destroy
+ */
+static void destroy(private_x509ac_t *this)
+{
+ DESTROY_IF(this->holderIssuer);
+ DESTROY_IF(this->entityName);
+ DESTROY_IF(this->issuerName);
+ this->charging->destroy_offset(this->charging,
+ offsetof(ietfAttr_t, destroy));
+ this->groups->destroy_offset(this->groups,
+ offsetof(ietfAttr_t, destroy));
+ free(this->certificate.ptr);
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+x509ac_t *x509ac_create_from_chunk(chunk_t chunk)
+{
+ private_x509ac_t *this = malloc_thing(private_x509ac_t);
+
+ /* initialize */
+ this->holderIssuer = NULL;
+ this->entityName = NULL;
+ this->issuerName = NULL;
+ this->charging = linked_list_create();
+ this->groups = linked_list_create();
+
+ /* public functions */
+ this->public.is_valid = (err_t (*) (const x509ac_t*,time_t*))is_valid;
+ this->public.destroy = (void (*) (x509ac_t*))destroy;
+
+ if (!parse_certificate(chunk, this))
+ {
+ destroy(this);
+ return NULL;
+ }
+ return &this->public;
+}
+
+/**
+ * Described in header.
+ */
+x509ac_t *x509ac_create_from_file(const char *filename)
+{
+ bool pgp = FALSE;
+ chunk_t chunk = chunk_empty;
+
+ if (!pem_asn1_load_file(filename, NULL, "attribute certificate", &chunk, &pgp))
+ {
+ return NULL;
+ }
+ return x509ac_create_from_chunk(chunk);
+}
+
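Review bot: `x509ac_create_from_chunk` can free an uninitialized pointer on malformed input: `destroy()` ends with `free(this->certificate.ptr)`, but `this->certificate` is only written once `parse_certificate` has extracted object 0, the constructor's `/* initialize */` block never sets it, and `malloc_thing` does not zero the struct, so a blob that fails on the first `extract_object` reaches `destroy(this)` with garbage in `certificate` (the optional-object fields `holderSerial`, `authKeyID`, `authKeySerialNumber` and `noRevAvail` stay uninitialized on the success path as well when their objects are absent). Add `this->certificate = chunk;` and `this->noRevAvail = FALSE;` (plus `chunk_empty` for the other chunks) to the constructor before `parse_certificate` is called; since object 0 is the outer SEQUENCE it should begin at `chunk.ptr`, so this is the same pointer the parser later stores, but confirm that against `extract_object`. Separately, `parse_certificate` ends with `return FALSE;` right after `this->installed = time(NULL);`, so every successfully parsed certificate is destroyed and the constructor always returns NULL; this should become `return TRUE;` once the remaining parsing is complete, or be commented as deliberately disabled. Finally, the struct documents `algorithm` as "must be identical to sigAlg" but the two are never compared, and an extension flagged critical at AC_OBJ_CRITICAL is only logged rather than causing rejection when its `extn_oid` is not understood; both checks belong in `parse_certificate` before the certificate is accepted.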
diff --git a/src/libstrongswan/crypto/ac.h b/src/libstrongswan/crypto/ac.h
new file mode 100644
index 000000000..b7fd26c94
--- /dev/null
+++ b/src/libstrongswan/crypto/ac.h
@@ -0,0 +1,81 @@
+/**
+ * @file ac.h
+ *
+ * @brief Interface of x509ac_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+ * Copyright (C) 2007 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef AC_H_
+#define AC_H_
+
+typedef struct x509ac_t x509ac_t;
+
+/**
+ * @brief X.509 attribute certificate.
+ *
+ * @b Constructors:
+ * - x509ac_create_from_chunk()
+ * - x509ac_create_from_file()
+ *
+ * @ingroup crypto
+ */
+struct x509ac_t {
+
+ /**
+ * @brief Checks the validity interval of the attribute certificate
+ *
+ * @param this certificate being examined
+ * @param until until = min(until, notAfter)
+ * @return NULL if the certificate is valid
+ */
+ err_t (*is_valid) (const x509ac_t *this, time_t *until);
+
+ /**
+ * @brief Destroys the attribute certificate.
+ *
+ * @param this certificate to destroy
+ */
+ void (*destroy) (x509ac_t *this);
+};
+
+/**
+ * @brief Read a x509 attribute certificate from a DER encoded blob.
+ *
+ * @param chunk chunk containing DER encoded data
+ * @return created x509ac_t certificate, or NULL if invalid.
+ *
+ * @ingroup crypto
+ */
+x509ac_t *x509ac_create_from_chunk(chunk_t chunk);
+
+/**
+ * @brief Read a x509 attribute certificate from a DER encoded file.
+ *
+ * @param filename file containing DER encoded data
+ * @return created x509ac_t certificate, or NULL if invalid.
+ *
+ * @ingroup crypto
+ */
+x509ac_t *x509ac_create_from_file(const char *filename);
+
+
+#endif /* AC_H_ */
+
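Review bot: The header uses `err_t`, `time_t` and `chunk_t` without including anything, so it compiles only when the includer has already pulled in `library.h` (ac.c does so, and ca.c includes ac.h after x509.h and crl.h, so it works there by include order rather than by design); add `#include <library.h>` after the include guard, as ca.h in this same commit does. The `is_valid` doc should also state that `until` may be NULL, which the implementation checks explicitly: `@param until if not NULL, updated to min(*until, notAfter)`.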
diff --git a/src/libstrongswan/crypto/ca.c b/src/libstrongswan/crypto/ca.c
index 1f566a098..07413e805 100644
--- a/src/libstrongswan/crypto/ca.c
+++ b/src/libstrongswan/crypto/ca.c
@@ -29,6 +29,7 @@
#include "x509.h"
#include "crl.h"
#include "ca.h"
+#include "ac.h"
#include "certinfo.h"
#include "ocsp.h"
@@ -65,6 +66,11 @@ struct private_ca_info_t {
x509_t *cacert;
/**
+ * List of attribute certificates
+ */
+ linked_list_t *attrcerts;
+
+ /**
* List of crl URIs
*/
linked_list_t *crluris;
@@ -94,6 +100,7 @@ struct private_ca_info_t {
/**
* static options set by ca_info_set_options()
*/
+static strict_t strict_crl_policy = STRICT_NO;
static bool cache_crls = FALSE;
static u_int crl_check_interval = 0;
@@ -151,6 +158,31 @@ static bool is_crl_issuer(private_ca_info_t *this, const crl_t *crl)
}
/**
+ * Implements ca_info_t.is_ca
+ */
+static bool is_ca(private_ca_info_t *this)
+{
+ return this->cacert->is_ca(this->cacert);
+}
+
+/**
+ * Implements ca_info_t.is_strict
+ */
+static bool is_strict(private_ca_info_t *this)
+{
+ bool strict = strict_crl_policy != STRICT_NO;
+
+ if (strict_crl_policy == STRICT_IFURI)
+ {
+ pthread_mutex_lock(&(this->mutex));
+ strict = this->crluris->get_count(this->crluris) > 0 ||
+ this->ocspuris->get_count(this->ocspuris) > 0;
+ pthread_mutex_unlock(&(this->mutex));
+ }
+ return strict;
+}
+
+/**
* Implements ca_info_t.has_crl
*/
static bool has_crl(private_ca_info_t *this)
@@ -213,11 +245,9 @@ static void add_crl(private_ca_info_t *this, crl_t *crl)
*/
static void list_crl(private_ca_info_t *this, FILE *out, bool utc)
{
- pthread_mutex_lock(&(this->mutex));
-
- fprintf(out, "%#U\n", this->crl, utc);
-
- pthread_mutex_unlock(&(this->mutex));
+ pthread_mutex_lock(&this->mutex);
+ this->crl->list(this->crl, out, utc);
+ pthread_mutex_unlock(&this->mutex);
}
/**
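Review bot: `list_crl` now dereferences `this->crl` unconditionally at `this->crl->list(this->crl, out, utc)`; the replaced `fprintf(out, "%#U\n", this->crl, utc)` went through a printf handler, and the ca_info handler removed further down in this diff shows that these handlers printed `(null)` for a NULL argument, so a CA with no CRL loaded was previously harmless here and now crashes unless every caller checks `has_crl()` first. Guard it inside the lock: `if (this->crl) { this->crl->list(this->crl, out, utc); }`.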
@@ -225,26 +255,42 @@ static void list_crl(private_ca_info_t *this, FILE *out, bool utc)
*/
static void list_certinfos(private_ca_info_t *this, FILE *out, bool utc)
{
- pthread_mutex_lock(&(this->mutex));
+ iterator_t *iterator;
+ certinfo_t *certinfo;
+ chunk_t authkey;
+ pthread_mutex_lock(&this->mutex);
+
+ authkey = this->cacert->get_subjectKeyID(this->cacert);
fprintf(out," authname: '%D'\n", this->cacert->get_subject(this->cacert));
- {
- chunk_t authkey = this->cacert->get_subjectKeyID(this->cacert);
+ fprintf(out," authkey: %#B\n", &authkey);
- fprintf(out," authkey: %#B\n", &authkey);
- }
+ iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
+ while (iterator->iterate(iterator, (void**)&certinfo))
{
- iterator_t *iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
- certinfo_t *certinfo;
-
- while (iterator->iterate(iterator, (void**)&certinfo))
+ time_t nextUpdate, thisUpdate, now;
+ chunk_t serial;
+
+ now = time(NULL);
+ nextUpdate = certinfo->get_nextUpdate(certinfo);
+ thisUpdate = certinfo->get_thisUpdate(certinfo);
+ serial = certinfo->get_serialNumber(certinfo);
+
+ fprintf(out, "%#T, until %#T, ", &thisUpdate, utc, &nextUpdate, utc);
+ if (now > nextUpdate)
{
- fprintf(out, "%#Y\n", certinfo, utc);
+ fprintf(out, "expired (%V ago)\n", &now, &nextUpdate);
}
- iterator->destroy(iterator);
+ else
+ {
+ fprintf(out, "ok (expires in %V)\n", &now, &nextUpdate);
+ }
+ fprintf(out, " serial: %#B, %N\n", &serial,
+ cert_status_names, certinfo->get_status(certinfo));
}
+ iterator->destroy(iterator);
- pthread_mutex_unlock(&(this->mutex));
+ pthread_mutex_unlock(&this->mutex);
}
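Review bot: `now = time(NULL)` is evaluated once per certinfo inside the loop while the mutex is held; it is loop-invariant and should be read once so that every row's `expired`/`ok` verdict is judged against the same instant. Move `time_t now = time(NULL);` up beside `authkey` before `create_iterator` and keep only `nextUpdate`, `thisUpdate` and `serial` as per-iteration locals.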
/**
@@ -644,6 +690,8 @@ static void purge_ocsp(private_ca_info_t *this)
*/
static void destroy(private_ca_info_t *this)
{
+ this->attrcerts->destroy_offset(this->attrcerts,
+ offsetof(x509ac_t, destroy));
this->crluris->destroy_offset(this->crluris,
offsetof(identification_t, destroy));
this->ocspuris->destroy_offset(this->ocspuris,
@@ -656,92 +704,59 @@ static void destroy(private_ca_info_t *this)
}
/**
- * output handler in printf()
+ * list the info of this CA
*/
-static int print(FILE *stream, const struct printf_info *info,
- const void *const *args)
+static void list(private_ca_info_t* this, FILE* out, bool utc)
{
- private_ca_info_t *this = *((private_ca_info_t**)(args[0]));
- bool utc = TRUE;
- int written = 0;
- const x509_t *cacert;
+ chunk_t chunk;
+ identification_t *uri;
+ iterator_t *iterator;
+ bool first;
- if (info->alt)
- {
- utc = *((bool*)args[1]);
- }
- if (this == NULL)
- {
- return fprintf(stream, "(null)");
- }
-
pthread_mutex_lock(&(this->mutex));
- written += fprintf(stream, "%#T", &this->installed, utc);
+ fprintf(out, "%#T", &this->installed, utc);
if (this->name)
{
- written += fprintf(stream, ", \"%s\"\n", this->name);
+ fprintf(out, ", \"%s\"\n", this->name);
}
else
{
- written += fprintf(stream, "\n");
+ fprintf(out, "\n");
}
- cacert = this->cacert;
- written += fprintf(stream, " authname: '%D'\n", cacert->get_subject(cacert));
- {
- chunk_t authkey = cacert->get_subjectKeyID(cacert);
-
- written += fprintf(stream, " authkey: %#B\n", &authkey);
- }
+ fprintf(out, " authname: '%D'\n", this->cacert->get_subject(this->cacert));
+ chunk = this->cacert->get_subjectKeyID(this->cacert);
+ fprintf(out, " authkey: %#B\n", &chunk);
+ chunk = this->cacert->get_keyid(this->cacert);
+ fprintf(out, " keyid: %#B\n", &chunk);
+
+ first = TRUE;
+ iterator = this->crluris->create_iterator(this->crluris, TRUE);
+ while (iterator->iterate(iterator, (void**)&uri))
{
- chunk_t keyid = cacert->get_keyid(cacert);
-
- written += fprintf(stream, " keyid: %#B\n", &keyid);
- }
- {
- identification_t *crluri;
- iterator_t *iterator = this->crluris->create_iterator(this->crluris, TRUE);
- bool first = TRUE;
-
- while (iterator->iterate(iterator, (void**)&crluri))
- {
- written += fprintf(stream, " %s '%D'\n",
- first? "crluris:":" ", crluri);
- first = FALSE;
- }
- iterator->destroy(iterator);
+ fprintf(out, " %s '%D'\n", first ? "crluris:":" ", uri);
+ first = FALSE;
}
+ iterator->destroy(iterator);
+
+ first = TRUE;
+ iterator = this->ocspuris->create_iterator(this->ocspuris, TRUE);
+ while (iterator->iterate(iterator, (void**)&uri))
{
- identification_t *ocspuri;
- iterator_t *iterator = this->ocspuris->create_iterator(this->ocspuris, TRUE);
- bool first = TRUE;
-
- while (iterator->iterate(iterator, (void**)&ocspuri))
- {
- written += fprintf(stream, " %s '%D'\n",
- first? "ocspuris:":" ", ocspuri);
- first = FALSE;
- }
- iterator->destroy(iterator);
+ fprintf(out, " %s '%D'\n", first ? "ocspuris:":" ", uri);
+ first = FALSE;
}
+ iterator->destroy(iterator);
pthread_mutex_unlock(&(this->mutex));
- return written;
-}
-
-/**
- * register printf() handlers
- */
-static void __attribute__ ((constructor))print_register()
-{
- register_printf_function(PRINTF_CAINFO, print, arginfo_ptr_alt_ptr_int);
}
/*
* Described in header.
*/
-void ca_info_set_options(bool cache, u_int interval)
+void ca_info_set_options(strict_t strict, bool cache, u_int interval)
{
+ strict_crl_policy = strict;
cache_crls = cache;
crl_check_interval = interval;
}
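Review bot: `ca_info_set_options` now also writes `strict_crl_policy`, which `is_strict` earlier in this file reads under a per-object mutex that does not cover this write, and none of the three file-scope statics is protected; the code is correct only if set_options runs before any `ca_info_t` is shared between threads. State that at the definition, e.g. `/* not thread-safe: call once during start-up before ca_info objects are used concurrently */`, or at the prototype in ca.h.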
@@ -757,6 +772,7 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert)
this->installed = time(NULL);
this->name = (name == NULL)? NULL:strdup(name);
this->cacert = cacert;
+ this->attrcerts = linked_list_create();
this->crluris = linked_list_create();
this->ocspuris = linked_list_create();
this->certinfos = linked_list_create();
@@ -770,10 +786,13 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert)
this->public.equals_name_release_info = (bool (*) (ca_info_t*,const char*))equals_name_release_info;
this->public.is_cert_issuer = (bool (*) (ca_info_t*,const x509_t*))is_cert_issuer;
this->public.is_crl_issuer = (bool (*) (ca_info_t*,const crl_t*))is_crl_issuer;
+ this->public.is_ca = (bool (*) (ca_info_t*))is_ca;
+ this->public.is_strict = (bool (*) (ca_info_t*))is_strict;
this->public.add_info = (void (*) (ca_info_t*,const ca_info_t*))add_info;
this->public.add_crl = (void (*) (ca_info_t*,crl_t*))add_crl;
this->public.has_crl = (bool (*) (ca_info_t*))has_crl;
this->public.has_certinfos = (bool (*) (ca_info_t*))has_certinfos;
+ this->public.list = (void (*) (ca_info_t*,FILE*,bool))list;
this->public.list_crl = (void (*) (ca_info_t*,FILE*,bool))list_crl;
this->public.list_certinfos = (void (*) (ca_info_t*,FILE*,bool))list_certinfos;
this->public.add_crluri = (void (*) (ca_info_t*,chunk_t))add_crluri;
diff --git a/src/libstrongswan/crypto/ca.h b/src/libstrongswan/crypto/ca.h
index c494a4468..ff6271b15 100644
--- a/src/libstrongswan/crypto/ca.h
+++ b/src/libstrongswan/crypto/ca.h
@@ -26,13 +26,15 @@
typedef struct ca_info_t ca_info_t;
#include <library.h>
-#include <chunk.h>
-
-#include <credential_store.h>
#include "x509.h"
#include "crl.h"
+#define MAX_CA_PATH_LEN 7
+
+/*forward declaration */
+struct credential_store_t;
+
/**
* @brief X.509 certification authority information record
*
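Review bot: `#define MAX_CA_PATH_LEN 7` on the new side says nothing about what it bounds or why 7 was chosen, and the code that consumes it is not in this hunk. A one-line comment would spare the next reader a search, e.g. `/* upper bound on the number of CAs walked in a trust chain; keeps path validation finite on long or looping chains (presumed from the name — confirm against the user) */`. Since this header now forward-declares `struct credential_store_t` instead of including it, the comment is the only place the limit's purpose can live here.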
@@ -81,6 +83,22 @@ struct ca_info_t {
bool (*is_crl_issuer) (ca_info_t *this, const crl_t *crl);
/**
+ * @brief Checks if the ca certificate has the isCA flag set
+ *
+ * @param this ca info object
+ * @return TRUE if the isCA flag is set
+ */
+ bool (*is_ca) (ca_info_t *this);
+
+ /**
+ * @brief Checks if the ca enforces a strict crl policy
+ *
+ * @param this ca info object
+ * @return TRUE if the crl policy is strict
+ */
+ bool (*is_strict) (ca_info_t *this);
+
+ /**
* @brief Merges info from a secondary ca info object
*
* @param this primary ca info object
@@ -113,6 +131,16 @@ struct ca_info_t {
bool (*has_certinfos) (ca_info_t *this);
/**
+ * @brief Print the CA info onto the console
+ *
+ * @param this ca info object
+ * @param out output stream
+ * @param utc TRUE - utc
+ FALSE - local time
+ */
+ void (*list) (ca_info_t *this, FILE *out, bool utc);
+
+ /**
* @brief List the CRL onto the console
*
* @param this ca info object
@@ -174,7 +202,7 @@ struct ca_info_t {
* @param credentials credential store needed for trust path verification
* @return certificate status
*/
- cert_status_t (*verify_by_ocsp) (ca_info_t* this, certinfo_t* certinfo, credential_store_t* credentials);
+ cert_status_t (*verify_by_ocsp) (ca_info_t* this, certinfo_t* certinfo, struct credential_store_t* credentials);
/**
* @brief Purge the OCSP certinfos of a ca info record
@@ -199,7 +227,7 @@ struct ca_info_t {
*
* @ingroup crypto
*/
-void ca_info_set_options(bool cache, u_int interval);
+void ca_info_set_options(strict_t strict, bool cache, u_int interval);
/**
* @brief Create a ca info record
diff --git a/src/libstrongswan/crypto/certinfo.c b/src/libstrongswan/crypto/certinfo.c
index 654e4c2bd..8a125e247 100644
--- a/src/libstrongswan/crypto/certinfo.c
+++ b/src/libstrongswan/crypto/certinfo.c
@@ -221,54 +221,6 @@ static void destroy(private_certinfo_t *this)
free(this);
}
-/**
- * output handler in printf()
- */
-static int print(FILE *stream, const struct printf_info *info,
- const void *const *args)
-{
- private_certinfo_t *this = *((private_certinfo_t**)(args[0]));
- bool utc = TRUE;
- int written = 0;
- time_t now;
-
- if (info->alt)
- {
- utc = *((bool*)args[1]);
- }
-
- if (this == NULL)
- {
- return fprintf(stream, "(null)");
- }
-
- now = time(NULL);
-
- written += fprintf(stream, "%#T, until %#T, ",
- &this->thisUpdate, utc,
- &this->nextUpdate, utc);
- if (now > this->nextUpdate)
- {
- written += fprintf(stream, "expired (%V ago)\n", &now, &this->nextUpdate);
- }
- else
- {
- written += fprintf(stream, "ok (expires in %V)\n", &now, &this->nextUpdate);
- }
- written += fprintf(stream, " serial: %#B, %N",
- &this->serialNumber,
- cert_status_names, this->status);
- return written;
-}
-
-/**
- * register printf() handlers
- */
-static void __attribute__ ((constructor))print_register()
-{
- register_printf_function(PRINTF_CERTINFO, print, arginfo_ptr_alt_ptr_int);
-}
-
/*
* Described in header.
*/
diff --git a/src/libstrongswan/crypto/crl.c b/src/libstrongswan/crypto/crl.c
index 00d6a3ac3..b4ae37b2e 100755
--- a/src/libstrongswan/crypto/crl.c
+++ b/src/libstrongswan/crypto/crl.c
@@ -39,10 +39,6 @@
#define CRL_WARNING_INTERVAL 7 /* days */
-extern char* check_expiry(time_t expiration_date, int warning_interval, bool strict);
-extern time_t parse_time(chunk_t blob, int level0);
-extern void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber);
-
/* access structure for a revoked certificate */
typedef struct revokedCert_t revokedCert_t;
@@ -100,6 +96,11 @@ struct private_crl_t {
identification_t *issuer;
/**
+ * CRL number
+ */
+ chunk_t crlNumber;
+
+ /**
* Time when the crl was generated
*/
time_t thisUpdate;
@@ -291,6 +292,14 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl)
{
parse_authorityKeyIdentifier(object, level, &crl->authKeyID, &crl->authKeySerialNumber);
}
+ else if (extn_oid == OID_CRL_NUMBER)
+ {
+ if (!parse_asn1_simple_object(&object, ASN1_INTEGER, level, "crlNumber"))
+ {
+ return FALSE;
+ }
+ crl->crlNumber = object;
+ }
}
break;
case CRL_OBJ_ALGORITHM:
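Review bot: The crlNumber extension is parsed and kept at `crl->crlNumber = object;`, but as far as this commit shows it is only ever printed by list(); the decision whether a newly fetched CRL may replace a cached one (add_crl, outside this hunk) does not appear to consult it. RFC 5280 defines the CRL number as a monotonically increasing sequence number, so comparing it with the cached CRL's number before replacement would refuse a stale CRL re-served in place of a newer one. If that check is deliberately left for later, a comment at the assignment such as `/* informational only for now; not yet used to order CRLs on replacement */` makes the gap visible. parse_x509crl's body starts and ends outside the hunk.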
@@ -416,66 +425,47 @@ static void destroy(private_crl_t *this)
}
/**
- * output handler in printf()
+ * Implementation of crl_t.list.
*/
-static int print(FILE *stream, const struct printf_info *info,
- const void *const *args)
+static void list(private_crl_t *this, FILE* out, bool utc)
{
- private_crl_t *this = *((private_crl_t**)(args[0]));
- bool utc = TRUE;
- int written = 0;
time_t now;
- if (info->alt)
- {
- utc = *((bool*)args[1]);
- }
-
- if (this == NULL)
- {
- return fprintf(stream, "(null)");
- }
-
now = time(NULL);
- written += fprintf(stream, "%#T, revoked certs: %d\n", &this->installed, utc,
+ fprintf(out, "%#T, revoked certs: %d\n", &this->installed, utc,
this->revokedCertificates->get_count(this->revokedCertificates));
- written += fprintf(stream, " issuer: '%D'\n", this->issuer);
- written += fprintf(stream, " updates: this %#T\n", &this->thisUpdate, utc);
- written += fprintf(stream, " next %#T ", &this->nextUpdate, utc);
+ fprintf(out, " issuer: '%D'\n", this->issuer);
+ if (this->crlNumber.ptr)
+ {
+ fprintf(out, " crlnumber: %#B\n", &this->crlNumber);
+ }
+ fprintf(out, " updates: this %#T\n", &this->thisUpdate, utc);
+ fprintf(out, " next %#T ", &this->nextUpdate, utc);
if (this->nextUpdate == UNDEFINED_TIME)
{
- written += fprintf(stream, "ok (expires never)");
+ fprintf(out, "ok (expires never)\n");
}
else if (now > this->nextUpdate)
{
- written += fprintf(stream, "expired (%V ago)", &now, &this->nextUpdate);
+ fprintf(out, "expired (%V ago)\n", &now, &this->nextUpdate);
}
else if (now > this->nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
{
- written += fprintf(stream, "ok (expires in %V)", &now, &this->nextUpdate);
+ fprintf(out, "ok (expires in %V)\n", &now, &this->nextUpdate);
}
else
{
- written += fprintf(stream, "ok");
+ fprintf(out, "ok\n");
}
if (this->authKeyID.ptr)
{
- written += fprintf(stream, "\n authkey: %#B", &this->authKeyID);
+ fprintf(out, " authkey: %#B\n", &this->authKeyID);
}
if (this->authKeySerialNumber.ptr)
{
- written += fprintf(stream, "\n aserial: %#B", &this->authKeySerialNumber);
+ fprintf(out, " aserial: %#B\n", &this->authKeySerialNumber);
}
- return written;
-}
-
-/**
- * register printf() handlers
- */
-static void __attribute__ ((constructor))print_register()
-{
- register_printf_function(PRINTF_CRL, print, arginfo_ptr_alt_ptr_int);
}
/*
@@ -489,6 +479,7 @@ crl_t *crl_create_from_chunk(chunk_t chunk)
this->crlDistributionPoints = linked_list_create();
this->tbsCertList = chunk_empty;
this->issuer = NULL;
+ this->crlNumber = chunk_empty;
this->revokedCertificates = linked_list_create();
this->authKeyID = chunk_empty;
this->authKeySerialNumber = chunk_empty;
@@ -502,6 +493,7 @@ crl_t *crl_create_from_chunk(chunk_t chunk)
this->public.verify = (bool (*) (const crl_t*,const rsa_public_key_t*))verify;
this->public.get_status = (void (*) (const crl_t*,certinfo_t*))get_status;
this->public.write_to_file = (bool (*) (const crl_t*,const char*,mode_t,bool))write_to_file;
+ this->public.list = (void(*)(crl_t*, FILE* out, bool utc))list;
this->public.destroy = (void (*) (crl_t*))destroy;
if (!parse_x509crl(chunk, 0, this))
@@ -520,14 +512,10 @@ crl_t *crl_create_from_file(const char *filename)
{
bool pgp = FALSE;
chunk_t chunk = chunk_empty;
- crl_t *crl = NULL;
if (!pem_asn1_load_file(filename, NULL, "crl", &chunk, &pgp))
+ {
return NULL;
-
- crl = crl_create_from_chunk(chunk);
-
- if (crl == NULL)
- free(chunk.ptr);
- return crl;
+ }
+ return crl_create_from_chunk(chunk);
}
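Review bot: Dropping the `free(chunk.ptr)` on the failure path changes who owns the loaded DER blob when crl_create_from_chunk() returns NULL; the new body is leak-free only if crl_create_from_chunk() now releases the chunk itself when parse_x509crl() fails. That appears to be the intent (the x509 counterpart calls destroy(this) after a failed parse), but the crl destroy path is not in view, so please confirm or state it above the return: `/* crl_create_from_chunk takes ownership of chunk, also on failure */`. The same point applies to x509_create_from_file at the end of the x509.c hunk.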
diff --git a/src/libstrongswan/crypto/crl.h b/src/libstrongswan/crypto/crl.h
index 8a11fc390..a367c3aff 100755
--- a/src/libstrongswan/crypto/crl.h
+++ b/src/libstrongswan/crypto/crl.h
@@ -104,6 +104,15 @@ struct crl_t {
* @param certinfo certinfo is updated
*/
void (*get_status) (const crl_t *this, certinfo_t *certinfo);
+
+ /**
+ * @brief Log the info of this CRL to out.
+ *
+ * @param this calling object
+ * @param out stream to write to
+ * @param utc TRUE for UTC, FALSE for local time
+ */
+ void (*list)(crl_t *this, FILE* out, bool utc);
/**
* @brief Write a der-encoded crl to a file
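Review bot: `void (*list)(crl_t *this, FILE* out, bool utc);` takes a non-const this while the neighbouring get_status and write_to_file members take `const crl_t *`; the crl.c implementation in this diff only reads fields, so `void (*list) (const crl_t *this, FILE *out, bool utc);` keeps the interface consistent and lets callers holding a const CRL list it. The `FILE* out` spacing also differs from the `FILE *out` style used elsewhere in these headers.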
diff --git a/src/libstrongswan/crypto/ocsp.c b/src/libstrongswan/crypto/ocsp.c
index 471996c8e..0d8093e4a 100644
--- a/src/libstrongswan/crypto/ocsp.c
+++ b/src/libstrongswan/crypto/ocsp.c
@@ -770,7 +770,7 @@ static void ocsp_process_response(private_ocsp_t *this, response_t *res, credent
if (res->responder_cert->is_ocsp_signer(res->responder_cert))
{
DBG2("received certificate is ocsp signer");
- if (credentials->is_trusted(credentials, res->responder_cert))
+ if (credentials->is_trusted(credentials, "OCSP signing", res->responder_cert))
{
DBG1("received ocsp signer certificate is trusted");
ocsp_cert = credentials->add_auth_certificate(credentials,
diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c
index 58fcff16d..5bf3f26d7 100755
--- a/src/libstrongswan/crypto/x509.c
+++ b/src/libstrongswan/crypto/x509.c
@@ -6,7 +6,12 @@
*/
/*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
+ * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
+ * Copyright (C) 2002 Mario Strasser
+ * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2006 Martin Willi, Andreas Steffen
+ *
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -117,6 +122,11 @@ struct private_x509_t {
identification_t *issuer;
/**
+ * link to the info recored of the certificate issuer
+ */
+ ca_info_t *ca_info;
+
+ /**
* Start time of certificate validity
*/
time_t notBefore;
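Review bot: The new field comment has a typo, `link to the info recored of the certificate issuer`; it should read `link to the info record of the certificate issuer`. It would also help to say that the pointer appears to be a non-owning reference (it is set through set_ca_info and initialised to NULL in x509_create_from_chunk, and nothing in this diff frees it), so readers need not check destroy() for a release of it — confirm before wording it that way.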
@@ -172,6 +182,11 @@ struct private_x509_t {
chunk_t authKeySerialNumber;
/**
+ * Indicates if the certificate is self-signed
+ */
+ bool isSelfSigned;
+
+ /**
* CA basic constraints flag
*/
bool isCA;
@@ -249,19 +264,6 @@ static const asn1Object_t basicConstraintsObjects[] = {
#define BASIC_CONSTRAINTS_CA 1
#define BASIC_CONSTRAINTS_ROOF 4
-/**
- * ASN.1 definition of time
- */
-static const asn1Object_t timeObjects[] = {
- { 0, "utcTime", ASN1_UTCTIME, ASN1_OPT|ASN1_BODY }, /* 0 */
- { 0, "end opt", ASN1_EOC, ASN1_END }, /* 1 */
- { 0, "generalizeTime",ASN1_GENERALIZEDTIME, ASN1_OPT|ASN1_BODY }, /* 2 */
- { 0, "end opt", ASN1_EOC, ASN1_END } /* 3 */
-};
-#define TIME_UTC 0
-#define TIME_GENERALIZED 2
-#define TIME_ROOF 4
-
/**
* ASN.1 definition of a keyIdentifier
*/
@@ -545,7 +547,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
/**
* extracts one or several GNs and puts them into a chained list
*/
-static void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
+void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
{
asn1_ctx_t ctx;
chunk_t object;
@@ -572,33 +574,6 @@ static void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_l
}
/**
- * extracts and converts a UTCTIME or GENERALIZEDTIME object
- */
-time_t parse_time(chunk_t blob, int level0)
-{
- asn1_ctx_t ctx;
- chunk_t object;
- u_int level;
- int objectID = 0;
-
- asn1_init(&ctx, blob, level0, FALSE, FALSE);
-
- while (objectID < TIME_ROOF)
- {
- if (!extract_object(timeObjects, &objectID, &object, &level, &ctx))
- return 0;
-
- if (objectID == TIME_UTC || objectID == TIME_GENERALIZED)
- {
- return asn1totime(&object, (objectID == TIME_UTC)
- ? ASN1_UTCTIME : ASN1_GENERALIZEDTIME);
- }
- objectID++;
- }
- return 0;
-}
-
-/**
* extracts a keyIdentifier
*/
static chunk_t parse_keyIdentifier(chunk_t blob, int level0, bool implicit)
@@ -624,7 +599,11 @@ void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID,
u_int level;
int objectID = 0;
+ *authKeyID = chunk_empty;
+ *authKeySerialNumber = chunk_empty;
+
asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
while (objectID < AUTH_KEY_ID_ROOF)
{
if (!extract_object(authorityKeyIdentifierObjects, &objectID, &object, &level, &ctx))
@@ -763,7 +742,7 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0, linked_list_t
/**
* Parses an X.509v3 certificate
*/
-static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert)
+static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this)
{
asn1_ctx_t ctx;
bool critical;
@@ -779,38 +758,41 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert)
{
return FALSE;
}
+
/* those objects which will parsed further need the next higher level */
level++;
- switch (objectID) {
+
+ switch (objectID)
+ {
case X509_OBJ_CERTIFICATE:
- cert->certificate = object;
+ this->certificate = object;
break;
case X509_OBJ_TBS_CERTIFICATE:
- cert->tbsCertificate = object;
+ this->tbsCertificate = object;
break;
case X509_OBJ_VERSION:
- cert->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
- DBG2(" v%d", cert->version);
+ this->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
+ DBG2(" v%d", this->version);
break;
case X509_OBJ_SERIAL_NUMBER:
- cert->serialNumber = object;
+ this->serialNumber = object;
break;
case X509_OBJ_SIG_ALG:
- cert->sigAlg = parse_algorithmIdentifier(object, level, NULL);
+ this->sigAlg = parse_algorithmIdentifier(object, level, NULL);
break;
case X509_OBJ_ISSUER:
- cert->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
- DBG2(" '%D'", cert->issuer);
+ this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+ DBG2(" '%D'", this->issuer);
break;
case X509_OBJ_NOT_BEFORE:
- cert->notBefore = parse_time(object, level);
+ this->notBefore = parse_time(object, level);
break;
case X509_OBJ_NOT_AFTER:
- cert->notAfter = parse_time(object, level);
+ this->notAfter = parse_time(object, level);
break;
case X509_OBJ_SUBJECT:
- cert->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
- DBG2(" '%D'", cert->subject);
+ this->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+ DBG2(" '%D'", this->subject);
break;
case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM:
if (parse_algorithmIdentifier(object, level, NULL) != OID_RSA_ENCRYPTION)
@@ -832,7 +814,7 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert)
}
break;
case X509_OBJ_RSA_PUBLIC_KEY:
- cert->subjectPublicKey = object;
+ this->subjectPublicKey = object;
break;
case X509_OBJ_EXTN_ID:
extn_oid = known_oid(object);
@@ -843,27 +825,28 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert)
break;
case X509_OBJ_EXTN_VALUE:
{
- switch (extn_oid) {
+ switch (extn_oid)
+ {
case OID_SUBJECT_KEY_ID:
- cert->subjectKeyID = chunk_clone(parse_keyIdentifier(object, level, FALSE));
+ this->subjectKeyID = chunk_clone(parse_keyIdentifier(object, level, FALSE));
break;
case OID_SUBJECT_ALT_NAME:
- parse_generalNames(object, level, FALSE, cert->subjectAltNames);
+ parse_generalNames(object, level, FALSE, this->subjectAltNames);
break;
case OID_BASIC_CONSTRAINTS:
- cert->isCA = parse_basicConstraints(object, level);
+ this->isCA = parse_basicConstraints(object, level);
break;
case OID_CRL_DISTRIBUTION_POINTS:
- parse_crlDistributionPoints(object, level, cert->crlDistributionPoints);
+ parse_crlDistributionPoints(object, level, this->crlDistributionPoints);
break;
case OID_AUTHORITY_KEY_ID:
- parse_authorityKeyIdentifier(object, level , &cert->authKeyID, &cert->authKeySerialNumber);
+ parse_authorityKeyIdentifier(object, level , &this->authKeyID, &this->authKeySerialNumber);
break;
case OID_AUTHORITY_INFO_ACCESS:
- parse_authorityInfoAccess(object, level, cert->ocspAccessLocations);
+ parse_authorityInfoAccess(object, level, this->ocspAccessLocations);
break;
case OID_EXTENDED_KEY_USAGE:
- cert->isOcspSigner = parse_extendedKeyUsage(object, level);
+ this->isOcspSigner = parse_extendedKeyUsage(object, level);
break;
case OID_NS_REVOCATION_URL:
case OID_NS_CA_REVOCATION_URL:
@@ -878,10 +861,10 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert)
break;
}
case X509_OBJ_ALGORITHM:
- cert->algorithm = parse_algorithmIdentifier(object, level, NULL);
+ this->algorithm = parse_algorithmIdentifier(object, level, NULL);
break;
case X509_OBJ_SIGNATURE:
- cert->signature = object;
+ this->signature = object;
break;
default:
break;
@@ -889,15 +872,16 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert)
objectID++;
}
- if (cert->subjectKeyID.ptr == NULL)
+ /* generate the subjectKeyID if it is missing in the certificate */
+ if (this->subjectKeyID.ptr == NULL)
{
hasher_t *hasher = hasher_create(HASH_SHA1);
- hasher->allocate_hash(hasher, cert->subjectPublicKey, &cert->subjectKeyID);
+ hasher->allocate_hash(hasher, this->subjectPublicKey, &this->subjectKeyID);
hasher->destroy(hasher);
}
- time(&cert->installed);
+ this->installed = time(NULL);
return TRUE;
}
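Review bot: `hasher_create(HASH_SHA1)` is dereferenced on the next line without a NULL check; if the factory can fail (for example when the algorithm is unavailable in the build), parse_certificate() crashes on any certificate that lacks a subjectKeyIdentifier instead of rejecting it. A guard of `if (!hasher) { return FALSE; }` before the allocate_hash call keeps such a failure on the ordinary parse-error path. The fallback itself, hashing subjectPublicKey with SHA-1, is consistent with one of the key-identifier methods described in RFC 5280 and is fine. parse_certificate's body starts outside this hunk.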
@@ -950,7 +934,7 @@ static bool is_ocsp_signer(const private_x509_t *this)
*/
static bool is_self_signed(const private_x509_t *this)
{
- return this->subject->equals(this->subject, this->issuer);
+ return this->isSelfSigned;
}
/**
@@ -1043,6 +1027,22 @@ static identification_t *get_subject(const private_x509_t *this)
}
/**
+ * Implements x509_t.set_ca_info
+ */
+static void set_ca_info(private_x509_t *this, ca_info_t *ca_info)
+{
+ this->ca_info = ca_info;
+}
+
+/**
+ * Implements x509_t.get_ca_info
+ */
+static ca_info_t *get_ca_info(const private_x509_t *this)
+{
+ return this->ca_info;
+}
+
+/**
* Implements x509_t.set_until
*/
static void set_until(private_x509_t *this, time_t until)
@@ -1121,39 +1121,23 @@ static bool verify(const private_x509_t *this, const rsa_public_key_t *signer)
{
return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertificate, this->signature) == SUCCESS;
}
-
+
/**
- * output handler in printf()
+ * Implementation of x509_t.list.
*/
-static int print(FILE *stream, const struct printf_info *info,
- const void *const *args)
+static void list(private_x509_t *this, FILE *out, bool utc)
{
- private_x509_t *this = *((private_x509_t**)(args[0]));
iterator_t *iterator;
- bool utc = TRUE;
- int written = 0;
-
- if (info->alt)
- {
- utc = *((bool*)(args[1]));
- }
-
- if (this == NULL)
- {
- return fprintf(stream, "(null)");
- }
-
- /* determine the current time */
time_t now = time(NULL);
- written += fprintf(stream, "%#T\n", &this->installed, utc);
+ fprintf(out, "%#T\n", &this->installed, utc);
if (this->subjectAltNames->get_count(this->subjectAltNames))
{
identification_t *subjectAltName;
bool first = TRUE;
- written += fprintf(stream, " altNames: ");
+ fprintf(out, " altNames: ");
iterator = this->subjectAltNames->create_iterator(this->subjectAltNames, TRUE);
while (iterator->iterate(iterator, (void**)&subjectAltName))
{
@@ -1163,71 +1147,71 @@ static int print(FILE *stream, const struct printf_info *info,
}
else
{
- written += fprintf(stream, ", ");
+ fprintf(out, ", ");
}
- written += fprintf(stream, "'%D'", subjectAltName);
+ fprintf(out, "'%D'", subjectAltName);
}
iterator->destroy(iterator);
- written += fprintf(stream, "\n");
+ fprintf(out, "\n");
}
- written += fprintf(stream, " subject: '%D'\n", this->subject);
- written += fprintf(stream, " issuer: '%D'\n", this->issuer);
- written += fprintf(stream, " serial: %#B\n", &this->serialNumber);
- written += fprintf(stream, " validity: not before %#T, ", &this->notBefore, utc);
+ fprintf(out, " subject: '%D'\n", this->subject);
+ fprintf(out, " issuer: '%D'\n", this->issuer);
+ fprintf(out, " serial: %#B\n", &this->serialNumber);
+ fprintf(out, " validity: not before %#T, ", &this->notBefore, utc);
if (now < this->notBefore)
{
- written += fprintf(stream, "not valid yet (valid in %V)\n", &now, &this->notBefore);
+ fprintf(out, "not valid yet (valid in %V)\n", &now, &this->notBefore);
}
else
{
- written += fprintf(stream, "ok\n");
+ fprintf(out, "ok\n");
}
- written += fprintf(stream, " not after %#T, ", &this->notAfter, utc);
+ fprintf(out, " not after %#T, ", &this->notAfter, utc);
if (now > this->notAfter)
{
- written += fprintf(stream, "expired (%V ago)\n", &now, &this->notAfter);
+ fprintf(out, "expired (%V ago)\n", &now, &this->notAfter);
}
else
{
- written += fprintf(stream, "ok");
+ fprintf(out, "ok");
if (now > this->notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
{
- written += fprintf(stream, " (expires in %V)", &now, &this->notAfter);
+ fprintf(out, " (expires in %V)", &now, &this->notAfter);
}
- written += fprintf(stream, " \n");
+ fprintf(out, " \n");
}
{
chunk_t keyid = this->public_key->get_keyid(this->public_key);
- written += fprintf(stream, " keyid: %#B\n", &keyid);
+ fprintf(out, " keyid: %#B\n", &keyid);
}
if (this->subjectKeyID.ptr)
{
- written += fprintf(stream, " subjkey: %#B\n", &this->subjectKeyID);
+ fprintf(out, " subjkey: %#B\n", &this->subjectKeyID);
}
if (this->authKeyID.ptr)
{
- written += fprintf(stream, " authkey: %#B\n", &this->authKeyID);
+ fprintf(out, " authkey: %#B\n", &this->authKeyID);
}
if (this->authKeySerialNumber.ptr)
{
- written += fprintf(stream, " aserial: %#B\n", &this->authKeySerialNumber);
+ fprintf(out, " aserial: %#B\n", &this->authKeySerialNumber);
}
- written += fprintf(stream, " pubkey: RSA %d bits", BITS_PER_BYTE *
- this->public_key->get_keysize(this->public_key));
- written += fprintf(stream, ", status %N",
- cert_status_names, this->status);
+ fprintf(out, " pubkey: RSA %d bits", BITS_PER_BYTE *
+ this->public_key->get_keysize(this->public_key));
+ fprintf(out, ", status %N",
+ cert_status_names, this->status);
switch (this->status)
{
case CERT_GOOD:
- written += fprintf(stream, " until %#T", &this->until, utc);
+ fprintf(out, " until %#T", &this->until, utc);
break;
case CERT_REVOKED:
- written += fprintf(stream, " on %#T", &this->until, utc);
+ fprintf(out, " on %#T", &this->until, utc);
break;
case CERT_UNKNOWN:
case CERT_UNDEFINED:
@@ -1235,15 +1219,6 @@ static int print(FILE *stream, const struct printf_info *info,
default:
break;
}
- return written;
-}
-
-/**
- * register printf() handlers
- */
-static void __attribute__ ((constructor))print_register()
-{
- register_printf_function(PRINTF_X509, print, arginfo_ptr_alt_ptr_int);
}
/**
@@ -1277,6 +1252,7 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
this->public_key = NULL;
this->subject = NULL;
this->issuer = NULL;
+ this->ca_info = NULL;
this->subjectAltNames = linked_list_create();
this->crlDistributionPoints = linked_list_create();
this->ocspAccessLocations = linked_list_create();
@@ -1284,6 +1260,8 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
this->authKeyID = chunk_empty;
this->authKeySerialNumber = chunk_empty;
this->authority_flags = AUTH_NONE;
+ this->isCA = FALSE;
+ this->isOcspSigner = FALSE;
/* public functions */
this->public.equals = (bool (*) (const x509_t*,const x509_t*))equals;
@@ -1300,6 +1278,8 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
this->public.get_keyid = (chunk_t (*) (const x509_t*))get_keyid;
this->public.get_issuer = (identification_t* (*) (const x509_t*))get_issuer;
this->public.get_subject = (identification_t* (*) (const x509_t*))get_subject;
+ this->public.set_ca_info = (void (*) (x509_t*,ca_info_t*))set_ca_info;
+ this->public.get_ca_info = (ca_info_t* (*) (const x509_t*))get_ca_info;
this->public.set_until = (void (*) (x509_t*,time_t))set_until;
this->public.get_until = (time_t (*) (const x509_t*))get_until;
this->public.set_status = (void (*) (x509_t*,cert_status_t))set_status;
@@ -1310,6 +1290,7 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
this->public.create_crluri_iterator = (iterator_t* (*) (const x509_t*))create_crluri_iterator;
this->public.create_ocspuri_iterator = (iterator_t* (*) (const x509_t*))create_ocspuri_iterator;
this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify;
+ this->public.list = (void(*)(x509_t*, FILE *out, bool utc))list;
this->public.destroy = (void (*) (x509_t*))destroy;
if (!parse_certificate(chunk, level, this))
@@ -1325,9 +1306,27 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
destroy(this);
return NULL;
}
+
/* set trusted lifetime of public key to notAfter */
- this->status = is_self_signed(this)? CERT_GOOD:CERT_UNDEFINED;
this->until = this->notAfter;
+
+ /* check if the certificate is self-signed */
+ this->isSelfSigned = FALSE;
+ if (this->subject->equals(this->subject, this->issuer))
+ {
+ this->isSelfSigned = this->public_key->verify_emsa_pkcs1_signature(this->public_key,
+ this->tbsCertificate, this->signature) == SUCCESS;
+ }
+ if (this->isSelfSigned)
+ {
+ DBG2(" certificate is self-signed");
+ this->status = CERT_GOOD;
+ }
+ else
+ {
+ this->status = CERT_UNDEFINED;
+ }
+
return &this->public;
}
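Review bot: The new self-signed check verifies the signature with the certificate's own key, which is stronger than the subject==issuer comparison it replaces, but a valid self-signature only proves that the holder of the key signed the certificate; setting `this->status = CERT_GOOD` in the constructor for every such certificate makes an arbitrary self-signed certificate report as good before any trust-anchor decision has been made. If callers treat status as independent from trust, the code should say so; otherwise consider leaving the status CERT_UNDEFINED here and letting the credential store mark accepted anchors as good. Proposed comment at the assignment: `/* self-signature verified: proves key possession, not trust — the credential store decides whether this is an accepted anchor */`. The verify call also presumes `this->public_key` is set on every successful parse, which this hunk does not show.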
@@ -1338,17 +1337,13 @@ x509_t *x509_create_from_file(const char *filename, const char *label)
{
bool pgp = FALSE;
chunk_t chunk = chunk_empty;
- x509_t *cert = NULL;
char cert_label[BUF_LEN];
snprintf(cert_label, BUF_LEN, "%s certificate", label);
if (!pem_asn1_load_file(filename, NULL, cert_label, &chunk, &pgp))
+ {
return NULL;
-
- cert = x509_create_from_chunk(chunk, 0);
-
- if (cert == NULL)
- free(chunk.ptr);
- return cert;
+ }
+ return x509_create_from_chunk(chunk, 0);
}
diff --git a/src/libstrongswan/crypto/x509.h b/src/libstrongswan/crypto/x509.h
index a949d99d2..c6fe148d4 100755
--- a/src/libstrongswan/crypto/x509.h
+++ b/src/libstrongswan/crypto/x509.h
@@ -6,7 +6,12 @@
*/
/*
+ * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
+ * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
+ * Copyright (C) 2002 Mario Strasser
+ * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
* Copyright (C) 2006 Martin Willi, Andreas Steffen
+ *
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -28,8 +33,10 @@ typedef struct x509_t x509_t;
#include <library.h>
#include <crypto/rsa/rsa_public_key.h>
#include <crypto/certinfo.h>
+#include <crypto/ca.h>
#include <utils/identification.h>
#include <utils/iterator.h>
+#include <utils/linked_list.h>
/* authority flags */
@@ -44,12 +51,8 @@ typedef struct x509_t x509_t;
* @b Constructors:
* - x509_create_from_chunk()
* - x509_create_from_file()
- *
- * @todo more code cleanup needed!
- * @todo fix unimplemented functions...
- * @todo handle memory management
*
- * @ingroup transforms
+ * @ingroup crypto
*/
struct x509_t {
@@ -151,7 +154,7 @@ struct x509_t {
chunk_t (*get_keyid) (const x509_t *this);
/**
- * @brief Get the certificate issuer's ID.
+ * @brief Get the issuerDistinguishedName
*
* The resulting ID is always a identification_t
* of type ID_DER_ASN1_DN.
@@ -162,7 +165,7 @@ struct x509_t {
identification_t *(*get_issuer) (const x509_t *this);
/**
- * @brief Get the subjectDistinguisheName.
+ * @brief Get the subjectDistinguishedName.
*
* The resulting ID is always a identification_t
* of type ID_DER_ASN1_DN.
@@ -173,6 +176,26 @@ struct x509_t {
identification_t *(*get_subject) (const x509_t *this);
/**
+ * @brief Set a link ca info
+ *
+ * @param this calling object
+ * @param ca_info link to the info record of the issuing ca
+ */
+ void (*set_ca_info) (x509_t *this, ca_info_t *ca_info);
+
+ /**
+ * @brief Get the .
+ *
+ * The resulting ID is always a identification_t
+ * of type ID_DER_ASN1_DN.
+ *
+ * @param this calling object
+ * @return link to the info record of the issuing ca
+ * or NULL if it does not [yet] exist
+ */
+ ca_info_t *(*get_ca_info) (const x509_t *this);
+
+ /**
* @brief Create an iterator for the crlDistributionPoints.
*
* @param this calling object
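Review bot: The doc comment for get_ca_info is a copy-paste remnant: `@brief Get the .` is truncated, and the sentence about the result being an identification_t of type ID_DER_ASN1_DN does not apply to a `ca_info_t *`. Replace it with `@brief Get the link to the info record of the issuing ca.` and drop the two identification_t lines; the `@return` text already describes the value correctly. For set_ca_info, `@brief Set a link ca info` should read `@brief Set the link to the issuing ca's info record`, and it would help to state that the certificate only references the record and does not take ownership, which is what the plain pointer store in x509.c suggests but the header does not say.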
@@ -257,7 +280,16 @@ struct x509_t {
* @return TRUE if self-signed
*/
bool (*is_self_signed) (const x509_t *this);
-
+
+ /**
+ * @brief Log the certificate info to out.
+ *
+ * @param this calling object
+ * @param out stream to write to
+ * @param utc TRUE for UTC times, FALSE for local time
+ */
+ void (*list)(x509_t *this, FILE *out, bool utc);
+
/**
* @brief Destroys the certificate.
*
@@ -272,7 +304,7 @@ struct x509_t {
* @param chunk chunk containing DER encoded data
* @return created x509_t certificate, or NULL if invlid.
*
- * @ingroup transforms
+ * @ingroup crypto
*/
x509_t *x509_create_from_chunk(chunk_t chunk, u_int level);
@@ -283,8 +315,32 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level);
* @param label label describing kind of certificate
* @return created x509_t certificate, or NULL if invalid.
*
- * @ingroup transforms
+ * @ingroup crypto
*/
x509_t *x509_create_from_file(const char *filename, const char *label);
+/**
+ * @brief Parses a DER encoded authorityKeyIdentifier
+ *
+ * @param blob blob containing DER encoded data
+ * @param level0 indicates the current parsing level
+ * @param authKeyID assigns the authorityKeyIdentifier
+ * @param authKeySerialNumber assigns the authKeySerialNumber
+ *
+ * @ingroup crypto
+ */
+void parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, chunk_t *authKeySerialNumber);
+
+/**
+ * @brief Parses DER encoded generalNames
+ *
+ * @param blob blob containing DER encoded data
+ * @param level0 indicates the current parsing level
+ * @param implicit implicit coding is used
+ * @param list linked list of decoded generalNames
+ *
+ * @ingroup crypto
+ */
+void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list);
+
#endif /* X509_H_ */
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 7c7f087f0..67a05f118 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -234,6 +234,15 @@ enum status_t {
};
/**
+ * used by strict_crl_policy
+ */
+typedef enum {
+ STRICT_NO,
+ STRICT_YES,
+ STRICT_IFURI
+} strict_t;
+
+/**
* enum_names for type status_t.
*/
extern enum_name_t *status_names;
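Review bot: The three strict_t values are introduced without saying what each means; `used by strict_crl_policy` names the consumer but not the semantics, and STRICT_IFURI in particular is not self-explanatory to someone reading the CRL policy code later. Add a per-value comment along the lines of `STRICT_NO, /* accept certificates even when no fresh CRL is available */`, `STRICT_YES, /* reject unless a valid CRL is available */`, `STRICT_IFURI /* strict only when a CRL URI is known for the issuer (presumed from the name; confirm against the policy code) */`. The enforcement code is not in this diff, so the wording should be checked there before committing.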
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
index 45184a8f0..03bcf447d 100644
--- a/src/libstrongswan/printf_hook.h
+++ b/src/libstrongswan/printf_hook.h
@@ -38,30 +38,14 @@
#define PRINTF_IDENTIFICATION 'D'
/** 1 argumnet: host_t *host; use #-modifier to include port number */
#define PRINTF_HOST 'H'
-/** 1 argument: ike_sa_id_t *id */
-#define PRINTF_IKE_SA_ID 'J'
/** 1 argument: ike_sa_t *ike_sa */
-#define PRINTF_IKE_SA 'K'
-/** 1 argument: message_t *message */
-#define PRINTF_MESSAGE 'M'
-/** 2 arguments: enum_name_t *name, long value */
#define PRINTF_ENUM 'N'
/** 1 argument: child_sa_t *child_sa */
-#define PRINTF_CHILD_SA 'P'
-/** 1 argument: traffic_selector_t *ts */
#define PRINTF_TRAFFIC_SELECTOR 'R'
/** 1 argument: time_t *time; with #-modifier 2 arguments: time_t *time, bool utc */
#define PRINTF_TIME 'T'
-/** 1 argument: x509_t *cert; with #-modifier 2 arguments: x509_t *cert, bool utc */
-#define PRINTF_X509 'Q'
-/** 1 argument: crl_t *crl; with #-modifier 2 arguments: crl_t *crl, bool utc */
-#define PRINTF_CRL 'U'
/** 2 arguments: time_t *begin, time_t *end */
#define PRINTF_TIME_DELTA 'V'
-/** 1 argument: ca_info_t *ca_info; with #-modifier 2 arguments: ca_info_t *ca_info, bool utc */
-#define PRINTF_CAINFO 'W'
-/** 1 argument: certinfo_t *certinfo; with #-modifier 2 arguments: certinfo_t *certinfo, bool utc */
-#define PRINTF_CERTINFO 'Y'
/**
* Generic arginfo handlers for printf() hooks
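Review bot: The deletion removed the wrong doc comments, so the surviving lines are now mismatched: `/** 1 argument: ike_sa_t *ike_sa */` sits above `#define PRINTF_ENUM 'N'` and `/** 1 argument: child_sa_t *child_sa */` sits above `#define PRINTF_TRAFFIC_SELECTOR 'R'`. Restore the comments that belonged to the kept macros, `/** 2 arguments: enum_name_t *name, long value */` for PRINTF_ENUM and `/** 1 argument: traffic_selector_t *ts */` for PRINTF_TRAFFIC_SELECTOR, and drop the two orphaned ones. A wrong argument description on a printf hook is easy to act on and would produce a mis-typed vararg at the call site.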
diff --git a/src/libstrongswan/utils/fetcher.c b/src/libstrongswan/utils/fetcher.c
index 6165cc1e1..7a06999aa 100644
--- a/src/libstrongswan/utils/fetcher.c
+++ b/src/libstrongswan/utils/fetcher.c
@@ -25,6 +25,9 @@
#endif /* LIBCURL */
#ifdef LIBLDAP
+#ifndef LDAP_DEPRECATED
+#define LDAP_DEPRECATED 1
+#endif
#include <ldap.h>
#endif /* LIBLDAP */
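Review bot: Defining `LDAP_DEPRECATED` before `<ldap.h>` opts this file into OpenLDAP's deprecated API, but nothing says why; a comment would stop a later cleanup from removing it and breaking the build. Something like `/* expose the deprecated OpenLDAP calls (ldap_init() era) that the LDAP fetcher still uses — migrate to ldap_initialize() eventually */` records the intent, on the assumption that the fetcher's LDAP path is what needs it. The `#ifndef` guard is a good choice since a build system may already set the macro.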
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index 8cbfd6ab8..68e9c9500 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -325,7 +325,7 @@ static bool equals(private_host_t *this, private_host_t *other)
{
if (!ip_equals(this, other))
{
- return FAILED;
+ return FALSE;
}
switch (this->address.sa_family)
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 341af39c0..673cbb828 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -738,8 +738,15 @@ static bool contains_wildcards(private_identification_t *this)
*/
static bool equals_binary(private_identification_t *this, private_identification_t *other)
{
- return this->type == other->type &&
- chunk_equals(this->encoded, other->encoded);
+ if (this->type == other->type)
+ {
+ if (this->type == ID_ANY)
+ {
+ return TRUE;
+ }
+ return chunk_equals(this->encoded, other->encoded);
+ }
+ return FALSE;
}
/**
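Review bot: The `ID_ANY` short-circuit changes the meaning of equals_binary without a comment, and a reader cannot tell from this function whether it exists because ID_ANY carries no encoding or because any two wildcards are meant to match. Add a line above the check, for example `/* ID_ANY apparently carries no encoded value, so two ID_ANY identities compare equal without looking at encoded */`, and state it in the function's doc comment, which begins above the hunk. The enclosing doc comment starts outside the hunk.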
@@ -956,7 +963,10 @@ static identification_t *clone_(private_identification_t *this)
private_identification_t *clone = identification_create();
clone->type = this->type;
- clone->encoded = chunk_clone(this->encoded);
+ if (this->encoded.len)
+ {
+ clone->encoded = chunk_clone(this->encoded);
+ }
clone->public.equals = this->public.equals;
clone->public.matches = this->public.matches;
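Review bot: When `this->encoded.len` is zero the clone's `encoded` is no longer assigned at all, so its value depends on identification_create() zero-initialising the struct, which this hunk does not show. Making the empty case explicit keeps the copy self-contained: add an `else` branch with `clone->encoded.ptr = NULL;` and `clone->encoded.len = 0;`. A one-line comment such as `/* an empty encoding (e.g. ID_ANY) must not be cloned, chunk_clone() would allocate zero bytes */` would also explain the new guard, hedged on what chunk_clone() does with an empty chunk. clone_ begins outside the hunk.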
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 8a2bee51f..67396085c 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -127,6 +127,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -139,6 +140,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -149,8 +151,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -172,6 +178,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -181,6 +188,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -194,9 +203,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -211,6 +224,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
openac_SOURCES = openac.c build.c build.h loglite.c
INCLUDES = \
-I$(top_srcdir)/src/libfreeswan \
diff --git a/src/openac/build.c b/src/openac/build.c
index bd3df6fee..0c6a2be3b 100644
--- a/src/openac/build.c
+++ b/src/openac/build.c
@@ -31,212 +31,201 @@
#include "build.h"
static u_char ASN1_group_oid_str[] = {
- 0x06, 0x08,
- 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04
+ 0x06, 0x08,
+ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04
};
static const chunk_t ASN1_group_oid = strchunk(ASN1_group_oid_str);
static u_char ASN1_authorityKeyIdentifier_oid_str[] = {
- 0x06, 0x03,
- 0x55, 0x1d, 0x23
+ 0x06, 0x03,
+ 0x55, 0x1d, 0x23
};
static const chunk_t ASN1_authorityKeyIdentifier_oid
= strchunk(ASN1_authorityKeyIdentifier_oid_str);
static u_char ASN1_noRevAvail_ext_str[] = {
- 0x30, 0x09,
- 0x06, 0x03,
- 0x55, 0x1d, 0x38,
- 0x04, 0x02,
- 0x05, 0x00
+ 0x30, 0x09,
+ 0x06, 0x03,
+ 0x55, 0x1d, 0x38,
+ 0x04, 0x02,
+ 0x05, 0x00
};
static const chunk_t ASN1_noRevAvail_ext = strchunk(ASN1_noRevAvail_ext_str);
-/*
+/**
* build directoryName
*/
-static chunk_t
-build_directoryName(asn1_t tag, chunk_t name)
+static chunk_t build_directoryName(asn1_t tag, chunk_t name)
{
- return asn1_wrap(tag, "m"
- , asn1_simple_object(ASN1_CONTEXT_C_4, name));
+ return asn1_wrap(tag, "m",
+ asn1_simple_object(ASN1_CONTEXT_C_4, name));
}
-/*
+/**
* build holder
*/
-static chunk_t
-build_holder(void)
+static chunk_t build_holder(void)
{
- return asn1_wrap(ASN1_SEQUENCE, "mm"
- , asn1_wrap(ASN1_CONTEXT_C_0, "mm"
- , build_directoryName(ASN1_SEQUENCE, user->issuer)
- , asn1_simple_object(ASN1_INTEGER, user->serialNumber)
- )
- , build_directoryName(ASN1_CONTEXT_C_1, user->subject));
+ return asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_wrap(ASN1_CONTEXT_C_0, "mm",
+ build_directoryName(ASN1_SEQUENCE, user->issuer),
+ asn1_simple_object(ASN1_INTEGER, user->serialNumber)
+ ),
+ build_directoryName(ASN1_CONTEXT_C_1, user->subject));
}
-/*
+/**
* build v2Form
*/
-static chunk_t
-build_v2_form(void)
+static chunk_t build_v2_form(void)
{
- return asn1_wrap(ASN1_CONTEXT_C_0, "m"
- , build_directoryName(ASN1_SEQUENCE, signer->subject));
+ return asn1_wrap(ASN1_CONTEXT_C_0, "m",
+ build_directoryName(ASN1_SEQUENCE, signer->subject));
}
-/*
+/**
* build attrCertValidityPeriod
*/
-static chunk_t
-build_attr_cert_validity(void)
+static chunk_t build_attr_cert_validity(void)
{
- return asn1_wrap(ASN1_SEQUENCE, "mm"
- , timetoasn1(&notBefore, ASN1_GENERALIZEDTIME)
- , timetoasn1(&notAfter, ASN1_GENERALIZEDTIME));
+ return asn1_wrap(ASN1_SEQUENCE, "mm",
+ timetoasn1(&notBefore, ASN1_GENERALIZEDTIME),
+ timetoasn1(&notAfter, ASN1_GENERALIZEDTIME));
}
-/*
+/**
* build attributes
*/
-static chunk_t
-build_ietfAttributes(ietfAttrList_t *list)
+static chunk_t build_ietfAttributes(ietfAttrList_t *list)
{
- chunk_t ietfAttributes;
- ietfAttrList_t *item = list;
- size_t size = 0;
- u_char *pos;
-
- /* precalculate the total size of all values */
- while (item != NULL)
- {
- size_t len = item->attr->value.len;
-
- size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
- item = item->next;
- }
- pos = build_asn1_object(&ietfAttributes, ASN1_SEQUENCE, size);
-
- while (list != NULL)
- {
- ietfAttr_t *attr = list->attr;
- asn1_t type = ASN1_NULL;
-
- switch (attr->kind)
+ chunk_t ietfAttributes;
+ ietfAttrList_t *item = list;
+ size_t size = 0;
+ u_char *pos;
+
+ /* precalculate the total size of all values */
+ while (item != NULL)
{
- case IETF_ATTRIBUTE_OCTETS:
- type = ASN1_OCTET_STRING;
- break;
- case IETF_ATTRIBUTE_STRING:
- type = ASN1_UTF8STRING;
- break;
- case IETF_ATTRIBUTE_OID:
- type = ASN1_OID;
- break;
+ size_t len = item->attr->value.len;
+
+ size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
+ item = item->next;
}
- mv_chunk(&pos, asn1_simple_object(type, attr->value));
+ pos = build_asn1_object(&ietfAttributes, ASN1_SEQUENCE, size);
- list = list->next;
- }
+ while (list != NULL)
+ {
+ ietfAttr_t *attr = list->attr;
+ asn1_t type = ASN1_NULL;
+
+ switch (attr->kind)
+ {
+ case IETF_ATTRIBUTE_OCTETS:
+ type = ASN1_OCTET_STRING;
+ break;
+ case IETF_ATTRIBUTE_STRING:
+ type = ASN1_UTF8STRING;
+ break;
+ case IETF_ATTRIBUTE_OID:
+ type = ASN1_OID;
+ break;
+ }
+ mv_chunk(&pos, asn1_simple_object(type, attr->value));
+
+ list = list->next;
+ }
- return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes);
+ return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes);
}
-/*
+/**
* build attribute type
*/
-static chunk_t
-build_attribute_type(const chunk_t type, chunk_t content)
+static chunk_t build_attribute_type(const chunk_t type, chunk_t content)
{
- return asn1_wrap(ASN1_SEQUENCE, "cm"
- , type
- , asn1_wrap(ASN1_SET, "m", content));
+ return asn1_wrap(ASN1_SEQUENCE, "cm",
+ type,
+ asn1_wrap(ASN1_SET, "m", content));
}
-/*
+/**
* build attributes
*/
-static chunk_t
-build_attributes(void)
+static chunk_t build_attributes(void)
{
- return asn1_wrap(ASN1_SEQUENCE, "m"
- , build_attribute_type(ASN1_group_oid
- , build_ietfAttributes(groups)));
+ return asn1_wrap(ASN1_SEQUENCE, "m",
+ build_attribute_type(ASN1_group_oid,
+ build_ietfAttributes(groups)));
}
-/*
+/**
* build authorityKeyIdentifier
*/
-static chunk_t
-build_authorityKeyID(x509cert_t *signer)
+static chunk_t build_authorityKeyID(x509cert_t *signer)
{
- chunk_t keyIdentifier = (signer->subjectKeyID.ptr == NULL)
- ? empty_chunk
- : asn1_simple_object(ASN1_CONTEXT_S_0
- , signer->subjectKeyID);
-
- chunk_t authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1
- , signer->issuer);
-
- chunk_t authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2
- , signer->serialNumber);
-
- return asn1_wrap(ASN1_SEQUENCE, "cm"
- , ASN1_authorityKeyIdentifier_oid
- , asn1_wrap(ASN1_OCTET_STRING, "m"
- , asn1_wrap(ASN1_SEQUENCE, "mmm"
- , keyIdentifier
- , authorityCertIssuer
- , authorityCertSerialNumber
- )
- )
- );
+ chunk_t keyIdentifier = (signer->subjectKeyID.ptr == NULL)
+ ? empty_chunk
+ : asn1_simple_object(ASN1_CONTEXT_S_0,
+ signer->subjectKeyID);
+
+ chunk_t authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
+ signer->issuer);
+
+ chunk_t authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
+ signer->serialNumber);
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm",
+ ASN1_authorityKeyIdentifier_oid,
+ asn1_wrap(ASN1_OCTET_STRING, "m",
+ asn1_wrap(ASN1_SEQUENCE, "mmm",
+ keyIdentifier,
+ authorityCertIssuer,
+ authorityCertSerialNumber
+ )
+ )
+ );
}
-/*
+/**
* build extensions
*/
-static chunk_t
-build_extensions(void)
+static chunk_t build_extensions(void)
{
- return asn1_wrap(ASN1_SEQUENCE, "mc"
- , build_authorityKeyID(signer)
- , ASN1_noRevAvail_ext);
+ return asn1_wrap(ASN1_SEQUENCE, "mc",
+ build_authorityKeyID(signer),
+ ASN1_noRevAvail_ext);
}
-/*
+/**
* build attributeCertificateInfo
*/
-static chunk_t
-build_attr_cert_info(void)
+static chunk_t build_attr_cert_info(void)
{
- return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm"
- , ASN1_INTEGER_1
- , build_holder()
- , build_v2_form()
- , ASN1_sha1WithRSA_id
- , asn1_simple_object(ASN1_INTEGER, serial)
- , build_attr_cert_validity()
- , build_attributes()
- , build_extensions());
+ return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm",
+ ASN1_INTEGER_1,
+ build_holder(),
+ build_v2_form(),
+ ASN1_sha1WithRSA_id,
+ asn1_simple_object(ASN1_INTEGER, serial),
+ build_attr_cert_validity(),
+ build_attributes(),
+ build_extensions());
}
-/*
+/**
* build an X.509 attribute certificate
*/
-chunk_t
-build_attr_cert(void)
+chunk_t build_attr_cert(void)
{
- chunk_t attributeCertificateInfo = build_attr_cert_info();
- chunk_t signatureValue = pkcs1_build_signature(attributeCertificateInfo
- , OID_SHA1, signerkey, TRUE);
-
- return asn1_wrap(ASN1_SEQUENCE, "mcm"
- , attributeCertificateInfo
- , ASN1_sha1WithRSA_id
- , signatureValue);
+ chunk_t attributeCertificateInfo = build_attr_cert_info();
+ chunk_t signatureValue = pkcs1_build_signature(attributeCertificateInfo,
+ OID_SHA1, signerkey, TRUE);
+
+ return asn1_wrap(ASN1_SEQUENCE, "mcm",
+ attributeCertificateInfo,
+ ASN1_sha1WithRSA_id,
+ signatureValue);
}
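Review bot: In build_ietfAttributes the `switch (attr->kind)` has no `default:` branch, so an unrecognised kind silently encodes the value under `ASN1_NULL`, producing a malformed attribute certificate rather than an error; a `default:` that logs and skips (or fails the build) would make the bad input visible. The hunk also upgrades every comment to a Doxygen `/**` block, yet none gains `@param`/`@return` lines, for example build_authorityKeyID could state that `keyIdentifier` is omitted when the signer has no subjectKeyID. The rest of the hunk is indentation only.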
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 00f287b3a..e3f92fbd2 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -57,107 +57,113 @@ bool pkcs11_keep_state = FALSE;
static void
usage(const char *mess)
{
- if (mess != NULL && *mess != '\0')
- fprintf(stderr, "%s\n", mess);
- fprintf(stderr
- , "Usage: openac"
- " [--help]"
- " [--version]"
- " [--optionsfrom <filename>]"
- " [--quiet]"
+ if (mess != NULL && *mess != '\0')
+ {
+ fprintf(stderr, "%s\n", mess);
+ }
+ fprintf(stderr, "Usage: openac"
+ " [--help]"
+ " [--version]"
+ " [--optionsfrom <filename>]"
+ " [--quiet]"
#ifdef DEBUG
- " \\\n\t"
- " [--debug-all]"
- " [--debug-parsing]"
- " [--debug-raw]"
- " [--debug-private]"
+ " \\\n\t"
+ " [--debug-all]"
+ " [--debug-parsing]"
+ " [--debug-raw]"
+ " [--debug-private]"
#endif
- " \\\n\t"
- " [--days <days>]"
- " [--hours <hours>]"
- " \\\n\t"
- " [--startdate <YYYYMMDDHHMMSSZ>]"
- " [--enddate <YYYYMMDDHHMMSSZ>]"
- " \\\n\t"
- " --cert <certfile>"
- " --key <keyfile>"
- " [--password <password>]"
- " \\\n\t"
- " --usercert <certfile>"
- " --groups <attr1,attr2,..>"
- " --out <filename>"
- "\n"
- );
- exit(mess == NULL? 0 : 1);
+ " \\\n\t"
+ " [--days <days>]"
+ " [--hours <hours>]"
+ " \\\n\t"
+ " [--startdate <YYYYMMDDHHMMSSZ>]"
+ " [--enddate <YYYYMMDDHHMMSSZ>]"
+ " \\\n\t"
+ " --cert <certfile>"
+ " --key <keyfile>"
+ " [--password <password>]"
+ " \\\n\t"
+ " --usercert <certfile>"
+ " --groups <attr1,attr2,..>"
+ " --out <filename>"
+ "\n"
+ );
+ exit(mess == NULL? 0 : 1);
}
-/*
+/**
* read the last serial number from file
*/
-static chunk_t
-read_serial(void)
+static chunk_t read_serial(void)
{
- MP_INT number;
+ MP_INT number;
- char buf[BUF_LEN];
- char bytes[BUF_LEN];
+ char buf[BUF_LEN];
+ char bytes[BUF_LEN];
- FILE *fd = fopen(OPENAC_SERIAL, "r");
+ FILE *fd = fopen(OPENAC_SERIAL, "r");
- /* serial number defaults to 0 */
- size_t len = 1;
- bytes[0] = 0x00;
+ /* serial number defaults to 0 */
+ size_t len = 1;
+ bytes[0] = 0x00;
- if (fd)
- {
- if (fscanf(fd, "%s", buf))
+ if (fd)
{
- err_t ugh = ttodata(buf, 0, 16, bytes, BUF_LEN, &len);
-
- if (ugh != NULL)
- plog(" error reading serial number from %s: %s"
- , OPENAC_SERIAL, ugh);
+ if (fscanf(fd, "%s", buf))
+ {
+ err_t ugh = ttodata(buf, 0, 16, bytes, BUF_LEN, &len);
+
+ if (ugh != NULL)
+ {
+ plog(" error reading serial number from %s: %s"
+ , OPENAC_SERIAL, ugh);
+ }
+ }
+ fclose(fd);
}
- fclose(fd);
- }
- else
- plog(" file '%s' does not exist yet - serial number set to 01"
+ else
+ {
+ plog(" file '%s' does not exist yet - serial number set to 01"
, OPENAC_SERIAL);
+ }
- /* conversion of read serial number to a multiprecision integer
- * and incrementing it by one
- * and representing it as a two's complement octet string
- */
- n_to_mpz(&number, bytes, len);
- mpz_add_ui(&number, &number, 0x01);
- serial = mpz_to_n(&number, 1 + mpz_sizeinbase(&number, 2)/BITS_PER_BYTE);
- mpz_clear(&number);
-
- return serial;
+ /**
+ * conversion of read serial number to a multiprecision integer
+ * and incrementing it by one
+ * and representing it as a two's complement octet string
+ */
+ n_to_mpz(&number, bytes, len);
+ mpz_add_ui(&number, &number, 0x01);
+ serial = mpz_to_n(&number, 1 + mpz_sizeinbase(&number, 2)/BITS_PER_BYTE);
+ mpz_clear(&number);
+
+ return serial;
}
-/*
+/**
* write back the last serial number to file
*/
-static void
-write_serial(chunk_t serial)
+static void write_serial(chunk_t serial)
{
- char buf[BUF_LEN];
-
- FILE *fd = fopen(OPENAC_SERIAL, "w");
-
- if (fd)
- {
- datatot(serial.ptr, serial.len, 16, buf, BUF_LEN);
- plog(" serial number is %s", buf);
- fprintf(fd, "%s\n", buf);
- fclose(fd);
- }
- else
- plog(" could not open file '%s' for writing", OPENAC_SERIAL);
+ char buf[BUF_LEN];
+
+ FILE *fd = fopen(OPENAC_SERIAL, "w");
+
+ if (fd)
+ {
+ datatot(serial.ptr, serial.len, 16, buf, BUF_LEN);
+ plog(" serial number is %s", buf);
+ fprintf(fd, "%s\n", buf);
+ fclose(fd);
+ }
+ else
+ {
+ plog(" could not open file '%s' for writing", OPENAC_SERIAL);
+ }
}
-/*
+/**
* global variables accessible by both main() and build.c
*/
x509cert_t *user = NULL;
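Review bot: In read_serial the test `if (fscanf(fd, "%s", buf))` treats EOF (-1) as success, so an empty serial file makes ttodata() run on the uninitialised `buf`; it should be `if (fscanf(fd, "%s", buf) == 1)`. The `%s` conversion is also unbounded for the BUF_LEN-sized `buf`, so an over-long token in the serial file overruns the stack; reading with `fgets(buf, BUF_LEN, fd)` and stripping the trailing newline, or a width derived from BUF_LEN, bounds it. The Doxygen-style `/**` opener on the comment inside the function body (before n_to_mpz) is better kept as a plain `/*`, as Doxygen attaches such blocks to the wrong entity.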
@@ -171,268 +177,264 @@ time_t notAfter = 0;
chunk_t serial;
-
-int
-main(int argc, char **argv)
+int main(int argc, char **argv)
{
- char *keyfile = NULL;
- char *certfile = NULL;
- char *usercertfile = NULL;
- char *outfile = NULL;
+ char *keyfile = NULL;
+ char *certfile = NULL;
+ char *usercertfile = NULL;
+ char *outfile = NULL;
- cert_t signercert = empty_cert;
- cert_t usercert = empty_cert;
+ cert_t signercert = empty_cert;
+ cert_t usercert = empty_cert;
- chunk_t attr_cert = empty_chunk;
- x509acert_t *ac = NULL;
+ chunk_t attr_cert = empty_chunk;
+ x509acert_t *ac = NULL;
- const time_t default_validity = 24*3600; /* 24 hours */
- time_t validity = 0;
+ const time_t default_validity = 24*3600; /* 24 hours */
+ time_t validity = 0;
- prompt_pass_t pass;
+ prompt_pass_t pass;
- pass.secret[0] = '\0';
- pass.prompt = TRUE;
- pass.fd = STDIN_FILENO;
+ pass.secret[0] = '\0';
+ pass.prompt = TRUE;
+ pass.fd = STDIN_FILENO;
- log_to_stderr = TRUE;
+ log_to_stderr = TRUE;
- /* handle arguments */
- for (;;)
- {
+ /* handle arguments */
+ for (;;)
+ {
# define DBG_OFFSET 256
- static const struct option long_opts[] = {
- /* name, has_arg, flag, val */
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, 'v' },
- { "optionsfrom", required_argument, NULL, '+' },
- { "quiet", no_argument, NULL, 'q' },
- { "cert", required_argument, NULL, 'c' },
- { "key", required_argument, NULL, 'k' },
- { "password", required_argument, NULL, 'p' },
- { "usercert", required_argument, NULL, 'u' },
- { "groups", required_argument, NULL, 'g' },
- { "days", required_argument, NULL, 'D' },
- { "hours", required_argument, NULL, 'H' },
- { "startdate", required_argument, NULL, 'S' },
- { "enddate", required_argument, NULL, 'E' },
- { "out", required_argument, NULL, 'o' },
+ static const struct option long_opts[] = {
+ /* name, has_arg, flag, val */
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, 'v' },
+ { "optionsfrom", required_argument, NULL, '+' },
+ { "quiet", no_argument, NULL, 'q' },
+ { "cert", required_argument, NULL, 'c' },
+ { "key", required_argument, NULL, 'k' },
+ { "password", required_argument, NULL, 'p' },
+ { "usercert", required_argument, NULL, 'u' },
+ { "groups", required_argument, NULL, 'g' },
+ { "days", required_argument, NULL, 'D' },
+ { "hours", required_argument, NULL, 'H' },
+ { "startdate", required_argument, NULL, 'S' },
+ { "enddate", required_argument, NULL, 'E' },
+ { "out", required_argument, NULL, 'o' },
#ifdef DEBUG
- { "debug-all", no_argument, NULL, 'A' },
- { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
- { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
- { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
+ { "debug-all", no_argument, NULL, 'A' },
+ { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
+ { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
+ { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
#endif
- { 0,0,0,0 }
- };
+ { 0,0,0,0 }
+ };
- int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:", long_opts, NULL);
-
- /* Note: "breaking" from case terminates loop */
- switch (c)
- {
- case EOF: /* end of flags */
- break;
-
- case 0: /* long option already handled */
- continue;
-
- case ':': /* diagnostic already printed by getopt_long */
- case '?': /* diagnostic already printed by getopt_long */
- usage(NULL);
- break; /* not actually reached */
-
- case 'h': /* --help */
- usage(NULL);
- break; /* not actually reached */
-
- case 'v': /* --version */
- printf("%s\n", openac_version);
- exit(0);
- break; /* not actually reached */
-
- case '+': /* --optionsfrom <filename> */
- {
- char path[BUF_LEN];
-
- if (*optarg == '/') /* absolute pathname */
- strncpy(path, optarg, BUF_LEN);
- else /* relative pathname */
- snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
- optionsfrom(path, &argc, &argv, optind, stderr);
- /* does not return on error */
- }
- continue;
-
- case 'q': /* --quiet */
- log_to_stderr = TRUE;
- continue;
-
- case 'c': /* --cert */
- certfile = optarg;
- continue;
-
- case 'k': /* --key */
- keyfile = optarg;
- continue;
-
- case 'p': /* --key */
- pass.prompt = FALSE;
- strncpy(pass.secret, optarg, sizeof(pass.secret));
- continue;
-
- case 'u': /* --usercert */
- usercertfile = optarg;
- continue;
-
- case 'g': /* --groups */
- decode_groups(optarg, &groups);
- continue;
-
- case 'D': /* --days */
- if (optarg == NULL || !isdigit(optarg[0]))
- usage("missing number of days");
- {
- char *endptr;
- long days = strtol(optarg, &endptr, 0);
-
- if (*endptr != '\0' || endptr == optarg
- || days <= 0)
- usage("<days> must be a positive number");
- validity += 24*3600*days;
- }
- continue;
-
- case 'H': /* --hours */
- if (optarg == NULL || !isdigit(optarg[0]))
- usage("missing number of hours");
- {
- char *endptr;
- long hours = strtol(optarg, &endptr, 0);
-
- if (*endptr != '\0' || endptr == optarg
- || hours <= 0)
- usage("<hours> must be a positive number");
- validity += 3600*hours;
- }
- continue;
-
- case 'S': /* --startdate */
- if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
- usage("date format must be YYYYMMDDHHMMSSZ");
- {
- chunk_t date = { optarg, 15 };
- notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
- }
- continue;
-
- case 'E': /* --enddate */
- if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
- usage("date format must be YYYYMMDDHHMMSSZ");
- {
- chunk_t date = { optarg, 15 };
- notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
- }
- continue;
-
- case 'o': /* --outt */
- outfile = optarg;
- continue ;
+ int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:", long_opts, NULL);
+
+ /* Note: "breaking" from case terminates loop */
+ switch (c)
+ {
+ case EOF: /* end of flags */
+ break;
+
+ case 0: /* long option already handled */
+ continue;
+
+ case ':': /* diagnostic already printed by getopt_long */
+ case '?': /* diagnostic already printed by getopt_long */
+ usage(NULL);
+ break; /* not actually reached */
+
+ case 'h': /* --help */
+ usage(NULL);
+ break; /* not actually reached */
+
+ case 'v': /* --version */
+ printf("%s\n", openac_version);
+ exit(0);
+ break; /* not actually reached */
+
+ case '+': /* --optionsfrom <filename> */
+ {
+ char path[BUF_LEN];
+
+ if (*optarg == '/') /* absolute pathname */
+ strncpy(path, optarg, BUF_LEN);
+ else /* relative pathname */
+ snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
+ optionsfrom(path, &argc, &argv, optind, stderr);
+ /* does not return on error */
+ }
+ continue;
+
+ case 'q': /* --quiet */
+ log_to_stderr = TRUE;
+ continue;
+
+ case 'c': /* --cert */
+ certfile = optarg;
+ continue;
+
+ case 'k': /* --key */
+ keyfile = optarg;
+ continue;
+
+ case 'p': /* --key */
+ pass.prompt = FALSE;
+ strncpy(pass.secret, optarg, sizeof(pass.secret));
+ continue;
+
+ case 'u': /* --usercert */
+ usercertfile = optarg;
+ continue;
+
+ case 'g': /* --groups */
+ decode_groups(optarg, &groups);
+ continue;
+
+ case 'D': /* --days */
+ if (optarg == NULL || !isdigit(optarg[0]))
+ usage("missing number of days");
+ {
+ char *endptr;
+ long days = strtol(optarg, &endptr, 0);
+
+ if (*endptr != '\0' || endptr == optarg || days <= 0)
+ usage("<days> must be a positive number");
+ validity += 24*3600*days;
+ }
+ continue;
+
+ case 'H': /* --hours */
+ if (optarg == NULL || !isdigit(optarg[0]))
+ usage("missing number of hours");
+ {
+ char *endptr;
+ long hours = strtol(optarg, &endptr, 0);
+
+ if (*endptr != '\0' || endptr == optarg || hours <= 0)
+ usage("<hours> must be a positive number");
+ validity += 3600*hours;
+ }
+ continue;
+
+ case 'S': /* --startdate */
+ if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
+ usage("date format must be YYYYMMDDHHMMSSZ");
+ {
+ chunk_t date = { optarg, 15 };
+ notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
+ }
+ continue;
+
+ case 'E': /* --enddate */
+ if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
+ usage("date format must be YYYYMMDDHHMMSSZ");
+ {
+ chunk_t date = { optarg, 15 };
+ notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
+ }
+ continue;
+
+ case 'o': /* --outt */
+ outfile = optarg;
+ continue;
#ifdef DEBUG
- case 'A': /* --debug-all */
- base_debugging = DBG_ALL;
- continue;
+ case 'A': /* --debug-all */
+ base_debugging = DBG_ALL;
+ continue;
#endif
- default:
+ default:
#ifdef DEBUG
- if (c >= DBG_OFFSET)
- {
- base_debugging |= c - DBG_OFFSET;
- continue;
- }
+ if (c >= DBG_OFFSET)
+ {
+ base_debugging |= c - DBG_OFFSET;
+ continue;
+ }
#undef DBG_OFFSET
#endif
- bad_case(c);
+ bad_case(c);
+ }
+ break;
}
- break;
- }
- init_log("openac");
- cur_debugging = base_debugging;
+ init_log("openac");
+ cur_debugging = base_debugging;
- if (optind != argc)
- usage("unexpected argument");
+ if (optind != argc)
+ usage("unexpected argument");
- /* load the signer's RSA private key */
- if (keyfile != NULL)
- {
- err_t ugh = NULL;
+ /* load the signer's RSA private key */
+ if (keyfile != NULL)
+ {
+ err_t ugh = NULL;
+
+ signerkey = alloc_thing(RSA_private_key_t, "RSA private key");
+ ugh = load_rsa_private_key(keyfile, &pass, signerkey);
+
+ if (ugh != NULL)
+ {
+ free_RSA_private_content(signerkey);
+ pfree(signerkey);
+ plog("%s", ugh);
+ exit(1);
+ }
+ }
- signerkey = alloc_thing(RSA_private_key_t, "RSA private key");
- ugh = load_rsa_private_key(keyfile, &pass, signerkey);
+ /* load the signer's X.509 certificate */
+ if (certfile != NULL)
+ {
+ if (!load_cert(certfile, "signer cert", &signercert))
+ exit(1);
+ signer = signercert.u.x509;
+ }
- if (ugh != NULL)
+ /* load the users's X.509 certificate */
+ if (usercertfile != NULL)
{
- free_RSA_private_content(signerkey);
- pfree(signerkey);
- plog("%s", ugh);
- exit(1);
+ if (!load_cert(usercertfile, "user cert", &usercert))
+ exit(1);
+ user = usercert.u.x509;
}
- }
-
- /* load the signer's X.509 certificate */
- if (certfile != NULL)
- {
- if (!load_cert(certfile, "signer cert", &signercert))
- exit(1);
- signer = signercert.u.x509;
- }
-
- /* load the users's X.509 certificate */
- if (usercertfile != NULL)
- {
- if (!load_cert(usercertfile, "user cert", &usercert))
- exit(1);
- user = usercert.u.x509;
- }
-
- /* compute validity interval */
- validity = (validity)? validity : default_validity;
- notBefore = (notBefore) ? notBefore : time(NULL);
- notAfter = (notAfter) ? notAfter : notBefore + validity;
-
- /* build and parse attribute certificate */
- if (user != NULL && signer != NULL && signerkey != NULL)
- {
- /* read the serial number and increment it by one */
- serial = read_serial();
-
- attr_cert = build_attr_cert();
- ac = alloc_thing(x509acert_t, "x509acert");
- *ac = empty_ac;
- parse_ac(attr_cert, ac);
+
+ /* compute validity interval */
+ validity = (validity)? validity : default_validity;
+ notBefore = (notBefore) ? notBefore : time(NULL);
+ notAfter = (notAfter) ? notAfter : notBefore + validity;
+
+ /* build and parse attribute certificate */
+ if (user != NULL && signer != NULL && signerkey != NULL)
+ {
+ /* read the serial number and increment it by one */
+ serial = read_serial();
+
+ attr_cert = build_attr_cert();
+ ac = alloc_thing(x509acert_t, "x509acert");
+ *ac = empty_ac;
+ parse_ac(attr_cert, ac);
- /* write the attribute certificate to file */
- if (write_chunk(outfile, "attribute cert", attr_cert, 0022, TRUE))
- write_serial(serial);
- }
-
- /* delete all dynamic objects */
- if (signerkey != NULL)
- {
- free_RSA_private_content(signerkey);
- pfree(signerkey);
- }
- free_x509cert(signercert.u.x509);
- free_x509cert(usercert.u.x509);
- free_ietfAttrList(groups);
- free_acert(ac);
- pfree(serial.ptr);
+ /* write the attribute certificate to file */
+ if (write_chunk(outfile, "attribute cert", attr_cert, 0022, TRUE))
+ write_serial(serial);
+ }
+
+ /* delete all dynamic objects */
+ if (signerkey != NULL)
+ {
+ free_RSA_private_content(signerkey);
+ pfree(signerkey);
+ }
+ free_x509cert(signercert.u.x509);
+ free_x509cert(usercert.u.x509);
+ free_ietfAttrList(groups);
+ free_acert(ac);
+ pfree(serial.ptr);
#ifdef LEAK_DETECTIVE
- report_leaks();
+ report_leaks();
#endif /* LEAK_DETECTIVE */
- close_log();
- exit(0);
+ close_log();
+ exit(0);
}
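Review bot: The `--quiet` handler sets `log_to_stderr = TRUE;`, the same value already assigned before the option loop, so the option has no effect; it looks like it should be `log_to_stderr = FALSE;`. The `strncpy(pass.secret, optarg, sizeof(pass.secret));` in the `-p` case does not guarantee NUL termination for a maximal-length password, so add `pass.secret[sizeof(pass.secret) - 1] = '\0';` after it. The optstring `"hv+:qc:k:p;u:g:D:H:S:E:o:"` has `p;` where `p:` is presumably intended, which only works today because the long option supplies required_argument, and the comments `/* --key */` on the `p` case and `/* --outt */` on the `o` case are wrong.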
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index b1b848c76..7dd5f422b 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -64,12 +64,12 @@ xauth.c xauth.h \
x509.c x509.h \
alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \
alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \
-linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \
rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
_pluto_adns_SOURCES = adns.c adns.h
INCLUDES = \
+-I${linuxdir} \
-I$(top_srcdir)/src/libfreeswan \
-I$(top_srcdir)/src/libcrypto \
-I$(top_srcdir)/src/whack
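Review bot: The new include line uses `${linuxdir}` while every neighbouring line uses `$(...)`; both expand the same way in make, but the mixed spelling reads as a typo, so `-I$(linuxdir) \` would match the file. The same line appears in the generated src/pluto/Makefile.in.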
@@ -137,4 +137,5 @@ install-exec-local :
mkdir -p -m 755 $(confdir)/ipsec.d/crls
mkdir -p -m 755 $(confdir)/ipsec.d/reqs
mkdir -p -m 700 $(confdir)/ipsec.d/private
+ chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d
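Review bot: `chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d` runs on every install and recursively re-owns whatever already lives under ipsec.d, including the mode-700 private directory and any keys an administrator placed there, and if `ipsecuid`/`ipsecgid` expand to nothing the command becomes `chown -R :`. Guard it so it only runs when the variables are set, e.g. `test -z "$(ipsecuid)" || chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d`, and consider leaving pre-existing content alone or at least noting the re-ownership in the install documentation. The same line is added to the generated src/pluto/Makefile.in.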
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 1f996a065..e164717a9 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -164,6 +164,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -176,6 +177,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -186,8 +188,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -209,6 +215,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -218,6 +225,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -231,9 +240,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -248,6 +261,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
pluto_SOURCES = \
ac.c ac.h \
alg_info.c alg_info.h \
@@ -308,11 +323,11 @@ xauth.c xauth.h \
x509.c x509.h \
alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \
alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \
-linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \
rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
_pluto_adns_SOURCES = adns.c adns.h
INCLUDES = \
+-I${linuxdir} \
-I$(top_srcdir)/src/libfreeswan \
-I$(top_srcdir)/src/libcrypto \
-I$(top_srcdir)/src/whack
@@ -873,6 +888,7 @@ install-exec-local :
mkdir -p -m 755 $(confdir)/ipsec.d/crls
mkdir -p -m 755 $(confdir)/ipsec.d/reqs
mkdir -p -m 700 $(confdir)/ipsec.d/private
+ chown -R $(ipsecuid):$(ipsecgid) $(confdir)/ipsec.d
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 05e8d1402..dc8932769 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -121,6 +121,7 @@ const x509crl_t empty_x509crl = {
/* extnValue */
{ NULL, 0 } , /* authKeyID */
{ NULL, 0 } , /* authKeySerialNumber */
+ { NULL, 0 } , /* crlNumber */
OID_UNKNOWN , /* algorithm */
{ NULL, 0 } /* signature */
};
@@ -491,6 +492,12 @@ parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl)
parse_authorityKeyIdentifier(object, level
, &crl->authKeyID, &crl->authKeySerialNumber);
}
+ else if (extn_oid == OID_CRL_NUMBER)
+ {
+ if (!parse_asn1_simple_object(&object, ASN1_INTEGER, level, "crlNumber"))
+ return FALSE;
+ crl->crlNumber = object;
+ }
}
break;
case CRL_OBJ_ALGORITHM:
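Review bot: The parsed CRL number is only stored here (and printed in list_crls); nothing visible compares it with the number of the CRL already installed for the same issuer, so an older CRL could still replace a newer one if the update path keys on fetch time alone. RFC 5280 §5.2.3 makes the CRL number monotonically increasing, which is exactly what a newer-than-installed check needs; whether such a check exists elsewhere cannot be told from this hunk. Two smaller points on the new branch: a second CRL Number extension in the same CRL silently overwrites the first `object`, and the integer is not bounded to the 20 octets the RFC allows. `crl->crlNumber = object;` presumably aliases the parsed blob rather than copying it, so a comment such as `/* CRLNumber (RFC 5280 5.2.3); aliases the blob, freed with it */` plus confirmation that whatever releases an x509crl_t treats it like authKeyID would document the assumption. parse_x509crl starts and ends outside the hunk.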
@@ -735,7 +742,12 @@ list_crls(bool utc, bool strict)
timetoa(&crl->installed, utc), revoked);
dntoa(buf, BUF_LEN, crl->issuer);
whack_log(RC_COMMENT, " issuer: '%s'", buf);
-
+ if (crl->crlNumber.ptr != NULL)
+ {
+ datatot(crl->crlNumber.ptr, crl->crlNumber.len, ':'
+ , buf, BUF_LEN);
+ whack_log(RC_COMMENT, " crlnumber: %s", buf);
+ }
list_distribution_points(crl->distributionPoints);
whack_log(RC_COMMENT, " updates: this %s",
diff --git a/src/pluto/crl.h b/src/pluto/crl.h
index 9f985b6cd..328539770 100644
--- a/src/pluto/crl.h
+++ b/src/pluto/crl.h
@@ -52,6 +52,7 @@ struct x509crl {
/* extnValue */
chunk_t authKeyID;
chunk_t authKeySerialNumber;
+ chunk_t crlNumber;
/* signatureAlgorithm */
int algorithm;
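Review bot: The new `crlNumber` field carries no comment, and from this hunk one cannot tell whether it owns its bytes or aliases the parsed blob, which decides whether the function that releases an x509crl_t must touch it. Suggest `chunk_t crlNumber; /* CRLNumber extension, RFC 5280 5.2.3 */` with a note on ownership once confirmed against crl.c. The struct definition continues outside the hunk.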
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index e3e56d3a8..8f48152f6 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -32,6 +32,9 @@
#include <freeswan.h>
#ifdef LIBLDAP
+#ifndef LDAP_DEPRECATED
+#define LDAP_DEPRECATED 1
+#endif
#include <ldap.h>
#endif
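Review bot: Defining `LDAP_DEPRECATED` before `<ldap.h>` re-exposes OpenLDAP's deprecated calls instead of moving the LDAP fetch code to the supported API, and the hunk does not say why. A comment such as `/* OpenLDAP >= 2.3 hides ldap_init()/ldap_simple_bind_s() unless LDAP_DEPRECATED is set; TODO migrate to ldap_initialize()/ldap_sasl_bind_s() */` would record the debt; which deprecated functions fetch.c actually uses is not visible here, so adjust the names to match. The file's include list continues outside the hunk.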
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index 1947ddbac..9b9d7b9ed 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -24,10 +24,10 @@
#include <sys/types.h>
#include <sys/queue.h>
#include <unistd.h>
+#include <linux/xfrm.h>
+#include <linux/rtnetlink.h>
#include "kameipsec.h"
-#include "linux26/rtnetlink.h"
-#include "linux26/xfrm.h"
#include <freeswan.h>
#include <pfkeyv2.h>
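Review bot: With the bundled linux26/ copies deleted, the struct layouts and XFRMA_*/XFRM_MSG_* values now come from whatever `<linux/xfrm.h>` and `<linux/rtnetlink.h>` ${linuxdir} resolves to, and nothing in this hunk pins the minimum header version the netlink code was written against (the removed xfrm.h stopped at `XFRMA_TMPL` and `XFRM_MSG_POLEXPIRE`). A short comment above the two includes naming the required kernel header version, or a configure-time check that the needed symbols exist, would turn a mismatch into a build failure rather than a runtime one. Including `<linux/xfrm.h>` ahead of `"kameipsec.h"` and `<freeswan.h>` may also matter if those headers define overlapping types; confirm the order was chosen deliberately.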
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index eed81230f..1efe85228 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -647,7 +647,7 @@ xauth_get_secret(xauth_t *xauth_secret)
* find a matching secret
*/
static bool
-xauth_verify_secret(const xauth_t *xauth_secret)
+xauth_verify_secret(const char *conn_name, const xauth_t *xauth_secret)
{
bool found = FALSE;
secret_t *s;
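Review bot: The new `conn_name` parameter of xauth_verify_secret is not described by the comment just above it, which still says only "find a matching secret"; a line such as `* conn_name: connection the XAUTH request belongs to (presumably used to select per-connection secrets)` would explain it, with the parenthetical corrected once the body confirms how it is used. The body, and therefore what happens when `conn_name` is NULL, lies outside the hunk. The caller in modecfg.c now passes `st->st_connection->name`, so the function pointer type behind `xauth_module.verify_secret` must have changed to match, which this diff does not show. xauth_verify_secret's body continues outside the hunk.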
diff --git a/src/pluto/linux26/netlink.h b/src/pluto/linux26/netlink.h
deleted file mode 100644
index 6b0896da6..000000000
--- a/src/pluto/linux26/netlink.h
+++ /dev/null
@@ -1,90 +0,0 @@
-#ifndef __LINUX_NETLINK_H
-#define __LINUX_NETLINK_H
-
-#include <stdint.h>
-#include <sys/socket.h> /* for sa_family_t */
-
-#define NETLINK_ROUTE 0 /* Routing/device hook */
-#define NETLINK_SKIP 1 /* Reserved for ENskip */
-#define NETLINK_USERSOCK 2 /* Reserved for user mode socket protocols */
-#define NETLINK_FIREWALL 3 /* Firewalling hook */
-#define NETLINK_TCPDIAG 4 /* TCP socket monitoring */
-#define NETLINK_NFLOG 5 /* netfilter/iptables ULOG */
-#define NETLINK_XFRM 6 /* ipsec */
-#define NETLINK_ARPD 8
-#define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */
-#define NETLINK_IP6_FW 13
-#define NETLINK_DNRTMSG 14 /* DECnet routing messages */
-#define NETLINK_TAPBASE 16 /* 16 to 31 are ethertap */
-
-#define MAX_LINKS 32
-
-struct sockaddr_nl
-{
- sa_family_t nl_family; /* AF_NETLINK */
- unsigned short nl_pad; /* zero */
- uint32_t nl_pid; /* process pid */
- uint32_t nl_groups; /* multicast groups mask */
-};
-
-struct nlmsghdr
-{
- uint32_t nlmsg_len; /* Length of message including header */
- uint16_t nlmsg_type; /* Message content */
- uint16_t nlmsg_flags; /* Additional flags */
- uint32_t nlmsg_seq; /* Sequence number */
- uint32_t nlmsg_pid; /* Sending process PID */
-};
-
-/* Flags values */
-
-#define NLM_F_REQUEST 1 /* It is request message. */
-#define NLM_F_MULTI 2 /* Multipart message, terminated by NLMSG_DONE */
-#define NLM_F_ACK 4 /* Reply with ack, with zero or error code */
-#define NLM_F_ECHO 8 /* Echo this request */
-
-/* Modifiers to GET request */
-#define NLM_F_ROOT 0x100 /* specify tree root */
-#define NLM_F_MATCH 0x200 /* return all matching */
-#define NLM_F_ATOMIC 0x400 /* atomic GET */
-#define NLM_F_DUMP (NLM_F_ROOT|NLM_F_MATCH)
-
-/* Modifiers to NEW request */
-#define NLM_F_REPLACE 0x100 /* Override existing */
-#define NLM_F_EXCL 0x200 /* Do not touch, if it exists */
-#define NLM_F_CREATE 0x400 /* Create, if it does not exist */
-#define NLM_F_APPEND 0x800 /* Add to end of list */
-
-/*
- 4.4BSD ADD NLM_F_CREATE|NLM_F_EXCL
- 4.4BSD CHANGE NLM_F_REPLACE
-
- True CHANGE NLM_F_CREATE|NLM_F_REPLACE
- Append NLM_F_CREATE
- Check NLM_F_EXCL
- */
-
-#define NLMSG_ALIGNTO 4
-#define NLMSG_ALIGN(len) ( ((len)+NLMSG_ALIGNTO-1) & ~(NLMSG_ALIGNTO-1) )
-#define NLMSG_LENGTH(len) ((len)+NLMSG_ALIGN(sizeof(struct nlmsghdr)))
-#define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len))
-#define NLMSG_DATA(nlh) ((void*)(((char*)nlh) + NLMSG_LENGTH(0)))
-#define NLMSG_NEXT(nlh,len) ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \
- (struct nlmsghdr*)(((char*)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len)))
-#define NLMSG_OK(nlh,len) ((len) > 0 && (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \
- (nlh)->nlmsg_len <= (len))
-#define NLMSG_PAYLOAD(nlh,len) ((nlh)->nlmsg_len - NLMSG_SPACE((len)))
-
-#define NLMSG_NOOP 0x1 /* Nothing. */
-#define NLMSG_ERROR 0x2 /* Error */
-#define NLMSG_DONE 0x3 /* End of a dump */
-#define NLMSG_OVERRUN 0x4 /* Data lost */
-
-struct nlmsgerr
-{
- int error;
- struct nlmsghdr msg;
-};
-
-#define NET_MAJOR 36 /* Major 36 is reserved for networking */
-#endif /* __LINUX_NETLINK_H */
diff --git a/src/pluto/linux26/rtnetlink.h b/src/pluto/linux26/rtnetlink.h
deleted file mode 100644
index 341bc1f86..000000000
--- a/src/pluto/linux26/rtnetlink.h
+++ /dev/null
@@ -1,562 +0,0 @@
-#ifndef __LINUX_RTNETLINK_H
-#define __LINUX_RTNETLINK_H
-
-#include "netlink.h"
-#include <stdint.h>
-
-#define RTNL_DEBUG 1
-
-
-/****
- * Routing/neighbour discovery messages.
- ****/
-
-/* Types of messages */
-
-#define RTM_BASE 0x10
-
-#define RTM_NEWLINK (RTM_BASE+0)
-#define RTM_DELLINK (RTM_BASE+1)
-#define RTM_GETLINK (RTM_BASE+2)
-#define RTM_SETLINK (RTM_BASE+3)
-
-#define RTM_NEWADDR (RTM_BASE+4)
-#define RTM_DELADDR (RTM_BASE+5)
-#define RTM_GETADDR (RTM_BASE+6)
-
-#define RTM_NEWROUTE (RTM_BASE+8)
-#define RTM_DELROUTE (RTM_BASE+9)
-#define RTM_GETROUTE (RTM_BASE+10)
-
-#define RTM_NEWNEIGH (RTM_BASE+12)
-#define RTM_DELNEIGH (RTM_BASE+13)
-#define RTM_GETNEIGH (RTM_BASE+14)
-
-#define RTM_NEWRULE (RTM_BASE+16)
-#define RTM_DELRULE (RTM_BASE+17)
-#define RTM_GETRULE (RTM_BASE+18)
-
-#define RTM_NEWQDISC (RTM_BASE+20)
-#define RTM_DELQDISC (RTM_BASE+21)
-#define RTM_GETQDISC (RTM_BASE+22)
-
-#define RTM_NEWTCLASS (RTM_BASE+24)
-#define RTM_DELTCLASS (RTM_BASE+25)
-#define RTM_GETTCLASS (RTM_BASE+26)
-
-#define RTM_NEWTFILTER (RTM_BASE+28)
-#define RTM_DELTFILTER (RTM_BASE+29)
-#define RTM_GETTFILTER (RTM_BASE+30)
-
-#define RTM_MAX (RTM_BASE+31)
-
-/*
- Generic structure for encapsulation optional route information.
- It is reminiscent of sockaddr, but with sa_family replaced
- with attribute type.
- */
-
-struct rtattr
-{
- unsigned short rta_len;
- unsigned short rta_type;
-};
-
-/* Macros to handle rtattributes */
-
-#define RTA_ALIGNTO 4
-#define RTA_ALIGN(len) ( ((len)+RTA_ALIGNTO-1) & ~(RTA_ALIGNTO-1) )
-#define RTA_OK(rta,len) ((len) > 0 && (rta)->rta_len >= sizeof(struct rtattr) && \
- (rta)->rta_len <= (len))
-#define RTA_NEXT(rta,attrlen) ((attrlen) -= RTA_ALIGN((rta)->rta_len), \
- (struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
-#define RTA_LENGTH(len) (RTA_ALIGN(sizeof(struct rtattr)) + (len))
-#define RTA_SPACE(len) RTA_ALIGN(RTA_LENGTH(len))
-#define RTA_DATA(rta) ((void*)(((char*)(rta)) + RTA_LENGTH(0)))
-#define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0))
-
-
-
-
-/******************************************************************************
- * Definitions used in routing table administation.
- ****/
-
-struct rtmsg
-{
- unsigned char rtm_family;
- unsigned char rtm_dst_len;
- unsigned char rtm_src_len;
- unsigned char rtm_tos;
-
- unsigned char rtm_table; /* Routing table id */
- unsigned char rtm_protocol; /* Routing protocol; see below */
- unsigned char rtm_scope; /* See below */
- unsigned char rtm_type; /* See below */
-
- unsigned rtm_flags;
-};
-
-/* rtm_type */
-
-enum
-{
- RTN_UNSPEC,
- RTN_UNICAST, /* Gateway or direct route */
- RTN_LOCAL, /* Accept locally */
- RTN_BROADCAST, /* Accept locally as broadcast,
- send as broadcast */
- RTN_ANYCAST, /* Accept locally as broadcast,
- but send as unicast */
- RTN_MULTICAST, /* Multicast route */
- RTN_BLACKHOLE, /* Drop */
- RTN_UNREACHABLE, /* Destination is unreachable */
- RTN_PROHIBIT, /* Administratively prohibited */
- RTN_THROW, /* Not in this table */
- RTN_NAT, /* Translate this address */
- RTN_XRESOLVE, /* Use external resolver */
-};
-
-#define RTN_MAX RTN_XRESOLVE
-
-
-/* rtm_protocol */
-
-#define RTPROT_UNSPEC 0
-#define RTPROT_REDIRECT 1 /* Route installed by ICMP redirects;
- not used by current IPv4 */
-#define RTPROT_KERNEL 2 /* Route installed by kernel */
-#define RTPROT_BOOT 3 /* Route installed during boot */
-#define RTPROT_STATIC 4 /* Route installed by administrator */
-
-/* Values of protocol >= RTPROT_STATIC are not interpreted by kernel;
- they just passed from user and back as is.
- It will be used by hypothetical multiple routing daemons.
- Note that protocol values should be standardized in order to
- avoid conflicts.
- */
-
-#define RTPROT_GATED 8 /* Apparently, GateD */
-#define RTPROT_RA 9 /* RDISC/ND router advertisments */
-#define RTPROT_MRT 10 /* Merit MRT */
-#define RTPROT_ZEBRA 11 /* Zebra */
-#define RTPROT_BIRD 12 /* BIRD */
-#define RTPROT_DNROUTED 13 /* DECnet routing daemon */
-
-/* rtm_scope
-
- Really it is not scope, but sort of distance to the destination.
- NOWHERE are reserved for not existing destinations, HOST is our
- local addresses, LINK are destinations, located on directly attached
- link and UNIVERSE is everywhere in the Universe.
-
- Intermediate values are also possible f.e. interior routes
- could be assigned a value between UNIVERSE and LINK.
-*/
-
-enum rt_scope_t
-{
- RT_SCOPE_UNIVERSE=0,
-/* User defined values */
- RT_SCOPE_SITE=200,
- RT_SCOPE_LINK=253,
- RT_SCOPE_HOST=254,
- RT_SCOPE_NOWHERE=255
-};
-
-/* rtm_flags */
-
-#define RTM_F_NOTIFY 0x100 /* Notify user of route change */
-#define RTM_F_CLONED 0x200 /* This route is cloned */
-#define RTM_F_EQUALIZE 0x400 /* Multipath equalizer: NI */
-
-/* Reserved table identifiers */
-
-enum rt_class_t
-{
- RT_TABLE_UNSPEC=0,
-/* User defined values */
- RT_TABLE_DEFAULT=253,
- RT_TABLE_MAIN=254,
- RT_TABLE_LOCAL=255
-};
-#define RT_TABLE_MAX RT_TABLE_LOCAL
-
-
-
-/* Routing message attributes */
-
-enum rtattr_type_t
-{
- RTA_UNSPEC,
- RTA_DST,
- RTA_SRC,
- RTA_IIF,
- RTA_OIF,
- RTA_GATEWAY,
- RTA_PRIORITY,
- RTA_PREFSRC,
- RTA_METRICS,
- RTA_MULTIPATH,
- RTA_PROTOINFO,
- RTA_FLOW,
- RTA_CACHEINFO,
- RTA_SESSION,
-};
-
-#define RTA_MAX RTA_SESSION
-
-#define RTM_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct rtmsg))))
-#define RTM_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct rtmsg))
-
-/* RTM_MULTIPATH --- array of struct rtnexthop.
- *
- * "struct rtnexthop" describres all necessary nexthop information,
- * i.e. parameters of path to a destination via this nextop.
- *
- * At the moment it is impossible to set different prefsrc, mtu, window
- * and rtt for different paths from multipath.
- */
-
-struct rtnexthop
-{
- unsigned short rtnh_len;
- unsigned char rtnh_flags;
- unsigned char rtnh_hops;
- int rtnh_ifindex;
-};
-
-/* rtnh_flags */
-
-#define RTNH_F_DEAD 1 /* Nexthop is dead (used by multipath) */
-#define RTNH_F_PERVASIVE 2 /* Do recursive gateway lookup */
-#define RTNH_F_ONLINK 4 /* Gateway is forced on link */
-
-/* Macros to handle hexthops */
-
-#define RTNH_ALIGNTO 4
-#define RTNH_ALIGN(len) ( ((len)+RTNH_ALIGNTO-1) & ~(RTNH_ALIGNTO-1) )
-#define RTNH_OK(rtnh,len) ((rtnh)->rtnh_len >= sizeof(struct rtnexthop) && \
- ((int)(rtnh)->rtnh_len) <= (len))
-#define RTNH_NEXT(rtnh) ((struct rtnexthop*)(((char*)(rtnh)) + RTNH_ALIGN((rtnh)->rtnh_len)))
-#define RTNH_LENGTH(len) (RTNH_ALIGN(sizeof(struct rtnexthop)) + (len))
-#define RTNH_SPACE(len) RTNH_ALIGN(RTNH_LENGTH(len))
-#define RTNH_DATA(rtnh) ((struct rtattr*)(((char*)(rtnh)) + RTNH_LENGTH(0)))
-
-/* RTM_CACHEINFO */
-
-struct rta_cacheinfo
-{
- uint32_t rta_clntref;
- uint32_t rta_lastuse;
- int32_t rta_expires;
- uint32_t rta_error;
- uint32_t rta_used;
-
-#define RTNETLINK_HAVE_PEERINFO 1
- uint32_t rta_id;
- uint32_t rta_ts;
- uint32_t rta_tsage;
-};
-
-/* RTM_METRICS --- array of struct rtattr with types of RTAX_* */
-
-enum
-{
- RTAX_UNSPEC,
-#define RTAX_UNSPEC RTAX_UNSPEC
- RTAX_LOCK,
-#define RTAX_LOCK RTAX_LOCK
- RTAX_MTU,
-#define RTAX_MTU RTAX_MTU
- RTAX_WINDOW,
-#define RTAX_WINDOW RTAX_WINDOW
- RTAX_RTT,
-#define RTAX_RTT RTAX_RTT
- RTAX_RTTVAR,
-#define RTAX_RTTVAR RTAX_RTTVAR
- RTAX_SSTHRESH,
-#define RTAX_SSTHRESH RTAX_SSTHRESH
- RTAX_CWND,
-#define RTAX_CWND RTAX_CWND
- RTAX_ADVMSS,
-#define RTAX_ADVMSS RTAX_ADVMSS
- RTAX_REORDERING,
-#define RTAX_REORDERING RTAX_REORDERING
-};
-
-#define RTAX_MAX RTAX_REORDERING
-
-struct rta_session
-{
- uint8_t proto;
-
- union {
- struct {
- uint16_t sport;
- uint16_t dport;
- } ports;
-
- struct {
- uint8_t type;
- uint8_t code;
- uint16_t ident;
- } icmpt;
-
- uint32_t spi;
- } u;
-};
-
-
-/*********************************************************
- * Interface address.
- ****/
-
-struct ifaddrmsg
-{
- unsigned char ifa_family;
- unsigned char ifa_prefixlen; /* The prefix length */
- unsigned char ifa_flags; /* Flags */
- unsigned char ifa_scope; /* See above */
- int ifa_index; /* Link index */
-};
-
-enum
-{
- IFA_UNSPEC,
- IFA_ADDRESS,
- IFA_LOCAL,
- IFA_LABEL,
- IFA_BROADCAST,
- IFA_ANYCAST,
- IFA_CACHEINFO
-};
-
-#define IFA_MAX IFA_CACHEINFO
-
-/* ifa_flags */
-
-#define IFA_F_SECONDARY 0x01
-#define IFA_F_TEMPORARY IFA_F_SECONDARY
-
-#define IFA_F_DEPRECATED 0x20
-#define IFA_F_TENTATIVE 0x40
-#define IFA_F_PERMANENT 0x80
-
-struct ifa_cacheinfo
-{
- int32_t ifa_prefered;
- int32_t ifa_valid;
-};
-
-
-#define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg))))
-#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg))
-
-/*
- Important comment:
- IFA_ADDRESS is prefix address, rather than local interface address.
- It makes no difference for normally configured broadcast interfaces,
- but for point-to-point IFA_ADDRESS is DESTINATION address,
- local address is supplied in IFA_LOCAL attribute.
- */
-
-/**************************************************************
- * Neighbour discovery.
- ****/
-
-struct ndmsg
-{
- unsigned char ndm_family;
- unsigned char ndm_pad1;
- unsigned short ndm_pad2;
- int ndm_ifindex; /* Link index */
- uint16_t ndm_state;
- uint8_t ndm_flags;
- uint8_t ndm_type;
-};
-
-enum
-{
- NDA_UNSPEC,
- NDA_DST,
- NDA_LLADDR,
- NDA_CACHEINFO
-};
-
-#define NDA_MAX NDA_CACHEINFO
-
-#define NDA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg))))
-#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg))
-
-/*
- * Neighbor Cache Entry Flags
- */
-
-#define NTF_PROXY 0x08 /* == ATF_PUBL */
-#define NTF_ROUTER 0x80
-
-/*
- * Neighbor Cache Entry States.
- */
-
-#define NUD_INCOMPLETE 0x01
-#define NUD_REACHABLE 0x02
-#define NUD_STALE 0x04
-#define NUD_DELAY 0x08
-#define NUD_PROBE 0x10
-#define NUD_FAILED 0x20
-
-/* Dummy states */
-#define NUD_NOARP 0x40
-#define NUD_PERMANENT 0x80
-#define NUD_NONE 0x00
-
-
-struct nda_cacheinfo
-{
- uint32_t ndm_confirmed;
- uint32_t ndm_used;
- uint32_t ndm_updated;
- uint32_t ndm_refcnt;
-};
-
-/****
- * General form of address family dependent message.
- ****/
-
-struct rtgenmsg
-{
- unsigned char rtgen_family;
-};
-
-/*****************************************************************
- * Link layer specific messages.
- ****/
-
-/* struct ifinfomsg
- * passes link level specific information, not dependent
- * on network protocol.
- */
-
-struct ifinfomsg
-{
- unsigned char ifi_family;
- unsigned char __ifi_pad;
- unsigned short ifi_type; /* ARPHRD_* */
- int ifi_index; /* Link index */
- unsigned ifi_flags; /* IFF_* flags */
- unsigned ifi_change; /* IFF_* change mask */
-};
-
-enum
-{
- IFLA_UNSPEC,
- IFLA_ADDRESS,
- IFLA_BROADCAST,
- IFLA_IFNAME,
- IFLA_MTU,
- IFLA_LINK,
- IFLA_QDISC,
- IFLA_STATS,
- IFLA_COST,
-#define IFLA_COST IFLA_COST
- IFLA_PRIORITY,
-#define IFLA_PRIORITY IFLA_PRIORITY
- IFLA_MASTER,
-#define IFLA_MASTER IFLA_MASTER
- IFLA_WIRELESS, /* Wireless Extension event - see wireless.h */
-#define IFLA_WIRELESS IFLA_WIRELESS
-};
-
-
-#define IFLA_MAX IFLA_WIRELESS
-
-#define IFLA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg))))
-#define IFLA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg))
-
-/* ifi_flags.
-
- IFF_* flags.
-
- The only change is:
- IFF_LOOPBACK, IFF_BROADCAST and IFF_POINTOPOINT are
- more not changeable by user. They describe link media
- characteristics and set by device driver.
-
- Comments:
- - Combination IFF_BROADCAST|IFF_POINTOPOINT is invalid
- - If neiher of these three flags are set;
- the interface is NBMA.
-
- - IFF_MULTICAST does not mean anything special:
- multicasts can be used on all not-NBMA links.
- IFF_MULTICAST means that this media uses special encapsulation
- for multicast frames. Apparently, all IFF_POINTOPOINT and
- IFF_BROADCAST devices are able to use multicasts too.
- */
-
-/* IFLA_LINK.
- For usual devices it is equal ifi_index.
- If it is a "virtual interface" (f.e. tunnel), ifi_link
- can point to real physical interface (f.e. for bandwidth calculations),
- or maybe 0, what means, that real media is unknown (usual
- for IPIP tunnels, when route to endpoint is allowed to change)
- */
-
-/*****************************************************************
- * Traffic control messages.
- ****/
-
-struct tcmsg
-{
- unsigned char tcm_family;
- unsigned char tcm__pad1;
- unsigned short tcm__pad2;
- int tcm_ifindex;
- uint32_t tcm_handle;
- uint32_t tcm_parent;
- uint32_t tcm_info;
-};
-
-enum
-{
- TCA_UNSPEC,
- TCA_KIND,
- TCA_OPTIONS,
- TCA_STATS,
- TCA_XSTATS,
- TCA_RATE,
-};
-
-#define TCA_MAX TCA_RATE
-
-#define TCA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct tcmsg))))
-#define TCA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct tcmsg))
-
-
-/* SUMMARY: maximal rtattr understood by kernel */
-
-#define RTATTR_MAX RTA_MAX
-
-/* RTnetlink multicast groups */
-
-#define RTMGRP_LINK 1
-#define RTMGRP_NOTIFY 2
-#define RTMGRP_NEIGH 4
-#define RTMGRP_TC 8
-
-#define RTMGRP_IPV4_IFADDR 0x10
-#define RTMGRP_IPV4_MROUTE 0x20
-#define RTMGRP_IPV4_ROUTE 0x40
-
-#define RTMGRP_IPV6_IFADDR 0x100
-#define RTMGRP_IPV6_MROUTE 0x200
-#define RTMGRP_IPV6_ROUTE 0x400
-
-#define RTMGRP_DECnet_IFADDR 0x1000
-#define RTMGRP_DECnet_ROUTE 0x4000
-
-/* End of information exported to user level */
-
-#endif /* __LINUX_RTNETLINK_H */
diff --git a/src/pluto/linux26/xfrm.h b/src/pluto/linux26/xfrm.h
deleted file mode 100644
index 4269ae29b..000000000
--- a/src/pluto/linux26/xfrm.h
+++ /dev/null
@@ -1,233 +0,0 @@
-#ifndef _LINUX_XFRM_H
-#define _LINUX_XFRM_H
-
-#include <stdint.h>
-
-/* All of the structures in this file may not change size as they are
- * passed into the kernel from userspace via netlink sockets.
- */
-
-/* Structure to encapsulate addresses. I do not want to use
- * "standard" structure. My apologies.
- */
-typedef union
-{
- uint32_t a4;
- uint32_t a6[4];
-} xfrm_address_t;
-
-/* Ident of a specific xfrm_state. It is used on input to lookup
- * the state by (spi,daddr,ah/esp) or to store information about
- * spi, protocol and tunnel address on output.
- */
-struct xfrm_id
-{
- xfrm_address_t daddr;
- uint32_t spi;
- uint8_t proto;
-};
-
-/* Selector, used as selector both on policy rules (SPD) and SAs. */
-
-struct xfrm_selector
-{
- xfrm_address_t daddr;
- xfrm_address_t saddr;
- uint16_t dport;
- uint16_t dport_mask;
- uint16_t sport;
- uint16_t sport_mask;
- uint16_t family;
- uint8_t prefixlen_d;
- uint8_t prefixlen_s;
- uint8_t proto;
- int ifindex;
- uid_t user;
-};
-
-#define XFRM_INF (~(uint64_t)0)
-
-struct xfrm_lifetime_cfg
-{
- uint64_t soft_byte_limit;
- uint64_t hard_byte_limit;
- uint64_t soft_packet_limit;
- uint64_t hard_packet_limit;
- uint64_t soft_add_expires_seconds;
- uint64_t hard_add_expires_seconds;
- uint64_t soft_use_expires_seconds;
- uint64_t hard_use_expires_seconds;
-};
-
-struct xfrm_lifetime_cur
-{
- uint64_t bytes;
- uint64_t packets;
- uint64_t add_time;
- uint64_t use_time;
-};
-
-struct xfrm_replay_state
-{
- uint32_t oseq;
- uint32_t seq;
- uint32_t bitmap;
-};
-
-struct xfrm_algo {
- char alg_name[64];
- int alg_key_len; /* in bits */
- char alg_key[0];
-};
-
-struct xfrm_stats {
- uint32_t replay_window;
- uint32_t replay;
- uint32_t integrity_failed;
-};
-
-enum
-{
- XFRM_POLICY_IN = 0,
- XFRM_POLICY_OUT = 1,
- XFRM_POLICY_FWD = 2,
- XFRM_POLICY_MAX = 3
-};
-
-enum
-{
- XFRM_SHARE_ANY, /* No limitations */
- XFRM_SHARE_SESSION, /* For this session only */
- XFRM_SHARE_USER, /* For this user only */
- XFRM_SHARE_UNIQUE /* Use once */
-};
-
-/* Netlink configuration messages. */
-#define XFRM_MSG_BASE 0x10
-
-#define XFRM_MSG_NEWSA (XFRM_MSG_BASE + 0)
-#define XFRM_MSG_DELSA (XFRM_MSG_BASE + 1)
-#define XFRM_MSG_GETSA (XFRM_MSG_BASE + 2)
-
-#define XFRM_MSG_NEWPOLICY (XFRM_MSG_BASE + 3)
-#define XFRM_MSG_DELPOLICY (XFRM_MSG_BASE + 4)
-#define XFRM_MSG_GETPOLICY (XFRM_MSG_BASE + 5)
-
-#define XFRM_MSG_ALLOCSPI (XFRM_MSG_BASE + 6)
-#define XFRM_MSG_ACQUIRE (XFRM_MSG_BASE + 7)
-#define XFRM_MSG_EXPIRE (XFRM_MSG_BASE + 8)
-
-#define XFRM_MSG_UPDPOLICY (XFRM_MSG_BASE + 9)
-#define XFRM_MSG_UPDSA (XFRM_MSG_BASE + 10)
-
-#define XFRM_MSG_POLEXPIRE (XFRM_MSG_BASE + 11)
-
-#define XFRM_MSG_MAX (XFRM_MSG_POLEXPIRE+1)
-
-struct xfrm_user_tmpl {
- struct xfrm_id id;
- uint16_t family;
- xfrm_address_t saddr;
- uint32_t reqid;
- uint8_t mode;
- uint8_t share;
- uint8_t optional;
- uint32_t aalgos;
- uint32_t ealgos;
- uint32_t calgos;
-};
-
-struct xfrm_encap_tmpl {
- uint16_t encap_type;
- uint16_t encap_sport;
- uint16_t encap_dport;
- xfrm_address_t encap_oa;
-};
-
-/* Netlink message attributes. */
-enum xfrm_attr_type_t {
- XFRMA_UNSPEC,
- XFRMA_ALG_AUTH, /* struct xfrm_algo */
- XFRMA_ALG_CRYPT, /* struct xfrm_algo */
- XFRMA_ALG_COMP, /* struct xfrm_algo */
- XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */
- XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
-
-#define XFRMA_MAX XFRMA_TMPL
-};
-
-struct xfrm_usersa_info {
- struct xfrm_selector sel;
- struct xfrm_id id;
- xfrm_address_t saddr;
- struct xfrm_lifetime_cfg lft;
- struct xfrm_lifetime_cur curlft;
- struct xfrm_stats stats;
- uint32_t seq;
- uint32_t reqid;
- uint16_t family;
- uint8_t mode; /* 0=transport,1=tunnel */
- uint8_t replay_window;
- uint8_t flags;
-#define XFRM_STATE_NOECN 1
-};
-
-struct xfrm_usersa_id {
- xfrm_address_t daddr;
- uint32_t spi;
- uint16_t family;
- uint8_t proto;
-};
-
-struct xfrm_userspi_info {
- struct xfrm_usersa_info info;
- uint32_t min;
- uint32_t max;
-};
-
-struct xfrm_userpolicy_info {
- struct xfrm_selector sel;
- struct xfrm_lifetime_cfg lft;
- struct xfrm_lifetime_cur curlft;
- uint32_t priority;
- uint32_t index;
- uint8_t dir;
- uint8_t action;
-#define XFRM_POLICY_ALLOW 0
-#define XFRM_POLICY_BLOCK 1
- uint8_t flags;
-#define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
- uint8_t share;
-};
-
-struct xfrm_userpolicy_id {
- struct xfrm_selector sel;
- uint32_t index;
- uint8_t dir;
-};
-
-struct xfrm_user_acquire {
- struct xfrm_id id;
- xfrm_address_t saddr;
- struct xfrm_selector sel;
- struct xfrm_userpolicy_info policy;
- uint32_t aalgos;
- uint32_t ealgos;
- uint32_t calgos;
- uint32_t seq;
-};
-
-struct xfrm_user_expire {
- struct xfrm_usersa_info state;
- uint8_t hard;
-};
-
-struct xfrm_user_polexpire {
- struct xfrm_userpolicy_info pol;
- uint8_t hard;
-};
-
-#define XFRMGRP_ACQUIRE 1
-#define XFRMGRP_EXPIRE 2
-
-#endif /* _LINUX_XFRM_H */
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index ab44a113e..cda6007c7 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -978,7 +978,8 @@ xauth_inR1(struct msg_digest *md)
, ia.xauth_secret.user_password.ptr)
)
/* verify the user credentials using a plugn function */
- st->st_xauth.status = xauth_module.verify_secret(&ia.xauth_secret);
+ st->st_xauth.status = xauth_module.verify_secret(st->st_connection->name
+ , &ia.xauth_secret);
plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
}
diff --git a/src/pluto/oid.c b/src/pluto/oid.c
index 4b0632de2..48df1b7c4 100644
--- a/src/pluto/oid.c
+++ b/src/pluto/oid.c
@@ -28,7 +28,7 @@ const oid_t oid_names[] = {
{ 0x01, 0, 1, "pilotAttributeType" }, /* 15 */
{ 0x01, 17, 0, "UID" }, /* 16 */
{ 0x19, 0, 0, "DC" }, /* 17 */
- {0x55, 51, 1, "X.500" }, /* 18 */
+ {0x55, 52, 1, "X.500" }, /* 18 */
{ 0x04, 36, 1, "X.509" }, /* 19 */
{ 0x03, 21, 0, "CN" }, /* 20 */
{ 0x04, 22, 0, "S" }, /* 21 */
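Review bot: The `next` index of the X.500 row moving from 51 to 52 is a hand-maintained sibling pointer that has to agree with whichever row was inserted further down the table; an off-by-one here silently stops the OID walk at the wrong row, and nothing in the file checks it. A comment on the table header explaining the row layout (presumably `{ octet, next, down, name }`) and a startup assertion that every `next`/`down` index stays below the table length would catch the next renumbering mistake. Whether the inserted row is the CRL Number OID that crl.c now matches cannot be confirmed from this hunk.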
@@ -54,144 +54,145 @@ const oid_t oid_names[] = {
{ 0x11, 42, 0, "subjectAltName" }, /* 41 */
{ 0x12, 43, 0, "issuerAltName" }, /* 42 */
{ 0x13, 44, 0, "basicConstraints" }, /* 43 */
- { 0x15, 45, 0, "reasonCode" }, /* 44 */
- { 0x1F, 46, 0, "crlDistributionPoints" }, /* 45 */
- { 0x20, 47, 0, "certificatePolicies" }, /* 46 */
- { 0x23, 48, 0, "authorityKeyIdentifier" }, /* 47 */
- { 0x25, 49, 0, "extendedKeyUsage" }, /* 48 */
- { 0x37, 50, 0, "targetInformation" }, /* 49 */
- { 0x38, 0, 0, "noRevAvail" }, /* 50 */
- {0x2A, 88, 1, "" }, /* 51 */
- { 0x86, 0, 1, "" }, /* 52 */
- { 0x48, 0, 1, "" }, /* 53 */
- { 0x86, 0, 1, "" }, /* 54 */
- { 0xF7, 0, 1, "" }, /* 55 */
- { 0x0D, 0, 1, "RSADSI" }, /* 56 */
- { 0x01, 83, 1, "PKCS" }, /* 57 */
- { 0x01, 66, 1, "PKCS-1" }, /* 58 */
- { 0x01, 60, 0, "rsaEncryption" }, /* 59 */
- { 0x02, 61, 0, "md2WithRSAEncryption" }, /* 60 */
- { 0x04, 62, 0, "md5WithRSAEncryption" }, /* 61 */
- { 0x05, 63, 0, "sha-1WithRSAEncryption" }, /* 62 */
- { 0x0B, 64, 0, "sha256WithRSAEncryption"}, /* 63 */
- { 0x0C, 65, 0, "sha384WithRSAEncryption"}, /* 64 */
- { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 65 */
- { 0x07, 73, 1, "PKCS-7" }, /* 66 */
- { 0x01, 68, 0, "data" }, /* 67 */
- { 0x02, 69, 0, "signedData" }, /* 68 */
- { 0x03, 70, 0, "envelopedData" }, /* 69 */
- { 0x04, 71, 0, "signedAndEnvelopedData" }, /* 70 */
- { 0x05, 72, 0, "digestedData" }, /* 71 */
- { 0x06, 0, 0, "encryptedData" }, /* 72 */
- { 0x09, 0, 1, "PKCS-9" }, /* 73 */
- { 0x01, 75, 0, "E" }, /* 74 */
- { 0x02, 76, 0, "unstructuredName" }, /* 75 */
- { 0x03, 77, 0, "contentType" }, /* 76 */
- { 0x04, 78, 0, "messageDigest" }, /* 77 */
- { 0x05, 79, 0, "signingTime" }, /* 78 */
- { 0x06, 80, 0, "counterSignature" }, /* 79 */
- { 0x07, 81, 0, "challengePassword" }, /* 80 */
- { 0x08, 82, 0, "unstructuredAddress" }, /* 81 */
- { 0x0E, 0, 0, "extensionRequest" }, /* 82 */
- { 0x02, 86, 1, "digestAlgorithm" }, /* 83 */
- { 0x02, 85, 0, "md2" }, /* 84 */
- { 0x05, 0, 0, "md5" }, /* 85 */
- { 0x03, 0, 1, "encryptionAlgorithm" }, /* 86 */
- { 0x07, 0, 0, "3des-ede-cbc" }, /* 87 */
- {0x2B, 149, 1, "" }, /* 88 */
- { 0x06, 136, 1, "dod" }, /* 89 */
- { 0x01, 0, 1, "internet" }, /* 90 */
- { 0x04, 105, 1, "private" }, /* 91 */
- { 0x01, 0, 1, "enterprise" }, /* 92 */
- { 0x82, 98, 1, "" }, /* 93 */
- { 0x37, 0, 1, "Microsoft" }, /* 94 */
- { 0x0A, 0, 1, "" }, /* 95 */
- { 0x03, 0, 1, "" }, /* 96 */
- { 0x03, 0, 0, "msSGC" }, /* 97 */
- { 0x89, 0, 1, "" }, /* 98 */
- { 0x31, 0, 1, "" }, /* 99 */
- { 0x01, 0, 1, "" }, /* 100 */
- { 0x01, 0, 1, "" }, /* 101 */
- { 0x02, 0, 1, "" }, /* 102 */
- { 0x02, 104, 0, "" }, /* 103 */
- { 0x4B, 0, 0, "TCGID" }, /* 104 */
- { 0x05, 0, 1, "security" }, /* 105 */
- { 0x05, 0, 1, "mechanisms" }, /* 106 */
- { 0x07, 0, 1, "id-pkix" }, /* 107 */
- { 0x01, 110, 1, "id-pe" }, /* 108 */
- { 0x01, 0, 0, "authorityInfoAccess" }, /* 109 */
- { 0x03, 120, 1, "id-kp" }, /* 110 */
- { 0x01, 112, 0, "serverAuth" }, /* 111 */
- { 0x02, 113, 0, "clientAuth" }, /* 112 */
- { 0x03, 114, 0, "codeSigning" }, /* 113 */
- { 0x04, 115, 0, "emailProtection" }, /* 114 */
- { 0x05, 116, 0, "ipsecEndSystem" }, /* 115 */
- { 0x06, 117, 0, "ipsecTunnel" }, /* 116 */
- { 0x07, 118, 0, "ipsecUser" }, /* 117 */
- { 0x08, 119, 0, "timeStamping" }, /* 118 */
- { 0x09, 0, 0, "ocspSigning" }, /* 119 */
- { 0x08, 122, 1, "id-otherNames" }, /* 120 */
- { 0x05, 0, 0, "xmppAddr" }, /* 121 */
- { 0x0A, 127, 1, "id-aca" }, /* 122 */
- { 0x01, 124, 0, "authenticationInfo" }, /* 123 */
- { 0x02, 125, 0, "accessIdentity" }, /* 124 */
- { 0x03, 126, 0, "chargingIdentity" }, /* 125 */
- { 0x04, 0, 0, "group" }, /* 126 */
- { 0x30, 0, 1, "id-ad" }, /* 127 */
- { 0x01, 0, 1, "ocsp" }, /* 128 */
- { 0x01, 130, 0, "basic" }, /* 129 */
- { 0x02, 131, 0, "nonce" }, /* 130 */
- { 0x03, 132, 0, "crl" }, /* 131 */
- { 0x04, 133, 0, "response" }, /* 132 */
- { 0x05, 134, 0, "noCheck" }, /* 133 */
- { 0x06, 135, 0, "archiveCutoff" }, /* 134 */
- { 0x07, 0, 0, "serviceLocator" }, /* 135 */
- { 0x0E, 142, 1, "oiw" }, /* 136 */
- { 0x03, 0, 1, "secsig" }, /* 137 */
- { 0x02, 0, 1, "algorithms" }, /* 138 */
- { 0x07, 140, 0, "des-cbc" }, /* 139 */
- { 0x1A, 141, 0, "sha-1" }, /* 140 */
- { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 141 */
- { 0x24, 0, 1, "TeleTrusT" }, /* 142 */
- { 0x03, 0, 1, "algorithm" }, /* 143 */
- { 0x03, 0, 1, "signatureAlgorithm" }, /* 144 */
- { 0x01, 0, 1, "rsaSignature" }, /* 145 */
- { 0x02, 147, 0, "rsaSigWithripemd160" }, /* 146 */
- { 0x03, 148, 0, "rsaSigWithripemd128" }, /* 147 */
- { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 148 */
- {0x60, 0, 1, "" }, /* 149 */
- { 0x86, 0, 1, "" }, /* 150 */
- { 0x48, 0, 1, "" }, /* 151 */
- { 0x01, 0, 1, "organization" }, /* 152 */
- { 0x65, 160, 1, "gov" }, /* 153 */
- { 0x03, 0, 1, "csor" }, /* 154 */
- { 0x04, 0, 1, "nistalgorithm" }, /* 155 */
- { 0x02, 0, 1, "hashalgs" }, /* 156 */
- { 0x01, 158, 0, "id-SHA-256" }, /* 157 */
- { 0x02, 159, 0, "id-SHA-384" }, /* 158 */
- { 0x03, 0, 0, "id-SHA-512" }, /* 159 */
- { 0x86, 0, 1, "" }, /* 160 */
- { 0xf8, 0, 1, "" }, /* 161 */
- { 0x42, 174, 1, "netscape" }, /* 162 */
- { 0x01, 169, 1, "" }, /* 163 */
- { 0x01, 165, 0, "nsCertType" }, /* 164 */
- { 0x03, 166, 0, "nsRevocationUrl" }, /* 165 */
- { 0x04, 167, 0, "nsCaRevocationUrl" }, /* 166 */
- { 0x08, 168, 0, "nsCaPolicyUrl" }, /* 167 */
- { 0x0d, 0, 0, "nsComment" }, /* 168 */
- { 0x03, 172, 1, "directory" }, /* 169 */
- { 0x01, 0, 1, "" }, /* 170 */
- { 0x03, 0, 0, "employeeNumber" }, /* 171 */
- { 0x04, 0, 1, "policy" }, /* 172 */
- { 0x01, 0, 0, "nsSGC" }, /* 173 */
- { 0x45, 0, 1, "verisign" }, /* 174 */
- { 0x01, 0, 1, "pki" }, /* 175 */
- { 0x09, 0, 1, "attributes" }, /* 176 */
- { 0x02, 178, 0, "messageType" }, /* 177 */
- { 0x03, 179, 0, "pkiStatus" }, /* 178 */
- { 0x04, 180, 0, "failInfo" }, /* 179 */
- { 0x05, 181, 0, "senderNonce" }, /* 180 */
- { 0x06, 182, 0, "recipientNonce" }, /* 181 */
- { 0x07, 183, 0, "transID" }, /* 182 */
- { 0x08, 0, 0, "extensionReq" } /* 183 */
+ { 0x14, 45, 0, "crlNumber" }, /* 44 */
+ { 0x15, 46, 0, "reasonCode" }, /* 45 */
+ { 0x1F, 47, 0, "crlDistributionPoints" }, /* 46 */
+ { 0x20, 48, 0, "certificatePolicies" }, /* 47 */
+ { 0x23, 49, 0, "authorityKeyIdentifier" }, /* 48 */
+ { 0x25, 50, 0, "extendedKeyUsage" }, /* 49 */
+ { 0x37, 51, 0, "targetInformation" }, /* 50 */
+ { 0x38, 0, 0, "noRevAvail" }, /* 51 */
+ {0x2A, 89, 1, "" }, /* 52 */
+ { 0x86, 0, 1, "" }, /* 53 */
+ { 0x48, 0, 1, "" }, /* 54 */
+ { 0x86, 0, 1, "" }, /* 55 */
+ { 0xF7, 0, 1, "" }, /* 56 */
+ { 0x0D, 0, 1, "RSADSI" }, /* 57 */
+ { 0x01, 84, 1, "PKCS" }, /* 58 */
+ { 0x01, 67, 1, "PKCS-1" }, /* 59 */
+ { 0x01, 61, 0, "rsaEncryption" }, /* 60 */
+ { 0x02, 62, 0, "md2WithRSAEncryption" }, /* 61 */
+ { 0x04, 63, 0, "md5WithRSAEncryption" }, /* 62 */
+ { 0x05, 64, 0, "sha-1WithRSAEncryption" }, /* 63 */
+ { 0x0B, 65, 0, "sha256WithRSAEncryption"}, /* 64 */
+ { 0x0C, 66, 0, "sha384WithRSAEncryption"}, /* 65 */
+ { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 66 */
+ { 0x07, 74, 1, "PKCS-7" }, /* 67 */
+ { 0x01, 69, 0, "data" }, /* 68 */
+ { 0x02, 70, 0, "signedData" }, /* 69 */
+ { 0x03, 71, 0, "envelopedData" }, /* 70 */
+ { 0x04, 72, 0, "signedAndEnvelopedData" }, /* 71 */
+ { 0x05, 73, 0, "digestedData" }, /* 72 */
+ { 0x06, 0, 0, "encryptedData" }, /* 73 */
+ { 0x09, 0, 1, "PKCS-9" }, /* 74 */
+ { 0x01, 76, 0, "E" }, /* 75 */
+ { 0x02, 77, 0, "unstructuredName" }, /* 76 */
+ { 0x03, 78, 0, "contentType" }, /* 77 */
+ { 0x04, 79, 0, "messageDigest" }, /* 78 */
+ { 0x05, 80, 0, "signingTime" }, /* 79 */
+ { 0x06, 81, 0, "counterSignature" }, /* 80 */
+ { 0x07, 82, 0, "challengePassword" }, /* 81 */
+ { 0x08, 83, 0, "unstructuredAddress" }, /* 82 */
+ { 0x0E, 0, 0, "extensionRequest" }, /* 83 */
+ { 0x02, 87, 1, "digestAlgorithm" }, /* 84 */
+ { 0x02, 86, 0, "md2" }, /* 85 */
+ { 0x05, 0, 0, "md5" }, /* 86 */
+ { 0x03, 0, 1, "encryptionAlgorithm" }, /* 87 */
+ { 0x07, 0, 0, "3des-ede-cbc" }, /* 88 */
+ {0x2B, 150, 1, "" }, /* 89 */
+ { 0x06, 137, 1, "dod" }, /* 90 */
+ { 0x01, 0, 1, "internet" }, /* 91 */
+ { 0x04, 106, 1, "private" }, /* 92 */
+ { 0x01, 0, 1, "enterprise" }, /* 93 */
+ { 0x82, 99, 1, "" }, /* 94 */
+ { 0x37, 0, 1, "Microsoft" }, /* 95 */
+ { 0x0A, 0, 1, "" }, /* 96 */
+ { 0x03, 0, 1, "" }, /* 97 */
+ { 0x03, 0, 0, "msSGC" }, /* 98 */
+ { 0x89, 0, 1, "" }, /* 99 */
+ { 0x31, 0, 1, "" }, /* 100 */
+ { 0x01, 0, 1, "" }, /* 101 */
+ { 0x01, 0, 1, "" }, /* 102 */
+ { 0x02, 0, 1, "" }, /* 103 */
+ { 0x02, 105, 0, "" }, /* 104 */
+ { 0x4B, 0, 0, "TCGID" }, /* 105 */
+ { 0x05, 0, 1, "security" }, /* 106 */
+ { 0x05, 0, 1, "mechanisms" }, /* 107 */
+ { 0x07, 0, 1, "id-pkix" }, /* 108 */
+ { 0x01, 111, 1, "id-pe" }, /* 109 */
+ { 0x01, 0, 0, "authorityInfoAccess" }, /* 110 */
+ { 0x03, 121, 1, "id-kp" }, /* 111 */
+ { 0x01, 113, 0, "serverAuth" }, /* 112 */
+ { 0x02, 114, 0, "clientAuth" }, /* 113 */
+ { 0x03, 115, 0, "codeSigning" }, /* 114 */
+ { 0x04, 116, 0, "emailProtection" }, /* 115 */
+ { 0x05, 117, 0, "ipsecEndSystem" }, /* 116 */
+ { 0x06, 118, 0, "ipsecTunnel" }, /* 117 */
+ { 0x07, 119, 0, "ipsecUser" }, /* 118 */
+ { 0x08, 120, 0, "timeStamping" }, /* 119 */
+ { 0x09, 0, 0, "ocspSigning" }, /* 120 */
+ { 0x08, 123, 1, "id-otherNames" }, /* 121 */
+ { 0x05, 0, 0, "xmppAddr" }, /* 122 */
+ { 0x0A, 128, 1, "id-aca" }, /* 123 */
+ { 0x01, 125, 0, "authenticationInfo" }, /* 124 */
+ { 0x02, 126, 0, "accessIdentity" }, /* 125 */
+ { 0x03, 127, 0, "chargingIdentity" }, /* 126 */
+ { 0x04, 0, 0, "group" }, /* 127 */
+ { 0x30, 0, 1, "id-ad" }, /* 128 */
+ { 0x01, 0, 1, "ocsp" }, /* 129 */
+ { 0x01, 131, 0, "basic" }, /* 130 */
+ { 0x02, 132, 0, "nonce" }, /* 131 */
+ { 0x03, 133, 0, "crl" }, /* 132 */
+ { 0x04, 134, 0, "response" }, /* 133 */
+ { 0x05, 135, 0, "noCheck" }, /* 134 */
+ { 0x06, 136, 0, "archiveCutoff" }, /* 135 */
+ { 0x07, 0, 0, "serviceLocator" }, /* 136 */
+ { 0x0E, 143, 1, "oiw" }, /* 137 */
+ { 0x03, 0, 1, "secsig" }, /* 138 */
+ { 0x02, 0, 1, "algorithms" }, /* 139 */
+ { 0x07, 141, 0, "des-cbc" }, /* 140 */
+ { 0x1A, 142, 0, "sha-1" }, /* 141 */
+ { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 142 */
+ { 0x24, 0, 1, "TeleTrusT" }, /* 143 */
+ { 0x03, 0, 1, "algorithm" }, /* 144 */
+ { 0x03, 0, 1, "signatureAlgorithm" }, /* 145 */
+ { 0x01, 0, 1, "rsaSignature" }, /* 146 */
+ { 0x02, 148, 0, "rsaSigWithripemd160" }, /* 147 */
+ { 0x03, 149, 0, "rsaSigWithripemd128" }, /* 148 */
+ { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 149 */
+ {0x60, 0, 1, "" }, /* 150 */
+ { 0x86, 0, 1, "" }, /* 151 */
+ { 0x48, 0, 1, "" }, /* 152 */
+ { 0x01, 0, 1, "organization" }, /* 153 */
+ { 0x65, 161, 1, "gov" }, /* 154 */
+ { 0x03, 0, 1, "csor" }, /* 155 */
+ { 0x04, 0, 1, "nistalgorithm" }, /* 156 */
+ { 0x02, 0, 1, "hashalgs" }, /* 157 */
+ { 0x01, 159, 0, "id-SHA-256" }, /* 158 */
+ { 0x02, 160, 0, "id-SHA-384" }, /* 159 */
+ { 0x03, 0, 0, "id-SHA-512" }, /* 160 */
+ { 0x86, 0, 1, "" }, /* 161 */
+ { 0xf8, 0, 1, "" }, /* 162 */
+ { 0x42, 175, 1, "netscape" }, /* 163 */
+ { 0x01, 170, 1, "" }, /* 164 */
+ { 0x01, 166, 0, "nsCertType" }, /* 165 */
+ { 0x03, 167, 0, "nsRevocationUrl" }, /* 166 */
+ { 0x04, 168, 0, "nsCaRevocationUrl" }, /* 167 */
+ { 0x08, 169, 0, "nsCaPolicyUrl" }, /* 168 */
+ { 0x0d, 0, 0, "nsComment" }, /* 169 */
+ { 0x03, 173, 1, "directory" }, /* 170 */
+ { 0x01, 0, 1, "" }, /* 171 */
+ { 0x03, 0, 0, "employeeNumber" }, /* 172 */
+ { 0x04, 0, 1, "policy" }, /* 173 */
+ { 0x01, 0, 0, "nsSGC" }, /* 174 */
+ { 0x45, 0, 1, "verisign" }, /* 175 */
+ { 0x01, 0, 1, "pki" }, /* 176 */
+ { 0x09, 0, 1, "attributes" }, /* 177 */
+ { 0x02, 179, 0, "messageType" }, /* 178 */
+ { 0x03, 180, 0, "pkiStatus" }, /* 179 */
+ { 0x04, 181, 0, "failInfo" }, /* 180 */
+ { 0x05, 182, 0, "senderNonce" }, /* 181 */
+ { 0x06, 183, 0, "recipientNonce" }, /* 182 */
+ { 0x07, 184, 0, "transID" }, /* 183 */
+ { 0x08, 0, 0, "extensionReq" } /* 184 */
};
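Review bot: The child/sibling link numbers in oid_names[] are hand-maintained absolute indices, so inserting a single entry (crlNumber at 44) forces every later link to be renumbered, which is what this hunk does for roughly 140 lines, and one stale number would quietly make an OID resolve to the wrong name (the first hunk's X.500 link moving from 51 to 52 shows how far the ripple reaches). If oid.c and oid.h are produced from oid.txt, a comment at the head of the table naming the generator would discourage hand edits, e.g. `/* generated from oid.txt -- regenerate instead of editing by hand */`; if they are not, a small self-test that walks the table and checks that every non-zero link points forward and stays inside the array would catch off-by-one renumbering. The spot checks possible from the hunk (52→89→150, 58→84, 59→67) are consistent.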
diff --git a/src/pluto/oid.h b/src/pluto/oid.h
index ccdfb2954..869a87eb0 100644
--- a/src/pluto/oid.h
+++ b/src/pluto/oid.h
@@ -19,60 +19,61 @@ extern const oid_t oid_names[];
#define OID_SUBJECT_KEY_ID 38
#define OID_SUBJECT_ALT_NAME 41
#define OID_BASIC_CONSTRAINTS 43
-#define OID_CRL_REASON_CODE 44
-#define OID_CRL_DISTRIBUTION_POINTS 45
-#define OID_AUTHORITY_KEY_ID 47
-#define OID_EXTENDED_KEY_USAGE 48
-#define OID_TARGET_INFORMATION 49
-#define OID_NO_REV_AVAIL 50
-#define OID_RSA_ENCRYPTION 59
-#define OID_MD2_WITH_RSA 60
-#define OID_MD5_WITH_RSA 61
-#define OID_SHA1_WITH_RSA 62
-#define OID_SHA256_WITH_RSA 63
-#define OID_SHA384_WITH_RSA 64
-#define OID_SHA512_WITH_RSA 65
-#define OID_PKCS7_DATA 67
-#define OID_PKCS7_SIGNED_DATA 68
-#define OID_PKCS7_ENVELOPED_DATA 69
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA 70
-#define OID_PKCS7_DIGESTED_DATA 71
-#define OID_PKCS7_ENCRYPTED_DATA 72
-#define OID_PKCS9_EMAIL 74
-#define OID_PKCS9_CONTENT_TYPE 76
-#define OID_PKCS9_MESSAGE_DIGEST 77
-#define OID_PKCS9_SIGNING_TIME 78
-#define OID_MD2 84
-#define OID_MD5 85
-#define OID_3DES_EDE_CBC 87
-#define OID_AUTHORITY_INFO_ACCESS 109
-#define OID_OCSP_SIGNING 119
-#define OID_XMPP_ADDR 121
-#define OID_AUTHENTICATION_INFO 123
-#define OID_ACCESS_IDENTITY 124
-#define OID_CHARGING_IDENTITY 125
-#define OID_GROUP 126
-#define OID_OCSP 128
-#define OID_BASIC 129
-#define OID_NONCE 130
-#define OID_CRL 131
-#define OID_RESPONSE 132
-#define OID_NO_CHECK 133
-#define OID_ARCHIVE_CUTOFF 134
-#define OID_SERVICE_LOCATOR 135
-#define OID_DES_CBC 139
-#define OID_SHA1 140
-#define OID_SHA1_WITH_RSA_OIW 141
-#define OID_SHA256 157
-#define OID_SHA384 158
-#define OID_SHA512 159
-#define OID_NS_REVOCATION_URL 165
-#define OID_NS_CA_REVOCATION_URL 166
-#define OID_NS_CA_POLICY_URL 167
-#define OID_NS_COMMENT 168
-#define OID_PKI_MESSAGE_TYPE 177
-#define OID_PKI_STATUS 178
-#define OID_PKI_FAIL_INFO 179
-#define OID_PKI_SENDER_NONCE 180
-#define OID_PKI_RECIPIENT_NONCE 181
-#define OID_PKI_TRANS_ID 182
+#define OID_CRL_NUMBER 44
+#define OID_CRL_REASON_CODE 45
+#define OID_CRL_DISTRIBUTION_POINTS 46
+#define OID_AUTHORITY_KEY_ID 48
+#define OID_EXTENDED_KEY_USAGE 49
+#define OID_TARGET_INFORMATION 50
+#define OID_NO_REV_AVAIL 51
+#define OID_RSA_ENCRYPTION 60
+#define OID_MD2_WITH_RSA 61
+#define OID_MD5_WITH_RSA 62
+#define OID_SHA1_WITH_RSA 63
+#define OID_SHA256_WITH_RSA 64
+#define OID_SHA384_WITH_RSA 65
+#define OID_SHA512_WITH_RSA 66
+#define OID_PKCS7_DATA 68
+#define OID_PKCS7_SIGNED_DATA 69
+#define OID_PKCS7_ENVELOPED_DATA 70
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 71
+#define OID_PKCS7_DIGESTED_DATA 72
+#define OID_PKCS7_ENCRYPTED_DATA 73
+#define OID_PKCS9_EMAIL 75
+#define OID_PKCS9_CONTENT_TYPE 77
+#define OID_PKCS9_MESSAGE_DIGEST 78
+#define OID_PKCS9_SIGNING_TIME 79
+#define OID_MD2 85
+#define OID_MD5 86
+#define OID_3DES_EDE_CBC 88
+#define OID_AUTHORITY_INFO_ACCESS 110
+#define OID_OCSP_SIGNING 120
+#define OID_XMPP_ADDR 122
+#define OID_AUTHENTICATION_INFO 124
+#define OID_ACCESS_IDENTITY 125
+#define OID_CHARGING_IDENTITY 126
+#define OID_GROUP 127
+#define OID_OCSP 129
+#define OID_BASIC 130
+#define OID_NONCE 131
+#define OID_CRL 132
+#define OID_RESPONSE 133
+#define OID_NO_CHECK 134
+#define OID_ARCHIVE_CUTOFF 135
+#define OID_SERVICE_LOCATOR 136
+#define OID_DES_CBC 140
+#define OID_SHA1 141
+#define OID_SHA1_WITH_RSA_OIW 142
+#define OID_SHA256 158
+#define OID_SHA384 159
+#define OID_SHA512 160
+#define OID_NS_REVOCATION_URL 166
+#define OID_NS_CA_REVOCATION_URL 167
+#define OID_NS_CA_POLICY_URL 168
+#define OID_NS_COMMENT 169
+#define OID_PKI_MESSAGE_TYPE 178
+#define OID_PKI_STATUS 179
+#define OID_PKI_FAIL_INFO 180
+#define OID_PKI_SENDER_NONCE 181
+#define OID_PKI_RECIPIENT_NONCE 182
+#define OID_PKI_TRANS_ID 183
diff --git a/src/pluto/oid.txt b/src/pluto/oid.txt
index e8750024e..2b3c96ae3 100644
--- a/src/pluto/oid.txt
+++ b/src/pluto/oid.txt
@@ -42,6 +42,7 @@
0x11 "subjectAltName" OID_SUBJECT_ALT_NAME
0x12 "issuerAltName"
0x13 "basicConstraints" OID_BASIC_CONSTRAINTS
+ 0x14 "crlNumber" OID_CRL_NUMBER
0x15 "reasonCode" OID_CRL_REASON_CODE
0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS
0x20 "certificatePolicies"
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index e235ff765..d9b2167c8 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -29,6 +29,8 @@
#include <resolv.h>
#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
#include <sys/queue.h>
+#include <linux/capability.h>
+#include <sys/prctl.h>
#include <freeswan.h>
@@ -64,6 +66,11 @@
#include "nat_traversal.h"
#include "virtual.h"
+/* on some distros, a capset() definition is missing */
+#ifdef NO_CAPSET_DEFINED
+extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
+#endif /* NO_CAPSET_DEFINED */
+
static void
usage(const char *mess)
{
@@ -221,6 +228,8 @@ main(int argc, char **argv)
bool force_keepalive = FALSE;
char *virtual_private = NULL;
int lockfd;
+ struct __user_cap_header_struct hdr;
+ struct __user_cap_data_struct data;
/* handle arguments */
for (;;)
@@ -596,6 +605,26 @@ main(int argc, char **argv)
init_id();
init_fetch();
+ /* drop unneeded capabilities and change UID/GID */
+ hdr.version = _LINUX_CAPABILITY_VERSION;
+ hdr.pid = 0;
+ data.effective = data.permitted = 1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE;
+ data.inheritable = 0;
+
+ prctl(PR_SET_KEEPCAPS, 1);
+
+# if IPSEC_GID
+ setgid(IPSEC_GID);
+# endif
+# if IPSEC_UID
+ setuid(IPSEC_UID);
+# endif
+ if (capset(&hdr, &data))
+ {
+ plog("unable to drop root privileges");
+ abort();
+ }
+
/* loading X.509 CA certificates */
load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
/* loading X.509 AA certificates */
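Review bot: The return values of prctl(), setgid() and setuid() in the new privilege-dropping sequence are not checked, so a failed UID/GID change leaves pluto running as root while only the capset() result decides whether the daemon aborts. Each of these calls should be tested and the daemon stopped on failure, mirroring the capset() handling, and the messages would be more useful to an operator if they carried strerror(errno) (assuming <errno.h>/<string.h> are already available in plutomain.c, as they are in the starter). Supplementary groups are also left as they were, so a setgroups() call before setgid() is worth considering where the build environment provides it. main() starts and ends outside the hunk.
```c
	/* drop unneeded capabilities and change UID/GID */
	hdr.version = _LINUX_CAPABILITY_VERSION;
	hdr.pid = 0;
	data.effective = data.permitted = 1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE;
	data.inheritable = 0;

	if (prctl(PR_SET_KEEPCAPS, 1) != 0)
	{
		plog("unable to keep capabilities across setuid: %s", strerror(errno));
		abort();
	}
# if IPSEC_GID
	if (setgid(IPSEC_GID) != 0)
	{
		plog("unable to change GID to %d: %s", IPSEC_GID, strerror(errno));
		abort();
	}
# endif
# if IPSEC_UID
	if (setuid(IPSEC_UID) != 0)
	{
		plog("unable to change UID to %d: %s", IPSEC_UID, strerror(errno));
		abort();
	}
# endif
	if (capset(&hdr, &data))
	{
		plog("unable to drop root privileges: %s", strerror(errno));
		abort();
	}
	/* … unchanged: loading X.509 CA certificates … */
```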
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index e888d5e16..c2ea2b5a0 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -205,7 +205,9 @@ static struct vid_struct _vid_tab[] = {
/*
* strongSwan
*/
- DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.1")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.3")
+ DEC_MD5_VID(STRONGSWAN_4_1_2, "strongSwan 4.1.2")
+ DEC_MD5_VID(STRONGSWAN_4_1_1, "strongSwan 4.1.1")
DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
DEC_MD5_VID(STRONGSWAN_4_0_7, "strongSwan 4.0.7")
DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 8e0444f4d..5ba65ea37 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -99,6 +99,8 @@ enum known_vendorid {
VID_STRONGSWAN_4_0_6 = 76,
VID_STRONGSWAN_4_0_7 = 77,
VID_STRONGSWAN_4_1_0 = 78,
+ VID_STRONGSWAN_4_1_1 = 79,
+ VID_STRONGSWAN_4_1_2 = 80,
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =101,
diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c
index 3d30ad227..77ac8dee7 100644
--- a/src/pluto/xauth.c
+++ b/src/pluto/xauth.c
@@ -44,7 +44,7 @@ xauth_init(void)
DBG_log("xauth module: found get_secret() function");
}
)
- xauth_module.verify_secret = (bool (*) (const xauth_t*))
+ xauth_module.verify_secret = (bool (*) (const char*, const xauth_t*))
dlsym(xauth_module.handle, "verify_secret");
DBG(DBG_CONTROL,
if (xauth_module.verify_secret != NULL)
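Review bot: The new cast changes the calling convention of verify_secret() for out-of-tree xauth modules, but nothing detects a module built against the old prototype: such a module would receive conn_name in the position where it expects the xauth_t pointer and interpret the connection name as a credential structure. Because the symbol is resolved with dlsym() and then called blind, consider resolving a differently named symbol for the new prototype, or checking a module version symbol before accepting verify_secret, and refusing the module with a clear log message otherwise. xauth_init()'s body begins outside the hunk.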
diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h
index 1f06aefd9..740618750 100644
--- a/src/pluto/xauth.h
+++ b/src/pluto/xauth.h
@@ -30,7 +30,7 @@ typedef struct {
typedef struct {
void *handle;
bool (*get_secret) (xauth_t *xauth_secret);
- bool (*verify_secret) (const xauth_t *xauth_secret);
+ bool (*verify_secret) (const char *conn_name, const xauth_t *xauth_secret);
} xauth_module_t;
extern xauth_module_t xauth_module;
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index b21b9bf05..798f09de8 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -128,6 +128,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -140,6 +141,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -150,8 +152,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -173,6 +179,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -182,6 +189,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -195,9 +204,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -212,6 +225,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
scepclient_SOURCES = rsakey.c rsakey.h pkcs10.c pkcs10.h scep.c scep.h scepclient.c
INCLUDES = \
-I$(top_srcdir)/src/libfreeswan \
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 80410a205..432b3d6d5 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -121,6 +121,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -133,6 +134,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -143,8 +145,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -166,6 +172,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -175,6 +182,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -188,9 +197,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -205,6 +218,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
diff --git a/src/starter/args.c b/src/starter/args.c
index 82e957f59..fb8424841 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -61,6 +61,12 @@ static const char *LST_sendcert[] = {
NULL
};
+static const char *LST_strict[] = {
+ "no",
+ "yes",
+ "ifuri",
+ NULL
+};
static const char *LST_dpd_action[] = {
"none",
"clear",
@@ -160,7 +166,7 @@ static const token_info_t token_info[] =
{ ARG_UINT, offsetof(starter_config_t, setup.overridemtu), NULL },
{ ARG_TIME, offsetof(starter_config_t, setup.crlcheckinterval), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.cachecrls), LST_bool },
- { ARG_ENUM, offsetof(starter_config_t, setup.strictcrlpolicy), LST_bool },
+ { ARG_ENUM, offsetof(starter_config_t, setup.strictcrlpolicy), LST_strict },
{ ARG_ENUM, offsetof(starter_config_t, setup.nocrsend), LST_bool },
{ ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool },
{ ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL },
diff --git a/src/starter/confread.h b/src/starter/confread.h
index e0de68376..2fe75fcc6 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -46,6 +46,12 @@ typedef enum {
KEY_EXCHANGE_IKEV2
} keyexchange_t;
+typedef enum {
+ STRICT_NO,
+ STRICT_YES,
+ STRICT_IFURI
+} strict_t;
+
typedef struct starter_end starter_end_t;
struct starter_end {
@@ -156,23 +162,23 @@ struct starter_config {
bool plutostart;
/* pluto/charon keywords */
- char **plutodebug;
- char *charondebug;
- char *prepluto;
- char *postpluto;
- bool uniqueids;
- u_int overridemtu;
- u_int crlcheckinterval;
- bool cachecrls;
- bool strictcrlpolicy;
- bool nocrsend;
- bool nat_traversal;
- u_int keep_alive;
- char *virtual_private;
- char *eapdir;
- char *pkcs11module;
- bool pkcs11keepstate;
- bool pkcs11proxy;
+ char **plutodebug;
+ char *charondebug;
+ char *prepluto;
+ char *postpluto;
+ bool uniqueids;
+ u_int overridemtu;
+ u_int crlcheckinterval;
+ bool cachecrls;
+ strict_t strictcrlpolicy;
+ bool nocrsend;
+ bool nat_traversal;
+ u_int keep_alive;
+ char *virtual_private;
+ char *eapdir;
+ char *pkcs11module;
+ bool pkcs11keepstate;
+ bool pkcs11proxy;
/* KLIPS keywords */
char **klipsdebug;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index e97c8388b..48cb4151b 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -100,6 +100,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
{
int pid, i;
struct stat stb;
+ char buffer[BUF_LEN], buffer1[BUF_LEN];
int argc = 1;
char *arg[] = {
CHARON_CMD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
@@ -115,6 +116,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
if (cfg->setup.strictcrlpolicy)
{
arg[argc++] = "--strictcrlpolicy";
+ arg[argc++] = cfg->setup.strictcrlpolicy == STRICT_IFURI ? "2":"1";
}
if (cfg->setup.cachecrls)
{
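Review bot: The added `arg[argc++] = ...` line consumes one more slot of the fixed-size arg[] array whenever strictcrlpolicy is set, and the array's total length is not visible in this hunk; it is worth confirming that a NULL terminator slot remains when every option (strictcrlpolicy, cachecrls, crlcheckinterval, eapdir, debug flags) is present at once, since execv() needs it. A short comment at the declaration stating the maximum argument count the array is sized for would make that invariant checkable. starter_start_charon's body continues outside the hunk.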
@@ -122,11 +124,9 @@ starter_start_charon (starter_config_t *cfg, bool debug)
}
if (cfg->setup.crlcheckinterval > 0)
{
- char buffer[BUF_LEN];
-
- snprintf(buffer, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
+ snprintf(buffer1, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
arg[argc++] = "--crlcheckinterval";
- arg[argc++] = buffer;
+ arg[argc++] = buffer1;
}
if (cfg->setup.eapdir)
{
@@ -135,7 +135,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
}
{ /* parse debug string */
- char *pos, *level, *buf_pos, type[4], buffer[BUF_LEN];
+ char *pos, *level, *buf_pos, type[4];
pos = cfg->setup.charondebug;
buf_pos = buffer;
while (pos && sscanf(pos, "%4s %d,", type, &level) == 2)
@@ -181,7 +181,11 @@ starter_start_charon (starter_config_t *cfg, bool debug)
FILE *f;
plog("no %s file, generating RSA key", SECRETS_FILE);
+ seteuid(IPSEC_UID);
+ setegid(IPSEC_GID);
system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
+ seteuid(0);
+ setegid(0);
/* ipsec.secrets is root readable only */
oldmask = umask(0066);
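Review bot: The new calls around system() are in the wrong order: seteuid(IPSEC_UID) runs first, and once the effective UID is non-zero the process no longer has CAP_SETGID in its effective set, so the following setegid(IPSEC_GID) fails (its result is unchecked) and scepclient runs with egid 0. Switch the group first when dropping and the user first when restoring, and check all four return values, since a failed restore would leave the SECRETS_FILE creation below running under the wrong identity. Only the effective IDs change while the real UID stays 0, so this is a courtesy for the spawned command rather than a privilege boundary; if real isolation is the goal a fork()/setuid()/exec() sequence would be needed instead. The same sequence appears in invokepluto.c (starter_start_pluto) and should get the same fix; starter_start_charon's body continues outside the hunk.
```c
	plog("no %s file, generating RSA key", SECRETS_FILE);
	if (setegid(IPSEC_GID) != 0 || seteuid(IPSEC_UID) != 0)
	{
		plog("unable to switch to uid/gid %d/%d: %s", IPSEC_UID, IPSEC_GID, strerror(errno));
	}
	else
	{
		system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
	}
	if (seteuid(0) != 0 || setegid(0) != 0)
	{
		plog("unable to restore root privileges: %s", strerror(errno));
	}
	/* … unchanged: umask and ipsec.secrets creation … */
```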
@@ -194,6 +198,7 @@ starter_start_charon (starter_config_t *cfg, bool debug)
fprintf(f, ": RSA myKey.der\n");
fclose(f);
}
+ chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID);
umask(oldmask);
}
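Review bot: The return value of the added chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID) is ignored, so if it fails the file stays owned by root and whatever is meant to read it as IPSEC_UID (presumably the reason for the chown) will fail later with a less obvious error; check it and log with strerror(errno), e.g. `if (chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID) != 0) plog("unable to chown %s: %s", SECRETS_FILE, strerror(errno));`. The comment "ipsec.secrets is root readable only" a few lines above is now misleading and should say the file is readable only by its owner IPSEC_UID. The same addition in invokepluto.c has the same gap.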
@@ -207,6 +212,8 @@ starter_start_charon (starter_config_t *cfg, bool debug)
/* child */
setsid();
sigprocmask(SIG_SETMASK, 0, NULL);
+ /* disable glibc's malloc checker, conflicts with leak detective */
+ setenv("MALLOC_CHECK_", "0", 1);
execv(arg[0], arg);
plog("can't execv(%s,...): %s", arg[0], strerror(errno));
exit(1);
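Review bot: The added setenv("MALLOC_CHECK_", "0", 1) disables glibc's heap consistency action for every charon start, not only for builds that have leak detective compiled in, which removes a cheap runtime defence against heap corruption from the production daemon. Guard it with whatever macro the leak-detective build defines (the exact symbol is not visible here) so ordinary builds keep glibc's default, and make the comment say why: `/* leak detective replaces malloc; glibc's checker would trip on it */`. Using overwrite = 0 would also let an administrator's explicit MALLOC_CHECK_ setting win. starter_start_charon's body starts outside the hunk.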
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index 1b11b4a10..240d98391 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -216,7 +216,11 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
FILE *f;
plog("no %s file, generating RSA key", SECRETS_FILE);
+ seteuid(IPSEC_UID);
+ setegid(IPSEC_GID);
system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
+ seteuid(0);
+ setegid(0);
/* ipsec.secrets is root readable only */
oldmask = umask(0066);
@@ -229,6 +233,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
fprintf(f, ": RSA myKey.der\n");
fclose(f);
}
+ chown(SECRETS_FILE, IPSEC_UID, IPSEC_GID);
umask(oldmask);
}
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 3e59190e3..c80c5166b 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -600,7 +600,16 @@ value is
.B %modeconfig
or
.B %config,
-an address is requested from the peer.
+an address is requested from the peer. In IKEv2, a defined address is requested,
+but the server may change it. If the server does not support it, the address
+is enforced.
+.TP
+.B rightsourceip
+The internal source IP to use in a tunnel for the remote peer. If the
+value is
+.B %config
+on the responder side, the initiator must propose a address which is then echoed
+back.
.TP
.B leftsubnetwithin
Not relevant for IKEv2, as subnets are narrowed.
@@ -678,13 +687,16 @@ Relevant only locally, other end need not agree on it.
.B ike
IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g.
.B aes128-sha1-modp2048
-(encryption-integrity-dhgroup).
+(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals
+may be included, such as
+.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
.TP
.B esp
ESP encryption/authentication algorithm to be used
for the connection, e.g.
.B 3des-md5
-(encryption-integrity).
+(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup
+and rekeying include a separate diffe hellman exchange (IKEv2 only).
.TP
.B ah
AH authentication algorithm to be used
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index fb8e74b8c..13c2f4326 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -156,6 +156,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
msg_end->id = push_string(msg, conn_end->id);
msg_end->cert = push_string(msg, conn_end->cert);
msg_end->ca = push_string(msg, conn_end->ca);
+ msg_end->groups = push_string(msg, conn_end->groups);
msg_end->updown = push_string(msg, conn_end->updown);
ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
msg_end->address = push_string(msg, buffer);
@@ -167,7 +168,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
msg_end->tohost = !conn_end->has_client;
msg_end->protocol = conn_end->protocol;
msg_end->port = conn_end->port;
- msg_end->virtual_ip = conn_end->modecfg;
+ msg_end->virtual_ip = conn_end->modecfg || conn_end->has_srcip;
ip_address2string(&conn_end->srcip, buffer, sizeof(buffer));
msg_end->sourceip = push_string(msg, buffer);
}
diff --git a/src/starter/y.tab.c b/src/starter/y.tab.c
index 11a0373e9..49da832c0 100644
--- a/src/starter/y.tab.c
+++ b/src/starter/y.tab.c
@@ -172,7 +172,7 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
typedef union YYSTYPE
#line 56 "parser.y"
{ char *s; }
-/* Line 193 of yacc.c. */
+/* Line 187 of yacc.c. */
#line 177 "y.tab.c"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
diff --git a/src/starter/y.tab.h b/src/starter/y.tab.h
index 4b55cb005..b4352e6b4 100644
--- a/src/starter/y.tab.h
+++ b/src/starter/y.tab.h
@@ -70,7 +70,7 @@
typedef union YYSTYPE
#line 56 "parser.y"
{ char *s; }
-/* Line 1528 of yacc.c. */
+/* Line 1488 of yacc.c. */
#line 75 "y.tab.h"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 179bca750..a32dc8b90 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -111,6 +111,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -123,6 +124,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -133,8 +135,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -156,6 +162,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -165,6 +172,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -178,9 +187,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -195,6 +208,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
stroke_SOURCES = stroke.c stroke.h stroke_keywords.c stroke_keywords.h
INCLUDES = -I$(top_srcdir)/src/libstrongswan
EXTRA_DIST = stroke_keywords.txt
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 5d3fd6e77..cd2e85caa 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -218,6 +218,9 @@ static int list_flags[] = {
LIST_CERTS,
LIST_CACERTS,
LIST_OCSPCERTS,
+ LIST_AACERTS,
+ LIST_ACERTS,
+ LIST_GROUPS,
LIST_CAINFOS,
LIST_CRLS,
LIST_OCSP,
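Review bot: `list_flags[]` looks like it is indexed by keyword position (the next hunk's header shows `static int list(stroke_keyword_t kw, int utc)`), so the three new entries `LIST_AACERTS`, `LIST_ACERTS`, `LIST_GROUPS` must sit at exactly the offsets of `STROKE_LIST_AACERTS`/`STROKE_LIST_ACERTS`/`STROKE_LIST_GROUPS` in stroke_keywords.h; they do here, but nothing enforces it. A comment above the table such as `/* order must match STROKE_LIST_* in stroke_keywords.h */` would protect the next insertion, and the same applies to `reread_flags[]` in the following hunk. The array declaration itself is above the hunk.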
@@ -238,6 +241,8 @@ static int list(stroke_keyword_t kw, int utc)
static int reread_flags[] = {
REREAD_CACERTS,
REREAD_OCSPCERTS,
+ REREAD_AACERTS,
+ REREAD_ACERTS,
REREAD_CRLS,
REREAD_ALL
};
diff --git a/src/stroke/stroke.h b/src/stroke/stroke.h
index 2eefb36c4..94e07d465 100644
--- a/src/stroke/stroke.h
+++ b/src/stroke/stroke.h
@@ -47,14 +47,20 @@ enum list_flag_t {
LIST_CACERTS = 0x0002,
/** list all ocsp signer certs */
LIST_OCSPCERTS = 0x0004,
+ /** list all aa certs */
+ LIST_AACERTS = 0x0008,
+ /** list all attribute certs */
+ LIST_ACERTS = 0x0010,
+ /** list all access control groups */
+ LIST_GROUPS = 0x0020,
/** list all ca information records */
- LIST_CAINFOS = 0x0008,
+ LIST_CAINFOS = 0x0040,
/** list all crls */
- LIST_CRLS = 0x0010,
+ LIST_CRLS = 0x0080,
/** list all ocsp cache entries */
- LIST_OCSP = 0x0020,
+ LIST_OCSP = 0x0100,
/** all list options */
- LIST_ALL = 0x003F,
+ LIST_ALL = 0x01FF,
};
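Review bot: Renumbering existing bits (`LIST_CAINFOS` 0x0008 to 0x0040, `LIST_CRLS`, `LIST_OCSP`, and `REREAD_CRLS` in the next hunk) changes the encoding of the stroke message rather than just extending it, so a `stroke` binary and a charon daemon built from different versions would disagree on what a flag means. Appending the new values after the highest existing bit, or a comment stating that both ends must be rebuilt together, would avoid that. The masks are consistent with the new layout: `LIST_ALL = 0x01FF` covers nine bits and `REREAD_ALL = 0x001F` covers five. The `enum list_flag_t {` line is above the hunk.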
typedef enum reread_flag_t reread_flag_t;
@@ -70,10 +76,14 @@ enum reread_flag_t {
REREAD_CACERTS = 0x0001,
/** reread all ocsp signer certs */
REREAD_OCSPCERTS = 0x0002,
+ /** reread all aa certs */
+ REREAD_AACERTS = 0x0004,
+ /** reread all attribute certs */
+ REREAD_ACERTS = 0x0008,
/** reread all crls */
- REREAD_CRLS = 0x0004,
+ REREAD_CRLS = 0x0010,
/** all reread options */
- REREAD_ALL = 0x0007,
+ REREAD_ALL = 0x001F,
};
typedef enum purge_flag_t purge_flag_t;
@@ -98,6 +108,7 @@ struct stroke_end_t {
char *id;
char *cert;
char *ca;
+ char *groups;
char *updown;
char *address;
char *sourceip;
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index 71d99ecad..11ac592ed 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -1,6 +1,6 @@
/* C code produced by gperf version 3.0.1 */
/* Command-line: /usr/bin/gperf -C -G -t */
-/* Computed positions: -k'2,7' */
+/* Computed positions: -k'1,5,7' */
#if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
&& ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -56,12 +56,12 @@ struct stroke_token {
stroke_keyword_t kw;
};
-#define TOTAL_KEYWORDS 22
+#define TOTAL_KEYWORDS 27
#define MIN_WORD_LENGTH 2
#define MAX_WORD_LENGTH 15
-#define MIN_HASH_VALUE 2
-#define MAX_HASH_VALUE 33
-/* maximum key range = 32, duplicates = 0 */
+#define MIN_HASH_VALUE 3
+#define MAX_HASH_VALUE 40
+/* maximum key range = 38, duplicates = 0 */
#ifdef __GNUC__
__inline
@@ -77,32 +77,32 @@ hash (str, len)
{
static const unsigned char asso_values[] =
{
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 0, 34, 0,
- 30, 0, 34, 34, 34, 5, 34, 34, 15, 34,
- 0, 0, 0, 34, 10, 5, 5, 10, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
- 34, 34, 34, 34, 34, 34
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 0, 41, 5,
+ 28, 0, 41, 5, 41, 20, 41, 41, 0, 41,
+ 41, 15, 0, 41, 10, 10, 0, 10, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 41, 41, 41, 41, 41
};
register int hval = len;
@@ -113,10 +113,13 @@ hash (str, len)
/*FALLTHROUGH*/
case 6:
case 5:
+ hval += asso_values[(unsigned char)str[4]];
+ /*FALLTHROUGH*/
case 4:
case 3:
case 2:
- hval += asso_values[(unsigned char)str[1]];
+ case 1:
+ hval += asso_values[(unsigned char)str[0]];
break;
}
return hval;
@@ -124,35 +127,42 @@ hash (str, len)
static const struct stroke_token wordlist[] =
{
- {""}, {""},
+ {""}, {""}, {""},
+ {"add", STROKE_ADD},
+ {""}, {""}, {""},
+ {"listall", STROKE_LIST_ALL},
+ {"loglevel", STROKE_LOGLEVEL},
+ {""},
+ {"listacerts", STROKE_LIST_ACERTS},
+ {""},
{"up", STROKE_UP},
- {"del", STROKE_DEL},
- {"down", STROKE_DOWN},
+ {"listcrls", STROKE_LIST_CRLS},
+ {"purgeocsp", STROKE_PURGE_OCSP},
{"route", STROKE_ROUTE},
- {"delete", STROKE_DELETE},
- {"unroute", STROKE_UNROUTE},
- {"loglevel", STROKE_LOGLEVEL},
+ {"listaacerts", STROKE_LIST_AACERTS},
+ {""}, {""},
{"rereadall", STROKE_REREAD_ALL},
+ {""},
+ {"listcacerts", STROKE_LIST_CACERTS},
+ {"rereadacerts", STROKE_REREAD_ACERTS,},
+ {"rereadaacerts", STROKE_REREAD_AACERTS,},
+ {"listcerts", STROKE_LIST_CERTS},
{"rereadcrls", STROKE_REREAD_CRLS},
{"status", STROKE_STATUS},
- {""},
+ {"unroute", STROKE_UNROUTE},
{"rereadcacerts", STROKE_REREAD_CACERTS},
{"statusall", STROKE_STATUSALL},
- {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
- {"listcacerts", STROKE_LIST_CACERTS},
- {""},
+ {"listgroups", STROKE_LIST_GROUPS},
+ {"del", STROKE_DEL},
+ {"down", STROKE_DOWN},
{"listocsp", STROKE_LIST_OCSP},
- {"purgeocsp", STROKE_PURGE_OCSP},
+ {"delete", STROKE_DELETE},
{""},
{"listcainfos", STROKE_LIST_CAINFOS},
{""},
{"listocspcerts", STROKE_LIST_OCSPCERTS},
- {"listcerts", STROKE_LIST_CERTS},
- {""}, {""},
- {"listall", STROKE_LIST_ALL},
- {"listcrls", STROKE_LIST_CRLS},
- {""}, {""}, {""}, {""},
- {"add", STROKE_ADD}
+ {""},
+ {"rereadocspcerts", STROKE_REREAD_OCSPCERTS}
};
#ifdef __GNUC__
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
index 2e7d7c385..2b4b40e52 100644
--- a/src/stroke/stroke_keywords.h
+++ b/src/stroke/stroke_keywords.h
@@ -32,12 +32,17 @@ typedef enum {
STROKE_LIST_CERTS,
STROKE_LIST_CACERTS,
STROKE_LIST_OCSPCERTS,
+ STROKE_LIST_AACERTS,
+ STROKE_LIST_ACERTS,
+ STROKE_LIST_GROUPS,
STROKE_LIST_CAINFOS,
STROKE_LIST_CRLS,
STROKE_LIST_OCSP,
STROKE_LIST_ALL,
STROKE_REREAD_CACERTS,
STROKE_REREAD_OCSPCERTS,
+ STROKE_REREAD_AACERTS,
+ STROKE_REREAD_ACERTS,
STROKE_REREAD_CRLS,
STROKE_REREAD_ALL,
STROKE_PURGE_OCSP
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
index 1e8afe19e..962b4c555 100644
--- a/src/stroke/stroke_keywords.txt
+++ b/src/stroke/stroke_keywords.txt
@@ -39,12 +39,17 @@ statusall, STROKE_STATUSALL
listcerts, STROKE_LIST_CERTS
listcacerts, STROKE_LIST_CACERTS
listocspcerts, STROKE_LIST_OCSPCERTS
+listaacerts, STROKE_LIST_AACERTS
+listacerts, STROKE_LIST_ACERTS
+listgroups, STROKE_LIST_GROUPS
listcainfos, STROKE_LIST_CAINFOS
listcrls, STROKE_LIST_CRLS
listocsp, STROKE_LIST_OCSP
listall, STROKE_LIST_ALL
rereadcacerts, STROKE_REREAD_CACERTS
rereadocspcerts, STROKE_REREAD_OCSPCERTS
+rereadaacerts, STROKE_REREAD_AACERTS,
+rereadacerts, STROKE_REREAD_ACERTS,
rereadcrls, STROKE_REREAD_CRLS
rereadall, STROKE_REREAD_ALL
purgeocsp, STROKE_PURGE_OCSP
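Review bot: The two new entries `rereadaacerts, STROKE_REREAD_AACERTS,` and `rereadacerts, STROKE_REREAD_ACERTS,` carry a trailing comma that no other line in the file has, and gperf copies it verbatim into the generated wordlist (`{"rereadacerts", STROKE_REREAD_ACERTS,}` in stroke_keywords.c). C tolerates the trailing comma in an aggregate initializer, so it compiles, but the inconsistency should be fixed at the source: `rereadaacerts, STROKE_REREAD_AACERTS` and `rereadacerts, STROKE_REREAD_ACERTS`, then regenerate stroke_keywords.c.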
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index d14f5e8ed..e9a7af85d 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -111,6 +111,7 @@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
@@ -123,6 +124,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -133,8 +135,12 @@ USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
+USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
+USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
@@ -156,6 +162,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -165,6 +172,8 @@ build_vendor = @build_vendor@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+dbus_CFLAGS = @dbus_CFLAGS@
+dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
eapdir = @eapdir@
@@ -178,9 +187,13 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
+interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
+ipsecuid = @ipsecuid@
libdir = @libdir@
libexecdir = @libexecdir@
+linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
@@ -195,6 +208,8 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
whack_SOURCES = whack.c whack.h
INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto
whack_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a
diff --git a/testing/INSTALL b/testing/INSTALL
index e11b7302e..d19c7eafe 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,7 +53,7 @@ are required for the strongSwan testing environment:
* A vanilla Linux kernel on which the UML kernel will be based on.
We recommend the use of
- http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.20.3.tar.bz2
+ http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.1.tar.bz2
* Starting with Linux kernel 2.6.9 no patch must be applied any more in order
to make the vanilla kernel UML-capable. For older kernels you'll find
@@ -63,7 +63,7 @@ are required for the strongSwan testing environment:
* The matching .config file required to compile the UML kernel:
- http://download.strongswan.org/uml/.config-2.6.20
+ http://download.strongswan.org/uml/.config-2.6.21
* A gentoo-based UML file system (compressed size 130 MBytes) found at
@@ -71,7 +71,7 @@ are required for the strongSwan testing environment:
* The latest strongSwan distribution
- http://download.strongswan.org/strongswan-4.1.0.tar.gz
+ http://download.strongswan.org/strongswan-4.1.3.tar.gz
3. Creating the environment
diff --git a/testing/do-tests b/testing/do-tests
index fd11a6324..8cb99410b 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -44,8 +44,8 @@ TESTDATE=`date +%Y%m%d-%H%M`
TODAYDIR=$TESTRESULTSDIR/$TESTDATE
mkdir $TODAYDIR
-TESTRESULTSHTML=$TODAYDIR/index.html
-ALLHTML=$TODAYDIR/all.html
+TESTRESULTSHTML=$TODAYDIR/all.html
+INDEX=$TODAYDIR/index.html
DEFAULTTESTSDIR=$UMLTESTDIR/testing/tests
testnumber="0"
@@ -105,37 +105,45 @@ done
KERNEL_VERSION=`basename $KERNEL .tar.bz2`
IPSEC_VERSION=`basename $STRONGSWAN .tar.bz2`
-cat > $TESTRESULTSHTML <<@EOF
+cat > $INDEX <<@EOF
<html>
<head>
- <title>strongSwan UML Testing</title>
+ <title>strongSwan UML Tests</title>
</head>
<body>
- <h2>strongSwan UML Testing</h2>
+ <h2>strongSwan UML Tests</h2>
<table border="0" cellspacing="2">
- <tr><td><b>Host:</b></td><td>`uname -a`</td></tr>
- <tr><td><b>UML kernel: &nbsp;</b></td><td>$KERNEL_VERSION</td></tr>
- <tr><td><b>IPsec:</b></td><td>$IPSEC_VERSION</td></tr>
- <tr><td><b>Date:</b></td><td>$TESTDATE</td></tr>
- </table>
- <p>
- <table border="0" width="500">
- <thead align="left"><th>Number</th><th>Test</th><th>Result</th></thead>
+ <tr valign="top">
+ <td><b>Host:</b></td>
+ <td colspan="3">`uname -a`</td>
+ </tr>
+ <tr valign="top">
+ <td><b>UML kernel: &nbsp;</b></td>
+ <td colspan="3">$KERNEL_VERSION</td>
+ </tr>
+ <tr valign="top">
+ <td><b>IPsec:</b></td>
+ <td colspan="3">$IPSEC_VERSION</td>
+ </tr>
+ <tr valign="top">
+ <td><b>Date:</b></td>
+ <td colspan="3">$TESTDATE</td>
+ </tr>
+ <tr>
+ <td width="100">&nbsp;</td>
+ <td width="200">&nbsp;</td>
+ <td width=" 50">&nbsp;</td>
+ <td >&nbsp;</td>
+ </tr>
@EOF
-cat > $ALLHTML <<@EOF
-<html>
-<head>
- <title>strongSwan UML Testing</title>
-</head>
-<body>
- <h2>strongSwan UML Testing</h2>
- <table border="0" cellspacing="2">
- <tr><td><b>Host:</b></td><td>`uname -a`</td></tr>
- <tr><td><b>UML kernel: &nbsp;</b></td><td>$KERNEL_VERSION</td></tr>
- <tr><td><b>IPsec:</b></td><td>$IPSEC_VERSION</td></tr>
- <tr><td><b>Date:</b></td><td>$TESTDATE</td></tr>
- <tr><td colspan="2">&nbsp;</td></tr>
+cat $INDEX > $TESTRESULTSHTML
+cat >> $TESTRESULTSHTML <<@EOF
+ <tr align="left">
+ <th>Number</th>
+ <th>Test</th>
+ <th colspan="2">Result</th>
+ </tr>
@EOF
cecho "UML kernel: $KERNEL_VERSION"
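Review bot: The spacer row written to `$INDEX` uses `<td width=" 50">` with a leading space inside the attribute value; browsers tend to tolerate it but it is not a valid length and should read `<td width="50">`, and `<td >` on the next line has a stray space before the bracket. The same two cells are repeated in the per-category index in the following hunk. Separately, `uname -a` and `$KERNEL_VERSION` are interpolated into HTML without escaping; for locally generated test reports that is acceptable, but worth a comment if the output is ever published.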
@@ -174,7 +182,51 @@ do
if [ ! -d $TODAYDIR/$SUBDIR ]
then
mkdir $TODAYDIR/$SUBDIR
- echo "<tr><td>&nbsp;</td><td><a href=\"$SUBDIR\">$SUBDIR</a></td>" >> $ALLHTML
+ if [ $testnumber == 0 ]
+ then
+ FIRST="<b>Category:</b"
+ else
+ FIRST="&nbsp;"
+ fi
+ echo " <tr>" >> $INDEX
+ echo " <td>$FIRST</td>">> $INDEX
+ echo " <td><a href=\"$SUBDIR/index.html\">$SUBDIR</a></td>" >> $INDEX
+ echo " <td align=\"right\"></td>" >> $INDEX
+ echo " <td>&nbsp;</td>" >> $INDEX
+ echo " </tr>" >> $INDEX
+ SUBTESTSINDEX=$TODAYDIR/$SUBDIR/index.html
+ cat > $SUBTESTSINDEX <<@EOF
+<html>
+<head>
+ <title>strongSwan $SUBDIR Tests</title>
+</head>
+<body>
+ <h2>strongSwan $SUBDIR Tests</h2>
+ <table border="0" cellspacing="2">
+ <tr valign="top">
+ <td><b>UML kernel: &nbsp;</b></td>
+ <td colspan="3">$KERNEL_VERSION</td>
+ </tr>
+ <tr valign="top">
+ <td><b>IPsec:</b></td>
+ <td colspan="3">$IPSEC_VERSION</td>
+ </tr>
+ <tr valign="top">
+ <td><b>Date:</b></td>
+ <td colspan="3">$TESTDATE</td>
+ </tr>
+ <tr>
+ <td width="100">&nbsp;</td>
+ <td width="200">&nbsp;</td>
+ <td width=" 50">&nbsp;</td>
+ <td >&nbsp;</td>
+ </tr>
+ <tr align="left">
+ <th>Number</th>
+ <th>Test</th>
+ <th colspan="2">Result</th>
+ </tr>
+@EOF
fi
for name in $SUBTESTS
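Review bot: `FIRST="<b>Category:</b"` is missing the closing `>`, so the first category row's bold tag is never closed and the rest of the index inherits it; it should be `FIRST="<b>Category:</b>"`. `[ $testnumber == 0 ]` uses the bash-only `==` inside `[`; the script already relies on bash (`let`), so it works, but `-eq` is the portable numeric comparison. `SUBTESTSINDEX` is only assigned inside this `if` block, so if a category directory already exists when it is encountered, the later `cat >> $SUBTESTSINDEX` writes into whichever category was set up last. The enclosing `do` loop starts above the hunk.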
@@ -518,12 +570,13 @@ do
# write test status to html file
#
- cecho "$STATUS"
if [ $STATUS = "passed" ]
then
COLOR="green"
+ cecho "\033[1;32m$STATUS"
else
COLOR="red"
+ cecho "$STATUS"
fi
cat >> $TESTRESULTSHTML << @EOF
@@ -531,10 +584,20 @@ do
<td>$testnumber</td>
<td><a href="$testname/">$testname</a></td>
<td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td>
+ <td>&nbsp;</td>
+ </tr>
+@EOF
+ cat >> $SUBTESTSINDEX << @EOF
+ <tr>
+ <td>$testnumber</td>
+ <td><a href="$name/">$name</a></td>
+ <td><a href="$name/console.log"><font color="$COLOR">$STATUS</font></a></td>
+ <td>&nbsp;</td>
</tr>
@EOF
done
+
done
@@ -545,21 +608,35 @@ done
cat >> $TESTRESULTSHTML << @EOF
</table>
<p>
- <b>Passed: &nbsp; $passed_cnt</b><br>
- <b>Failed: &nbsp; $failed_cnt</b><br>
+ <b>Passed: &nbsp; <font color="green">$passed_cnt</font></b><br>
+ <b>Failed: &nbsp; <font color="red">$failed_cnt</font></b><br>
<p>
</body>
</html>
@EOF
-cat >> $ALLHTML << @EOF
+let "all_cnt = $passed_cnt + $failed_cnt"
+
+cat >> $INDEX << @EOF
+ <tr>
+ <td>&nbsp;</td>
+ <td><a href="all.html"><b>all</b></a></td>
+ <td align="right"><b>$all_cnt</b></td>
+ <td>&nbsp;</td>
+ </tr>
+ <tr>
+ <td><b>Failed:</b></td>
+ <td>&nbsp;</td>
+ <td align="right"><b><font color="red">$failed_cnt</font></b></td>
+ <td>&nbsp;</td>
+ </tr>
</table>
</body>
</html>
@EOF
cecho ""
-cecho "Passed: $passed_cnt"
+cecho "\033[1;32mPassed: $passed_cnt"
cecho "Failed: $failed_cnt"
cecho ""
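Review bot: `$TESTRESULTSHTML` and `$INDEX` both receive their closing `</table></body></html>` here, but I do not see the per-category `$SUBTESTSINDEX` files being closed in this hunk or the earlier ones; unless that happens in code outside the diff, each category index ends after its last `<tr>`. A closing block appended when the category changes, or a loop over `$TODAYDIR/*/index.html` at this point, would fix that. Also `let "all_cnt = $passed_cnt + $failed_cnt"` can be written `all_cnt=$((passed_cnt + failed_cnt))` to match the shell's standard arithmetic syntax, though both work under bash.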
diff --git a/testing/hosts/winnetou/etc/openssl/crlnumber b/testing/hosts/winnetou/etc/openssl/crlnumber
new file mode 100644
index 000000000..9e22bcb8e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/crlnumber
@@ -0,0 +1 @@
+02
diff --git a/testing/hosts/winnetou/etc/openssl/crlnumber.old b/testing/hosts/winnetou/etc/openssl/crlnumber.old
new file mode 100644
index 000000000..8a0f05e16
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/crlnumber.old
@@ -0,0 +1 @@
+01
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 5a8fd7782..99274c0ba 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -19,17 +19,17 @@
export COMMON_NAME=strongSwan
cd /etc/openssl
-openssl ca -config /etc/openssl/openssl.cnf -gencrl -out crl.pem
+openssl ca -gencrl -crldays 30 -config /etc/openssl/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out strongswan.crl
cp strongswan.crl /var/www/localhost/htdocs/
cp strongswanCert.pem /var/www/localhost/htdocs/
cp index.html /var/www/localhost/htdocs/
cd /etc/openssl/research
-openssl ca -config /etc/openssl/research/openssl.cnf -gencrl -out crl.pem
+openssl ca -gencrl -crldays 15 -config /etc/openssl/research/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out research.crl
cp research.crl /var/www/localhost/htdocs/
cd /etc/openssl/sales
-openssl ca -config /etc/openssl/sales/openssl.cnf -gencrl -out crl.pem
+openssl ca -gencrl -crldays 15 -config /etc/openssl/sales/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out sales.crl
cp sales.crl /var/www/localhost/htdocs/
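Review bot: Adding `-crldays 30` and `-crldays 15` gives the generated CRLs a fixed nextUpdate; if the resulting `strongswan.crl`, `research.crl` and `sales.crl` are shipped as static fixtures rather than regenerated on the test host before each run, they go stale after that window and any test that enforces CRL freshness will start failing for reasons unrelated to the code under test. A header comment stating the expectation would make the intent clear, e.g. `# regenerate CRLs before each test run: validity is 30 days (strongSwan CA) / 15 days (Research, Sales)`. The script body begins above the hunk.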
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 12025d75c..64b725536 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -11,9 +11,10 @@ V 091231214318Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strong
V 100216084430Z 0B unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
R 140321062536Z 050621195214Z 0C unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 140321062916Z 0D unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
-V 100607191714Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
+R 100607191714Z 070427213122Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 111007105811Z 10 unknown /C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
V 111007121250Z 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
V 111007122112Z 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
V 120224075857Z 13 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
+V 120425210745Z 14 unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index 9e744674d..12025d75c 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -16,3 +16,4 @@ V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 111007105811Z 10 unknown /C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
V 111007121250Z 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
V 111007122112Z 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
+V 120224075857Z 13 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/14.pem b/testing/hosts/winnetou/etc/openssl/newcerts/14.pem
new file mode 100644
index 000000000..7ce46c0da
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/14.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index 165d8bbeb..56a9061f6 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -34,6 +34,7 @@ new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/strongswanCert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
+crlnumber = $dir/crlnumber # The current CRL serial number
private_key = $dir/strongswanKey.pem # The private key
RANDFILE = $dir/.rand # private random number file
diff --git a/testing/hosts/winnetou/etc/openssl/research/crlnumber b/testing/hosts/winnetou/etc/openssl/research/crlnumber
new file mode 100644
index 000000000..75016ea36
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/crlnumber
@@ -0,0 +1 @@
+03
diff --git a/testing/hosts/winnetou/etc/openssl/research/crlnumber.old b/testing/hosts/winnetou/etc/openssl/research/crlnumber.old
new file mode 100644
index 000000000..9e22bcb8e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/crlnumber.old
@@ -0,0 +1 @@
+02
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 2ccf6489c..05e38f050 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -1,3 +1,4 @@
V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+V 120418092554Z 04 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 4bd650072..2ccf6489c 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -1,2 +1,3 @@
V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/04.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/04.pem
new file mode 100644
index 000000000..894bf7dbd
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/04.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
index 706a52635..2d2765650 100644
--- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -34,6 +34,7 @@ new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/researchCert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
+crlnumber = $dir/crlnumber # The current CRL serial number
private_key = $dir/researchKey.pem # The private key
RANDFILE = $dir/.rand # private random number file
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index 64969239d..eeee65ec4 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-04
+05
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index 75016ea36..64969239d 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-03
+04
diff --git a/testing/hosts/winnetou/etc/openssl/sales/crlnumber b/testing/hosts/winnetou/etc/openssl/sales/crlnumber
new file mode 100644
index 000000000..eeee65ec4
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/crlnumber
@@ -0,0 +1 @@
+05
diff --git a/testing/hosts/winnetou/etc/openssl/sales/crlnumber.old b/testing/hosts/winnetou/etc/openssl/sales/crlnumber.old
new file mode 100644
index 000000000..718f9f12e
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/crlnumber.old
@@ -0,0 +1 @@
+O4
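Review bot: The new sales/crlnumber.old contains `O4` with a capital letter O instead of the digit zero, unlike the `02`/`04` values in the sibling files, so it is not a valid hex CRL number. openssl ca treats the `.old` file as a backup it rewrites on the next `-gencrl`, so this is unlikely to break anything, but it should be `04` to match the others.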
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt
index ab3c06416..87af9dd15 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt
@@ -1,3 +1,4 @@
V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
+V 120418093600Z 04 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
index 5093b34e9..ab3c06416 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
@@ -1,2 +1,3 @@
V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/04.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/04.pem
new file mode 100644
index 000000000..c19c7333a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/04.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
index 687956d60..b9287377d 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -34,6 +34,7 @@ new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/salesCert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
+crlnumber = $dir/crlnumber # The current CRL serial number
private_key = $dir/salesKey.pem # The private key
RANDFILE = $dir/.rand # private random number file
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial
index 64969239d..eeee65ec4 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial
@@ -1 +1 @@
-04
+05
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old
index 75016ea36..64969239d 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old
@@ -1 +1 @@
-03
+04
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index 8351c1939..60d3b2f4a 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-14
+15
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index b1bd38b62..8351c1939 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-13
+14
diff --git a/testing/hosts/winnetou/etc/openssl/winnetouCert.pem b/testing/hosts/winnetou/etc/openssl/winnetouCert.pem
new file mode 100644
index 000000000..7ce46c0da
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/winnetouCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/winnetouKey.pem b/testing/hosts/winnetou/etc/openssl/winnetouKey.pem
new file mode 100644
index 000000000..8d68bac6b
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/winnetouKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/scripts/function.sh b/testing/scripts/function.sh
index 22a79698d..aa944924c 100755
--- a/testing/scripts/function.sh
+++ b/testing/scripts/function.sh
@@ -22,11 +22,11 @@
#
function cecho {
- echo -e "\033\13301;31m$1\033\1330m"
+ echo -e "\033[1;31m$1\033[0m"
}
function cecho-n {
- echo -en "\033\13301;31m$1\033\1330m"
+ echo -en "\033[1;31m$1\033[0m"
}
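Review bot: With the colour hard-coded as red inside `cecho`/`cecho-n`, the callers changed elsewhere in this commit (kstart-umls, start-switches, stop-testing) obtain green output by prepending `\033[1;32m` to the message text, which only works because `echo -e` also expands backslash sequences found in `$1`, leaving the message and its formatting entangled. Taking the colour as an optional second argument keeps the message text opaque: `echo -e "\033[1;${2:-31}m$1\033[0m"` in `cecho` and the same with `-en` in `cecho-n`, so those call sites become `cecho "done" 32`. A hyphen in a function name (`cecho-n`) is a bashism; fine given the `function` syntax already used, but a one-line comment saying the file requires bash would help.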
diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls
index 8379438c8..eeaa959e8 100755
--- a/testing/scripts/kstart-umls
+++ b/testing/scripts/kstart-umls
@@ -68,7 +68,7 @@ do
ubda=$UMLHOSTFS \
\$SWITCH_${host} \
mem=${MEM}M con=pty con0=fd:0,fd:1" &
- cecho "done"
+ cecho "\033[1;32mdone"
fi
let "x0+=dx"
let "y0+=dy"
@@ -114,7 +114,7 @@ do
cecho "exit"
exit 1
else
- cecho "up"
+ cecho "\033[1;32mup"
fi
done
diff --git a/testing/scripts/start-switches b/testing/scripts/start-switches
index 82433babe..c9cafafc1 100755
--- a/testing/scripts/start-switches
+++ b/testing/scripts/start-switches
@@ -31,9 +31,9 @@ do
cecho " * Great, umlswitch$n is already running!"
else
cecho-n " * Starting umlswitch$n.."
- uml_switch -hub -tap tap$n -unix /tmp/umlswitch$n >/dev/null </dev/null &
+ uml_switch -tap tap$n -unix /tmp/umlswitch$n >/dev/null </dev/null &
sleep 2
eval ifconfig "tap$n \$IFCONFIG_$n up"
- cecho "done"
+ cecho "\033[1;32mdone"
fi
done
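Review bot: The new `uml_switch -tap tap$n -unix /tmp/umlswitch$n` line still places the switch's control socket at a fixed name in the world-writable `/tmp`, so a stale or foreign file at that path breaks the start, and who may attach to the switch depends on how uml_switch creates that socket; a per-run directory with restrictive permissions (say `$UMLTESTDIR/run`, created with `mkdir -m 700`) would avoid both, with stop-testing's `rm -f /tmp/umlswitch[012]` following it. Dropping `-hub` also changes what each guest sees on the segment — in hub mode every frame reached every port — so if any test's TCPDUMPHOSTS relied on observing a neighbour's traffic it now needs a host on the path. The `sleep 2` before `ifconfig` is a timing guess rather than a readiness check. The `for` loop enclosing this hunk starts outside it.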
diff --git a/testing/stop-testing b/testing/stop-testing
index 5b53505ac..7b21c6b07 100755
--- a/testing/stop-testing
+++ b/testing/stop-testing
@@ -39,7 +39,7 @@ for host in $HOSTS
do
uml_mconsole $host halt &> /dev/null
done
-cecho "done"
+cecho "\033[1;32mdone"
#####################################################
# Shutting down the uml switches
@@ -47,5 +47,5 @@ cecho "done"
cecho-n " * Stopping the UML switches.."
killall uml_switch &> /dev/null
rm -f /tmp/umlswitch[012] &> /dev/null 2>&1
-cecho "done"
+cecho "\033[1;32mdone"
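Review bot: `killall uml_switch` on the line above the changed one terminates every uml_switch process on the host, not only the three that start-switches launched, so a second testbed or another user's switch on the same machine is taken down as well; recording the PIDs at start (start-switches backgrounds them with `&`, so `$!` is available) and killing those is safer. The redirection `&> /dev/null 2>&1` on the `rm -f` line is redundant, `&>` already covers stderr. Both hunks of this file otherwise only change the colour escape in the `cecho "done"` message.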
diff --git a/testing/testing.conf b/testing/testing.conf
index d4d6767c9..85807d0a6 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -21,19 +21,19 @@ UMLTESTDIR=/home/strongswan-testing
# Bzipped kernel sources
# (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.20.3.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.21.1.tar.bz2
# Extract kernel version
KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
# Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.20
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.21
# Bzipped uml patch for kernel
UMLPATCH=$UMLTESTDIR/uml_jmpbuf-2.6.18.patch.bz2
# Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.1.0.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.1.3.tar.bz2
# strongSwan compile options (use "yes" or "no")
USE_LIBCURL="yes"
diff --git a/testing/tests/ikev2/crl-ldap/description.txt b/testing/tests/ikev2/crl-ldap/description.txt
index d7ed591cc..46e7a6961 100644
--- a/testing/tests/ikev2/crl-ldap/description.txt
+++ b/testing/tests/ikev2/crl-ldap/description.txt
@@ -1,6 +1,6 @@
By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
-availabl, an ldap fetch to get the CRL from the LDAP server <b>winnetou</b> is
+available, an ldap fetch to get the CRL from the LDAP server <b>winnetou</b> is
successfully started and the IKE authentication completes. The new CRL is again
cached locally as a file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
index 3b1fbabb8..47a52b60b 100755
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -8,7 +8,7 @@ config setup
ca strongswan
cacert=strongswanCert.pem
- crluri="ldap://ldap1.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
auto=add
conn %default
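Review bot: The CRL URI now names `ldap.strongswan.org` instead of `ldap1.strongswan.org`; the roadwarrior side of this test (carol's ipsec.conf) is not in this part of the diff, and since the description says strict CRL checking is enforced on both hosts, please confirm that if her `ca` section carries a `crluri` it was updated to the same name, otherwise one side fetches from a host that may not resolve in the testbed. The `ca strongswan` section and the preceding `config setup` extend outside the hunk.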
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/description.txt b/testing/tests/ikev2/esp-alg-aesxcbc/description.txt
new file mode 100644
index 000000000..0ea28a716
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b>
+in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
+the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat
new file mode 100644
index 000000000..19b0b4378
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::AES_CBC-256/AES_XCBC_96::YES
+carol::ipsec statusall::AES_CBC-256/AES_XCBC_96::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..d00d8762d
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-sha256-modp2048!
+ esp=aes256-aesxcbc-modp2048!
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fca2cbdab
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes256-sha256-modp2048!
+ esp=aes256-aesxcbc-modp2048!
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat b/testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat b/testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat
new file mode 100644
index 000000000..f360351e1
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/test.conf b/testing/tests/ikev2/esp-alg-aesxcbc/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-aesxcbc/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/description.txt b/testing/tests/ikev2/multi-level-ca-ldap/description.txt
new file mode 100644
index 000000000..18fb88840
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/description.txt
@@ -0,0 +1,11 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
+<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
+<p>
+By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and
+Sales CAs must be fetched from the LDAP server <b>winnetou</b> first, before the
+connection setups can be successfully completed.
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
new file mode 100644
index 000000000..00cafc130
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
@@ -0,0 +1,11 @@
+moon::cat /var/log/daemon.log::sending ldap request to::YES
+moon::cat /var/log/daemon.log::received valid ldap response::YES
+carol::ipsec status::alice.*INSTALLED::YES
+moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+carol::ipsec status::venus.*INSTALLED::NO
+moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
+dave::ipsec status::venus.*INSTALLED::YES
+moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave::ipsec status::alice.*INSTALLED::NO
+moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
+
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..466b08eae
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..d4b20453d
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..022436de4
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..8de514a2e
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow ldap crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
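Review bot: The accept rules in `start()` are stateless and match only on a port number the remote side chooses: `iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT` admits any TCP segment from winnetou whose source port is 389, to any local port, and the SSH pair (`--dport 22` on INPUT, `--sport 22` on OUTPUT, no interface restriction) admits any traffic to or from port 22. If the UML kernel has conntrack enabled, replace the LDAP INPUT rule with `iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT` and keep the OUTPUT `--dport 389 -d PH_IP_WINNETOU` rule as the single place the CRL fetch is allowed; the same applies to the SSH return path. The script also mixes `/sbin/iptables` and bare `iptables`; pick one so PATH does not decide which binary runs. Since this is a new file, a header comment stating that the rules assume `eth0` is the only interface facing the test network would help the next copy.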
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..c342625af
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,45 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ auto=add
+
+ca research
+ cacert=researchCert.pem
+ crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList"
+ auto=add
+
+ca sales
+ cacert=salesCert.pem
+ crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList"
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+
+conn alice
+ leftsubnet=PH_IP_ALICE/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ auto=add
+
+conn venus
+ leftsubnet=PH_IP_VENUS/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
new file mode 100644
index 000000000..ec4ba6e10
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+winnetou::/etc/init.d/slapd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
new file mode 100644
index 000000000..322f42102
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
@@ -0,0 +1,10 @@
+winnetou::/etc/init.d/slapd start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up venus
+dave::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/test.conf b/testing/tests/ikev2/multi-level-ca-ldap/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-loop/description.txt b/testing/tests/ikev2/multi-level-ca-loop/description.txt
new file mode 100644
index 000000000..9b63c2c66
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/description.txt
@@ -0,0 +1,6 @@
+The roadwarrior <b>carol</b>, possessing a certificate issued by the
+Research CA, tries to set up a tunnel to gateway <b>moon</b>.
+The Research CA's certificate is signed by the Sales CA and
+the Sales CA's certificate in turn is signed by the Research CA.
+This leads to an endless trust path loop but which is aborted by
+<b>moon</b> when the path level reaches a depth of 7 iterations.
diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
new file mode 100644
index 000000000..c60f722ec
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
@@ -0,0 +1,4 @@
+moon::cat /var/log/daemon.log::maximum ca path length of 7 levels reached::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
+carol::ipsec status::alice.*INSTALLED::NO
+moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..11dce322e
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi
+65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq
+8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6
+VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY
+hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu
+y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz
+0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX
+FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH
+gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z
+PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D
+nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El
+U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF
+mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm
+MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB
+UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy
+G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz
+Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY
+hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu
+PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah
+tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr
+s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy
+uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J
+ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu
+LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx
+Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..52e5cd8cd
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+
+conn alice
+ leftsubnet=PH_IP_ALICE/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
new file mode 100644
index 000000000..efb939e3a
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
new file mode 100644
index 000000000..90e207c4b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-loop/posttest.dat b/testing/tests/ikev2/multi-level-ca-loop/posttest.dat
new file mode 100644
index 000000000..076f51f4d
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+
diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
new file mode 100644
index 000000000..0a0ec22bf
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
@@ -0,0 +1,6 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca-loop/test.conf b/testing/tests/ikev2/multi-level-ca-loop/test.conf
new file mode 100644
index 000000000..3189fdfc7
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-loop/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
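Review bot: `UMLHOSTS="alice moon carol winnetou dave"` lists `dave`, but nothing in this test uses that host: the diagram is `a-m-c-w.png`, `IPSECHOSTS` is `moon carol`, and neither pretest.dat, posttest.dat nor evaltest.dat of multi-level-ca-loop references dave, so it looks copied from multi-level-ca-ldap and starts an unneeded UML instance. Suggest `UMLHOSTS="alice moon carol winnetou"`. `winnetou` presumably has to stay, since both hosts run with `strictcrlpolicy=yes` and need to fetch CRLs from it.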
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/description.txt b/testing/tests/ikev2/multi-level-ca-revoked/description.txt
new file mode 100644
index 000000000..c91ac285b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/description.txt
@@ -0,0 +1,4 @@
+The roadwarrior <b>carol</b> possesses a certificate issued by the Research CA.
+The certificate of the Research CA has been revoked by the Root CA by entering
+the serial number in the CRL. Therefore upon verification of the trust path
+the gateway <b>moon</b> will reject the roadwarrior's certificate
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
new file mode 100644
index 000000000..1e52d2273
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec listcacerts --utc::status revoked on::YES
+moon::cat /var/log/daemon.log::certificate was revoked::YES
+moon::cat /var/log/daemon.log::received end entity certificate is not trusted::YES
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon::ipsec status::alice.*ESTABLISHED::NO
+carol::ipsec status::home.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9350d121e
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..61574d1f0
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+
+conn alice
+ leftsubnet=PH_IP_ALICE/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..c380a5110
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/posttest.dat b/testing/tests/ikev2/multi-level-ca-revoked/posttest.dat
new file mode 100644
index 000000000..f84b7e37b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/test.conf b/testing/tests/ikev2/multi-level-ca-revoked/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-revoked/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-strict/description.txt b/testing/tests/ikev2/multi-level-ca-strict/description.txt
new file mode 100644
index 000000000..86cbbc58b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/description.txt
@@ -0,0 +1,7 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced
+on all peers.
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust
+chain anchored in strongSwan Root CA. Therefore both road warriors
+<b>carol</b> and <b>dave</b>, holding certificates from the Research CA
+and Sales CA, respectively, can reach both <b>alice</b> and <b>venus</b>.
diff --git a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat
new file mode 100644
index 000000000..a594745b7
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat
@@ -0,0 +1,6 @@
+carol::ipsec status::alice.*INSTALLED::YES
+carol::ipsec status::venus.*INSTALLED::YES
+moon::ipsec status::ESTABLISHED.*carol@strongswan.org::YES
+dave::ipsec status::venus.*INSTALLED::YES
+dave::ipsec status::alice.*INSTALLED::YES
+moon::ipsec status::ESTABLISHED.*dave@strongswan.org::YES
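Review bot: None of the six checks confirms that the strict CRL policy was actually exercised; they only confirm that the SAs came up, which the non-strict multi-level-ca variant already proves, so this test would still pass if `strictcrlpolicy=yes` were ignored or the CRL fetch silently skipped. Add at least one log assertion on moon that the CRLs for the Research and Sales CAs were fetched and evaluated before each road warrior was accepted, a positive counterpart to the `certificate was revoked` line checked in multi-level-ca-revoked (the exact wording of the success message is not visible in this diff). Something of the form `moon::cat /var/log/daemon.log::<crl-ok message>::YES` would make the strict path observable rather than assumed.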
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..6fcc1578e
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftsendcert=ifasked
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..c4b41aa06
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftsendcert=ifasked
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..022436de4
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9c02993e7
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://crl.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftsendcert=ifasked
+ leftid=@moon.strongswan.org
+
+conn alice
+ leftsubnet=PH_IP_ALICE/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ auto=add
+
+conn venus
+ leftsubnet=PH_IP_VENUS/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-strict/posttest.dat b/testing/tests/ikev2/multi-level-ca-strict/posttest.dat
new file mode 100644
index 000000000..1646d5ed2
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+
diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
new file mode 100644
index 000000000..67c50c2ef
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
@@ -0,0 +1,9 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up venus
+dave::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca-strict/test.conf b/testing/tests/ikev2/multi-level-ca-strict/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-strict/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca/description.txt b/testing/tests/ikev2/multi-level-ca/description.txt
new file mode 100644
index 000000000..64825cb30
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/description.txt
@@ -0,0 +1,7 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
+<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat
new file mode 100644
index 000000000..6cb0bd8ae
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat
@@ -0,0 +1,12 @@
+carol::ipsec status::alice.*INSTALLED::YES
+moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+carol::ipsec status::venus.*INSTALLED::NO
+moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES
+moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
+dave::ipsec status::venus.*INSTALLED::YES
+moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+dave::ipsec status::alice.*INSTALLED::NO
+moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES
+moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3f95ed506
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftsendcert=ifasked
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..082ed2974
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert.pem
+ leftsendcert=ifasked
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..022436de4
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..4561a52db
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="cfg 2"
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri=http://crl.strongswan.org/strongswan.crl
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftsendcert=ifasked
+ leftid=@moon.strongswan.org
+
+conn alice
+ leftsubnet=PH_IP_ALICE/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ auto=add
+
+conn venus
+ leftsubnet=PH_IP_VENUS/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ auto=add
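Review bot: `charondebug="cfg 2"` is raised above the default here while the other moon configurations in this series leave it unset, and evaltest.dat for this test matches on `traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable`, which is presumably only logged at that level; the dependency is not recorded anywhere. A comment next to the setting, `# cfg 2 is needed for the traffic-selector log lines matched by evaltest.dat`, would stop someone removing the debug level and getting a confusing evaltest failure. If the message is in fact logged at the default level, the setting can simply be dropped.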
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
+8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
+9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
+iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
+uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
+xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca/posttest.dat b/testing/tests/ikev2/multi-level-ca/posttest.dat
new file mode 100644
index 000000000..1646d5ed2
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+
diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat
new file mode 100644
index 000000000..67c50c2ef
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/pretest.dat
@@ -0,0 +1,9 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up venus
+dave::ipsec up alice
diff --git a/testing/tests/ikev2/multi-level-ca/test.conf b/testing/tests/ikev2/multi-level-ca/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
index 911c209a5..93d152f6b 100644
--- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
@@ -6,5 +6,5 @@ carol::cat /var/log/daemon.log::certificate is good::YES
dave::cat /var/log/daemon.log::certificate is good::YES
moon::ipsec status::ESTABLISHED.*carol::YES
moon::ipsec status::ESTABLISHED.*dave::YES
-carol::ipsec status::alice.*ESTABLISHED::YES
-dave::ipsec status::venus.*ESTABLISHED::YES
+carol::ipsec status::ESTABLISHED::YES
+dave::ipsec status::ESTABLISHED::YES
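Review bot: The replacement patterns `carol::ipsec status::ESTABLISHED::YES` and `dave::ipsec status::ESTABLISHED::YES` no longer say which IKE_SA is up, so any established SA on the road warrior satisfies them. If the conn name was dropped from the status line in this release, anchoring on the peer identity keeps the check meaningful, as the context lines for moon already do (`ESTABLISHED.*carol`), e.g. `carol::ipsec status::ESTABLISHED.*moon.strongswan.org::YES`. I am inferring the status-format change from the rest of the series; if the new line carries no peer identity either, a short comment in the file explaining why the pattern was loosened would help the next reader.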
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
index 89a4f2ce9..86c9dca75 100755
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
config setup
crlcheckinterval=180
- strictcrlpolicy=no
+ strictcrlpolicy=yes
plutostart=no
ca strongswan
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
index 45b6efcc8..1613e72cf 100755
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,7 @@
config setup
crlcheckinterval=180
- strictcrlpolicy=no
+ strictcrlpolicy=yes
plutostart=no
ca strongswan
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/description.txt b/testing/tests/ikev2/ocsp-no-signer-cert/description.txt
new file mode 100644
index 000000000..4fa492c14
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/description.txt
@@ -0,0 +1,5 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
+is checked via the OCSP server <b>winnetou</b> which is sending a normal host
+certificate not containing an OCSPSigning extended key usage flag. As a consequence
+the OCSP signing certificate is not accepted and the connection setup is aborted.
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
new file mode 100644
index 000000000..f185536a6
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::cat /var/log/daemon.log::received valid http response::YES
+moon::cat /var/log/daemon.log::received certificate is no ocsp signer - rejected::YES
+moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::ipsec status::rw.*ESTABLISHED::NO
+carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3c685a839
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e2fabe0f5
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan-ca
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
new file mode 100755
index 000000000..74d22b90d
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey winnetouKey.pem -rsigner winnetouCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
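Review bot: The script signs OCSP responses with the plain host certificate (`-rsigner winnetouCert.pem`) on purpose, but nothing in the file says so, and a maintainer could "fix" it by pointing at a proper OCSP signer and silently turn this negative test into a positive one; add a header comment such as `# Deliberately signs with winnetou's host certificate, which lacks the OCSPSigning EKU: the test expects moon to reject the response.` Separately, `cd /etc/openssl` is unchecked and every later path (`index.txt`, `strongswanCert.pem`, the key and cert) is relative to it, while the `Content-type` header is already on stdout before openssl runs, so a failed cd produces an empty response that looks like a broken responder rather than a script error; `cd /etc/openssl || exit 1` is enough to make that failure visible.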
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/description.txt b/testing/tests/ikev2/ocsp-strict-ifuri/description.txt
new file mode 100644
index 000000000..580684cf8
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/description.txt
@@ -0,0 +1,18 @@
+This scenario tests the <b>strictcrlpolicy=ifuri</b> option which enforces a
+strict CRL policy for a given CA if at least one OCSP or CRL URI is known
+for this CA at the time of the certificate trust path verification.
+On the gateway <b>moon</b> two different Intermediate CAs control the access
+to the hosts <b>alice</b> and <b>venus</b>. Access to <b>alice</b> is granted
+to users presenting a certificate issued by the Research CA whereas <b>venus</b>
+can only be reached with a certificate issued by the Sales CA.
+<p>
+The roadwarrior <b>carol</b> has a certificate from the Research CA which does not
+contain any URIs. Therefore a strict CRL policy is <b>not</b> enforced and the
+connection setup succeeds, although the certificate status is unknown.
+</p>
+<p>
+The roadwarrrior <b>dave</b> has a certificate from the Sales CA which contains
+a single OCSP URI but which is not resolvable. Thus because of the known URI
+a strict CRL policy is enforced and the unknown certificate status causes the
+connection setup to fail.
+</p>
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
new file mode 100644
index 000000000..48f24aa8f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -0,0 +1,7 @@
+moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
+moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
+moon::cat /var/log/daemon.log::authentication of.*dave.*failed::YES
+moon::ipsec status::ESTABLISHED.*carol::YES
+moon::ipsec status::ESTABLISHED.*dave::NO
+carol::ipsec status::ESTABLISHED::YES
+dave::ipsec status::ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..cfde9714e
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=ifuri
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert-ifuri.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
new file mode 100644
index 000000000..894bf7dbd
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID8TCCAtmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDQyMDA5MjU1NFoXDTEyMDQxODA5MjU1
+NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOByjCBxzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUi6jZ
+/eq7FoNJDiWP3Mlw9iaZzyIwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPd
+VCChSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu
+MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ8wHwYDVR0RBBgwFoEUY2Fy
+b2xAc3Ryb25nc3dhbi5vcmcwDQYJKoZIhvcNAQEFBQADggEBADHYFhLgIo3jrKcw
+bmfkqHLrwI0sHgyJJrEf1hl3cdc16VdKVW+V3qMwumdlMobK20yTRtW90x1ErULS
+RClHlQ5UtDubtQTwjcc6Uc8tOcBdAAH1SQk2xLikxQq19UGFpRRA0VxDXzF5yXnJ
+oM9mJZvgscQZeZPqMEXd3yQclK3Ouap70zE1J8kcyT/yrdkTM3nMbiq8aPytr3Al
+njoW+ToTsDqcTZYWeF3A3tfSZ5+AhlValx1btbcNPZVjjhBx46knOrOFeQLE5f5C
+3XYxVaWPX7hcjfQz/e3T4Rnb8nVQqoCnycUPfYxG/4z7pp/GplS/MEuMNNGDhSsI
+nTjnJgY=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
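Review bot: The unencrypted RSA private key is added with file mode 100644, so a checkout leaves it world-readable, and the same holds for hosts/dave/etc/ipsec.d/private/daveKey.pem later in this commit. Whether the UML image build tightens permissions under /etc/ipsec.d/private before ipsec.secrets loads the file via `: RSA carolKey.pem` is not visible here; if it does not, the harness should install these files 0600, e.g. `chmod 600 /etc/ipsec.d/private/*.pem` in the image build or in pretest.dat. The keys are plainly scenario fixtures, so the point is about the installed permissions the test exercises, not the key material.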
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1cea9f47c
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=ifuri
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert-ifuri.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
new file mode 100644
index 000000000..c19c7333a
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..022436de4
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6
+OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW
+1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI
+mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe
+ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM
+pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0
+mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c
+JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz
+0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq
+8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0
+3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u
+U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ
+Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs
+MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS
+sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B
+oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7
+1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i
+bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7
+AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO
+9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX
+3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw
+px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP
+qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt
+/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/
+UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..be96bd957
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=ifuri
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+
+conn alice
+ leftsubnet=PH_IP_ALICE/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ auto=add
+
+conn venus
+ leftsubnet=PH_IP_VENUS/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
+MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP
+GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV
+Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S
+uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO
+sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1
+vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/
+MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD
+VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI
+MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu
+IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV
+8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ
+9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr
+iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU
+uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv
+xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat
new file mode 100644
index 000000000..1646d5ed2
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
new file mode 100644
index 000000000..f15265e32
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+dave::ipsec up venus
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/two-certs/description.txt b/testing/tests/ikev2/two-certs/description.txt
new file mode 100644
index 000000000..46ca8fec1
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Gateway <b>moon</b> has already loaded a revoked certificate for <b>carol</b>
+and a self-signed certificate for <b>dave</b> locally but gets actual certificates
+as CERT payloads from both peers. The RSA signature verification process tries all
+candidate peer certificates until it finds a valid one with a matching public key.
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
new file mode 100644
index 000000000..3421c6e0f
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -0,0 +1,14 @@
+moon::cat /var/log/daemon.log::candidate peer certificate was not successfully verified::YES
+moon::cat /var/log/daemon.log::candidate peer certificate has a non-matching RSA public key::YES
+moon::cat /var/log/daemon.log::candidate peer certificate has a matching RSA public key::YES
+moon::ipsec statusall::carol.*ESTABLISHED::YES
+moon::ipsec statusall::dave.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e5d9ad476
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3c0014965
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..86be51824
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="cfg 2"
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ keyexchange=ikev2
+
+conn carol
+ rightid=carol@strongswan.org
+ rightcert=carolRevokedCert.pem
+ auto=add
+
+conn dave
+ rightid=dave@strongswan.org
+ rightcert=daveCert.der
+ rightca=%any
+ auto=add
+
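Review bot: `conn dave` sets `rightca=%any` while `conn carol` does not, and nothing in the file or in description.txt explains the asymmetry; presumably it is needed because the locally loaded daveCert.der is self-signed (as description.txt states) and would otherwise fail any issuer constraint, but that is inference. A comment on the line, e.g. `# daveCert.der is self-signed: do not constrain the issuing CA`, would make the intent clear. Likewise `charondebug="cfg 2"` looks to be there only so the "candidate peer certificate" messages matched by evaltest.dat are logged, which deserves a comment so it is not copied into other scenarios as a default.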
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem
new file mode 100644
index 000000000..5b742fc9e
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der
new file mode 100644
index 000000000..6c4f37c27
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der
Binary files differ
diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat
new file mode 100644
index 000000000..195065a5f
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/two-certs/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/virtual-ip-override/description.txt b/testing/tests/ikev2/virtual-ip-override/description.txt
new file mode 100644
index 000000000..adb655004
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> both set up a connection to gateway <b>moon</b>.
+The roadwarriors each unilaterally define a static virtual IP using the <b>leftsourceip</b>
+parameter. In order to detect potential address conflicts, the roadwarriors send
+their virtual IPs embedded in a configuration payload to <b>moon</b> for verification.
+In our scenario <b>carol</b> and <b>dave</b> both request the same IP address.
+These requests are overridden by gateway <b>moon</b> which assigns a
+distinct virtual IP to each road warrior.
diff --git a/testing/tests/ikev2/virtual-ip-override/evaltest.dat b/testing/tests/ikev2/virtual-ip-override/evaltest.dat
new file mode 100644
index 000000000..5216a53bb
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/evaltest.dat
@@ -0,0 +1,13 @@
+moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+dave::ipsec statusall::home.*INSTALLED::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::NO
+moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
+moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list dev eth0::src PH_IP_CAROL1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list dev eth0::src PH_IP_DAVE1::YES
+
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c9867c7d4
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=PH_IP_CAROL1
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..98dd99271
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=PH_IP_CAROL1
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..bafd1b155
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftsourceip=PH_IP_MOON1
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+
+conn rw-carol
+ right=%any
+ rightid=carol@strongswan.org
+ rightsourceip=PH_IP_CAROL1
+ auto=add
+
+conn rw-dave
+ right=%any
+ rightid=dave@strongswan.org
+ rightsourceip=PH_IP_DAVE1
+ auto=add
diff --git a/testing/tests/ikev2/virtual-ip-override/posttest.dat b/testing/tests/ikev2/virtual-ip-override/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/virtual-ip-override/pretest.dat b/testing/tests/ikev2/virtual-ip-override/pretest.dat
new file mode 100644
index 000000000..5ec37aae1
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/virtual-ip-override/test.conf b/testing/tests/ikev2/virtual-ip-override/test.conf
new file mode 100644
index 000000000..01c94f7fb
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip-override/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/virtual-ip/description.txt b/testing/tests/ikev2/virtual-ip/description.txt
new file mode 100644
index 000000000..044189730
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/description.txt
@@ -0,0 +1,14 @@
+The roadwarriors <b>carol</b> and <b>dave</b> both set up a connection to gateway <b>moon</b>.
+The roadwarriors each unilaterally define a static virtual IP using the <b>leftsourceip</b>
+parameter. In order to detect potential address conflicts, the roadwarriors send
+their virtual IPs embedded in a configuration payload to <b>moon</b> for verification.
+In our scenario <b>moon</b> accepts the address choices thus allowing <b>carol</b> and
+<b>dave</b> to install their respective virtual IP addresses.
+<p>
+In order to test the tunnels both <b>carol</b> and <b>dave</b> ping the client <b>alice</b>
+behind the gateway <b>moon</b> as well as the inner interface of the gateway.
+The latter ping requires access to the gateway itself which is granted by the
+directive <b>lefthostaccess=yes</b>. The source IP of the two pings will be the virtual
+IP addresses <b>carol1</b> and <b>dave1</b>, respectively. Also thanks to the automatically
+configured source route entries, <b>moon</b> is able to ping both roadwarriors by using the
+established net-net IPsec tunnels.
diff --git a/testing/tests/ikev2/virtual-ip/evaltest.dat b/testing/tests/ikev2/virtual-ip/evaltest.dat
new file mode 100644
index 000000000..dbb873ebc
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/evaltest.dat
@@ -0,0 +1,27 @@
+moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+dave::ipsec statusall::home.*INSTALLED::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
+moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES
+moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
+moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list dev eth0::src PH_IP_CAROL1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list dev eth0::src PH_IP_DAVE1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c9867c7d4
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=PH_IP_CAROL1
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..b58ba5460
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=PH_IP_DAVE1
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fb7abe556
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=%any
+ rightsourceip=%config
+ auto=add
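Review bot: `rightsourceip=%config` is the line that makes this scenario work, and description.txt says moon simply accepts the roadwarriors' address choices, but the config itself does not say so; someone lifting this moon config out of the test tree would get a gateway that accepts whatever virtual IP a peer requests, with no fixed address configured on the gateway side. A one-line comment would prevent that, e.g. `# %config: accept the virtual IP the peer requests (test scenario only)`. The sibling virtual-ip-override scenario shows the contrasting behaviour by pinning rightsourceip per connection.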
diff --git a/testing/tests/ikev2/virtual-ip/posttest.dat b/testing/tests/ikev2/virtual-ip/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2/virtual-ip/pretest.dat
new file mode 100644
index 000000000..5ec37aae1
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/virtual-ip/test.conf b/testing/tests/ikev2/virtual-ip/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev2/virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
index 8b5ee4f6c..e658398db 100644
--- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
@@ -1,5 +1,5 @@
-moon::ipsec status::host-host.*ESTABLISHED::YES
-sun::ipsec status::ESTABLISHED::YES
+moon::ipsec status::host-host.*INSTALLED::YES
+sun::ipsec status::host-host.*INSTALLED::YES
moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES